
Implementing mosquitto_psk_key_get for certificate whitelisting #292

Open
rianorie opened this issue Aug 31, 2023 · 8 comments

Comments

@rianorie

Hello!

I'm fairly new to Mosquitto and MQTT brokers, so I may be misunderstanding the API/documentation.

We are wanting to use client certificates for our devices and be able to revoke these without having to restart the broker. Go auth implements the username and password solution, which is amazing, and a huge leap from having to use the static files on the server.

I was wondering if mosquitto_psk_key_get could be used to implement the crlfile feature, after a fashion? My situation is using PostgreSQL, so I would probably create a password hash of the certificate that we give out for a client and store that hash, and then do a hash check against the database?

Thoughts are welcome :) Also, if this is not the right place for this, please close the issue and direct me in the right direction!

I'd be happy to build it and send in a PR if others are interested.

@iegomez
Owner

iegomez commented Aug 31, 2023

Hi, @rianorie!
Sadly, when I started the plugin I didn't have any similar need and never got to implement it, as you can see in this default error response: https://github.com/iegomez/mosquitto-go-auth/blob/master/auth-plugin.c#L158

I don't really have any thoughts on the matter and don't have time to look into it in the near future, but PRs are very welcome.

@rianorie
Author

Hey @iegomez, I just want to confirm that I understand the documentation correctly and that this would be a solution that can be implemented like I proposed?

@iegomez
Owner

iegomez commented Sep 1, 2023

Sadly, I don't know because as I said I never looked into PSK functionality regarding Mosquitto and don't have time to do the research right now, so you're probably better off checking Mosquitto docs to understand the feature and the plugin general interface to see if there's a fit.
Sorry again for not being more helpful.

@rianorie
Author

rianorie commented Sep 1, 2023

Not to worry! I'll dig into it and see if it works like I want it to :) Thanks!

@rianorie
Author

rianorie commented Sep 4, 2023

@iegomez sorry, I know you're short on time. I'm tinkering with it, the Go part I get.. but how does that auth-plugin.c file get incorporated into Mosquitto? In other words, how can I get it to start using my AuthPskKeyGet() function?

@iegomez
Owner

iegomez commented Sep 4, 2023

You'd call your exported Go function from the C file's mosquitto_auth_psk_key_get one.
When/how is that called from Mosquitto? Again, I don't know because I never looked into it.

@rianorie
Author

rianorie commented Sep 4, 2023

I'm probably not communicating my question clearly.. How will Mosquitto know about my (new) function? I will need to specify it in mosquitto_auth_psk_key_get, sure. I can do that in auth-plugin.c. But do I need to build Mosquitto with that file?

You made AuthUnpwdCheck(), defined it in the auth-plugin.c, but when did that auth-plugin.c file get built/used?

I've been building the docker env and changes I make to the C file are not being picked up as far as I can see.

@iegomez
Owner

iegomez commented Sep 4, 2023

After implementing your Go side function and using it in mosquitto_auth_psk_key_get, you simply rebuild the .so shared object file that's loaded by Mosquitto. No need to rebuild Mosquitto itself, it'll load the plugin at start time.

Rebuilding is just a matter of running make, you can check the Makefile at https://github.com/iegomez/mosquitto-go-auth/blob/master/Makefile.
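As an added illustration of the Go side of what the thread discusses (this is example code written for this page, not code from mosquitto-go-auth or from either participant): a PSK identity store with a revocation flag that can be changed while the broker keeps running, and a lookup function shaped like the `AuthPskKeyGet()` the reporter mentions. The in-memory map stands in for the PostgreSQL table; the cgo `//export` wrapper that Mosquitto's `mosquitto_auth_psk_key_get` callback in auth-plugin.c would call, and the copy of the returned string into the C `key` buffer, are assumed and not shown. `maxKeyLen` mirrors the `max_key_len` buffer size that C callback receives, so an oversized key is refused rather than truncated.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// pskEntry is one row of the constructed PSK table: the key a client's
// identity maps to (hex, as Mosquitto expects) and a revocation flag.
type pskEntry struct {
	KeyHex  string
	Revoked bool
}

// PskStore is an in-memory stand-in for the database (assumption: a real
// plugin would query PostgreSQL here instead of a map).
type PskStore struct {
	mu      sync.RWMutex
	entries map[string]pskEntry
}

func NewPskStore() *PskStore { return &PskStore{entries: map[string]pskEntry{}} }

// ErrUnauthorized is returned for unknown or revoked identities; the C side
// would map it to a non-success return so the TLS-PSK handshake fails.
var ErrUnauthorized = errors.New("psk: identity unknown or revoked")

// Add registers an identity. The key is normalised to lowercase and must be
// a valid hex string, otherwise the broker could never use it.
func (s *PskStore) Add(identity, keyHex string) error {
	keyHex = strings.ToLower(strings.TrimSpace(keyHex))
	if _, err := hex.DecodeString(keyHex); err != nil || keyHex == "" {
		return fmt.Errorf("identity %q: key is not valid hex", identity)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[identity] = pskEntry{KeyHex: keyHex}
	return nil
}

// Revoke flips the flag; the next handshake for that identity is refused
// without any broker restart, which is the need the issue describes.
func (s *PskStore) Revoke(identity string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[identity]
	if !ok {
		return errors.New("psk: unknown identity")
	}
	e.Revoked = true
	s.entries[identity] = e
	return nil
}

// AuthPskKeyGet is the Go-side lookup (hypothetical name, following the
// issue). hint is accepted for parity with the C callback but not used here.
func (s *PskStore) AuthPskKeyGet(hint, identity string, maxKeyLen int) (string, error) {
	s.mu.RLock()
	e, ok := s.entries[identity]
	s.mu.RUnlock()
	if !ok || e.Revoked {
		return "", ErrUnauthorized
	}
	// Leave one byte for the NUL terminator the C buffer needs.
	if len(e.KeyHex) >= maxKeyLen {
		return "", fmt.Errorf("psk: key for %q does not fit in %d bytes", identity, maxKeyLen)
	}
	return e.KeyHex, nil
}

func main() {
	s := NewPskStore()
	_ = s.Add("sensor-01", "DEADBEEF") // constructed sample identity and key
	k, err := s.AuthPskKeyGet("", "sensor-01", 64)
	fmt.Println("before revoke:", k, err)
	_ = s.Revoke("sensor-01")
	k, err = s.AuthPskKeyGet("", "sensor-01", 64)
	fmt.Println("after revoke:", k, err)
}
```

The unknown-identity and revoked-identity cases deliberately return the same error, so a caller cannot tell from the failure which of the two applied.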
