INTRO
The reason we chose Erlang for securing SSL connections is simple — there was no heartbleed for Erlang SSL application yet! Here you can find simple 200 LOC Certificate Authority Server that is used to enroll server cerficates (for SYNRC applications) and client certificates (for securing device connections).
SYNRC CA
SETUP CA
SYNRC CA supports Elixir package manager MIX:.
$ git clone [email protected]:synrc/ca && cd ca
$ mix deps.get
$ mix release
$ _build/dev/rel/ca/bin/ca daemon
$ _build/dev/rel/ca/bin/ca remote
You can either use you own instance or SYNRC CA instance. Here is how to obtain the SYNRC root certificate:
$ curl http://ca.n2o.dev:8046/up/ecc
-----BEGIN CERTIFICATE-----
MIICCTCCAY+gAwIBAgIJAL7mRQ3V5XfRMAoGCCqGSM49BAMDMDkxCzAJBgNVBAYT
AlVBMQ0wCwYDVQQIDARLeWl2MQ4wDAYDVQQKDAVTWU5SQzELMAkGA1UEAwwCQ0Ew
HhcNMTkwODI4MTUxNjAwWhcNMjkwODI1MTUxNjAwWjA5MQswCQYDVQQGEwJVQTEN
MAsGA1UECAwES3lpdjEOMAwGA1UECgwFU1lOUkMxCzAJBgNVBAMMAkNBMHYwEAYH
KoZIzj0CAQYFK4EEACIDYgAETgSyGA+SvE1opUuTfgzB8l5v/oMrixxmiaL/0MBs
HfavVIc1kBccyVJLXa4hXkJ7gu29owsAQa8KqQbzOqE4z0O+Y0pveHayGAFOlKzg
Rzf1FPJwbgwKiE8DziiwXnGOo2MwYTAdBgNVHQ4EFgQUp+knJG+Hjx6QGSmL3XNr
VO8A5d8wHwYDVR0jBBgwFoAUp+knJG+Hjx6QGSmL3XNrVO8A5d8wDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMDaAAwZQIwEmCAed7n
UdyIdmlbVq+b/ecUWx6DdqltragIeaNFXCA+2tFL071wJTId8HWl4xqrAjEAu8OE
AnIXa+Pv5M4XqjmqDwvx+6VffF2ZmSUrkV/FBG0tyPVwyfbwNODEcziUq++E
-----END CERTIFICATE-----
It can be stored in cert/ecc/caroot.pem with the following command:
$ mad ecc ca
ISSUE SERVER CERT
For securing your N2O application just issue server certificate with your [unique] application name and specify the path to keys as a cowboy's variables.
$ mad ecc server BANK
CERT: ECC SERVER 'BANK'
KEY: {'OTPSubjectPublicKeyInfo',
{'PublicKeyAlgorithm',
{1,2,840,10045,2,1},
{namedCurve,{1,3,132,0,34}}},
{'ECPoint',
<<4,211,65,158,185,219,65,140,77,139,66,124,65,245,152,113,143,
20,103,239,206,247,99,56,248,242,0,167,24,212,86,194,228,60,
247,18,44,183,151,26,200,1,238,142,160,45,11,149,74,230,0,35,
12,134,179,219,81,230,83,214,39,1,189,223,201,49,216,66,71,42,
140,18,134,164,217,44,189,115,54,169,16,154,38,58,104,64,66,
252,49,202,98,5,109,204,254,111,103>>}}
OK
Here is example which you should include as a startup for ranch/cowboy server:
[
{certfile, "cert/ecc/BANK.pem"},
{keyfile, "cert/ecc/BANK.key"},
{cacertfile, "cert/ecc/caroot.pem"}
]
ISSUE CLIENT CERT
Here is an example how to obtain end-user certificate that should be installed manually at the device:
$ mad ecc client Max Socha
CERT: ECC CLIENT 'Max Socha'
KEY: {'OTPSubjectPublicKeyInfo',
{'PublicKeyAlgorithm',
{1,2,840,10045,2,1},
{namedCurve,{1,3,132,0,34}}},
{'ECPoint',
<<4,58,170,214,161,218,195,236,109,105,150,102,84,169,147,155,
27,88,54,237,210,191,172,253,170,212,32,92,146,239,99,135,91,
247,199,22,248,182,208,20,57,107,141,191,195,85,212,119,77,
179,139,125,95,139,42,18,55,0,85,158,77,147,60,37,215,151,39,
56,50,88,89,186,88,16,117,123,250,249,140,190,253,122,95,134,
177,127,165,172,194,178,103,113,211,118,87,134,11>>}}
Here is e.g. how to secure MQTT IoT connection with ECC cryptography. First install Mosquitto, NanoMQ or EMQX server and protect is with server cerficate (as described above). And then use emqtt client and your personal client certificate:
1> {ok, Conn} = emqtt:start_link([
{client_id, <<"5HT">>},
{ssl, true},
{port, 8883},
{ssl_opts, [
{verify,verify_peer},
{customize_hostname_check,
[{match_fun, fun ({ip,{127,0,0,1}},{dNSName,"localhost"}) -> true;
(_,_) -> false end}]},
{certfile,"cert/ecc/Max Socha.pem"},
{keyfile,"cert/ecc/Max Socha.key"},
{cacertfile,"cert/ecc/caroot.pem"}]}]).
{ok,<0.193.0>}
2> emqtt:connect(Conn).
{ok,undefined}
3> emqtt:subscribe(Conn, {<<"hello">>, 0}).
{ok,undefined,[0]}
4> emqtt:publish(Conn, <<"hello">>, <<"Hello World!">>, 0).
ok
5> flush().
Shell got {publish,#{client_pid => <0.193.0>,dup => false,
packet_id => undefined,payload => <<"Hello World!">>,
properties => undefined,qos => 0,retain => false,
topic => <<"hello">>}}
ok