Wireless-Innovation-Forum / Citizens-Broadband-Radio-Service-Device

Apache License 2.0

CBSD code for initial testing #140

Open AvinavKaushik opened 5 years ago

AvinavKaushik commented 5 years ago

I'm working on the CBSD side of the code (in Python) for initial testing but am facing some issues, as I'm stuck at SSL authentication.

Please, someone help me with the initial bring-up, as I'm not familiar with SSL/TLS. Also, if CBSD-side code is available which I can refer to for my initial testing, then please share.

What I have tried:

I have modified the conf.xml file of the package (before running StartOfProject.py) as shown below. Also, I'm using the .pem and .key files provided in the package for both my server (this repository's code for CBSD testing) and client (test code which I have written to emulate a CBSD).

conf.xml file:

<?xml version="1.0"?>
<cbrsParams>
    <jsonsRepoPath>jsonExpectedFolder</jsonsRepoPath>
    <testRepoPath>testFiles</testRepoPath>
    <hostIp>127.0.0.1</hostIp>
    <port>5000</port>
    <heartbeatLimit>30</heartbeatLimit>
    <pemFilePath>certificates/sasharnesscert.pem</pemFilePath>
    <keyFilePath>certificates/sasharnesspriv.key</keyFilePath>
    <caCerts>certificates/UUT/UUTCBSD.pem</caCerts>
    <cpiCert>certificates/cpicert.pem</cpiCert>
</cbrsParams>

test.py (test code emulating the CBSD):

import ssl
import socket

host_addr = '127.0.0.1'
host_port = 5000
server_cert = 'sasharnesscert.pem'   # file handed to load_verify_locations: the trust store for verifying the SAS
client_cert = 'UUTCBSD.pem'          # CBSD certificate presented to the SAS
client_key = 'UUTCBSDprivkey.key'    # private key matching client_cert
WINNF_APPROVED_CIPHERS = 'AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:@STRENGTH' # string of ciphers separated by colons

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED            # the SAS certificate must be presented and must verify
context.set_ciphers(WINNF_APPROVED_CIPHERS)
context.load_verify_locations(cafile=server_cert)  # CA certificates trusted when verifying the SAS
context.load_cert_chain(certfile=client_cert, keyfile=client_key)  # the CBSD's own certificate (plus chain) and key

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn = context.wrap_socket(s, server_side=False, do_handshake_on_connect=True, server_hostname=None)
conn.connect((host_addr, host_port))  # the TLS handshake runs here; verification failures raise SSLError
print("SSL connection to SAS established. Peer: {}".format(conn.getpeercert()))
print("Closing connection")
conn.close()

saudawar commented 5 years ago

Hi Avinav,

I believe the error is in the usage of CA certs at both ends. The CA certs need to be the set of certificates that define the CA certificates to trust for certificate verification.

If the certificates were generated using the readme file shared as part of the mock SAS code, then you would have received the following set of certificates.

  1. Root cert
  2. SAS Intermediate cert
  3. SAS end entity
  4. CBSD Intermediate cert
  5. CBSD end entity

Now, create two more files:

  1. CA_AT_CBSD.pem : contents of CBSD Intermediate cert + contents of root cert.
  2. CA_AT_SAS.pem : contents of SAS Intermediate cert + contents of root cert.

Config at SAS:

<?xml version="1.0"?>
<cbrsParams>
    <jsonsRepoPath>jsonExpectedFolder</jsonsRepoPath>
    <testRepoPath>testFiles</testRepoPath>
    <hostIp>127.0.0.1</hostIp>
    <port>5000</port>
    <heartbeatLimit>30</heartbeatLimit>
    <pemFilePath>certificates/sasharnesscert.pem</pemFilePath>
    <keyFilePath>certificates/sasharnesspriv.key</keyFilePath>
    <caCerts>certificates/CA_AT_SAS.pem</caCerts>
    <cpiCert>certificates/cpicert.pem</cpiCert>
</cbrsParams>

Code change at CBSD:

server_cert = 'CA_AT_CBSD.pem'

If you still face the issue after this, then try this in addition:

-- In UUTCBSD.pem, append the contents of the CBSD Intermediate cert. As per the Python documentation, "The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate's authenticity."
-- Rename "UUTCBSDprivkey.key" to "UUTCBSDprivkey.pem".
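The point above about what belongs in the CA file, shown as an added example that is not part of this issue or of the project's code: Python's standard library cannot mint certificates offline, so this Go program builds a stand-in copy of the readme's three-tier chain (root, CBSD intermediate, CBSD UUT end entity) and checks which `cafile` contents let the UUT certificate verify, the same decision OpenSSL makes behind `load_verify_locations`. The subject names, Ed25519 keys and one-day validity are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue builds a demo cert for cn, self-signed when parent is nil; returns the parsed cert, its key and its PEM text.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // demo key type (assumption); the real harness uses RSA/ECDSA
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root: it is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyWithCAFile mirrors what load_verify_locations(cafile=...) hands to the TLS stack: every PEM
// block in caFile is loaded, self-signed ones become trust anchors, the rest serve as intermediates.
func verifyWithCAFile(leafPEM, caFile []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for blk, rest := pem.Decode(caFile); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		if c.CheckSignatureFrom(c) == nil { // signed by itself: a root
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	blk, _ := pem.Decode(leafPEM)
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

With only the root in the CA file the UUT certificate fails to verify because its issuer (the intermediate) is unknown; with the intermediate concatenated in front of the root, the CA_AT_CBSD.pem layout described above, the chain closes and verification succeeds.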
AvinavKaushik commented 5 years ago

Hi Saudawar,

Thanks for replying.

I have generated the following files (using the readme given in the mock SAS code). It would be great if you could point out which ones are the files you are referring to in your comment.

rootcapriv.key
cbrs_ca1.pem
sascapriv.key
sascacsr.csr
sascacert.pem
cbsdmfrcapriv.key
cbsdmfrcacsr.csr
cbsdmfrcacert1.pem
cpicaprivkey.key
cpicacsr.csr
cbrs_ca1.srl
cpicacert.pem
sasharnesspriv.key
sasharnesscsr.csr
sascacert.srl
sasharnesscert.pem
cbsduutpriv.key
cbsduutcsr.csr
cbsdmfrcacert1.srl
cbsduutcert.pem

Also, I have done the modification in the conf.xml file and Python script as per your suggestion, but the following error is still coming (note that I'm still using the certificate files that were already present in the package).

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Updated conf.xml:

<?xml version="1.0"?>
<cbrsParams>
    <jsonsRepoPath>jsonExpectedFolder</jsonsRepoPath>
    <testRepoPath>testFiles</testRepoPath>
    <hostIp>127.0.0.1</hostIp>
    <port>5000</port>
    <heartbeatLimit>30</heartbeatLimit>
    <pemFilePath>certificates/sasharnesscert.pem</pemFilePath>
    <keyFilePath>certificates/sasharnesspriv.key</keyFilePath>
    <caCerts>certificates/cbsdpkichain.pem</caCerts>
    <cpiCert>certificates/cpicert.pem</cpiCert>
</cbrsParams>

Updated test Python script:

import ssl
import socket

host_addr = '127.0.0.1'
host_port = 5000
server_cert = 'TestLabSASPKIchain.pem'
client_cert = 'UUTCBSD.pem'
client_key = 'UUTCBSDprivkey.key'
WINNF_APPROVED_CIPHERS = 'AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:@STRENGTH' # string of ciphers separated by colons

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.set_ciphers(WINNF_APPROVED_CIPHERS)
context.load_verify_locations(cafile=server_cert)
context.load_cert_chain(certfile=client_cert, keyfile=client_key)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn = context.wrap_socket(s, server_side=False, do_handshake_on_connect=True, server_hostname=None)
conn.connect((host_addr, host_port))
print("SSL connection to SAS established. Peer: {}".format(conn.getpeercert()))
print("Closing connection")
conn.close()

saudawar commented 5 years ago

Hi Avinav,

I don't remember the exact filenames that are used in the help document, but they should be like this:

cbrs_ca1.pem --> Root cert

sascacert.pem --> SAS Intermediate cert

cbsdmfrcacert1.pem --> CBSD Intermediate cert

sasharnesscert.pem --> SAS end entity cert

sasharnesspriv.key --> SAS end entity private key

cbsduutcert.pem --> CBSD end entity cert

cbsduutpriv.key --> CBSD end entity private key

On Wed, Jun 19, 2019 at 6:02 PM AvinavKaushik notifications@github.com wrote:

Hi Saudawar,

Thanks for replying.

I have generated following files (using readme given in mock SAS code). It would be great if you could point out which one are the files that you are referring in your comment.

rootcapriv.key cbrs_ca1.pem sascapriv.key sascacsr.csr sascacert.pem cbsdmfrcapriv.key cbsdmfrcacsr.csr cbsdmfrcacert1.pem cpicaprivkey.key cpicacsr.csr cbrs_ca1.srl cpicacert.pem sasharnesspriv.key sasharnesscsr.csr sascacert.srl sasharnesscert.pem cbsduutpriv.key cbsduutcsr.csr cbsdmfrcacert1.srl cbsduutcert.pem

Also I have done the modification in conf.xml file and python script as per your suggestion but still following error is coming (note that I'm still using the certificate file that were already present in the package).

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Updated conf.xml-

<?xml version="1.0"?>

jsonExpectedFolder testFiles 127.0.0.1 5000 30 certificates/sasharnesscert.pem certificates/sasharnesspriv.key certificates/cbsdpkichain.pem certificates/cpicert.pem

Updated test python script-

import ssl import socket

host_addr = '127.0.0.1' host_port = 5000 server_cert = 'TestLabSASPKIchain.pem' client_cert = 'UUTCBSD.pem' client_key = 'UUTCBSDprivkey.key' WINNF_APPROVED_CIPHERS = 'AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:@STRENGTH' # string of ciphers separated by colons

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) context.verify_mode = ssl.CERT_REQUIRED context.set_ciphers(WINNF_APPROVED_CIPHERS) context.load_verify_locations(cafile=server_cert) context.load_cert_chain(certfile=client_cert, keyfile=client_key)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) conn = context.wrap_socket(s, server_side=False, do_handshake_on_connect=True, server_hostname=None) conn.connect((host_addr, host_port)) print("SSL connection to SAS established. Peer: {}".format(conn.getpeercert())) print("Closing connection") conn.close()

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Wireless-Innovation-Forum/Citizens-Broadband-Radio-Service-Device/issues/140?email_source=notifications&email_token=AHGZ7ILOJLHJWWSCVCHPBX3P3IRNJA5CNFSM4HY64DZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYBWXXY#issuecomment-503540703, or mute the thread https://github.com/notifications/unsubscribe-auth/AHGZ7IMM6EOYT64RVZUCVYTP3IRNJANCNFSM4HY64DZA .

-- Regards, Saurabh Dawar 09711043848