-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reg. Coap Server using Scandium #362
Comments
as far as I know, there is no way, we required something similar and ended up implementing it by our selves (thought we are using an old version, so hopefully there is a way in the current one). |
Currently (1.0, 1.1, 2.0) there is a "sender principal" in incoming request. There are plans to extend that for other messages as well as for outgoing messages. Unfortunately, I'm currently busy with the "transparent blockwise" and it will take some time to provide a PR, which shows, how a generally usage of the available artefacts will work. |
@lakshT what kind of information do you want to extract/get access to? |
in cf-secure / SecureServer you can access the principal as above. See the different implementations of Principal to see how to get the details. |
@boaks how would you access the X509 certificate? |
FMPOV, the X.509 certificate chain of the client is only used, when you evaluate the trust. After the certificate is trusted, the DN should do it. |
@boaks that's what we are doing, another use case would be to validate the certificate and keep the information to use it for another purpose later. |
So I would say, a "trust callback" extension will do it for the first use case.
(I'm not sure, why there is no accessor for the |
Issue #301 is also requesting more flexibility in the credentials management. We will see, when we can implement it. |
@sophokles73 I would like to access SubjectDN from the client's certificate at server end. |
@lakshT our solution could help you, basically you need to modify the source code to attach the certificate to CoAP Request, then you could get the subject related fields, you could try it or hopefully we will upload a pool request soon. |
@AlexITC Do you mean to say that certificate goes in the body of every request or a method needs to be added for Request class, something like addCertificate(....) ? |
@lakshT it goes something like this, CoAP ServerHandshaker receives the client certificate, you could modify it to store the peer certificate in the session, then using CoAP endpoint, you could get the certificate from the session and store it in the Request. |
@lakshT if you just want to access the subject DN then simply invoke the If the client has been authenticated via DTLS using an X509 certificate, then the principal returned by |
Depending on the californium version you use, you may get different Principal implementations (based on different credential data). |
@sophokles73 I'm using X509 certificate. The principal which is returned by getSenderIdentity in my implementation is of the type org.eclipse.californium.scandium.auth.RawPublicKeyIdentity. Do you have an any idea what could I be doing wrong in my implementation? |
@boaks |
@lakshT, if you are ok to use a non-released version then I would suggest that you use 2.0.0-SNAPSHOT instead of 1.1.0-SNAPSHOT. We currently do not have any plans to do a 1.1.0 release. Regarding your issue with the |
The easiest way is add your client identification either to the "payload" or to some coap options (e.g. URI Query "name=temprature1"). |
@sophokles73 I have been following code from cf-secure to write my client and server. I think that it uses RawPublicKeys. Is there any example code which uses X.509 certificates instead? And I am designing a light weight application for small IoT devices. Would it be better to use RawPublicKeys over X.509 certificates? I would really appreciate any suggestions. |
The cf-secure client configures the DTLS layer to use RawPublicKeys by means of
It already uses the client certificate from the key store but is configured to send only the RawPublicKey from the certificate for authentication.
with
i.e. replace the Be aware that many (most?) constrained devices have a hard time doing an X.509 based handshake (in particular when using RSA instead of EC based keys) simply because of the CPU and memory constraints these devices usually are designed with. Such a handshake easily takes up to 30 -50 seconds, depending on the hardware platform at hand. Most projects I am aware of therefore use PSK based cipher suites instead, i.e. a kind of username/password based approach which puts much less burden on the device during the handshake. RawPublicKey could probably considered to lie somewhere in between, be aware, though that the server needs to establish a trust relationship with the device in an out of band fashion, similar to PSK based approaches, because there is no way the server can establish a chain-of-trust up to its trust anchors ... |
@sophokles73 Thanks for your suggestions. I changed the boolean parameter to true in setIdentity method in both client and server code. Now when the handshake occurs, it terminates in the middle and I get the message INFO: Aborting handshake with peer [/127.0.0.1:40140]: Certificate chain could not be validated I'm using the script provided with demo certs to create my own certificates and using the cf-secure code for the handshake. The validity of certificates created seems to be till 24th August 2017. What could be going wrong here? |
Can you please first validate if everything works as expected when you use the provided demo certificates and keys? |
I tired with demo certificates and keys, I got the same error message. |
which version of Cf are you using? |
Its, 2.0.0-SNAPSHOT. |
I have taken a look, it seems you have discovered a bug :-) I also think that I know what the problem is. Thanks, |
Sure, I'll open an issue. |
@lakshT is this still an issue for you? If not, can you close the issue? |
Hi,
Is there a way to extract information at server end from a client certificate sent to the server during a handshake. I've been referring to cf-secure but couldn't find a way out. Can you please help.
Thanks
The text was updated successfully, but these errors were encountered: