Security iotivity-node

[yannS2016]

I am running iotivity node on Debian jessie 64 bits:
firt i could not get the compilation of iotivity node by first compiling iotivity with secured=1 via the
OCTBSTACK_CFLAGS it all complain about missing include files.

so i just ran npm install
enter the iotivity-native path and run there: scons SECURED=1
in iotivity-node path i remove the node_modules directory and iotivity -installed
and run npm install : it all build without error:

I then followed the steps for COAPS up until step 6 of the README file.
This my output from the server side:

node high-level-server.coaps.js
Acquiring OCF device
Resource registered: {
"properties": {},
"deviceId": "0573e772-2aca-5937-dee4-8e8887cdb70e",
"resourcePath": "/a/light",
"resourceTypes": [
"core.light"
],
"interfaces": [
"oic.if.baseline"
],
"slow": false,
"active": true,
"secure": true,
"observable": true,
"discoverable": true
}

when running the provisioning client: ./provisioningclient
type: 11 --> uuid = 0573E772-2ACA-5937-DEE4-8E8887CDB70E
but provisioning fail when i enter 20 as below:
Enter Menu Number: 20

Registering All Discovered Unowned Devices..
(null): 35:00.933 ERROR: provisioningclient: Ownership Transfer FAILED - ctx: Provision Manager Client Application Context
[1] 0573E772-2ACA-5937-DEE4-8E8887CDB70E - result: 21

Registered Discovered Unowned Devices
Please Discover Owned Devices for the Registered Result, with [10|12] Menu
can anyone asist me on enabling security for iotivity node?

[kelsayed]

The examples coming with iotivity-node assume the nodes are pre-provisioned and all of them are based on pre-shared keys. You will need to manually override the .dat files created by default in ~/iotivity-node/ for the provisoningclient to work.

[yannS2016]

Hello Kelsayed!

My apologizes for late reply!
i had to be awya for some time! Actually, there is not much example on any iotivity work. that is not really welcoming. they should a step by step example that help to understand how to get thing working.

i notice that when i start high-level-server.coaps.jsr ~/iotivity-node/js it automatically create a sha256sum based folder name in ~/.iotivity-node with the file below:
oic_svr_db.dat
device_properties.dat

But none of these file.

how do i modified these file to add the acl?

Regards

Yann

[kelsayed]

Yes, there are not much examples out there. But it is gradually being solved.
I assume you know that the ACLs go to a json file. So, modify the json file that has the credntials. You can find example json files in iotivity (not iotivity-node) in the path resource/csdk/security/provisioning/sample

I have written a script that helps me set the proper .dat file. It is here for your reference. Replace JSON2CBOR with where your json2cbor executable resides

#!/bin/bash
echo "Usage: setup_sec_json <node.js program name> <SVR .json file>"
echo "Should be called with the current working directory in the js scripts folder"
echo "Edit the variable JSON2CBOR to point to the path where iotivity-node is installed"
JSON2CBOR="~/iotivity-node/iotivity-installed/bin/json2cbor"

WFILE=$PWD"/"$1
#echo $WFILE
folder_name=echo -n $WFILE| sha256sum|awk -F ' ' '{print $1}'

mkdir -p ~/.iotivity-node/$folder_name
echo -n "Created folder:"
echo ~/.iotivity-node/$folder_name

eval $JSON2CBOR $2 ~/.iotivity-node/$folder_name/oic_svr_db.dat

[yannS2016]

Hello Kelsayed!

Thanks for your prompt reply.

I have been able to produce a .dat file based on this file: oic_svr_db_server_justworks.json
however i have an issue regarding the folder in which to place that file. these are my observations.

anytime i run an example within the js folder which enable security(i.e : iotivity.OCResourceProperty.OC_SECURE).
it automatically create a under ~/.iotivity-node a sh256sum based folder with two file in it:

oic_svr_db.dat
device_properties.dat

From your script and the info here: https://github.com/intel/iotivity-node/blob/master/js/README.md

one need to run this command echo -n $WFILE| sha256sum|awk -F ' ' '{print $1}'
and create the sha256sum folder based on the output.

echo -n high-level-server.coaps.js | sha256sum | awk -F ' ' '{print $1}'

In my case the command above return

folder 1: 47a6396c28df5c83d750d87fa1cb30142fdac018624d4c8cfeaa2d3f10e85cff

whereas the automatically created folder is:
folder 2: 690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca

This is confusing to me. the JS program is actually using the security info in "folder 2" which it automatically created.

this file "oic_svr_db.dat" under folder 2 does not define any ACL. i had to manually modified to add ACL. it only works( client can do CRUDN request)
whith this aceid

	{
			"aceid": 5,
			"subject": { "conntype": "anon-clear" },
			"resources": [{ "href": "/a/light" }],
			"permission": 22
	} 

however i wanted to allow only a specification client those permissions as below

	{
			"aceid": 4,
			"subject": { "uuid": "fbbcd044-b2ab-ba61-71c7-6f97d9850fdf" },
			"resources": [{ "href": "/a/light" }],
			"permission": 31
	}

but this never works , the high-level-client.coaps.js of which the id fbbcd044-b2ab-ba61-71c7-6f97d9850fdf belongs alwas return
error code : 46, which i understand means that the request was denied.

can you help me sort this out?

Regards

Yann

[kelsayed]

You need to provide the full path for the script for which you want to produce .dat file. This should fix the issue.

[yannS2016]

Hello Kelsayed!

am not sure i understand what you mean here.

The high-level-server.coaps.js is inside the iotivity-node/js directory. i ran the above command from there. this the output of the command

vcs@vcsioc:~/iotivity-node/js$ echo -n 'high-level-server.coaps.js' | sha256sum |awk -F ' ' '{print $1}'
47a6396c28df5c83d750d87fa1cb30142fdac018624d4c8cfeaa2d3f10e85cff

but this folder(690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca) get immedaitely create when i launch the the server as
node high-level-server.coaps.js
it is the .dat file created under the latter that are definetely being used. this is where my confusion comes from

[kelsayed]

You need to invoke it as echo -n '~/iotivity-node/js/high-level-server.coaps.js' replacing the ~ with ful path to your home folder. Check the script I shared with you.

…

On Thu, Feb 28, 2019 at 9:52 AM yannS2016 ***@***.***> wrote: Hello Kelsayed! am not sure i understand what you mean here. The high-level-server.coaps.js is inside the iotivity-node/js directory. i ran the above command from there. this the output of the command ***@***.***:~/iotivity-node/js$ echo -n 'high-level-server.coaps.js' | sha256sum |awk -F ' ' '{print $1}' 47a6396c28df5c83d750d87fa1cb30142fdac018624d4c8cfeaa2d3f10e85cff but this folder(690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca) get immedaitely create when i launch the the server as node high-level-server.coaps.js it is the .dat file created under the latter that are definetely being used. this is where my confusion comes from — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#178 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACcLJ5nxiusCbM-sTnyPRdJTM6pJ_whhks5vR4rZgaJpZM4YvLoI> .

[yannS2016]

hello Kelsayed!

indeed you are right , iusing the script, the sha256sum is equivalent to the automatically created one.
this is the output of the running the script:

./setup_sec_json.sh high-level-server.coaps.js oic_svr_db_server.json
Usage: setup_sec_json <node.js program name> <SVR .json file>
Should be called with the current working directory in the js scripts folder
Edit the variable JSON2CBOR to point to the path where iotivity-node is installed
/home/vcs/iotivity-node/js/high-level-server.coaps.js
690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca
Created folder:/home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca
JSON File Name: oic_svr_db_server.json
 CBOR File Name: /home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca/oic_svr_db.dat
/acl json :
{"aclist2":[{"aceid":1,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":2,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":3,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/sec/doxm"},{"wc":"-"}],"permission":14},{"aceid":4,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/sec/doxm"},{"href":"/oic/sec/roles"},{"href":"/CoapCloudConfResURI"},{"wc":"+"}],"permission":14}],"rowneruuid":"00000000-0000-0000-0000-000000000000"}
Found 'aclist2' tag... resource is oic.r.acl2 type.
OUT JSONToAclBin: success
ACL Cbor Size: 516
/pstat json :
{"dos":{"s":1,"p":false},"isop":false,"cm":2,"tm":0,"om":4,"sm":4,"rowneruuid":"00000000-0000-0000-0000-000000000000"}
OUT JSONToPstatBin: success
PSTAT Cbor Size: 119
/sp json :
(null)
JSON contains no /sp
/doxm json :
{"oxms":[0],"oxmsel":0,"sct":9,"owned":false,"deviceuuid":"12345678-1234-1234-1234-123456789012","devowneruuid":"00000000-0000-0000-0000-000000000000","rowneruuid":"00000000-0000-0000-0000-000000000000"}
IN JSONToDoxmBin
OUT JSONToDoxmBin: success
DOXM Cbor Size: 213
/amacl json :
(null)
JSON contains no /amacl
/cred json :
(null)
JSON contains no /cred
JSON contains no deviceProps
Total Cbor Size : 848

Now the right sha256sum is created and when starting the server it does not overwrite the .dat

however, when i run the client based on these instrution security the client fails to communicate.
Note: i used your script to generate both client and server .dat file based on the one suggested on the link above. also i got the provisioning client to work now with the server.
i guess i may be missing something with the client. can you point me to how i can get a secure client( not anon-clear) to work here?

Regards

Yann

[kelsayed]

Check the cred entries in the json files of both client and server. I assume you know what to include in the json to share a key between two peers with known UUIDs.

…

On Thu, Feb 28, 2019 at 5:29 PM yannS2016 ***@***.***> wrote: hello Kelsayed! indeed you are right , iusing the script, the sha256sum is equivalent to the automatically created one. this is the output of the running the script: ./setup_sec_json.sh high-level-server.coaps.js oic_svr_db_server.json Usage: setup_sec_json <node.js program name> <SVR .json file> Should be called with the current working directory in the js scripts folder Edit the variable JSON2CBOR to point to the path where iotivity-node is installed /home/vcs/iotivity-node/js/high-level-server.coaps.js 690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca Created folder:/home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca JSON File Name: oic_svr_db_server.json CBOR File Name: /home/vcs/.iotivity-node/690d9b3699ea037feec29b60622ec0cec990d3eede18cc4ee689162ac0ef78ca/oic_svr_db.dat /acl json : {"aclist2":[{"aceid":1,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":2,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/res"},{"href":"/oic/d"},{"href":"/oic/p"}],"permission":2},{"aceid":3,"subject":{"conntype":"anon-clear"},"resources":[{"href":"/oic/sec/doxm"},{"wc":"-"}],"permission":14},{"aceid":4,"subject":{"conntype":"auth-crypt"},"resources":[{"href":"/oic/sec/doxm"},{"href":"/oic/sec/roles"},{"href":"/CoapCloudConfResURI"},{"wc":"+"}],"permission":14}],"rowneruuid":"00000000-0000-0000-0000-000000000000"} Found 'aclist2' tag... resource is oic.r.acl2 type. OUT JSONToAclBin: success ACL Cbor Size: 516 /pstat json : {"dos":{"s":1,"p":false},"isop":false,"cm":2,"tm":0,"om":4,"sm":4,"rowneruuid":"00000000-0000-0000-0000-000000000000"} OUT JSONToPstatBin: success PSTAT Cbor Size: 119 /sp json : (null) JSON contains no /sp /doxm json : {"oxms":[0],"oxmsel":0,"sct":9,"owned":false,"deviceuuid":"12345678-1234-1234-1234-123456789012","devowneruuid":"00000000-0000-0000-0000-000000000000","rowneruuid":"00000000-0000-0000-0000-000000000000"} IN JSONToDoxmBin OUT JSONToDoxmBin: success DOXM Cbor Size: 213 /amacl json : (null) JSON contains no /amacl /cred json : (null) JSON contains no /cred JSON contains no deviceProps Total Cbor Size : 848``` Now the right sha256sum is created and when starting the server it does not overwrite the .dat however, when i run the client based on these instrution [security](https://github.com/intel/iotivity-node/blob/master/js/README.md) the client fails to communicate. Note: i used your script to generate both client and server .dat file based on the one suggested on the link above. also i got the provisioning client to work now with the server. i guess i mam missing something with the client. can you point me to how i can get a secure client( not anon-clear) to work here? Regards Yann — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#178 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACcLJ6JsVLtYK2cqrQ1zWDNty2fGPc0Tks5vR_XIgaJpZM4YvLoI> .

[yannS2016]

Hello Kelsayed!

Actually, i not accustomed to this part of iotivity. can provide with a simple working example i can get started with.

Regards
Yann

[kelsayed]

Have a look at the examples here https://github.com/iotivity/iotivity/tree/master/examples/OCFSecure

…

On Mon, Mar 4, 2019 at 8:28 PM yannS2016 ***@***.***> wrote: Hello Kelsayed! Actually, i not accustomed to this part of iotivity. can provide with a simple working example i can get started with. Regards Yann — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#178 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACcLJ6GD-7D-FD6I2npAj-SvgcNsfYpCks5vTWXogaJpZM4YvLoI> .

[yannS2016]

Thank you Kelsayed!
Allow some time to digest this! will let you know of my progress

[yannS2016]

hello Kelsayed!

Unfortunately am not getting the security to works as expected. I followed the link, though security works for iotivity based C/C++ code. iotivity node is still a mystery for me.

can you take a look at these JSON file from client and server i put together and let me know what i can do to make this work?
security.zip

Regards

Yann