As I posted earlier, I am working on an MQTT-OCF gateway. As a start, I am trying to deploy security on the OCF side. The proxy creates resources corresponding to the MQTT topics on the fly, for both subscribe and publish requests, if the topic is new. This works perfectly, and I tested that OCF clients can discover and access the created resources; when an MQTT publisher publishes a new value for the topic, it is pushed via notification to the OCF client, or the OCF client can perform GET/PUT at its own pace.
This works perfectly as long as security is not involved. Now, if I want the MQTT proxy to serve only authorized clients, I have a puzzle. The proxy does not know the resources in advance; they are created on the fly. So, I have two problems here:

1. ACL: I would like to create a new ACE for the created resource with something like:

    {
      "aceid": n,                          // n is the number of resources created
      "subject": {"conntype": "auth-crypt"},
      "resources": [
        {
          "href": "</a/mqtt/mqtt_topic>",  // the resource created for the MQTT topic
          "rt": ["oic.r.mqtt"],
          "if": ["oic.if.baseline", "oic.if.a"]
        }
      ],
      "permission": 22
    }

Which API should I call to add this new ACL? What is the format used to represent the ACL? I am trying to avoid using a wildcard, but it is possible to have an ACL like the following from the beginning, and it should work (as far as I know):

    {
      "aceid": n,                          // n is the number of resources created
      "subject": {"conntype": "auth-crypt"},
      "resources": [
        {
          "wc": "+"                        // all secured resources created
        }
      ],
      "permission": 22
    }

2. I asked before on the list about group symmetric keys and did not get any answers. So, I checked the source code, and currently it is not supported. Then I found the following in the "OCF Security Primer for Device Vendors":

Vendor-defined groups, via the "roletype" parameter of the ACE2 "subject" property:

    {
      "aceid": 1,
      "subject": { "roletype": "<made_up_string_that_matches_string_in_cred>" },
      ...
    }

So, I tried to modify the SVR JSON file according to the above template and added a cred record with a matching string. When I run json2cbor, it fails. If I change "roletype" to "uuid", it works, so there is no syntax error in the JSON file. Anyway, here is my question: I would like to define a security group, any member of which can access the created resource. I don't want to populate the proxy's cred list with a separate entry for each new client. Can I use certificates for this?
Is there an example of using certificates to allow clients with proper credentials to authenticate with an OCF server? Thanks for any pointers :)

BR,
Khaled

View/Reply Online (#10018): https://lists.iotivity.org/g/iotivity-dev/message/10018
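As an added illustration of the ACE2 shape discussed in the post (not code from the original message, and not the IoTivity API the poster is asking about), the following Python builds one ACE per MQTT topic as the proxy would on the fly, encodes the CRUDN bitmask that yields the post's "permission": 22 (RETRIEVE 2 + UPDATE 4 + NOTIFY 16), and evaluates a request against the resulting list, including the "wc": "+" wildcard form. The topic-to-href mapping (/a/mqtt/<topic>), the Acl class and the treatment of every mapped resource as a secured one for the "+" wildcard are assumptions made for the example; the output is plain JSON of the kind json2cbor consumes, without the surrounding SVR envelope.

```python
"""Build and evaluate OCF ACE2 entries for MQTT topics mapped on the fly.

Added example; the href mapping, the Acl class and the wildcard handling
are assumptions for illustration, not IoTivity code.
"""
import json

# OCF ACE2 "permission" is a CRUDN bitmask.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16
PERM_NAMES = {"create": CREATE, "retrieve": RETRIEVE, "update": UPDATE,
              "delete": DELETE, "notify": NOTIFY}
# The value the post uses: RETRIEVE | UPDATE | NOTIFY == 22.
MQTT_DEFAULT_PERM = RETRIEVE | UPDATE | NOTIFY


def permission_bits(*ops):
    """Turn operation names into the ACE2 bitmask (duplicates ignored)."""
    return sum(PERM_NAMES[op] for op in set(ops))


def topic_href(topic):
    """Assumed gateway mapping: MQTT topic 'home/temp' -> '/a/mqtt/home/temp'.

    MQTT wildcard characters are refused so that one topic maps to exactly
    one OCF resource path.
    """
    if not topic or topic.startswith("/") or "+" in topic or "#" in topic:
        raise ValueError(f"refusing to map topic {topic!r}")
    return "/a/mqtt/" + topic


class Acl:
    """A minimal in-memory /oic/sec/acl2 list with unique aceids."""

    def __init__(self):
        self.aces = []
        self._next_aceid = 1

    def _append(self, subject, resources, perm):
        ace = {"aceid": self._next_aceid, "subject": subject,
               "resources": resources, "permission": perm}
        self._next_aceid += 1
        self.aces.append(ace)
        return ace

    def add_topic_ace(self, topic, conntype="auth-crypt",
                      perm=MQTT_DEFAULT_PERM):
        """ACE for one freshly created MQTT resource (the post's first form)."""
        resource = {"href": topic_href(topic), "rt": ["oic.r.mqtt"],
                    "if": ["oic.if.baseline", "oic.if.a"]}
        return self._append({"conntype": conntype}, [resource], perm)

    def add_wildcard_ace(self, conntype="auth-crypt", wc="+",
                         perm=MQTT_DEFAULT_PERM):
        """ACE covering resources by wildcard (the post's second form)."""
        return self._append({"conntype": conntype}, [{"wc": wc}], perm)

    def is_permitted(self, conntype, href, op):
        """True if some ACE grants `op` on `href` to a `conntype` subject.

        Assumption for this example: every /a/mqtt/ resource is exposed on
        a secure endpoint, so "+" matches it; "*" matches everything.
        """
        bit = PERM_NAMES[op]
        for ace in self.aces:
            if ace["subject"].get("conntype") != conntype:
                continue  # only conntype subjects are modelled here
            for res in ace["resources"]:
                matches = (res.get("href") == href
                           or res.get("wc") == "*"
                           or (res.get("wc") == "+" and href.startswith("/a/mqtt/")))
                if matches and ace["permission"] & bit:
                    return True
        return False

    def to_json(self):
        """Serialise the ACE list as the JSON a json2cbor step would take."""
        return json.dumps({"aclist2": self.aces}, indent=2)


if __name__ == "__main__":
    acl = Acl()
    acl.add_topic_ace("home/temp")   # constructed sample topic
    acl.add_topic_ace("home/light")
    print(acl.to_json())
    print(acl.is_permitted("auth-crypt", "/a/mqtt/home/temp", "retrieve"))
    print(acl.is_permitted("anon-clear", "/a/mqtt/home/temp", "retrieve"))
```

Run it to see the two per-topic ACEs; swap add_topic_ace for add_wildcard_ace to see how a single "+" entry makes the explicit per-resource ACE unnecessary, at the cost of granting the same CRUDN mask to every resource the gateway ever creates.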