On Jan 20, 2018 11:59 PM, <chiayu...@ite.com.tw> wrote: Dear Gregg,
According to https://wiki.iotivity.org/security_resource_manager |Requests from DevOwner are allowed without checking ACL. * |Requests from NonDevOwner are checked against ACL against subjectuuid, permission and period-recurrence. * The SVRs databases which I used are sample from "iotivity-1.3.1\resource\csdk\stack\samples\linux\secure\", the client is the device owner of the server, and they contain a cred pairs for each other. but due to the "D/OIC_SRM: ctx->subjectUuid for request: 00000000-0000-0000-0000-000000000000." problem, the client can't use cred to access the server. This is realy confusing. Here is what I think is happening, I hope someone smarter than me will chime in. The authorization service gets the subjectid from the device id of the DTLS session in case of secure access. IOW resource access authentication piggybacks on DTLS authentication. (Which means secure access is stateful at the transport layer - once you have authenticated by DTLS, any requests you make over that authenticated channel are deemed authenticated for resource access.) In case of an unsecure request - no DTLS session - the authorization service cannot obtain a deviceuuid, so it uses 0 - the anonymous uuid. In short, I'm guessing you're trying to access a secure (dtls-guarded) resource over coap instead of coaps. I hope I can figure out why the Android java api can't use the secured endpoint to get resource. Thank you for the reply. ChiaYu ________________________________ On Jan 18, 2018 12:00 AM, <chiayu...@ite.com.tw<mailto:chiayu...@ite.com.tw>> wrote: Dear all, I have questions about Android SECURED mode, too. Dunno anything about it, but since nobody else has responded here goes: Unauthorized is not the same as DTLS handshake failure. The former comes from ACL checking, the latter from cred checking. >From your description I'm not sure which problem you have. If you're seeing handshake failure, check your creds. Also check that your GET is using the secured endpoint. I don't use the c++ or java API so I can't help you there. If you're seeing authorization failure, that means you have a good connection but the ACL stuff is bonked. At least that's my understanding. HTH, Gregg I’m using IoTivity-1.3.1 SECURED=1 to create Android client/server apps with the sample SVRs databases from iotivity-1.3.1\resource\csdk\ stack\samples\linux\secure\ Scenario1: Android client, sample oic_svr_db_client_devowner Android server, sample oic_svr_db_server plus customized ACE2 of conntype: anon-clear for new resources => Discovery OK, Get new resources OK. Scenerio2: Android client, sample oic_svr_db_client_devowner Android server, sample oic_svr_db_server => Discovery OK, Get new resources Failed(UNAUTHORIZED_REQ) client: E/…: org.iotivity.base.OcException: stack error in onGetCallback UNAUTHORIZED_REQ server: D/OIC_SRM: ctx->subjectUuid for request: 00000000-0000-0000-0000- 000000000000. D/OIC_SRM: CA_SECURE flag is not set, and Subject ID of requester is NULL; indicates unsecure channel. According to https://wiki.iotivity.org/faq_s |Client selects appropriate channel based on the information it received about the resource via resource discovery. |Marking a resource as 'OC_SECURE' at hosting Server, allows Iotivity stack to include 'secure port' information in discovery responses. I followed https://wiki.iotivity.org/steps_for_enabling_security_ in_iotivity_applications to do this: - Client/server SVRs databases are ready. - Client OcPlatform.getDeviceId() is not nil uuid. - Server OcPlatform.registerResource with EnumSet.of(ResourceProperty.DISCOVERABLE, ResourceProperty.OBSERVABLE, ResourceProperty.SECURE) => After the client discovery finished, the client could just use ocResource.getConnectivityTypeSet() which tells the OcConnectivityType. CT_FLAG_SECURE is not set. Also the client ocResource.get() method are not allowed to set CA_SECURE manually. (BTW, I alse used platformConfig.setAvailableTransportType()); to both client and server side. It won’t impact the result.) The only way I could let Android client set the CA_SECURE flag is by OcPlatform.findResource with EnumSet.of(OcConnectivityType.CT_FLAG_SECURE) However it doesn’t make sence, because the caipadapter.c shows that Multicast discovery won’t trigger CaencryptSsl() Hence the server received an unencrypted message and secure flag set, when the server trys to decrypt it, it leads to bad handshake. Could anyone help me to figure out why the Android client can’t choose a 'secure' channel to get resources from Android server? Thanks. Best Regards, ChiaYu _______________________________________________ iotivity-dev mailing list iotivity-dev@lists.iotivity.org<mailto:iotivity-dev@lists.iotivity.org> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
_______________________________________________ iotivity-dev mailing list iotivity-dev@lists.iotivity.org https://lists.iotivity.org/mailman/listinfo/iotivity-dev
