Support mutual TLS using a certificate from a Windows cert store (#408)
Add the ability to use a client certificate located in a Windows certificate store. Previously, the client certificate and private key had to be passed by filepath or file contents. With this change, certificates and keys stored on TPM devices can be used.

Add new `windows_cert_pub_sub` sample to show this in action.
graebm authored Mar 24, 2022
1 parent 43d8d1b commit 581a92e
Showing 5 changed files with 358 additions and 4 deletions.
1 change: 1 addition & 0 deletions .builder/actions/build_samples.py
Expand Up @@ -20,6 +20,7 @@ def run(self, env):
'samples/mqtt/basic_pub_sub',
'samples/mqtt/pkcs11_pub_sub',
'samples/mqtt/raw_pub_sub',
'samples/mqtt/windows_cert_pub_sub',
'samples/shadow/shadow_sync',
'samples/greengrass/basic_discovery',
'samples/identity/fleet_provisioning',
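Review bot: `'samples/mqtt/windows_cert_pub_sub'` is appended to the sample list unconditionally, while the README added in this same commit marks the sample "Windows only"; unless the sample's sources build cleanly on the Linux and macOS builders, this entry should be gated on the host platform (for example appended only when the builder is running on Windows) so the non-Windows CI jobs do not pick it up.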
69 changes: 66 additions & 3 deletions samples/README.md
Expand Up @@ -2,6 +2,7 @@

* [Basic MQTT Pub-Sub](#basic-mqtt-pub-sub)
* [PKCS#11 MQTT Pub-Sub](#pkcs11-mqtt-pub-sub)
* [Windows Certificate MQTT Pub-Sub](#windows-certificate-mqtt-pub-sub)
* [Raw MQTT Pub-Sub](#raw-mqtt-pub-sub)
* [Fleet provisioning](#fleet-provisioning)
* [Shadow](#shadow)
Expand Down Expand Up @@ -121,7 +122,7 @@ but the private key for mutual TLS is stored on a PKCS#11 compatible smart card

WARNING: Unix only. Currently, TLS integration with PKCS#11 is only available on Unix devices.

source: `samples/mqtt/pkcs11_pub_sub/main/cpp`
source: `samples/mqtt/pkcs11_pub_sub/main.cpp`

To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the PKCS#11 device:

Expand All @@ -144,9 +145,9 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
If this spits out an error message, create a config file:
* Default location: `~/.config/softhsm2/softhsm2.conf`
* This file must specify token dir, default value is:
* This file must specify a valid token directory:
```
directories.tokendir = /usr/local/var/lib/softhsm/tokens/
directories.tokendir = /path/for/my/softhsm/tokens/
```
4) Create token and import private key.
Expand All @@ -167,6 +168,68 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
./pkcs11-pub-sub --endpoint <xxxx-ats.iot.xxxx.amazonaws.com> --ca_file <AmazonRootCA.pem> --cert <certificate.pem.crt> --pkcs11_lib <libsofthsm2.so> --pin <user-pin> --token_label <token-label> --key_label <key-label>
```
## Windows Certificate MQTT Pub-Sub
WARNING: Windows only
This sample is similar to the [Basic Pub-Sub](#basic-mqtt-pub-sub),
but your certificate and private key are in a
[Windows certificate store](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores),
rather than simply being files on disk.
To run this sample you need the path to your certificate in the store,
which will look something like:
"CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
(where "CurrentUser\MY" is the store and "A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6" is the certificate's thumbprint)

If your certificate and private key are in a
[TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview),
you would use them by passing their certificate store path.

source: `samples/mqtt/windows_cert_pub_sub/main.cpp`

To run this sample with a basic certificate from AWS IoT Core:

1) Create an IoT Thing with a certificate and key if you haven't already.
2) Combine the certificate and private key into a single .pfx file.
You will be prompted for a password while creating this file. Remember it for the next step.
If you have OpenSSL installed:
```powershell
openssl pkcs12 -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx
```
Otherwise use [CertUtil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).
```powershell
certutil -mergePFX certificate.pem.crt,private.pem.key certificate.pfx
```
3) Add the .pfx file to a Windows certificate store using PowerShell's
[Import-PfxCertificate](https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate)

In this example we're adding it to "CurrentUser\MY"
```powershell
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\MY -Password $mypwd.Password
```
Note the certificate thumbprint that is printed out:
```
Thumbprint Subject
---------- -------
A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6 CN=AWS IoT Certificate
```
So this certificate's path would be: "CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"

4) Now you can run the sample:

```
.\windows-cert-pub-sub.exe --endpoint xxxx-ats.iot.xxxx.amazonaws.com --ca_file AmazonRootCA.pem --cert CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6
```

## Raw MQTT Pub-Sub

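Review bot: the OpenSSL command in step 2 is missing `-export`; as written, `openssl pkcs12 -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx` treats `-in` as an existing PKCS#12 file to parse and fails on a PEM certificate, so it should read `openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx`. Two smaller points in the same section: the store is spelled `CurrentUser\MY` in the prose and in the Import-PfxCertificate example but `CurrentUser\My` in the final run command, so either state that the store name is matched case-insensitively or use one spelling throughout; and since the purpose of this sample is to keep the private key out of plain files, the steps should tell the reader to delete `certificate.pfx` and `private.pem.key` once the import has succeeded, and note that Import-PfxCertificate imports the key as non-exportable unless `-Exportable` is passed, which is the behaviour you want here. The TPM paragraph would also be clearer if it said that the key must already be held by a TPM-backed key storage provider and that the sample only ever receives the store path, never the key bytes.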
25 changes: 25 additions & 0 deletions samples/mqtt/windows_cert_pub_sub/CMakeLists.txt
@@ -0,0 +1,25 @@
cmake_minimum_required(VERSION 3.1)
# note: cxx-17 requires cmake 3.8, cxx-20 requires cmake 3.12
project(windows-cert-pub-sub CXX)

file(GLOB SRC_FILES
"*.cpp"
"../../utils/CommandLineUtils.cpp"
"../../utils/CommandLineUtils.h"
)

add_executable(${PROJECT_NAME} ${SRC_FILES})

set_target_properties(${PROJECT_NAME} PROPERTIES
CXX_STANDARD 14)

# set warnings
if (MSVC)
target_compile_options(${PROJECT_NAME} PRIVATE /W4 /WX /wd4068)
else ()
target_compile_options(${PROJECT_NAME} PRIVATE -Wall -Wno-long-long -pedantic -Werror)
endif ()

find_package(aws-crt-cpp REQUIRED)

target_link_libraries(${PROJECT_NAME} PRIVATE AWS::aws-crt-cpp)
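Review bot: this CMakeLists has no platform guard even though the sample is Windows-only, and the `else ()` branch that sets `-Wall -Wno-long-long -pedantic -Werror` is dead code for a target that cannot build off Windows; either add an early `if (NOT WIN32) message(FATAL_ERROR "windows-cert-pub-sub is only supported on Windows") endif ()` so a stray non-Windows configure fails with a clear message, or drop the non-MSVC branch so the file does not suggest the sample is portable.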
