rpk without certificate [message #1854996] Thu, 22 September 2022 16:16
Jorge Coronado
Hi guys,
We have a question about rpk credentials:
is it possible to use multiple rpk without certificate?
When we wanted to use those credentials, we noticed the framework requires the use of a keystore (java.security). According to the Java KeyStore documentation, to add a new entry to the keystore we have to use an alias, private key, password (optional) and certificate chain.
Is there another way to add multiple rpk without a keystore?
We saw all the options about CertificateProvider but we couldn't find a solution.

Thanks
Regards!
Re: rpk without certificate [message #1855006 is a reply to message #1854996] Fri, 23 September 2022 06:43
Achim Kraus
> is it possible to use multiple rpk without certificate?

That depends on where you want to use it.
Just a remark about the terms: Raw Public Key (RFC 7250) also uses certificates.
It's not an x509 certificate: it leaves out the valid date range and it has no signature from a CA, but it may also be seen as an x509 certificate reduced to the public key.
Therefore most of the stuff for "certificates" in Californium also supports RPK.

> When we wanted to use that credentials we noticed the framework needs using of a keystore (java.security)

No, the Java KeyStore is just one provider.

> Is there another way to add multiple rpk without a keystore?

You may use any other provider by implementing the CertificateProvider and/or NewAdvancedCertificateVerifier. The implementations in org.eclipse.californium.scandium.dtls.x509 may be used as an example.
See also CertificateIdentityResult and CertificateVerificationResult for the usage of RawPublicKey.

The StaticNewAdvancedCertificateVerifier should be easy to use to trust multiple rpks of other peers.

If you want to use multiple rpks for authentication of the peer itself, the question would be, which one of the multiple rpks should be used for a specific other peer?
If you know that, just implement a CertificateProvider, which keeps multiple rpks and returns the right one for the specific other peer.

	CertificateIdentityResult requestCertificateIdentity(ConnectionId cid, boolean client, List<X500Principal> issuers,
			ServerNames serverNames, List<CertificateKeyAlgorithm> certificateKeyAlgorithms,
			List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms, List<SupportedGroup> curves);


The cid is to correlate the requestCertificateIdentity with the CertificateIdentityResult; just copy it into the result.
For rpk, the issuers will be empty. The server names are not directly usable. For x509, such names are commonly used as (alt.) subject of the certificate.
The other parameters are mainly useful if you want to use e.g. ECC secp256r1 and ED25519 both on the server. The server may then be able to choose the right one for the client according to the parameters in the ClientHello.

Sum up:
The API makes it possible, but it may require detailed knowledge about the related RFCs.
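
Added example, not part of the original posts and not Californium code: a JDK-only sketch of keeping several RPK identities and several trusted peer RPKs in memory without a java.security.KeyStore, and picking the identity that matches what the peer offers. The class RpkStore, its methods and the labels "EC" and "Ed25519" are assumptions made for illustration; wiring it into a CertificateProvider or certificate verifier is not shown, and Ed25519 key generation assumes JDK 15 or later.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;

/** Hypothetical in-memory RPK holder (assumption; not a Californium class). */
public class RpkStore {
    // Own identities, keyed by a label chosen here ("EC", "Ed25519").
    private final Map<String, KeyPair> identities = new HashMap<>();
    // Trusted peer keys, stored as Base64 of their DER SubjectPublicKeyInfo.
    private final Set<String> trusted = new HashSet<>();

    // For "X.509"-format keys getEncoded() returns the DER SubjectPublicKeyInfo,
    // the structure RFC 7250 carries in place of a certificate chain.
    static String spki(PublicKey key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    void addIdentity(String label, KeyPair pair) { identities.put(label, pair); }
    void trust(PublicKey peer) { trusted.add(spki(peer)); }
    boolean isTrusted(PublicKey peer) { return trusted.contains(spki(peer)); }

    // First own key pair matching the peer's offered labels; null if none match.
    KeyPair select(List<String> offered) {
        for (String label : offered) {
            KeyPair pair = identities.get(label);
            if (pair != null) return pair;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPairGenerator ed = KeyPairGenerator.getInstance("Ed25519"); // JDK 15+

        RpkStore store = new RpkStore();
        store.addIdentity("EC", ec.generateKeyPair());
        store.addIdentity("Ed25519", ed.generateKeyPair());

        // Constructed sample peers: one pinned, one not.
        PublicKey pinned = ec.generateKeyPair().getPublic();
        PublicKey stranger = ec.generateKeyPair().getPublic();
        store.trust(pinned);
        KeyPair chosen = store.select(List.of("RSA", "Ed25519"));
        System.out.println("identity for peer: " + chosen.getPublic().getAlgorithm());
        System.out.println("pinned trusted:    " + store.isTrusted(pinned));
        System.out.println("stranger trusted:  " + store.isTrusted(stranger));
    }
}
```

Because an RPK has no CA signature, trust here is an exact match on the key bytes, so each peer key must be provisioned out of band before the handshake.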