PKI Hacking for Fun and Profit - Part II

Posted on Jul 30, 2021 by Andy Doan

Following the PKI Hacking for Fun and Profit article, I've created a simple example of an event logging agent that lets devices talk to a customer-owned mTLS server, authenticating with the client certificate they already hold from their Factory PKI.

This is a simple, concrete example and is not suitable for production. The demo has two pieces: the blog-log-agent, which runs on the device, and the blog-log-server, which stands in for the customer's own service.

Blog Log Agent

This is a simple Docker Compose application that can run on an LmP device. Every 10 seconds it scans /var/run/events and uploads each file it finds as an event to the blog log server. The TLS client certificate and key it presents are the ones set up in /var/sota/sota.toml when the device was registered with foundries.io, so the device authenticates to the custom server with the same credentials it uses for the Foundries backend.

This application was written in Go so that I could reuse the PKCS #11 logic I had already written for fioconfig.

Blog Log Server

This is a Docker Compose application you run on an internet-connected computer. It exposes Nginx with TLS certificates issued for your Factory, and Nginx requires and verifies a client certificate that chains to your Factory CA (this is what makes it mTLS). It accepts any such connection and returns an HTTP 200 "OK"; a request without a valid Factory-issued client certificate is rejected. The idea is to give users the skeleton they need to build their own custom service.
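The exchange these two pieces perform, as an added example in Go that is not part of the blog-log-agent or blog-log-server code: a self-signed "factory CA" (a constructed stand-in for factory_ca.pem) issues the server's TLS certificate and a device certificate; the server requires and verifies client certificates against that CA and echoes the device's CN; the device's POST succeeds, while a client with no certificate and a client holding a certificate with the same CN from an unrelated CA are both refused. The CA, the certificate names, the "OK <device>" reply and the use of one CA for both server and device certificates are assumptions of this example; the real server returns a bare "OK" and the real device uses the certificate referenced from /var/sota/sota.toml.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue makes a P-256 key and certificate for cn, signed by parent, or self-signed when parent
// is nil (our stand-in for factory_ca.pem). ips become IP SANs; only the server cert needs them.
func issue(cn string, ku x509.KeyUsage, ips []net.IP, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random 64-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newEventServer plays the blog-log-server role: what nginx does with client verification on.
func newEventServer(factoryCA, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer has already verified the chain, so PeerCertificates[0] is a trustworthy
		// device identity; echo it so the caller can see which identity the server accepted.
		io.WriteString(w, "OK "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(factoryCA)
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    clientCAs,                      // only the factory CA may vouch for devices
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one from another CA, fails the handshake
	}
	srv.StartTLS()
	return srv
}

// postEvent plays the agent role: one HTTPS POST that trusts only the factory CA for the server
// certificate and presents cert/key as the client certificate (nil cert means "present nothing").
func postEvent(url string, factoryCA, cert *x509.Certificate, key *ecdsa.PrivateKey, body string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(factoryCA)
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		// GetClientCertificate presents the cert unconditionally, so the server's verification decides.
		tc := tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &tc, nil }
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Post(url, "text/plain", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	return fmt.Sprintf("%d %s", resp.StatusCode, reply), err
}

// runDemo: the registered device is accepted; a client with no certificate and one whose
// certificate chains to a different CA (same CN!) are both refused before any event is recorded.
func runDemo() (reply string, noCertErr, rogueErr error) {
	factoryCA, factoryKey := issue("Factory CA (constructed)", x509.KeyUsageCertSign, nil, nil, nil)
	srvCert, srvKey := issue("blog-log-server", x509.KeyUsageDigitalSignature, []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, factoryCA, factoryKey)
	devCert, devKey := issue("device-0001", x509.KeyUsageDigitalSignature, nil, factoryCA, factoryKey)
	rogueCA, rogueKey := issue("Rogue CA (constructed)", x509.KeyUsageCertSign, nil, nil, nil)
	rogueCert, rogueDevKey := issue("device-0001", x509.KeyUsageDigitalSignature, nil, rogueCA, rogueKey) // same CN, other CA
	srv := newEventServer(factoryCA, srvCert, srvKey)
	defer srv.Close()
	reply, _ = postEvent(srv.URL, factoryCA, devCert, devKey, "hello_world")
	_, noCertErr = postEvent(srv.URL, factoryCA, nil, nil, "hello_world")
	_, rogueErr = postEvent(srv.URL, factoryCA, rogueCert, rogueDevKey, "hello_world")
	return reply, noCertErr, rogueErr
}

func main() { fmt.Println(runDemo()) }
```

Run it with go run: the first value is 200 OK device-0001 and the other two are TLS errors. Nginx behaves a little differently from Go's RequireAndVerifyClientCert (with client verification on it typically completes the handshake and answers HTTP 400 rather than aborting), but in neither case does an unauthenticated request reach the backend. The identity extraction in the handler is the part to build on for a custom service: once the chain has been verified, the CN (or another field) of PeerCertificates[0] tells you which device is speaking, with no bearer token involved.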

Steps

Requirements

  • Internet connected server with port 443 exposed

  • Access to the PKI certs set up by the FoundriesFactory administrator. factory_ca.key is your Factory's CA private key, so this directory should stay on a tightly controlled machine. It will have files like:

    • factory_ca.key
    • sign_tls_csr
    • factory_ca.pem
    • local-ca.pem
  • LmP Device that has been registered with the Foundries backend (lmp-device-register has been run).

Part 1: Create TLS certs

From the computer with your Factory PKI certificates, run the create_new_server script to issue the TLS certificate and key your server will use for your domain. For example:

  # ./create_new_server <PATH TO PKI KEYS> <YOUR DOMAIN>
  # For example:
  $ ./create_new_server /secure-pki-keys andy-corp.io

Part 2: Start the server

These steps will be run from your internet connected server:

  $ git clone https://github.com/doanac/blog-log-server
  $ cd blog-log-server
  # Copy the certificates created from part 1, to ./certs/.
  # This should leave you with:
  #   ./certs/ca-chain.pem, ./certs/tls.key, ./certs/tls.pem
  $ docker-compose up

You now have an mTLS server up and running waiting for connections.

Part 3: Start the agent

These steps need to be run from an LmP device:

  $ git clone https://github.com/doanac/blog-log-agent
  $ cd blog-log-agent
  # Build the container
  $ docker-compose build

  # Launch the agent with the proper EVENTS_URL:
  #  EVENTS_URL=<URL> docker-compose up
  # The host must be the domain the certificate was created for in Part 1. For example:
  $ EVENTS_URL="https://andy-corp.io/" docker-compose up

You can now test things work from another terminal by running something like:

  $ sudo -s
  $ echo hello_world > /var/run/events/event-1

The log agent checks for new events every 10 seconds and removes the event-1 file only once it has been processed successfully. You can watch the output of the agent to see when it uploads to the server.
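The scan-and-delete loop described above, as an added example in Go that is not the blog-log-agent's own code: one pass reads every regular file under the directory, hands it to an upload function, and deletes the file only after the upload succeeded, so an event survives a server outage and is retried on the next pass. The upload function is a constructed stand-in for the mTLS POST, the directory is a temporary one rather than /var/run/events, and the event names and the "connection refused" failure are made up for the demo.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// scanOnce is one pass of the agent loop: every regular file under dir is handed to upload,
// and a file is removed only after upload succeeds. A failed upload leaves the file in place
// so the next pass retries it, which is what makes the agent safe against a server outage.
func scanOnce(dir string, upload func(name string, body []byte) error) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var uploaded []string
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue // ignore directories, sockets, etc. that may end up here
		}
		path := filepath.Join(dir, e.Name())
		body, err := os.ReadFile(path)
		if err != nil {
			return uploaded, err
		}
		if err := upload(e.Name(), body); err != nil {
			fmt.Printf("upload of %s failed, keeping it for the next pass: %v\n", e.Name(), err)
			continue
		}
		if err := os.Remove(path); err != nil {
			return uploaded, err
		}
		uploaded = append(uploaded, e.Name())
	}
	sort.Strings(uploaded)
	return uploaded, nil
}

// run polls dir every interval (10 seconds in the real agent) until ctx is cancelled.
func run(ctx context.Context, dir string, interval time.Duration, upload func(string, []byte) error) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		if _, err := scanOnce(dir, upload); err != nil {
			fmt.Println("scan failed:", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-t.C:
		}
	}
}

// demo drives two passes over a temp dir with a constructed uploader that refuses event-2 the
// first time (think: server down), so event-2 survives pass one and is uploaded in pass two.
func demo() (pass1, pass2, leftover []string, err error) {
	dir, err := os.MkdirTemp("", "events")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	for _, n := range []string{"event-1", "event-2"} { // constructed events
		if err = os.WriteFile(filepath.Join(dir, n), []byte("hello_world\n"), 0o600); err != nil {
			return
		}
	}
	attempts := map[string]int{}
	upload := func(name string, body []byte) error {
		attempts[name]++
		if name == "event-2" && attempts[name] == 1 {
			return errors.New("connection refused") // constructed failure
		}
		return nil
	}
	if pass1, err = scanOnce(dir, upload); err != nil {
		return
	}
	if pass2, err = scanOnce(dir, upload); err != nil {
		return
	}
	entries, err := os.ReadDir(dir)
	for _, e := range entries {
		leftover = append(leftover, e.Name())
	}
	return
}

func main() { fmt.Println(demo()) }
```

Deleting only after a successful upload is the one invariant worth keeping when you adapt this: it is what lets a device keep collecting events while the server is unreachable. For a real agent you would also want to bound how many files accumulate under the directory and how large each one may be, so a long outage cannot fill the filesystem.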

Conclusion

This should give you a starting point for the kind of real-world problems a customer may have. In the next article, I'll show how to connect devices to an AWS API Gateway and handle requests using Lambda.
