Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for openssl PKCS#11 engine to openssl_posix.c #1780

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add support for openssl PKCS#11 engine to openssl_posix.c #1780

wants to merge 9 commits into from

Conversation

paulbartell
Copy link
Member

Add support for the libp11 openssl engine and p11-kit to the openssl_posix.c transport interface implementation.

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

@paulbartell paulbartell force-pushed the paulbartell/openssl_libp11_support branch from 16841cc to 73542a7 Compare January 13, 2022 19:55
@paulbartell paulbartell force-pushed the paulbartell/openssl_libp11_support branch from 73542a7 to eb9bcfc Compare January 13, 2022 19:58
@paulbartell paulbartell force-pushed the paulbartell/openssl_libp11_support branch from ec02980 to 3813275 Compare January 13, 2022 20:09
@paulbartell paulbartell marked this pull request as ready for review January 14, 2022 18:59
@paulbartell paulbartell requested a review from a team as a code owner January 14, 2022 18:59
ravibhagavandas
ravibhagavandas reviewed Jan 14, 2022
View reviewed changes
docs/README_openssl_pkcs11.md
```
p11tool --login --load-certificate=aws_iot_pk.crt --write --label=aws_iot_pk "pkcs11:token=default"
```

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Steps are missing or its not clear how to add/get Amazon Root CA or private rootCA from system trust store.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They're automatically included by the OS.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html for more information.

I'll add a note similar to:

You can confirm this with the follow cli command:

p11tool --list-all-certs pkcs11:token=System%20Trust | grep Amazon\ Root\ CA

platform/posix/transport/src/openssl_posix.c
assert( pSslContext != NULL );
assert( pEngine != NULL );
assert( pClientCertURI != NULL );

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add debug log for pClientCertURI here ?

platform/posix/transport/src/openssl_posix.c
if( pOpensslCredentials->pRootCaPath != NULL )
/* Initialize the pkcs11 engine if needed */
if( ( pOpensslCredentials->pPrivateKeyPath != NULL ) &&
( pOpensslCredentials->pClientCertPath != NULL ) )
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check for pOpensslCredentials->pRootCaPath != NULL

platform/posix/transport/src/openssl_posix.c Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ravibhagavandas ravibhagavandas ravibhagavandas left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@paulbartell @ravibhagavandas