From 698d938cc85c0265d9fa246b0349bdecd1f6f5eb Mon Sep 17 00:00:00 2001 From: Javier Guerra Melgares Date: Mon, 7 Oct 2019 16:50:08 +0200 Subject: [PATCH 1/3] Replace DEKRA chain by Kyrio chain --- .../otgc/data/repository/IORepository.java | 12 ++++ .../domain/usecase/InitOicStackUseCase.java | 55 ++++++------------- .../otgc/utils/constant/OtgcConstant.java | 14 ++--- src/main/resources/data/kyrio-ee-cert.pem | 24 ++++++++ src/main/resources/data/kyrio-ee-key.pem | 5 ++ src/main/resources/data/kyrio-root-cert.pem | 13 +++++ src/main/resources/data/kyrio-subca-cert.pem | 18 ++++++ src/main/resources/data/root.crt | 12 ---- src/main/resources/data/root.prv | 5 -- 9 files changed, 96 insertions(+), 62 deletions(-) create mode 100644 src/main/resources/data/kyrio-ee-cert.pem create mode 100644 src/main/resources/data/kyrio-ee-key.pem create mode 100644 src/main/resources/data/kyrio-root-cert.pem create mode 100644 src/main/resources/data/kyrio-subca-cert.pem delete mode 100644 src/main/resources/data/root.crt delete mode 100644 src/main/resources/data/root.prv
diff --git a/src/main/java/org/openconnectivity/otgc/data/repository/IORepository.java b/src/main/java/org/openconnectivity/otgc/data/repository/IORepository.java
index 1dd5f6d..bcb195d 100644
--- a/src/main/java/org/openconnectivity/otgc/data/repository/IORepository.java
+++ b/src/main/java/org/openconnectivity/otgc/data/repository/IORepository.java
@@ -91,6 +91,18 @@ public Single getFileAsX509Certificate(String path) {
 });
 }
+ public Single getBytesFromFile(String path) {
+ return Single.fromCallable(() -> {
+ byte[] fileBytes;
+ try (InputStream inputStream = new FileInputStream(OtgcConstant.DATA_PATH + path)) {
+ fileBytes = new byte[inputStream.available()];
+ inputStream.read(fileBytes);
+ }
+
+ return fileBytes;
+ });
+ }
+
 public Single getAssetSvrAsCbor(String resource, long device) {
 return Single.create(emitter -> {
 try (FileInputStream stream = new FileInputStream(OtgcConstant.OTGC_CREDS_DIR + File.separator + resource + "_" + device)) {
diff --git a/src/main/java/org/openconnectivity/otgc/domain/usecase/InitOicStackUseCase.java b/src/main/java/org/openconnectivity/otgc/domain/usecase/InitOicStackUseCase.java
index 75c9283..4be4d2e 100644
--- a/src/main/java/org/openconnectivity/otgc/domain/usecase/InitOicStackUseCase.java
+++ b/src/main/java/org/openconnectivity/otgc/domain/usecase/InitOicStackUseCase.java
@@ -20,10 +20,6 @@ package org.openconnectivity.otgc.domain.usecase;
 import io.reactivex.Completable;
-import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.sec.ECPrivateKey;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.iotivity.OCFactoryPresetsHandler;
 import org.iotivity.OCObt;
 import org.iotivity.OCPki;
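Review bot: `getBytesFromFile` sizes its buffer with `inputStream.available()` and issues a single `inputStream.read(fileBytes)` whose return value is ignored; `available()` is only an estimate and `read` may return fewer bytes, so a certificate or key file can come back truncated and zero-padded before it reaches OCPki, which makes the chain-load failures in InitOicStackUseCase hard to diagnose. Replace the try block with `byte[] fileBytes = Files.readAllBytes(new File(OtgcConstant.DATA_PATH + path).toPath());` (java.nio.file.Files, as IotivityRepository already does for the introspection data later in this series). `path` is joined onto `DATA_PATH` without normalisation; the callers in this series pass constants, so a comment `// path is a bare file name under DATA_PATH, never caller-supplied input` would pin that assumption.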
@@ -32,24 +28,18 @@ import org.openconnectivity.otgc.utils.constant.OtgcMode;
 import javax.inject.Inject;
-import java.security.*;
-import java.security.cert.X509Certificate;
-import java.security.spec.ECGenParameterSpec;
 public class InitOicStackUseCase {
 private final IotivityRepository iotivityRepository;
- private final CertRepository certRepository;
 private final IORepository ioRepository;
 private final SettingRepository settingRepository;
 @Inject
 public InitOicStackUseCase(IotivityRepository iotivityRepository,
- CertRepository certRepository,
 IORepository ioRepository,
 SettingRepository settingRepository) {
 this.iotivityRepository = iotivityRepository;
- this.certRepository = certRepository;
 this.ioRepository = ioRepository;
 this.settingRepository = settingRepository;
 }
@@ -79,38 +69,29 @@ public Completable execute() {
 }
 });
 private void factoryResetHandler(long device) throws Exception {
- String uuid = iotivityRepository.getDeviceId().blockingGet();
+ /* my cert */
+ byte[] eeCertificate = ioRepository.getBytesFromFile(OtgcConstant.KYRIO_EE_CERTIFICATE).blockingGet();
- // Store root CA as trusted anchor
- X509Certificate caCertificate = ioRepository.getAssetAsX509Certificate(OtgcConstant.ROOT_CERTIFICATE).blockingGet();
- PrivateKey caPrivateKey = ioRepository.getAssetAsPrivateKey(OtgcConstant.ROOT_PRIVATE_KEY).blockingGet();
+ /* private key of my cert */
+ byte[] eeKey = ioRepository.getBytesFromFile(OtgcConstant.KYRIO_EE_KEY).blockingGet();
- String strCACertificate = certRepository.x509CertificateToPemString(caCertificate).blockingGet();
- if (OCPki.addTrustAnchor(device, strCACertificate.getBytes()) == -1) {
- throw new Exception("Add trust anchor error");
+ /* intermediate cert */
+ byte[] subcaCertificate = ioRepository.getBytesFromFile(OtgcConstant.KYRIO_SUBCA_CERTIFICATE).blockingGet();
+
+ /* root cert */
+ byte[] rootcaCertificate = ioRepository.getBytesFromFile(OtgcConstant.KYRIO_ROOT_CERTIFICATE).blockingGet();
+
+ int credid = OCPki.addMfgCert(device, eeCertificate, eeKey);
+ if (credid == -1) {
+ throw new Exception("Add identity certificate error");
 }
- if (OCPki.addMfgTrustAnchor(device, strCACertificate.getBytes()) == -1) {
- throw new Exception("Add manufacturer trust anchor error");
+
+ if (OCPki.addMfgIntermediateCert(device, credid, subcaCertificate) == -1) {
+ throw new Exception("Add intermediate certificate error");
 }
- // public/private key pair that we are creating certificate for
- ECGenParameterSpec ecParamSpec = new ECGenParameterSpec("secp256r1");
- KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME);
- keyPairGenerator.initialize(ecParamSpec);
- KeyPair keyPair = keyPairGenerator.generateKeyPair();
-
- // Public key
- PublicKey publicKey = keyPair.getPublic();
- // PrivateKey
- ASN1Sequence pkSeq = (ASN1Sequence)ASN1Sequence.fromByteArray(keyPair.getPrivate().getEncoded());
- PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(pkSeq);
- ECPrivateKey privateKey = ECPrivateKey.getInstance(pkInfo.parsePrivateKey());
- String strPrivateKey = certRepository.privateKeyToPemString(privateKey).blockingGet();
-
- X509Certificate identityCertificate = certRepository.generateIdentityCertificate(uuid, publicKey, caPrivateKey).blockingGet();
- String strIdentityCertificate = certRepository.x509CertificateToPemString(identityCertificate).blockingGet();
- if (OCPki.addMfgCert(device, strIdentityCertificate.getBytes(), strPrivateKey.getBytes()) == -1) {
- throw new Exception("Add identity certificate error");
+ if (OCPki.addMfgTrustAnchor(device, rootcaCertificate) == -1) {
+ throw new Exception("Add root certificate error");
 }
 OCObt.shutdown();
diff --git a/src/main/java/org/openconnectivity/otgc/utils/constant/OtgcConstant.java b/src/main/java/org/openconnectivity/otgc/utils/constant/OtgcConstant.java
index da09de9..01fb222 100644
--- a/src/main/java/org/openconnectivity/otgc/utils/constant/OtgcConstant.java
+++ b/src/main/java/org/openconnectivity/otgc/utils/constant/OtgcConstant.java
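Review bot: The removed code registered the root CA with `OCPki.addTrustAnchor` as well as `OCPki.addMfgTrustAnchor`, while the new code only calls `addMfgTrustAnchor(device, rootcaCertificate)`, so the Kyrio root is no longer installed as a general trust anchor for verifying peers unless that happens elsewhere — confirm this is intended, or keep `if (OCPki.addTrustAnchor(device, rootcaCertificate) == -1) { throw new Exception("Add trust anchor error"); }`. The identity key is now a fixed file read from `OtgcConstant.KYRIO_EE_KEY` instead of a key pair generated on every factory reset, so all installations present the same manufacturer identity and the certificate subject is whatever the PEM carries rather than the device id the removed `uuid` lookup supplied; a header comment such as `// Loads the Kyrio TEST chain from data/: one EE cert/key shared by every OTGC install` should state that. The helper still throws raw `Exception`; `IllegalStateException` with the same messages would be narrower for callers. factoryResetHandler continues past the end of the hunk.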
@@ -30,19 +30,17 @@ private OtgcConstant() {
 }
 // Data resource path
- private static final String DATA_PATH = "." + File.separator + "data" + File.separator;
+ public static final String DATA_PATH = "." + File.separator + "data" + File.separator;
 // Credential directory
 public static final String OTGC_CREDS_DIR = DATA_PATH + "otgc_creds";
 // File databases for IoTivity
- public static final String OIC_CLIENT_JSON_DB_FILE = DATA_PATH + "oic_svr_db_client.json";
- public static final String OIC_CLIENT_CBOR_DB_FILE = DATA_PATH + "oic_svr_db_client.dat";
 public static final String INTROSPECTION_CBOR_FILE = DATA_PATH + "introspection.dat";
- public static final String OIC_SQL_DB_FILE = "Pdm.db";
- // Root certificate and keypair
- public static String ROOT_CERTIFICATE = "root.crt";
- public static String ROOT_PRIVATE_KEY = "root.prv";
- public static String ROOT_PUBLIC_KEY = "root.pub";
+ /* Kyrio certificate chain */
+ public static String KYRIO_ROOT_CERTIFICATE = "kyrio-root-cert.pem";
+ public static String KYRIO_SUBCA_CERTIFICATE = "kyrio-subca-cert.pem";
+ public static String KYRIO_EE_CERTIFICATE = "kyrio-ee-cert.pem";
+ public static String KYRIO_EE_KEY = "kyrio-ee-key.pem";
 }
diff --git a/src/main/resources/data/kyrio-ee-cert.pem b/src/main/resources/data/kyrio-ee-cert.pem
new file mode 100644
index 0000000..6ab9a5d
--- /dev/null
+++ b/src/main/resources/data/kyrio-ee-cert.pem
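Review bot: The four new `KYRIO_*` constants are `public static String` without `final` (carried over from the ROOT_* lines they replace), so any code can reassign the file name the trust chain is loaded from at runtime; declare them `public static final String KYRIO_ROOT_CERTIFICATE = "kyrio-root-cert.pem";` and likewise for the other three, matching `DATA_PATH` and `OTGC_CREDS_DIR` in the same hunk. `DATA_PATH` becoming public widens where the relative `./data` prefix is used, and it resolves against the process working directory, which the comment should say: `// Data resource path, relative to the working directory the application is started from`. The removal of the OIC_CLIENT_* and OIC_SQL_DB_FILE constants is unrelated to the subject line and presumably drops dead constants — worth a sentence in the commit message.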
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA7mgAwIBAgIJAI0K+3tTskzXMAoGCCqGSM49BAMCMFsxDDAKBgNVBAoM +A09DRjEiMCAGA1UECwwZS3lyaW8gVGVzdCBJbmZyYXN0cnVjdHVyZTEnMCUGA1UE +AwweS3lyaW8gVEVTVCBJbnRlcm1lZGlhdGUgQ0EwMDAyMB4XDTE5MDkyMzA5MjUx +OFoXDTE5MTAyMzA5MjUxOFowYTEMMAoGA1UECgwDT0NGMSIwIAYDVQQLDBlLeXJp +byBUZXN0IEluZnJhc3RydWN0dXJlMS0wKwYDVQQDDCQxZTFiZWJmYi04ZjAzLTQ3 +ODUtNWZhNy0xYjcwNGU2NTQzNjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQj +V7MJwkO4J4PWR4KgbVHrFHSQipHMRNu704OPmnAQQ3tnEhjnYxn0TODDvN8YekE5 +voDDOX98mYpxhPa5hz52o4ICXjCCAlowCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMC +A4gwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsGAQUFBwMBBgorBgEEAYLefAEGMB0G +A1UdDgQWBBRjlMq7Dkw3IN1X1CTuDLEITgjQGTAfBgNVHSMEGDAWgBQZc2oEGgsH +cE9TeVM2h/wMunyuCzCBlgYIKwYBBQUHAQEEgYkwgYYwXQYIKwYBBQUHMAKGUWh0 +dHA6Ly90ZXN0cGtpLmt5cmlvLmNvbS9vY2YvY2FjZXJ0cy9CQkU2NEY5QTdFRTM3 +RDI5QTA1RTRCQjc3NTk1RjMwOEJFNDFFQjA3LmNydDAlBggrBgEFBQcwAYYZaHR0 +cDovL3Rlc3RvY3NwLmt5cmlvLmNvbTBfBgNVHR8EWDBWMFSgUqBQhk5odHRwOi8v +dGVzdHBraS5reXJpby5jb20vb2NmL2NybHMvQkJFNjRGOUE3RUUzN0QyOUEwNUU0 +QkI3NzU5NUYzMDhCRTQxRUIwNy5jcmwwGAYDVR0gBBEwDzANBgsrBgEEAYORVgAB +AjBgBgorBgEEAYORVgEABFIwUDAJAgECAgEAAgEAMDYMGTEuMy42LjEuNC4xLjUx +NDE0LjAuMC4xLjAMGTEuMy42LjEuNC4xLjUxNDE0LjAuMC4yLjAMBE9UR0MMBURF +S1JBMCoGCisGAQQBg5FWAQEEHDAaBgsrBgEEAYORVgEBAAYLKwYBBAGDkVYBAQEw +MAYKKwYBBAGDkVYBAgQiMCAMDjEuMy42LjEuNC4xLjcxDAlEaXNjb3ZlcnkMAzEu +MDAKBggqhkjOPQQDAgNIADBFAiBLKD1R5LUOUJdMq2VWlzbzpZjvLeN1CFQIPS4y +cjbm9wIhANmGPf7y8/s/fKWy/dEaIGjo79lButKOe0JWZaburW3P +-----END CERTIFICATE----- diff --git a/src/main/resources/data/kyrio-ee-key.pem b/src/main/resources/data/kyrio-ee-key.pem new file mode 100644 index 0000000..74373c9 --- /dev/null +++ b/src/main/resources/data/kyrio-ee-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIChO1xeRf0WA/npKbjLKPzlnTDhE7v95O5ZG2fhZbBjLoAoGCCqGSM49 +AwEHoUQDQgAEI1ezCcJDuCeD1keCoG1R6xR0kIqRzETbu9ODj5pwEEN7ZxIY52MZ +9Ezgw7zfGHpBOb6Awzl/fJmKcYT2uYc+dg== +-----END EC PRIVATE KEY----- 
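Review bot: `kyrio-ee-key.pem` adds an EC private key to `src/main/resources`, so it ships in every build artifact and remains in git history even after removal; the hunk gives no indication whether this is a Kyrio test-PKI key, and that should be recorded next to the file (for example a short README line in `data/`) together with who can rotate it. Decoding the validity sequence of `kyrio-ee-cert.pem` above (`MB4XDTE5MDkyMzA5MjUxOFoXDTE5MTAyMzA5MjUxOFow`) appears to give notBefore 2019-09-23 and notAfter 2019-10-23, which would leave the end-entity certificate valid for only about two weeks after this commit date — verify with `openssl x509 -in kyrio-ee-cert.pem -noout -dates` and document the renewal procedure. Loading the key and certificate from a path outside the packaged resources would let them be rotated without a release.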
diff --git a/src/main/resources/data/kyrio-root-cert.pem b/src/main/resources/data/kyrio-root-cert.pem new file mode 100644 index 0000000..465923b --- /dev/null +++ b/src/main/resources/data/kyrio-root-cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB3zCCAYWgAwIBAgIJAPObjMBXKhGyMAoGCCqGSM49BAMCMFMxDDAKBgNVBAoM +A09DRjEiMCAGA1UECwwZS3lyaW8gVGVzdCBJbmZyYXN0cnVjdHVyZTEfMB0GA1UE +AwwWS3lyaW8gVEVTVCBST09UIENBMDAwMjAeFw0xODExMzAxNzMxMDVaFw0yODEx +MjcxNzMxMDVaMFMxDDAKBgNVBAoMA09DRjEiMCAGA1UECwwZS3lyaW8gVGVzdCBJ +bmZyYXN0cnVjdHVyZTEfMB0GA1UEAwwWS3lyaW8gVEVTVCBST09UIENBMDAwMjBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABGt1sU2QhQcK/kflKSF9TCrvKaDckLWd +ZoyvP6z0OrqNdtBscZgVYsSHMQZ1R19wWxsflvNr8bMVW1K3HWMkpsijQjBAMA8G +A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQoSOTlJ1jZ +CO4JNOSxuz1ZZh/I9TAKBggqhkjOPQQDAgNIADBFAiAlMUwgVeL8d5W4jZdFJ5Zg +clk7XT66LNMfGkExSjU1ngIhANOvTmd32A0kEtIpHbiKA8+RFDCPJWjN4loxrBC7 +v0JE +-----END CERTIFICATE----- diff --git a/src/main/resources/data/kyrio-subca-cert.pem b/src/main/resources/data/kyrio-subca-cert.pem new file mode 100644 index 0000000..eea34a2 --- /dev/null +++ b/src/main/resources/data/kyrio-subca-cert.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAqGgAwIBAgIJAPObjMBXKhG1MAoGCCqGSM49BAMCMFMxDDAKBgNVBAoM +A09DRjEiMCAGA1UECwwZS3lyaW8gVGVzdCBJbmZyYXN0cnVjdHVyZTEfMB0GA1UE +AwwWS3lyaW8gVEVTVCBST09UIENBMDAwMjAeFw0xODExMzAxODEyMTVaFw0yODEx +MjYxODEyMTVaMFsxDDAKBgNVBAoMA09DRjEiMCAGA1UECwwZS3lyaW8gVGVzdCBJ +bmZyYXN0cnVjdHVyZTEnMCUGA1UEAwweS3lyaW8gVEVTVCBJbnRlcm1lZGlhdGUg +Q0EwMDAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvA+Gn3ofRpH40XuVppBR +f78mDtfclOkBd7/32yQcmK2LQ0wm/uyl2cyeABPuN6NFcR9+LYkXZ5P4Ovy9R43Q +vqOCAVQwggFQMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB0G +A1UdDgQWBBQZc2oEGgsHcE9TeVM2h/wMunyuCzAfBgNVHSMEGDAWgBQoSOTlJ1jZ +CO4JNOSxuz1ZZh/I9TCBjQYIKwYBBQUHAQEEgYAwfjBVBggrBgEFBQcwAoZJaHR0 +cDovL3Rlc3Rwa2kua3lyaW8uY29tL29jZi80RTY4RTNGQ0YwRjJFNEY4MEE4RDE0 +MzhGNkExQkE1Njk1NzEzRDYzLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL3Rlc3Rv +Y3NwLmt5cmlvLmNvbTBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vdGVzdHBraS5r +eXJpby5jb20vb2NmLzRFNjhFM0ZDRjBGMkU0RjgwQThEMTQzOEY2QTFCQTU2OTU3 +MTNENjMuY3JsMAoGCCqGSM49BAMCA0cAMEQCHwXkRYd+u5pOPH544wBmBRJz/b0j +ppvUIHx8IUH0CioCIQDC8CnMVTOC5aIoo5Yg4k7BDDNxbRQoPujYes0OTVGgPA== +-----END CERTIFICATE----- diff --git a/src/main/resources/data/root.crt b/src/main/resources/data/root.crt deleted file mode 100644 index 12d01e8..0000000 --- a/src/main/resources/data/root.crt +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBxDCCAWugAwIBAgIJAOCtdsLGkAHVMAoGCCqGSM49BAMCMEYxCzAJBgNVBAYT -AlVTMSUwIwYDVQQKDBxPcGVuIENvbm5lY3Rpdml0eSBGb3VuZGF0aW9uMRAwDgYD -VQQDDAdSb290IENBMB4XDTE5MDUyMjA4MDY1NFoXDTI5MDUxOTA4MDY1NFowRjEL -MAkGA1UEBhMCVVMxJTAjBgNVBAoMHE9wZW4gQ29ubmVjdGl2aXR5IEZvdW5kYXRp -b24xEDAOBgNVBAMMB1Jvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7 -0B6uWQzda/OaUHs0gRhWt5DzuUgou3M1aBF5HFCHRJ8IFpG5nRDhbbCRLu6xyj1p -4BQaARhfwLfjBGHrdHHPo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBhjAdBgNVHQ4EFgQUUX9CUMUNAmLssx+15jZuJh8eAR8wCgYIKoZIzj0EAwID -RwAwRAIgOCJ4e6o9rm+i9fICRSTI/JoS18MUi3JX/EmnBa2aGzkCIEw8XrZDwP7l -hKESMzNh2IZJelimA+mPY/49iF6qPtK4 ------END CERTIFICATE----- diff --git a/src/main/resources/data/root.prv b/src/main/resources/data/root.prv deleted file mode 100644 index 09a36a5..0000000 --- a/src/main/resources/data/root.prv +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIKdtJZE9IghVFGRm0LZRfnhwQEZK6DqjSe96i+oBlFVPoAoGCCqGSM49 -AwEHoUQDQgAEu9AerlkM3WvzmlB7NIEYVreQ87lIKLtzNWgReRxQh0SfCBaRuZ0Q -4W2wkS7usco9aeAUGgEYX8C34wRh63Rxzw== ------END EC PRIVATE KEY----- From 2cd031b5825d5161c7fa3c5fa3449e02ff73b26a Mon Sep 17 00:00:00 2001 From: Javier Guerra Melgares Date: Mon, 7 Oct 2019 16:53:58 +0200 Subject: [PATCH 2/3] Not announce /oc/con resource --- .../otgc/data/repository/IotivityRepository.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/org/openconnectivity/otgc/data/repository/IotivityRepository.java b/src/main/java/org/openconnectivity/otgc/data/repository/IotivityRepository.java index ef8e8d8..7b293f5 100644 --- a/src/main/java/org/openconnectivity/otgc/data/repository/IotivityRepository.java +++ b/src/main/java/org/openconnectivity/otgc/data/repository/IotivityRepository.java 
@@ -101,6 +101,7 @@ public Completable initOICStack() {
 byte[] introspectionData = Files.readAllBytes(introspectionFile.toPath());
 OCIntrospection.setIntrospectionData(0 /* First device */, introspectionData);
 OCBufferSettings.setMaxAppDataSize(16384); // 16 KB
+ OCMain.setConResAnnounced(false); // Disable /oc/con resource
 int ret = OCMain.mainInit(new OCMainInitHandler() {
 @Override
From eb4f964363c8f4e93596d3a4f2019aedf32172e5 Mon Sep 17 00:00:00 2001 From: Javier Guerra Melgares Date: Mon, 7 Oct 2019 16:57:22 +0200 Subject: [PATCH 3/3] Update version to 2.0.8 --- build/debian/control | 2 +- build/debian/otgc_native.sh | 2 +- pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/build/debian/control b/build/debian/control
index a80b730..cc89f2b 100644
--- a/build/debian/control
+++ b/build/debian/control
@@ -1,5 +1,5 @@
 Package: OTGC
-Version: 2.0.7
+Version: 2.0.8
 Section: custom
 Priority: optional
 Architecture: amd64
diff --git a/build/debian/otgc_native.sh b/build/debian/otgc_native.sh
index cc7363c..b73af39 100755
--- a/build/debian/otgc_native.sh
+++ b/build/debian/otgc_native.sh
@@ -11,7 +11,7 @@ # Constants PROJECT_NAME="otgc"
-VERSION="2.0.7"
+VERSION="2.0.8"
 program=$0
diff --git a/pom.xml b/pom.xml
index 5c76c27..ce0d2cf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ otgc otgc
- 2.0.7
+ 2.0.8
 UTF-8
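Review bot: The comment on the added line says the `/oc/con` resource is disabled, but the API name `setConResAnnounced(false)` suggests it only stops the resource from being announced in discovery, which would leave it reachable by a client that already knows the URI — if so, the comment should read `OCMain.setConResAnnounced(false); // Do not advertise /oc/con in discovery (the resource itself stays registered)`; if the stack really does unregister it, keep the wording but say so explicitly. The call is placed before `OCMain.mainInit`, so if that ordering is required for the setting to take effect, a short note saying so would keep a future refactor from moving it. initOICStack continues outside the hunk.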