From 7ba7baafc203fa4dd59829eca0cd3fc6777eda15 Mon Sep 17 00:00:00 2001 From: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> Date: Tue, 25 Mar 2025 13:15:39 +0100 Subject: [PATCH 1/3] added edge_ca validation for identity config (x509 DPS and TPM DPS) Signed-off-by: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> --- src/validators/identity.rs | 23 ++++++++++----------- testfiles/identity_config_dps_tpm.toml | 19 ++++++++++++++++- testfiles/identity_config_dps_x509_est.toml | 13 ++++++++++++ 3 files changed, 42 insertions(+), 13 deletions(-) diff --git a/src/validators/identity.rs b/src/validators/identity.rs index 13c6d2f..b2bdd8b 100644 --- a/src/validators/identity.rs +++ b/src/validators/identity.rs @@ -121,8 +121,12 @@ struct Tpm { #[serde(deny_unknown_fields)] #[allow(dead_code)] struct EdgeCA { - cert: String, - pk: String, + method: String, + common_name: String, + url: String, + bootstrap_identity_cert: String, + bootstrap_identity_pk: String, + auto_renew: Option, } #[derive(Debug, Deserialize)] @@ -144,8 +148,8 @@ struct Urls { #[serde(deny_unknown_fields)] #[allow(dead_code, clippy::upper_case_acronyms)] struct EST { - auth: Auth, - urls: Urls, + auth: Option, + urls: Option, trusted_certs: Vec, } @@ -307,14 +311,9 @@ pub fn validate_identity( .as_ref() .and_then(|ci| ci.est.as_ref()) .map(|est| { - est.auth.bootstrap_identity_cert.as_str() - == "file:///mnt/cert/priv/device_id_cert.pem" - && est.auth.bootstrap_identity_cert.as_str() - == "file:///mnt/cert/priv/device_id_cert.pem" - && est - .trusted_certs - .iter() - .any(|e| e == "file:///mnt/cert/ca/ca.crt") + est.trusted_certs.iter().any(|e| { + e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt" + }) }) { out.push(WARN_UNEXPECTED_PATH) diff --git a/testfiles/identity_config_dps_tpm.toml b/testfiles/identity_config_dps_tpm.toml index 7c0f67a..cca59b8 100644 --- a/testfiles/identity_config_dps_tpm.toml +++ b/testfiles/identity_config_dps_tpm.toml 
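Review bot: `EdgeCA.method` in the `@@ -121` hunk is a free-form `String`, so `deny_unknown_fields` rejects an unknown key at parse time while an unsupported method value is accepted silently and, as far as the visible hunks show, never checked; an enum of the accepted methods (the fixtures in this series only use `"est"`), e.g. `#[derive(Deserialize)] #[serde(rename_all = "lowercase")] enum EdgeCaMethod { Est }` as the field type, would make the parser reject anything else. The type parameters of `Option` and `Vec` do not survive on this page, so I read them as `Option<…>`/`Vec<…>`. The `@@ -144` and `@@ -307` hunks make `EST.auth`/`EST.urls` optional and drop the bootstrap-identity path checks, which patch 3 of this series reverts, so I raise nothing there.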
@@ -6,4 +6,21 @@ global_endpoint = "https://global.azure-devices-provisioning.net" id_scope = "my-scope-id" [provisioning.attestation] -method = "tpm" \ No newline at end of file +method = "tpm" + +[cert_issuance.est] +trusted_certs = [ + "file:///mnt/cert/ca/edge_ca.crt", +] + +[edge_ca] +method = "est" +common_name = "test" +url = "my-est-url" +bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" +bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" + +[edge_ca.auto_renew] +rotate_key = true +threshold = "80%" +retry = "4%" \ No newline at end of file diff --git a/testfiles/identity_config_dps_x509_est.toml b/testfiles/identity_config_dps_x509_est.toml index 6223e10..9271523 100644 --- a/testfiles/identity_config_dps_x509_est.toml +++ b/testfiles/identity_config_dps_x509_est.toml @@ -21,6 +21,7 @@ retry = "4%" [cert_issuance.est] trusted_certs = [ "file:///mnt/cert/ca/ca.crt", + "file:///mnt/cert/ca/edge_ca.crt", ] [cert_issuance.est.auth] @@ -29,3 +30,15 @@ bootstrap_identity_pk = "file:///mnt/cert/priv/device_id_cert_key.pem" [cert_issuance.est.urls] default = "my-est-url" + +[edge_ca] +method = "est" +common_name = "test-omnect-est" +url = "my-est-url" +bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" +bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" + +[edge_ca.auto_renew] +rotate_key = true +threshold = "80%" +retry = "4%" From 88f433f30529b5cd3eeec5f8adaf0a6de1e844e5 Mon Sep 17 00:00:00 2001 From: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> Date: Tue, 25 Mar 2025 15:12:45 +0100 Subject: [PATCH 2/3] update config templates to support edgeCA handling via EST Signed-off-by: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> --- Cargo.lock | 2 +- Cargo.toml | 2 +- conf/config.toml.est.template | 13 +++++++++++++ conf/config.toml.tpm.template | 19 ++++++++++++++++++- src/validators/identity.rs | 2 ++ 5 files changed, 35 insertions(+), 3 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 19d0099..16b4765 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2411,7 +2411,7 @@ dependencies = [ [[package]] name = "omnect-cli" -version = "0.25.1" +version = "0.26.0" dependencies = [ "actix-web", "anyhow", diff --git a/Cargo.toml b/Cargo.toml index 77c1e1f..22a7626 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,7 +7,7 @@ license = "MIT OR Apache-2.0" name = "omnect-cli" readme = "README.md" repository = "https://github.com/omnect/omnect-cli" -version = "0.25.1" +version = "0.26.0" [dependencies] actix-web = "4.9" diff --git a/conf/config.toml.est.template b/conf/config.toml.est.template index d65b30b..6a8a91b 100644 --- a/conf/config.toml.est.template +++ b/conf/config.toml.est.template @@ -24,6 +24,7 @@ retry = "4%" [cert_issuance.est] trusted_certs = [ "file:///mnt/cert/ca/ca.crt", + "file:///mnt/cert/ca/edge_ca.crt", ] [cert_issuance.est.auth] @@ -32,3 +33,15 @@ bootstrap_identity_pk = "file:///mnt/cert/priv/device_id_cert_key.pem" [cert_issuance.est.urls] default = "https://omnect-est.url:8080/.well-known/est" + +[edge_ca] +method = "est" +common_name = "test-omnect-est" +url = "https://omnect-est.url2/.well-known/est" +bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" +bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" + +[edge_ca.auto_renew] +rotate_key = true +threshold = "80%" +retry = "4%" diff --git a/conf/config.toml.tpm.template b/conf/config.toml.tpm.template index 36f9dad..bba4eda 100644 --- a/conf/config.toml.tpm.template +++ b/conf/config.toml.tpm.template 
@@ -9,7 +9,24 @@ id_scope = "my-scope-id" [provisioning.attestation] method = "tpm" -registration_id = "my-reg-id" +registration_id = "my-omnect-iot-tpm-device" + +[cert_issuance.est] +trusted_certs = [ + "file:///mnt/cert/ca/edge_ca.crt", +] + +[edge_ca] +method = "est" +common_name = "my-omnect-iot-tpm-device" +url = "https://omnect-est.url:8080/.well-known/est" +bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" +bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" + +[edge_ca.auto_renew] +rotate_key = true +threshold = "80%" +retry = "4%" # [tpm] # tcti = "device:/dev/tpmrm0" # adapt if using e.g. abrmd, default is "device" diff --git a/src/validators/identity.rs b/src/validators/identity.rs index b2bdd8b..b198f11 100644 --- a/src/validators/identity.rs +++ b/src/validators/identity.rs @@ -121,6 +121,8 @@ struct Tpm { #[serde(deny_unknown_fields)] #[allow(dead_code)] struct EdgeCA { + cert: Option, + pk: Option, method: String, common_name: String, url: String, From 101853dba6b3061c4fbe205a326ba7c50c25c53e Mon Sep 17 00:00:00 2001 From: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:14:15 +0100 Subject: [PATCH 3/3] switch back to cert_issuance.est handling; improve tpm handling Signed-off-by: Joerg Zeidler <62105035+JoergZeidler@users.noreply.github.com> --- conf/config.toml.tpm.template | 16 ++++++++++------ src/validators/identity.rs | 24 ++++++++++++++++-------- testfiles/identity_config_dps_tpm.toml | 10 +++++++--- 3 files changed, 33 insertions(+), 17 deletions(-) diff --git a/conf/config.toml.tpm.template b/conf/config.toml.tpm.template index bba4eda..641502f 100644 --- a/conf/config.toml.tpm.template +++ b/conf/config.toml.tpm.template @@ -1,5 +1,5 @@ ## Hostname -hostname = "my-omnect-iot-tpm-device" +hostname = "test-omnect-tpm" ## DPS provisioning with tpm [provisioning] 
@@ -9,20 +9,24 @@ id_scope = "my-scope-id" [provisioning.attestation] method = "tpm" -registration_id = "my-omnect-iot-tpm-device" +registration_id = "test-omnect-tpm" [cert_issuance.est] trusted_certs = [ "file:///mnt/cert/ca/edge_ca.crt", ] -[edge_ca] -method = "est" -common_name = "my-omnect-iot-tpm-device" -url = "https://omnect-est.url:8080/.well-known/est" +[cert_issuance.est.auth] bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" +[cert_issuance.est.urls] +default = "https://omnect-est.url:8080/.well-known/est" + +[edge_ca] +method = "est" +common_name = "test-omnect-tpm" + [edge_ca.auto_renew] rotate_key = true threshold = "80%" diff --git a/src/validators/identity.rs b/src/validators/identity.rs index b198f11..c0c413c 100644 --- a/src/validators/identity.rs +++ b/src/validators/identity.rs @@ -125,9 +125,9 @@ struct EdgeCA { pk: Option, method: String, common_name: String, - url: String, - bootstrap_identity_cert: String, - bootstrap_identity_pk: String, + url: Option, + bootstrap_identity_cert: Option, + bootstrap_identity_pk: Option, auto_renew: Option, } @@ -150,8 +150,8 @@ struct Urls { #[serde(deny_unknown_fields)] #[allow(dead_code, clippy::upper_case_acronyms)] struct EST { - auth: Option, - urls: Option, + auth: Auth, + urls: Urls, trusted_certs: Vec, } 
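Review bot: `conf/config.toml.est.template` and `conf/config.toml.tpm.template` now disagree on where the EST bootstrap identity lives: the tpm template in this hunk keeps only `method` and `common_name` under `[edge_ca]` and puts the cert/key and URL under `[cert_issuance.est.auth]`/`[cert_issuance.est.urls]`, while the est template (changed in patch 2, untouched here) still ships `url`, `bootstrap_identity_cert` and `bootstrap_identity_pk` under `[edge_ca]`. The `@@ -125` hunk turns those `EdgeCA` fields into `Option`s and, as far as the visible hunks show, nothing validates them, so the est template's bootstrap paths would go unchecked while the tpm template's are checked. I would align the est template with the tpm one, or state the supported layout on the struct, e.g. `/// EST bootstrap identity is read from [cert_issuance.est.auth]; url/bootstrap_identity_* here are accepted but (presumably) not validated — confirm.`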
@@ -313,9 +313,17 @@ pub fn validate_identity( .as_ref() .and_then(|ci| ci.est.as_ref()) .map(|est| { - est.trusted_certs.iter().any(|e| { - e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt" - }) + (est.auth.bootstrap_identity_cert.as_str() + == "file:///mnt/cert/priv/device_id_cert.pem" + || est.auth.bootstrap_identity_cert.as_str() + == "file:///mnt/cert/priv/edge_ca_cert.pem") + && (est.auth.bootstrap_identity_pk.as_str() + == "file:///mnt/cert/priv/device_id_cert_key.pem" + || est.auth.bootstrap_identity_pk.as_str() + == "file:///mnt/cert/priv/edge_ca_cert_key.pem") + && est.trusted_certs.iter().any(|e| { + e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt" + }) }) { out.push(WARN_UNEXPECTED_PATH) diff --git a/testfiles/identity_config_dps_tpm.toml b/testfiles/identity_config_dps_tpm.toml index cca59b8..ed748ec 100644 --- a/testfiles/identity_config_dps_tpm.toml +++ b/testfiles/identity_config_dps_tpm.toml @@ -13,12 +13,16 @@ trusted_certs = [ "file:///mnt/cert/ca/edge_ca.crt", ] +[cert_issuance.est.auth] +bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" +bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" + +[cert_issuance.est.urls] +default = "my-est-url" + [edge_ca] method = "est" common_name = "test" -url = "my-est-url" -bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem" -bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem" [edge_ca.auto_renew] rotate_key = true
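Review bot: The rewritten predicate in the `@@ -313` hunk accepts a cross-paired bootstrap identity, e.g. `bootstrap_identity_cert = "file:///mnt/cert/priv/device_id_cert.pem"` together with `bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"`, because the cert and the key are each matched against both expected values independently; the two `||` groups should become two `&&` pairs so the device-id cert is only accepted with the device-id key and the edge-CA cert only with the edge-CA key. Separately, `trusted_certs.iter().any(...)` still passes a list that holds one expected entry plus arbitrary extra paths; if `WARN_UNEXPECTED_PATH` is meant to cover that case, `all` is the matching check, but the intent is not visible in the hunk so I leave that as a question. `validate_identity` starts and ends outside the hunk.
```rust
.map(|est| {
    let cert = est.auth.bootstrap_identity_cert.as_str();
    let pk = est.auth.bootstrap_identity_pk.as_str();
    // Accept only a matching cert/key pair; a device-id cert with an
    // edge-CA key (or vice versa) is not an expected layout.
    let identity_ok = (cert == "file:///mnt/cert/priv/device_id_cert.pem"
        && pk == "file:///mnt/cert/priv/device_id_cert_key.pem")
        || (cert == "file:///mnt/cert/priv/edge_ca_cert.pem"
            && pk == "file:///mnt/cert/priv/edge_ca_cert_key.pem");
    identity_ok
        && est.trusted_certs.iter().any(|e| {
            e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt"
        })
})
// … unchanged: out.push(WARN_UNEXPECTED_PATH) …
```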