How to verify an mTLS connection on a linux (rpi) client?

[necrobious]

Not sure if github issues was the place to ask questions, I didn't see a TrustM section over on the Infineon forums.

I've been able to build the cli tools and openssl engine on an rpi v4, using Raspbian (buster), and was able to verify connectivity to the TrustM using trustm_chipinfo. I love the trustm, and overall my experience with it has been very positive. thank you!

Following the examples in README.md, I was able to to successfully use the engine to create a key pair, to export the public key, and generate a CSR. I then was able to use the CSR with AWS IoT, get back an AWS signed X.509 cert and loaded the cert and the AWS CA root cert into the TrustM.

My question is, on a linux rpi, is there a tested mTLS example, using, for example s_client?

So far, my attempts to get s_client w/ the trustm_engine working have not been successful (testing against the tls_echo_server.go from the mbedTLS Infineon repo, which I am able to connect to without using the trustm_engine). Before I spend more time attempting to troubleshoot my s_client failure, I wanted to ask if there was a known mTLS linux client example.

This is the failure output I'm seeing from s_client (I have debugging enabled where I can):

pi@raspberrypi:~ $ openssl s_client -showcerts -debug -security_debug_verbose -connect 192.168.42.83:9000 -keyform ENGINE -engine trustm_engine -key 0xE0FC 
trustm_engine/trustm_engine.c:401 bind: >
trustm_engine/trustm_engine.c:345 engine_init: > Engine 0x1d9a740 init
trustm_engine/trustm_engine.c:348 engine_init: Initializing
trustm_helper/trustm_helper.c:648 trustm_Open: >
trustm_helper/trustm_helper.c:661 trustm_Open: TrustM Open. 

trustm_helper/trustm_helper.c:677 trustm_Open: waiting (max count: 50)
....................................................................trustm_helper/trustm_helper.c:59 optiga_util_callback: optiga_lib_status: 0

trustm_helper/trustm_helper.c:699 trustm_Open: Success : optiga_util_open_application 

trustm_helper/trustm_helper.c:704 trustm_Open: <
trustm_engine/trustm_engine_rand.c:63 trustmEngine_init_rand: >
trustm_engine/trustm_engine_rand.c:67 trustmEngine_init_rand: <
trustm_engine/trustm_engine_rsa.c:573 trustmEngine_init_rsa: >
trustm_engine/trustm_engine_rsa.c:600 trustmEngine_init_rsa: <
trustm_engine/trustm_engine.c:393 engine_init: <
trustm_engine/trustm_engine.c:455 bind: <
trustm_engine/trustm_engine.c:324 engine_ctrl: >
trustm_engine/trustm_engine.c:325 engine_ctrl: >
trustm_engine/trustm_engine.c:326 engine_ctrl: cmd: 1
trustm_engine/trustm_engine.c:327 engine_ctrl: P : L���
Message:trustm_engine/trustm_engine.c:330 engine_ctrl: Function Not implemented.
trustm_engine/trustm_engine.c:334 engine_ctrl: <
engine "trustm_engine" set.
trustm_engine/trustm_engine.c:210 engine_load_privkey: > key_id : 0xE0FC
trustm_engine/trustm_engine.c:46 parseKeyParams: >
trustm_engine/trustm_engine.c:153 parseKeyParams: <
trustm_engine/trustm_engine.c:215 engine_load_privkey: KEY_OID       : 0xe0fc 

trustm_engine/trustm_engine.c:216 engine_load_privkey: Pubkey        :  

trustm_engine/trustm_engine.c:218 engine_load_privkey: RSA key type  : 0x42 

trustm_engine/trustm_engine.c:219 engine_load_privkey: RSA key usage : 0x01 

trustm_engine/trustm_engine.c:220 engine_load_privkey: RSA key flag  : 0x00 

trustm_engine/trustm_engine.c:222 engine_load_privkey: EC key type  : 0x00 

trustm_engine/trustm_engine.c:223 engine_load_privkey: EC key usage : 0x00 

trustm_engine/trustm_engine.c:224 engine_load_privkey: EC key flag  : 0x00 

trustm_engine/trustm_engine.c:237 engine_load_privkey: RSA Private Key.
trustm_engine/trustm_engine_rsa.c:176 trustm_rsa_loadkey: >
trustm_engine/trustm_engine_rsa.c:184 trustm_rsa_loadkey: no new key request

trustm_engine/trustm_engine_rsa.c:219 trustm_rsa_loadkey: No plubic Key found, Register Private Key only
trustm_engine/trustm_engine_rsa.c:541 trustmEngine_rsa_init: >
trustm_engine/trustm_engine_rsa.c:548 trustmEngine_rsa_init: <
trustm_engine/trustm_engine_rsa.c:230 trustm_rsa_loadkey: <
trustm_engine/trustm_engine.c:252 engine_load_privkey: <
trustm_engine/trustm_engine_rand.c:88 trustmEngine_getrandom: > num : 16
trustm_engine/trustm_engine_rand.c:176 trustmEngine_getrandom: optiga_crypt_destory
trustm_engine/trustm_engine_rand.c:189 trustmEngine_getrandom: <
trustm_engine/trustm_engine_rand.c:88 trustmEngine_getrandom: > num : 32
trustm_engine/trustm_engine_rand.c:176 trustmEngine_getrandom: optiga_crypt_destory
trustm_engine/trustm_engine_rand.c:189 trustmEngine_getrandom: <
trustm_engine/trustm_engine_rand.c:88 trustmEngine_getrandom: > num : 32
trustm_engine/trustm_engine_rand.c:176 trustmEngine_getrandom: optiga_crypt_destory
trustm_engine/trustm_engine_rand.c:189 trustmEngine_getrandom: <
trustm_engine/trustm_engine_rand.c:88 trustmEngine_getrandom: > num : 32
trustm_engine/trustm_engine_rand.c:176 trustmEngine_getrandom: optiga_crypt_destory
trustm_engine/trustm_engine_rand.c:189 trustmEngine_getrandom: <
connect:errno=4
trustm_engine/trustm_engine_rsa.c:555 trustmEngine_rsa_finish: >
trustm_engine/trustm_engine_rsa.c:561 trustmEngine_rsa_finish: <
trustm_engine/trustm_engine.c:193 engine_finish: > Engine 0x1d9a740 finish (releasing functional reference)
trustm_engine/trustm_engine.c:194 engine_finish: <
trustm_engine/trustm_engine.c:162 engine_destroy: > Engine 0x1d9a740 destroy
trustm_helper/trustm_helper.c:715 trustm_Close: >
trustm_helper/trustm_helper.c:59 optiga_util_callback: optiga_lib_status: 0

trustm_helper/trustm_helper.c:752 trustm_Close: Success : optiga_util_close_application 

trustm_helper/trustm_helper.c:760 trustm_Close: TrustM Closed.

trustm_helper/trustm_helper.c:761 trustm_Close: <
trustm_engine/trustm_engine.c:187 engine_destroy: <

Thanks again!

[ayushev]

Thanks @necrobious for you interest, this is the right place to ask questions. Regarding your question, it should work with openssl client as well, let me figure out the reason.

[ayushev]

Hi, @necrobious, sorry that it took so much time. It turns out we need some more time to investigate the reason (it can take a few weeks). In the meantime if you don't need the RSA or shielded connection functionality, you can use Trust X CLI as these products are compatible for features they share.