ROS2 DDS Security PKCS#11 URI support#332
ROS2 DDS Security PKCS#11 URI support#332MiguelCompany wants to merge 6 commits intoros2:gh-pagesfrom eProsima:pkcs11-support
Conversation
The DDS-Security specification defines the use of Hardware Security Modules (HSM) and PKCS#11 URIs as an alternative to private keys and certificates stored in the file system. Current implementation only supports these tokens to be directly stored in the file system as `.pem` files. This is a design proposal to support PKCS#11 URIs. The changes affect to the RMW implementations, as these are filling the DDS security attributes for the participant. However, it also affects the contents of the enclave directories in the keystore. Although the proposed changes are totally backwards compatible (meaning that current RMW implementations will continue working if no PKCS#11 URIS are used), description of the new enclave contents and the expected RMW behavior seems appropriate.
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com>
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com>
|
This is good |
|
👍 |
mikaelarguedas
left a comment
mikaelarguedas
left a comment
There was a problem hiding this comment.
looks great thanks for the update 🙏
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com> Co-authored-by: Mikael Arguedas <mikael.arguedas@gmail.com>
|
@mikaelarguedas Thanks for the review. Just applied your fixes. |
ruffsl
left a comment
ruffsl
left a comment
There was a problem hiding this comment.
As discussed over today's the Security WG meeting, this LGTM.
|
Ping @clalancette or @tfoote ? Good to merge? |
|
In general this sounds good. However this site overall is deprecated and we would much prefer to land this as a REP instead so that we can have all of our reference materials in one place. Would you mind submitting it over there as a new informational REP instead? |
|
This pull request has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/ros-2-tsc-meeting-minutes-2023-02-16/29927/1 |
|
Hi @tfoote, we have gone ahead and moved this to a REP in ros-infrastructure/rep#375 |
fujitatomoya
left a comment
fujitatomoya
left a comment
There was a problem hiding this comment.
a few comments and questions.
| @@ -0,0 +1,86 @@ | |||
| --- | |||
| layout: default | |||
| title: ROS2 DDS security PKCS#11 URI support | |||
There was a problem hiding this comment.
| title: ROS2 DDS security PKCS#11 URI support | |
| title: ROS 2 DDS security PKCS#11 URI support |
| published: false | ||
| --- | ||
|
|
||
| - This will become a table of contents (this text will be scraped). |
There was a problem hiding this comment.
we need to remove this line?
|
|
||
| Original Author: {{ page.author }} | ||
|
|
||
| ## Scope |
There was a problem hiding this comment.
I take this into more like Motivation section? especially the end of this section would look like problem statement.
| Then, the RMW can be aware of the file extension and set the security property accordingly. | ||
| Taking the private key in the authentication plugin as an example: | ||
|
|
||
| 1. The RMW will look for a file with name `key.pem` or `key.p11` in the enclave. |
There was a problem hiding this comment.
What happens if both files are in the enclaves? key.p11 prevails to key.pem and if rmw implementation does not support key.p11, then it falls back to use key.pem?
|
Closing in favor of ros-infrastructure/rep#375 |
|
This pull request has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/announcing-rep-2015-ros-2-dds-security-pkcs-11-support/31357/1 |
10 participants
This is a rework of #319, addressing the comments there, since I don't have write access on the original contributor repository.