Re: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?

[Ben Hardill <hardillb@xxxxxxxxx>]

Some pointers that might (or might not) help


The Openssl 1.1.x version of the TPM Engine is here 
https://github.com/tpm2-software/tpm2-tss-engine. The docs don't make 
any mention of Windows (unlike the 3.0 version that includes 
instructions for building on Windows).


You will need to use the tools included with this to prepare key material.

You will need to set `tls_engine` to `tpm2tss`

Then is will be a case of reading the tpm2-tss-engine docs to get a feel 
for how you seal keys. But the `keyfile` will point to the sealed 
private key file.

I've used 
(https://www.hardill.me.uk/wordpress/2021/02/07/adding-a-tpm-to-my-offline-certificate-authority/) 
this on Linux directly with openssl to run a hardware backed CA, not 
directly mosquitto.

On 11/08/2022 22:05, terryatsnort@xxxxxxxxxxx wrote:
> Dear the team,
>
> Just wondering if anyone could help on configuring Mosquitto to use 
> Windows TPM?
>
> Thanks and Regards,
> Terry
> ------------------------------------------------------------------------
> *From:* mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of 
> Didi Key <terryatsnort@xxxxxxxxxxx>
> *Sent:* Monday, August 1, 2022 11:12 AM
> *To:* mosquitto-dev@xxxxxxxxxxx <mosquitto-dev@xxxxxxxxxxx>
> *Subject:* [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
> Dear the team,
>
> G'day!
>
> Here I'd like your help to find out:
>
>  1. if Mosquitto v2.0.14 supports using TPM as OpenSSL's engine on
>     Windows, when TLS is required?
>  2. if yes, then how to configure the broker (for telling Mosquitto to
>     load private key information from TPM instead of a local private key
>     file)?
>
> I noticed that related change (of support TPM) was introduced in Aug 
> 2018, by this commit:
>
>     Author:            Nicolás Pernas Maradei <nicopernas@xxxxxxxxx>
>     Author date:      4 years ago (12/08/2018 2:57:58 AM)
>     Committer:        Roger A. Light <roger@xxxxxxxxxx>
>     Commit date:      3 years ago (27/02/2019 2:50:37 AM)
>     Commit hash:      20894fcbce661d50f77c49b132dedea4cdc1f5a0
>     Parent:                 d5f039ec
>
> The change is to allow using the following options in configuration file 
> to load private key (instead of reading a private key file on the disk)
>
>     https://mosquitto.org/man/mosquitto-conf-5.html
>     <https://mosquitto.org/man/mosquitto-conf-5.html>
>     |keyfile| /|file path|/
>
>         Path to the PEM encoded server key. This option and |certfile|
>         must be present to enable certificate based TLS encryption.
>
>         The private key pointed to by this option will be reloaded when
>         Mosquitto receives a SIGHUP signal. This can be used to load new
>         keys prior to the existing ones expiring.
>
>     |require_certificate| [ true | false ]
>
>         By default an SSL/TLS enabled listener will operate in a similar
>         fashion to a https enabled web server, in that the server has a
>         certificate signed by a CA and the client will verify that it is
>         a trusted certificate. The overall aim is encryption of the
>         network traffic. By setting |require_certificate| to /|true|/, a
>         client connecting to this listener must provide a valid
>         certificate in order for the network connection to proceed. This
>         allows access to the broker to be controlled outside of the
>         mechanisms provided by MQTT.
>
>     |tls_engine| /|engine|/
>
>         A valid openssl engine id. These can be listed with openssl
>         engine command.
>
>     |tls_engine_kpass_sha1| /|engine_kpass_sha1|/
>
>         SHA1 of the private key password when using an TLS engine. Some
>         TLS engines such as the TPM engine may require the use of a
>         password in order to be accessed. This option allows a hex
>         encoded SHA1 hash of the password to the engine directly,
>         instead of the user being prompted for the password.
>
>     |tls_keyform| [ pem | engine ]
>
>         Specifies the type of private key in use when making TLS
>         connections.. This can be "pem" or "engine". This parameter is
>         useful when a TPM module is being used and the private key has
>         been created with it. Defaults to "pem", which means normal
>         private key files are used.
>
>
> Though, I couldn't find any detailed instructions on the internet (or in 
> the mailinglist here); has anyone done similar setup on Windows using 
> TPM? I'd like to understand more for the questions below:
>
>  1. How to set OpenSSL engine to use TPM as its engine?
>  2. Do we need any 3rd party component to enable Mosquitto using TPM?
>     Like this one: https://github.com/tpm2-software/tpm2-openssl
>     <https://github.com/tpm2-software/tpm2-openssl> "Provider for
>     integration of TPM 2.0 to OpenSSL 3.0"
>     But this supports OpenSSL v3.0 only
>  3. If everything works, then what should be specified for the "keyfile"
>     option?
>     The source code indicates that we need to pass in this information,
>     but what should it be when using TPM?
>
>     https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548
>     <https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548>
>
> Any advice on this are really appreciated; or if not using TPM, how do 
> you protect the private key file (as best practice) when using TLS? 
> Thank you very much!
>
> Thanks and Regards,
> Terry
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev

--
https://www.hardill.me.uk/wordpress
https://github.com/hardillb
https://about.me/hardillb
https://flickr.com/photos/hardillb/
https://keybase.io/hardillb