Hi Arthur,
My coworker Michael and I just found the following solution. We placed this in
our Client's Discovery Callback for the time being. As you may notice, you can
call setHost() at any time after discovery has occurred.
The reason you need to perform the setHost() function is because the C++ SDK
doesn't automatically assume you want to use the "coaps://" (i.e. secure
communications) version of the Resource's URI. It assumes you want to use the
"coap://" version, and the Server will reject this if your resource(s) were
created with the OC_SECURE flag. (Note: I've just recently heard you no longer
need to specify the "OC_SECURE" flag as all resources are created as Secure
Resources now by default.)
#include <memory>
#include <string>
#include <vector>
#include "OCApi.h"       // IoTivity C++ SDK
#include "OCResource.h"  // OC::OCResource

// Discovered resources kept for later use by the application.
std::vector<std::shared_ptr<OC::OCResource>> MyDiscoveredResources;

void foo( std::shared_ptr<OC::OCResource> resource )
{
    //
    // Find the first secure coaps endpoint in the list of hosts. If it's there
    // then use it; otherwise use the unsecure coap endpoint.
    //
    auto resourceHostList = resource->getAllHosts();
    for (auto &host : resourceHostList)
    {
        if (std::string::npos != host.find("coaps://"))
        {
            resource->setHost(host);
            break;
        }
    }

    // If you keep a single copy of your discovered resource, take the copy of it
    // here for you to use later in your application.
    MyDiscoveredResources.push_back(resource);

    // For a quick test, just call "resource->get(...)" and see if the server side
    // is honoring your request now.
}
Thanks,
Joey Morrow
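The endpoint choice in Joey's callback above, pulled out into a standalone function as an added example (not Joey's code and not part of IoTivity): it prefers a secure host, matches the scheme only at the start of the host string, and adds a requireSecure switch so a client that must not fall back to plain coap fails closed with an empty result. It also accepts the coaps+tcp scheme, which the callback above does not mention. The function names (hasScheme, isSecureHost, selectPreferredHost) and the host strings in main() are constructed for this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// True when `host` begins with `scheme`. A match in the middle of the string
// (which host.find() would also accept) is not treated as a scheme match.
static bool hasScheme(const std::string &host, const std::string &scheme) {
    return host.size() >= scheme.size() && host.compare(0, scheme.size(), scheme) == 0;
}

// True for the DTLS/TLS-protected schemes.
bool isSecureHost(const std::string &host) {
    return hasScheme(host, "coaps://") || hasScheme(host, "coaps+tcp://");
}

// Pick the endpoint to pass to setHost(). Prefer the first secure host; if
// none exists, fall back to the first plain coap host unless `requireSecure`
// is set, in which case return "" so the caller can refuse to talk at all.
std::string selectPreferredHost(const std::vector<std::string> &hosts, bool requireSecure) {
    std::string fallback;
    for (const auto &host : hosts) {
        if (isSecureHost(host)) return host;
        if (fallback.empty() && (hasScheme(host, "coap://") || hasScheme(host, "coap+tcp://"))) {
            fallback = host;
        }
    }
    return requireSecure ? std::string() : fallback;
}

int main() {
    // Constructed host list, shaped like what getAllHosts() returns for a
    // resource reachable over both the plain and the secure endpoint.
    const std::vector<std::string> hosts = {
        "coap://[fe80::1%wlan0]:5683", "coaps://[fe80::1%wlan0]:5684", "coap://192.168.1.20:5683"};
    std::cout << "chosen: " << selectPreferredHost(hosts, true) << "\n";

    const std::vector<std::string> plainOnly = {"coap://192.168.1.20:5683"};
    std::cout << "secure-only with plain host: '" << selectPreferredHost(plainOnly, true) << "'\n";
    return 0;
}
```

In the callback this replaces the for-loop: call selectPreferredHost(resource->getAllHosts(), true) and only call setHost() when the result is non-empty; an empty result means the server advertised no secure endpoint, which is worth logging rather than silently falling back.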
From: <[email protected]> on behalf of Arthur Barros Lapprand <[email protected]>
Date: Sunday, December 24, 2017 at 6:51 PM
To: Tonny Tzeng <[email protected]>
Cc: iotivity <[email protected]>, Rami Alshafi <[email protected]>
Subject: Re: [dev] FW: Android SECURED mode
I am using both OC_NONSECURE and OC_SECURE flags when registering the resources
and attempting a GET request with the OcResource I get from the OnResourceFound
callback. Odd, isn't it?
Thank you,
A. Lapprand
On Sun, 24 Dec 2017 at 23:46, Tonny Tzeng <[email protected]> wrote:
What flags did you pass to the registerResource() function? Note that if you
want to communicate over the non-secure endpoint, you need to pass the OC_NONSECURE
flag explicitly while registering the resource. The simpleserver server doesn't
work in non-secure mode for the same reason: not passing the OC_SECURE flag doesn't
imply the use of the non-secured endpoint. Hope this helps.
Regards,
Tonny
On 25 December 2017 at 10:09, Arthur Barros Lapprand <[email protected]> wrote:
Hi all,
I got to test the ACLs Rami provided while changing the server json by adding
these ACEs:
{
  "aceid": 6,
  "subject": {"conntype": "anon-clear"},
  "resources": [
    { "href": "*" }
  ],
  "permission": 14
},
{
  "aceid": 7,
  "subject": {"conntype": "auth-crypt"},
  "resources": [
    { "href": "*" }
  ],
  "permission": 14
}
So in theory I guess my server should respond to any request. Sadly that didn't
work, so now I'm somewhat confused. I noticed the UNAUTHORIZED_REQ message
is sent to the client by a COAP host (not COAPS). Maybe I'm compiling IoTivity
with the wrong scons settings? Also, how do I know my client is using COAPS? I've
seen someone asking this recently but I don't remember where. Is it also obligatory
for me to do the pairing/onboarding/credentials stuff aside from setting them
through the json?
Thank you,
A. Lapprand
On Thu, 21 Dec 2017 at 15:11, Rami Alshafi <[email protected]> wrote:
That’s a mistake! Thanks for pointing that out! I will fix it. The “1” at the
beginning should not be there ☺
Thanks,
-Rami
From: Arthur Barros Lapprand [mailto:[email protected]]
Sent: Thursday, December 21, 2017 8:02 AM
To: Rami Alshafi <[email protected]>
Subject: Re: FW: [dev] Android SECURED mode
Hi,
I just noticed the sample you linked has "rowneruuid":
"132323232-3232-3232-3232-323232323232" in the pstat section. Is there an
explanation for that "1" at the beginning of the id? Shouldn't it be the same as
the client's id?
Thanks again,
A. Lapprand
On Thu, 21 Dec 2017 at 10:18, Arthur Barros Lapprand <[email protected]> wrote:
Hi Rami,
Sorry for the delayed answer. I'm pretty overwhelmed these days so I can't test
it right now, but the email was very useful! Like I said to the others, I'll
give feedback once I manage to test those suggestions.
Thank you,
A. Lapprand
On Tue, 19 Dec 2017 at 15:42, Rami Alshafi <[email protected]> wrote:
Arthur,
I meant to send this e-mail to you but I just learned it did not make it to you.
Hopefully, this one will.
Thanks,
-Rami
From: Wouter van der Beek (wovander) [mailto:[email protected]]
Sent: Tuesday, December 19, 2017 5:22 AM
To: Rami Alshafi <[email protected]>
Subject: RE: [dev] Android SECURED mode
This email is now on the dmtools reflector and not on the iotivity reflector.
Hence Arthur can't see this email.
From: Rami Alshafi [mailto:[email protected]]
Sent: 18 December 2017 18:43
To: Wouter van der Beek (wovander) <[email protected]>; [email protected]
Subject: RE: [dev] Android SECURED mode
Arthur,
Please reference my sample applications at
https://gerrit.iotivity.org/gerrit/#/c/22513/
For convenience, I will explain the server’s SVR database.
There are 4 main sections, which are ACL, Pstat, Doxm and Cred.
Assuming your client cannot onboard devices, the server/device needs to be in
RFNOP state, which is reflected in the following settings.
- The ACL must have an ACE giving the client the right permissions:
  - Aceid: whatever number
  - Subject: set it to {"uuid": The uuid of the client}
  - Resources: information of the resource like its href and interface and
    resource type.
  - Permission: this is a bitmask
- Set the rowneruuid of the ACL to the uuid of the client.
- In the pstat section, set the dos.s to 3 and isop to true and cm to 0 and the
  rowneruuid to the uuid of the client.
- In the doxm section, set the owned flag to true and the devowneruuid and
  rowneruuid to the uuid of the client.
- Assuming you want to use the "justworks" security model, set the cred section
  like in the sample applications.
Thanks,
-Rami
From: [email protected] [mailto:[email protected]] On Behalf Of Wouter van der Beek (wovander)
Sent: Monday, December 18, 2017 2:38 AM
To: [email protected]
Subject: [OCF dmtools_tg] FW: [dev] Android SECURED mode
FYI
From: [email protected] [mailto:[email protected]] On Behalf Of Tonny Tzeng
Sent: 17 December 2017 08:16
To: Max Kholmyansky <[email protected]>
Cc: iotivity <[email protected]>
Subject: Re: [dev] Android SECURED mode
Hi,
We just posted an article at
https://01.org/blogs/ttzeng/2017/securely-accessing-iot-devices-based-javascript
talking about a few security concepts in IoTivity. Though we were using iotivity-node
as an example, I think the following steps would get your Client access to
the Server securely:
(1) your Server needs to register the resource with the ResourceProperty.SECURE flag
in order to use the secured endpoint;
(2) allow the "auth-crypt" connection requests in the SVR DB;
(3) use an Onboarding Tool to establish ownership with both the Client and the
Server;
(4) mutually install the credentials of each other by pairing the devices with
the OBT.
Regards,
Tonny
On 17 December 2017 at 14:38, Max Kholmyansky <[email protected]> wrote:
Hi Arthur,
You should be able to communicate between the client and the server on Android,
using SECURED=1 library.
First, to set your "di" (client or server) - you need to specify the "di" value
inside the DAT file (containing security information) - you can look at the
samples. I never succeeded with setting the "di" using API, and I don't know if
it's supported.
Second, even using SECURED=1, in the server, you can allow any client (even not
authenticated) to access any resource.
The relevant ACL entry looks like this (you may need to change the "aceid"):
{
  "aceid": 5,
  "subject": { "conntype": "anon-clear" },
  "resources": [
    { "href": "*" }
  ],
  "permission": 14
}
This is definitely not the way to configure it in production, but it should
allow you to keep developing, without caring about access permissions for a
while.
Max
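The ACE evaluation that Rami's SVR walkthrough and Max's anon-clear ACE above describe, modelled as an added example that is not IoTivity's policy engine: a default-deny check in standalone C++ over the two ACEs quoted in this thread (aceid 6 anon-clear, aceid 7 auth-crypt, href "*", permission 14). The permission bit values (Create=1, Read=2, Update=4, Delete=8, Notify=16) follow the OCF security specification; everything else, including the Ace/Request structs, isAllowed, sampleAcl, describePermission and the rule that an observe needs the Notify bit, is an assumption of this model.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// OCF ACL permission bitmask (values per the OCF security specification).
constexpr std::uint16_t PERM_CREATE = 1u << 0;
constexpr std::uint16_t PERM_READ   = 1u << 1;
constexpr std::uint16_t PERM_UPDATE = 1u << 2;
constexpr std::uint16_t PERM_DELETE = 1u << 3;
constexpr std::uint16_t PERM_NOTIFY = 1u << 4;
// The ACEs quoted in this thread use 14 = PERM_READ | PERM_UPDATE | PERM_DELETE.

// Toy model of one ACE (hypothetical struct, not IoTivity's own type).
struct Ace {
    int aceid;
    std::string conntype;            // "anon-clear" or "auth-crypt"; empty for a uuid subject
    std::string uuid;                // subject device uuid; empty for a conntype subject
    std::vector<std::string> hrefs;  // "*" is the wildcard used in the sample ACEs
    std::uint16_t permission;
};

// Toy model of an incoming request as the server's policy check sees it.
struct Request {
    bool secure;           // true when received on the coaps (DTLS) endpoint
    std::string peerUuid;  // authenticated peer identity; empty on anon-clear
    std::string href;
    std::uint16_t op;      // one PERM_* bit; observe maps to PERM_NOTIFY in this model (assumption)
};

static bool subjectMatches(const Ace &ace, const Request &req) {
    if (!ace.uuid.empty()) {
        // A uuid subject is only meaningful on an authenticated, encrypted link.
        return req.secure && ace.uuid == req.peerUuid;
    }
    if (ace.conntype == "anon-clear") return !req.secure;
    if (ace.conntype == "auth-crypt") return req.secure;
    return false;
}

static bool resourceMatches(const Ace &ace, const std::string &href) {
    for (const auto &h : ace.hrefs) {
        if (h == "*" || h == href) return true;
    }
    return false;
}

// Default deny: allowed only if some ACE matches the subject and the resource
// and carries the requested permission bit.
bool isAllowed(const std::vector<Ace> &acl, const Request &req) {
    for (const auto &ace : acl) {
        if (subjectMatches(ace, req) && resourceMatches(ace, req.href) &&
            (ace.permission & req.op) != 0) {
            return true;
        }
    }
    return false;
}

// Render a permission bitmask as C|R|U|D|N letters, e.g. 14 -> "R|U|D".
std::string describePermission(std::uint16_t p) {
    struct Bit { std::uint16_t bit; const char *name; };
    static const Bit bits[] = {{PERM_CREATE, "C"}, {PERM_READ, "R"}, {PERM_UPDATE, "U"},
                               {PERM_DELETE, "D"}, {PERM_NOTIFY, "N"}};
    std::string out;
    for (const Bit &b : bits) {
        if (p & b.bit) {
            if (!out.empty()) out += '|';
            out += b.name;
        }
    }
    return out.empty() ? "none" : out;
}

// The two ACEs Arthur added, constructed here from the JSON quoted in the thread.
std::vector<Ace> sampleAcl() {
    return {
        {6, "anon-clear", "", {"*"}, 14},
        {7, "auth-crypt", "", {"*"}, 14},
    };
}

int main() {
    const auto acl = sampleAcl();
    std::cout << "permission 14 = " << describePermission(14) << "\n";
    std::cout << "anon-clear GET /a/light: "
              << isAllowed(acl, {false, "", "/a/light", PERM_READ}) << "\n";
    std::cout << "auth-crypt OBSERVE /a/light: "
              << isAllowed(acl, {true, "some-uuid", "/a/light", PERM_NOTIFY}) << "\n";
    return 0;
}
```

Two things the model makes visible: a wildcard href with permission 14 grants read, update and delete to every peer the subject matches, which is why Max calls it a development-only setting, and 14 does not include the Notify bit, so in this model an observe is refused even though a plain GET on the same ACE succeeds.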
On Thu, Dec 14, 2017 at 8:54 PM, Arthur Barros Lapprand <[email protected]> wrote:
Hi all,
I have a few beginner-level questions about secure mode in Android. Let me
explain the situation:
I have created two apps (one for Server/Controlee and the other for the
Client/Controller) and I'm able to FIND and GET/POST/OBSERVE them without
problems. As this is a simple example, I now want to do the same things but
with SECURED=1. I should note that I am usually running both apps in the same
device (not the emulator, but my cellphone).
So I started looking everywhere and discovered I could do this with a local ACL
and supposedly everything would be ok. Turns out it didn't, which is why I am
here. So my questions are:
- Do I need anything else to use the SECURED flag in Android apart from
registering the resource as secure, passing the ACL to the PlatformConfig and
configuring it?
- I read that when configuring the Platform with an ACL the DeviceID should be
set with the ID inside it. So as it failed I tried debugging the ID, which led
me to confusion about PlatformID and DeviceID. When loading the ACL the
DeviceID comes as a random byte[]. However, I can set the DeviceID in the code
and retrieve it just fine. The thing is, the ID received by the Client
(ServerID) isn't the same one I set in the code. I'm not sure if it's something
about the encoding tricking me or if it's something else. Can someone please
shed some light on this?
In short, the Client can find the resources (they are registered with SECURE
type) but can't make a correct GET/POST/OBSERVE request, returning
UNAUTHORIZED_REQ. Any tips about this flag and Android are welcome.
Sorry for the long post, thank you in advance!
_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev