This repository includes a proof-of-concept of the solution presented in the paper:
N. Fotiou, C. D. Nassar Kyriakidou, A. Maria Papathanasiou, I. Pittaras, Y. Thomas, G. Xylomenos, "Certificate Management for Cloud-Hosted Digital Twins", in 14th ISCC Workshop on Management of Cloud and Smart City Systems, 2024
The proposed solution allows digital twins (DTs) to securely receive a short-lived digital certificate that can be used for signing data.
This PoC includes the following entities:
- An emulated DT. This DT generates a self-attestation using a pre-configured public-private key pair. In real deployments, this attestation should be generated by the Cloud provider.
- An OpenID IdP. This IdP generates identity tokens for the DTs.
- Fulcio CA configuration. A sample configuration to be used with a local instance of Fulcio CA.
The OIDC IdP includes two configuration files, one for the development environment (`appsettings.Development.json`) and another for the production environment (`appsettings.Production.json`). You should configure the `IdP` section in both of them.
The OIDC IdP platform generates and signs an identity token used for obtaining a certificate from Fulcio. For this reason you need to generate a signing key.
This key can be generated with OpenSSL using the following commands (make sure you are using a proper password):
```bash
openssl ecparam -out ecparam.pem -name prime256v1
openssl genpkey -paramfile ecparam.pem -out idtoken-key.pem -aes-128-cbc -pass pass:"1234564"
```
Configure the `IdP` section with the path to the generated key and the password used. Moreover, configure the `iss` parameter with the URL of your deployment.
We are using a self-hosted version of Fulcio CA. Particularly, we are using Fulcio v1.4.4 with on-disk file keys. Generate a CA certificate and a key using the following command (make sure you are using a proper password):
```bash
openssl req -x509 \
-newkey ed25519 \
-sha256 \
-keyout fulcio-key.pem \
-out fulcio-cert.pem \
-subj "/CN=fulcioCA" \
-days 36500 \
-addext basicConstraints=critical,CA:TRUE,pathlen:1 \
-passout pass:"123456"
```
Then, modify the configuration included in the `Fulcio` directory and place it under `/etc/fulcio-config/config.json`, so that the provided IdP platform is included in its list of IdPs. Add the following lines:
```json
{
"OIDCIssuers": {
"mm-idp": {
"IssuerURL": "http://localhost:6001",
"ClientID": "sigstore",
"Type": "email"
}
}
}
```
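To make the `"Type": "email"` entry concrete, the following is an added Python model (not code from this repository or from Fulcio) of the claim checks this configuration implies before a certificate is issued: `FULCIO_CONFIG` is the block above, the sample claims and token are constructed, and verification of the token signature against the IdP's key is assumed to happen separately.

```python
import base64
import json

# The OIDCIssuers block from the Fulcio config shown in this README.
FULCIO_CONFIG = {
    "OIDCIssuers": {
        "mm-idp": {"IssuerURL": "http://localhost:6001", "ClientID": "sigstore", "Type": "email"}
    }
}

# Constructed sample claims, as the PoC IdP might issue them for a DT (the email value is made up).
SAMPLE_CLAIMS = {
    "iss": "http://localhost:6001", "aud": "sigstore", "email": "dt-0001@example.com",
    "email_verified": True, "iat": 1_700_000_000, "exp": 1_700_000_300,
}

# Constructed compact token carrying SAMPLE_CLAIMS; the signature segment is left empty here.
SAMPLE_TOKEN = ".".join(base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
                        for p in ({"alg": "ES256", "typ": "JWT"}, SAMPLE_CLAIMS)) + "."

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (signature assumed verified elsewhere)."""
    _header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token_claims(claims: dict, now: float, config: dict = FULCIO_CONFIG) -> str:
    """Return the name of the configured issuer that accepts these claims, else raise ValueError.
    Checks: iss == IssuerURL, aud contains ClientID, not expired, verified email for Type "email"."""
    issuers = config["OIDCIssuers"]
    name = next((n for n, e in issuers.items() if e["IssuerURL"] == claims.get("iss")), None)
    if name is None:
        raise ValueError(f"issuer not configured: {claims.get('iss')!r}")
    entry = issuers[name]
    aud = claims.get("aud")
    if entry["ClientID"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain the configured ClientID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if entry["Type"] == "email":
        if not claims.get("email") or claims.get("email_verified") is not True:
            raise ValueError("email-type issuer requires a verified email claim")
    return name

def rejects(claims: dict, now: float) -> bool:
    """True if the validation above would refuse these claims (convenience for checks)."""
    try:
        check_id_token_claims(claims, now)
        return False
    except ValueError:
        return True
```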
You have to install the `jwcrypto` package. This can be done using the following command:
```bash
python3 -m pip install jwcrypto
```
`dt.py` is configured with a JWK. You can generate a new one using the following Python script:
```python
from jwcrypto import jwk

# Generate a fresh P-256 EC key pair for the emulated DT
key = jwk.JWK.generate(kty='EC', crv='P-256')
# Export the key (including the private part) as a JSON string to paste into dt.py
print(key.export())
```
Compile and execute the OIDC IdP:
```bash
dotnet build
dotnet run
```
The keys generated in the setup step are assumed to be stored in `/etc/fulcio-config/`. Fulcio can be started using the following command:
```bash
fulcio serve \
--port 6002 \
--ca fileca \
--fileca-cert=/etc/fulcio-config/fulcio-cert.pem \
--fileca-key=/etc/fulcio-config/fulcio-key.pem \
--fileca-key-passwd="123456" \
```