12 063
правки
(Новая страница: «== Using the built-in chip ATECCx08 for authorization on external services. ==») |
(Новая страница: «Getting messages from the "test" topic on the example.com server») |
||
(не показаны 52 промежуточные версии этого же участника) | |||
Строка 2: | Строка 2: | ||
== Using the built-in chip ATECCx08 for authorization on external services. == | == Using the built-in chip ATECCx08 for authorization on external services. == | ||
Built-in chip for '''Wiren Board''' controllers '''ATECCx08''' generates key pairs, storing the private keys and an asymmetric encryption operation using elliptic curves. | |||
After initial initialization private key is stored in the chip and does not leave it, thus eliminating its compromise. | |||
Using this chip, you can organize the authorization of the controller and SSL connection protection on external services and be sure that the request is made using this particular instance of the chip. | |||
This article will focus on three applications: '''nginx''', '''openssl''', '''mosquitto'''. | |||
To access the crypto device needs a library libateccssl1.1, install it with the command: | |||
'''apt install libateccssl1.1''' | '''apt install libateccssl1.1''' | ||
Next you need to edit the ''/etc/ssl/openssl.cnf''' file, adding the following lines: | |||
<pre> | <pre> | ||
Строка 28: | Строка 28: | ||
</pre> | </pre> | ||
Now let's start creating certificates. | |||
First, we will create our own Certification Authority ('''CA'''): | |||
To do this, generate a key pair: | |||
<pre>openssl genrsa -out ca.key 2048</pre> | <pre>openssl genrsa -out ca.key 2048</pre> | ||
And certificate of our '''CA''': | |||
<pre>openssl req -x509 -new -days 3650 -key ca.key -out ca.crt -subj "/CN=MY CA"</pre> | <pre>openssl req -x509 -new -days 3650 -key ca.key -out ca.crt -subj "/CN=MY CA"</pre> | ||
'''CA''' | '''CA''' is the basis of security in this scheme, so these operations are performed on the machine that is accessed | ||
only the owner of the '''CA'''. | |||
Next, create a request for a device certificate on the Wiren Board controller: | |||
<pre>openssl req -new -engine ateccx08 -keyform engine -key ATECCx08:00:04:C0:00 -subj "/CN=wirenboard-AP6V5MDG" -out device_AP6V5MDG.csr</pre> | <pre>openssl req -new -engine ateccx08 -keyform engine -key ATECCx08:00:04:C0:00 -subj "/CN=wirenboard-AP6V5MDG" -out device_AP6V5MDG.csr</pre> | ||
In this command, we specify that the request is signed with a private key that is in the ateccx08 crypto device | |||
with ID '''ateccx08:00:04:C0:00''' and public name wirenboard-AP6V5MDG. The request is placed in the file device_AP6V5MDG.csr. | |||
You can choose any unique name, it is convenient for this purpose to use the device ID, which is prescribed by default | |||
in /etc/hostname: | |||
<pre> | <pre> | ||
Строка 56: | Строка 56: | ||
</pre> | </pre> | ||
Next, we sign this request in our certification authority: | |||
openssl x509 -req -in device_AP6V5MDG.csr -CA ca.crt -CAkey ca.key -out device_AP6V5MDG.crt -days 365 -CAcreateserial | openssl x509 -req -in device_AP6V5MDG.csr -CA ca.crt -CAkey ca.key-out device_AP6V5MDG.crt -days 365 -CAcreateserial | ||
In this command, we specify the request file and the CA files required for signing. The result is a device certificate device_AP6V5MDG.crt. | |||
File '''device_AP6V5MDG.crt''' copy to the Wiren Board controller, it will be necessary for authorization. | |||
Let's see what is there in the CA and device certificate files: | |||
<pre> | <pre> | ||
Строка 107: | Строка 107: | ||
</pre> | </pre> | ||
We see that the certificate is issued by a Certification Authority named "MY CA" for 1 year, starting with "Feb 4 14:50:14 2019 GMT" (for this we specified -days 365 in the signature team), | |||
a device named '''wirenboard-AP6V5MDG''' that has a private key corresponding to the Subject Public Key Info. | |||
The certificate is digitally signed. | |||
A digital signature ensures that no part of the certificate can be tampered. In case of a change, a public inspection with | |||
the key '''CA''' will show an error. | |||
<pre> | <pre> | ||
Строка 177: | Строка 177: | ||
</pre> | </pre> | ||
We see that the certificate is signed by its own private key (Issuer: CN = MY CA, Subject: CN = MY CA) | |||
and discharged for 10 years: starting with "Feb 4 14:30:01 2019 GMT" (for this we indicated -days 3650 in the signature team) | |||
Thus, the chain of trust (verification) is built as follows: | |||
The device certificate is signed by a CA certificate and can be verified by it: | |||
<pre> | <pre> | ||
openssl verify -CAfile ca.crt device_AP6V5MDG.crt | openssl verify -CAfile ca.crt device_AP6V5MDG.crt | ||
Строка 188: | Строка 188: | ||
</pre> | </pre> | ||
Well, the certificate is signed "by itself" | |||
<pre> | <pre> | ||
openssl verify -CAfile ca.crt ca.crt | openssl verify -CAfile ca.crt ca.crt | ||
Строка 196: | Строка 196: | ||
== | == Nginx configuration == | ||
For example, suppose you have a server on the Internet that must process requests only from devices that have certificates, | |||
issued by our CA. | |||
To enable this check in the nginx configuration file, you need to write the following lines in the http or server section: | |||
<pre> | <pre> | ||
Строка 207: | Строка 207: | ||
</pre> | </pre> | ||
Nginx will now require a certificate from the client that must be validated by a ca.crt, otherwise the server | |||
returns an error 400 to the client: | |||
<pre> | <pre> | ||
Строка 222: | Строка 222: | ||
</pre> | </pre> | ||
Now let's make http requests from WB controller pass this check. | |||
For simplicity, we will use nginx on the client side. This will give the opportunity to work | |||
with secure servers for clients who can't make SSL connections. | |||
First, we will create a server on the unused local http port, which will do the following | |||
all https "magic" for us: | |||
<pre> | <pre> | ||
Строка 242: | Строка 242: | ||
</pre> | </pre> | ||
Add the www-data user to the i2c group to access the crypto device: | |||
<pre> | <pre> | ||
usermod -G www-data | usermod -G www-data | ||
</pre> | </pre> | ||
Run the command '''service nginx restart''' to update the configuration. | |||
Now, when you access http on the local port 8080, encrypted requests with authentication information will be sent to the server example.com | |||
<pre> | <pre> | ||
Строка 261: | Строка 260: | ||
</pre> | </pre> | ||
== | == Openvpn configuration == | ||
First, install the package: | |||
<pre> | <pre> | ||
Строка 269: | Строка 268: | ||
</pre> | </pre> | ||
Create file named req.cnf - we need it to make a server certificate. | |||
<pre> | <pre> | ||
[ v3_req ] | [ v3_req ] | ||
Строка 277: | Строка 276: | ||
</pre> | </pre> | ||
The openvpn server also needs a file with DH parameters, let's make it. | |||
<pre> | <pre> | ||
openssl dhparam -out dh2048.pem 2048 | openssl dhparam -out dh2048.pem 2048 | ||
</pre> | </pre> | ||
It may take a few minutes to create this file. | |||
Next, make a private key of our server and request a certificate. We assume, for example, that | |||
server has name example.com: | |||
<pre> | <pre> | ||
Строка 293: | Строка 292: | ||
</pre> | </pre> | ||
Sign the request in our certification authority: | |||
<pre> | <pre> | ||
Строка 299: | Строка 298: | ||
</pre> | </pre> | ||
Now let's start setting up openvpn server on the machine example.com | |||
Copy the file '''ca.crt''', '''example.crt''', '''example.key''' and '''dh2048.pem''' and edit the openvpn server configuration file. | |||
By default, the configuration file is in /etc/openvpn/server.conf | |||
<pre> | <pre> | ||
Строка 328: | Строка 327: | ||
</pre> | </pre> | ||
Add the openvpn user to the i2c group to access the crypto device: | |||
<pre> | <pre> | ||
Строка 334: | Строка 333: | ||
</pre> | </pre> | ||
after that, start the server with the command | |||
service openvpn start. | service openvpn start. | ||
Next, create a client configuration file on the controller: | |||
client.ovpn: | client.ovpn: | ||
<pre> | <pre> | ||
Строка 359: | Строка 358: | ||
------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ||
</pre> | </pre> | ||
Note the line group i2c. It is necessary to work with the crypto device. | |||
Then run the client: | |||
<pre> | <pre> | ||
Строка 367: | Строка 366: | ||
</pre> | </pre> | ||
If all is well, then the system should appear tun0 interface with the address from the subnet 10.8.0.0/24: | |||
<pre> | <pre> | ||
Строка 380: | Строка 379: | ||
</pre> | </pre> | ||
To check the performance run ping: | |||
<pre> | <pre> | ||
Строка 389: | Строка 388: | ||
</pre> | </pre> | ||
== | == Mosquitto settings == | ||
UPD: | UPD: | ||
Строка 469: | Строка 468: | ||
Generate a private key and certificate request: | |||
<pre> | <pre> | ||
Строка 481: | Строка 480: | ||
</pre> | </pre> | ||
Copy the file '''ca.crt''', '''mosquitto.crt''', '''mosquitto.key''' to the server and edit the configuration file '''/etc/mosquito/conf.d/server.conf''' | |||
<pre> | <pre> | ||
Строка 491: | Строка 490: | ||
</pre> | </pre> | ||
Start service: | |||
<pre> | <pre> | ||
service mosquitto start | service mosquitto start | ||
</pre> | </pre> | ||
Also, if required, you can make the local mosquitto server on the controller | |||
forwarder some topics on a remote server. To do this, create a bridge file: '''/etc/mosquitto/bridge.conf''' | |||
<pre> | <pre> | ||
Строка 509: | Строка 508: | ||
</pre> | </pre> | ||
After restarting the local service mosquito topics /test/.. will be sent to the remote server example.com | |||
secure ssl channel. | |||
Examples of client mosquitto commands. | |||
Sending a message to the "test" topic on the example.com server | |||
<pre> | <pre> | ||
Строка 519: | Строка 518: | ||
</pre> | </pre> | ||
Getting messages from the "test" topic on the example.com server | |||
<pre> | <pre> | ||
mosquitto_sub -h example.com --cert device_AP6V5MDG.crt --key 'engine:ateccx08:ATECCx08:00:04:C0:00' -t "test" --cafile ca.crt | mosquitto_sub -h example.com --cert device_AP6V5MDG.crt --key 'engine:ateccx08:ATECCx08:00:04:C0:00' -t "test" --cafile ca.crt | ||
</pre> | </pre> |
правки