mosquitto
Add PKCS11 and file URI support to Mosquitto
These changes allow certs and CAs to be in the form of file URIs and private keys to be either file URIs or PKCS11-compliant URIs. The private keys can either be stored on the filesystem or in a PKCS11-compliant Trusted Platform Module/Hardware Security Module (TPM/HSM). This provides more security for the private keys as they cannot be directly copied off of the filesystem. Changes:
- Added new API mosquitto_tls_set_uri to accept cert and CA as file URI (RFC8089) and private key as PKCS11 compliant (RFC7512) URI.
- The above function also accepts paths to the libp11 library and the PKCS11 provider library, which is required to access keys stored on a TPM/HSM.
- Modified internal tls_set function to parse URI
- Modified internal ssl connect function to initialize and call appropriate OpenSSL engine functions to load private key from the HSM/TPM
- Added options for mosquitto_sub and mosquitto_pub to accept URIs and lib paths
- Added unit tests for the new mosquitto_tls_set_uri function
The above changes were tested using SoftHSM2 as the keystore.
Signed-off-by: Varun Reddy [email protected]
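As an added illustration of the parsing step the description lists ("Modified internal tls_set function to parse URI"), the C below is not from this PR or from Mosquitto: it classifies a location by scheme, turns an RFC 8089 file URI into a local path, and pulls one path attribute out of an RFC 7512 pkcs11: URI. The function names are made up for this example; the attribute names (token, object, id, type, pin-value, module-path) are the standard RFC 7512 ones.

```c
#include <string.h>
#include <strings.h>

enum uri_kind { URI_UNKNOWN = 0, URI_FILE, URI_PKCS11 };

/* Classify a cert/CA/key location by URI scheme (scheme names are case-insensitive). */
enum uri_kind classify_uri(const char *uri)
{
    if (uri && strncasecmp(uri, "file:", 5) == 0) return URI_FILE;
    if (uri && strncasecmp(uri, "pkcs11:", 7) == 0) return URI_PKCS11;
    return URI_UNKNOWN;
}

/* RFC 8089 file URI -> local path: accepts file:/p, file:///p, file://localhost/p; rejects other hosts. */
int file_uri_to_path(const char *uri, char *out, size_t outlen)
{
    if (classify_uri(uri) != URI_FILE) return -1;
    const char *p = uri + 5;
    if (strncmp(p, "//", 2) == 0) {
        p += 2;
        if (strncasecmp(p, "localhost/", 10) == 0) p += 9;  /* keep the leading '/' */
        else if (*p != '/') return -1;                     /* non-local authority */
    }
    if (*p != '/' || strlen(p) >= outlen) return -1;
    strcpy(out, p);
    return 0;
}

/* Fetch one path attribute (token, object, id, type, ...) from an RFC 7512 pkcs11: URI. Path attributes
 * are ';'-separated name=value pairs; the '?' query (pin-value, module-path) is not searched, values stay percent-encoded. */
int pkcs11_uri_get_attr(const char *uri, const char *name, char *out, size_t outlen)
{
    if (classify_uri(uri) != URI_PKCS11) return -1;
    const char *p = uri + 7, *end = strchr(p, '?'), *sep, *seg_end;
    size_t nlen = strlen(name), vlen;
    if (end == NULL) end = p + strlen(p);
    while (p < end) {
        sep = memchr(p, ';', (size_t)(end - p));
        seg_end = sep ? sep : end;
        if ((size_t)(seg_end - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            vlen = (size_t)(seg_end - (p + nlen + 1));
            if (vlen >= outlen) return -1;              /* value does not fit in out */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = seg_end + 1;
    }
    return -1;                                          /* attribute not present */
}
```

Percent-decoding and the query attributes are left to the caller; in particular a pin-value carried in the URI should be stripped before the URI is written to any log.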
This is a big enough contribution that it will need to go through a more formal review than most of our PRs. That's good though - it makes me happy when people contribute tests.
There are some more details on what we need to follow here:
https://www.eclipse.org/legal/committerguidelines.php#appropriateness
Before that though, I can guarantee that distributing compiled binaries of the two libraries will be a no-no. Can you approach that in another way?
Hi @ralight, thanks for the review! I looked through the flowchart for contributions that is linked in the readme. I couldn't locate the link to submit the contribution questionnaire or create the Ipzilla bug after I logged into the Eclipse portal. Is there some procedure to be followed before I am allowed to submit the questionnaire? I apologize wrt binary files. I had dummy files for testing that were just text files. I will replace them with those. Also, the integration tests are failing, I will investigate and make the fix and update the diff with all the changes @karlp noted. Thanks! Varun
This seems to have been abandoned; however, it would be very useful. Is it just that some of the CI unit tests have failed?
This feature would be very useful.
Please could you tell me the status of this evolution?
I've gotten it to work with a small patch, and we are running it against our 608A security chip so it picks up the private key from there https://github.com/eclipse/mosquitto/issues/1742#issuecomment-658565475
To create the CSR I'm also using openssl req.
Hi,
I've gotten it to work with a small patch, and we are running it against our 608A security chip so it picks up the private key from there
Are you using the 608A on the broker side or on the client side? I'm struggling with a 508A (but I think the kind of chip is not the problem). Please, have a look here: #1986.
What's the way to pass keys from SoftHSM and start the broker? Or is it start the broker and then provide the keys? I want to do this from Java: pass keys that are read from SoftHSM, and start the broker.
Hi,
I've gotten it to work with a small patch, and we are running it against our 608A security chip so it picks up the private key from there
Are you using the 608A on the broker side or on the client side? I'm struggling with a 508A (but I think the kind of chip is not the problem). Please, have a look here: #1986.
Using the 608A on the broker side to talk to AWS IoT.