Add Certificate usage support to leshan demos #991
leshan-client-demo/src/main/java/org/eclipse/leshan/client/demo/LeshanClientDemo.java
System.err.println( | ||
"You need to set a truststore when you are using \"service_certificate_constraint\" usage"); | ||
formatter.printHelp(USAGE, options); | ||
return; |
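Review bot: the message passed to System.err.println says a truststore is required but does not name the command-line option that supplies it, so the user has to dig it out of the printHelp output; name the truststore option in the message itself. Also check where the bare `return;` leads: if it leaves the entry point, this configuration error ends with a normal exit status, which is awkward for scripts that launch the demo.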
If I'm not wrong, only SERVICE_CERTIFICATE_CONSTRAINT needs a truststore, as the other modes can use the server certificate as truststore directly.
(For CA constraint I think it should not be used as truststore either: see #936)
I need to have a bit of a fresher mind in order to think about this.
f7f77a4 to f4e15db
I added changes to the UI. I think the missing parts for this feature are:
@dachaac I'm waiting for your feedback about all of those before going further. :)
2de240b to 6f25ea5
(rebased on master)
// and so we can set DTLS Connection as client only by default. | ||
if (serverInfo.bootstrap && incompleteConfig.isClientOnly() == null) { | ||
newBuilder.setClientOnly(); | ||
} |
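Review bot: the `incompleteConfig.isClientOnly() == null` test in the condition means an explicitly configured value is kept for a bootstrap server while every other caller silently gets `setClientOnly()`; the comment above the condition should say that this is only a default that an explicit setting overrides. A test covering both the unset and the explicitly set case for `serverInfo.bootstrap` would pin that behaviour down.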
I ended up having auto detection from certificate what to configure:
dachaac@fea11c8
as one could either have client certificate with or without serverAuth -- clientAuth should be there always.
and the matching one for server:
dachaac@613b6fb
This change is about the library itself and not really related to certificates.
Having a LWM2M client and server which can each act as both DTLS client and DTLS server is mainly needed when the DTLS connection is lost (reboot/crash/connection expired) and the server initiates a request. (for more details)
In case of a bootstrap session we don't need it, because the session is short and always initiated by the client. So I prefer to set the LWM2M client as DTLS clientOnly for bootstrap.
About "auto detection", this could be a good idea for the demo: we add a warning explaining that failover will not work in case we provide a clientAuth or serverAuth only certificate.
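The auto-detection and warning discussed in the two comments above can be sketched as follows. This is an added example, not code from the PR or from Leshan; the class `EkuRoleCheck`, the `DtlsRole` enum and the method names are hypothetical, and the sample EKU lists are constructed to mirror a serverAuth-only and a dual-purpose certificate.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration; class and method names are hypothetical, not Leshan API.
public class EkuRoleCheck {
    // Extended Key Usage OIDs defined in RFC 5280, section 4.2.1.12
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    static final String ANY_EKU = "2.5.29.37.0";

    enum DtlsRole { BOTH, CLIENT_ONLY, SERVER_ONLY, NONE }

    // ekuOids is what X509Certificate.getExtendedKeyUsage() returns:
    // null when the extension is absent, which places no restriction.
    static DtlsRole rolesFor(List<String> ekuOids) {
        if (ekuOids == null || ekuOids.contains(ANY_EKU)) return DtlsRole.BOTH;
        boolean client = ekuOids.contains(CLIENT_AUTH);
        boolean server = ekuOids.contains(SERVER_AUTH);
        if (client && server) return DtlsRole.BOTH;
        if (client) return DtlsRole.CLIENT_ONLY;
        if (server) return DtlsRole.SERVER_ONLY;
        return DtlsRole.NONE;
    }

    static DtlsRole rolesFor(X509Certificate cert) throws CertificateParsingException {
        return rolesFor(cert.getExtendedKeyUsage());
    }

    // Warning text for a certificate that does not allow both roles.
    static String warningFor(DtlsRole role) {
        if (role == DtlsRole.CLIENT_ONLY || role == DtlsRole.SERVER_ONLY) {
            return "certificate restricts this endpoint to " + role
                    + "; DTLS failover in the other direction will not work";
        }
        return role == DtlsRole.NONE ? "certificate allows neither clientAuth nor serverAuth" : "";
    }

    public static void main(String[] args) {
        // Constructed EKU lists: serverAuth only, then serverAuth plus clientAuth.
        List<List<String>> samples = Arrays.asList(
                Collections.singletonList(SERVER_AUTH), Arrays.asList(SERVER_AUTH, CLIENT_AUTH));
        for (List<String> eku : samples) {
            DtlsRole role = rolesFor(eku);
            System.out.println(eku + " -> " + role + " " + warningFor(role));
        }
    }
}
```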
@@ -104,7 +104,7 @@ keytool -genkeypair -alias server -keyalg EC -dname 'CN=localhost' \ | |||
-storetype $DEFAULT_STORE_TYPE \ | |||
-ext BasicConstraints=ca:false \ | |||
-ext KeyUsage:critical=digitalSignature,keyAgreement \ | |||
-ext ExtendedkeyUsage=serverAuth \ | |||
-ext ExtendedkeyUsage=serverAuth,clientAuth \ |
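Review bot: the `-ext ExtendedkeyUsage=serverAuth,clientAuth` line makes the demo server certificate dual-purpose without saying why; add a comment above the keytool command stating that clientAuth is there because the server can also take the DTLS client role. Without that, readers are likely to copy the dual-purpose setting into deployments that expect single-purpose certificates.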
Just a note -- making multi purpose certificates can hide problems from real deployments where one should not have multi purpose certificates. -- in server it is easier but especially in client you do not have necessary information to verify that device is acting as a server. That is the reason why I made them explicit.
As explained here, I cannot see how we can make "none queue mode" work in a reliable way without supporting both roles at both sides.
So in my mind, "multi purpose" is the default behavior.
But I can imagine that I maybe missed some real life constraint about x509 world.
So could you elaborate about :
"in server it is easier but especially in client you do not have necessary information to verify that device is acting as a server" ?
About :
making multi purpose certificates can hide problems from real deployments where one should not have multi purpose certificates.
A solution could be to add some test with clientOnly ?
@dachaac, I will integrate this PR without commit.
Hoping you're fine with the rest of the PR.
Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com>
Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com> also-by: Simon Bernard <sbernard@sierrawireless.com>
configuration. For now use LWM2M default mode domain issuer certificate (3). Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com>
Adds Web UI for configuring certificate usage setting for registered clients. Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com> also-by: Simon Bernard <sbernard@sierrawireless.com>
Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com>
Add certificate chain support for -cert option. Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com> also-by: Simon Bernard <sbernard@sierrawireless.com>
Add certificate chain support for -cert option. Signed-off-by: Vesa Jääskeläinen <dachaac@gmail.com> also-by: Simon Bernard <sbernard@sierrawireless.com>
Because for now it is not possible to change the server certificate during a bootstrap session, we do not allow CA constraint and trust anchor assertion certificate usage. Hoping we will do better with the new UI.
6f25ea5 to 2765896
@dachaac this is integrated in master now but feel free to give feedback anyway.
Modified version of #983