using HSM in tedge-mapper-c8y

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
thin-edge · Jan 29, 2025 · a308296 · a308296
1 parent 649a5f7
commit a308296
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 29 deletions.
diff --git a/crates/common/tedge_config/src/tedge_config_cli/tedge_config.rs b/crates/common/tedge_config/src/tedge_config_cli/tedge_config.rs
@@ -102,7 +102,7 @@ impl TEdgeConfig {
             self.mqtt.client.auth.cert_file.as_ref(),
             self.mqtt.client.auth.key_file.as_ref(),
         )) {
-            mqtt_config.with_client_auth(client_cert, client_key)?;
+            // mqtt_config.with_client_auth(client_cert, client_key)?;
         }
 
         Ok(mqtt_config)

diff --git a/crates/core/tedge/src/bridge/config.rs b/crates/core/tedge/src/bridge/config.rs
@@ -123,20 +123,28 @@ impl BridgeConfig {
             )));
         }
 
-        if !use_basic_auth {
-            if !self.bridge_certfile.exists() {
-                return Err(ConnectError::Certificate(anyhow!(
-                    "Bridge certificate {:?} does not exist",
-                    self.bridge_certfile
-                )));
-            }
+        if use_basic_auth {
+            return Ok(());
+        }
 
-            if !self.bridge_keyfile.exists() {
-                return Err(ConnectError::Certificate(anyhow!(
-                    "Bridge key {:?} does not exist",
-                    self.bridge_keyfile
-                )));
-            }
+        // for HSM, to make sure we're not using the private key I renamed it
+        // but this check here needs to be temporarily overridden
+
+        // TODO: remove this and do a proper check if using the PIV device
+        return Ok(());
+
+        if !self.bridge_certfile.exists() {
+            return Err(ConnectError::Certificate(anyhow!(
+                "Bridge certificate {:?} does not exist",
+                self.bridge_certfile
+            )));
+        }
+
+        if !self.bridge_keyfile.exists() {
+            return Err(ConnectError::Certificate(anyhow!(
+                "Bridge key {:?} does not exist",
+                self.bridge_keyfile
+            )));
         }
 
         Ok(())

diff --git a/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs b/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs
@@ -57,18 +57,17 @@ pub fn create_device_with_direct_connection(
         );
         create_tls_config_without_client_cert(&bridge_config.bridge_root_cert_path)?
     } else if let Some(use_piv_serial) = use_piv_serial {
-        dbg!(certificate::parse_root_certificate::create_tls_config_piv(
+        certificate::parse_root_certificate::create_tls_config_piv(
             &bridge_config.bridge_root_cert_path,
             use_piv_serial,
-        )?)
+        )?
     } else {
         create_tls_config(
             &bridge_config.bridge_root_cert_path,
             &bridge_config.bridge_keyfile,
             &bridge_config.bridge_certfile,
         )?
     };
-    dbg!(&tls_config);
     mqtt_options.set_transport(Transport::tls_with_config(tls_config.into()));
 
     let (mut client, mut connection) = Client::new(mqtt_options, 10);

diff --git a/crates/core/tedge/src/cli/connect/command.rs b/crates/core/tedge/src/cli/connect/command.rs
@@ -253,7 +253,6 @@ impl ConnectCommand {
     }
     fn check_connection(&self, config: &TEdgeConfig) -> Result<DeviceStatus, Fancy<ConnectError>> {
         let spinner = Spinner::start("Verifying device is connected to cloud");
-        dbg!("'ere m8");
         let res = match &self.cloud {
             Cloud::Azure(profile) => check_device_status_azure(config, profile.as_deref()),
             Cloud::Aws(profile) => check_device_status_aws(config, profile.as_deref()),
@@ -562,15 +561,15 @@ fn check_device_status_c8y(
 
     mqtt_options.set_keep_alive(RESPONSE_TIMEOUT);
 
-    if let Ok(piv_serial) = tedge_config.device.use_piv_serial.or_config_not_set() {
-        let tls_config = certificate::rustls022::parse_root_certificate::create_tls_config_piv(
-            &c8y_config.root_cert_path,
-            piv_serial.clone(),
-        )?;
-        dbg!("weeee");
-        dbg!(&tls_config);
-        mqtt_options.set_transport(rumqttc::Transport::tls_with_config(tls_config.into()));
-    }
+    // if let Ok(piv_serial) = tedge_config.device.use_piv_serial.or_config_not_set() {
+    //     let tls_config = dbg!(
+    //         certificate::rustls022::parse_root_certificate::create_tls_config_piv(
+    //             &c8y_config.root_cert_path,
+    //             piv_serial.clone(),
+    //         )?
+    //     );
+    //     mqtt_options.set_transport(rumqttc::Transport::tls_with_config(tls_config.into()));
+    // }
 
     let (client, mut connection) = rumqttc::Client::new(mqtt_options, 10);
     connection

diff --git a/crates/core/tedge_mapper/src/c8y/mapper.rs b/crates/core/tedge_mapper/src/c8y/mapper.rs
@@ -22,6 +22,7 @@ use tedge_http_ext::HttpActor;
 use tedge_mqtt_bridge::rumqttc::LastWill;
 use tedge_mqtt_bridge::use_credentials;
 use tedge_mqtt_bridge::use_key_and_cert;
+use tedge_mqtt_bridge::use_piv;
 use tedge_mqtt_bridge::BridgeConfig;
 use tedge_mqtt_bridge::MqttBridgeActorBuilder;
 use tedge_mqtt_bridge::QoS;
@@ -153,7 +154,11 @@ impl TEdgeComponent for CumulocityMapper {
             cloud_config.set_clean_session(true);
 
             if use_certificate {
-                use_key_and_cert(&mut cloud_config, c8y_config)?;
+                if let Some(piv_serial) = tedge_config.device.use_piv_serial.or_none() {
+                    use_piv(&mut cloud_config, c8y_config)?;
+                } else {
+                    use_key_and_cert(&mut cloud_config, c8y_config)?;
+                }
             } else {
                 let (username, password) = read_c8y_credentials(&c8y_config.credentials_path)?;
                 use_credentials(

diff --git a/crates/extensions/tedge_mqtt_bridge/src/config.rs b/crates/extensions/tedge_mqtt_bridge/src/config.rs
@@ -1,6 +1,7 @@
 use crate::topics::matches_ignore_dollar_prefix;
 use crate::topics::TopicConverter;
 use certificate::parse_root_certificate::create_tls_config;
+use certificate::parse_root_certificate::create_tls_config_piv;
 use certificate::parse_root_certificate::create_tls_config_without_client_cert;
 use certificate::rustls022 as certificate;
 use rumqttc::valid_filter;
@@ -24,6 +25,12 @@ pub fn use_key_and_cert(
     Ok(())
 }
 
+pub fn use_piv(config: &mut MqttOptions, cloud_config: &dyn CloudConfig) -> anyhow::Result<()> {
+    let tls_config = create_tls_config_piv(cloud_config.root_cert_path(), "1234".into())?;
+    config.set_transport(Transport::tls_with_config(tls_config.into()));
+    Ok(())
+}
+
 pub fn use_credentials(
     config: &mut MqttOptions,
     root_cert_path: impl AsRef<Path>,

diff --git a/crates/extensions/tedge_mqtt_bridge/src/lib.rs b/crates/extensions/tedge_mqtt_bridge/src/lib.rs
@@ -84,7 +84,19 @@ impl MqttBridgeActorBuilder {
                 ca_dir: Some(ca_dir),
                 client: Some(client),
                 ..
-            } => Some(create_tls_config(ca_dir, &client.key_file, &client.cert_file).unwrap()),
+            } => {
+                if let Some(piv_serial) = tedge_config.device.use_piv_serial.or_none() {
+                    Some(
+                        certificate::rustls022::parse_root_certificate::create_tls_config_piv(
+                            ca_dir,
+                            piv_serial.clone(),
+                        )
+                        .unwrap(),
+                    )
+                } else {
+                    Some(create_tls_config(ca_dir, &client.key_file, &client.cert_file).unwrap())
+                }
+            }
             MqttAuthConfig {
                 ca_file: Some(ca_file),
                 client: Some(client),