No trouble at all and sorry this is so painful... we are working on getting Certificate onboarding support into our sample Onboarding Tool, so that all this manual configuration you are doing can be automated. We are also in the process of building certificate support into IoTivity Lite which is simpler to work with.
In the meantime, to get you running, can you catch me up on what you have working and where you are getting stuck? I'm getting back from vacation so not sure where you are now. I might be able to help from a "what should be working" perspective. Aleksey (Security Maintainer) is still your best person to look at IoTivity logs in the mbedtls layer, so hopefully he can take a look soon.

Thanks,
Nathan

-------- Original message --------
From: Khaled Elsayed <khaledi...@gmail.com>
Date: 1/10/19 12:15 AM (GMT-08:00)
To: a.vol...@samsung.com
Cc: Gregg Reynolds <d...@mobileink.com>, iotivity-dev <iotivity-dev@lists.iotivity.org>, "Heldt-Sheller, Nathan" <nathan.heldt-shel...@intel.com>, Mats Wichmann <m...@wichmann.us>
Subject: Re: Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Hi Aleksey and Nathan,

Excuse me for bothering you again. It still complains about DTLS handshake message failure. I did some searching and saw the "system time" issue that you resolved. However, I made sure the time is set correctly. Still no luck. I tried both the certificates/keys I created and those coming with the provisioning example, after of course changing mfgtrust to trust etc. It seems to me everything is properly set; still, something is wrong with the certificate chain. I attach the client and server logs and the json files based on the certificates from the provisioning example. I am using the client/server at examples/OCFSecure. Thanks for any pointers. Not sure if the mailing list will pass these large attachments.

Best regards,
Khaled

On Thu, Jan 3, 2019 at 4:56 PM Oleksiy Volkov <a.vol...@samsung.com> wrote:

Khaled, one more thing :) If you planned to use the same trustca for mfg otm and authentication (so-called mutual certificate), you need to create 2 credentials with different credUsage types (oic.sec.cred.mfgtrustca and oic.sec.cred.trustca), but with the same certificate data. Or you can customize the source code for that case..
Best regards,
Aleksey Volkov

--------- Original Message ---------
Sender : Oleksiy Volkov <a.vol...@samsung.com>
Staff Engineer/Security Certification Part /SRK/Samsung Electronics
Date : 2019-01-03 16:41 (GMT+2)
Title : Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Khaled,

Important addition: for the root certificate you need to use the "oic.sec.cred.trustca" value in the credUsage field instead of "oic.sec.cred.mfgtrustca", since the cipher suite list is formed by trustca certificates. The "oic.sec.cred.mfgcert" and "oic.sec.cred.mfgtrustca" types are used only at the otm process, and will never be used afterwards for authentication by default.

Best regards,
Aleksey Volkov

--------- Original Message ---------
Sender : Khaled Elsayed <khaledi...@gmail.com>
Date : 2019-01-03 12:13 (GMT+2)
Title : Re: Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Thanks again. Will retry using 'oic.sec.cred.cert'. I was using "credusage": "oic.sec.cred.mfgcert" for the client's own certificate and intermediate certificate, and "credusage": "oic.sec.cred.mfgtrustca" for the peer certificate. I guess you meant oic.sec.cred.cert in place of oic.sec.cred.mfgcert, but the oic.sec.cred.mfgtrustca should remain the same, as this is what is used to verify the peer certificate. I attach the client and server .json files. For simplicity, I am assuming a pre-provisioned server here. As mentioned earlier, no problem in getting the server provisioned via provisioningclient (of course the json file doxm entry is different for that case). I will retry and share the logs if that change still does not work.

Best regards,
Khaled

On Thu, Jan 3, 2019 at 11:26 AM Oleksiy Volkov <a.vol...@samsung.com> wrote:

...Also, credUsage type must be 'oic.sec.cred.cert'...
Best regards,
Aleksey Volkov

--------- Original Message ---------
Sender : Oleksiy Volkov <a.vol...@samsung.com>
Staff Engineer/Security Certification Part /SRK/Samsung Electronics
Date : 2019-01-03 11:16 (GMT+2)
Title : Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Hi Khaled,

The InitManufacturerCipherSuiteList callback is used at one step of the mfg otm process. In all other cases (yours also) InitCipherSuiteList should be used as g_getCredentialTypesCallback (please check the SRMInitSecureResources function). According to your log, InitCipherSuiteList is called successfully, so it's normal behavior, and there are no other issues than the lack of credentials. Could you share the full log from the beginning and the dat file of your 3rd client, please?

Best regards,
Aleksey Volkov

--------- Original Message ---------
Sender : Khaled Elsayed <khaledi...@gmail.com>
Date : 2019-01-02 23:44 (GMT+2)
Title : Re: Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Hi Aleksey,

Thanks for taking a close look at the log. You are absolutely right about the observation that InitCipherSuite comes back empty-handed. The credentials are perfect and have credtype=8, and I checked that the .dat files are read correctly by both the client and server codes. There is a bug in the code, either in the function SetupCipher or in the initialization of callbacks before invoking SetupCipher. It will not work currently as is. I will report this via jira. Here is why: in SetupCipher, I added some logs for g_caSslContext->cipherFlag[0] and g_caSslContext->cipherFlag[1]; both are false after calling g_getCredentialTypesCallback(g_caSslContext->cipherFlag, deviceId); so it will not be able to find any ciphersuite. There is a need to properly initialize the g_getCredentialTypesCallback to use the mfg_cert callback functions.
Something like what is done in the function OTMSetOTCallback in ownershiptransfermanager.c, where it calls PrepareMCertificateCallback to set the callbacks in case it identifies a certificate-based credential. There must be something like this before SetupCipher is called, otherwise no certificates will work. I tried to add some similar code to the function below but got all types of linking errors, as I am not really into scons/sconscript :)

    OCStackResult PrepareMCertificateCallback(OTMContext_t *otmCtx)
    {
        OIC_LOG(INFO, TAG, "IN PrepareMCertificateCallback");

        if (!otmCtx || !otmCtx->selectedDeviceInfo)
        {
            return OC_STACK_INVALID_PARAM;
        }

        /* PKIX info handler: hands the manufacturer certificate material to the CA layer */
        if (CA_STATUS_OK != CAregisterPkixInfoHandler(GetManufacturerPkixInfo))
        {
            OIC_LOG(ERROR, TAG, "Failed to register PkixInfohandler");
            return OC_STACK_ERROR;
        }

        /* No identity handler on this path */
        if (CA_STATUS_OK != CAregisterIdentityHandler(NULL))
        {
            OIC_LOG(ERROR, TAG, "Failed to register IdentityHandler");
            return OC_STACK_ERROR;
        }

        /* Credential-types callback that selects the manufacturer-certificate cipher suites */
        if (CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitManufacturerCipherSuiteList))
        {
            OIC_LOG(ERROR, TAG, "Failed to register CredentialTypesHandler");
            return OC_STACK_ERROR;
        }

        OIC_LOG(INFO, TAG, "OUT PrepareMCertificateCallback");
        return OC_STACK_OK;
    }

On Wed, Jan 2, 2019 at 3:46 PM Oleksiy Volkov <a.vol...@samsung.com> wrote:

Hi Khaled,

I noticed that in your log between the lines 'In InitCipherSuiteListInternal' & 'Out InitCipherSuiteListInternal' there are no messages. This may indicate that there are no suitable credentials in the cred resource, or they have the wrong type value. (As I understand it, it should be the SIGNED_ASYMMETRIC_KEY type credential for your case.) So, please check your dat file for the necessary credential entries.

Best regards,
Aleksey Volkov

--------- Original Message ---------
Sender : Khaled Elsayed <kha...@ieee.org>
Date : 2019-01-02 13:22 (GMT+2)
Title : Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

Thanks Aleksey.
For sure I am using OC_CLIENT_SERVER mode. My code is based on ~/iotivity/examples/OCFSecure, which already took care of this in the client.cpp code.

On Fri, Dec 28, 2018 at 1:40 PM Oleksiy Volkov <a.vol...@samsung.com> wrote:

Hi Khaled,

Maybe you use 'client only' (OC_CLIENT) mode instead of 'client-server' (OC_CLIENT_SERVER) to initialize the IoTivity stack.

Best regards,
Aleksey Volkov

View/Reply Online (#10140): https://lists.iotivity.org/g/iotivity-dev/message/10140
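The credUsage rules Aleksey lays out in the thread (mfgcert/mfgtrustca count only during the manufacturer-certificate OTM, cert/trustca are what the authentication-time cipher suite list is built from, and the mutual-certificate case needs the same CA stored once under each usage) as an added C example. This is not IoTivity code: the cred_entry_t struct, the PHASE_* enum, the function names and the placeholder PEM strings are all constructed for the illustration, and only the two fields the thread discusses (credtype 8 = SIGNED_ASYMMETRIC_KEY, and credusage) are modelled. It reproduces why a cred set holding only mfg* entries leaves the ordinary handshake with nothing to build a certificate cipher suite from, which is the symptom Khaled reports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a cred resource entry (hypothetical type, not IoTivity's). */
#define CREDTYPE_SIGNED_ASYMMETRIC_KEY 8   /* credtype 8: certificate credential */

typedef struct {
    int credid;
    int credtype;
    const char *credusage;
    const char *publicdata;   /* certificate data; placeholders below */
} cred_entry_t;

/* Which handshake the credential-types callback is being evaluated for. */
typedef enum { PHASE_MFG_OTM, PHASE_AUTH } handshake_phase_t;

static bool usage_is(const cred_entry_t *c, const char *usage)
{
    return c->credusage != NULL && strcmp(c->credusage, usage) == 0;
}

/* mfgcert / mfgtrustca are consulted only during manufacturer-certificate OTM;
 * cert / trustca only during ordinary authentication (the rule from the thread). */
bool cred_usable_in_phase(const cred_entry_t *c, handshake_phase_t phase)
{
    if (c == NULL || c->credtype != CREDTYPE_SIGNED_ASYMMETRIC_KEY) {
        return false;
    }
    if (phase == PHASE_MFG_OTM) {
        return usage_is(c, "oic.sec.cred.mfgcert") || usage_is(c, "oic.sec.cred.mfgtrustca");
    }
    return usage_is(c, "oic.sec.cred.cert") || usage_is(c, "oic.sec.cred.trustca");
}

/* Entries the given phase can build certificate cipher suites from.
 * Zero means "no cipher suite found", the failure seen in the thread. */
int count_usable_creds(const cred_entry_t *creds, size_t n, handshake_phase_t phase)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (cred_usable_in_phase(&creds[i], phase)) {
            count++;
        }
    }
    return count;
}

/* Mutual-certificate check: the CA stored as mfgtrustca must also be present
 * as a trustca entry carrying identical certificate data. */
bool mfg_trustca_reused_for_auth(const cred_entry_t *creds, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (creds[i].credtype != CREDTYPE_SIGNED_ASYMMETRIC_KEY ||
            !usage_is(&creds[i], "oic.sec.cred.mfgtrustca")) {
            continue;
        }
        for (size_t j = 0; j < n; j++) {
            if (creds[j].credtype == CREDTYPE_SIGNED_ASYMMETRIC_KEY &&
                usage_is(&creds[j], "oic.sec.cred.trustca") &&
                strcmp(creds[j].publicdata, creds[i].publicdata) == 0) {
                return true;
            }
        }
    }
    return false;
}

/* Constructed sample data: placeholder PEM text, not real certificates. */
#define CLIENT_CERT_PEM "-----BEGIN CERTIFICATE-----<client cert placeholder>-----END CERTIFICATE-----"
#define ROOT_CA_PEM     "-----BEGIN CERTIFICATE-----<root CA placeholder>-----END CERTIFICATE-----"

/* The layout from Khaled's first attempt: mfg* usages only. */
const cred_entry_t creds_before[] = {
    { 1, CREDTYPE_SIGNED_ASYMMETRIC_KEY, "oic.sec.cred.mfgcert",    CLIENT_CERT_PEM },
    { 2, CREDTYPE_SIGNED_ASYMMETRIC_KEY, "oic.sec.cred.mfgtrustca", ROOT_CA_PEM },
};
const size_t creds_before_n = sizeof creds_before / sizeof creds_before[0];

/* The layout Aleksey describes: cert for the device's own certificate, and the
 * same root CA stored twice, as mfgtrustca (OTM) and as trustca (authentication). */
const cred_entry_t creds_after[] = {
    { 1, CREDTYPE_SIGNED_ASYMMETRIC_KEY, "oic.sec.cred.cert",       CLIENT_CERT_PEM },
    { 2, CREDTYPE_SIGNED_ASYMMETRIC_KEY, "oic.sec.cred.mfgtrustca", ROOT_CA_PEM },
    { 3, CREDTYPE_SIGNED_ASYMMETRIC_KEY, "oic.sec.cred.trustca",    ROOT_CA_PEM },
};
const size_t creds_after_n = sizeof creds_after / sizeof creds_after[0];

int main(void)
{
    printf("before: otm=%d auth=%d mutual=%d\n",
           count_usable_creds(creds_before, creds_before_n, PHASE_MFG_OTM),
           count_usable_creds(creds_before, creds_before_n, PHASE_AUTH),
           mfg_trustca_reused_for_auth(creds_before, creds_before_n));
    printf("after:  otm=%d auth=%d mutual=%d\n",
           count_usable_creds(creds_after, creds_after_n, PHASE_MFG_OTM),
           count_usable_creds(creds_after, creds_after_n, PHASE_AUTH),
           mfg_trustca_reused_for_auth(creds_after, creds_after_n));
    return 0;
}
```

The "before" set is usable for OTM but yields zero entries for authentication, so nothing can populate the cipher suite list; the "after" set keeps OTM working and gives authentication both the device certificate and the trust anchor. When checking a real .dat or .json cred file, the same two questions apply: does every certificate entry have credtype 8, and is the trust anchor present under trustca rather than only under mfgtrustca.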