From 8a3ab216ee5e47d4f8a85eefeead17b0c3736a7f Mon Sep 17 00:00:00 2001 From: Vladan Popovic Date: Mon, 30 May 2022 11:43:09 +0200 Subject: [PATCH] update certificate generation and phone-device pairing --- todo.org | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/todo.org b/todo.org index 8143efe..83ce4d0 100644 --- a/todo.org +++ b/todo.org @@ -1,5 +1,5 @@ :PROPERTIES: -:LOGGING: PROGRESS(!) DONE(!) CANCELED(!) +:LOGGING: PROGRESS(!) HOLD(!) DONE(!) CANCELED(!) :END: #+SETUPFILE: ~/src/org-themes/src/white_clean/white_clean.theme @@ -162,17 +162,20 @@ Then in some function executed in a thread ... #+end_src * Device and phone registration +The device will have the cert baked into the image, so it will be the +only party (other than the phone) which will have an identity on the +server. This will enable the device to pair with the phone on the +server, by sending a request with the cert and pairing info. + #+begin_src plantuml :file img/registration.png -Phone -> Device: Get device ID -Phone <-- Device: Device ID +Phone <- Device: Get Phone ID +Phone --> Device: Phone ID -Phone -> Server: Register IDs (device_id, phone_id) -Phone <-- Server: Client TLS certificate -Phone -> Device: Set TLS certificate -Phone <-- Device: OK +Device -> Server: Register IDs (device_id, phone_id) -Device -> Server: ID verification request -Device <-- Server: ID verification response +Phone -> Server: ID verification request +Phone <-- Server: ID verification response +Server -> Server: Write phone ID and pair with device #+end_src ** TODO [#A] Phone gets its own device ID @@ -185,12 +188,22 @@ The phone needs to retrieve the device ID via BLE and pack it together with the phone's ID before sending it to the server as part of the registration procedure. -** TODO [#A] Generate client certificates with rustls +** HOLD [#A] Generate client certificates with rustls +- State "HOLD" from "PROGRESS" [2022-05-30 Mon 11:39] +- State "PROGRESS" from "TODO" [2022-05-30 Mon 11:23] After the CA cert and server keys are all set up, we can use it to generate client certificates for the devices. This should all be done in the web server code, i.e. no exit to shell and call openssl, but use rustls to generate the cert itself. +*Update*: +This seems like a bigger bite at this time. Generate the certs [[https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html][with +openssl]], or another tool (e.g. [[https://github.com/cloudflare/cfssl][cloudflare's cfssl]], or [[https://ocaml.org/p/x509/0.16.0][ocaml's x509]]) +and continue with validation and authentication from Rust. + +** TODO Generate device certificates when pushing the image on the device +No need to download certs and put ourselves to danger anymore :) + ** TODO [#A] Phone sets client certs to device The phone needs to retrieve the certificate from the server and pass it to the device.