Trying to set up ROS2 security enclaves using an external CA

asked 2021-09-02 08:13:39 -0500


Hi,

I'm trying to get the basic talker / listener demo to work with security enabled using an external CA (instead of the self-signed that SROS2 generates). So what I've done is that I followed the README here to install everything and had the generic demo working without changing anything: https://github.com/ros2/sros2/blob/ma...

Then I created a root CA in Google cloud and two intermediates (identity and permissions CAs) and deleted the keys and certificates that sros2 created. Then I generated new keys and CSRs with the following command and signed with the identity CA:

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out key.pem
openssl req -new -key key.pem -out cert.csr

Then signed the permissions and governance XMLs using permissions CA with OpenSSL.

When I try to start the talker node, I get an error:

[INFO] [1630576352.467432146] [rcl]: Found security directory: /home/kalle/sros2_demo/demo_keystore/enclaves/talker_listener/talker
2021-09-02 12:52:32.477 [RTPS_PARTICIPANT Error] Cannot create participant due to security initialization error -> Function createParticipant

>>> [rcutils|error_handling.c:108] rcutils_set_error_state()
This error state is being overwritten:

  'create_node() could not create participant, at /tmp/binarydeb/ros-foxy-rmw-fastrtps-shared-cpp-1.2.5/src/participant.cpp:122, at /tmp/binarydeb/ros-foxy-rcl-1.1.11/src/rcl/node.c:276'
with this new error message:

  'rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.11/src/rcl/node.c:428'

rcutils_reset_error() should be called after error handling to avoid this.
<<<
[ERROR] [1630576352.478426754] [rcl]: Failed to fini publisher for node: 1
2021-09-02 12:52:32.478 [PARTICIPANT Error] Problem creating RTPSParticipant -> Function createParticipant
terminate called after throwing an instance of 'rclcpp::exceptions::RCLError'
  what():  failed to initialize rcl node: rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.11/src/rcl/node.c:428

The ROS Security log shows the following lines on my start attempts:

[1629895113.497374301] [EMERGENCY] 1.f.32.d0.3f.10.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identit>
[1629895230.680614723] [EMERGENCY] 1.f.32.d0.9e.10.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identit>
[1629895341.303598691] [EMERGENCY] 1.f.32.d0.ec.10.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identit>
[1629895357.65209485] [EMERGENCY] 1.f.32.d0.10.11.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identity>
[1629898603.987131751] [EMERGENCY] 1.f.32.d0.a3.1b.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identit>
[1630576352.477045125] [EMERGENCY] 1.f.32.d0.5b.a.0.0.1.0.0.0|0.0.1.c1 0 PKIDH::validate_local_identity>

ROS2 version: Foxy
DDS implementation: FastDDS by eProsima (the one shipped with Foxy)

Can anybody suggest what I might be doing wrong? Is there any other logging output I could see to understand what is exactly failing?


1 Answer


answered 2021-09-02 09:29:48 -0500


Eh, never mind... Had my governance.p7s file named governance.xml.p7s. Fixing this solved the issue. Working now :)

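A pre-flight check for an enclave directory that catches the misnamed governance.xml.p7s from the answer, a key that does not belong to cert.pem, and a governance/permissions document that does not verify against the permissions CA. This is an added example, not code from the thread or from SROS2; it assumes the Foxy keystore file names (cert.pem, key.pem, identity_ca.cert.pem, permissions_ca.cert.pem, governance.p7s, permissions.p7s) and that the XML documents are S/MIME signed by the permissions CA, as the DDS-Security spec requires.

```shell
#!/bin/sh
# check_enclave DIR: returns 0 if DIR looks like a usable SROS2 enclave, 1 otherwise.
# File names below are the assumed Foxy keystore layout (assumption, not from the post).
check_enclave() {
    dir=$1
    rc=0
    for f in cert.pem key.pem identity_ca.cert.pem permissions_ca.cert.pem governance.p7s permissions.p7s; do
        [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    # The mistake from the answer: the signed file keeps the ".xml" part of its name,
    # so the DDS plugin looks for governance.p7s and never finds it.
    for bad in "$dir"/*.xml.p7s; do
        [ -e "$bad" ] || continue
        echo "MISNAMED: $bad (expected ${bad%.xml.p7s}.p7s)"
        rc=1
    done
    # An externally issued cert must carry the public half of the key that was generated locally.
    if [ -f "$dir/cert.pem" ] && [ -f "$dir/key.pem" ]; then
        certpub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null)
        keypub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
        [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
            || { echo "MISMATCH: key.pem does not belong to cert.pem"; rc=1; }
    fi
    # Governance and permissions must be S/MIME signatures that chain to the permissions CA.
    for doc in governance permissions; do
        [ -f "$dir/$doc.p7s" ] || continue
        openssl smime -verify -in "$dir/$doc.p7s" -CAfile "$dir/permissions_ca.cert.pem" \
            -out /dev/null >/dev/null 2>&1 \
            || { echo "BAD SIGNATURE: $doc.p7s does not verify against permissions_ca.cert.pem"; rc=1; }
    done
    return $rc
}
```

Run it as `check_enclave ~/sros2_demo/demo_keystore/enclaves/talker_listener/talker` before launching the node; each line it prints names one reason the participant would fail to create.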
