EVerest / libevse-security

Apache License 2.0

Reliability improvements for OpenSSL tpm2 provider on an embedded system #42

Closed james-ctc closed 4 months ago

james-ctc commented 4 months ago

Background

The existing implementation was occasionally failing especially when there was a migration from using non-TPM keys to supporting TPM protected keys (TSS2). Issues were observed during the loading and unloading of providers. There was also some concern that another call could impact which providers were loaded and their property strings.

There were significant improvements once the tpm2-abrmd daemon was included and running. Generating keys, CSRs etc. didn't appear to need tpm2-abrmd; however, once TLS was being used tpm2-abrmd became essential.

It also became clear that the provider configuration depends on the key type. Hence the first line of the PEM key file is read so that the provider can be configured before actually loading the key.

Updates

feat: OpenSSL provider implementation now default for OpenSSL v3
feat: OpenSSL tpm2 provider load on first use, configured via property strings
feat: OpenSSL property strings configurable via cmake
feat: unit tests run for OpenSSL v1 and v3
feat: additional unit tests for tpm2 provider (OpenSSL v3 only)

Provider handling changed following testing on an embedded system. Loading and unloading providers was proving unreliable. The approach changed to load providers early and use the property string to control which provider is used.

A mutex has been added so that another call can't change the provider configuration whilst in use. There is support for general operations using the global OpenSSL library context and a separate context for use with TLS.

OpenSSL v3 uses providers. OpenSSL v1 uses previous code.

Note: the tpm2-abrmd daemon needs to be running for tpm2 where TLS is being used.

Functionality change

The meaning of UseTPM has been clarified to support interworking and upgrades from non-TPM keys to TPM protected keys. For TLS the provider chosen is based on the PEM file and not the UseTPM OCPP configuration variable. UseTPM is used to determine how a new key is to be generated and not how an existing key is used. (part of this will be in a subsequent update to libocpp)

Configuration

cmake -DUSING_TPM2 to enable use of the tpm2 OpenSSL provider (disabled by default). The propquery strings can be modified to suit the target e.g.

set(PROPQUERY_DEFAULT "provider=default")
set(PROPQUERY_TPM2 "?provider=tpm2")

The options configured in this PR were based on testing in a single environment so may need to be adapted for another system.

set(PROPQUERY_DEFAULT "provider!=tpm2")
set(PROPQUERY_TPM2 "?provider=tpm2,tpm2.digest!=yes,tpm2.cipher!=yes")
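As an added illustration (not code from libevse-security), the PEM-header check described above: the first line of the key file decides which property query is handed to OpenSSL before any decoder touches the key material, so a TPM-protected (TSS2) key and a plain software key can coexist on the same system. The `-----BEGIN TSS2 PRIVATE KEY-----` header and the two propquery values are the ones this PR names; the function names and the sample key texts are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Property query strings from this PR's cmake configuration (the values that
 * were tested; a build may set PROPQUERY_DEFAULT/PROPQUERY_TPM2 differently). */
#define PROPQUERY_DEFAULT "provider!=tpm2"
#define PROPQUERY_TPM2    "?provider=tpm2,tpm2.digest!=yes,tpm2.cipher!=yes"

/* PEM header used by the OpenSSL tpm2 provider for TPM-protected (TSS2) keys. */
static const char TSS2_HEADER[] = "-----BEGIN TSS2 PRIVATE KEY-----";

/* True if the first non-blank line of the PEM text is the TSS2 header.
 * Only the header is inspected, so the provider can be selected before any
 * OpenSSL decoder is asked to load the key material. */
bool pem_is_tss2_key(const char *pem)
{
    if (pem == NULL)
        return false;
    while (*pem == '\r' || *pem == '\n' || *pem == ' ' || *pem == '\t')
        pem++;                                  /* skip leading blank space */
    size_t n = strcspn(pem, "\r\n");            /* length of the first line */
    while (n > 0 && (pem[n - 1] == ' ' || pem[n - 1] == '\t'))
        n--;                                    /* ignore trailing blanks */
    return n == sizeof(TSS2_HEADER) - 1 && memcmp(pem, TSS2_HEADER, n) == 0;
}

/* Property query to hand to OpenSSL (for example as the propq argument of
 * OSSL_DECODER_CTX_new_for_pkey) when loading this key. */
const char *propquery_for_pem(const char *pem)
{
    return pem_is_tss2_key(pem) ? PROPQUERY_TPM2 : PROPQUERY_DEFAULT;
}

int main(void)
{
    /* Constructed samples: only the headers matter here, the body is elided. */
    const char *tpm_key = "-----BEGIN TSS2 PRIVATE KEY-----\n...\n-----END TSS2 PRIVATE KEY-----\n";
    const char *sw_key  = "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----\n";
    printf("tpm key -> %s\n", propquery_for_pem(tpm_key));
    printf("sw key  -> %s\n", propquery_for_pem(sw_key));
    return 0;
}
```

In the library this selection has to happen under the mutex mentioned above, so that a concurrent call cannot swap the provider configuration between reading the header and decoding the key.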