Security iotivity-node #178
The examples coming with iotivity-node assume the nodes are pre-provisioned, and all of them are based on pre-shared keys. You will need to manually override the .dat files created by default in ~/iotivity-node/ for the provisioningclient to work.
Hello Kelsayed! My apologies for the late reply! I notice that when I start high-level-server.coaps.js in ~/iotivity-node/js it automatically creates a sha256sum-based folder name in ~/.iotivity-node with the files below: But none of these files. How do I modify these files to add the ACL? Regards Yann
Yes, there are not many examples out there. But it is gradually being solved. I have written a script that helps me set the proper .dat file. It is here for your reference. Replace JSON2CBOR with the path where your json2cbor executable resides:

```bash
#!/bin/bash
# Usage: setup_sec_json <node.js program name> <SVR .json file>
# Should be called with the current working directory in the js scripts folder.
# Edit the variable JSON2CBOR to point to the json2cbor binary in your iotivity build.
JSON2CBOR=/path/to/json2cbor
WFILE=$PWD"/"$1
# iotivity-node names the per-script folder after the sha256 of the script's full path
folder_name=$(echo -n "$WFILE" | sha256sum | awk -F ' ' '{print $1}')
mkdir -p ~/.iotivity-node/$folder_name
eval $JSON2CBOR $2 ~/.iotivity-node/$folder_name/oic_svr_db.dat
```
Hello Kelsayed! Thanks for your prompt reply. I have been able to produce a .dat file based on this file: oic_svr_db_server_justworks.json any time I run an example within the js folder which enables security (i.e. iotivity.OCResourceProperty.OC_SECURE).
From your script and the info here: https://github.com/intel/iotivity-node/blob/master/js/README.md one needs to run this command: `echo -n high-level-server.coaps.js | sha256sum | awk -F ' ' '{print $1}'`. In my case the command above returns folder 1: 47a6396c28df5c83d750d87fa1cb30142fdac018624d4c8cfeaa2d3f10e85cff whereas the automatically created folder is: This is confusing to me. The JS program is actually using the security info in "folder 2" which it automatically created. This file "oic_svr_db.dat" under folder 2 does not define any ACL. I had to manually modify it to add an ACL. It only works (the client can do CRUDN requests)
However, I wanted to allow only a specific client those permissions as below
but this never works; the high-level-client.coaps.js of which the id can you help me sort this out? Regards Yann
You need to provide the full path of the script for which you want to produce the .dat file. This should fix the issue.
Hello Kelsayed! I am not sure I understand what you mean here. The high-level-server.coaps.js is inside the iotivity-node/js directory. I ran the above command from there. This is the output of the command
but this folder (690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca) gets immediately created when I launch the server as
You need to invoke it as `echo -n '~/iotivity-node/js/high-level-server.coaps.js'`, replacing the ~ with the full path to your home folder. Check the script I shared with you.
…On Thu, Feb 28, 2019 at 9:52 AM yannS2016 ***@***.***> wrote:
Hello Kelsayed!
I am not sure I understand what you mean here.
The high-level-server.coaps.js is inside the iotivity-node/js directory. I
ran the above command from there. This is the output of the command:

```
***@***.***:~/iotivity-node/js$ echo -n 'high-level-server.coaps.js' | sha256sum |awk -F ' ' '{print $1}'
47a6396c28df5c83d750d87fa1cb30142fdac018624d4c8cfeaa2d3f10e85cff
```

but this
folder (690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca)
gets immediately created when I launch the server as
`node high-level-server.coaps.js`
It is the .dat file created under the latter that is definitely being
used. This is where my confusion comes from.
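As an added illustration (not code from the issue or from the iotivity-node project) of why the two digests differed: iotivity-node names the per-script folder after the sha256 of the script's absolute path, so hashing the bare file name yields an unrelated folder. The helper below derives the folder the server will actually consult and reports whether a provisioned oic_svr_db.dat is already there; it assumes, as the `echo -n` command above does, that the digest is taken over the exact absolute-path string with no trailing newline.

```python
import hashlib
import os
from typing import Optional, Tuple

def secdir_name(path_string: str) -> str:
    """sha256 hex digest of the path string exactly as given (no trailing newline).
    iotivity-node uses this digest as the folder name under ~/.iotivity-node
    (assumption: the digest is over the absolute path, as the README command shows)."""
    return hashlib.sha256(path_string.encode("utf-8")).hexdigest()

def expected_svr_db(script_path: str, home: Optional[str] = None) -> str:
    """Absolute path of the oic_svr_db.dat the server will load for script_path.
    The digest is over the resolved absolute path, not the name typed on the shell,
    which is why 'high-level-server.coaps.js' and its full path give different folders."""
    full_path = os.path.abspath(script_path)
    home = home or os.path.expanduser("~")
    return os.path.join(home, ".iotivity-node", secdir_name(full_path), "oic_svr_db.dat")

def svr_db_status(script_path: str, home: Optional[str] = None) -> Tuple[str, bool]:
    """Return (expected .dat path, whether it already exists), so you can tell before
    starting the server whether it will pick up your provisioned file or create a
    default one without any ACL/cred entries."""
    path = expected_svr_db(script_path, home)
    return path, os.path.isfile(path)

if __name__ == "__main__":
    # Relative name vs full path: the two digests the issue reporter compared.
    print(secdir_name("high-level-server.coaps.js"))
    print(secdir_name("/home/vcs/iotivity-node/js/high-level-server.coaps.js"))
    print(svr_db_status("high-level-server.coaps.js"))
```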
Hello Kelsayed! Indeed you are right; using the script, the sha256sum is equivalent to the automatically created one.
Now the right sha256sum is created and when starting the server it does not overwrite the .dat. However, when I run the client based on these instructions (security) the client fails to communicate. Regards Yann
Check the cred entries in the json files of both client and server. I
assume you know what to include in the json to share a key between two
peers with known UUIDs.
…On Thu, Feb 28, 2019 at 5:29 PM yannS2016 ***@***.***> wrote:
Hello Kelsayed!
Indeed you are right; using the script, the sha256sum is equivalent to
the automatically created one.
This is the output of running the script:

```
./setup_sec_json.sh high-level-server.coaps.js oic_svr_db_server.json
Usage: setup_sec_json <node.js program name> <SVR .json file>
Should be called with the current working directory in the js scripts folder
Edit the variable JSON2CBOR to point to the path where iotivity-node is installed
/home/vcs/iotivity-node/js/high-level-server.coaps.js
690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca
Created folder:/home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca
JSON File Name: oic_svr_db_server.json
CBOR File Name: /home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca/oic_svr_db.dat
/acl json :
{"aclist2":[{"aceid":1,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":2,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":3,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/sec/doxm"},{"wc":"-"}],"permission":14},{"aceid":4,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/sec/doxm"},{"href":"/oic/sec/roles"},{"href":"/CoapCloudConfResURI"},{"wc":"+"}],"permission":14}],"rowneruuid":"00000000-0000-0000-0000-000000000000"}
Found 'aclist2' tag... resource is oic.r.acl2 type.
OUT JSONToAclBin: success
ACL Cbor Size: 516
/pstat json :
{"dos":{"s":1,"p":false},"isop":false,"cm":2,"tm":0,"om":4,"sm":4,"rowneruuid":"00000000-0000-0000-0000-000000000000"}
OUT JSONToPstatBin: success
PSTAT Cbor Size: 119
/sp json :
(null)
JSON contains no /sp
/doxm json :
{"oxms":[0],"oxmsel":0,"sct":9,"owned":false,"deviceuuid":"12345678-1234-1234-1234-123456789012","devowneruuid":"00000000-0000-0000-0000-000000000000","rowneruuid":"00000000-0000-0000-0000-000000000000"}
IN JSONToDoxmBin
OUT JSONToDoxmBin: success
DOXM Cbor Size: 213
/amacl json :
(null)
JSON contains no /amacl
/cred json :
(null)
JSON contains no /cred
JSON contains no deviceProps
Total Cbor Size : 848
```
Now the right sha256sum is created and when starting the server it does not overwrite the .dat.
However, when I run the client based on these instructions [security](https://github.com/intel/iotivity-node/blob/master/js/README.md) the client fails to communicate.
Note: I used your script to generate both the client and server .dat files based on the ones suggested in the link above. Also, I got the provisioning client to work now with the server.
I guess I am missing something with the client. Can you point me to how I can get a secure client (not anon-clear) to work here?
Regards
Yann
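As an added example (not code from the issue, from the reporter or from iotivity-node) of the check suggested above: for a pre-shared-key pairing, each side's SVR file needs a cred entry whose subjectuuid is the other side's doxm deviceuuid, with the same key bytes and encoding on both sides. The sample documents are constructed here; the key names (doxm.deviceuuid, cred.creds[].subjectuuid, credtype 1 for a symmetric pair-wise key, privatedata.data/encoding) follow iotivity's sample oic_svr_db_*.json files and should be treated as an assumption to confirm against your iotivity version.

```python
import json

# Constructed sample values (not from the issue). The server UUID reuses the
# deviceuuid shown in the issue's doxm output; the client UUID and key are made up.
SERVER_UUID = "12345678-1234-1234-1234-123456789012"
CLIENT_UUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DEMO_KEY_HEX = "00112233445566778899aabbccddeeff"   # demo only, never reuse

def svr_doc(own_uuid, peer_uuid, key_hex):
    """Minimal doxm + cred sections pairing own_uuid with peer_uuid under one PSK.
    Key names follow iotivity's sample SVR JSON files (assumption, see lead-in)."""
    return {
        "doxm": {"deviceuuid": own_uuid, "owned": True},
        "cred": {
            "creds": [{"credid": 1, "subjectuuid": peer_uuid, "credtype": 1,
                       "privatedata": {"data": key_hex, "encoding": "oic.sec.encoding.raw"}}],
            "rowneruuid": own_uuid,
        },
    }

def load_svr(path):
    """Read an SVR JSON file (the input you feed to json2cbor)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)

def find_cred(doc, subject_uuid):
    """Cred entry addressed to subject_uuid; UUID comparison is case-insensitive
    because tools print them in either case (the provisioning client uses upper-case)."""
    creds = doc.get("cred", {}).get("creds", [])
    return next((c for c in creds if c.get("subjectuuid", "").lower() == subject_uuid.lower()), None)

def cred_problems(client, server):
    """List the reasons two SVR docs cannot complete a PSK handshake; empty means consistent."""
    problems = []
    c_id, s_id = client["doxm"]["deviceuuid"], server["doxm"]["deviceuuid"]
    c_cred, s_cred = find_cred(client, s_id), find_cred(server, c_id)
    if c_cred is None:
        problems.append(f"client has no cred whose subjectuuid is the server deviceuuid {s_id}")
    if s_cred is None:
        problems.append(f"server has no cred whose subjectuuid is the client deviceuuid {c_id}")
    if c_cred and s_cred:
        if c_cred.get("credtype") != 1 or s_cred.get("credtype") != 1:
            problems.append("credtype must be 1 (symmetric pair-wise key) on both sides")
        if c_cred.get("privatedata") != s_cred.get("privatedata"):
            problems.append("privatedata (key bytes or encoding) differs between client and server")
    return problems
```

Run `cred_problems(load_svr("client.json"), load_svr("server.json"))` on your own pair of SVR files; an empty list means the cred sections agree and the remaining suspect is the ACL on the server side.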
Hello Kelsayed! Actually, I am not accustomed to this part of iotivity. Can you provide a simple working example I can get started with? Regards
Have a look at the examples here
https://github.com/iotivity/iotivity/tree/master/examples/OCFSecure
Thank you Kelsayed!
Hello Kelsayed! Unfortunately I am not getting the security to work as expected. I followed the link; though security works for iotivity-based C/C++ code, iotivity-node is still a mystery for me. Can you take a look at these JSON files from the client and server I put together and let me know what I can do to make this work? Regards Yann
I am running iotivity-node on Debian jessie 64-bit:
First I could not get iotivity-node to compile by first compiling iotivity with SECURED=1 via the
OCTBSTACK_CFLAGS; it all complained about missing include files.
So I just ran npm install,
entered the iotivity-native path and ran there: scons SECURED=1.
In the iotivity-node path I removed the node_modules directory and iotivity-installed
and ran npm install: it all built without error.
I then followed the steps for COAPS up until step 6 of the README file.
This is my output from the server side:
```
node high-level-server.coaps.js
Acquiring OCF device
Resource registered: {
"properties": {},
"deviceId": "0573e772-2aca-5937-dee4-8e8887cdb70e",
"resourcePath": "/a/light",
"resourceTypes": [
"core.light"
],
"interfaces": [
"oic.if.baseline"
],
"slow": false,
"active": true,
"secure": true,
"observable": true,
"discoverable": true
}
```
When running the provisioning client (`./provisioningclient`), the server is discovered:
`type: 11 --> uuid = 0573E772-2ACA-5937-DEE4-8E8887CDB70E`
but provisioning fails when I enter 20, as below:
```
Enter Menu Number: 20
Registering All Discovered Unowned Devices..
(null): 35:00.933 ERROR: provisioningclient: Ownership Transfer FAILED - ctx: Provision Manager Client Application Context
[1] 0573E772-2ACA-5937-DEE4-8E8887CDB70E - result: 21
```