Add option to authenticate via client certificates #38
Conversation
ctenruh-phytec
changed the title
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
2 times, most recently
from
c109fa7 to
93b0872
Compare
|
If you have time and if you find it appropriate, would you mind writing a a couple of lines about the client certificates in the README. We already have some text about the two different tokens. I think it could be helpful to new users of the updater. |
|
of course. |
|
@ctenruh-phytec Great work on the README 🥇 |
|
thanks :) |
|
Thank you for your work on this feature. I, too, would like to see this implemented. If client devices have TLS client certificates anyway, it seems like a good idea to use those. The primary benefit to me seems to be that, technically, the hawkbit server does not have to be aware of the client (e.g. know a client-specific auth token) before its first connection. However, looking at this pull request, I am somewhat confused by the language used; within the patch and also within the pull request description. In particular, "Client certificate and private key of Client certificate are send to the set Server." confuses me. The client uses asymmetric cryptography and has a private/public key pair. The client certificate is essentially a signature of a certificate authority on the client public key. The client certificate contains no private information and must be sent to the server. However, the private key is used for decryption or signing only; and must never be transferred. |
|
The implementation provides access to the certificate and private key to curl, so (under the assumption that curl behaves correctly) does not seem to actually send the private key to the server. So my comment merely refers to a documentation issue. |
|
Hello @bantu , |
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
3ef8059 to
0fa5338
Compare
There was a problem hiding this comment.
In general it looks like a good and relevant extension of the already-implemented authentication options for me.
I've also added some notes of what I've found while having a look on this.
We should also add some minimal tests for that (at least for option handling).
Please also note that the commit messages should be prefixed with the appropriate scope where applicable.
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
2 times, most recently
from
a0ab027 to
2df0ba8
Compare
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
2df0ba8 to
5bcc93c
Compare
|
May I know when this is planned to be merged? It looks like all the needed changes are here? |
|
@hongkongkiwi It looks like this PR needs to be rebased (or merged) to resolve some conflicts. I'd like to see this merged too. Anything in particular I can help with? |
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
5bcc93c to
986ab6b
Compare
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
986ab6b to
b327129
Compare
|
i noticed you removed the Authentication Methods from the README so i also removed my entry for the verification via certificates. |
|
@ctenruh-phytec The authentication section from the README was moved to |
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
2 times, most recently
from
83a2b0d to
9a1833b
Compare
ctenruh-phytec
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
2 times, most recently
from
14a5bb1 to
e9a4e8b
Compare
|
moved the description to |
| @@ -1,8 +1,8 @@ | |||
| Using the RAUC hawkbit Updater | |||
| ============================== | |||
|
|
|||
| Authentication | |||
| -------------- | |||
| Authentication via tokens | |||
There was a problem hiding this comment.
| Authentication via tokens | |
| Authentication via Tokens |
| - to have a TLS connection to the reverse proxy server | ||
| - to contain the client certificate | ||
| - to have the common name of the server certificate match the server | ||
| name set in the configuration file as "hawkbit_server" | ||
|
|
||
| The purpose of the reverse proxy is to: | ||
|
|
||
| - disband the TLS connection | ||
| - check if sent client certificate is valid | ||
| - extract the common name and fingerprint of the client certificate | ||
| - forward the common name and fingerprint as HTTP headers to the | ||
| hawkBit server | ||
|
|
||
| When the hawkBit server receives the request it checks if: | ||
|
|
||
| - sent common name matches with the controller ID of the target | ||
| - sent fingerprint(s) matches the expected fingerprint(s) which is set | ||
| in the system configuration settings of hawkBit |
There was a problem hiding this comment.
No need for indentation here.
| ssl = true | ||
| ssl_verify = true |
There was a problem hiding this comment.
What happens if these options are false?
| #client_cert = /path/to/client_certificate.pem | ||
| #client_key = /path/to/client_certificate.key |
There was a problem hiding this comment.
Why are these options commented?
| g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE, | ||
| "Neither auth_token nor gateway_token is set in the config."); | ||
| return NULL; | ||
| } | ||
| if (key_auth_token_exists && key_gateway_token_exists) { | ||
| g_info("Neither auth_token nor gateway_token is set, using client certificates"); | ||
| key_client_cert_exists = get_key_string(ini_file, "client", "client_cert", &config->client_cert, NULL, NULL); | ||
| key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL); | ||
| if (!key_client_cert_exists || !key_client_key_exists) { | ||
| g_set_error(error, 1, 4, "Neither a token nor client certificate are set!"); | ||
| return NULL; | ||
| } | ||
| } else if (key_auth_token_exists && key_gateway_token_exists) { |
There was a problem hiding this comment.
Could you please read these config options outside of these if and then add checks for all combinations that are not allowed? This should make the logic simpler here.
|
|
||
| if (hawkbit_config->client_cert && hawkbit_config->client_key) { | ||
| curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM"); | ||
| curl_easy_setopt(curl, CURLOPT_SSLCERT, hawkbit_config->client_cert); | ||
| curl_easy_setopt(curl, CURLOPT_SSLKEY, hawkbit_config->client_key); | ||
| } | ||
|
|
There was a problem hiding this comment.
This belongs in set_auth_curl_header() which is used for get_binary() as well as rest_request().
|
|
||
| if (hawkbit_config->client_cert && hawkbit_config->client_key) { | ||
| curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM"); | ||
| curl_easy_setopt(curl, CURLOPT_SSLCERT, hawkbit_config->client_cert); | ||
| curl_easy_setopt(curl, CURLOPT_SSLKEY, hawkbit_config->client_key); | ||
| } | ||
|
|
test/rauc-hawkbit-updater.t
Outdated
| echo 'Loading config file failed: Neither auth_token nor gateway_token is set in the config.' > expected_out && | ||
| echo 'Loading config file failed: Neither a token nor client certificate are set!' > expected_out && |
There was a problem hiding this comment.
The bash tests are gone since #83. It would be great to have an actual test case for this with a reverse proxy. We already use nginx for some test cases (see test/conftest.py).
Client certificate and privat key of Client certificate are send to the set Server. Add description on how to use this authentication method in "docs/using.rst" file. Signed-off-by: Cem Tenruh <[email protected]>
Signed-off-by: Cem Tenruh <[email protected]>
ejoerns
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
e9a4e8b to
ed59577
Compare
|
I've rebased this onto master now (no further modifications). |
|
@ejoerns thanks, i did not had the time to look into the requested changes, as i was busy with other tasks. I will try to work on this as soon as possible. |
|
@ctenruh-phytec No worries, same here ;) |
|
Superseded by #166. |
Client certificate is send to the set Server.
Also added a new condition in "get_key_string" since before the function would return TRUE when "val" was given an empty string.
Edited the "rauc-hawkbit-updater.t" file accordingly so the tests won't fail.