
Use of PSK for DTLS (python-mbedtls, closed)

Krolken commented on June 1, 2024
Use of PSK for DTLS

from python-mbedtls.

Comments (8)

Synss commented on June 1, 2024

Hi @Krolken,

Thank you for your interest.

libmbedtls has some support for this, see
mbedtls_ssl_conf_psk and mbedtls_ssl_conf_psk_cb.

Could you check with the documentation linked above whether this is what you are looking for?

Krolken commented on June 1, 2024

mbedtls_ssl_conf_psk_cb seems to be what I need since I am interested in making a DTLS server. But maybe it is also good to implement the client side with mbedtls_ssl_conf_psk to be able to test the server implementation.

I guess _BaseConfiguration is where it could be added. What is your opinion on the API?
Just add it as another kwarg and always prefer PSK over cert if specified? Since the configuration is done on the context, I guess not much more needs to be changed in the handshake procedure.

It would be nice to keep it callback based so that it is possible to implement an external PSK store.
For example, it can be OK to store in memory from config for a few fixed PSKs, but when you have thousands of PSKs that are changed over time it would get annoying to stop the server and add the new PSKs. Off the top of my head, I think I would implement a store with a simple redis backend, which would fit in nicely with device management.

Example: callback

from typing import Union

from mbedtls import tls


# psk_identity in ClientKeyExchange seems to be a UTF-8 encoded string
def my_psk_callback(psk_identity: str) -> Union[bytes, None]:
    my_psks = {'client1': b'verysecretkey', 'client2': b'alsoverysecret'}
    return my_psks.get(psk_identity, None)


# get_psk_callback is the keyword proposed in this comment
dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(get_psk_callback=my_psk_callback))

It might also be easier for people if there were a simple way to quickly add some PSKs, so
it could also be a solution to just be able to add a dict as keystore.

dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(psk_store={'client1': b'verysecretkey', 'client2': b'alsoverysecret'}))

Alternatively, always provide a PskStore object and then override get_psk to add an external store:

class PskStore:
    # inherit from dict instead?
    def __init__(self, psk_map):
        self.psk_map = psk_map

    def get_psk(self, psk_identity):
        return self.psk_map.get(psk_identity, None)


dtls_srv_ctx = tls.ServerContext(tls.DTLSConfiguration(psk_store=PskStore({'client1': b'verysecretkey', 'client2': b'alsoverysecret'})))

Synss commented on June 1, 2024

@Krolken : I agree with pretty much everything you write above.

Would you prepare a pull request? If so:

  • Regarding the callback interface: you will need a wrapper as the callbacks need to go down to C.
  • Please write unit tests and tests that exemplify usage.
  • CI is still running on 2.7 and 3.4+. You may break 3.4 but not 2.7.
  • If you want type hints, I would prefer them in stub files for the moment. Inline would break 2.7 and I do not like comments...
  • Also, the CI does not currently run mypy and I do not know how well mypy plays with cython.

Otherwise, I would happily support this feature but I cannot promise doing it in a timely fashion.

Synss commented on June 1, 2024

Hi @Krolken,

I have drafted something now and I would rather expose two configuration options only and keep the callback an implementation detail on the C side.

The two options are the key for the client and a store for the server. The key must be a two-tuple with an identifier and the PSK. The store must have the Sequence protocol, that is __len__() and __getitem__() and map identifiers to PSKs.

This way, the store may be a dict as you suggested for the simplest case or a database as well. Users may need to write some glue but implementing two methods is not much.

In the end, it is like your class PskStore.

Now I have to make sure it actually works 😉

Synss commented on June 1, 2024

Mapping type makes more sense than Sequence. I have pushed my draft to https://github.com/Synss/python-mbedtls/tree/issue_29 now. Maybe it works already, maybe not. I need more tests.

Also note that this is a temporary branch and I allow myself to change the history in that case. You may want to be careful if you fetch the branch (or just let me know and I will try to be more careful).

You can have a look anyway.

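Added example, not part of the thread or of python-mbedtls: a store with the Mapping protocol backed by a database, so that PSKs can be rotated or revoked without restarting the server, as the comments above discuss. SQLite stands in for the external backend; the table layout, class name and length limits are assumptions.

```python
import sqlite3
from collections.abc import Mapping

MIN_PSK_LEN = 16        # bytes; assumed local policy
MAX_IDENTITY_LEN = 128  # characters; assumed local policy
# A row is usable only if it is not revoked and its key is long enough.
USABLE = "revoked = 0 AND length(psk) >= ?"


class SqlitePskStore(Mapping):
    """Read-only identity -> PSK mapping that hits the database on every lookup."""

    def __init__(self, conn):
        self._conn = conn

    def __getitem__(self, identity):
        # Assumption: the caller may hand over the identity as bytes or str.
        if isinstance(identity, bytes):
            try:
                identity = identity.decode("utf-8")
            except UnicodeDecodeError:
                raise KeyError(identity) from None
        if not isinstance(identity, str) or not 0 < len(identity) <= MAX_IDENTITY_LEN:
            raise KeyError(identity)
        row = self._conn.execute(
            "SELECT psk FROM psk WHERE identity = ? AND " + USABLE,
            (identity, MIN_PSK_LEN)).fetchone()
        if row is None:
            raise KeyError(identity)  # unknown, revoked or weak key: no match
        return bytes(row[0])

    def __iter__(self):
        rows = self._conn.execute(
            "SELECT identity FROM psk WHERE " + USABLE, (MIN_PSK_LEN,))
        return iter([r[0] for r in rows.fetchall()])

    def __len__(self):
        return self._conn.execute(
            "SELECT COUNT(*) FROM psk WHERE " + USABLE, (MIN_PSK_LEN,)).fetchone()[0]


def demo_store():
    """Constructed sample data: one usable key and one below MIN_PSK_LEN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE psk (identity TEXT PRIMARY KEY, psk BLOB,"
                 " revoked INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO psk (identity, psk) VALUES (?, ?)",
                     [("client1", bytes(range(16))), ("client2", b"short")])
    return conn, SqlitePskStore(conn)
```

Because nothing is cached, a key updated or revoked in the table takes effect at the next handshake lookup.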

Synss commented on June 1, 2024

I have added tests and fixed a bug in the callback. The latest version is once more in the issue_29 branch. I still have to document the feature before releasing.

Anyway, now it should work. Feedback is welcome.

Krolken commented on June 1, 2024

Hi.
Thanks for taking the time. And sorry for my late response. I have been bogged down in some other issues.

I agree that Mapping seems more appropriate than Sequence. I am looking into using DTLS for IoT use cases and it can become a lot of devices and keys to keep track of.

I will receive some test devices hopefully next week and can see if the DTLS works with them. I'll try and make a simple socketserver using the psk implementation and see what happens.

My end goal is to have a proper CoAP server that is implemented similarly to HTTP servers so I can build out LWM2M functionality on top of CoAP. I had to use the Java implementation Leshan to keep the project going further and wrap it in an RPC interface so I can build my device management in Python. But I would rather use Python all the way.
And if this works I guess the next step is to get it to work with asyncio. Just trying to get my head around asyncio ssl_proto gave me a headache...

Synss commented on June 1, 2024

Hi,

Your project looks interesting as well! If you go that far, you can most likely use python-mbedtls in asyncio.

Anyway, PSK is in master now. So this issue is closed.

Feel free to report bugs, your success, or submit patches here!
