Hello,

Could you please describe or point me to the steps one
must follow to take ownership of simpleclient and simpleserver
using the provisioning tool, provision pairwise credentials,
and provision ACLs to simpleserver?

Could this same procedure be applied to the combination of an IoTivity client
and a non-IoTivity but fully OCF compliant server?

If it doesn't, then we have a problem of spec non-compliance.

Thanks,
-Kishen.

-
Kishen Maloor
Intel Open Source Technology Center

From: Muhammad Mushfiqul Islam <i.mushfiq at samsung.com>
Reply-To: "i.mushfiq at samsung.com" <i.mushfiq at samsung.com>
Date: Wednesday, April 13, 2016 at 10:22 PM
To: Kishen Maloor <kishen.maloor at intel.com>
Cc: "iotivity-dev at lists.iotivity.org" <iotivity-dev at lists.iotivity.org>
Subject: Re: Re: [dev] IoTivity security provisioning tools broken.


Dear Mr. Kishen,

Thanks for your concern on security resources. Here are some of my findings 
according to your query:

1) The database files supplied with simpleclient & simpleserver are already 
provisioned, so that a secured simpleclient can instantly start communication 
with a simpleserver. Hence you cannot discover them as un-owned resources or 
own them. Also, the database files are not automatically generated; the vendor 
must provide appropriate database files for resource server and client server.
2) Database files provided in this location: 
"resource/csdk/security/provisioning/sample/" are un-owned and you can use them 
as your server/client databases. However, you cannot take a single database 
file and use (copy & rename) it for multiple servers. At least, you need to 
provide a separate deviceuuid for different servers.
3&4) As for these points, as I don't know your exact procedures, I cannot 
reproduce them. For me, ownership transfer, provision credentials and provision 
acl are all working fine using the database files supplied at: 
"resource/csdk/security/provisioning/sample/"



- Thanks & Regards,

Mushfiqul Islam Antu





------- Original Message -------

Sender : Heldt-Sheller, Nathan <nathan.heldt-sheller at intel.com>

Date : Apr 14, 2016 04:14 (GMT+09:00)

Title : Re: [dev] IoTivity security provisioning tools broken.



Thanks Kishen this is good information to have.

Just so you know, simpleclient and simpleserver are not currently validated 
with SECURED=1 builds, and I do not believe they can be expected to "just 
work".  I agree with you that they *should* be enabled and tested, however!  
But at this point, you are attempting untested uses, so failing to provision 
simpleserver (for example) doesn't necessarily mean the provisioning tool is 
broken.

As an aside, enabling the sample applications for SECURED=1 builds is something 
that would be very helpful to the community if you or anyone else is so 
inclined!  Otherwise, it will have to wait until more critical tasks are 
completed (which has resulted in this task being pushed out again and again).  
I believe the enabling steps are very simple for anyone familiar with a given 
app.

As for your issue, I'm just guessing at this point (since I haven't tried those 
two apps nor looked at them recently) but if you are seeing code in those two 
applications to enable security, it may be that the code is out of date... have 
you checked the code in "simpleserver.cpp" against the "ocserverbasicsops.cpp" 
code, which *is* tested with SECURED=1?

Thanks,
Nathan

-----Original Message-----
From: iotivity-dev-bounces at lists.iotivity.org On Behalf Of Maloor, Kishen
Sent: Wednesday, April 13, 2016 11:17 AM
To: iotivity-dev at lists.iotivity.org
Subject: [dev] IoTivity security provisioning tools broken.

Hello,

It appears that the sample provisioning tools in IoTivity are broken. I'm 
working off the 1.1-rel branch.

I want to be able to 1) take ownership of both simpleclient and simpleserver 
using "Just Works", 2) Provision credentials between simpleclient and 
simpleserver, and 3) Provision ACLs.

Both samples seem to be configured via the persistent storage interface to 
support security; so I expect 1), 2) and 3) above to just work using the two 
available provisioning tools, but neither works.

In all tests below, I'm using
resource/provisioning/examples/provisioningclient
, with its PDM.db deleted and a fresh oic_svr_db_client.dat each time, for 
consistency's sake.

Here are some observations:
1) After deleting oic_svr_db_client/server.dat in resource/examples to start 
afresh (I assume they'll get recreated), I run each of the apps separately 
along with the provisioning tool, and can discover them, but receive the 
"Error!!! in OwnershipTransfer" message.

2) If I however copy the prebuilt
resource/csdk/security/provisioning/sample/oic_svr_db_svr_justworks.dat
into either oic_svr_db_client/server.dat, and again separately run the samples 
with the tool, I am able to discover them as un-owned and provision them 
successfully. This makes no sense to me, but I say it to provide more data to 
possibly help with the fix.

3) Even if I'm able to get two apps "owned" in the view of the provisioning 
tool through hacks, I'm unable to provision a 128-bit symmetric key between the 
two samples. I see the following error messages:

31:56.294 INFO: SRPAPI: In SRPProvisionCredentials
31:56.294 DEBUG: PDM: Binding Done
31:56.294 ERROR: PDM: Requested value not found
31:56.294 ERROR: SRPAPI: Internal error occured provisionCredentials is failed


4) If I try to provision an ACL, the tool asks me for
"16 digit URNs" instead of a text representation of UUIDs, which is what I 
would've expected. I've noticed that the parsing code in the ACL resource 
handler expects a CBOR Text String with the UUID, so this clearly seems to be 
an issue.

Is there a plan or intention to fix these issues?

Will it get into the 1.1 release?

I believe they are essential, if we are at all serious about demonstrating and 
better exercising security features in IoTivity?

Thanks.


-
Kishen Maloor
Intel Open Source Technology Center


_______________________________________________
iotivity-dev mailing list
iotivity-dev at lists.iotivity.org
https://lists.iotivity.org/mailman/listinfo/iotivity-dev