Re: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?

Some pointers that might (or might not) help


The OpenSSL 1.1.x version of the TPM Engine is here https://github.com/tpm2-software/tpm2-tss-engine. The docs don't make any mention of Windows (unlike the 3.0 version that includes instructions for building on Windows).


You will need to use the tools included with this to prepare key material.

You will need to set `tls_engine` to `tpm2tss`

Then it will be a case of reading the tpm2-tss-engine docs to get a feel for how you seal keys. But the `keyfile` will point to the sealed private key file.

I've used this (https://www.hardill.me.uk/wordpress/2021/02/07/adding-a-tpm-to-my-offline-certificate-authority/) on Linux directly with openssl to run a hardware backed CA, not directly mosquitto.

On 11/08/2022 22:05, terryatsnort@xxxxxxxxxxx wrote:
Dear the team,

Just wondering if anyone could help on configuring Mosquitto to use Windows TPM?

Thanks and Regards,
Terry
------------------------------------------------------------------------
*From:* mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Didi Key <terryatsnort@xxxxxxxxxxx>
*Sent:* Monday, August 1, 2022 11:12 AM
*To:* mosquitto-dev@xxxxxxxxxxx <mosquitto-dev@xxxxxxxxxxx>
*Subject:* [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
Dear the team,

G'day!

Here I'd like your help to find out:

 1. if Mosquitto v2.0.14 supports using TPM as OpenSSL's engine on
    Windows, when TLS is required?
 2. if yes, then how to configure the broker (for telling Mosquitto to
    load private key information from TPM instead of a local private key
    file)?

I noticed that related change (of support TPM) was introduced in Aug 2018, by this commit:

    Author:            Nicolás Pernas Maradei <nicopernas@xxxxxxxxx>
    Author date:      4 years ago (12/08/2018 2:57:58 AM)
    Committer:        Roger A. Light <roger@xxxxxxxxxx>
    Commit date:      3 years ago (27/02/2019 2:50:37 AM)
    Commit hash:      20894fcbce661d50f77c49b132dedea4cdc1f5a0
    Parent:                 d5f039ec

The change is to allow using the following options in the configuration file to load the private key (instead of reading a private key file on the disk):

    https://mosquitto.org/man/mosquitto-conf-5.html

    keyfile file path

        Path to the PEM encoded server key. This option and certfile
        must be present to enable certificate based TLS encryption.

        The private key pointed to by this option will be reloaded when
        Mosquitto receives a SIGHUP signal. This can be used to load new
        keys prior to the existing ones expiring.

    require_certificate [ true | false ]

        By default an SSL/TLS enabled listener will operate in a similar
        fashion to a https enabled web server, in that the server has a
        certificate signed by a CA and the client will verify that it is
        a trusted certificate. The overall aim is encryption of the
        network traffic. By setting require_certificate to true, a
        client connecting to this listener must provide a valid
        certificate in order for the network connection to proceed. This
        allows access to the broker to be controlled outside of the
        mechanisms provided by MQTT.

    tls_engine engine

        A valid openssl engine id. These can be listed with the openssl
        engine command.

    tls_engine_kpass_sha1 engine_kpass_sha1

        SHA1 of the private key password when using a TLS engine. Some
        TLS engines such as the TPM engine may require the use of a
        password in order to be accessed. This option allows a hex
        encoded SHA1 hash of the password to be passed to the engine directly,
        instead of the user being prompted for the password.

    tls_keyform [ pem | engine ]

        Specifies the type of private key in use when making TLS
        connections. This can be "pem" or "engine". This parameter is
        useful when a TPM module is being used and the private key has
        been created with it. Defaults to "pem", which means normal
        private key files are used.


Though, I couldn't find any detailed instructions on the internet (or in the mailinglist here); has anyone done similar setup on Windows using TPM? I'd like to understand more for the questions below:

 1. How to set OpenSSL engine to use TPM as its engine?
 2. Do we need any 3rd party component to enable Mosquitto using TPM?
    Like this one: https://github.com/tpm2-software/tpm2-openssl "Provider for
    integration of TPM 2.0 to OpenSSL 3.0"
    But this supports OpenSSL v3.0 only
 3. If everything works, then what should be specified for the "keyfile"
    option?
    The source code indicates that we need to pass in this information,
    but what should it be when using TPM?

    https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548

Any advice on this is really appreciated; or if not using TPM, how do you protect the private key file (as best practice) when using TLS? Thank you very much!

Thanks and Regards,
Terry

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev

--
https://www.hardill.me.uk/wordpress
https://github.com/hardillb
https://about.me/hardillb
https://flickr.com/photos/hardillb/
https://keybase.io/hardillb
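Putting the reply's three steps together (prepare the key with the tpm2-tss-engine tools, set `tls_engine` to `tpm2tss`, point `keyfile` at the TPM-wrapped key), here is an added example script for a Linux host; it is not code from the thread, from Ben Hardill, or from the mosquitto project, and it has not been tried on Windows. It assumes tpm2-tss-engine is installed (the `tpm2tss-genkey` tool and the `tpm2tss` engine for OpenSSL 1.1), that mosquitto is built against the same OpenSSL, and that the TPM is reachable by the TSS. The paths, the CN, the password, and the choice of a 2048-bit RSA key are assumptions; the `tls_engine_kpass_sha1` value is derived in the hex-SHA1 format the man page quoted above describes, and whether the tpm2tss engine accepts that as the key's auth value is something to confirm against the engine's own docs, as the reply suggests.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the mosquitto project.
# Assumed environment: Linux, tpm2-tss-engine (tpm2tss-genkey + "tpm2tss"
# OpenSSL 1.1 engine), mosquitto linked against the same OpenSSL, TPM 2.0
# reachable by the TSS. All paths and names below are assumptions.
set -eu

# Quick check that the engine the reply names is loadable by this OpenSSL;
# this is the "openssl engine" listing the man page refers to.
engine_available() {
    openssl engine -t tpm2tss >/dev/null 2>&1
}

# tls_engine_kpass_sha1 wants the hex-encoded SHA1 of the engine password.
# sha1sum is used when present, otherwise openssl dgst (output formats differ
# between OpenSSL versions, hence the sed).
kpass_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/.*= *//'
    fi
}

# Step 1: create the key inside the TPM. The file tpm2tss-genkey writes is
# a TPM-wrapped blob, usable only through this TPM, so copying it off the
# host gives an attacker nothing they can sign with. The CSR is signed by
# the TPM via the engine; the CA issues broker.crt from it.
provision_tpm_key() {
    keyfile=$1
    pass=$2
    tpm2tss-genkey -a rsa -s 2048 -p "$pass" "$keyfile"
    openssl req -new -engine tpm2tss -keyform engine -key "$keyfile" \
        -passin "pass:$pass" -subj "/CN=mqtt.example.com" -out broker.csr
}

# Steps 2 and 3: the listener block. tls_keyform engine tells mosquitto to
# hand keyfile to the engine instead of parsing it as a PEM private key.
write_listener_conf() {
    out=$1
    keyfile=$2
    pass=$3
    cat > "$out" <<EOF
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile $keyfile
tls_engine tpm2tss
tls_keyform engine
tls_engine_kpass_sha1 $(kpass_sha1 "$pass")
require_certificate true
EOF
}

# Sanity check before restarting the broker: each engine option appears
# exactly once and the kpass value is 40 hex digits.
check_conf() {
    for opt in keyfile tls_engine tls_keyform tls_engine_kpass_sha1; do
        n=$(grep -c "^$opt " "$1")
        [ "$n" -eq 1 ] || return 1
    done
    grep -q '^tls_engine_kpass_sha1 [0-9a-f]\{40\}$' "$1"
}

# Typical run on the broker host (commented out so the file can be sourced):
# engine_available || { echo "tpm2tss engine not loadable"; exit 1; }
# provision_tpm_key /etc/mosquitto/broker.key 'hunter2'
# write_listener_conf /etc/mosquitto/conf.d/tls-tpm.conf /etc/mosquitto/broker.key 'hunter2'
# check_conf /etc/mosquitto/conf.d/tls-tpm.conf && systemctl reload mosquitto
```

The key file still deserves restrictive permissions and the password should not live in a world-readable script, but the point of the exercise is that neither the wrapped blob nor the config is sufficient to impersonate the broker without the TPM that created the key.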

