User Tools

Site Tools


steps_for_enabling_security_in_iotivity_applications

1. build

Iotivity stack should be built with SECURED=1 flag:

scons resource SECURED=1

Note by default 1.2-rel- has it set off, while 1.3-rel+ on.

2. server

An Iotivity Server hosting a resource should assign 'OC_SECURE' property during resource creation.:

 OCCreateResource(.......,  OC_DISCOVERABLE|OC_OBSERVABLE | OC_SECURE );  (C API)  
 OCPlatform::registerResource(.......,  OC_DISCOVERABLE|OC_OBSERVABLE | OC_SECURE ); (C++ API)  

See more here

NB: If you compile iotivity with the SECURED=1 flag, even resources for which OC_SECURE is not specified will be subject to access control as explained below. This is the intended behavior: access for any resource must be explicitly granted via the Access Control List (ACL). Without an ACL entry granting access, requests will be denied by default.

3. Security Virtual Resource (SVR) database

Configuration data such as Access Control List (ACL), PSK credentials, device certificates, device ID etc are stored and managed by Iotivity stack in SVR database in CBOR format. An Iotivity application can provide this data to Iotivity stack by invoking OCRegisterPersistentStorageHandler() API at startup. OCPersistentStorage structure is used to register “fopen, fread, fwrite, fclose, unlink” functions. e.g In file resource/csdk/stack/samples/linux/secure/ocserverbasicops.cpp, the functions server_fopen is registered which opens application specific dat file. Likewise fread, fwrite, fclose, unlink can also be implemented specific to the application.

 // C API
 // Implementation of application specific fopen function
 FILE* server_fopen(const char *path, const char *mode)
 {
   // Here OC_SECURITY_DB_DAT_FILE_NAME is application specific dat file name.
   if (0 == strcmp(path, OC_SECURITY_DB_DAT_FILE_NAME)) 
   {
      return fopen(CRED_FILE, mode);
   }
   else
   {
      return fopen(path, mode);
   }
 }
 
 // server_fopen is registered using
 OCPersistentStorage ps {server_fopen, fread, fwrite, fclose, unlink }; 
 
 // Note: this needs to be invoked before the call to OCInit() API.
 OCRegisterPersistentStorageHandler(&ps); // (C API)
 
 

Sample SVR database files:

 //C++ API
 static FILE* client_open(const char *path, const char *mode)
 {
   if (0 == strcmp(path, OC_SECURITY_DB_DAT_FILE_NAME))
   {
      return fopen(DAT_DB_PATH, mode);
   }
   else
   {
      return fopen(path, mode);
   }
 }
 OCPersistentStorage ps {client_open, fread, fwrite, fclose, unlink };
  // Create PlatformConfig object
  PlatformConfig cfg {
      OC::ServiceType::InProc,
          OC::ModeType::Both,
          "0.0.0.0",
          0,
          OC::QualityOfService::LowQos,
          &ps
  };
  //API for overwriting the default configuration of the OCPlatform object.
  //Any calls made to this AFTER the first call to OCPlatform::Instance will have no affect
  OCPlatform::Configure(cfg);
 //Java API
 private void initOICStack() {
  //create platform config
  PlatformConfig cfg = new PlatformConfig(
          this,
          ServiceType.IN_PROC,
          ModeType.CLIENT_SERVER,
          "0.0.0.0", // bind to all available interfaces
          0,
          QualityOfService.LOW, filePath + StringConstants.OIC_CLIENT_CBOR_DB_FILE);
  OcPlatform.Configure(cfg);

4. client

Due to an existing bug in iotivity, a Client application should register itself as OC_CLIENT_SERVER mode with Iotivity stack:

OCInit(NULL, 0, OC_CLIENT_SERVER); // (C API)
PlatformConfig cfg {......, OC::ModeType::Both, ....}; // (C++ API)
PlatformConfig platformConfig = new PlatformConfig( ..., ModeType.CLIENT_SERVER, ...); // (Java API)

More resources

steps_for_enabling_security_in_iotivity_applications.txt · Last modified: 2017/04/06 20:19 by Nathan Heldt-Sheller