Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
  • From: Didi Key <terryatsnort@xxxxxxxxxxx>
  • Date: Mon, 1 Aug 2022 01:12:15 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6tVsKEk5XneYGIYKm+asJS/CTq1coygsqAXheLtp750=; b=XaPU5ardkqBYZmep5M9/YNY+R+f9mkAFuPvXd0fuHRL5tNsbr7cFAURr39AvxzQSDi50W1UYja7w49QSXvZLBxOAacL9Ve0oyZWDNsU0m1RCjkfyx2qUB83EWWUZMHmtEUXLlcRAdKKUfe2ez3Tk7mvs47fx4Y1jLvaxKshBRKM14kvkcluPJo0DGMCoHd6Nvd57Eu+S3q8foE1QiAQKWrgS6S7GiZOFjPvLfIumk51Ixrg/VrPnHPpcoChtu2IPfZ7BmsGmzfL+MyFmh1jX3gW/lTnS4gNrS0qI8vf10+xLrY2Kej6elkLwru/CMeGO11dul3wyf2VuaTiYTUdCDw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BFty5izCXwQRhEBH9VGMM6KBSfGybrbI+CVE1tZpKsPaScpphhzmP0+gcfx7jw19mrIo7m6tvO3cvAC8nQ8TMb0BW6Ay6USBat/yAiQjWwfXtm8zLM+eiNfN811LKc0flGmKMH6YYDtc5IoyKTbMxFNsQ3bd4NRmq0Ery3jfovZ3uEEZBNqyf4mfK+KhhgNBHw8BtNEc/xdFJ9InxMhXc4XLGiBGiv48fwxLITxrGJHXHnoh6nkjOo/N4ubncClSMptTV6YIP9qrE4tYyLPwQxKkoARYCPYeZ4+CjShtH1Nid3vAKS1b+O2WSlZLpUSYJ4iJxKngShMcYGRF/Woubg==
  • Delivered-to: mosquitto-dev@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/mosquitto-dev/>
  • List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>
  • Suggested_attachment_session_id: e15398e4-b430-2199-99fd-184036a36ce2
  • Thread-index: AQHYpUDoSwVuQ83K5ESBP4ms3u3Vew==
  • Thread-topic: Mosquitto supports TPM 2.0 on Windows?
Dear the team,

G'day!

Here I'd like your help to find out:
  1. if Mosquitto v2.0.14 supports using TPM as OpenSSL's engine on Windows, when TLS is required?
  2. if yes, then how to configure the broker (for telling Mosquitto to load private key information from TPM instead of a local private key file)?
I noticed that related change (of support TPM) was introduced in Aug 2018, by this commit:
Author:            Nicolás Pernas Maradei <nicopernas@xxxxxxxxx>
Author date:      4 years ago (12/08/2018 2:57:58 AM)
Committer:        Roger A. Light <roger@xxxxxxxxxx>
Commit date:      3 years ago (27/02/2019 2:50:37 AM)
Commit hash:      20894fcbce661d50f77c49b132dedea4cdc1f5a0
Parent:                 d5f039ec
The change is to allow using the following options in configuration file to load private key (instead of reading a private key file on the disk)
keyfile file path

Path to the PEM encoded server key. This option and certfile must be present to enable certificate based TLS encryption.

The private key pointed to by this option will be reloaded when Mosquitto receives a SIGHUP signal. This can be used to load new keys prior to the existing ones expiring.

require_certificate [ true | false ]

By default an SSL/TLS enabled listener will operate in a similar fashion to a https enabled web server, in that the server has a certificate signed by a CA and the client will verify that it is a trusted certificate. The overall aim is encryption of the network traffic. By setting require_certificate to true, a client connecting to this listener must provide a valid certificate in order for the network connection to proceed. This allows access to the broker to be controlled outside of the mechanisms provided by MQTT.

tls_engine engine

A valid openssl engine id. These can be listed with openssl engine command.

tls_engine_kpass_sha1 engine_kpass_sha1

SHA1 of the private key password when using an TLS engine. Some TLS engines such as the TPM engine may require the use of a password in order to be accessed. This option allows a hex encoded SHA1 hash of the password to the engine directly, instead of the user being prompted for the password.

tls_keyform [ pem | engine ]

Specifies the type of private key in use when making TLS connections.. This can be "pem" or "engine". This parameter is useful when a TPM module is being used and the private key has been created with it. Defaults to "pem", which means normal private key files are used.


Though, I couldn't find any detailed instructions on the internet (or in the mailinglist here); has anyone done similar setup on Windows using TPM? I'd like to understand more for the questions below:
  1. How to set OpenSSL engine to use TPM as its engine?
  2. Do we need any 3rd party component to enable Mosquitto using TPM?
    Like this one: https://github.com/tpm2-software/tpm2-openssl "Provider for integration of TPM 2.0 to OpenSSL 3.0" 
    But this supports OpenSSL v3.0 only
  3. If everything works, then what should be specified for the "keyfile" option?
    The source code indicates that we need to pass in this information, but what should it be when using TPM?

    https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548 

Any advice on this are really appreciated; or if not using TPM, how do you protect the private key file (as best practice) when using TLS? Thank you very much!

Thanks and Regards,
Terry

Back to the top