How to use X.509 certificate in CoAP communication #655
Comments
What's the difference between this question and #652?
If you want to use mutual authentication (let's say, the client has a certificate too), I can't say if that's possible with the latest californium version, we applied a couple of commits to allow client certificates, see californium-2.0.0-M5-Artik.
Hi Alexis, thanks for the information.
As I said, I don't remember how it works in the current californium, I think you register the trusted CAs on the server and when a client sends its certificate, the server validates that the certificate is signed by one of the trusted CAs. On our fork, what we did is to defer this validation to a custom client certificate validator.
https://github.com/eclipse/californium/tree/2.0.x/demo-certs I think the above link in the project README explains clearly how the server and client are mutually authenticated using the example key and trust stores provided by
I did not understand; what does it actually mean?
Vikram, “how can we be sure about mutual authentication” was in relation to Alexis' point that he wasn't sure if mutual authentication was supported in californium.
I apologize for confusing you, mutual authentication is supported, since the time I was working with californium, there have been several improvements and I'm not sure how it works at the moment.
@jas-singh14 I also request you to refer to standard RFC 7252 about mutual authentication for CoAP.
We are using Californium and the .Net library (https://github.com/Com-AugustCellars/CoAP-CSharp). However it seems that we are able to use the public keys from a self-signed certificate from the .Net library but such a functionality is not available in Californium. Can you please confirm this, and if possible suggest a workaround in californium? Basically our intention is that we should be able to use Californium in the same fashion as the .Net library.
```csharp
//Initialize an object of Pre-Shared Key
UserKeys = new KeySet();
//Initialize Coap Endpoint using userkey and Coaps port
//Initialize CoapServer
_server.AddEndPoint(endpoint);
```

```csharp
//Read Client Certificate
//Initialize an object of Pre-Shared Key
//Initialize Coap Endpoint using userkey and Coaps port
```
Also in our understanding, the private key is not required for certificate-based authentication, so we are a bit confused why the Cf library is expecting that as one of the parameters (e.g. the C# library mentioned above doesn't require a private key). Can you please help here as well?
You say that your C# library works just with a certificate without a private key. But as far as I know, this does not make sense. A public key must be used with a private key to be able to do asymmetric cryptography. If you are the owner of those 2 certificates (ServerCert.cer and ClientCert.cer), you should also have the linked private keys, as this is the first step to get your certificate:
Basically we want some clarification about why there is a need to specify the private key in Cf and not in the C# library; we are using the Cf APIs below:
The real question is why the private key is not needed in the C# library...
If you want answers, maybe you could provide a Wireshark capture of your C# client using only a "public key".
It smells as if something happens totally different than assumed :-). And Com-AugustCellars/CoAP-CSharp#46 also seems to indicate that X.509 is NOT working at all in the C# implementation you're using. If possible, could you check the above snippet, if it makes any sense to you?
I agree that a private key is required for certificate generation. But the prime question is: is the private key required during the handshake between client and server?
In asymmetric cryptography, you need the private and the public key, one key is used to cipher and the other one to decipher; if you provide an X.509 certificate (it includes a public key) but not a private key, it is very likely that the traffic isn't being ciphered (assuming that your C# example works at all).
Are you now willing and able to provide a Wireshark capture of the DTLS handshake of the C# implementation you're using? Do you understand that the C# implementation you're using doesn't support X.509 at all? If you can't provide the capture nor understand the limitation of the C# implementation you're using, I assume that your setup just uses the public key as PSK secret (according to the comment in your snippet), or, as AlexITC wrote, doesn't use DTLS at all. The Wireshark capture will therefore show that a "TLS_PSK_WITH_AES_128_???" is used in the SERVER_HELLO and not the "TLS_ECDHE_ECDSA_WITH_AES_128_???", or doesn't contain any valid DTLS records at all, because it doesn't use DTLS. So without answers, I would like to close this issue and recommend that you use another DTLS implementation (e.g. the one of Java 9) to test your stuff!
And the only answer will be the Wireshark capture.
Yes! Again, if that was not the case, anybody could just get your public certificate and usurp your identity...
Sorry, I didn't get it! If you agree with Simon, and you also accept that the C# implementation currently does not support certificates, could you then please make a final comment with that and close this issue?
Yes, I agree with the observations. Thanks all for the valuable inputs.
We are using Californium library to establish CoAP communication between client and server using X.509 certificates (mutual authentication over DTLS).
Please help in pointing to the code flow that needs to be implemented on the server and client side to achieve this functionality.