Comments (8)
Hi @Krolken,
Thank you for your interest.
libmbedtls
has some support for this, see
mbedtls_ssl_conf_psk and mbedtls_ssl_conf_psk_cb.
Could you check with the documentation linked above whether this is what you are looking for?
from python-mbedtls.
mbedtls_ssl_conf_psk_cb seems to be what I need since I am interested in making a DTLS server. But maybe it is also good to implement the client side with mbedtls_ss_conf_psk to be able to test the server implementation.
I guess _BaseConfiguration
is where it could be added. What is you opinion on API?
Just add it as another kwarg and always prefer PSK over cert if specified? Since the configuration is done on the context I guess not much more needs to be changed in the handshake procedure.
It would be nice to keep it callback based so that it is possible to implement an external PSK store.
For example it can be OK to store in memory from config for a few fixed PSK but when you have thousands of PSKs that are changed over time it would get annoying to stop the server and add the new PSKs. On the top of my head I think I would implement a store with a simple redis backend which would fit in nicely with device management.
Example: callback
# psk_identity in ClientKeyExange seems to be an UTF8 encoded string"
def my_psk_callback(psk_identity: str)-> Union[byte, None]:
my_psks = {'client1': b'verysecretkey', 'client2': b'alsoverysecret'}
return my_psks.get(psk_identity, None)
dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(get_psk_callback=my_psk_callback))
It might also be easy for people of there where a simple way to quickly add some psks so
it could also be a solution to just be able to add a dict as keystore.
dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(psk_store={'client1': b'verysecretkey', 'client2': b'alsoverysecret'}))
Alt always provide a PskStore object and then override get_psk to add external store
class PskStore:
# inherit from DIct instead?
def __init__(self, psk_map)
self.psk_map = psk_map
def get_psk(psk_identity):
return self.psk_map.get(psk_identity, None)
dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(psk_store=PskStore({'client1': b'verysecretkey', 'client2': b'alsoverysecret'}))
from python-mbedtls.
@Krolken : I agree with pretty much everything you write above.
Would you prepare a pull request? If so:
- Regarding the callback interface: you will need a wrapper as the callbacks need to go down to C.
- Please write unit tests and tests that exemplify usage.
- CI is still running on 2.7 and 3.4+. You may break 3.4 but not 2.7.
- If you want type hints, I would prefer them in stub files for the moment. Inline would break 2.7 and I do not like comments...
- Also, the CI does not currently run mypy and I do not know how well mypy plays with cython.
Otherwise, I would happily support this feature but I cannot promise doing it in a timely fashion.
from python-mbedtls.
Hi @Krolken,
I have drafted something now and I would rather expose two configuration options only and keep the callback an implementation detail on the C side.
The two options are the key for the client and a store for the server. The key must be a two-tuple with an identifier and the PSK. The store must have the Sequence
protocol, that is __len__()
and __getitem__()
and map identifiers to PSKs.
This way, the store may be a dict as you suggested for the simplest case or a database as well. Users may need to write some glue but implementing two methods is not much.
In the end, it is like your class PskStore
.
Now I have to make sure it actually works 😉
from python-mbedtls.
Mapping
type makes more sense than Sequence
. I have pushed my draft to https://github.com/Synss/python-mbedtls/tree/issue_29
now. Maybe it works already, maybe not. I need more tests.
Also note that this is a temporary branch and I allow myself to change the history in that case. You may want to be careful if you fetch the branch (or just let me know and I will try to be more careful).
You can have a look anyway.
from python-mbedtls.
I have added tests and fixed a bug in the callback. The latest version is once more in the issue_29
branch. I still have to document the feature before releasing.
Anyway, now it should work. Feedback is welcome.
from python-mbedtls.
Hi.
Thanks for taking the time. And sorry for my late reponse. I have been bogged down in some other issues.
I agree that Mapping seems more appropriate than Sequence. I am looking into using DLTS for IoT use cases and it can become a lot of devices and keys to keep track of.
I will receive some test devices hopefully next week and can see if the DTLS works with them. I'll try and make a simple socketserver using the psk implementation and see what happens.
My end goal is to have a proper CoAP server that is implemented similar to HTTP servers so I can build out LWM2M functionality on top of CoAP. I had to use the Java implementation Leshan to keep the project going further and wrap it an a RPC-interface so I can build my device management in Python. But I would rather use python all the way.
And if this works I guess the next step is to get it to work with asyncio. Just trying to get my head around asyncio ssl_proto gave me a headache...
from python-mbedtls.
Hi,
Your project looks interesting as well! If you go that far, you can most likely use python-mbedtls
in asyncio.
Anyway, PSK is in master now. So this issue is closed.
Feel free to report bugs, your success, or submit patches here!
from python-mbedtls.
Related Issues (20)
- Possibility to change mbedtls_ssl_conf_read_timeout HOT 7
- Chunking while sending more than 1024B data during handshake HOT 5
- TLS error when running client.py and server.py HOT 2
- server.py and client.py still have bugs when running on the Ubuntu system. HOT 2
- DTLSConnection Id Support HOT 1
- Vulnerable shared libraries might make python-mbedtls vulnerable. Can you help upgrade to patch versions? HOT 3
- won't install/compile HOT 1
- fails to run HOT 2
- error control nb args HOT 1
- Executing server.py gives:
- server.py error HOT 2
- Tests fail if mbedtls built without ARIA support HOT 1
- Issue with loading private keys and trailing null bytes HOT 4
- AES GCM 128 and 256 fails TAG test vector HOT 2
- Provide an example of DTLS server and client with certificates instead of PSK HOT 14
- Possibility to change MTU (max_frag_len) fragmentation size. HOT 8
- TLSWrappedSocket.shutdown(int) does not send DTLS Alert Close Notify message (mbedtls_ssl_close_notify) HOT 4
- Python handle of "record from another epoch: expected 1, received 0" HOT 4
- test_version() test fails due to Mbed TLS spelling change HOT 2
- Random error in HelloVerifyRequest() HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from python-mbedtls.