PKIX

INTRO

The reason we chose Erlang for securing SSL connections is simple — there was no heartbleed for Erlang SSL application yet! Here you can find simple 200 LOC Certificate Authority Server that is used to enroll server cerficates (for SYNRC applications) and client certificates (for securing device connections).

SYNRC CA

SETUP CA

SYNRC CA supports Elixir package manager MIX:.

$ git clone [email protected]:synrc/ca && cd ca $ mix deps.get $ mix release $ _build/dev/rel/ca/bin/ca daemon $ _build/dev/rel/ca/bin/ca remote

You can either use you own instance or SYNRC CA instance. Here is how to obtain the SYNRC root certificate:

$ curl http://ca.n2o.dev:8046/up/ecc -----BEGIN CERTIFICATE----- MIICCTCCAY+gAwIBAgIJAL7mRQ3V5XfRMAoGCCqGSM49BAMDMDkxCzAJBgNVBAYT AlVBMQ0wCwYDVQQIDARLeWl2MQ4wDAYDVQQKDAVTWU5SQzELMAkGA1UEAwwCQ0Ew HhcNMTkwODI4MTUxNjAwWhcNMjkwODI1MTUxNjAwWjA5MQswCQYDVQQGEwJVQTEN MAsGA1UECAwES3lpdjEOMAwGA1UECgwFU1lOUkMxCzAJBgNVBAMMAkNBMHYwEAYH KoZIzj0CAQYFK4EEACIDYgAETgSyGA+SvE1opUuTfgzB8l5v/oMrixxmiaL/0MBs HfavVIc1kBccyVJLXa4hXkJ7gu29owsAQa8KqQbzOqE4z0O+Y0pveHayGAFOlKzg Rzf1FPJwbgwKiE8DziiwXnGOo2MwYTAdBgNVHQ4EFgQUp+knJG+Hjx6QGSmL3XNr VO8A5d8wHwYDVR0jBBgwFoAUp+knJG+Hjx6QGSmL3XNrVO8A5d8wDwYDVR0TAQH/ BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMDaAAwZQIwEmCAed7n UdyIdmlbVq+b/ecUWx6DdqltragIeaNFXCA+2tFL071wJTId8HWl4xqrAjEAu8OE AnIXa+Pv5M4XqjmqDwvx+6VffF2ZmSUrkV/FBG0tyPVwyfbwNODEcziUq++E -----END CERTIFICATE-----

It can be stored in cert/ecc/caroot.pem with the following command:

$ mad ecc ca

ISSUE SERVER CERT

For securing your N2O application just issue server certificate with your [unique] application name and specify the path to keys as a cowboy's variables.

$ mad ecc server BANK CERT: ECC SERVER 'BANK' KEY: {'OTPSubjectPublicKeyInfo', {'PublicKeyAlgorithm', {1,2,840,10045,2,1}, {namedCurve,{1,3,132,0,34}}}, {'ECPoint', <<4,211,65,158,185,219,65,140,77,139,66,124,65,245,152,113,143, 20,103,239,206,247,99,56,248,242,0,167,24,212,86,194,228,60, 247,18,44,183,151,26,200,1,238,142,160,45,11,149,74,230,0,35, 12,134,179,219,81,230,83,214,39,1,189,223,201,49,216,66,71,42, 140,18,134,164,217,44,189,115,54,169,16,154,38,58,104,64,66, 252,49,202,98,5,109,204,254,111,103>>}} OK

Here is example which you should include as a startup for ranch/cowboy server:

[ {certfile, "cert/ecc/BANK.pem"}, {keyfile, "cert/ecc/BANK.key"}, {cacertfile, "cert/ecc/caroot.pem"} ]

ISSUE CLIENT CERT

Here is an example how to obtain end-user certificate that should be installed manually at the device:

$ mad ecc client Max Socha CERT: ECC CLIENT 'Max Socha' KEY: {'OTPSubjectPublicKeyInfo', {'PublicKeyAlgorithm', {1,2,840,10045,2,1}, {namedCurve,{1,3,132,0,34}}}, {'ECPoint', <<4,58,170,214,161,218,195,236,109,105,150,102,84,169,147,155, 27,88,54,237,210,191,172,253,170,212,32,92,146,239,99,135,91, 247,199,22,248,182,208,20,57,107,141,191,195,85,212,119,77, 179,139,125,95,139,42,18,55,0,85,158,77,147,60,37,215,151,39, 56,50,88,89,186,88,16,117,123,250,249,140,190,253,122,95,134, 177,127,165,172,194,178,103,113,211,118,87,134,11>>}}

Here is e.g. how to secure MQTT IoT connection with ECC cryptography. First install Mosquitto, NanoMQ or EMQX server and protect is with server cerficate (as described above). And then use emqtt client and your personal client certificate:

1> {ok, Conn} = emqtt:start_link([ {client_id, <<"5HT">>}, {ssl, true}, {port, 8883}, {ssl_opts, [ {verify,verify_peer}, {customize_hostname_check, [{match_fun, fun ({ip,{127,0,0,1}},{dNSName,"localhost"}) -> true; (_,_) -> false end}]}, {certfile,"cert/ecc/Max Socha.pem"}, {keyfile,"cert/ecc/Max Socha.key"}, {cacertfile,"cert/ecc/caroot.pem"}]}]). {ok,<0.193.0>} 2> emqtt:connect(Conn). {ok,undefined} 3> emqtt:subscribe(Conn, {<<"hello">>, 0}). {ok,undefined,[0]} 4> emqtt:publish(Conn, <<"hello">>, <<"Hello World!">>, 0). ok 5> flush(). Shell got {publish,#{client_pid => <0.193.0>,dup => false, packet_id => undefined,payload => <<"Hello World!">>, properties => undefined,qos => 0,retain => false, topic => <<"hello">>}} ok

˙