Allow using trust anchor in certificate mode #893
Comments
You mean You're correct regarding : https://tools.ietf.org/html/rfc6698#section-2.1.1 For LWM2M v1.1.x all certificate usages are supported.
So this is clearly something we need to implement for 2.0.0. (but not yet available :/) @boaks do you think it makes sense to create 4 new
Or should it be only in Leshan ? @dachaac is it something you need (direct or indirectly) to implement for EST ? |
sbernard31
added
bsserver
|
I guess, I have to read the LwM2M TS to see the differences :-). Californium currently verifies a I'm not sure, if it is important to explicit select the variant. |
|
@boaks, I think you only need the resource description in my previous comment and the https://tools.ietf.org/html/rfc6698#section-2.1.1. The idea is to define the server certificate validation behavior at client side.
For LWM2M, I think it make sense and as this is not specific LWM2M concept. I think this should maybe better placed in Scandium. But we can implement it in Leshan and you will see if this makes sense to move it to Scandium later. |
|
I have code already for this in: Needs the Unsigned Integer support (#880) and then we can start picking up those changes. |
Good news, I will try to make #880 forward. |
|
(I'm not a fan of that "micro-service-stuff, but ...) Just as remark: With Californium 2.5.0 the |
(Ok so probably added only in Leshan.)
Ok we will adapt the code when we will integrate cf-2.5. (thx for letting us know) |
That means: the API changes caused by the async certificate verifier may not really "pay off" for everybody. It's not too hard to migrate, but I'm not sure, how many will use the async feature, except of hono. |
Oh I didn't get this at all. 😅 |
|
@sbernard31 rebased my https://github.com/dachaac/leshan/commits/est-support branch with that all. It has couple of WIP commits in top -- but in theory one could pick up some commits before that. I would say all commits before EST stuff is something that could be considered eg.: X509CertUtil: Add new helper class for using X.509 certificates also: LeshanBootstrapServerDemo: Add support to load trust store from Java trust store could be taken. I can tune it a bit just tell what kind of PR would you like to have ;) I would say you need a lot of those to get to good level :) |
|
Let's start by certificate usage as this is requested by @mcocak :-)
We will discuss of this in PR(s) but I would rather go for one dedicated CertificateVerifier(in dedicated class) by certificate usage unless there is a good reason to keep on the logic in 1 class. |
|
Please, ensure to cover these modes with unit tests ;-). If the intention is to trust the certificate of the node itself (even if this is not a self-signed), then in my experience See my unit-tests: If you get different experience, I'm very interested to adapt my code as well. |
|
Since 2.0.0-M3 there is a functional certificate usage support in library and demos. |
LwM2M 1.0.2 only allows using the server's certificate directly which is currently implemented in Leshan, as stated in Resource 4 Server Public Key of Security object:
However, this was changed in LwM2M 1.1 where it is also added to use the trust anchor, not only server's certificate. Same Resource 4 Server Public Key of Security object:
Testing leshan-client with certificate mode and providing CA certificate of the server as input in -ccert, DTLS handshake is completed successfully but DTLSConnector drops the first CoAP message since the certificate I provide is not exactly the same as the certificate the server provides.
2020-09-16 19:22:08,368 INFO drops - DTLSConnector (DTLS-0.0.0.0:64254) drops 52 bytes outgoing, [CN=Great Bootstrap CA] != [x509 [CN=bootstrap.greatbootstrap.com,OU=Great cloud,O=Awesome Ltd,L=Hawaii,ST=Honolulu,C=US],TLS_ECDHE_ECDSA_WITH_AES_128_CCM]Server's certificate is derived from the CA certificate so Leshan client (Leshan v2.0) should be trusting the server according to LwM2M 1.1.
The text was updated successfully, but these errors were encountered: