Greetings All,
I am trying to get cert-based OTM working using 2-deep cert chains (issued by
Kyrio test cert portal) like so:
`dev-ee` -> `dev-intermediate-ca` -> `dev-root-ca` (for `sampleserver_mfg`)
`obt-ee` -> `obt-intermediate-ca` -> `obt-root-ca` (for `provisioningclient`)
(The details for these certs are at the bottom of this message)
provisioningclient <--> sampleserver_mfg OTM is not working for me with
these certs (failing DTLS handshake), and I would like to ask some questions:
Here is how I have structured sampleserver_mfg cred resource
### oic_svr_db_server_mfg.json
cred1
- credtype: 8 / credusage: "oic.sec.cred.mfgcert"
- subjectuuid: "22222222-2222-2222-2222-222222222222",
- publicdata: der encoded `dev-ee` cert
- privatedata: raw key corresponding to `dev-ee` cert
cred2
- credtype: 8 / credusage: "oic.sec.cred.mfgcert"
- subjectuuid: "22222222-2222-2222-2222-222222222222",
- publicdata: der encoded `dev-intermediate-ca` cert
cred3
- credtype: 8 / credusage: "oic.sec.cred.mfgtrustca"
- subjectuuid: "*",
- publicdata: der encoded `obt-root-ca` cert
Questions
1. is it valid to create the mfgcert chain with 2 separate cred entries, as in
[cred1, cred2] above?
2. I am assuming that mfgtrustca cred will be used to authenticate the
obt/client cert during DTLS handshake, which is why I added `obt-root-ca`, in
cred3, is this a correct assumption?
3. Does this cred list structure look correct?
Here is how I have structured provisioningclient (obt) cred resource
### oic_svr_db_client.json
cred1
- credtype: 8 / credusage: "oic.sec.cred.mfgcert"
- subjectuuid: "11111111-1111-1111-1111-111111111111",
- publicdata: der encoded `obt-ee` cert
- privatedata: raw key corresponding to `obt-ee`
cred2
- credtype: 8 / credusage: "oic.sec.cred.mfgcert"
- subjectuuid: "11111111-1111-1111-1111-111111111111",
- publicdata: der encoded `obt-intermediate-ca` cert
cred3
- credtype: 8 / credusage: "oic.sec.cred.mfgtrustca"
- subjectuuid: "*",
- publicdata: der encoded `dev-root-ca` cert
Questions
1. Does `provisioningclient` use mfgcert cred entries from
oic_svr_db_client.dat to determine the cert that gets sent to the device on OTM
ClientHello (i.e. cred entries 1-2 above)?
2. Does `provisioningclient` use mfgtrustca cred to authenticate the cert sent
back from the device on OTM ServerHello?
3. Does this cred list structure look correct?
I have a feeling this is going to take me a while to get working, any
help/insights that I can get would be greatly appreciated.
Cheers!
Steve
------------------------------------------------
CERT DETAILS
------------------------------------------------
`dev-ee` -> `dev-intermediate-ca` -> `dev-root-ca` (for `sampleserver_mfg`)
`obt-ee` -> `obt-intermediate-ca` -> `obt-root-ca` (for `provisioningclient`)
Device (sampleserver_mfg) cert chain
---------------------------------------------------
### Root Cert (`dev-root-ca`)
snum: fe:d1:ff:64:86:c5:8d:bb
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
subject: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
### Intermediate CA Cert (`dev-intermediate-ca`)
snum: fe:d1:ff:64:86:c5:8d:bc
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
subject: O=OCF, OU=P256 Test Infrastructure, CN=Intermediate Test CA
### Device cert (`dev-ee`)
snum: e9:a1:d7:93:d3:ed:63:41
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Intermediate Test CA
subject: O=OCF, OU=P256 Test Infrastructure,
CN=22222222-2222-2222-2222-222222222222
OBT (provisioningclient) cert chain
---------------------------------------------
### Root Cert (`obt-root-ca`)
snum: 8e:6b:d4:38:57:38:68:a2
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
subject: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
### Intermediate CA Cert (`obt-intermediate-ca`)
snum: 8e:6b:d4:38:57:38:68:a3
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Root Test CA
subject: O=OCF, OU=P256 Test Infrastructure, CN=Intermediate Test CA
### OBT cert (`obt-ee`)
snum: b0:4e:f4:cc:a2:32:ac:fc
issuer: O=OCF, OU=P256 Test Infrastructure, CN=Intermediate Test CA
subject: O=OCF, OU=P256 Test Infrastructure,
CN=11111111-1111-1111-1111-111111111111
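An added offline sanity check for the two chains described above (example script, not part of the original message and not IoTivity code): it builds a constructed stand-in for each Kyrio-style chain (ee -> intermediate -> root on P-256, with the EE CN set to the UUID the cred entry's subjectuuid must match), then confirms with `openssl verify` that each EE certificate chains to its own root only when the intermediate is also presented, that a chain does not verify against the other side's root, and extracts the EE CN. Assumes `openssl`, `mktemp` and `sed` are in PATH; the file names and helper functions are the example's own.

```shell
#!/bin/sh
# Constructed stand-in for the two Kyrio-issued chains (not the real certs):
# ee -> intermediate -> root on P-256, EE CN = the UUID a cred entry's
# subjectuuid has to match. Generated material is left under $W for inspection.
set -e
W=$(mktemp -d)
DN="/O=OCF/OU=P256 Test Infrastructure"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$W/ee.ext"

# sign NAME ISSUER EXT SERIAL : turn NAME.csr into NAME.pem signed by ISSUER
# (ISSUER equal to NAME means self-signed)
sign() {
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" \
      -extfile "$W/$3" -set_serial "$4" -days 30 -out "$W/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
      -extfile "$W/$3" -set_serial "$4" -days 30 -out "$W/$1.pem" 2>/dev/null
  fi
}

# build_chain PREFIX EE_UUID : writes PREFIX-root/-int/-ee .key/.pem and PREFIX-ee.der
build_chain() {
  for n in root int ee; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$W/$1-$n.key"
  done
  openssl req -new -key "$W/$1-root.key" -subj "$DN/CN=Root Test CA" -out "$W/$1-root.csr" 2>/dev/null
  openssl req -new -key "$W/$1-int.key" -subj "$DN/CN=Intermediate Test CA" -out "$W/$1-int.csr" 2>/dev/null
  openssl req -new -key "$W/$1-ee.key" -subj "$DN/CN=$2" -out "$W/$1-ee.csr" 2>/dev/null
  sign "$1-root" "$1-root" ca.ext 1
  sign "$1-int" "$1-root" ca.ext 2
  sign "$1-ee" "$1-int" ee.ext 3
  # publicdata in the svr db carries DER, so this is the blob a cred entry would hold
  openssl x509 -in "$W/$1-ee.pem" -outform DER -out "$W/$1-ee.der"
}

# chain_ok ROOT INTERMEDIATE EE : succeeds only if EE chains to ROOT through INTERMEDIATE
chain_ok() {
  openssl verify -CAfile "$W/$1.pem" -untrusted "$W/$2.pem" "$W/$3.pem" >/dev/null 2>&1
}

# ee_cn NAME : the CN that a cred entry's subjectuuid must equal
ee_cn() {
  openssl x509 -in "$W/$1.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

build_chain dev 22222222-2222-2222-2222-222222222222
build_chain obt 11111111-1111-1111-1111-111111111111
chain_ok dev-root dev-int dev-ee && echo "dev-ee chains to dev-root via the intermediate"
chain_ok obt-root obt-int obt-ee && echo "obt-ee chains to obt-root via the intermediate"
chain_ok dev-root dev-root dev-ee || echo "dev-ee without its intermediate does NOT verify"
chain_ok obt-root dev-int dev-ee || echo "dev chain against obt-root does NOT verify: wrong anchor"
echo "dev-ee CN: $(ee_cn dev-ee)"
```

Pointing `-CAfile`, `-untrusted` and the EE argument at the real Kyrio PEM files instead of the generated ones reproduces the same three checks on the actual certificates.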
_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev