Who knew openssl was so much more than keys and certificates…

Manufacturer Usage Description (MUD) uses a Yang-based Json file to pass access controls from a manufacturer server to IOT devices. This ensures IOT security in environments where many IOT devices are connected to the network and systematically assigning network access controls is too tedious. To ensure the validity of MUD json files, they need to be validated with a signature that comes in the form of a p7s file. This is done through Openssl and Cryptographic Message Syntax.

According to Wikipedia (my favourite source of information), Cryptographic Message Syntax (CMS) is the IETF’s standard for cryptographically protected messages, used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data. Essentially, we can use a verified certificate to sign and encrypt messages for transit.

To get started, we first need to generate our own keys and certificates. We’ll do this using openssl.

  1. Generate your root key and certificate using the terminal
    openssl genrsa -des3 -out myroot.key 2048
    openssl req -x509 -new -nodes -days 1825 -sha256 -key myroot.key -out mycertificate.crt
  2. Create a “Signer” key, certificate signing request and certificate.
    openssl genrsa -out signer.key 2048
    openssl req -new -key signer.key -out signer.csr
  3. Sign and validate the signer request using the root certificate. This Signer certificate will be used to sign the message, and validated by the root.
    openssl x509 -req -in signer.csr -CA mycertificate.crt -CAkey myroot.key -CAcreateserial -days 1825 -sha256 -out signer.crt

Signing and Verifiying the MUD json File

cp mycertificate.crt mycertificate.pem

# Sign
openssl cms -sign -signer signer.pem -in mudfile.json -inkey signer.key -binary -outform DER -certfile mycertificate.pem -out mudfile.p7s

# Verify
openssl cms -verify -in mudfile.p7s -inform DER  -content mud.json -binary -CAfile mycertificate.pem -out /dev/null

# Verify
openssl cms -verify -in %s -inform DER -content %s -purpose any -binary -out /dev/null

And that’s it. If the json files are verified, import mycertificate.pem into the MUD server so that it can be used to check against your p7s signatures.