edgeless-project/Registered-Authentication
ACME device-attest implementation for Edgeless

This is part of the Registered Authentication process, which verifies the Edge Node's identity and integrity before granting it a certificate.

This implementation is based on:

  • Smallstep Step CA (Apache License 2.0).
    An unmodified version is used as the CA Server.
  • ACME Device-Attest Demo Client (Apache License 2.0).
    This component has been modified to interface with a physical TPM and to support the Attestation CA challenge through Go-Attestation.

Installation

Follow the steps and install all the necessary libraries and software as specified in the Attestation-Libraries and TPM-Libraries folders. Note that every step in Attestation-Libraries states whether the instructions should be performed on the Attester or on the Edge Device. For simple testing, check the containers in Docker.

Note: if you want to automate the process, check the corresponding section in Attestation-Libraries.

Provisioning

Follow the instructions in Provisioning to get the CLI tool up and running. On the Edge Node, run the following commands:

./provision get-unique-id
./provision get-att-data

On the verifier side, add this information to the DB using the CLI:

./provision add-data

If the instructions in Attestation-Libraries were followed, all the certificates needed to sign the device certificates and to establish the TLS connection should already be present on both ends.

Running the ACME CA

Simply enter the folder and run it:

cd certificates
./bin/step-ca

Running the Attestation CA

Simply enter the folder and run it:

cd AttServer
go run server.go

Or, for a custom configuration, add:
--tlscert → Certificate for the TLS connection
--tlskey → Key for the TLS connection
--tpmcert → Certificate to sign the aikCert for ACME challenge
--tpmkey → Key to sign the aikCert for ACME challenge
--tpminter → Path to where whitelisted TPM CA Certificates are kept
--port → Port where to serve the CA
--pcr → PCR from the TPM to verify. Change accordingly in the Client

Running the Client

Simply enter the folder and run it:

cd Client
go run client.go

Or, for a custom configuration, add:
--ca_acme_address → Full address of the ACME CA
--ca_attest_address → Full address of the Attestation CA
--account → PEM file containing the ACME private key for the client
--persistentHandle → TPM Handle where to store the private key
--persistkey → Whether to persist the key in the TPM or not
--keytype → Choose whether to generate an RSA or an ECC key
--dnsnames → DNS names to add to the CSR that will be signed
--ipaddress → IP addresses to add to the CSR that will be signed

After this, you should get a certificate CertDevice.pem. If you want to verify that the certificate and key work as expected, you can run the following commands, which generate some random data, sign it with the private key that is stored in the TPM, and then verify the signature using the public key from the certificate:

# Generate 16 random bytes
tpm2_getrandom 16 | base64 > data.bin
# Get the public key from the generated Device Cert
openssl x509 -pubkey -noout -in CertDevice.pem > PubKey.pem
# Use OpenSSL (tpm2 provider) to sign the data with the TPM-resident key referenced by KeyDevice.pem
openssl dgst -provider tpm2 -provider default -propquery "?provider=tpm2" -sha256 -sign KeyDevice.pem -out data.signed data.bin
# Verify the signature using the public key
openssl dgst -sha256 -verify PubKey.pem -signature data.signed data.bin

If it returns "Verified OK", the key and certificate were correctly generated and are ready to be used. If you want to check on the Verifier side what information was generated and stored in the DB, you can run:

sudo mysql -u root -p
use attestationdata;
select * from attestationdata;
select * from provisionedatt;

The first "select" shows the information generated for the authentication sessions; the second shows the provisioned integrity values for each Edge Node.
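The sign-and-verify check performed with openssl above, written as an added Go example (not code from this repository). It assumes an ECC key (--keytype ecc) generated in software and a self-signed certificate, standing in for the TPM-resident key and the step-ca-issued CertDevice.pem; makeDeviceCert, signData and verifyWithCert are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeDeviceCert stands in for a client run with --keytype ecc: the key is generated in software (the
// project keeps it in the TPM) and the cert is self-signed, carrying the --dnsnames and --ipaddress values.
func makeDeviceCert(dns []string, ips []net.IP) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dns, IPAddresses: ips,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// signData is the "openssl dgst -sha256 -sign KeyDevice.pem" step: an ASN.1 ECDSA signature over sha256(data).
func signData(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyWithCert is the "openssl dgst -sha256 -verify PubKey.pem" step: the public key is taken from the
// certificate and CheckSignature hashes data with SHA-256 and verifies sig. A nil error means "Verified OK".
func verifyWithCert(certPEM, data, sig []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, data, sig)
}
```

A certificate issued for an RSA key (--keytype rsa) would be checked with x509.SHA256WithRSA instead; CheckSignature returns an error rather than panicking when the key type and algorithm do not match.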
