e-bike-tracker/docs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

update certificate generation and phone-device pairing

Browse source
This commit is contained in:
Vladan Popovic 2022-05-30 11:43:09 +02:00
parent c40da7350f
commit 8a3ab216ee
1 changed files with 23 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
todo.org
View file

@ -1,5 +1,5 @@
:PROPERTIES: :PROPERTIES:
:LOGGING: PROGRESS(!) DONE(!) CANCELED(!) :LOGGING: PROGRESS(!) HOLD(!) DONE(!) CANCELED(!)
:END: :END:
#+SETUPFILE: ~/src/org-themes/src/white_clean/white_clean.theme #+SETUPFILE: ~/src/org-themes/src/white_clean/white_clean.theme
@ -162,17 +162,20 @@ Then in some function executed in a thread ...
#+end_src #+end_src
* Device and phone registration * Device and phone registration
The device will have the cert baked into the image, so it will be the
only party (other than the phone) which will have an identity on the
server. This will enable the device to pair with the phone on the
server, by sending a request with the cert and pairing info.
#+begin_src plantuml :file img/registration.png #+begin_src plantuml :file img/registration.png
Phone -> Device: Get device ID Phone <- Device: Get Phone ID
Phone <-- Device: Device ID Phone --> Device: Phone ID
Phone -> Server: Register IDs (device_id, phone_id) Device -> Server: Register IDs (device_id, phone_id)
Phone <-- Server: Client TLS certificate
Phone -> Device: Set TLS certificate
Phone <-- Device: OK
Device -> Server: ID verification request Phone -> Server: ID verification request
Device <-- Server: ID verification response Phone <-- Server: ID verification response
Server -> Server: Write phone ID and pair with device
#+end_src #+end_src
** TODO [#A] Phone gets its own device ID ** TODO [#A] Phone gets its own device ID
@ -185,12 +188,22 @@ The phone needs to retrieve the device ID via BLE and pack it together
with the phone's ID before sending it to the server as part of the with the phone's ID before sending it to the server as part of the
registration procedure. registration procedure.
** TODO [#A] Generate client certificates with rustls ** HOLD [#A] Generate client certificates with rustls
- State "HOLD" from "PROGRESS" [2022-05-30 Mon 11:39]
- State "PROGRESS" from "TODO" [2022-05-30 Mon 11:23]
After the CA cert and server keys are all set up, we can use it to After the CA cert and server keys are all set up, we can use it to
generate client certificates for the devices. This should all be done generate client certificates for the devices. This should all be done
in the web server code, i.e. no exit to shell and call openssl, but in the web server code, i.e. no exit to shell and call openssl, but
use rustls to generate the cert itself. use rustls to generate the cert itself.
*Update*:
This seems like a bigger bite at this time. Generate the certs [[https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html][with
openssl]], or another tool (e.g. [[https://github.com/cloudflare/cfssl][cloudflare's cfssl]], or [[https://ocaml.org/p/x509/0.16.0][ocaml's x509]])
and continue with validation and authentication from Rust.
** TODO Generate device certificates when pushing the image on the device
No need to download certs and put ourselves to danger anymore :)
** TODO [#A] Phone sets client certs to device ** TODO [#A] Phone sets client certs to device
The phone needs to retrieve the certificate from the server and pass The phone needs to retrieve the certificate from the server and pass
it to the device. it to the device.