eProsima / Fast-DDS

The most complete DDS - Proven: Plenty of success cases. Looking for commercial support? Contact info@eprosima.com
https://eprosima.com
Apache License 2.0

FastDDS <-> CycloneDDS interoperability issue, when security is turned on #3259

Closed husnaini798 closed 1 year ago

husnaini798 commented 1 year ago

Is there an already existing issue for this?

Expected behavior

Trying to check FastDDS and CycloneDDS interoperability with security turned on.

Results should be:

| FastDDS (C++) | Cyclone (C) | Results (with security) |
|---|---|---|
| Publisher | Subscriber | works fine |
| Subscriber | Publisher | should work fine but doesn't |

Now, Cyclone subscriber and FastDDS publisher work fine. But if FastDDS is subscribing and Cyclone tries to publish, we see the following error:

Current behavior

| FastDDS (C++) | Cyclone (C) | Results (with security) |
|---|---|---|
| Publisher | Subscriber | works fine |
| Subscriber | Publisher | should work fine but doesn't |

```
/dev/cyclone-C-security-helloworld$ ./HelloworldPublisher
=== [Publisher] Waiting for a reader to be discovered ...
1674445166.046838 [0] fsm: Begin handshake reply failed: Failed to convert octet sequence to ASN1 integer: 140077165520640:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149: 140077165520640:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713: (code: 200)
1674445167.047152 [0] fsm: Begin handshake reply failed: Failed to convert octet sequence to ASN1 integer: 140077165520640:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149: 140077165520640:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713: (code: 200)
1674445168.052006 [0] fsm: Begin handshake reply failed: Failed to convert octet sequence to ASN1 integer: 140077165520640:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149: 140077165520640:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713: (code: 200)
```

We've used the same maincacert.pem, maincakey.pem, governance.smime, permissions.smime, mainpubcert.pem, mainpubkey.pem, mainsubcert.pem and mainsubkey.pem, on both sides, but for some reason when Cyclone tries to publish to FastDDS, we get the error message above.

Steps to reproduce

Asked the same question on the Cyclone DDS forum and the contributor replied:

> That probably means that Fast-DDS isn't sending a key in ASN1 format. The spec only says public keys are to be encoded on the wire as "The CDR Big Endian Serialization of a Diffie-Hellman Public Key". That's completely undefined gobbledygook.
>
> Cyclone follows Vortex OpenSplice in using an ASN.1 encoded public key, because that at least is standardised. I suspect Fast-DDS isn't doing that.
>
> One reason for that suspicion is that at least at some point in the past some DDS implementations just used OpenSSL's BN_bn2bin (or similar, I am not 100% sure). That simply converts to an unspecified, internal to OpenSSL representation, but that's by definition completely unsuited to an on-the-wire representation of a multi-vendor, multi-crypto-implementation, multi-architecture middleware. It could be that FastDDS is one of those and hasn't mended its ways.

Could you please assist with this issue and let me know where the problem might be?

thanks

Fast DDS version/commit

version 2.8.1

Platform/Architecture

Ubuntu Focal 20.04 amd64

Transport layer

Default configuration, UDPv4 & SHM

Additional context

No response

XML configuration file

I also tried regenerating all the required certificates and using the same certs on both sides (only the mainsubcert/key.pem and mainpubcert/key.pem referenced in the code were changed for the corresponding publisher or subscriber). The commands were:

```bash
# Generate a set of CA and identity certificates using OpenSSL
openssl genrsa -out maincakey.pem 2048
openssl req -x509 -key maincakey.pem -out maincacert.pem -days 3650 -subj "/C=ES/ST=MA/L=Symonston/O=eProsima/OU=eProsima/CN=Main CA/emailAddress=mainca@eprosima.com"

# Create identity certificates for publisher and subscriber
# Generate private keys for pub and sub
openssl genrsa -out mainpubkey.pem 2048
openssl genrsa -out mainsubkey.pem 2048

# Create a certificate signing request (CSR) to request the identity CA to generate a certificate, for publisher:
openssl req -new -key mainpubkey.pem -out mainpub.csr -subj "/C=ES/ST=MA/L=Symonston/O=eProsima/OU=eProsima/CN=Main Publisher/emailAddress=mainpub@eprosima.com"
# Create a certificate signing request (CSR) to request the identity CA to generate a certificate, for subscriber:
openssl req -new -key mainsubkey.pem -out mainsub.csr -subj "/C=ES/ST=MA/L=Symonston/O=eProsima/OU=eProsima/CN=Main Subscriber/emailAddress=mainsub@eprosima.com"

# Create identity certificate for pub
openssl x509 -req -CA maincacert.pem -CAkey maincakey.pem -CAcreateserial -days 3650 -in mainpub.csr -out mainpubcert.pem
# Create identity certificate for sub
openssl x509 -req -CA maincacert.pem -CAkey maincakey.pem -CAcreateserial -days 3650 -in mainsub.csr -out mainsubcert.pem

# Create signed governance document
openssl smime -sign -in governance.xml -text -out governance.smime -signer maincacert.pem -inkey maincakey.pem

# Create signed permissions document
openssl smime -sign -in permissions.xml -text -out permissions.smime -signer maincacert.pem -inkey maincakey.pem
```

The permissions.xml used was:

```xml
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="PublisherPermissions">
            <subject_name>emailAddress=mainpub@eprosima.com,CN=Main Publisher,OU=eProsima,O=eProsima,L=Symonston,ST=MA,C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloWorldTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>
        <grant name="SubscriberPermissions">
            <subject_name>emailAddress=mainsub@eprosima.com,CN=Main Subscriber,OU=eProsima,O=eProsima,L=Symonston,ST=MA,C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloWorldTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
    </permissions>
</dds>
```

The governance.xml used was:

```xml
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd">
    <domain_access_rules>
        <domain_rule>
            <domains>
                <id_range>
                    <min>0</min>
                    <max>230</max>
                </id_range>
            </domains>
            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
            <enable_join_access_control>true</enable_join_access_control>
            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
            <topic_access_rules>
                <topic_rule>
                    <topic_expression>HelloWorldTopic</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
            </topic_access_rules>
        </domain_rule>
    </domain_access_rules>
</dds>
```

### Relevant log output

_No response_

### Network traffic capture

_No response_
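
An added diagnostic, not code from Fast-DDS, Cyclone DDS, or any poster in this thread: the "wrong tag" error above is OpenSSL's d2i routine refusing the octet sequence that carries the Diffie-Hellman public value in the handshake token (the spec's dh1/dh2 binary property) because its first byte is not the ASN.1 INTEGER tag 0x02. This pure-stdlib Python classifies such a buffer as a strict DER INTEGER or as a raw big-endian magnitude (what BN_bn2bin produces) and re-encodes the latter as DER; the function names are mine.

```python
# Constructed diagnostic for the dh1/dh2 octet sequence of the DDS Security
# handshake: tells a DER ASN.1 INTEGER (what the Cyclone side parses) apart
# from a raw big-endian magnitude such as BN_bn2bin output, and re-encodes it.

def _der_length(n: int) -> bytes:
    if n < 0x80:                            # short form: single byte
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb     # long form: 0x80|count, then count bytes

def der_encode_integer(value: int) -> bytes:
    """DER INTEGER: tag 0x02, length, minimal two's-complement content."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading 0x00 keeps a positive value from reading as negative
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def der_decode_integer(buf: bytes) -> int:
    """Strict DER INTEGER parse; wrong tag, bad length or trailing bytes raise ValueError."""
    if len(buf) < 2 or buf[0] != 0x02:
        raise ValueError("wrong tag: expected ASN.1 INTEGER (0x02)")
    if buf[1] < 0x80:                       # short-form length
        length, off = buf[1], 2
    else:                                   # long-form length: 0x80|n, then n bytes
        n = buf[1] & 0x7F
        if not 0 < n <= 4 or len(buf) < 2 + n or buf[2] == 0:
            raise ValueError("bad or non-minimal length encoding")
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        if length < 0x80:
            raise ValueError("long form used for a short length")
    content = buf[off:off + length]
    if len(content) != length or off + length != len(buf):
        raise ValueError("length does not match buffer (truncated or trailing bytes)")
    if length > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal integer content")
    return int.from_bytes(content, "big", signed=True)

def classify_dh_public_value(octets: bytes) -> str:
    # 'asn1_integer' only if the whole buffer is exactly one DER INTEGER;
    # a raw magnitude that happens to start with 0x02 fails the length check.
    try:
        der_decode_integer(octets)
        return "asn1_integer"
    except ValueError:
        return "raw_bn2bin"

def raw_to_der(octets: bytes) -> bytes:
    """Re-encode a BN_bn2bin-style magnitude as the DER INTEGER the peer parses."""
    return der_encode_integer(int.from_bytes(octets, "big"))
```

Feeding the dh1 bytes from a capture of the failing handshake to classify_dh_public_value shows which encoding each implementation puts on the wire, which is the fact this thread is trying to establish.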
Mario-DL commented 1 year ago

Hi @husnaini798,

Fast-DDS implements the OMG DDS Security Standard Specification. The issue may have to do with some formatting or missing tags. Please re-check it against the proposed examples and templates found there.

JesusPoderoso commented 1 year ago

According to our CONTRIBUTING.md guidelines, I am closing this issue due to inactivity. Please, feel free to reopen it if necessary.