
OpenSSL Engine support for private key handling in TLS

Open BenBaratte opened this issue 3 years ago • 3 comments

Problem:

S2N does not offer the possibility to use an OpenSSL engine. In order to increase the security of embedded devices, a hardware secure element like a TPM can be used to store the device's private key. Generally, secure elements provide an OpenSSL engine to integrate with the OpenSSL application framework.

Solution:

The solution is to add a parameter pointing to one or more OpenSSL engines to load.

  • Does this change what S2N sends over the wire? No.
  • Does this change any public APIs? Yes, the configuration API adds an extra optional parameter to activate the OpenSSL engine.
  • Which versions of TLS will this impact? Implementation shall start at TLS 1.2.

Requirements / Acceptance Criteria:

The implementation shall be able to use the TSS2 TPM engine (https://github.com/tpm2-software/tpm2-tss-engine).

Check that the ciphersuite configuration is enough to reflect the OpenSSL Engine capabilities.

  • RFC links: None (OpenSSL Engine management)
  • Related Issues: None
  • Will the Usage Guide or other documentation need to be updated? Yes
  • Testing: Testing can be done with TPM simulator https://tpm2-software.github.io/2020/10/19/TPM2-Device-Emulation-With-QEMU.html.
    • Will this change trigger SAW changes? To be assessed
    • Should this change be fuzz tested? To be assessed

BenBaratte, Jan 04 '21 15:01

BenBaratte, thanks for reaching out. Will discuss with the team.

dougch, Jan 22 '21 20:01

Plus one from me!

Besides code security, storage of credentials in a TPM or SE is also essential.

This is a blocker for us to switch from aws-iot-device-sdk-cpp-v1 to aws-iot-device-sdk-cpp-v2.

V1 has OpenSSL support, which enables us to use a TPM and SE.

iot-suite, Sep 03 '21 14:09

Is PKCS11 an option @iot-suite? https://github.com/awslabs/aws-c-io/pull/428

MikeDombo, Jul 05 '22 23:07