Closed sumit1dec closed 2 weeks ago
Hi @sumit1dec, thanks for reporting. However, the report is about IoT Server, hence it is better to report it on the respective project.
This repository is for Identity Server [1].
This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!
I was trying to implement Mutual SSL communication between the Device (Client) and the WSO2 IoT Server version 3.3.0.
PART1:
For mutual authentication to happen, it was required to upload the client certificate to the server (Certificate upload UI) in the Certificate tab under Settings. On upload, the below-mentioned API gets called: (/admin/certificates)
This saves the certificate details in the "WSO2DM_DB" DB under the "DM_DEVICE_CERTIFICATE" table. While saving the certificate in the DB, it converts the CN value of the certificate serialNumber like this: “
certificate.setSerial(x509Certificate.getSerialNumber().toString());
”. Here is the screenshot of the code in “CertificateManagementAdminServiceImpl.java”:
This results in the certificate being stored in the above-mentioned table, which looks like this:
PART2:
When the mutual authentication is in action, the client sends its certificate after “ServerHelloDone”.
Now, when the client sends its certificate, the WSO2 code extracts the CN value of the certificate in the below-mentioned code in AuthenticationHandler.java:
The “getCommonName” method trims the “CN=” by splitting the value passed to the method and returns only the value of the CN.
Thereafter, it compares the CN value of the client certificate (returned by the above method) with the serial number of the uploaded certificate, without converting it into the format it was converted to during upload.
FAIL1:
Taking the above example, if the client certificate CN value is “CN=testCN”, the code compares the value “testCN” with the converted serial number in the DB, and they fail to match even though the CN value in both cases (during upload and on receiving the client certificate) is the same. In the below-mentioned code, the serialNumber that is getting passed is “testCN”, and it is failing to match the query on the DB:
FAIL2: Just to test my scenario for Mutual SSL, I tried doing a manual update to the above-mentioned table to store the CN value without conversion. Now the DB has “testCN” as the serialNumber value. In this case also, when the client certificate is passed, the “getCommonName” method trims the value “CN=testCN” into “testCN” and passes the result to the “verifyCertificateDN” method in CertificateGenerator.java.
The distinguishedName passed over here is “testCN”, and it checks whether it contains a string with the “/CN=” value (which the code has trimmed out in the getCommonName method).
It goes to the else block and fails with an LDAP exception.
What I did not understand is: why is the above method looking for the string “/CN=” when it has trimmed out that value in the “getCommonName” method?
Thus, in this case also, the code is failing to execute Mutual Authentication even though the uploaded certificate and the certificate passed by the client are the same. Once they match, everything will be achieved.
Please suggest if I am doing something wrong here. Or do we need to modify the existing WSO2 code to achieve the right comparison of the certificates?
While debugging the entire flow of Mutual SSL, we made the observations about the code that I have mentioned above.
Thank You
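As an added illustration, not code from this issue or from the WSO2 IoT Server code base, the Go program below models the two lookups the report contrasts: an enrollment store whose key is the decimal string of the certificate serial number (what the report says the upload path saves), and a verification path that looks up the client certificate by its CN string, which can never hit that column. The in-memory store, the record fields and the self-signed test certificate are constructed assumptions. The CN extractor accepts both the comma-separated RFC 2253 form ("CN=testCN,O=...") and the slash-separated OpenSSL form ("/O=.../CN=testCN"), which is the only form a “/CN=” substring check can succeed on, and a SHA-256 fingerprint lookup is included as the binding a practitioner would normally prefer to CN matching, since two devices can present certificates with the same CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EnrolledCert is an assumed row shape for an uploaded client certificate:
// the decimal serial string plus a SHA-256 fingerprint of the DER bytes.
type EnrolledCert struct {
	Serial      string
	Fingerprint string
}

// Store is an in-memory stand-in for a device-certificate table (assumption).
type Store struct {
	bySerial      map[string]EnrolledCert
	byFingerprint map[string]EnrolledCert
}

func NewStore() *Store {
	return &Store{bySerial: map[string]EnrolledCert{}, byFingerprint: map[string]EnrolledCert{}}
}

// Fingerprint is lowercase hex SHA-256 over the DER-encoded certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Enroll mirrors the upload path: the stored key is serialNumber as a decimal string.
func (s *Store) Enroll(cert *x509.Certificate) EnrolledCert {
	rec := EnrolledCert{Serial: cert.SerialNumber.String(), Fingerprint: Fingerprint(cert)}
	s.bySerial[rec.Serial] = rec
	s.byFingerprint[rec.Fingerprint] = rec
	return rec
}

// CommonName returns the CN attribute from either an RFC 2253 DN ("CN=x,O=y")
// or an OpenSSL-style slash DN ("/O=y/CN=x"); "" if no CN= attribute is present.
// Attribute values containing an escaped separator are not handled (naive split).
func CommonName(dn string) string {
	parts := strings.Split(dn, ",")
	if strings.HasPrefix(dn, "/") {
		parts = strings.Split(dn[1:], "/")
	}
	for _, part := range parts {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(part, "CN=") {
			return strings.TrimPrefix(part, "CN=")
		}
	}
	return ""
}

// LookupByCNAsSerial reproduces the mismatch described in the report: the lookup
// key is the CN string, but the column holds the decimal serial number.
func (s *Store) LookupByCNAsSerial(cert *x509.Certificate) bool {
	_, ok := s.bySerial[CommonName(cert.Subject.String())]
	return ok
}

// LookupBySerial applies the same transformation at lookup that Enroll applied at storage.
func (s *Store) LookupBySerial(cert *x509.Certificate) bool {
	_, ok := s.bySerial[cert.SerialNumber.String()]
	return ok
}

// LookupByFingerprint binds the device to the exact certificate bytes, so another
// certificate that merely reuses the same CN does not match.
func (s *Store) LookupByFingerprint(cert *x509.Certificate) bool {
	_, ok := s.byFingerprint[Fingerprint(cert)]
	return ok
}

// MintClientCert builds a constructed self-signed client certificate for testing.
func MintClientCert(cn string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Devices"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	store := NewStore()
	uploaded, _ := MintClientCert("testCN", 123456789)
	rec := store.Enroll(uploaded)
	fmt.Printf("stored serial=%s, presented CN=%s\n", rec.Serial, CommonName(uploaded.Subject.String()))
	fmt.Println("lookup with CN as serial key:", store.LookupByCNAsSerial(uploaded))
	fmt.Println("lookup with serial string:   ", store.LookupBySerial(uploaded))
	fmt.Println("lookup with fingerprint:     ", store.LookupByFingerprint(uploaded))
	impostor, _ := MintClientCert("testCN", 987654321) // same CN, different key and serial
	fmt.Println("impostor by fingerprint:     ", store.LookupByFingerprint(impostor))
}
```

Running it shows the first lookup failing and the second succeeding with the same certificate, which is the FAIL1 situation; the bare value "testCN" yields no CN from CommonName at all, which is why a “/CN=” check on it cannot pass in the FAIL2 situation.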