PKCS12 builder support (#449)

TwistedTwigleg · web-flow · commit 81128a08b906 · 2023-05-01T16:24:54.000-04:00
Add PKCS12 support to MQTT builders. Add tests for PKCS12.
diff --git a/.builder/actions/crt-ci-test.py b/.builder/actions/crt-ci-test.py
@@ -28,6 +28,19 @@ def _write_secret_to_temp_file(self, env, secret_name):
 
         return filename
 
+    def _write_s3_to_temp_file(self, env, s3_file):
+        try:
+            tmp_file = tempfile.NamedTemporaryFile(delete=False)
+            tmp_file.flush()
+            tmp_s3_filepath = tmp_file.name
+            cmd = ['aws', '--region', 'us-east-1', 's3', 'cp',
+                    s3_file, tmp_s3_filepath]
+            env.shell.exec(*cmd, check=True, quiet=True)
+            return tmp_s3_filepath
+        except:
+            print (f"ERROR: Could not get S3 file from URL {s3_file}!")
+            raise RuntimeError("Could not get S3 file from URL")
+
     def _build_and_run_eventstream_echo_server(self, env):
         java_sdk_dir = None
 
@@ -89,6 +102,12 @@ def run(self, env):
 
             env.shell.setenv("AWS_TESTING_COGNITO_IDENTITY", env.shell.get_secret("aws-c-auth-testing/cognito-identity"), quiet=True)
 
+            # PKCS12 setup (MacOS only)
+            if (sys.platform == "darwin"):
+                pkcs12_file_name = self._write_s3_to_temp_file(env, "s3://aws-crt-test-stuff/unit-test-key-pkcs12.pem")
+                env.shell.setenv("AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY", pkcs12_file_name)
+                env.shell.setenv("AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD", "PKCS12_KEY_PASSWORD")
+
             # Unfortunately, we can't use NamedTemporaryFile and a with-block because NamedTemporaryFile is not readable
             # on Windows.
             self._write_environment_script_secret_to_env(env, "mqtt5-testing/github-ci-environment")
diff --git a/MQTT5-UserGuide.md b/MQTT5-UserGuide.md
@@ -20,6 +20,8 @@
     * [Direct MQTT with X509-based mutual TLS](#direct-mqtt-with-x509-based-mutual-tls)
     * [MQTT over Websockets with Sigv4 authentication](#mqtt-over-websockets-with-sigv4-authentication)
     * [Direct MQTT with Custom Authentication](#direct-mqtt-with-custom-authentication)
+    * [Direct MQTT with PKCS11](#direct-mqtt-with-pkcs11-method)
+    * [Direct MQTT with PKCS12](#direct-mqtt-with-pkcs12-method)
     * [HTTP Proxy](#http-proxy)
   * [Browser](#browser)
     * [MQTT over Websockets with Sigv4 authentication](#mqtt-over-websockets-with-sigv4-authentication-1)
@@ -267,6 +269,44 @@ token-signing fields to the value of the username that you assign within the cus
 add any custom authentication related values to the username in the CONNECT configuration optionally attached to the client configuration.
 The builder will do everything for you.
 
+#### Direct MQTT with PKCS11 Method
+
+A MQTT5 direct connection can be made using a PKCS11 device rather than using a PEM encoded private key, the private key for mutual TLS is stored on a PKCS#11 compatible smart card or Hardware Security Module (HSM). To create a MQTT5 builder configured for this connection, see the following code:
+
+```typescript
+    let pkcs11Options : Pkcs11Options = {
+        pkcs11_lib: "<path to PKCS11 library>",
+        user_pin: "<Optional pin for PKCS11 device>",
+        slot_id: "<Optional slot ID containing PKCS11 token>",
+        token_label: "<Optional label of the PKCS11 token>",
+        private_key_object_label: "<Optional label of the private key object on the PKCS#11 token>",
+        cert_file_path: "<Path to certificate file. Not necessary if cert_file_contents is used>",
+        cert_file_contents: "<Contents of certificate file. Not necessary if cert_file_path is used>"
+    };
+    let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs11(
+        "<account-specific endpoint>",
+        pkcs11Options
+    );
+    let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build());
+```
+
+Note: Currently, TLS integration with PKCS#11 is only available on Unix devices.
+
+#### Direct MQTT with PKCS12 Method
+
+A MQTT5 direct connection can be made using a PKCS12 file rather than using a PEM encoded private key. To create a MQTT5 builder configured for this connection, see the following code:
+
+```typescript
+    let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs12(
+        "<account-specific endpoint>",
+        "<PKCS12 file>",
+        "<PKCS12 password>"
+    );
+    let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build());
+```
+
+Note: Currently, TLS integration with PKCS#12 is only available on MacOS devices.
+
 #### HTTP Proxy
 No matter what your connection transport or authentication method is, you may connect through an HTTP proxy
 by applying proxy configuration to the builder:
diff --git a/lib/native/aws_iot.spec.ts b/lib/native/aws_iot.spec.ts
@@ -13,7 +13,7 @@ import * as mqtt311 from "./mqtt";
 import * as aws_iot_mqtt311 from "./aws_iot";
 import { v4 as uuid } from 'uuid';
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Mqtt over websockets with Non-Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Mqtt over websockets with Non-Signing Custom Auth - Connection Success', async () => {
 
     let builder = aws_iot_mqtt311.AwsIotMqttConnectionConfigBuilder.new_builder_for_websocket();
     builder.with_custom_authorizer(
@@ -33,7 +33,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await connection.disconnect();
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Mqtt over websockets with Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Mqtt over websockets with Signing Custom Auth - Connection Success', async () => {
     let builder = aws_iot_mqtt311.AwsIotMqttConnectionConfigBuilder.new_builder_for_websocket();
     builder.with_custom_authorizer(
         test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -51,3 +51,16 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await connection.connect();
     await connection.disconnect();
 });
+
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasPKCS12Environment())('Aws Iot Core PKCS12 connection', async () => {
+    let builder = aws_iot_mqtt311.AwsIotMqttConnectionConfigBuilder.new_mtls_pkcs12_builder({
+        pkcs12_file : test_utils.ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY,
+        pkcs12_password : test_utils.ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD});
+    builder.with_endpoint(test_utils.ClientEnvironmentalConfig.AWS_IOT_HOST);
+    builder.with_client_id(`node-mqtt-unit-test-${uuid()}`)
+    let config = builder.build();
+    let client = new mqtt311.MqttClient();
+    let connection = client.new_connection(config);
+    await connection.connect();
+    await connection.disconnect();
+});
diff --git a/lib/native/aws_iot.ts b/lib/native/aws_iot.ts
@@ -127,6 +127,25 @@ export class AwsIotMqttConnectionConfigBuilder {
         return builder;
     }
 
+    /**
+     * Create a new builder with mTLS using a PKCS#12 file for private key operations.
+     *
+     * Note: This configuration only works on MacOS devices.
+     *
+     * @param pkcs12_options - The PKCS#12 options to use in the builder.
+     */
+    static new_mtls_pkcs12_builder(pkcs12_options: io.Pkcs12Options) {
+        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls_pkcs12_from_path(
+            pkcs12_options.pkcs12_file, pkcs12_options.pkcs12_password));
+        builder.params.port = 8883;
+
+        if (io.is_alpn_available()) {
+            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');
+        }
+
+        return builder;
+    }
+
     /**
      * Create a new builder with mTLS using a certificate in a Windows certificate store.
      *
diff --git a/lib/native/aws_iot_mqtt5.spec.ts b/lib/native/aws_iot_mqtt5.spec.ts
@@ -36,7 +36,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Non-Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Non-Signing Custom Auth - Connection Success', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_USERNAME,
@@ -51,7 +51,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Success', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -87,7 +87,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Non-Signing Custom Auth - Connection Failure Bad Password', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Non-Signing Custom Auth - Connection Failure Bad Password', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_USERNAME,
@@ -102,7 +102,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testFailedConnection(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Password', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Password', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -120,7 +120,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testFailedConnection(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Token Value', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Token Value', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -138,7 +138,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testFailedConnection(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Token Signature', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Direct Mqtt Signing Custom Auth - Connection Failure Bad Token Signature', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -156,7 +156,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testFailedConnection(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Websocket Mqtt Non-Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Websocket Mqtt Non-Signing Custom Auth - Connection Success', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_USERNAME,
@@ -171,7 +171,7 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
     await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
 });
 
-test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvironment())('Aws Iot Core Websocket Mqtt Signing Custom Auth - Connection Success', async () => {
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasCustomAuthEnvironment())('Aws Iot Core Websocket Mqtt Signing Custom Auth - Connection Success', async () => {
     let customAuthConfig : iot.MqttConnectCustomAuthConfig = {
         authorizerName: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME,
         username: test_utils.ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME,
@@ -188,3 +188,15 @@ test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasIotCoreEnvir
 
     await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
 });
+
+test_utils.conditional_test(test_utils.ClientEnvironmentalConfig.hasPKCS12Environment())('Aws Iot Core PKCS12 - Connection Success', async () => {
+    let builder = iot.AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs12(
+        test_utils.ClientEnvironmentalConfig.AWS_IOT_HOST,
+        {
+            pkcs12_file : test_utils.ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY,
+            pkcs12_password : test_utils.ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD
+        }
+    );
+    await test_utils.testConnect(new mqtt5.Mqtt5Client(builder.build()));
+});
+
diff --git a/lib/native/aws_iot_mqtt5.ts b/lib/native/aws_iot_mqtt5.ts
@@ -140,6 +140,28 @@ export class AwsIotMqtt5ClientConfigBuilder {
         return builder;
     }
 
+    /**
+     * Create a new MQTT5 client builder that will create MQTT5 clients that connect to AWS IoT Core via mutual TLS
+     * using a PKCS12 file.
+     *
+     * Note: This configuration only works on MacOS devices.
+     *
+     * @param hostName - AWS IoT endpoint to connect to
+     * @param pkcs12_options - The PKCS#12 options to use in the builder.
+     */
+    static newDirectMqttBuilderWithMtlsFromPkcs12(hostName : string, pkcs12_options: io.Pkcs12Options) : AwsIotMqtt5ClientConfigBuilder {
+        let builder = new AwsIotMqtt5ClientConfigBuilder(
+            hostName,
+            AwsIotMqtt5ClientConfigBuilder.DEFAULT_DIRECT_MQTT_PORT,
+            io.TlsContextOptions.create_client_with_mtls_pkcs12_from_path(pkcs12_options.pkcs12_file, pkcs12_options.pkcs12_password));
+
+        if (io.is_alpn_available()) {
+            builder.tlsContextOptions.alpn_list.unshift('x-amzn-mqtt-ca');
+        }
+
+        return builder;
+    }
+
     /**
      * Create a new MQTT5 client builder that will create MQTT5 clients that connect to AWS IoT Core via mutual TLS
      * using a certificate entry in a Windows certificate store.
diff --git a/lib/native/io.ts b/lib/native/io.ts
@@ -160,6 +160,22 @@ export class SocketOptions extends NativeResource {
     }
 }
 
+/**
+ * Interface used to hold the options for creating a PKCS#12 connection in the builder.
+ *
+ * Note: Only supported on MacOS devices.
+ *
+ * NodeJS only
+ * @category TLS
+ */
+export interface Pkcs12Options {
+    /** Path to the PKCS#12 file */
+    pkcs12_file: string;
+
+    /** The password for the PKCS#12 file */
+    pkcs12_password : string;
+}
+
 /**
  * Options for creating a {@link ClientTlsContext} or {@link ServerTlsContext}.
  *
diff --git a/test/mqtt5.ts b/test/mqtt5.ts
@@ -59,12 +59,34 @@ export class ClientEnvironmentalConfig {
     public static AWS_IOT_SIGNING_AUTHORIZER_TOKEN_SIGNATURE = process.env.AWS_TEST_MQTT5_IOT_CORE_SIGNING_AUTHORIZER_TOKEN_SIGNATURE ?? "";
     public static AWS_IOT_SIGNING_AUTHORIZER_TOKEN_KEY_NAME = process.env.AWS_TEST_MQTT5_IOT_CORE_SIGNING_AUTHORIZER_TOKEN_KEY_NAME ?? "";
 
+    public static AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY = process.env.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY ?? "";
+    public static AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD = process.env.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD ?? "";
+
     public static hasIotCoreEnvironment() {
         return ClientEnvironmentalConfig.AWS_IOT_HOST !== "" &&
             ClientEnvironmentalConfig.AWS_IOT_CERTIFICATE_PATH !== "" &&
             ClientEnvironmentalConfig.AWS_IOT_KEY_PATH !== "";
     }
 
+    public static hasCustomAuthEnvironment() {
+        return ClientEnvironmentalConfig.AWS_IOT_HOST !== "" &&
+            ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_NAME != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_USERNAME != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_NO_SIGNING_AUTHORIZER_PASSWORD != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_NAME != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_USERNAME != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_PASSWORD != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_TOKEN != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_TOKEN_SIGNATURE != "" &&
+            ClientEnvironmentalConfig.AWS_IOT_SIGNING_AUTHORIZER_TOKEN_KEY_NAME != "";
+    }
+
+    public static hasPKCS12Environment() {
+        return ClientEnvironmentalConfig.AWS_IOT_HOST !== "" &&
+            ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY !== "" &&
+            ClientEnvironmentalConfig.AWS_TEST_MQTT311_IOT_CORE_PKCS12_KEY_PASSWORD !== ""
+    }
+
     public static DIRECT_MQTT_HOST = process.env.AWS_TEST_MQTT5_DIRECT_MQTT_HOST ?? "";
     public static DIRECT_MQTT_PORT = parseInt(process.env.AWS_TEST_MQTT5_DIRECT_MQTT_PORT ?? "0");
     public static DIRECT_MQTT_BASIC_AUTH_HOST = process.env.AWS_TEST_MQTT5_DIRECT_MQTT_BASIC_AUTH_HOST ?? "";
@@ -415,7 +437,7 @@ export async function willTest(publisher: mqtt5.Mqtt5Client, subscriber: mqtt5.M
     publisher.stop({
         reasonCode: mqtt5.DisconnectReasonCode.DisconnectWithWillMessage
     });
-    
+
     await willReceived;
     await publisherStopped;
 
