Use ECC keys for authentication between Mender client and server

Thanks for this! Very helpful guide.

I got all of this working just fine but would like to use ECC instead of RSA. I followed this guide and generated the ECC keys using the following:

openssl ecparam -genkey -name prime256v1 -out private-and-params.key
openssl ec -in private-and-params.key -out private.key
openssl ec -in private-and-params.key -pubout -out public.key

Then I use the same method to generate a signature:

X_MEN_SIGNATURE=$(echo -n "${REQUEST_BODY}" | openssl dgst -sha256 -sign private.key | openssl base64 -A)

But when I go to send the authorization request I get an error about not being able to decode the public key. Any suggestions? Am I generating the keys correctly?

Hi @msaenger, glad you found the guide useful.

Regarding ECC, unfortunately this is a limitation in the backend; it only accepts RSA. It is something we are looking at, but nothing is committed yet.

Ah okay. Thanks for the quick response.

Hello.

I think the client-side key pair will be generated by the keygen-client script. At this point this script only generates a key pair using the RSA algorithm, on both the master branch and the 3.2.x branch.

But now the server-side release notes state that ED25519 and ECDSA support has been added:

add support for ED25519 and ECDSA public keys in auth requests ([MEN-3728])

https://docs.mender.io/3.2/release-information/release-notes-changelog/mender-server#deviceauth-2-4-0

So how can we use ED25519 / ECDSA keys for the client connection? Is it possible now?

If it helps, I have been using ECDSA secp384r1 with my Mender 2.4.1 server for a year and a half now, albeit I manage the keys/certs myself rather than using the scripts. So there is support in the server for it now.

Oh, that information is very helpful.
Now I will try using ED25519 or ECDSA in the keygen script and confirm that it is now working.
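The key generation and signing steps from the first post, and the server-side acceptance of ECDSA and Ed25519 public keys discussed in the later posts, worked through as an added Go example. This is not part of the thread and not Mender's client or server code; the kind names passed to generateKey and the JSON body are constructed for the example. The client half produces the PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block that `openssl ec -pubout` writes and the base64 signature the header carries: for RSA and ECDSA it signs the SHA-256 digest exactly as `openssl dgst -sha256 -sign` does (ECDSA in the ASN.1 DER encoding openssl emits), while Ed25519 signs the raw body, because `openssl dgst` cannot sign with an Ed25519 key and the equivalent command is `openssl pkeyutl -sign -inkey private.key -rawin -in body`. The server half parses the PEM and dispatches on the key type, which is the step a backend that only knows RSA lacks; in this code a key that does not parse, or a type it does not handle, comes back as a decode error rather than a signature failure.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"log"
)

// generateKey returns a private key of the requested kind; the kind names are this example's own.
func generateKey(kind string) (crypto.Signer, error) {
	switch kind {
	case "rsa":
		return rsa.GenerateKey(rand.Reader, 2048)
	case "ecdsa-p256": // openssl ecparam -name prime256v1
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "ecdsa-p384": // openssl ecparam -name secp384r1
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case "ed25519":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	return nil, fmt.Errorf("unknown key kind %q", kind)
}

// authRequest is the client side: the PEM "PUBLIC KEY" block that `openssl ... -pubout` writes, plus the
// base64 signature. RSA/ECDSA sign the SHA-256 digest like `openssl dgst -sha256 -sign`; Ed25519 signs the raw body.
func authRequest(priv crypto.Signer, body []byte) (pubPEM, sigB64 string, err error) {
	der, err := x509.MarshalPKIXPublicKey(priv.Public())
	if err != nil {
		return "", "", err
	}
	pubPEM = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	digest := sha256.Sum256(body)
	msg, opts := digest[:], crypto.SignerOpts(crypto.SHA256)
	if _, isEd := priv.(ed25519.PrivateKey); isEd {
		msg, opts = body, crypto.Hash(0) // pure Ed25519: the message itself is signed, no pre-hash
	}
	sig, err := priv.Sign(rand.Reader, msg, opts)
	if err != nil {
		return "", "", err
	}
	return pubPEM, base64.StdEncoding.EncodeToString(sig), nil
}

// verifySignature is the server side: decode the PEM key, then dispatch on its type (an illustration, not Mender's code).
func verifySignature(pubPEM string, body []byte, sigB64 string) error {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("cannot decode public key: not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("cannot decode public key: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(body)
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig)
	case *ecdsa.PublicKey:
		if ecdsa.VerifyASN1(k, digest[:], sig) {
			return nil
		}
	case ed25519.PublicKey:
		if ed25519.Verify(k, body, sig) {
			return nil
		}
	default:
		return fmt.Errorf("unsupported public key type %T", pub)
	}
	return fmt.Errorf("signature verification failed")
}

func main() {
	body := []byte(`{"id_data":"{\"mac\":\"00:11:22:33:44:55\"}"}`) // constructed stand-in for the auth request body
	for _, kind := range []string{"rsa", "ecdsa-p256", "ecdsa-p384", "ed25519"} {
		priv, err := generateKey(kind)
		if err != nil {
			log.Fatal(err)
		}
		pubPEM, sigB64, err := authRequest(priv, body)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(kind, verifySignature(pubPEM, body, sigB64))
	}
}
```

Run it with `go run`; each line prints the key kind followed by `<nil>` when the server half accepts the client half's signature. The "ecdsa-p384" kind corresponds to the secp384r1 keys mentioned above, and an ECDSA signature presented under an Ed25519 key, or a key that is not a PEM PUBLIC KEY block, is rejected before any signature math runs.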