Re: [leshan-dev] Need information to test X509 certificate authenticatio

[Rahul Miryala <miryala.rahul@xxxxxxxxx>]

Hi Simon,

It worked like a champ..Thank so much for your help!!

Thanks

Rahul

On Fri, Sep 11, 2020 at 9:17 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:

Hi,

  This is because at server side you should explain that device : urn:gsma:imei:459241719596716 will connect to server using x509.
  In security tab, add a new  client security configuration with x509 certificate security mode (as I explained in my first mail).
  

And another problem I am facing is with the leshan-1.0.0-M13 version. When I run the demo client I don't see any DTLS handshake messages.Please have a look at the following logs.

Those logs was added later, why do you want to use an old version of Leshan ? I really don't advice you to do that.

Simon

Le 11/09/2020 à 16:30, Rahul Miryala a écrit :

Hi Simon,

Thank you so much for your timely reply. I was already using the endpoint name as CN. However you have correctly pointed out the port 5684 and thanks for it.
But now when I try to run the client I see the DTLS handshake is successful but the registration is shown as FORBIDDEN. Please help.

2020-09-11 19:47:38,471 INFO LeshanClient - Leshan client[endpoint:urn:gsma:imei:459241719596716] started.
2020-09-11 19:47:38,472 INFO DefaultRegistrationEngine - Trying to register to coaps://localhost:5684 ...
2020-09-11 19:47:38,568 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2020-09-11 19:47:38,784 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : SUCCEED
2020-09-11 19:47:38,839 INFO DefaultRegistrationEngine - Registration failed: FORBIDDEN .
2020-09-11 19:47:38,842 INFO DefaultRegistrationEngine - Try to register to coaps://localhost:5684 again in 600s...
2020-09-11 19:47:52,596 INFO LeshanClient - Destroying Leshan client ...
2020-09-11 19:47:52,604 INFO LeshanClient - Leshan client destroyed.

And another problem I am facing is with the leshan-1.0.0-M13 version. When I run the demo client I don't see any DTLS handshake messages.Please have a look at the following logs.

java -jar leshan-client-demo-1.0.0-M13-jar-with-dependencies.jar -cprik cprik.der -ccert self_signed_cert.der -scert serverCertificate.der -u localhost:5684 -n urn:gsma:imei:459241719596716
.......
.......
2020-09-11 19:55:29,970 INFO LeshanClientDemo - Press 'w','a','s','d' to change reported Location (-19.0,-27.0).
2020-09-11 19:55:29,970 INFO LeshanClient - Starting Leshan client ...
2020-09-11 19:55:33,905 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://localhost:5684 at coaps://0.0.0.0:49474
2020-09-11 19:55:33,907 INFO LeshanClient - Leshan client[endpoint:urn:gsma:imei:459241719596716] started.
2020-09-11 19:55:33,908 INFO RegistrationEngine - Trying to register to coaps://localhost:5684 ...
2020-09-11 19:55:34,208 ERROR RegistrationEngine - Registration failed: FORBIDDEN .
2020-09-11 19:55:34,210 INFO RegistrationEngine - Try to register to coaps://localhost:5684 again in

Can you please help me in resolving this.

Thanks

Rahul

On Fri, Sep 11, 2020 at 6:25 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:

Hi,

   I see at least 1 issue : you are using port 5683 : -u localhost:5683, correct port for DTLS is 5684 but if you are using standard port, you can omit the port leshan-client-demo will take the right one for you.

   I just test it on my own and it works for me.

   When you create the certificate for client, last step :

openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der

   You should have this kind of question :

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: urn:gsma:imei:459241719596716
Email Address []:

For common name did you set your device endpoint name ? as said in :

 -ccert <arg>   The path to your client certificate file.
                The certificate Common Name (CN) should generaly be equal to the client
                endpoint name (see -n option).

By the way to not forget to do reply-all to send you answer to the mailing list.

HTH

Simon

Le 11/09/2020 à 12:15, Rahul Miryala a écrit :

Hi Simon,

I have tried as per your suggestion but the client is not getting connected to the server as COAP Version assertion failure.

Steps I have followed
1.downloaded latest jar files client and server
2. created the client certificate with following steps(-ccert -scert and -cprik)using (https://github.com/eclipse/leshan/wiki/Credential-files-format#x509---scroll)

openssl ecparam -out keys.pem -name prime256v1 -genkey 
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der
After running above commands I could see three files (cprik.der,self_signed_cert.der,keys.pem)
As I understand -ccert is self_signed_cert.der and -cprik is cprik.der 

and -scert downloaded from  http://localhost:8080/#/security and named it as serverCertificate

3. Ran the client like this  java -jar leshan-client-demo.jar -cprik cprik.der -scert serverCertificate.der -ccert self_signed_cert.der -u localhost:5683 -n urn:gsma:imei:459241719596716

Finally
I see this in server log
15:26:38.264 [CoapServer(main)#4] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Message has invalid version: 0

15:26:51.288 [UDP-Receiver-0.0.0.0/0.0.0.0:5683[0]] DEBUG org.eclipse.californium.elements.UDPConnector - UDPConnector (0.0.0.0:5683) received 105 bytes from /127.0.0.1:62506
15:26:51.290 [CoapServer(main)#2] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Messa

in Client log
2020-09-11 15:43:28,602 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : FAILED (Handshake flight 1 failed! Stopped by timeout after 4 retransmissions!)
2020-09-11 15:43:28,604 INFO DefaultRegistrationEngine - Registration failed: Timeout.

Can you please confirm whether I am doing it correctly or not and help me in doing it correctly

Thanks

Rahul

On Tue, Sep 8, 2020 at 8:45 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:

Hi,

   AFIAK, there is not a list like this.
   But If you want to write code, you could have a look to all integrations tests about x509 [1]. or look at demos sources code.

   If you just want to make demos works, you should start from leshan-client-demo option :

                 ================================[X509]==================================

                | By default Leshan demo use non secure connection.                    |

                | To use X509, -ccert -cprik -scert options should be used together.   |

                | To get helps about files format and how to generate it, see :        |

                | See https://github.com/eclipse/leshan/wiki/Credential-files-format   |

                ------------------------------------------------------------------------

 -ccert <arg>   The path to your client certificate file.

                The certificate Common Name (CN) should generaly be equal to the client

                endpoint name (see -n option).

                The certificate should be in X509v3 format (DER encoding).

 -scert <arg>   The path to your server certificate file.

                The certificate should be in X509v3 format (DER encoding).

So look at the recommanded page to create your certificate with a private key and you will have what you need for -cprik -ccert option. (warning : by default the certificate Common Name (CN) should be equal to the client)

For -scert you need to download it on security tab of server-demo. (see https://leshan.eclipseprojects.io/#/security)

Then you should configure the server to make it understand that your device will connect using x509. (By adding a new  client security configuration with x509 certificate security mode)
By default DEMO server trust any certificate but in real world you need to sign device certificate with a certificate you will put in the server truststore.

HTH

Simon

[1] https://github.com/eclipse/leshan/blob/leshan-1.1.0/leshan-integration-tests/src/test/java/org/eclipse/leshan/integration/tests/SecurityTest.java#L566

 

Le 08/09/2020 à 16:20, Rahul Miryala a écrit :

Hi All,

I am trying to test X509 certificate based authentication using leshan client and server but I am really confused with steps to be followed to test it.

Can someone help in this? Is there any list of steps to be followed to test it correctly.

Thanks

Rahul

_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev