Hi Tonny,

So that means I can't access a resource registered with ResourceProperty.SECURE flag by using coap:// while setting an ACE for it with "anon_clear", right?

Best regards,
A. Lapprand

On Tue, 19 Dec 2017 at 10:38, Tonny Tzeng <[email protected]> wrote:

> Hi Arthur,
>
> Setting the ResourceProperty.SECURE flag will instruct the stack to use the
> secured coaps:// endpoint, so you must use "auth_crypt" connection type ACE
> for that resource, and the credentials must be installed for mutual
> authentication. As you only wanted to run the existing code, you might
> leave the ResourceProperty.SECURE flag unset to use unsecured coap://
> endpoint, so that the SRM can match the "anon_clear" connection type ACE
> and grant the access. FYR.
>
> Regards,
> Tonny
>
> On 19 December 2017 at 21:10, Arthur Barros Lapprand <[email protected]>
> wrote:
>
>> Hi Tonny,
>>
>> Yes, initially I want to run existing code and that ACE will hopefully be
>> helpful even though I've once tried to use that wildcard ACE without
>> success. I do use the ResourceProperty.SECURE flag when registering
>> resources but I'm not sure if I really need to set credentials in the SVR
>> database if I want a wildcard ACE to work. Right now I'm fighting some
>> build issues when building SECURED=1 for Android that came with the 1.3.1
>> release. I'll certainly give feedback once I manage to do that.
>>
>> Thank you,
>> A. Lapprand
>>
>> On Tue, 19 Dec 2017 at 09:58, Tonny Tzeng <[email protected]> wrote:
>>
>>> Hi Arthur,
>>>
>>> The concept to get secure access to a resource is the same for C++ and
>>> JavaScript -- use secure endpoint in C++/JavaScript, and have proper ACL
>>> and credential setup in the SVR database. If what you want is to run
>>> existing code intact but with SECURED=1, then adding an anonymous
>>> connection type ACE as Max described above will work. Let us know if
>>> it's not the case...
>>>
>>> Regards,
>>> Tonny
>>>
>>> On 18 December 2017 at 21:15, Arthur Barros Lapprand <[email protected]>
>>> wrote:
>>>
>>>> Sorry I meant I want to state this, not a few things, hehe. Basically I
>>>> want to focus on local ACL permissions without dealing with the whole
>>>> device ownership and pairing process. Thank you again!
>>>>
>>>> 2017-12-18 10:12 GMT-03:00 Arthur Barros Lapprand <[email protected]>:
>>>>
>>>>> Hi, thank you for the quick replies!
>>>>>
>>>>> @Max
>>>>>
>>>>>> I never succeeded with setting the "di" using API
>>>>>
>>>>> I also never succeeded. However, since there was a recent release I
>>>>> should first give it a try.
>>>>>
>>>>> @Tonny
>>>>> I had an overview of the article. Very interesting indeed! But it uses
>>>>> javascript which isn't what I'm looking for this particular problem.
>>>>> Nonetheless, it is related to security 😁. Since I didn't have the time to
>>>>> read it in detail yet I may be saying things that are answered there, so
>>>>> pardon me in advance if you may. I need to state a few things:
>>>>>
>>>>>> (3) use an Onboarding Tool to establish ownership with both the Client
>>>>>> and the Server;
>>>>>
>>>>>> (4) mutually install the credentials of each other by pairing the
>>>>>> devices with the OBT
>>>>>
>>>>> I'm trying to simulate these by setting the device owner through the
>>>>> ACL for development purposes.
>>>>>
>>>>> 2017-12-17 5:16 GMT-03:00 Tonny Tzeng <[email protected]>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We just posted an article at 01.org
>>>>>> <https://01.org/blogs/ttzeng/2017/securely-accessing-iot-devices-based-javascript>
>>>>>> talking about a few security concepts in IoTivity. Though we were using
>>>>>> iotivity-node as an example, I think the following steps would get
>>>>>> your Client access to the Server securely:
>>>>>> (1) your Server needs to register the resource with
>>>>>> ResourceProperty.SECURE flag in order to use the secured endpoint;
>>>>>> (2) allow the "auth-crypt" connection requests in the SVD dB;
>>>>>> (3) use an Onboarding Tool to establish ownership with both the
>>>>>> Client and the Server;
>>>>>> (4) mutually install the credentials of each other by pairing the
>>>>>> devices with the OBT
>>>>>>
>>>>>> Regards,
>>>>>> Tonny
>>>>>>
>>>>>> On 17 December 2017 at 14:38, Max Kholmyansky <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Arthur,
>>>>>>>
>>>>>>> You should be able to communicate between the client and the server
>>>>>>> on Android, using SECURED=1 library.
>>>>>>>
>>>>>>> First, to set your "di" (client or server) - you need to specify the
>>>>>>> "di" value inside the DAT file (containing security information) - you
>>>>>>> can look at the samples. I never succeeded with setting the "di" using
>>>>>>> API, and I don't know if it's supported.
>>>>>>>
>>>>>>> Second, even using SECURED=1, in the server, you can allow any
>>>>>>> client (even not authenticated) to access any resource.
>>>>>>> The relevant ACL entry looks like: (you may need to change the
>>>>>>> "aceid"):
>>>>>>>
>>>>>>> {
>>>>>>>     "aceid": 5,
>>>>>>>     "subject": { "conntype": "anon-clear" },
>>>>>>>     "resources": [
>>>>>>>         { "href": "*" }
>>>>>>>     ],
>>>>>>>     "permission": 14
>>>>>>> }
>>>>>>>
>>>>>>> This is definitely not the way to configure it in production, but it
>>>>>>> should allow you to keep developing, without caring about access
>>>>>>> permissions for a while.
>>>>>>>
>>>>>>> Max
>>>>>>>
>>>>>>> On Thu, Dec 14, 2017 at 8:54 PM, Arthur Barros Lapprand
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I have a few beginner-level questions about secure mode in
>>>>>>>> Android. Let me explain the situation:
>>>>>>>>
>>>>>>>> I have created two apps (one for Server/Controlee and the other for
>>>>>>>> the Client/Controller) and I'm able to FIND and GET/POST/OBSERVE them
>>>>>>>> without problems. As this is a simple example, I now want to do the
>>>>>>>> same things but with SECURED=1. I should note that I am usually
>>>>>>>> running both apps in the same device (not the emulator, but my
>>>>>>>> cellphone).
>>>>>>>>
>>>>>>>> So I started looking everywhere and discovered I could do this with
>>>>>>>> a local ACL and supposedly everything would be ok. Turns out it
>>>>>>>> didn't, which is why I am here. So my questions are:
>>>>>>>>
>>>>>>>> - Do I need anything else to use the SECURED flag in Android apart
>>>>>>>> from registering resource as secure and passing the ACL to the
>>>>>>>> PlatformConfig and configure it?
>>>>>>>>
>>>>>>>> - I read that when configuring the Platform with an ACL the
>>>>>>>> DeviceID should be set with the ID inside it. So as it failed I tried
>>>>>>>> debugging the ID, which led me to confusion about PlatformID and
>>>>>>>> DeviceID. When loading the ACL the DeviceID comes as a random byte[].
>>>>>>>> However, I can set the DeviceID in the code and retrieve it just
>>>>>>>> fine. The thing is, the ID received by the Client (ServerID) isn't
>>>>>>>> the same I set in the code. I'm not sure if it's something about the
>>>>>>>> encoding tricking me or if it's something else. Can someone please
>>>>>>>> shed me some light?
>>>>>>>>
>>>>>>>> In short, the Client can find the resources (they are registered
>>>>>>>> with SECURE type) but can't make a correct GET/POST/OBSERVE request,
>>>>>>>> returning UNAUTHORIZED_REQ. Any tips about this flag and Android are
>>>>>>>> welcome.
>>>>>>>>
>>>>>>>> Sorry for the long post, thank you in advance!
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> iotivity-dev mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> iotivity-dev mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
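
An added example, not part of the thread and not IoTivity code: a small auditor that decodes the ACE permission bitmask, flags the development-only wildcard "anon-clear" ACE before it ships, and models the endpoint-to-conntype matching as Tonny describes it. Assumptions: the "acl"/"aclist2" wrapper, the second ACE, and the "/a/light" and "/a/fan" hrefs are constructed; the matching is a simplified model that ignores uuid subjects.

```python
import json

# OCF CRUDN permission bits: Create=1, Read=2, Update=4, Delete=8, Notify=16.
CRUDN = {1: "CREATE", 2: "READ", 4: "UPDATE", 8: "DELETE", 16: "NOTIFY"}

# Constructed sample: the wildcard ACE quoted in the thread plus a
# hypothetical auth-crypt ACE. The "acl"/"aclist2" wrapper is an assumed layout.
SAMPLE_SVR = json.loads("""
{"acl": {"aclist2": [
  {"aceid": 5, "subject": {"conntype": "anon-clear"},
   "resources": [{"href": "*"}], "permission": 14},
  {"aceid": 6, "subject": {"conntype": "auth-crypt"},
   "resources": [{"href": "/a/light"}], "permission": 6}
]}}
""")

def decode_permission(mask):
    """Turn a permission bitmask into the list of operations it grants."""
    return [name for bit, name in CRUDN.items() if mask & bit]

def ace_matches(ace, secure_endpoint, href):
    """Simplified model of the matching described in the thread: a request on
    the secured coaps:// endpoint needs an auth-crypt ACE, a request on the
    unsecured coap:// endpoint is matched by an anon-clear ACE."""
    wanted = "auth-crypt" if secure_endpoint else "anon-clear"
    if ace.get("subject", {}).get("conntype") != wanted:
        return False
    return any(r.get("href") in ("*", href) for r in ace.get("resources", []))

def granted(svr, secure_endpoint, href):
    """Union of permissions from every ACE that matches the request."""
    mask = 0
    for ace in svr["acl"]["aclist2"]:
        if ace_matches(ace, secure_endpoint, href):
            mask |= ace.get("permission", 0)
    return decode_permission(mask)

def audit(svr):
    """Report ACEs that let unauthenticated clients reach every resource."""
    findings = []
    for ace in svr["acl"]["aclist2"]:
        hrefs = [r.get("href") for r in ace.get("resources", [])]
        if ace.get("subject", {}).get("conntype") == "anon-clear" and "*" in hrefs:
            findings.append((ace.get("aceid"), decode_permission(ace.get("permission", 0))))
    return findings

if __name__ == "__main__":
    for aceid, ops in audit(SAMPLE_SVR):
        print(f"aceid {aceid}: anonymous wildcard access grants {', '.join(ops)}")
```

Running it against the JSON source of an SVR database before a release build catches a leftover development ACE like the one in the thread.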
