From 8ed8ec3305b6dd2f0d2711ab0507e0a14d233a37 Mon Sep 17 00:00:00 2001
From: Andy Doan
Date: Wed, 13 Dec 2023 15:38:17 -0600
Subject: [PATCH 1/3] README: Update with steps for latest fioctl

The latest fioctl makes this a little cleaner.

Signed-off-by: Andy Doan
---
 README.md | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index a62439f..101d3f4 100644
--- a/README.md
+++ b/README.md
@@ -34,27 +34,32 @@ The simple "standalone" server can be built with:
 ## Using
-TLS certificates for the server can be generate by using the helper script
-`contrib/mk-tls-keypair.sh`. Your factory's PKI directory was generated
-with a `create_ca` script. Once a CA is created, you can upload/authorize
-it with:
+First you must create a TLS certificate for this server that your factory
+devices will trust. This can be generated using the helper script
+`contrib/mk-tls-keypair.sh`.
+
+Next you need to create an intermediate "device CA" this service can use to
+sign certificates with. There is a Fioctl helper for this:
 ```bash
-fioctl keys ca show --just-device-cas > /tmp/cas.pem
-cat >> /tmp/cas.pem
-fioctl keys ca update /tmp/cas.pem
+fioctl keys ca add-device-ca --local-ca --local-ca-filename est-ca.pem
+```
+
+Finally, the this server needs a list of intermediate CAs to trust. This can
+be obtained with:
+```bash
 fioctl keys ca show --just-device-cas > client-cas.pem
 ```
-Then run the server with:
+Now the server can be run with:
 ```bash
 $ ./bin/estserver \
     -root-cert /factory_ca.pem \
-    -tls-cert /local-tls.pem \
-    -tls-key /local-tls.key \
-    -ca-cert /local-ca.pem \
-    -ca-key /local-ca.key \
+    -tls-cert /local-tls.pem # cert from mk-tls-keypair above \
+    -tls-key /local-tls.key # key from mk-tls-keypair above \
+    -ca-cert /est-ca.pem # cert from fioctl keys ca add-device-ca \
+    -ca-key /est-ca.key # key from fioctl keys ca add-device-ca \
     -client-cas client-cas.pem
 ```
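Review bot: The estserver example in the new `Now the server can be run with:` block no longer works when pasted, because in bash a `#` comment extends to the end of the line and swallows the trailing `\`, so the command stops after `-tls-cert /local-tls.pem` and the remaining flags are run as separate commands that fail. Keep the continuation lines bare, e.g. `-tls-cert /local-tls.pem \`, and move the four explanations out of the command into a short list above the block (or onto their own comment lines before each flag). Same hunk, a wording nit: `Finally, the this server needs` has a doubled word.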
From 751724a93693ba996cbffb3f5a4de82c3ea01482 Mon Sep 17 00:00:00 2001
From: Andy Doan
Date: Wed, 13 Dec 2023 15:51:53 -0600
Subject: [PATCH 2/3] handlers: Fix bad error handling

We had the right intentions with `validateRequest`. However, we weren't handling its return value correctly when it actually failed.

Signed-off-by: Andy Doan
---
 http_handlers.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http_handlers.go b/http_handlers.go
index 6147349..f055779 100644
--- a/http_handlers.go
+++ b/http_handlers.go
@@ -46,7 +46,7 @@ func RegisterEchoHandlers(svcHandler ServiceHandler, e *echo.Echo) {
 			return c.String(http.StatusInternalServerError, err.Error())
 		}
 		bytes, err := validateRequest(svc, c)
-		if err != nil {
+		if bytes == nil { // validateRequest failed and sent the response
 			return err
 		}
 		peerCerts := c.Request().TLS.PeerCertificates

From 8c19c0a3b55cc82ca181d772ab6102646565f905 Mon Sep 17 00:00:00 2001
From: Andy Doan
Date: Wed, 13 Dec 2023 16:34:01 -0600
Subject: [PATCH 3/3] main: Fix loading of client CAs

This happened to work because I usually test it with the "local-ca" used by the est server *and* my factory registration reference server. However, when you need to trust many client ca's, this was totally broken.

Signed-off-by: Andy Doan
---
 cmd/main.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmd/main.go b/cmd/main.go
index f3ca33a..507d816 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -72,7 +72,9 @@ func main() {
 		pemBytes, err := os.ReadFile(*clientCas)
 		if err != nil {
 			log.Fatal().Err(err).Msg("Unable to load client CAs")
-			caPool.AppendCertsFromPEM(pemBytes)
+		}
+		if ok := caPool.AppendCertsFromPEM(pemBytes); !ok {
+			log.Fatal().Msg("Unable to load client CAs")
 		}
 	}
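Review bot: The new condition drops `err` whenever `validateRequest` returns a non-nil body, so a call that returns both bytes and an error would continue into certificate processing with the error ignored; the old code had the mirror-image problem. Unless the helper guarantees the two results are mutually exclusive, check both before the peer-certificate handling: `if err != nil || bytes == nil { return err }`. The inline comment implies a contract (nil bytes means the failure response was already written and `err` is what the handler should propagate, possibly nil); that belongs in a doc comment on `validateRequest` itself rather than at the call site, so the next reader does not have to infer it. `validateRequest` is not visible here and the handler closure this sits in starts and ends outside the hunk, so the mutual-exclusion point is inferred from the comment.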
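Review bot: `AppendCertsFromPEM` returns true as soon as any certificate in the file parses and silently skips blocks it cannot parse, so the new `!ok` check still accepts a client-CAs file in which some intermediates are malformed, and devices issued under those CAs will fail client authentication with nothing in the logs to explain why. Since the two fatal branches now emit the identical `Unable to load client CAs`, the parse failure is also indistinguishable from the read failure; a distinct message carrying the path is cheap, e.g. `log.Fatal().Str("path", *clientCas).Msg("No certificates could be parsed from client CAs file")`. If partial files should be rejected outright, decoding the blocks with `pem.Decode` and `x509.ParseCertificate` in a loop and failing on the first bad block gives that guarantee; the `if` that guards this block starts outside the hunk, so whether an empty file is already rejected there is not visible.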