Access for peer credentials from initial DTLS connection to later phases #861
Comments
|
This seems to be most challening problem to solve as it touched quite a many places. An advice is asked where to store this properly. To get forward I have added it to Identity class but that kind feels incorrect but then again feels only place it could be placed: As: |
|
I'm not sure to get the point. Could you explain this a bit more maybe with an exemple or point me some code where this is used ? |
|
I am currently having a workout with test suite after some changes so not everything is nice and tidy yet... but just pushed by local version here: Perhaps most related points are: Those declarations are in here: Capturing of the peer credentials: Then in here I think the actual checking if device is allowed in or not (still needs work): More or less the changes all around are somehow related to this :| One part of the changes is related to getting trust store a bit more configurable so that this information can be used later. Code flow kinda happens something like this:
|
The API will depends a lot of what we want to do here. (This is the part which is not clear to me) My vision is that DTLS layer ensure authentication. It ensure that the device is really who it pretends to be, then at LWM2M layer we only have the DTLS Adding the whole certificate + certificates chain in I don't know if you aware about this class CertificateVerifier but this could also be a good place for PKIX validation. (We need to define which part of PKIX validation must be done in |
For normal TLS Server Certificates where there is server location in Subject DN's CN field or in Subject Alternative Name then just having a list of trusted Root CA's is enough. There is set of rules that just need to be matched and we are fine. But the TLS Client Certificate is rather problematic in sense of validating when certificate can be considered valid. It does not have source location (as that varies). When there is only one Root CA and one knows how that is managed then you could just trust in Certrificate Serial Number, or in additional OID in extended key usage, or Subject DN., and/or some other certificate details. How to build identity from here is a rather good question. In theory it is the whole certificate (and its chain). As an example I have seen machine certificates where subject DN was empty and then in Subject Alternative Name had information. So this is completely up to PKI admin of particular Root CA to decide how things are done there. While this gives flexibility for systems operations it gives headache for anyone using the system. Some standard (or at least limited number of differences) would be really nice for this. Now if we have multiple root CA's in picture this gets a bit messy. All those different Root CA's might behave differently. So far the best idea I have had is that once we know the Root CA for the connecting client we can assign a policy for that Root CA. Policy might be rule set how to interpret the TLS Client Certificate and Endpoint Client Name. If we consider bootstrapping service that can have multiple Manufacturer Root CA's registered and then force client to transition to TLS Client Certificate that is service managed (issued under Service Specific Root CA) then we kinda have complexity only in bootstrapping phase and rest of the services could just trust in Subject DN field (or so). This forced transition works for both Certificate mode and EST mode. Now this leads us back to question to what information do we need in what phase. I believe that in DTLS phase we have list of Root CA's so that we can verify that when client does TLS Client Certificate Authentication then it must be issued by one of those Root CA's. BUT we need to carry out this Root CA issuer information (or policy information) forward somehow so that we can then look in LWM2M protocol level whether the client is actually allowed in or not. LWM2M Specification states following about Endpoint Client Name:
Most important part here I believe is Now in context of Leshan as it is a library for making a LWM2M software it is a bit more complex as there might be different needs in different implementors. For this reason I was thinking that if we pass whole certificate chain forward it allows one to do system of their liking. Now for the wish of having a standard way for TLS Client Certificate there seems to be several references in RFC's (like CoAP-EST) for IEEE Std 802.1AR-2018: Secure Device Identity standard. It also seems that IEEE Secure Device Identity just got a bit bigger as it seems to be now ISO/IEC/IEEE 8802-1AR:2020 (under paywall so I have not checked it out yet) giving it even more trustworthiness. What I see good in IEEE Secure Device Identity standard is that it tells what kind of certificate one should be making. If device manufacturer would be following IDevID specification then job gets a bit easier. It says (in 8.6 subject) that:
How I interpret this is that then: There are couple of things to think in here:
So once again we are having a problem what information from TLS Client Certificate we use and how it relates to Endpoint Client Name. One solution for this is to recommend manufacturer if you manufacture your device with IEEE Secure Device Identity based IDevID then when doing LWM2M then send you Endpoint Client Name in certain format. What is good in this kind of operation is that there could be standard option -- mark this Manufacturer CA operating in IEEE Secure Device Identity mode. Eg. pre-existing policy/rule that can be selected. Best idea so far that I have is utilizing dev-urn-ops form for Endpoint Client Name as that could be easily matched to certificate. O == organization == enterprise OID (globally unique as there is registry -- and manufacturer knows their OID) So this would cause following sequence to happen:
Both are needed. We need to do PKIX validation and then also look on the chain later. |
This is mandatory : "The Endpoint Client Name identifier MUST be unique at the server or servers it is being used with." ( see 7.3.1. Endpoint Client Name)
We can do that even if for now I have still some doubts that some part of the certificate could really be useful at LWM2M level (e.g. Public Key)
As endpoint client name MUST be unique are you agree this is finally not needed ?
Of course both are needed but maybe cert chain could only be used at DTLS/Scandium level using
(I will bring more feedback tomorrow) |
|
About Endpoint Client Name. In Core v1.1.1 - 7.3 there is:
It says here that it is optional if security protocol provides authenticated identity. And for (D)TLS with X.509 TLS Client Certificate we do get authenticated identity from certificate itself (and from its chain) so in theory Endpoint Client Name cloud be omitted altogether. Then in Core v1.1.1 - 7.3.1 is a bit more verbose on that but still contains the same information but adds:
And then in Transport v1.1.1 - 5.2.6 - Endpoint Client Name:
Where as "comparison may either be an equality match or may involve a dedicated lookup table" gives freedom how X.509 certificate details shall be interpreted. Based on those text I would interpret it as:
And resulting in-memory object related to particular connection there should be Endpoint Client Name that can be used as unique device identity in context of particular LWM2M service. Additional problem is that if same identity is given by different (Manufacturer) Root CA's which may require us to store also issuer information in the device registry on auto-registration cases so that another device does not have possibility to steal the identity. If we do have PSK or Raw Public Key then it must be matched with pre-registered information stored in device registry. And then either take Endpoint Client Name from registry if missing or when provided then match that it matches what is in registry. |
|
About X.509 Certificate Details. I do not know what is the right amount of details to store in-memory and in device registry. When one does auto-registration thru the bootstrapping then it might be good enough to store issuer information in addition to subject information. Issuer information should be in format that can be matched to information in bootstrapping trust store. In normal operations LWM2M Server should only have smaller service specific trust store only listing services own Service Specific Device Root CA where it is issuing device certificates. When device is later connecting back to bootstrapping service it must be possible to match DTLS TLS Client Certificate either to previously stored Manufacturer Root CA (in case of factory reset or so in the device) or to Service Specific Device Root CA used by service. Issuer information and subject information are a bit problematic as subjectAlternativeName is also in picture. This is only problem for Manufacturer Root CA issued TLS Client Certificates and Service Specific Device Root CA issued certificates can have clean and easier contents. If we can always do whole chain verification then in device registry we could store reference to Manufacturer's Root CA and then Endpoint Client Name as generated by rules or extracted from field in certificate itself. About Public Key in X.509 Certificate -- we don't actually care about the value -- we trust in chain and it is used only in authenticating that client posesses associated private key and then in chain validation that it was really issued under by trusted root ca. Haven't yet though if there is a need to store "next credentials" also in device registry. Like in case when device connects back to bootstrapping service to get new credentials while the old credentials are still valid. For X.509 certificates probably not needed as Endpoint Client Name should not be changing but might be needed for PSK/Raw Public Key cases. There may be need to have different Bootstrapping credentials (pre-registration case) vs. Given credentials (given by bootstrapping service with security object). |
|
Now about this ApplicationLevelInfoSupplier: This might do the trick -- need to play more with it. |
|
You thought a lot about all of this and I must to confess that It's pretty hard to me to follow you. Probably because the problem is very vast and complex and there is also some terminology which is not so clear to me. Maybe I'm wrong but is it possible that you try to achieve too many issues/use-cases at the same time. (knowing that we are in development phase for the 2.0.x, so it's OK to me to break API between 2 milestone releases ) |
|
I think we can close this one. |
In order to support deployments with automated device registration during device bootstrapping one needs to have access to TLS Client Certificate detail in order to approve auto registration.
Due to nature of bootstrapping process with the need to support different kind of authentication methods this decision cannot be made at time when DTLS is first validated but needs to be carried later so that rule based analysis can be performed by bootstrap service.
This is also required in for the EST support: #859
The text was updated successfully, but these errors were encountered: