Who knew openssl was so much more than keys and certificates…
Manufacturer Usage Description (MUD) uses a Yang-based Json file to pass access controls from a manufacturer server to IOT devices. This ensures IOT security in environments where many IOT devices are connected to the network and systematically assigning network access controls is too tedious. To ensure the validity of MUD json files, they need to be validated with a signature that comes in the form of a p7s file. This is done through Openssl and Cryptographic Message Syntax.
According to Wikipedia (my favourite source of information), Cryptographic Message Syntax (CMS) is the IETF’s standard for cryptographically protected messages, used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data. Essentially, we can use a verified certificate to sign and encrypt messages for transit.
To get started, we first need to generate our own keys and certificates. We’ll do this using openssl.
- Generate your root key and certificate using the terminal
openssl genrsa -des3 -out myroot.key 2048 openssl req -x509 -new -nodes -days 1825 -sha256 -key myroot.key -out mycertificate.crt
- Create a “Signer” key, certificate signing request and certificate.
openssl genrsa -out signer.key 2048 openssl req -new -key signer.key -out signer.csr
- Sign and validate the signer request using the root certificate. This Signer certificate will be used to sign the message, and validated by the root.
openssl x509 -req -in signer.csr -CA mycertificate.crt -CAkey myroot.key -CAcreateserial -days 1825 -sha256 -out signer.crt
Signing and Verifiying the MUD json File
cp mycertificate.crt mycertificate.pem # Sign openssl cms -sign -signer signer.pem -in mudfile.json -inkey signer.key -binary -outform DER -certfile mycertificate.pem -out mudfile.p7s # Verify openssl cms -verify -in mudfile.p7s -inform DER -content mud.json -binary -CAfile mycertificate.pem -out /dev/null # Verify openssl cms -verify -in %s -inform DER -content %s -purpose any -binary -out /dev/null
And that’s it. If the json files are verified, import mycertificate.pem into the MUD server so that it can be used to check against your p7s signatures.