Can not connect to demo using x509 : Server certificate are invalid. #1050

Closed
stpolo1979 opened this issue Jul 9, 2021 · 14 comments
Labels
bsserver Impact LWM2M bootstrap server bug Dysfunctionnal behavior demo Impact our demo (not libraries) server Impact LWM2M server

@stpolo1979

Hi,

Please check what's wrong in my operations, thx.

1. Download client demo
wget https://ci.eclipse.org/leshan/job/leshan/lastSuccessfulBuild/artifact/leshan-client-demo.jar

2. Add security information on
https://leshan.eclipseprojects.io/#/security
endpoint: polo_test_certificate
security mode : x509

3. Refer to https://github.com/eclipse/leshan/wiki/Credential-files-format
X509 -> Using OpenSSL to create self-signed certificate
#gen key
openssl ecparam -out keys.pem -name prime256v1 -genkey
#Convert private Key to PKCS#8 format (DER encoding) for -cprik option
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
#create a self-signed certificate for -ccert option
openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der

4. Refer to https://leshan.eclipseprojects.io/#/server
download serverCertificate.der for -scert option

5. Launch leshan-client-demo.jar with

java -jar ./leshan-client-demo.jar -n polo_test_certificate -u 23.97.187.154:5684 -ccert ./self_signed_cert.der -scert ./serverCertificate.der -cprik ./cprik.der

6. Got error

==========================================================
Unable to create and start client ...
java.security.ProviderException: java.security.InvalidKeyException: EC parameters error
at sun.security.pkcs11.P11Key$P11ECPrivateKey.getEncodedInternal(P11Key.java:950)
at sun.security.pkcs11.P11Key.getEncoded(P11Key.java:131)
at org.eclipse.leshan.client.demo.LeshanClientDemo.createAndStartClient(LeshanClientDemo.java:686)
at org.eclipse.leshan.client.demo.LeshanClientDemo.main(LeshanClientDemo.java:621)
Caused by: java.security.InvalidKeyException: EC parameters error
at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:284)
at sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:86)
at sun.security.pkcs11.P11Key$P11ECPrivateKey.getEncodedInternal(P11Key.java:947)
... 3 more
Caused by: java.security.NoSuchProviderException: no such provider: SunEC
at sun.security.jca.GetInstance.getService(GetInstance.java:83)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.security.Security.getImpl(Security.java:697)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:199)
at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:279)
... 5 more

@sbernard31
Contributor

It seems you are using a JDK/JRE which does not support EC (elliptic curves).

Which one are you using (version/OS)?
Did you try with another one?

@sbernard31 sbernard31 added the question Any question about leshan label Jul 9, 2021
@stpolo1979
Author

Thanks for reply
Here is my OS and version

__ $ > uname -a
Linux polo-linux 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

@stpolo1979
Author

Hi,

I change to windows system and no more java error
but still failure due to validation

please check the following logs and share the idea, thx

C:>java -jar ./leshan-client-demo.jar -n polo_test_certificate -u 23.97.187.154:5684 -ccert ./self_signed_cert.der -scert ./serverCertificate.der -cprik ./cprik.der
2021-07-09 21:31:56,652 INFO LeshanClientDemo - Client uses X509 :
2021-07-09 21:31:56,655 INFO LeshanClientDemo - Commands available :

  • create : to enable a new object.
  • delete : to disable a new object.
  • update : to trigger a registration update.
  • w : to move to North.
  • a : to move to East.
  • s : to move to South.
  • d : to move to West.

2021-07-09 21:31:56,666 INFO LeshanClient - Starting Leshan client ...
2021-07-09 21:31:57,600 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://23.97.187.154:5684 at coaps://0.0.0.0:59338
2021-07-09 21:31:57,601 INFO LeshanClient - Leshan client[endpoint:polo_test_certificate] started.
2021-07-09 21:31:57,602 INFO DefaultRegistrationEngine - Trying to register to coaps://23.97.187.154:5684 ...
2021-07-09 21:31:57,627 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2021-07-09 21:32:07,124 INFO DefaultRegistrationEngine - Unable to send register request : Certificate chain could not be validated - server identity does not match certificate
2021-07-09 21:32:07,124 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : FAILED (Certificate chain could not be validated - server identity does not match certificate)

2021-07-09 21:32:07,125 INFO DefaultRegistrationEngine - Try to register to coaps://23.97.187.154:5684 again in 600s...
2021-07-09 21:32:09,658 INFO LeshanClient - Destroying Leshan client ...
2021-07-09 21:32:09,660 INFO LeshanClient - Leshan client destroyed.

@boaks

boaks commented Jul 9, 2021

Would it be possible, that you also execute

java -version

that should write something as:

openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~18.04-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

@stpolo1979
Author

hi
Here is Java version in my windows 7

C:>java -version
java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) Client VM (build 25.261-b12, mixed mode)

@boaks

boaks commented Jul 9, 2021

OK, it would have been interesting on the machine where it is not working.
But now it starts, that should no longer be the issue.

@sbernard31
Contributor

sbernard31 commented Jul 9, 2021

> I change to windows system and no more java error

@stpolo1979, it should work on linux too if you use a JVM with EC provider, anyway you have a working setup now.

> still failure due to validation

I think that the current certificates on the sandbox are not correct since we added more x509 checks. (6e96cee)
I will double check this but I probably need to fix it. Thx for reporting that 🙏
I'll let you know when I believe it's OK.

@sbernard31
Contributor

@stpolo1979, I updated the certificate on https://leshan.eclipseprojects.io.

It should work now but you need to use the domain name instead of the IP address:

java -jar ./leshan-client-demo.jar -n polo_test_certificate -u leshan.eclipseprojects.io:5684 -ccert ./self_signed_cert.der -scert ./serverCertificate.der -cprik ./cprik.der

(and you need to re-download the server certificate)
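
The identity check behind the "server identity does not match certificate" failure above, as an added example that is not part of the original thread and not Leshan's own code: it builds a throwaway self-signed certificate and asks OpenSSL which identities it is valid for. The host name, IP address and certificate contents are constructed sample values; what the sandbox certificate actually contains is not shown on this page.

```shell
#!/bin/sh
# Added example. All names and addresses are constructed sample values.

# make_cert DIR CN SAN: write a throwaway EC key and self-signed
# certificate (DIR/key.pem, DIR/cert.der) with the given subjectAltName.
make_cert() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = $3
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
    openssl req -x509 -new -key "$1/key.pem" -sha256 -days 1 \
        -config "$1/req.cnf" -outform DER -out "$1/cert.der"
}

# cert_matches CERT_DER host|ip VALUE: succeed only if the certificate is
# valid for that identity. openssl reports the result in its output
# ("does match" / "does NOT match"), so the text is what gets tested.
cert_matches() {
    openssl x509 -inform DER -in "$1" "-check$2" "$3" 2>/dev/null |
        grep -q 'does match certificate'
}

# demo: a certificate issued for a DNS name only, checked both ways.
demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" device-server.example.test DNS:device-server.example.test
    for id in "host device-server.example.test" "ip 192.0.2.10"; do
        set -- $id
        if cert_matches "$tmp/cert.der" "$1" "$2"; then
            echo "$2: identity matches"
        else
            echo "$2: server identity does not match certificate"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Pass `demo` as the first argument to print both results; a certificate that carries only a DNS name is rejected when the same server is addressed by IP.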

@sbernard31
Contributor

(I just fixed the LWM2M server, I need to deploy another certificate for the LWM2M Bootstrap server sandbox too)

@sbernard31
Contributor

OK it should be fixed on LWM2M Bootstrap server sandbox too.

Now I need to change the default certificate in the demo, setting CN=localhost as default (or something like this).

@stpolo1979
Author

Thanks a lot

It works after reloading the server certificate

@sbernard31 sbernard31 changed the title using leshan-client-demo.jar to connect with coaps://leshan.eclipseprojects.io:5684 Can not connect to demo using x509 : Server certificate are invalid. Jul 15, 2021
@sbernard31 sbernard31 added bsserver Impact LWM2M bootstrap server bug Dysfunctionnal behavior demo Impact our demo (not libraries) server Impact LWM2M server and removed question Any question about leshan labels Jul 15, 2021
@sbernard31
Contributor

Thinking a bit more about this and looking a bit more at the specification, I guess there is also a bug at the client side.

(see #1052 for more details)

@sbernard31
Contributor

Thx again for reporting this. That helps a lot. 🙏

@sbernard31
Contributor

I updated default demo certificates and 83a3f2b should fix #1052. We should be good now.
