update certificate generation and phone-device pairing
This commit is contained in:
parent
c40da7350f
commit
8a3ab216ee
33
todo.org
33
todo.org
|
|
@ -1,5 +1,5 @@
|
|||
:PROPERTIES:
|
||||
:LOGGING: PROGRESS(!) DONE(!) CANCELED(!)
|
||||
:LOGGING: PROGRESS(!) HOLD(!) DONE(!) CANCELED(!)
|
||||
:END:
|
||||
|
||||
#+SETUPFILE: ~/src/org-themes/src/white_clean/white_clean.theme
|
||||
|
|
@ -162,17 +162,20 @@ Then in some function executed in a thread ...
|
|||
#+end_src
|
||||
|
||||
* Device and phone registration
|
||||
The device will have the cert baked into the image, so it will be the
|
||||
only party (other than the phone) which will have an identity on the
|
||||
server. This will enable the device to pair with the phone on the
|
||||
server, by sending a request with the cert and pairing info.
|
||||
|
||||
#+begin_src plantuml :file img/registration.png
|
||||
Phone -> Device: Get device ID
|
||||
Phone <-- Device: Device ID
|
||||
Phone <- Device: Get Phone ID
|
||||
Phone --> Device: Phone ID
|
||||
|
||||
Phone -> Server: Register IDs (device_id, phone_id)
|
||||
Phone <-- Server: Client TLS certificate
|
||||
Phone -> Device: Set TLS certificate
|
||||
Phone <-- Device: OK
|
||||
Device -> Server: Register IDs (device_id, phone_id)
|
||||
|
||||
Device -> Server: ID verification request
|
||||
Device <-- Server: ID verification response
|
||||
Phone -> Server: ID verification request
|
||||
Phone <-- Server: ID verification response
|
||||
Server -> Server: Write phone ID and pair with device
|
||||
#+end_src
|
||||
|
||||
** TODO [#A] Phone gets its own device ID
|
||||
|
|
@ -185,12 +188,22 @@ The phone needs to retrieve the device ID via BLE and pack it together
|
|||
with the phone's ID before sending it to the server as part of the
|
||||
registration procedure.
|
||||
|
||||
** TODO [#A] Generate client certificates with rustls
|
||||
** HOLD [#A] Generate client certificates with rustls
|
||||
- State "HOLD" from "PROGRESS" [2022-05-30 Mon 11:39]
|
||||
- State "PROGRESS" from "TODO" [2022-05-30 Mon 11:23]
|
||||
After the CA cert and server keys are all set up, we can use it to
|
||||
generate client certificates for the devices. This should all be done
|
||||
in the web server code, i.e. no exit to shell and call openssl, but
|
||||
use rustls to generate the cert itself.
|
||||
|
||||
*Update*:
|
||||
This seems like a bigger bite at this time. Generate the certs [[https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html][with
|
||||
openssl]], or another tool (e.g. [[https://github.com/cloudflare/cfssl][cloudflare's cfssl]], or [[https://ocaml.org/p/x509/0.16.0][ocaml's x509]])
|
||||
and continue with validation and authentication from Rust.
|
||||
|
||||
** TODO Generate device certificates when pushing the image on the device
|
||||
No need to download certs and put ourselves to danger anymore :)
|
||||
|
||||
** TODO [#A] Phone sets client certs to device
|
||||
The phone needs to retrieve the certificate from the server and pass
|
||||
it to the device.
|
||||
|
|
|
|||
Loading…
Reference in New Issue