Example of how to use TPM 2.0 keys to establish a mutual TLS connection. The TPM 2.0 keys are accessed through the TPM2 PKCS#11 module, so the client's private key is used inside the TPM rather than loaded from a file; only the certificates and the CA file live on disk.
Set up the PKI and run a test with openssl s_server and openssl s_client:
[test@fedora-server ~]$ sudo ./tls-pkcs11-test.sh
Then test with the custom NodeJS application.
Start the openssl s_server in the background. -Verify 1 makes the server demand a client certificate (verify depth 1) and abort the handshake if none is presented; the here-string supplies a stdin so the backgrounded process is not stopped while waiting on the terminal:
[test@fedora-server ~]$ sudo openssl s_server -CAfile ./tls-server/ca.crt -cert ./tls-server/server.crt -key ./tls-server/server.key -Verify 1 <<< '1' &
Get the private key id. It is the CKA_ID of the CKO_PRIVATE_KEY object (the public key half shares the same CKA_ID); tpm2_ptool prints it hex-encoded:
[test@fedora-server ~]$ sudo tpm2_ptool listobjects --label tls
- CKA_CLASS: CKO_PRIVATE_KEY
  CKA_ID: '37303964363438613061376363363763'
  CKA_KEY_TYPE: CKK_RSA
  CKA_LABEL: ''
  id: 1
- CKA_CLASS: CKO_PUBLIC_KEY
  CKA_ID: '37303964363438613061376363363763'
  CKA_KEY_TYPE: CKK_RSA
  CKA_LABEL: ''
  id: 2
Run the NodeJS application on the host. OPENSSL_CONF points Node's OpenSSL at the configuration that loads the PKCS#11 engine; the arguments are the key source (pkcs11), the key id from the listing above, the CA certificate, the client certificate, and the server host and port:
[test@fedora-server ~]$ sudo OPENSSL_CONF=./ossl.cnf node tls.js pkcs11 37303964363438613061376363363763 ./tls-client/ca.crt ./tls-client/client.crt localhost 4433
Connection authorized by a Certificate Authority.
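As an added example (not the page's tls.js, which is not reproduced here), the following Node script derives from the tpm2_ptool listobjects output the identifiers a PKCS#11-backed mutual TLS client needs: it parses the listing, selects the single CKO_PRIVATE_KEY instead of taking the first object, decodes its CKA_ID, builds an RFC 7512 PKCS#11 URI for the token labelled tls, and assembles tls.connect() options using Node's documented privateKeyEngine/privateKeyIdentifier pair. The sample input is a copy of the listing above. The option shape, the assumption that tpm2_ptool prints CKA_ID as hex of the id bytes, and the use of a pkcs11 engine that accepts a URI as key identifier are assumptions about how such a client would be wired, not a description of tls.js.

```javascript
'use strict';
// Added example, not the page's tls.js: derive the PKCS#11 key identifiers a
// Node mutual-TLS client needs from `tpm2_ptool listobjects --label tls` output.

// Constructed sample: a copy of the listobjects output shown on the page.
const LISTOBJECTS_OUTPUT = `- CKA_CLASS: CKO_PRIVATE_KEY
  CKA_ID: '37303964363438613061376363363763'
  CKA_KEY_TYPE: CKK_RSA
  CKA_LABEL: ''
  id: 1
- CKA_CLASS: CKO_PUBLIC_KEY
  CKA_ID: '37303964363438613061376363363763'
  CKA_KEY_TYPE: CKK_RSA
  CKA_LABEL: ''
  id: 2
`;

// Parse the YAML-like list: a "- " line starts a new object and the indented
// "KEY: value" lines that follow belong to it. Single quotes around values are stripped.
function parseListObjects(text) {
  const objects = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    let body = line;
    if (line.startsWith('- ')) {
      current = {};
      objects.push(current);
      body = line.slice(2);
    }
    if (current === null) throw new Error(`attribute before first object: ${line}`);
    const sep = body.indexOf(':');
    if (sep < 0) throw new Error(`malformed line: ${line}`);
    const key = body.slice(0, sep).trim();
    let value = body.slice(sep + 1).trim();
    if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
      value = value.slice(1, -1);
    }
    current[key] = value;
  }
  return objects;
}

// Select the private key by class rather than by position, and refuse to guess
// when the token holds zero or several private keys.
function findPrivateKeyId(objects) {
  const privs = objects.filter((o) => o.CKA_CLASS === 'CKO_PRIVATE_KEY');
  if (privs.length !== 1) {
    throw new Error(`expected exactly one CKO_PRIVATE_KEY, found ${privs.length}`);
  }
  const hex = privs[0].CKA_ID;
  if (!/^(?:[0-9a-fA-F]{2})+$/.test(hex)) throw new Error(`CKA_ID is not hex: ${hex}`);
  return hex;
}

// Assumption: tpm2_ptool prints CKA_ID as the hex encoding of the raw id bytes.
// Decoding shows the id string the token actually stores.
function decodeCkaId(hex) {
  return Buffer.from(hex, 'hex').toString('latin1');
}

// RFC 7512 PKCS#11 URI selecting the private key on the token labelled `tokenLabel`.
// Every id byte is percent-encoded, which is valid whether or not the bytes are printable.
function pkcs11Uri(tokenLabel, hex) {
  const id = Array.from(Buffer.from(hex, 'hex'),
    (b) => '%' + b.toString(16).padStart(2, '0').toUpperCase()).join('');
  return `pkcs11:token=${encodeURIComponent(tokenLabel)};id=${id};type=private`;
}

// tls.connect() options for a key that stays in the TPM: certificate and CA are
// ordinary PEM strings, while the private key is addressed through an OpenSSL engine
// using Node's privateKeyEngine/privateKeyIdentifier options. Assumption: the pkcs11
// engine accepts a PKCS#11 URI as the key identifier.
function buildClientOptions({ host, port, caPem, certPem, tokenLabel, keyIdHex }) {
  return {
    host,
    port,
    ca: caPem,
    cert: certPem,
    servername: host,
    privateKeyEngine: 'pkcs11',
    privateKeyIdentifier: pkcs11Uri(tokenLabel, keyIdHex),
    // The server is verified against the supplied CA; a mutual-TLS client must never disable this.
    rejectUnauthorized: true,
  };
}

// Usage with the page's listing and argument values (PEM contents are placeholders;
// a real run reads ./tls-client/ca.crt and ./tls-client/client.crt from disk).
const keyIdHex = findPrivateKeyId(parseListObjects(LISTOBJECTS_OUTPUT));
const options = buildClientOptions({
  host: 'localhost', port: 4433,
  caPem: '<contents of ./tls-client/ca.crt>',
  certPem: '<contents of ./tls-client/client.crt>',
  tokenLabel: 'tls', keyIdHex,
});
console.log(decodeCkaId(keyIdHex), options.privateKeyIdentifier);
```

The script only assembles the options; passing them to tls.connect() on a host with the engine configured (the OPENSSL_CONF file above) is what the page's invocation does. Selecting by CKA_CLASS matters because the public and private halves share the same CKA_ID and the listing order is not guaranteed.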
Run the NodeJS application from a container. The container needs the TPM resource manager device (/dev/tpmrm0), the tpm2-pkcs11 store mounted from /etc/tpm2_pkcs11, the working directory with the certificates and ossl.cnf, and host networking so that localhost:4433 reaches the s_server started above:
[test@fedora-server ~]$ docker build . -t test
[test@fedora-server ~]$ docker run --rm --device /dev/tpmrm0 --volume /etc/tpm2_pkcs11/:/etc/tpm2_pkcs11 --volume "$PWD":/root/test --net host test bash -c "OPENSSL_CONF=./ossl.cnf node tls.js pkcs11 37303964363438613061376363363763 ./tls-client/ca.crt ./tls-client/client.crt localhost 4433"
Connection authorized by a Certificate Authority.
On a successful connection, the openssl s_server shows the client's certificate chain being verified (depth 1 is the Easy-RSA CA, depth 0 the client certificate whose key sits in the TPM, both with verify return:1) and counts one finished accept:
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
depth=1 CN = Easy-RSA CA
verify return:1
depth=0 C = US, ST = Oregon, L = Hillsboro, O = Intel Corp, OU = Internet of Things Group, CN = fedora-server.mshome.net
verify return:1
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)