Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bootstrap Server: configuring SecurityStore with X509 #1200

Closed
gerardolenski opened this issue Jan 17, 2022 · 16 comments
Closed

Bootstrap Server: configuring SecurityStore with X509 #1200

gerardolenski opened this issue Jan 17, 2022 · 16 comments
Labels
question Any question about leshan

Comments

@gerardolenski
Copy link

Hi guys,

I'm using Leshan v 2.0.0.-M5. I have the correct configuration of the DTLS-based security with X509 Certificate mode in Bootstrap Server - meaning I configured only the possibility of using X509 certificates, not PSK which I don't want to support, and also with disabled unsecured COAP endpoints.
Now I'm trying to add the SecurityStore to the configuration to enable validation if the endpoint client name matches the X509 certificate common name. Unfortunately, after adding this component I got the exception:

Caused by: java.lang.IllegalStateException: All CoAP enpoints are deactivated, at least one endpoint should be activated
	at org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilder.build(LeshanBootstrapServerBuilder.java:554)
	at com.redbend.lwm2mbs.domain.server.BootstrapServerConfig.bootstrapServer(BootstrapServerConfig.java:62)

I checked that the problem is in the LeshanBootstrapServerBuilder.class in line 257:

           DtlsConnectorConfig incompleteConfig = this.dtlsConfigBuilder.getIncompleteConfig();
            if (incompleteConfig.getAdvancedPskStore() != null) {
                LOG.warn("PskStore should be automatically set by Leshan. Using a custom implementation is not advised.");
            } else if (this.securityStore != null) {
                this.dtlsConfigBuilder.setAdvancedPskStore(new LwM2mBootstrapPskStore(this.securityStore));
            }

To be honest I quite don't get why you are trying to set AdvancedPskStore always when the SecurityStore was added to the configuration. Can you please help with that?
@boaks
Copy link

boaks commented Jan 17, 2022

You may consider the LwM2M spec. I'm not sure, but it may be required to support PSK to be compliant.

(Just to mention: I guess, without the (upcoming) RFC9146 you won't get too happy with x509. We will see ... )

@Frendzel
Copy link

@boaks how it looks like in previous Leshan versions like 1.3.2? Do you have any implementation provided for this case?

@gerardolenski
Copy link
Author

Well, in LWM2M spec there is no need to support all modes. You can support only X509 or only PSK or only Raw Keys if you want to.

BTW, I just realized that in the 2.0.0-SNAPSHOT that configuration was changed:

           // Handle PSK Store
            if (incompleteConfig.getAdvancedPskStore() != null) {
                LOG.warn(
                        "PskStore should be automatically set by Leshan. Using a custom implementation is not advised.");
            } else if (securityStore != null) {
                List<CipherSuite> ciphers = incompleteConfig.getConfiguration().get(DtlsConfig.DTLS_CIPHER_SUITES);
                if (ciphers == null // if null ciphers will be chosen automatically by Scandium
                        || CipherSuite.containsPskBasedCipherSuite(ciphers)) {
                    dtlsConfigBuilder.setAdvancedPskStore(new LwM2mBootstrapPskStore(securityStore));
                }
            }

And now it depends also on CIPHER SUITES. In my case when in the configuration I'm using only recommended for X509: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 the server started and works as expected.

@boaks
Copy link

boaks commented Jan 17, 2022

Noop, I don't have any implementation. I mainly use the leshan master to check, if it still works with newer Californium versions. I only run the unit tests. I don't have a setup to run the demo-servers anymore.

When I prepared PR #1073 to migrate Leshan to Californium 3.0 (new Configuration), I tried to keep the old function. If you have doubts, you may check the leshan version before that commit. PR #1130 is also a candidate.

But I don't know, if using the leshan server without PSK was possible before using the new Californium Configuration. If that is the case, and it's considered by the leshan team as compliant, I will check, if I can provide a new PR.

@boaks
Copy link

boaks commented Jan 17, 2022

Well, in LWM2M spec there is no need to support all modes. You can support only X509 or only PSK or only Raw Keys if you want to.

Too long ago when I was familiar with LwM2M ;-).

And now it depends also on CIPHER SUITES.

That makes sense. So it works for you?

@gerardolenski
Copy link
Author

Yes, also agree it makes sense. And yes - it works for me but in SNAPSHOT version. Any chance for the 2.0.0-M6 release?

@sbernard31
Copy link
Contributor

And now it depends also on CIPHER SUITES. In my case when in the configuration I'm using only recommended for X509: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 the server started and
works as expected.

I was just about to ask if this could be same issue than : #1126
(bug existing in 2.0.0-M5 but which should be fixed in master)

You may consider the LwM2M spec. I'm not sure, but it may be required to support PSK to be compliant.

The spec says that :

 If a LwM2M Server supports the pre-shared key credentials it MUST support the following: ...
 ...
 If a LwM2M Server supports the raw public key credentials it MUST support the following: ..
 ...

So I understand this is not mandatory.

@sbernard31
Copy link
Contributor

sbernard31 commented Jan 17, 2022
edited
Loading

Yes, also agree it makes sense. And yes - it works for me but in SNAPSHOT version. Any chance for the 2.0.0-M6 release?

Waiting you can play / test with nightly as I said with #1191 (comment)

I can release a 2.0.0-M6 but maybe it is better you finished what you tried to achieve with the nightly. Once you validate it works for yo, I release a 2.0.0-M6. Does it make sense ?

@gerardolenski
Copy link
Author

So I validated the X509 configuration with SecurityStore with 2.0.0-SNAPSHOT. I used only X509 recommended cipher suites. Works fine. The server started and behaves as expected. The SecuritySore verifies if X509 CN matches the endpoint client name.

@sbernard31
Copy link
Contributor

Do you plan to test some other point before the release ?

@gerardolenski
Copy link
Author

I've tested the full flow in my project. All my integration tests passed, so no regression. Also tested the X509 CN with endpoint name matching after adding SecurityStore. So ... looks like everything works correctly with the current master

@sbernard31
Copy link
Contributor

Thx @gerardolenski 🙏

So, I will release the 2.0.0-M6 in the week does that sounds good to you ?
Let me know if you find any problem until that.

@gerardolenski
Copy link
Author

Great. Many thanks

@sbernard31 sbernard31 added the question Any question about leshan label Jan 20, 2022
@sbernard31
Copy link
Contributor

@gerardolenski @Frendzel the 2.0.0-M6 is now available.

@sbernard31
Copy link
Contributor

(Should we close this issue ?)

@gerardolenski
Copy link
Author

Many thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Any question about leshan
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sbernard31 @Frendzel @boaks @gerardolenski