Add method to Scandium for setting trusted RPKs

[LudwigSeitz]

When doing a raw-public-key handshake according to RFC 7250 the raw public key of the other peer is said to be verified out-of-band.

I would like to have a feature in Scandium where I can add a list of trusted raw public keys, from which I will accept DTLS connections (and reject others).

[boaks]

Request offers getSenderIdentity, which provides the access to the raw public key.
So I think, you could check it on incoming request.

[LudwigSeitz]

True, but it would be nice to be able to check this in Scandium and not in the application, so that the handshake is aborted.

[sophokles73]

I agree, it would be nice to have something along the lines of the PSKStore for RPKs as well.

[LudwigSeitz]

Referring to the comment from boaks: How do I check the same thing at the client side? The server's public key seems to be encapsulated in the ClientHandshaker and I cannot find an (obvious) method to access it at client side.

[LudwigSeitz]

I've written some code to solve this issue, what is the preferred procedure for contributing this?

[boaks]

The raw public keys are used to create the RawPublicKeyIdentity (which implements Principal).
But your right, if the client sends application data, the application layer will not get the principal until the server replies. So, if you can't wait for the servers response, scandium must be enhanced.

I've written some code to solve this issue, what is the preferred procedure for contributing this?
That's defined by eclipse. A PR requires a ECA.

https://www.eclipse.org/legal/ECA.php

[LudwigSeitz]

Did a pull request with code for that feature. Please review.

[boaks]

Should be solve with the merging of your PR.