ROS2 DDS Security PKCS#11 URI support #332
Conversation
The DDS-Security specification defines the use of Hardware Security Modules (HSM) and PKCS#11 URIs as an alternative to private keys and certificates stored in the file system. Current implementation only supports these tokens to be directly stored in the file system as `.pem` files. This is a design proposal to support PKCS#11 URIs. The changes affect to the RMW implementations, as these are filling the DDS security attributes for the participant. However, it also affects the contents of the enclave directories in the keystore. Although the proposed changes are totally backwards compatible (meaning that current RMW implementations will continue working if no PKCS#11 URIS are used), description of the new enclave contents and the expected RMW behavior seems appropriate.
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com>
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com>
|
This is good |
|
👍 |
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com> Co-authored-by: Mikael Arguedas <mikael.arguedas@gmail.com>
|
@mikaelarguedas Thanks for the review. Just applied your fixes. |
|
Ping @clalancette or @tfoote ? Good to merge? |
|
In general this sounds good. However this site overall is deprecated and we would much prefer to land this as a REP instead so that we can have all of our reference materials in one place. Would you mind submitting it over there as a new informational REP instead? |
|
This pull request has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/ros-2-tsc-meeting-minutes-2023-02-16/29927/1 |
|
Hi @tfoote, we have gone ahead and moved this to a REP in ros-infrastructure/rep#375 |
| @@ -0,0 +1,86 @@ | |||
| --- | |||
| layout: default | |||
| title: ROS2 DDS security PKCS#11 URI support | |||
There was a problem hiding this comment.
| title: ROS2 DDS security PKCS#11 URI support | |
| title: ROS 2 DDS security PKCS#11 URI support |
| published: false | ||
| --- | ||
|
|
||
| - This will become a table of contents (this text will be scraped). |
There was a problem hiding this comment.
we need to remove this line?
|
|
||
| Original Author: {{ page.author }} | ||
|
|
||
| ## Scope |
There was a problem hiding this comment.
I take this into more like Motivation section? especially the end of this section would look like problem statement.
| Then, the RMW can be aware of the file extension and set the security property accordingly. | ||
| Taking the private key in the authentication plugin as an example: | ||
|
|
||
| 1. The RMW will look for a file with name `key.pem` or `key.p11` in the enclave. |
There was a problem hiding this comment.
What happens if both files are in the enclaves? key.p11 prevails to key.pem and if rmw implementation does not support key.p11, then it falls back to use key.pem?
|
Closing in favor of ros-infrastructure/rep#375 |
|
This pull request has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/announcing-rep-2015-ros-2-dds-security-pkcs-11-support/31357/1 |
This is a rework of #319, addressing the comments there, since I don't have write access on the original contributor repository.