Private Key support from TPM Hardware for Aws Iot and Mqtt connection #675
-
|
We need an information from
|
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 2 replies
-
|
Any update |
Beta Was this translation helpful? Give feedback.
-
|
On Linux, tpm support is via pkcs11: https://github.com/awslabs/aws-crt-cpp/blob/v0.26.1/include/aws/crt/io/TlsOptions.h#L95-L106 Both of these features have been available for the last two years or so. |
Beta Was this translation helpful? Give feedback.
-
|
I gone through the URL and we do not need like below. • This all are specifying the private key externally. We need that AWS sdk should directly read the private key from TPM instead of providing externally. |
Beta Was this translation helpful? Give feedback.
-
|
I am having a hard time following. There is (or should be) no way to read a private key from a TPM. That would fatally undermine the security advantage. All you should be able to do with a TPM is request (via API calls) that it perform well-defined cryptographic operations on pieces of data. The device SDKs support one specific way to use TPMs: perform the necessary private key operations on the parts of the TLS handshake required to do the "m"(mutual) part of m(utual)TLS. This means you'll end up using a different initialization API for TlsContext rather than the cert-and-key one. On Linux this is done by using a PKCS11-compliant library specific to the TPM. It's the developers job to deploy that library to the device and configure the SDK to use it properly via the PKCS11-specific API in the TLS Context type. On Windows, the OS handles the device driver interface details and you'll need to configure an entry in the Windows cert store appropriately and use the cert store specific API to initialize the TLS Context. The tpm2 branch that supposedly contains what you want only contained an update to samples to use the pkcs11/cert store APIs on TlsContext. |
Beta Was this translation helpful? Give feedback.
-
|
Following up, Looked into this further and I wasn't fully accurate with the "one specific way to use TPMs." Internally, the C implementation also supports Parsec via this commit. This support is only bound out in Java: awslabs/aws-crt-java@35813b7 If this functionality would be of interest to your C++ SDK usage, engage your AWS product/account contact with the details of your specific needs. |
Beta Was this translation helpful? Give feedback.
Following up,
Looked into this further and I wasn't fully accurate with the "one specific way to use TPMs." Internally, the C implementation also supports Parsec via this commit.
This support is only bound out in Java: awslabs/aws-crt-java@35813b7
If this functionality would be of interest to your C++ SDK usage, engage your AWS product/account contact with the details of your specific needs.