Hi Arthur, You are right, unless you set both the ResourceProperty.NONSECURE and ResourceProperty.SECURE flags to enable both coap:// and coaps:// endpoints, so that anonymous requests can match the "anon_clear" ACE...
Regards, Tonny On 19 December 2017 at 21:59, Arthur Barros Lapprand <a...@cin.ufpe.br> wrote: > Hi Tonny, > > So that means I can't access a resource registered with > ResourceProperty.SECURE flag by using coap:// while setting an ACE for it > with "anon_clear", right? > > Best regards, > A. Lapprand > > Em ter, 19 de dez de 2017 às 10:38, Tonny Tzeng <tonny.tz...@gmail.com> > escreveu: > >> Hi Arthur, >> >> Set the ResourceProperty.SECURE flag will instruct the stack to use the >> secured coaps:// endpoint, so you must use "auth_crypt" connection type ACE >> for that resource, and the credentials must be installed for mutual >> authentication. As you only wanted to run the existing code, you might >> leave the ResourceProperty.SECURE flag unset to use unsecured coap:// >> endpoint, so that the SRM can match the "anon_clear" connection type ACE >> and grant the access. FYR. >> >> Regards, >> Tonny >> >> On 19 December 2017 at 21:10, Arthur Barros Lapprand <a...@cin.ufpe.br> >> wrote: >> >>> Hi Tonny, >>> >>> Yes, initially I want to run existing code and that ACE will hopefully >>> be helpful even though I've once tried to use that wildcard ACE without >>> success. I do use the ResourceProperty.SECURE flag when registering >>> resources but I'm not sure if I really need to set credentials in the SVR >>> database if I want a wildcard ACE to work. Right now I'm fighting some >>> build issues when building SECURED=1 for Android that came with the 1.3.1 >>> release. I'll certainly give feedback once I manage to do that. >>> >>> Thank you, >>> A. Lapprand >>> >>> Em ter, 19 de dez de 2017 às 09:58, Tonny Tzeng <tonny.tz...@gmail.com> >>> escreveu: >>> >>>> Hi Arthur, >>>> >>>> The concept to get secure access to a resource is the same for C++ and >>>> JavaScript -- use secure endpoint in C++/JavaScript, and have proper ACL >>>> and credential setup in the SVR database. If what you want is to run >>>> existing code intact but with SECURED=1, then add an anonymous connection >>>> type ACE as Max described above will work. Let us know it's not the case... >>>> >>>> Regards, >>>> Tonny >>>> >>>> On 18 December 2017 at 21:15, Arthur Barros Lapprand <a...@cin.ufpe.br> >>>> wrote: >>>> >>>>> Sorry I meant I want to state this, not a few things, hehe. Basically >>>>> I want to focus on local ACL permissions without dealing with the whole >>>>> device ownership and pairing process. Thank you again! >>>>> >>>>> 2017-12-18 10:12 GMT-03:00 Arthur Barros Lapprand <a...@cin.ufpe.br>: >>>>> >>>>>> Hi, thank you for the quick replies! >>>>>> >>>>>> @Max >>>>>> >>>>>>> I never succeeded with setting the "di" using API >>>>>>> >>>>>> >>>>>> I also never succeeded. However, since there was a recent release I >>>>>> should first give it a try. >>>>>> >>>>>> @Tonny >>>>>> I had an overview of the article. Very interesting indeed! But it >>>>>> uses javascript which isn't what I'm looking for this particular problem. >>>>>> Nonetheless, it is related to security 😁. Since I didn't have the time to >>>>>> read it in detail yet I may be saying things that are answered there, so >>>>>> pardon me in advance if you may. I need to state a few things: >>>>>> >>>>>> (3) use an Onboarding Tool to establish ownership with both the >>>>>>> Client and the Server; >>>>>> >>>>>> (4) mutual install the credentials of each other by pairing the >>>>>>> devices with the OBT >>>>>>> >>>>>> I'm trying to simulate these by setting the device owner through the >>>>>> ACL for development purposes. >>>>>> >>>>>> >>>>>> >>>>>> 2017-12-17 5:16 GMT-03:00 Tonny Tzeng <tonny.tz...@gmail.com>: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> We just posted an article at 01.org >>>>>>> <https://01.org/blogs/ttzeng/2017/securely-accessing-iot-devices-based-javascript> >>>>>>> talking >>>>>>> few security concept in IoTivity. Though we were using iotivity-node as >>>>>>> an >>>>>>> example, I think the following steps would get your Client accesses to >>>>>>> the >>>>>>> Server securely: >>>>>>> (1) your Server need to register the resource with >>>>>>> ResourceProperty.SECURE flag in order to use the secured endpoint; >>>>>>> (2) allow the "auth-crypt" connection requests in the SVD dB; >>>>>>> (3) use an Onboarding Tool to establish ownership with both the >>>>>>> Client and the Server; >>>>>>> (4) mutual install the credentials of each other by pairing the >>>>>>> devices with the OBT >>>>>>> >>>>>>> Regards, >>>>>>> Tonny >>>>>>> >>>>>>> On 17 December 2017 at 14:38, Max Kholmyansky <max...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Arthur, >>>>>>>> >>>>>>>> You should be able to communicate between the client and the server >>>>>>>> on Android, using SECURED=1 library. >>>>>>>> >>>>>>>> First, to set your "di" (client or server) - you need to specify >>>>>>>> the "di" value inside the DAT file (containing security information) - >>>>>>>> you >>>>>>>> can look at the samples. I never succeeded with setting the "di" using >>>>>>>> API, >>>>>>>> and I don't know if it's supported. >>>>>>>> >>>>>>>> Second, even using SECURED=1, in the server, you can allow any >>>>>>>> client (even not authenticated) to access any resource. >>>>>>>> The relevant ACL entry looks like: (you may need to change the >>>>>>>> "aceid"): >>>>>>>> { >>>>>>>> >>>>>>>> "aceid": 5, >>>>>>>> "subject": { "conntype": "anon-clear" }, >>>>>>>> "resources": [ >>>>>>>> { "href": "*" } >>>>>>>> ], >>>>>>>> "permission": 14 >>>>>>>> } >>>>>>>> >>>>>>>> This is definitely not the way to configure it in production, but it >>>>>>>> should allow you to keep developing, without caring about access >>>>>>>> permissions for a while. >>>>>>>> >>>>>>>> >>>>>>>> Max >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Dec 14, 2017 at 8:54 PM, Arthur Barros Lapprand < >>>>>>>> a...@cin.ufpe.br> wrote: >>>>>>>> >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> I have a few beginner-leveled questions about secure mode in >>>>>>>>> Android. Let me explain the situation: >>>>>>>>> >>>>>>>>> I have created two apps (one for Server/Controlee and the other >>>>>>>>> for the Client/Controller) and I'm able to FIND and GET/POST/OBSERVE >>>>>>>>> them >>>>>>>>> without problems. As this is a simple example, I now want to do the >>>>>>>>> same >>>>>>>>> things but with SECURED=1. I should note that I am usually running >>>>>>>>> both >>>>>>>>> apps in the same device (not the emulator, but my cellphone). >>>>>>>>> >>>>>>>>> So I started looking everywhere and discovered I could do this >>>>>>>>> with a local ACL and supposedly everything would be ok. Turns out it >>>>>>>>> didn't, which is why I am here. So my questions are: >>>>>>>>> >>>>>>>>> - Do I need anything else to use the SECURED flag in Android apart >>>>>>>>> from registering resource as secure and passing the ACL to the >>>>>>>>> PlatformConfig and configure it? >>>>>>>>> >>>>>>>>> - I read that when configuring the Platform with an ACL the >>>>>>>>> DeviceID should be set with the ID inside it. So as it failed I tried >>>>>>>>> debugging the ID, which led me to confusion about PlatformID and >>>>>>>>> DeviceID. >>>>>>>>> When loading the ACL the DeviceID comes as a random byte[]. However, >>>>>>>>> I can >>>>>>>>> set the DeviceID in the code and retrieve it just fine. The thing is, >>>>>>>>> the >>>>>>>>> ID recieved by the Client (ServerID) isn't the same I set in the >>>>>>>>> code. I'm >>>>>>>>> not sure if it's something about the encoding tricking me or if it's >>>>>>>>> something else. Can someone please shed me some light? >>>>>>>>> >>>>>>>>> In short, the Client can find the resources (they are registered >>>>>>>>> with SECURE type) but can't make a correct GET/POST/OBSERVE request, >>>>>>>>> returning UNAUTHORIZED_REQ. Any tips about this flag and Android are >>>>>>>>> welcome. >>>>>>>>> >>>>>>>>> Sorry for the long post, thank you in advance! >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> iotivity-dev mailing list >>>>>>>>> iotivity-dev@lists.iotivity.org >>>>>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> iotivity-dev mailing list >>>>>>>> iotivity-dev@lists.iotivity.org >>>>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>
_______________________________________________ iotivity-dev mailing list iotivity-dev@lists.iotivity.org https://lists.iotivity.org/mailman/listinfo/iotivity-dev
