Open rvdgracht opened 9 months ago
When using an ssl engine with a slow secure key storage, i.e. OPTEE with pkcs11 TA on a stm32mp151 setting up a TLS connection can take some time (I've seen 5 to 50 seconds). Because rauc-hawkbit-updater creates a new connection to the server for EVERY status update and poll, this can be cumbersome. For that I've opened a different pull request with a change that keeps the connection open between request. See PR #170
Did you see #166? My understanding is that this PR is quite similar.
Did you see #166? My understanding is that this PR is quite similar.
Yes. At the last moment when I was creating the PR. I decided to create a separate PR anyway since #166 seemed stale, and had no support for pkcs11.
Would you be willing to add client cert authentication support for HTTP streaming installations?
We're not actually using the streaming installation feature, but I added it anyway. I added the mtls test as well.
The mtls test is heavily based on the work of @flobz (Florain Bezannier). Cherry picking his patch wasn't possible, since my API is slightly different and because I wanted to use key/cert supplied through the arguments of InstallBundle() instead of externally through a test fixture. I took the liberty of chopping Florians patch up in more manageble/reviewable chunks. I wanted to give Florian credit and added his signed-off to paches where I haven't (or barely) changed his code, I hope thats ok.
@rvdgracht Thanks for adding streaming support and testing. Do you want to have a look at the failing tests or should I?
The overall approach looks good to me, once the test failures and the heap-use-after-free are solved, I can fix up some minor Python formatting and maybe simplify a thing or two. Then, this should be ready.
I tend to reviewing/merging this instead of #166: the implementation seems more straight forward and the commits are more comprehensible.
@flobz What do you think of this? Would this work for you, too? Is there anything missing in comparison to #166?
@Bastian-Krause I found and fixed the heap-use-after-free.
Add support for mutual TLS authentication. This is the preferred method of authentication for bosch-iot-suite and the only one that allows you to keep the authenticator in a (f)TPM.
Optionally, an Openssl engine can be configured if required for access to the ssl private key.