Implementing mosquitto_psk_key_get for certificate whitelisting

[rianorie]

Hello!

I'm fairly new to Mosquitto and MQTT brokers, so I may be misunderstanding the API/documentation.

We are wanting to use client certificates for our devices and be able to revoke these without having to restart the broker. Go auth implements the username and password solution, which is amazing, and a huge leap from having to use the static files on the server.

I was wondering if mosquitto_psk_key_get could be used to implement the crlfile feature, after a fashion? My situation is using PostgreSQL, so I would probably create a password hash the certificate that we give out for a client and store that hash, and then do a hash check against the database..?

Thoughts are welcome :) Also, if this is not the right place for this, please close the issue and direct me in the right direction!

I'd be happy to build it and send in a PR if others are interested.

[iegomez]

Hi, @rianorie!
Sadly, when I started the plugin I didn't have any similar need and never got to implement it, as you can see in this default error response: https://github.com/iegomez/mosquitto-go-auth/blob/master/auth-plugin.c#L158

I don't really have any thoughts on the matter and don't have time to look into it in the near future, but PRs are very welcome.

[rianorie]

Hey @iegomez , I just want to confirm that I understand the documentation correctly and that this would be a solution that can be implemented like I proposed?

[iegomez]

Sadly, I don't know because as I said I never looked into PSK functionality regarding Mosquitto and don't have time to do the research right now, so you're probably better off checking Mosquitto docs to understand the feature and the plugin general interface to see if there's a fit.
Sorry again for not being more helpful.

[rianorie]

not to worry! I'll dig into it and see if it works like I want it to :) Thanks!

[rianorie]

@iegomez sorry, I know you're short on time. I'm tinkering with it, the go part I get.. but how does that auth-plugin.c file get incorporated into Mosquitto? In other words, how can I get my it to start using my AuthPskKeyGet() function?

[iegomez]

You'd call your exported Go function from the C file's mosquitto_auth_psk_key_get one.
When/how is that called from Mosquitto? Again, I don't know because I never looked into it.

[rianorie]

I'm probably not communicating my question clearly.. How will Mosquitto know about my (new) function? I will need to specify it in mosquitto_auth_psk_key_get, sure. I can do that in auth-plugin.c. But do I need to build Mosquitto with that file?

You made AuthUnpwdCheck(), defined it in the auth-plugin.c, ben when did that auth-plugin.c file get built/used?

I've been building the docker env and changes I make to the C file are not being picked up as far as I can see.

[iegomez]

After implementing your Go side function and using it in mosquitto_auth_psqk_key_get, you simply rebuild the .so shared object file that's loaded by Mosquitto. No need to rebuild Mosquitto itself, it'll load the plugin at start time.

Rebuilding is just a matter of running make, you can check the Makefile at https://github.com/iegomez/mosquitto-go-auth/blob/master/Makefile.