
mendersoftware / mender / 1055811984

31 Oct 2023 08:02AM UTC coverage: 79.875%. Remained the same
oleorhagen
feat(crypto): Add HSM support

This adds support for HSM key storage. This is a wrapper around the existing
OpenSSL external crypto support, and supports both the deprecated `ENGINE` API
in OpenSSL 1.x, and the new `Provider` API in OpenSSL 3.x.

Ticket: MEN-6668
Changelog: The client's HSM crypto-module support is changed so that the
`PrivateKey` used for `authentication` is always taken from the configurations:
`security.AuthPrivateKey`, and the `HttpsClient.private_key` is only used as the
key for the associated certificate `HttpsClient.client_certificate`. The two can
still use the same key, but this now means that you need to add the same key `url` in
both places.

Signed-off-by: Ole Petter <ole.orhagen@northern.tech>

/mender-auth/cli/keystore.cpp
// Copyright 2023 Northern.tech AS
//
//    Licensed under the Apache License, Version 2.0 (the "License");
//    you may not use this file except in compliance with the License.
//    You may obtain a copy of the License at
//
//        http://www.apache.org/licenses/LICENSE-2.0
//
//    Unless required by applicable law or agreed to in writing, software
//    distributed under the License is distributed on an "AS IS" BASIS,
//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//    See the License for the specific language governing permissions and
//    limitations under the License.

#include <mender-auth/cli/keystore.hpp>

#include <string>
#include <utility>

#include <common/log.hpp>
#include <common/crypto.hpp>


namespace mender {
namespace auth {
namespace cli {

// File-scope using-directive (inside mender::auth::cli): the unqualified
// string / move / error_condition used below resolve into std through it.
using namespace std;

namespace log = mender::common::log;

namespace crypto = mender::common::crypto;

// The single category object for keystore errors. MakeError() below pairs a
// KeyStoreErrorCode with it to build the error_condition carried by error::Error.
const KeyStoreErrorCategoryClass KeyStoreErrorCategory;

// Category name reported for keystore errors (see KeyStoreErrorCategory above).
const char *KeyStoreErrorCategoryClass::name() const noexcept {
        static constexpr const char *kCategoryName = "KeyStoreErrorCategory";
        return kCategoryName;
}

// Human-readable text for a KeyStoreErrorCode value.
//
// @param code  A KeyStoreErrorCode passed through error_condition as int.
// @return      The message for a known code; "Unknown" (after an assert in
//              debug builds) for anything else.
string KeyStoreErrorCategoryClass::message(int code) const {
        const char *text = nullptr;
        switch (code) {
        case NoError:
                text = "Success";
                break;
        case NoKeysError:
                text = "No key in memory";
                break;
        case StaticKeyError:
                text = "Cannot replace static key";
                break;
        }
        if (text != nullptr) {
                return text;
        }
        // Deliberately no "default" label in the switch above, so that adding a
        // new enumerator is noticed at compile time; the assert is the runtime
        // safety net for the same situation.
        assert(false);
        return "Unknown";
}

// Wrap a keystore error code and message into an error::Error whose
// error_condition belongs to KeyStoreErrorCategory.
//
// @param code  The KeyStoreErrorCode to report.
// @param msg   Context for the caller (e.g. which key could not be loaded).
error::Error MakeError(KeyStoreErrorCode code, const string &msg) {
        const error_condition condition(code, KeyStoreErrorCategory);
        return error::Error(condition, msg);
}

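// Load the private key identified by key_name_ into key_. passphrase_ and
// ssl_engine_ are handed straight to crypto::PrivateKey::Load together with it.
//
// @return NoKeysError (with the loader's message appended) when loading fails,
//         error::NoError otherwise. On success key_ holds the loaded key.
error::Error MenderKeyStore::Load() {
        log::Trace("Loading the keystore");
        auto exp_key = crypto::PrivateKey::Load({key_name_, passphrase_, ssl_engine_});
        if (!exp_key) {
                // NOTE(review): key_name_ is echoed into the error and debug
                // messages. If it can be an HSM/PKCS#11 URI, confirm it cannot
                // carry secret query attributes before it reaches the log.
                return MakeError(
                        NoKeysError,
                        "Error loading private key from " + key_name_ + ": " + exp_key.error().message);
        }
        log::Debug("Successfully loaded private key from " + key_name_);
        // Qualified std::move, matching Generate() below (was an unqualified
        // move() that relied on the file-scope using-directive).
        key_ = std::move(exp_key.value());

        return error::NoError;
}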

// Persist key_ as PEM under key_name_.
//
// @return NoKeysError when no key has been loaded or generated yet, otherwise
//         whatever PrivateKey::SaveToPEM reports.
error::Error MenderKeyStore::Save() {
        if (!key_) {
                return MakeError(NoKeysError, "Need to load or generate a key before save");
        }

        error::Error save_result = key_.SaveToPEM(key_name_);
        return save_result;
}

// Generate a fresh private key of MENDER_DEFAULT_KEY_LENGTH and store it in key_.
//
// @return StaticKeyError when static_key_ is StaticKey::Yes (a static key is
//         never replaced), the generator's error when generation fails, and
//         error::NoError on success.
error::Error MenderKeyStore::Generate() {
        if (static_key_ == StaticKey::Yes) {
                return MakeError(StaticKeyError, "A static key cannot be re-generated");
        }

        auto generated = crypto::PrivateKey::Generate(MENDER_DEFAULT_KEY_LENGTH);
        if (generated) {
                key_ = std::move(generated.value());
                return error::NoError;
        }

        return generated.error();
}

} // namespace cli
} // namespace auth
} // namespace mender