def securityContextLookup(self, kid):
kidBuf = u.str2buf(kid)
eui64 = kidBuf[:-1]
senderID = eui64 + [0x01] # sender ID of JRC is reversed
recipientID = eui64 + [0x00]
# if eui-64 is found in the list of joined nodes, return the appropriate context
# this is important for replay protection
for dict in self.joinResource.joinedNodes:
if dict['eui64'] == u.buf2str(eui64):
log.info(
"Node {0} found in joinedNodes. Returning context {1}.".
format(binascii.hexlify(dict['eui64']),
str(dict['context'])))
return dict['context']
# if eui-64 is not found, create a new tentative context but only add it to the list of joined nodes in the GET
# handler of the join resource
context = oscoap.SecurityContext(
masterSecret=self.MASTERSECRET,
senderID=u.buf2str(senderID),
recipientID=u.buf2str(recipientID),
aeadAlgorithm=oscoap.AES_CCM_16_64_128())
log.info(
"Node {0} not found in joinedNodes. Instantiating new context based on the master secret."
.format(binascii.hexlify(u.buf2str(eui64))))
return context
def securityContextLookup(self, kid):
kidBuf = u.str2buf(kid)
eui64 = kidBuf[:-1]
senderID = eui64 + [0x01] # sender ID of JRC is reversed
recipientID = eui64 + [0x00]
# if eui-64 is found in the list of joined nodes, return the appropriate context
# this is important for replay protection
for dict in self.joinResource.joinedNodes:
if dict['eui64'] == u.buf2str(eui64):
log.info("Node {0} found in joinedNodes. Returning context {1}.".format(binascii.hexlify(dict['eui64']),
str(dict['context'])))
return dict['context']
# if eui-64 is not found, create a new tentative context but only add it to the list of joined nodes in the GET
# handler of the join resource
context = oscoap.SecurityContext(masterSecret=self.MASTERSECRET,
senderID=u.buf2str(senderID),
recipientID=u.buf2str(recipientID),
aeadAlgorithm=oscoap.AES_CCM_16_64_128())
log.info("Node {0} not found in joinedNodes. Instantiating new context based on the master secret.".format(
binascii.hexlify(u.buf2str(eui64))))
return context
def _encodeCompressedCOSE(partialIV, kid, ciphertext):
buffer = []
if kid:
kidFlag = 1
else:
kidFlag = 0
buffer += [kidFlag << 3 | len(partialIV)] # flag byte
if partialIV:
buffer += u.str2buf(partialIV)
if kid:
buffer += [len(kid)]
buffer += u.str2buf(kid)
buffer += u.str2buf(ciphertext)
return buffer
def __init__(self):
self.joinedNodes = []
#self.networkKey = u.str2buf(os.urandom(16)) # random key every time OpenVisualizer is initialized
self.networkKey = u.str2buf(binascii.unhexlify('11111111111111111111111111111111')) # value of K1/K2 from 6TiSCH TD
self.networkKeyIndex = 0x01 # L2 key index
# initialize parent class
coapResource.coapResource.__init__(
self,
path = 'j',
)
self.addSecurityBinding((None, [d.METHOD_POST])) # security context should be returned by the callback
def __init__(self):
self.joinedNodes = []
self.networkKey = u.str2buf(os.urandom(
16)) # random key every time OpenVisualizer is initialized
self.networkKeyIndex = 0x01 # L2 key index
# initialize parent class
coapResource.coapResource.__init__(
self,
path='j',
)
self.addSecurityBinding(
(None, [d.METHOD_POST
])) # security context should be returned by the callback
def unprotectMessage(context,
version,
code,
options=[],
ciphertext=[],
partialIV=None):
'''
\brief A function which verifies and decrypts the incoming CoAP message using OSCOAP.
This function verifies the incoming CoAP message determined by input parameters according to
draft-ietf-core-object-security-03.
\param[in] Security context to use to verify+decrypt the outgoing message.
\param[in] version CoAP version field of the incoming message.
\param[in] code CoAP code field of the incoming message.
\param[in] options A list of 'outer' options that are not encrypted.
\param[in] ciphertext Ciphertext of the incoming CoAP message.
\param[in] partialIV In case of request, partialIV corresponds to the one parsed from the message. In case
of response, it corresponds to the appropriate partialIV used in request. Expected string of length given
by the context algorithm.
\return A tuple with the following elements:
- element 0 is the list of inner (encrypted) CoAP options.
- element 1 is the decrypted payload.
'''
assert objectSecurityOptionLookUp(options)
(optionsClassE, optionsClassI, optionsClassU) = _splitOptions(options)
if optionsClassE:
raise e.messageFormatError(
'invalid oscoap message. E-class option present in the outer message'
)
if _isRequest(code):
requestKid = context.recipientID
if not context.replayWindowLookup(u.buf2int(u.str2buf(partialIV))):
raise e.oscoapError('Replay protection failed')
else:
requestKid = context.senderID
if isinstance(partialIV, str):
partialIV = partialIV.encode(encoding='utf-8')
#print(type(partialIV))
#print(partialIV)
requestSeq = partialIV.lstrip(b'\0')
aad = _constructAAD(version, code, u.buf2str(encodeOptions(optionsClassI)),
context.aeadAlgorithm.value, requestKid, requestSeq)
# construct nonce
if _isRequest(code): # verifying request
nonce = u.xorStrings(context.recipientIV, partialIV)
else: # verifying response
nonce = u.xorStrings(u.flipFirstBit(context.recipientIV), partialIV)
try:
plaintext = context.aeadAlgorithm.authenticateAndDecrypt(
aad=aad,
ciphertext=u.buf2str(ciphertext),
key=context.recipientKey,
nonce=nonce)
except e.oscoapError:
raise
if _isRequest(code):
context.replayWindowUpdate(u.buf2int(u.str2buf(partialIV)))
# returns a tuple (innerOptions, payload)
return decodeOptionsAndPayload(u.str2buf(plaintext))