
WSO2 IOT code - Mutual Authentication failing while comparing certificates #1943

Open
sumit1dec opened this issue May 4, 2020 · 1 comment

Comments

@sumit1dec

I was trying to implement mutual SSL communication between the device (client) and the WSO2 IoT server version 3.3.0.

PART1:

For mutual authentication to happen, it was required to upload the client certificate on the server (certificate upload UI) in the Certificate tab under Settings. On upload, the API mentioned below (/admin/certificates) gets called:

[screenshot]

This saves the certificate details in the "WSO2DM_DB" DB under the "DM_DEVICE_CERTIFICATE" table. While saving the certificate in the DB, it converts the CN value of the certificate serialNumber like this: “certificate.setSerial(x509Certificate.getSerialNumber().toString());”.

Here is the screenshot of the code in “CertificateManagementAdminServiceImpl.java”:

[screenshot]

This results in storing the certificate in the above-mentioned table, which looks like this:

[screenshot]

PART2:

When the mutual authentication is in action, the client sends its certificate after “ServerHelloDone”.

Now, when the client sends its certificate, the WSO2 code takes out the CN value of the certificate in the code below in AuthenticationHandler.java:

[screenshot]

The “getCommonName” method trims the “CN=” by splitting the value passed to the method and returns only the value of CN.

Thereafter, it compares the CN value (returned by the above method) of the client certificate with the serial number of the uploaded certificate, without converting it into the format it was converted to during upload.

[screenshot]

FAIL1:

Taking the above example, if the client certificate CN value is “CN=testCN”, the code compares the value “testCN” with the converted serial number in the DB, and they fail to match even though the CN value in both cases (during upload and on receiving the client certificate) is the same. In the code below, the serialNumber that is getting passed is “testCN”, and it fails to match the query on the DB:

[screenshot]

FAIL2: Just to test my scenario for mutual SSL, I tried doing a manual update to the above-mentioned table to store the CN value without conversion. Now the DB has “testCN” as the serialNumber value.
In this case also, when the client certificate is passed, the “getCommonName” method trims the value “CN=testCN” to “testCN” and passes the result to the “verifyCertificateDN” method in CertificateGenerator.java.

[screenshot]

The distinguishedName passed over here is “testCN”, and it checks whether it contains the string “/CN=” (which the code has trimmed out in the getCommonName method).

It goes to the else block and fails with an LDAP exception.

What I did not understand is: why is the above method looking for the string “/CN=” when it has trimmed that value out in the “getCommonName” method?

Thus, in this case also, the code is failing to execute mutual authentication even though the uploaded certificate and the client-passed certificate are the same. Once they match, everything will be achieved.

Please suggest if I am doing something wrong here.
Or do we need to modify the existing WSO2 code to achieve the right comparison of the certificates?

While debugging the entire flow of mutual SSL, we made the observations about the code that I have mentioned above.

Thank You
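The mismatch the report describes can be reproduced without a live server: the upload path keys the stored row on the serial number rendered as a decimal string, while the mutual-TLS path extracts the CN from the subject DN and uses that as the lookup key, so the two sides never compare the same attribute. The following is an added illustration written for this page; it is not code from the issue or from WSO2, and the row layout, function names and the sample DN/serial values are constructed assumptions. The DN parser goes slightly beyond the report and accepts both the comma-separated RFC 2253 form and the slash-separated OpenSSL form, which is what the “/CN=” check in the second failure is looking for.

```python
"""Constructed model of the two certificate lookups described in the issue.
None of this is WSO2 code; names and the row layout are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` while honouring backslash escapes, so
    "CN=a\\,b,O=x" yields ["CN=a,b", "O=x"]."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a subject DN into an attribute map. Accepts the RFC 2253 comma form
    ("CN=testCN,O=Example") and the OpenSSL slash form ("/O=Example/CN=testCN").
    A bare value with no '=' (such as an already-trimmed "testCN") is rejected."""
    text = dn.strip()
    if text.startswith("/"):
        parts = _split_unescaped(text[1:], "/")
    else:
        parts = _split_unescaped(text, ",")
    attrs: Dict[str, str] = {}
    for part in parts:
        if not part.strip():
            continue
        key, eq, value = part.partition("=")
        if not eq:
            raise ValueError("malformed RDN: %r" % part)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def is_dn(text: str) -> bool:
    """True if `text` parses as a DN, False for a bare value such as "testCN"."""
    try:
        parse_dn(text)
        return True
    except ValueError:
        return False


def common_name_of(dn: str) -> Optional[str]:
    """Only the CN attribute, as the getCommonName method in the report returns it."""
    return parse_dn(dn).get("CN")


@dataclass(frozen=True)
class StoredCertificate:
    """One row of the assumed certificate table, as written on upload."""
    serial: str          # serial number rendered as a decimal string
    subject_dn: str


def store_on_upload(serial_number: int, subject_dn: str) -> StoredCertificate:
    """Upload path: the key is the serial number as a string (BigInteger.toString)."""
    return StoredCertificate(serial=str(serial_number), subject_dn=subject_dn)


def sample_rows() -> List[StoredCertificate]:
    """Constructed sample table with one uploaded certificate."""
    return [store_on_upload(123456789, "CN=testCN,O=Example")]


def lookup_by_serial(rows: List[StoredCertificate], key: Optional[str]) -> Optional[StoredCertificate]:
    return next((r for r in rows if r.serial == key), None)


def auth_lookup_as_described(rows: List[StoredCertificate], client_subject_dn: str) -> Optional[StoredCertificate]:
    """Mutual-TLS path as the report describes it: the CN is used as the serial key."""
    return lookup_by_serial(rows, common_name_of(client_subject_dn))


def auth_lookup_consistent(rows: List[StoredCertificate], client_serial_number: int) -> Optional[StoredCertificate]:
    """Same key on both sides: look the presented certificate up by its serial number."""
    return lookup_by_serial(rows, str(client_serial_number))


def dn_has_common_name(distinguished_name: str, expected_cn: str) -> bool:
    """Parse the DN and compare the CN attribute rather than searching the raw
    string for "/CN=", so both DN syntaxes are treated alike."""
    return is_dn(distinguished_name) and parse_dn(distinguished_name).get("CN") == expected_cn


if __name__ == "__main__":
    rows = sample_rows()
    print("CN used as serial key:", auth_lookup_as_described(rows, "CN=testCN,O=Example"))
    print("serial used as key:  ", auth_lookup_consistent(rows, 123456789))
    print("bare 'testCN' is a DN:", is_dn("testCN"))
```

Running the block shows the first lookup returning nothing (the CN string is compared against a decimal serial) and the second returning the stored row, while the bare “testCN” value is rejected by the parser, which is the situation behind the second failure described above.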

@stale

stale bot commented May 15, 2020

This issue has been automatically marked as stale because it has not had recent activity.
