@oleorhagen also note PKCS11 not working on mender client with TPM - #4 by sandevins
I don't think you can override your API direct provider from a cnf definition. But then, I don't know that with certainty; maybe we need to do a bit of verification?
I would note a couple of things that are specific to our use, and may not perturb anyone else's deployments: in the implementation you have described, if one of our installations requires proxy without passthrough, then we're out of luck, because the mender client can't be dynamically configured to use our customers' provider(s). This is particularly finicky with our FIPS/gov clients.
Further, if a critical vulnerability is discovered in a suite, there is no remediation I can perform. This has a direct impact on our published business continuity and disaster recovery plans.
At any rate, I feel like the mission of v3 was flexibility, as long as that intention isn't crippled by your implementation ¯\_(ツ)_/¯
To be honest, I'm mostly happy to see someone is digging into this at all.
Thanks, great feedback! I have changed it to do implicit loading of the providers now, so that the providers will have to be loaded through the cnf, same as for the Engines.
It even seems to be working. But one never really knows until it goes through battle, I guess.
Hmm, why not? Can you not give a custom ssl cnf to the client?
Dears, I'm trying to migrate the mender-client (3.5.2 -> 4.0.5) and am stuck on the new 4.0.5, with mender-auth failing to load the openssl config.
I'm on yocto4-kirkstone with the kirkstone branch (ca667e65).
Openssl used:
openssl - 3.0.5
openssl-bin - 3.0.5
openssl-conf - 3.0.5
openssl-ossl-module-legacy - 3.0.5
I just updated the mender-client and built a new image with mender-client now at 4.0.5.
I use the OpenSSL engine pkcs11 in my openssl.cnf.
My problem is: mender-client 3.5.2 can do auth with my openssl.cnf, but mender-client 4.0.5 cannot.
Here is the trace output from mender-auth now:
record_id=1 severity=debug time="2024-Dec-13 09:23:52.002156" name="Global" msg="Failed to load config from '/var/lib/mender/mender.conf': Failed to open '/var/lib/mender/mender.conf': No such file or directory"
record_id=2 severity=trace time="2024-Dec-13 09:23:52.003060" name="Global" msg="Loading the keystore"
record_id=3 severity=warning time="2024-Dec-13 09:23:52.005796" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error"
record_id=4 severity=trace time="2024-Dec-13 09:23:52.005982" name="Global" msg="Loading private key"
record_id=5 severity=trace time="2024-Dec-13 09:23:52.006050" name="Global" msg="Loading the private key from HSM"
record_id=6 severity=debug time="2024-Dec-13 09:23:52.006115" name="Global" msg="Loaded the HSM engine successfully!"
record_id=7 severity=debug time="2024-Dec-13 09:23:52.006182" name="Global" msg="Successfully initialised the HSM engine"
record_id=8 severity=debug time="2024-Dec-13 09:23:52.019662" name="Global" msg="Successfully loaded the private key from the HSM Engine: pkcs11"
record_id=9 severity=info time="2024-Dec-13 09:23:52.019852" name="Global" msg="Successfully loaded private key from pkcs11:token=myToken;object=MyAuthKey;type=private;pin-value=1234"
record_id=10 severity=info time="2024-Dec-13 09:23:52.034717" name="Global" msg="The authentication daemon is now ready to accept incoming authentication request"
My working mender.conf is under /etc/mender/mender.conf, it is the same as for mender-client - 3.5.2.
Any Ideas?
P.S.
I also see this commit in my working kirkstone branch; from my POV it should more or less fix this issue?
commit 717ed2a4461183cab122b95413ebc77c24f0e10a
Author: Daniel Skinstad Drabitzius <daniel.drabitzius@northern.tech>
Date: Thu Oct 3 20:25:19 2024 +0200
fix: explicitly initialize ssl
From the OpenSSL man pages:
Numerous internal OpenSSL functions call OPENSSL_init_ssl().
Therefore, in order to perform nondefault initialisation,
OPENSSL_init_ssl() MUST be called by application code prior to any other OpenSSL function calls.
See: https://docs.openssl.org/3.3/man3/OPENSSL_init_ssl/#description
This fixes errors where e.g. the openssl config configures ssl_conf,
which requires ssl to be initialized.
Ticket: MEN-7549
Changelog: Fix error while loading OpenSSL config file, by explicitly
initializing the SSL context prior to loading. Without the explicit
initialisation of SSL, the config might not be properly loaded if e.g.
it has sections specifying ssl settings. This was the case with the
example configuration for OpenSSL 1.1.1w from Debian Bullseye.
Signed-off-by: Daniel Skinstad Drabitzius <daniel.drabitzius@northern.tech>
(cherry picked from commit 4a3d82b834d5c7e7cbc850189d5e1afd54c53a74)
Even more, it crashes on boot (mender-authd.service: Main process exited, code=dumped, status=11/SEGV):
systemd[1]: Started Mender authentication service.
record_id=1 severity=warning time="2024-Dec-13 15:54:00.953414" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error"
record_id=2 severity=info time="2024-Dec-13 15:54:00.994691" name="Global" msg="Successfully loaded private key from pkcs11:token=myToken;object=MenderAuthKey;type=private;pin-value=1234"
record_id=3 severity=info time="2024-Dec-13 15:54:01.014167" name="Global" msg="The authentication daemon is now ready to accept incoming authentication request"
record_id=4 severity=warning time="2024-Dec-13 15:54:01.589833" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error
System error, code=11, Resource temporarily unavailable"
record_id=5 severity=warning time="2024-Dec-13 15:54:01.600524" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error
System error, code=11, Resource temporarily unavailable"
record_id=6 severity=info time="2024-Dec-13 15:54:01.603342" name="Global" msg="Signing with: pkcs11:token=myToken;object=MenderAuthKey;type=private;pin-value=1234"
mender-authd.service: Main process exited, code=dumped, status=11/SEGV
mender-authd.service: Failed with result 'core-dump'.
mender-authd.service: Scheduled restart job, restart counter is at 1.
Stopped Mender authentication service.
Started Mender authentication service.
record_id=1 severity=warning time="2024-Dec-13 15:54:02.659766" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error"
record_id=2 severity=info time="2024-Dec-13 15:54:02.674024" name="Global" msg="Successfully loaded private key from pkcs11:token=myToken;object=MenderAuthKey;type=private;pin-value=1234"
record_id=3 severity=info time="2024-Dec-13 15:54:02.689768" name="Global" msg="The authentication daemon is now ready to accept incoming authentication request"
Are openssl engines still supported by mender-client 4.x.x, or is changing to "providers" mandatory now?
Please advise.
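For triage of traces like the ones above, here is a small added Python helper (not part of the mender client or of this post) that parses records in the mender-auth log format and decodes the packed OpenSSL 3 error codes: the library index sits in bits 23..30 and the reason in the low 23 bits, so 1300006D splits into library 38 (ENGINE) and reason 109 (init failed). The sample record is constructed to mirror the trace; the library and reason names are the ones from OpenSSL's err.h/engineerr.h/conferr.h for exactly the codes seen here.

```python
import re

# Constructed sample in the shape of the mender-auth trace; the msg value of
# record 3 spans several lines because OpenSSL stacks its errors with newlines.
SAMPLE_LOG = '''record_id=2 severity=trace time="2024-Dec-13 09:23:52.003060" name="Global" msg="Loading the keystore"
record_id=3 severity=warning time="2024-Dec-13 09:23:52.005796" name="Global" msg="Failed to load OpenSSL configuration file: error:1300006D:engine routines::init failed
error:13000066:engine routines::engine configuration error
error:0700006D:configuration file routines::module initialization error"
record_id=4 severity=trace time="2024-Dec-13 09:23:52.005982" name="Global" msg="Loading private key"
'''

RECORD_RE = re.compile(r'record_id=(\d+) severity=(\w+) .*? msg="(.*?)"', re.S)
ERR_RE = re.compile(r'error:([0-9A-Fa-f]{8}):')

# OpenSSL 3 packs a code as (lib << 23) | reason; bit 31 flags a raw errno.
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_SYSTEM_FLAG = 0x80000000
LIB_NAMES = {14: "ERR_LIB_CONF", 38: "ERR_LIB_ENGINE"}
REASON_NAMES = {
    (38, 109): "ENGINE_R_INIT_FAILED",
    (38, 102): "ENGINE_R_ENGINE_CONFIGURATION_ERROR",
    (14, 109): "CONF_R_MODULE_INITIALIZATION_ERROR",
}

def decode_error(code):
    """Split one packed OpenSSL 3 error code into library and reason."""
    if code & ERR_SYSTEM_FLAG:
        return {"lib": "system", "reason": code & ERR_REASON_MASK, "name": "errno"}
    lib = (code >> ERR_LIB_OFFSET) & 0xFF
    reason = code & ERR_REASON_MASK
    return {"lib": LIB_NAMES.get(lib, f"lib {lib}"), "reason": reason,
            "name": REASON_NAMES.get((lib, reason), "unknown")}

def parse_records(text):
    """Return (record_id, severity, msg) tuples, keeping multi-line msg values intact."""
    return [(int(r), s, m) for r, s, m in RECORD_RE.findall(text)]

def config_load_failures(text):
    """Return the decoded error stack of every 'Failed to load OpenSSL configuration file' record."""
    out = []
    for rid, sev, msg in parse_records(text):
        if "Failed to load OpenSSL configuration file" in msg:
            codes = [int(c, 16) for c in ERR_RE.findall(msg)]
            out.append((rid, sev, [decode_error(c) for c in codes]))
    return out
```

Run against the posted trace, the first two entries of the stack come from the ENGINE library (the engine section of openssl.cnf failing to initialise), and only the last is the CONF library reporting that a module failed.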