Enable mTLS connection support (#249)

* Enable mTLS connection support Enable mutual TLS (mTLS) connection support for mutual authentication. * Add an option to enable curl logs * Update Safestring and Metee lib version tag in Jenkinsfile.yml Signed-off-by: Shrikant Temburwar <[email protected]>
fido-device-onboard · Nov 3, 2023 · 56c7bd0 · 56c7bd0
1 parent bc537fd
commit 56c7bd0
Show file tree

Hide file tree

Showing 11 changed files with 150 additions and 3 deletions.
diff --git a/Jenkinsfile.yml b/Jenkinsfile.yml
@@ -20,6 +20,7 @@ node('ccode'){
       sh '''
         cd $WORKSPACE/safestringlib
         echo 'Building safestring'
+        git checkout v1.2.0
         mkdir obj
         make
       '''
@@ -29,7 +30,7 @@ node('ccode'){
       sh '''
         cd $WORKSPACE/tinycbor
         echo 'Building TinyCBOR'
-        git checkout v0.5.3
+        git checkout v0.6.0
         make
       '''
     }
@@ -38,6 +39,7 @@ node('ccode'){
       sh '''
         cd $WORKSPACE/metee
         echo 'Building METEE'
+        git checkout 3.2.3
         cmake .
         make -j$(nproc)
         sudo make install

diff --git a/cmake/blob_path.cmake b/cmake/blob_path.cmake
@@ -24,6 +24,13 @@ if(TARGET_OS MATCHES linux)
       -DDEVICE_CSE_ENABLED
     )
     endif()
+
+  if (${MTLS} MATCHES true)
+    client_sdk_compile_definitions(
+      -DSSL_CERT=\"${BLOB_PATH}/data/apiUser.pem\"
+      -DSSL_KEY=\"${BLOB_PATH}/data/clientKey.pem\"
+    )
+    endif()
 
   if (${DA} MATCHES tpm)
     client_sdk_compile_definitions(

diff --git a/cmake/cli_input.cmake b/cmake/cli_input.cmake
@@ -29,6 +29,7 @@ set (BLOB_PATH .)
 set (TPM2_TCTI_TYPE tabrmd)
 set (RESALE true)
 set (REUSE true)
+set (MTLS false)
 
 #for CSE
 set (CSE_SHUTDOWN true)
@@ -827,3 +828,30 @@ if (${DA} MATCHES cse)
   message("Selected CSE_CLEAR ${CSE_CLEAR}")
 endif()
 ###########################################
+# FOR MTLS
+get_property(cached_mtls_value CACHE MTLS PROPERTY VALUE)
+
+set(mtls_cli_arg ${cached_mtls_value})
+if(mtls_cli_arg STREQUAL CACHED_MTLS)
+  unset(mtls_cli_arg)
+endif()
+
+set(mtls_app_cmake_lists ${MTLS})
+if(cached_mtls_value STREQUAL MTLS)
+  unset(mtls_app_cmake_lists)
+endif()
+
+if(DEFINED CACHED_MTLS)
+  if ((DEFINED mtls_cli_arg) AND (NOT(CACHED_MTLS STREQUAL mtls_cli_arg)))
+    message(WARNING "Need to do make pristine before cmake args can change.")
+  endif()
+  set(MTLS ${CACHED_MTLS})
+elseif(DEFINED mtls_cli_arg)
+  set(MTLS ${mtls_cli_arg})
+elseif(DEFINED mtls_app_cmake_lists)
+  set(MTLS ${mtls_app_cmake_lists})
+endif()
+
+set(CACHED_MTLS ${MTLS} CACHE STRING "Selected MTLS")
+message("Selected MTLS ${MTLS}")
+###########################################
diff --git a/cmake/extension.cmake b/cmake/extension.cmake
@@ -271,4 +271,8 @@ endif()
 if(${CSE_CLEAR} STREQUAL true)
   client_sdk_compile_definitions(-DCSE_CLEAR)
 endif()
+
+if(${MTLS} STREQUAL true)
+  client_sdk_compile_definitions(-DMTLS)
+endif()
 ############################################################
diff --git a/data/client.conf b/data/client.conf
@@ -0,0 +1,21 @@
+[req]
+distinguished_name=req_distinguished_name
+x509_extensions=v3_req
+prompt=no
+
+[req_distinguished_name]
+CN=apiUser
+OU=FDO project
+O=LF Edge
+L=Hillsboro
+ST=OR
+C=US
+
+[v3_req]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
diff --git a/docs/build_conf.md b/docs/build_conf.md
@@ -1,4 +1,5 @@
 
+
 # Build Configuration
 Following are some of the options to choose when building the device:
 - BUILD: Release or debug mode
@@ -86,6 +87,9 @@ SNI=false # SNI support is disabled.
 > ***Note***: If you have server IP configured in no_proxy environment variable, also add the
 server name in that list for SNI enablement to work as expected.
 ```
+Option to enable/disable mTLS connection:
+MTLS=true 	# mTLS connection enabled
+MTLS=false 	# mTLS connection disabled (default) 
 
 Option to enable/disable Device credential resue and resale feature:
 REUSE=true            # Reuse feature enabled (default)

diff --git a/docs/cse.md b/docs/cse.md
@@ -219,6 +219,12 @@ make pristine
 cmake -DDA=cse_ecdsa384 .
 make -j$(nproc)
 ```
+> ***NOTE***:  To run with mTLS connection, 
+> 1. Compile the code with `-DMTLS=true` flag.
+> 2. If signing with external CA, copy CA cert and CA key to `data` folder.
+> 3. Execute `bash utlils/user_csr_req.sh .`
+> This will generate client CSR and private key.
+> 
 Refer to the section [FDO Build configurations](build_conf.md) for more build options.
 
 <a name="run_linux_fdo"></a>

diff --git a/docs/linux.md b/docs/linux.md
@@ -1,4 +1,5 @@
 
+
 # Linux* OS
 The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO).
 
@@ -192,7 +193,12 @@ bash utils/keys_gen.sh .
 > ***NOTE***:  [Keys_Gen](../utils/keys_gen.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script 
 > OPENSSL3_BIN=/opt/openssl/bin (can be /usr/bin or /usr/local/bin)
 >
-
+> ***NOTE***:  To run with mTLS connection, 
+> 1. Compile the code with `-DMTLS=true` flag.
+> 2. If signing with external CA, copy CA cert and CA key to `data` folder.
+> 3. Execute `bash utlils/user_csr_req.sh .`
+> This will generate client CSR and private key.
+> 
 Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS).
 Refer to the section. [FDO Build configurations](build_conf.md)
 

diff --git a/docs/tpm.md b/docs/tpm.md
@@ -328,7 +328,12 @@ make pristine
 cmake -DDA=tpm20_ecdsa256 -DTPM2_TCTI_TYPE=tpmrm0 .
 make -j$(nproc)
 ```
-
+> ***NOTE***:  To run with mTLS connection, 
+> 1. Compile the code with `-DMTLS=true` flag.
+> 2. If signing with external CA, copy CA cert and CA key to `data` folder.
+> 3. Execute `bash utlils/user_csr_req.sh .`
+> This will generate client CSR and private key.
+> 
 Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS).
 Refer to the section [FDO Build configurations](build_conf.md)
 

diff --git a/network/network_if_linux.c b/network/network_if_linux.c
@@ -880,6 +880,20 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version,
 		goto err;
 	}
 
+#if defined(MTLS)
+	curlCode = curl_easy_setopt(curl, CURLOPT_SSLCERT, (char *)SSL_CERT);
+	if (curlCode != CURLE_OK) {
+		LOG(LOG_ERROR, "CURL_ERROR: Could not able to select client certificate.\n");
+		goto err;
+	}
+
+	curlCode = curl_easy_setopt(curl, CURLOPT_SSLKEY, (char *)SSL_KEY);
+	if (curlCode != CURLE_OK) {
+		LOG(LOG_ERROR, "CURL_ERROR: Could not able to select client key.\n");
+		goto err;
+	}
+#endif
+
 	curlCode = curl_easy_setopt(curl, CURLOPT_URL, msg_header->data);
 	if (curlCode != CURLE_OK) {
 		LOG(LOG_ERROR, "CURL_ERROR: Could not able to pass url.\n");
@@ -966,6 +980,14 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version,
 		goto err;
 	}
 
+#ifdef DEBUG_LOGS
+	curlCode = curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+	if (curlCode != CURLE_OK) {
+		LOG(LOG_ERROR, "CURL_ERROR: Could not enable curl logs.\n");
+		goto err;
+	}
+#endif
+
 	curlCode = curl_easy_perform(curl);
 	if (curlCode != CURLE_OK) {
 		LOG(LOG_ERROR, "Error: %s\n", curl_easy_strerror(curlCode));

diff --git a/utils/user_csr_req.sh b/utils/user_csr_req.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Copyright 2023 Intel Corporation
+# SPDX-License-Identifier: Apache 2.0
+#
+# ***WARNING***: The script generates the credentials using default system
+# configurations and might not provide necessary security strength for a
+# production deployment. Care must be taken to maintain necessary cryptographic
+# strength while generating keys for production deployment.
+
+# Summary:
+# user_csr_req.sh creates a certificate signing request for mTLS user/client credentials
+# the client.conf contains the subject name of the certificate.
+# the csr will be outputed to client.req file.
+# the private key will be outputed to client.key
+#
+# Usage message to be displayed whenever we provide wrong inputs
+usage()
+{
+  echo -e "\nUsage:
+    $0 /path/to/client-sdk-fidoiot"
+}
+
+CLIENTSDK_REPO=$1
+if ! [[ -d ${CLIENTSDK_REPO}/data ]]; then
+  echo -e "Data folder doesn't exist.......\n\
+Please do verify the data path in /path/to/client-sdk-fidoiot"
+  usage
+  exit 1
+else
+  CLIENTSDK_DATA=$CLIENTSDK_REPO/data
+fi
+
+if [[ $# == 1 ]]; then
+  openssl req -x509 -newkey rsa:2048 -keyout $CLIENTSDK_DATA/clientKey.pem -out $CLIENTSDK_DATA/clientUser.pem -sha256 -days 12775 -nodes -config $CLIENTSDK_DATA/client.conf
+  openssl x509 -x509toreq -in $CLIENTSDK_DATA/clientUser.pem -out $CLIENTSDK_DATA/client.req -signkey $CLIENTSDK_DATA/clientKey.pem
+
+  #comment out following line if signing with external CA
+  openssl x509 -req -days 12775 -in $CLIENTSDK_DATA/client.req -CA $CLIENTSDK_DATA/ca-cert.pem -CAkey $CLIENTSDK_DATA/caKey.pem -CAcreateserial -out $CLIENTSDK_DATA/apiUser.pem -extfile $CLIENTSDK_DATA/client.conf -extensions v3_req
+else
+  usage; exit 1;
+fi