diff --git a/examples/connext_dds/network_capture/03_security/c/USER_QOS_PROFILES.xml b/examples/connext_dds/network_capture/03_security/c/USER_QOS_PROFILES.xml index 3e5de2f84..b0ca0098c 100644 --- a/examples/connext_dds/network_capture/03_security/c/USER_QOS_PROFILES.xml +++ b/examples/connext_dds/network_capture/03_security/c/USER_QOS_PROFILES.xml @@ -10,9 +10,9 @@ use the software. --> + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_qos_profiles.xsd"> - + @@ -21,20 +21,41 @@ file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_certificate - file:security/ecdsa01/certs/peer1_cert.pem - - - dds.sec.auth.private_key - file:security/ecdsa01/certs/peer1_key.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_Governance.p7s dds.sec.access.permissions_ca file:security/ecdsa01/certs/ca_cert.pem - dds.sec.access.governance - file:security/ecdsa01/xml/signed/signed_Governance.p7s + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + + + + + + + network_capture_Library::network_capture_ProfileMonitor + + + + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer1_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer1_key.pem dds.sec.access.permissions @@ -72,5 +93,37 @@ + + + network_capture_Library::network_capture_ProfileCommon + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s + + + + + diff --git a/examples/connext_dds/network_capture/04_advanced_api/c/USER_QOS_PROFILES.xml b/examples/connext_dds/network_capture/04_advanced_api/c/USER_QOS_PROFILES.xml index 3e5de2f84..bd328a426 100644 
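Review bot: The `dds.sec.crypto.rtps_psk_secret_passphrase` property added to the common profile in the `@@ -21,20 +21,41 @@` hunk is checked in with the literal placeholder `data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED` and no comment saying that it is a placeholder, that it is public in this repository, or that it presumably has to carry the same value on every participant and on the Cloud Discovery Service (L3 sets the identical value in CLOUD_DISCOVERY_SERVICE.xml for that reason). The same literal is added to the 04_advanced_api profile on L2, the real_time_wan_transport profiles on L3/L4, the certificate_revocation_list profile on L8, the dynamic_permissions profile on L11 and both lightweight profiles on L15/L16, so anyone copying one of these files keeps a pre-shared key seed that anyone can read. I would put an XML comment directly above the property in each file: `<!-- Placeholder PSK seed; it is public and shared by every example profile and by CLOUD_DISCOVERY_SERVICE.xml. Replace it with a per-deployment secret (the same value on every participant) before using this configuration outside the example. -->`. The participant_qos element these properties belong to starts before the hunk.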
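Review bot: The new `network_capture_ProfileMonitor` profile in the `@@ -72,5 +93,37 @@` hunk points at `security/ecdsa01/certs/peerM_cert.pem`, `peerM_key.pem` and `signed_PermissionsM.p7s`, yet nothing in this diff produces those artifacts for this example; only the certificate_revocation_list example gets a `ParticipantM` certificate and permissions grant (L9/L10). Presumably the shared `connextdds_generate_security_artifacts()` used on L13 emits a peerM identity and a PermissionsM document, but that is worth confirming, because otherwise the monitoring participant cannot load its identity at startup. The same profile, with identical paths and the `8192`/`40` settings whose element names are not visible in this rendering, is duplicated in the 04_advanced_api (L2), real_time_wan_transport (L5), dynamic_permissions (L12) and lightweight (L16) profiles; a shared snippet, or at least a comment such as `<!-- peerM identity and PermissionsM are generated by connextdds_generate_security_artifacts() -->`, would keep the copies from drifting.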
--- a/examples/connext_dds/network_capture/04_advanced_api/c/USER_QOS_PROFILES.xml +++ b/examples/connext_dds/network_capture/04_advanced_api/c/USER_QOS_PROFILES.xml @@ -10,9 +10,9 @@ use the software. --> + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_qos_profiles.xsd"> - + @@ -21,20 +21,41 @@ file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_certificate - file:security/ecdsa01/certs/peer1_cert.pem - - - dds.sec.auth.private_key - file:security/ecdsa01/certs/peer1_key.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_Governance.p7s dds.sec.access.permissions_ca file:security/ecdsa01/certs/ca_cert.pem - dds.sec.access.governance - file:security/ecdsa01/xml/signed/signed_Governance.p7s + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + + + + + + + network_capture_Library::network_capture_ProfileMonitor + + + + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer1_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer1_key.pem dds.sec.access.permissions @@ -72,5 +93,37 @@ + + + network_capture_Library::network_capture_ProfileCommon + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s + + + + + diff --git a/examples/connext_dds/real_time_wan_transport/c++98/CLOUD_DISCOVERY_SERVICE.xml b/examples/connext_dds/real_time_wan_transport/c++98/CLOUD_DISCOVERY_SERVICE.xml index 4cc6e5b03..ec7a27bb1 100644 --- a/examples/connext_dds/real_time_wan_transport/c++98/CLOUD_DISCOVERY_SERVICE.xml +++ b/examples/connext_dds/real_time_wan_transport/c++98/CLOUD_DISCOVERY_SERVICE.xml 
@@ -58,12 +58,8 @@ - com.rti.serv.secure.authentication.participant_discovery_protection_key - str:key1 - - - com.rti.serv.secure.cryptography.rtps_protection_key - str:key0 + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED diff --git a/examples/connext_dds/real_time_wan_transport/c++98/USER_QOS_PROFILES.xml b/examples/connext_dds/real_time_wan_transport/c++98/USER_QOS_PROFILES.xml index 5360194b6..119d3afd3 100644 --- a/examples/connext_dds/real_time_wan_transport/c++98/USER_QOS_PROFILES.xml +++ b/examples/connext_dds/real_time_wan_transport/c++98/USER_QOS_PROFILES.xml @@ -1,6 +1,6 @@ + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_qos_profiles.xsd"> - + + + + + RWT_Library::Monitor_Security + + + + + + UDPv4_WAN 
@@ -47,50 +57,65 @@ - + - + BuiltinQosSnippetLib::Feature.Security.Enable - + - + - dds.sec.auth.identity_ca - file:security/ecdsa01/certs/ca_cert.pem + dds.sec.auth.identity_ca + file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_certificate - file:security/ecdsa01/certs/peer1_cert.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_Governance.p7s - dds.sec.auth.private_key - file:security/ecdsa01/certs/peer1_key.pem + dds.sec.access.permissions_ca + file:security/ecdsa01/certs/ca_cert.pem - dds.sec.access.permissions_ca - file:security/ecdsa01/certs/ca_cert.pem + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + + + + + + RWT_Library::security_Common + + + + + - dds.sec.access.governance - file:security/ecdsa01/xml/signed/signed_Governance.p7s + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer1_cert.pem - dds.sec.access.permissions - file:security/ecdsa01/xml/signed/signed_Permissions1.p7s + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer1_key.pem - com.rti.serv.secure.cryptography.rtps_protection_key - str:key0 + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_Permissions1.p7s @@ -101,16 +126,12 @@ - BuiltinQosSnippetLib::Feature.Security.Enable + RWT_Library::security_Common - - dds.sec.auth.identity_ca - file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_certificate file:security/ecdsa01/certs/peer2_cert.pem 
@@ -119,40 +140,47 @@ dds.sec.auth.private_key file:security/ecdsa01/certs/peer2_key.pem - - dds.sec.access.permissions_ca - file:security/ecdsa01/certs/ca_cert.pem - - - dds.sec.access.governance - file:security/ecdsa01/xml/signed/signed_Governance.p7s - dds.sec.access.permissions file:security/ecdsa01/xml/signed/signed_Permissions2.p7s - - com.rti.serv.secure.cryptography.rtps_protection_key - str:key0 - - - - - - - - com.rti.serv.secure.authentication.participant_discovery_protection_key - str:key1 - - - - - + + + RWT_Library::security_Common + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s + + + + + @@ -230,7 +258,6 @@ Publisher_Security_Snippet - Security_Participant_Key_Snippet @@ -239,7 +266,6 @@ Subscriber_Security_Snippet - Security_Participant_Key_Snippet diff --git a/examples/connext_secure/cds/c++11/CDS_publisher.cxx b/examples/connext_secure/cds/c++11/CDS_publisher.cxx index 093c27e88..7ce4cd08f 100644 --- a/examples/connext_secure/cds/c++11/CDS_publisher.cxx +++ b/examples/connext_secure/cds/c++11/CDS_publisher.cxx @@ -31,7 +31,7 @@ void run_publisher_application( dds::domain::DomainParticipant participant( domain_id, dds::core::QosProvider::Default().participant_qos( - "lite_library::lite_peer")); + "library_cds::peer")); // Create a Topic with a name and a datatype dds::topic::Topic topic(participant, "CDS LWS Example"); diff --git a/examples/connext_secure/cds/c++11/CDS_subscriber.cxx b/examples/connext_secure/cds/c++11/CDS_subscriber.cxx index 752776601..6cb701a98 100644 --- a/examples/connext_secure/cds/c++11/CDS_subscriber.cxx +++ b/examples/connext_secure/cds/c++11/CDS_subscriber.cxx 
@@ -46,7 +46,7 @@ void run_subscriber_application( dds::domain::DomainParticipant participant( domain_id, dds::core::QosProvider::Default().participant_qos( - "lite_library::lite_peer")); + "library_cds::peer")); // Create a Topic with a name and a datatype dds::topic::Topic topic(participant, "CDS LWS Example"); diff --git a/examples/connext_secure/cds/c++11/CMakeLists.txt b/examples/connext_secure/cds/c++11/CMakeLists.txt index 40f190534..e52fcdb42 100644 --- a/examples/connext_secure/cds/c++11/CMakeLists.txt +++ b/examples/connext_secure/cds/c++11/CMakeLists.txt @@ -17,6 +17,19 @@ list(APPEND CMAKE_MODULE_PATH include(ConnextDdsConfigureCmakeUtils) connextdds_configure_cmake_utils() +find_package(RTIConnextDDS + "7.0.0" + REQUIRED + COMPONENTS + core + cloud_discovery_service +) + +if(NOT TARGET RTIConnextDDS::cloud_discovery_service_c) + message(WARNING "RTIConnextDDS::cloud_discovery_service component is missing. Skipping example") + return() +endif() + # Include ConnextDdsAddExample.cmake from resources/cmake include(ConnextDdsAddExample) @@ -25,5 +38,4 @@ connextdds_add_example( LANG "C++11" ) -file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}") file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/../cds.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}") diff --git a/examples/connext_secure/cds/c++11/USER_QOS_PROFILES.xml b/examples/connext_secure/cds/c++11/USER_QOS_PROFILES.xml index fb960f9df..0668d4b79 100644 --- a/examples/connext_secure/cds/c++11/USER_QOS_PROFILES.xml +++ b/examples/connext_secure/cds/c++11/USER_QOS_PROFILES.xml @@ -16,10 +16,9 @@ to use the software. --> A QoS library is a named set of QoS profiles. --> - + - UDPv4 @@ -33,12 +32,9 @@ to use the software. --> - - - - + @@ -68,9 +64,19 @@ to use the software. --> - + + + + + + library_cds::secure_common + + + + + 
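Review bot: In the cds CMakeLists.txt hunk `@@ -17,6 +17,19 @@`, the `if(NOT TARGET RTIConnextDDS::cloud_discovery_service_c)` guard that warns and `return()`s is probably unreachable, because the `find_package(RTIConnextDDS "7.0.0" REQUIRED COMPONENTS core cloud_discovery_service)` just above it makes a missing component fatal at configure time (assuming the RTI find module honours REQUIRED for its components). The warning text also names `RTIConnextDDS::cloud_discovery_service` while the check tests the `_c` target, so one of the two should be corrected. To get the intended skip-the-example behaviour, list the component as optional: `find_package(RTIConnextDDS "7.0.0" REQUIRED COMPONENTS core OPTIONAL_COMPONENTS cloud_discovery_service)`. The same REQUIRED-then-skip pattern is added for `security_plugins` in the lightweight CMakeLists.txt on L12 and the whitelist CMakeLists.txt on L21.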
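Review bot: The cds CMakeLists.txt hunk `@@ -25,5 +38,4 @@` drops `file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}")` while keeping the cds.xml copy, and gives no hint of what now places USER_QOS_PROFILES.xml next to the binaries; the lightweight README on L13 still states, in retained context, that the build process copies USER_QOS_PROFILES.xml into the build directory. If `connextdds_add_example` now performs that copy, a one-line comment such as `# USER_QOS_PROFILES.xml is copied by connextdds_add_example` where the line was removed would stop the next reader from re-adding it; if it does not, the example silently runs with default QoS and no security plugins when launched from the build tree. The same removal happens in the certificate_revocation_list CMakeLists.txt on L7 and the lightweight CMakeLists.txt on L13.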
diff --git a/examples/connext_secure/certificate_revocation_list/c++11/CMakeLists.txt b/examples/connext_secure/certificate_revocation_list/c++11/CMakeLists.txt index 736a28042..f70e2c9fd 100644 --- a/examples/connext_secure/certificate_revocation_list/c++11/CMakeLists.txt +++ b/examples/connext_secure/certificate_revocation_list/c++11/CMakeLists.txt @@ -26,4 +26,3 @@ connextdds_add_example( ) file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/../security/" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/security/") -file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/") diff --git a/examples/connext_secure/certificate_revocation_list/c++11/Crl_publisher.cxx b/examples/connext_secure/certificate_revocation_list/c++11/Crl_publisher.cxx index 9ae5c0cab..93a2b00cd 100644 --- a/examples/connext_secure/certificate_revocation_list/c++11/Crl_publisher.cxx +++ b/examples/connext_secure/certificate_revocation_list/c++11/Crl_publisher.cxx @@ -31,7 +31,7 @@ void run_publisher_application( dds::domain::DomainParticipant participant( domain_id, dds::core::QosProvider::Default().participant_qos( - "full_library::peer1")); + "crl::peer1")); // Create a Topic with a name and a datatype dds::topic::Topic topic(participant, "Crl Example"); diff --git a/examples/connext_secure/certificate_revocation_list/c++11/Crl_subscriber.cxx b/examples/connext_secure/certificate_revocation_list/c++11/Crl_subscriber.cxx index 7f9f25d38..a7afeea18 100644 --- a/examples/connext_secure/certificate_revocation_list/c++11/Crl_subscriber.cxx +++ b/examples/connext_secure/certificate_revocation_list/c++11/Crl_subscriber.cxx @@ -46,7 +46,7 @@ void run_subscriber_application( dds::domain::DomainParticipant participant( domain_id, dds::core::QosProvider::Default().participant_qos( - "full_library::peer2")); + "crl::peer2")); // Create a Topic with a name and a datatype dds::topic::Topic topic(participant, "Crl Example"); 
diff --git a/examples/connext_secure/certificate_revocation_list/c++11/USER_QOS_PROFILES.xml b/examples/connext_secure/certificate_revocation_list/c++11/USER_QOS_PROFILES.xml index 6613cb321..9257066ab 100644 --- a/examples/connext_secure/certificate_revocation_list/c++11/USER_QOS_PROFILES.xml +++ b/examples/connext_secure/certificate_revocation_list/c++11/USER_QOS_PROFILES.xml @@ -12,24 +12,52 @@ to use the software. --> - + - - + + + BuiltinQosSnippetLib::Feature.Security.Enable + + - dds.participant.trust_plugins.key_revision_max_history_depth - 7 + dds.sec.auth.identity_ca + file:security/ca/CaCert.pem - dds.sec.auth.identity_ca - file:./security/ca/CaCert.pem + dds.sec.access.governance + file:security/xml/signed/signed_Governance.p7s - dds.sec.access.permissions_ca - file:./security/ca/CaCert.pem + dds.sec.access.permissions_ca + file:security/ca/CaCert.pem + + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + UDPv4 + + + + + + + + + + crl::monitor + + + + + + + dds.sec.auth.identity_certificate file:./security/identities/ParticipantA/ParticipantA.pem @@ -38,16 +66,12 @@ to use the software. --> dds.sec.auth.private_key file:./security/identities/ParticipantA/ParticipantAKey.pem - - dds.sec.access.governance - file:./security/xml/signed/signed_Governance.p7s - dds.sec.access.permissions file:./security/xml/signed/signed_Permissions.p7s - com.rti.serv.secure.authentication.crl + dds.sec.auth.crl file:./security/ca/CaCrl.crl @@ -65,9 +89,6 @@ to use the software. --> - - UDPv4 - @@ -87,5 +108,38 @@ to use the software. --> + + + + crl::common + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:./security/identities/ParticipantM/ParticipantM.pem + + + dds.sec.auth.private_key + file:./security/identities/ParticipantM/ParticipantMKey.pem + + + dds.sec.access.permissions + file:./security/xml/signed/signed_Permissions.p7s + + + + + 
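Review bot: In the `@@ -12,24 +12,52 @@` hunk the restructured common profile writes its paths as `file:security/ca/CaCert.pem` and `file:security/xml/signed/signed_Governance.p7s`, while the per-participant properties kept from the old file and the new monitor profile in `@@ -87,5 +108,38 @@` still use `file:./security/...`; both forms presumably resolve to the same relative location, but mixing them in one file invites copy-paste mistakes, so I would use the bare `file:security/` form that the other examples in this commit use throughout. The hunk also drops `dds.participant.trust_plugins.key_revision_max_history_depth` (`7`) without a replacement; if that is deliberate because the CRL example no longer exercises key revisions, a short comment or a line in the commit message would save a reviewer from checking whether it was lost in the reshuffle. The participant_qos element these properties belong to continues outside the hunk.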
diff --git a/examples/connext_secure/whitelist/security/identities/ParticipantB/ParticipantB.cnf b/examples/connext_secure/certificate_revocation_list/security/identities/ParticipantM/ParticipantM.cnf similarity index 70% rename from examples/connext_secure/whitelist/security/identities/ParticipantB/ParticipantB.cnf rename to examples/connext_secure/certificate_revocation_list/security/identities/ParticipantM/ParticipantM.cnf index a1f616198..2d2f111de 100644 --- a/examples/connext_secure/whitelist/security/identities/ParticipantB/ParticipantB.cnf +++ b/examples/connext_secure/certificate_revocation_list/security/identities/ParticipantM/ParticipantM.cnf @@ -6,5 +6,5 @@ countryName = US stateOrProvinceName = CA localityName = Santa Clara organizationName = Real Time Innovations -emailAddress = ecdsa01ParticipantB@rti.com -commonName = Whitelist Participant B \ No newline at end of file +emailAddress = ecdsa01ParticipantM@rti.com +commonName = Crl Participant M \ No newline at end of file diff --git a/examples/connext_secure/certificate_revocation_list/security/setup_security.py b/examples/connext_secure/certificate_revocation_list/security/setup_security.py index e941679b9..7bf9a0a54 100644 --- a/examples/connext_secure/certificate_revocation_list/security/setup_security.py +++ b/examples/connext_secure/certificate_revocation_list/security/setup_security.py @@ -17,6 +17,8 @@ "ec_paramgen_curve:prime256v1", "-keyout", "ca/private/CaKey.pem", + "-extensions", + "v3_ca", "-out", "ca/CaCert.pem", "-config", 
@@ -99,6 +101,43 @@ ] ) +subprocess.run( + [ + "openssl", + "req", + "-nodes", + "-new", + "-newkey", + "rsa:2048", + "-config", + "identities/ParticipantM/ParticipantM.cnf", + "-keyout", + "identities/ParticipantM/ParticipantMKey.pem", + "-out", + "identities/ParticipantM/ParticipantM.csr", + ] +) +subprocess.run( + [ + "openssl", + "x509", + "-req", + "-days", + "730", + "-text", + "-CAserial", + "ca/database/CaSerial", + "-CA", + "ca/CaCert.pem", + "-CAkey", + "ca/private/CaKey.pem", + "-in", + "identities/ParticipantM/ParticipantM.csr", + "-out", + "identities/ParticipantM/ParticipantM.pem", + ] +) + # Signing XMLs with S/MIME subprocess.run( [ diff --git a/examples/connext_secure/certificate_revocation_list/security/xml/Governance.xml b/examples/connext_secure/certificate_revocation_list/security/xml/Governance.xml index 1075f05c3..cc232dcae 100644 --- a/examples/connext_secure/certificate_revocation_list/security/xml/Governance.xml +++ b/examples/connext_secure/certificate_revocation_list/security/xml/Governance.xml @@ -1,12 +1,14 @@ + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/dds_security_governance.xsd"> 0 + RTI_o11y + false true diff --git a/examples/connext_secure/certificate_revocation_list/security/xml/Permissions.xml b/examples/connext_secure/certificate_revocation_list/security/xml/Permissions.xml index 02f1289c6..065db8ff6 100644 --- a/examples/connext_secure/certificate_revocation_list/security/xml/Permissions.xml +++ b/examples/connext_secure/certificate_revocation_list/security/xml/Permissions.xml @@ -21,5 +21,14 @@ ALLOW + + C = US, ST = CA, L = Santa Clara, O = Real Time Innovations, emailAddress = ecdsa01ParticipantM@rti.com, CN = Crl Participant M + + + 2014-06-01T13:00:00 + 2037-06-01T13:00:00 + + ALLOW + diff --git a/examples/connext_secure/dynamic_permissions/c++11/CMakeLists.txt b/examples/connext_secure/dynamic_permissions/c++11/CMakeLists.txt index c4fac74da..7f8461e13 100644 
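Review bot: The two new `subprocess.run([...])` calls that create the ParticipantM CSR and certificate do not pass `check=True`, so an openssl failure (for example the CA key or serial file not being where the relative paths expect) is silently ignored and the script goes on to sign the XML files against an identity that was never produced; the error then surfaces much later as a participant that cannot authenticate. Passing `check=True` as the second argument of each call — `subprocess.run([...], check=True)` — makes the script stop at the failing step with a `CalledProcessError`. The existing calls in this file use the same unchecked form, so this is best done for the whole file rather than only the added block; the signing call that follows starts inside the hunk but its argument list runs past it.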
--- a/examples/connext_secure/dynamic_permissions/c++11/CMakeLists.txt +++ b/examples/connext_secure/dynamic_permissions/c++11/CMakeLists.txt @@ -47,7 +47,7 @@ add_custom_command( COMMAND ${CMAKE_COMMAND} -DINPUT_FILE="${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/xml/Permissions2.xml" -DOUTPUT_FILE="${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/xml/Permissions2_expiring.xml" - -P ${CMAKE_SOURCE_DIR}/modify_permissions.cmake + -P ${CMAKE_CURRENT_SOURCE_DIR}/modify_permissions.cmake DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/xml/Permissions2.xml" ) diff --git a/examples/connext_secure/dynamic_permissions/c++11/USER_QOS_PROFILES.xml b/examples/connext_secure/dynamic_permissions/c++11/USER_QOS_PROFILES.xml index 2b31c22dd..18d4aac9c 100644 --- a/examples/connext_secure/dynamic_permissions/c++11/USER_QOS_PROFILES.xml +++ b/examples/connext_secure/dynamic_permissions/c++11/USER_QOS_PROFILES.xml @@ -10,9 +10,9 @@ use the software. --> + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_qos_profiles.xsd"> - + @@ -21,20 +21,41 @@ file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_certificate - file:security/ecdsa01/certs/peer1_cert.pem - - - dds.sec.auth.private_key - file:security/ecdsa01/certs/peer1_key.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_Governance.p7s dds.sec.access.permissions_ca file:security/ecdsa01/certs/ca_cert.pem - dds.sec.access.governance - file:security/ecdsa01/xml/signed/signed_Governance.p7s + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + + + + + + + dynamic_permissions_Library::monitor + + + + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer1_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer1_key.pem dds.sec.access.permissions @@ -44,7 +65,7 @@ - + 
@@ -64,5 +85,37 @@ + + + dynamic_permissions_Library::common + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s + + + + + diff --git a/examples/connext_secure/lightweight/README.md b/examples/connext_secure/lightweight/README.md index 238fdf2c6..b45512135 100644 --- a/examples/connext_secure/lightweight/README.md +++ b/examples/connext_secure/lightweight/README.md @@ -9,4 +9,5 @@ example code. The code has been modified so that 2 topics are used instead of one. The publisher and one of the subscribers use full security plugins, whereas the other subscriber uses lightweight security. The Governance file used showcases a configuration that is compatible with Lightweight security. However, -one of the topics uses a data_protection_kind ENCRYPT topic rule, which breaks compatibility. +one of the topics uses a data_protection_kind ENCRYPT topic rule, which breaks +compatibility. diff --git a/examples/connext_secure/lightweight/c++11/CMakeLists.txt b/examples/connext_secure/lightweight/c++11/CMakeLists.txt index 23a63b0f0..f87a33bf7 100644 --- a/examples/connext_secure/lightweight/c++11/CMakeLists.txt +++ b/examples/connext_secure/lightweight/c++11/CMakeLists.txt @@ -17,6 +17,18 @@ list(APPEND CMAKE_MODULE_PATH include(ConnextDdsConfigureCmakeUtils) connextdds_configure_cmake_utils() +find_package(RTIConnextDDS + "7.0.0" + REQUIRED + COMPONENTS + security_plugins +) + +if(NOT TARGET RTIConnextDDS::security_plugins) + message(WARNING "RTIConnextDDS::security_plugins component is missing. Skipping example") + return() +endif() + # Include ConnextDdsAddExample.cmake from resources/cmake include(ConnextDdsAddExample) 
@@ -25,5 +37,18 @@ connextdds_add_example( LANG "C++11" ) -file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/../security/" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/security/") -file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}") +include (ConnextDdsGenerateSecurityArtifacts) +connextdds_generate_security_artifacts() + +connextdds_openssl_smime_sign( + INPUT "${CMAKE_CURRENT_SOURCE_DIR}/governance_lws.xml" + OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/xml/signed/signed_governance_lws.p7s" + SIGNER_CERTIFICATE "${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/certs/ca_cert.pem" + PRIVATE_KEY_FILE "${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/certs/ca_key.pem" +) + +add_custom_target(createExpiringPermissions + ALL + DEPENDS + lightweight_securityArtifacts + "${CMAKE_CURRENT_BINARY_DIR}/security/ecdsa01/xml/signed/signed_governance_lws.p7s") \ No newline at end of file diff --git a/examples/connext_secure/lightweight/c++11/README.md b/examples/connext_secure/lightweight/c++11/README.md index 74219dd6a..17dfccf48 100644 --- a/examples/connext_secure/lightweight/c++11/README.md +++ b/examples/connext_secure/lightweight/c++11/README.md @@ -17,17 +17,6 @@ Note: The build process also copies USER_QOS_PROFILES.xml into the build directory to ensure that it is loaded when you run the examples within the build directory. -## Setting up Security artifacts - -The build process copies the security folder with .cnf files into the build -directory. Use the provided python script to initialize them. This means that -`build/security` will contain all the security artifacts needed to run this example. - -```sh -cd security -python3 setup_security.py -``` - ## Running the example This example is based on a standard rtiddsgen publisher and subscriber example 
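Review bot: The custom target added at the end of the hunk is named `createExpiringPermissions`, but what it depends on is `lightweight_securityArtifacts` and the signed `signed_governance_lws.p7s`; nothing here expires permissions, and the name looks carried over from the dynamic_permissions example whose expiring-permissions rule is on L11. A name that says what the target does, e.g. `add_custom_target(signLightweightGovernance ALL DEPENDS ...)`, would avoid the confusion, and the file should end with a newline (the hunk carries `\ No newline at end of file`). Signing the governance with the generated `ca_cert.pem`/`ca_key.pem` matches how the deleted setup_security.py on L20 signed it (`-signer ca/CaCert.pem`), so the key material usage itself is consistent with the previous setup.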
@@ -35,7 +24,8 @@ code. The code has been modified so that 2 topics are used instead of one. The publisher and one of the subscribers use full security plugins, whereas the other subscriber uses lightweight security. The Governance file used showcases a configuration that is compatible with Lightweight security. However, one of -the topics uses a data_protection_kind ENCRYPT topic rule, which breaks compatibility. +the topics uses a data_protection_kind ENCRYPT topic rule, which breaks +compatibility. Run one instance of the subscriber without any CLI arguments. This will use full security by default. diff --git a/examples/connext_secure/lightweight/c++11/USER_QOS_PROFILES.xml b/examples/connext_secure/lightweight/c++11/USER_QOS_PROFILES.xml index c866c262b..5cf40efaf 100644 --- a/examples/connext_secure/lightweight/c++11/USER_QOS_PROFILES.xml +++ b/examples/connext_secure/lightweight/c++11/USER_QOS_PROFILES.xml 
@@ -14,77 +14,126 @@ to use the software. --> xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.3.0/rti_dds_profiles.xsd"> - - - BuiltinQosSnippetLib::Feature.Security.Enable - - - - - - UDPv4 - - - + + + BuiltinQosSnippetLib::Feature.Security.Enable + + + + + UDPv4 + + + - dds.sec.access.permissions_ca - file:./security/ca/CaCert.pem + dds.sec.auth.identity_ca + file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_ca - file:./security/ca/CaCert.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_governance_lws.p7s - dds.sec.auth.identity_certificate - file:./security/identities/ParticipantA/ParticipantA.pem + dds.sec.access.permissions_ca + file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.private_key - file:./security/identities/ParticipantA/ParticipantAKey.pem - - - dds.sec.access.governance - file:./security/xml/signed/signed_governance_lws.p7s + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + dds.sec.crypto.symmetric_cipher_algorithm + AES256+GCM + + + + + + + + + + + + full_library::monitor + + + + + + + - dds.sec.access.permissions - file:./security/xml/signed/signed_permissions.p7s + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer1_cert.pem - dds.sec.crypto.rtps_psk_secret_passphrase - data:,0:uIqNqiN11xMbRcuUSdT4BGOEUjLapfosAyzCg7uUBFo= + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer1_key.pem - com.rti.serv.secure.cryptography.encryption_algorithm - AES256+GCM + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_Permissions1.p7s - + dds.sec.auth.identity_certificate - file:./security/identities/ParticipantB/ParticipantB.pem + file:security/ecdsa01/certs/peer2_cert.pem dds.sec.auth.private_key - file:./security/identities/ParticipantB/ParticipantBKey.pem + file:security/ecdsa01/certs/peer2_key.pem - dds.sec.access.permissions - file:./security/xml/signed/signed_permissions.p7s + dds.sec.access.permissions + 
file:security/ecdsa01/xml/signed/signed_Permissions2.p7s + + + full_library::common + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s + + + + + @@ -112,11 +161,11 @@ to use the software. --> RTI_SecurityLightweight_PluginSuite_create - dds.sec.crypto.rtps_psk_secret_passphrase - data:,0:uIqNqiN11xMbRcuUSdT4BGOEUjLapfosAyzCg7uUBFo= + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED - dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm + dds.sec.crypto.symmetric_cipher_algorithm AES256+GCM diff --git a/examples/connext_secure/lightweight/security/xml/governance_lws.xml b/examples/connext_secure/lightweight/c++11/governance_lws.xml similarity index 93% rename from examples/connext_secure/lightweight/security/xml/governance_lws.xml rename to examples/connext_secure/lightweight/c++11/governance_lws.xml index 4de78877d..289265bd4 100644 --- a/examples/connext_secure/lightweight/security/xml/governance_lws.xml +++ b/examples/connext_secure/lightweight/c++11/governance_lws.xml @@ -1,12 +1,14 @@ + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/dds_security_governance.xsd"> 0 + RTI_o11y + true false diff --git a/examples/connext_secure/lightweight/security/ca/Ca.cnf b/examples/connext_secure/lightweight/security/ca/Ca.cnf deleted file mode 100644 index 3067f2353..000000000 --- a/examples/connext_secure/lightweight/security/ca/Ca.cnf +++ /dev/null 
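Review bot: The `@@ -14,77 +14,126 @@` hunk (starting on L15) keeps `xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.3.0/rti_dds_profiles.xsd"` as context while every other QoS profile touched by this commit moves to `7.6.0/rti_dds_qos_profiles.xsd` (L1, L2, L3, L11), and the file now uses the `dds.sec.crypto.symmetric_cipher_algorithm` property; the schema reference should be bumped for consistency so that editor validation checks the same vocabulary as the rest of the examples. The hunk also replaces the previous random-looking seed `data:,0:uIqNqiN11xMbRcuUSdT4BGOEUjLapfosAyzCg7uUBFo=` with the shared placeholder in the full-security profile, and the lightweight profile in the next hunk is given the same placeholder; since the two presumably have to stay identical to interoperate, a comment on the lightweight side such as `<!-- must match the rtps_psk_secret_passphrase of the full-security profiles above -->` would make that coupling explicit. The qos_library element enclosing these profiles starts before the hunk.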
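Review bot: In the `@@ -112,11 +161,11 @@` hunk, the lightweight profile (the one built on `RTI_SecurityLightweight_PluginSuite_create`, visible as context) has its property renamed from `dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm` to `dds.sec.crypto.symmetric_cipher_algorithm` with the value `AES256+GCM` kept. If the lightweight plugin suite selects its PSK cipher through the `rtps_psk_`-prefixed name, an unrecognized property is presumably ignored rather than rejected, and the participant would silently fall back to the default cipher while the profile appears to request AES-256-GCM. Please confirm against the 7.6.0 property list which spelling the lightweight suite honours, and if both are accepted, a one-line comment stating that would help the next reader; the profile's closing element is outside the hunk.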
@@ -1,84 +0,0 @@ -# -# OpenSSL Certificate Authority configuration file. - -#################################################################### -[ ca ] -default_ca = CA_default - -# Variables defining this CA -name = pmiCa - -#################################################################### -[ CA_default ] -dir = . -certificate = $dir/CaCert.pem -private_key = $dir/CaKey.pem -crl_dir = $dir/crl - -new_certs_dir = ./temporary_files -database = $dir/database/CaIndex -crlnumber = $dir/crl/crlNumber - -serial = $dir/database/CaSerial - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 7300 # how long to certify for -default_crl_days = 30 # how long before next CRL -default_md = sha256 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -localityName = optional -organizationName = match -emailAddress = optional -commonName = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -emailAddress = optional -commonName = supplied - -[ req ] -prompt = no - -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -0.organizationName = Real Time Innovations -commonName = RTI ECDSA01 (p256) ROOT CA -emailAddress = ecdsa01RootCa@rti.com - -[ v3_ca ] -# Extensions for a typical CA (`man x509v3_config`). -basicConstraints = CA:true - diff --git a/examples/connext_secure/lightweight/security/ca/database/CaSerial b/examples/connext_secure/lightweight/security/ca/database/CaSerial deleted file mode 100644 index 8a0f05e16..000000000 --- a/examples/connext_secure/lightweight/security/ca/database/CaSerial +++ /dev/null @@ -1 +0,0 @@ -01 diff --git a/examples/connext_secure/lightweight/security/ca/private/.gitkeep b/examples/connext_secure/lightweight/security/ca/private/.gitkeep deleted file mode 100644 index e69de29bb..000000000 diff --git a/examples/connext_secure/lightweight/security/identities/ParticipantA/ParticipantA.cnf b/examples/connext_secure/lightweight/security/identities/ParticipantA/ParticipantA.cnf deleted file mode 100644 index 6df8b8f38..000000000 --- a/examples/connext_secure/lightweight/security/identities/ParticipantA/ParticipantA.cnf +++ /dev/null @@ -1,10 +0,0 @@ -prompt = no -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -organizationName = Real Time Innovations -emailAddress = ecdsa01ParticipantA@rti.com -commonName = Lightweight Participant A diff --git a/examples/connext_secure/lightweight/security/identities/ParticipantB/ParticipantB.cnf b/examples/connext_secure/lightweight/security/identities/ParticipantB/ParticipantB.cnf deleted file mode 100644 index 5d28db2f0..000000000 
--- a/examples/connext_secure/lightweight/security/identities/ParticipantB/ParticipantB.cnf +++ /dev/null @@ -1,10 +0,0 @@ -prompt = no -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -organizationName = Real Time Innovations -emailAddress = ecdsa01ParticipantB@rti.com -commonName = Lightweight Participant B \ No newline at end of file diff --git a/examples/connext_secure/lightweight/security/setup_security.py b/examples/connext_secure/lightweight/security/setup_security.py deleted file mode 100644 index 2c770c5a9..000000000 --- a/examples/connext_secure/lightweight/security/setup_security.py +++ /dev/null 
@@ -1,134 +0,0 @@ -import subprocess - -# Self Signed CA -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-x509", - "-days", - "1825", - "-text", - "-sha256", - "-newkey", - "ec", - "-pkeyopt", - "ec_paramgen_curve:prime256v1", - "-keyout", - "ca/private/CaKey.pem", - "-out", - "ca/CaCert.pem", - "-config", - "ca/Ca.cnf", - ] -) - -# Generate Certs -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-new", - "-newkey", - "rsa:2048", - "-config", - "identities/ParticipantA/ParticipantA.cnf", - "-keyout", - "identities/ParticipantA/ParticipantAKey.pem", - "-out", - "identities/ParticipantA/ParticipantA.csr", - ] -) -subprocess.run( - [ - "openssl", - "x509", - "-req", - "-days", - "730", - "-text", - "-CAserial", - "ca/database/CaSerial", - "-CA", - "ca/CaCert.pem", - "-CAkey", - "ca/private/CaKey.pem", - "-in", - "identities/ParticipantA/ParticipantA.csr", - "-out", - "identities/ParticipantA/ParticipantA.pem", - ] -) - -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-new", - "-newkey", - "rsa:2048", - "-config", - "identities/ParticipantB/ParticipantB.cnf", - "-keyout", - "identities/ParticipantB/ParticipantBKey.pem", - "-out", - "identities/ParticipantB/ParticipantB.csr", - ] -) -subprocess.run( - [ - "openssl", - "x509", - "-req", - "-days", - "730", - "-text", - "-CAserial", - "ca/database/CaSerial", - "-CA", - "ca/CaCert.pem", - "-CAkey", - "ca/private/CaKey.pem", - "-in", - "identities/ParticipantB/ParticipantB.csr", - "-out", - "identities/ParticipantB/ParticipantB.pem", - ] -) - -# Signing XMLs with S/MIME -subprocess.run( - [ - "openssl", - "smime", - "-sign", - "-in", - "xml/governance_lws.xml", - "-text", - "-out", - "xml/signed/signed_governance_lws.p7s", - "-signer", - "ca/CaCert.pem", - "-inkey", - "ca/private/CaKey.pem", - ] -) -subprocess.run( - [ - "openssl", - "smime", - "-sign", - "-in", - "xml/permissions.xml", - "-text", - "-out", - "xml/signed/signed_permissions.p7s", - "-signer", - "ca/CaCert.pem", - "-inkey", - 
"ca/private/CaKey.pem", - ] -) diff --git a/examples/connext_secure/lightweight/security/xml/permissions.xml b/examples/connext_secure/lightweight/security/xml/permissions.xml deleted file mode 100644 index 8047223e7..000000000 --- a/examples/connext_secure/lightweight/security/xml/permissions.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - /C=US/ST=CA/L=Santa Clara/O=Real Time Innovations/emailAddress=ecdsa01ParticipantA@rti.com/CN=Lightweight Participant A - - - 2013-06-01T13:00:00 - 2037-06-01T13:00:00 - - ALLOW - - - /C=US/ST=CA/L=Santa Clara/O=Real Time Innovations/emailAddress=ecdsa01ParticipantB@rti.com/CN=Lightweight Participant B - - - 2013-06-01T13:00:00 - 2037-06-01T13:00:00 - - ALLOW - - - \ No newline at end of file diff --git a/examples/connext_secure/lightweight/security/xml/signed/.gitkeep b/examples/connext_secure/lightweight/security/xml/signed/.gitkeep deleted file mode 100644 index e69de29bb..000000000 diff --git a/examples/connext_secure/whitelist/c++11/CMakeLists.txt b/examples/connext_secure/whitelist/c++11/CMakeLists.txt index 44aeb34aa..1b3bb857a 100644 --- a/examples/connext_secure/whitelist/c++11/CMakeLists.txt +++ b/examples/connext_secure/whitelist/c++11/CMakeLists.txt @@ -17,6 +17,19 @@ list(APPEND CMAKE_MODULE_PATH include(ConnextDdsConfigureCmakeUtils) connextdds_configure_cmake_utils() +find_package(RTIConnextDDS + "7.0.0" + REQUIRED + COMPONENTS + core + security_plugins +) + +if(NOT TARGET RTIConnextDDS::security_plugins) + message(WARNING "RTIConnextDDS::security_plugins component is missing. Skipping example") + return() +endif() + # Include ConnextDdsAddExample.cmake from resources/cmake include(ConnextDdsAddExample) 
@@ -25,5 +38,5 @@ connextdds_add_example( LANG "C++11" )
-file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/../security/" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/security/")
-file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}")
+include (ConnextDdsGenerateSecurityArtifacts)
+connextdds_generate_security_artifacts()
diff --git a/examples/connext_secure/whitelist/c++11/README.md b/examples/connext_secure/whitelist/c++11/README.md
index 7b9a9596a..d33dbddcd 100644
--- a/examples/connext_secure/whitelist/c++11/README.md
+++ b/examples/connext_secure/whitelist/c++11/README.md
@@ -17,17 +17,6 @@ Note: The build process also copies USER_QOS_PROFILES.xml into the build directory to ensure that it is loaded when you run the examples within the build directory.
-## Setting up Security artifacts
-
-The build process copies the security folder with .cnf files into the build directory. Use the provided python script to initialize them. This means that `build/security` will contain all the security artifacts needed to run this example.
-
-```sh
-cd security
-python3 setup_security.py
-```
-
 ## Running the example This example is based on a standard rtiddsgen publisher and subscriber example
diff --git a/examples/connext_secure/whitelist/c++11/USER_QOS_PROFILES.xml b/examples/connext_secure/whitelist/c++11/USER_QOS_PROFILES.xml
index bbe61bd75..7b4b7bfd9 100644
--- a/examples/connext_secure/whitelist/c++11/USER_QOS_PROFILES.xml
+++ b/examples/connext_secure/whitelist/c++11/USER_QOS_PROFILES.xml
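Review bot: The second `file(COPY ...)` that placed USER_QOS_PROFILES.xml in the build directory is removed here, yet the README hunk below keeps the context sentence stating that the build process still copies that file. Unless `connextdds_add_example()` or `connextdds_generate_security_artifacts()` now performs that copy (not visible in this diff), a binary run from the build directory would not find the `whitelist::*` profiles and would fall back to the default participant QoS, i.e. run without the security properties this example is about. Either keep `file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/USER_QOS_PROFILES.xml" DESTINATION "${CMAKE_CURRENT_BINARY_DIR}")` or correct the README sentence so the two agree.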
@@ -11,44 +11,66 @@ any incidental or consequential damages arising out of the use or inability to use the software. --> - + xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_profiles.xsd"> + - - + + + BuiltinQosSnippetLib::Feature.Security.Enable + + - + - dds.participant.trust_plugins.key_revision_max_history_depth - 7 + dds.sec.auth.identity_ca + file:security/ecdsa01/certs/ca_cert.pem - dds.sec.auth.identity_ca - file:./security/ca/CaCert.pem + dds.sec.access.governance + file:security/ecdsa01/xml/signed/signed_Governance.p7s - dds.sec.access.permissions_ca - file:./security/ca/CaCert.pem + dds.sec.access.permissions_ca + file:security/ecdsa01/certs/ca_cert.pem + + dds.sec.crypto.rtps_psk_secret_passphrase + data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED + + + + + + + + + + + + whitelist::monitor + + + + + + + + dds.sec.auth.identity_certificate - file:./security/identities/ParticipantA/ParticipantA.pem + file:security/ecdsa01/certs/peer1_cert.pem dds.sec.auth.private_key - file:./security/identities/ParticipantA/ParticipantAKey.pem - - - dds.sec.access.governance - file:./security/xml/signed/signed_Governance.p7s + file:security/ecdsa01/certs/peer1_key.pem dds.sec.access.permissions - file:./security/xml/signed/signed_Permissions.p7s + file:security/ecdsa01/xml/signed/signed_Permissions1.p7s dds.participant.trust_plugins.subject_name_whitelist - C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01ParticipantB@rti.com, CN=Whitelist Participant B;C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01ParticipantC@rti.com, CN=Whitelist Participant C + C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01-peer2, CN=rticonnextdds-examples;C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01-peer3, CN=rticonnextdds-examples com.rti.serv.secure.authentication.enable_discovery_subject_name_propagation @@ -57,6 +79,7 @@ to use the software. --> + UDPv4 
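Review bot: The `dds.sec.crypto.rtps_psk_secret_passphrase` value `data:,0:PLEASE-CHANGE-THIS-DEFAULT-SEED` is a literal pre-shared-key seed placed in the base profile that every participant in this file inherits, and the Governance change in this same commit appears to turn on an RTPS PSK protection kind, so every deployment that keeps this default shares one well-known key for its PSK-protected traffic. The property name says to change it, but nothing in the XML says what the key protects or that all profiles share it. An XML comment next to the property would carry that, e.g. `<!-- Example-only PSK seed inherited by every participant profile below; it protects RTPS traffic whenever rtps_psk_protection_kind is not NONE. Generate a real secret before any non-demo use. -->`.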
@@ -81,51 +104,83 @@ to use the software. --> - - dds.sec.auth.identity_certificate - file:./security/identities/ParticipantB/ParticipantB.pem - - - dds.sec.auth.private_key - file:./security/identities/ParticipantB/ParticipantBKey.pem - - dds.sec.access.permissions - file:./security/xml/signed/signed_Permissions.p7s + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer2_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer2_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_Permissions2.p7s dds.participant.trust_plugins.subject_name_whitelist - C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01ParticipantA@rti.com, CN=Whitelist Participant A + C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01-peer1, CN=rticonnextdds-examples - + - - dds.sec.auth.identity_certificate - file:./security/identities/ParticipantC/ParticipantC.pem - - - dds.sec.auth.private_key - file:./security/identities/ParticipantC/ParticipantCKey.pem - - dds.sec.access.permissions - file:./security/xml/signed/signed_Permissions.p7s + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peer3_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peer3_key.pem + + + dds.sec.access.permissions + file:security/ecdsa01/xml/signed/signed_Permissions3.p7s dds.participant.trust_plugins.subject_name_whitelist - C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01ParticipantA@rti.com, CN=Whitelist Participant A + C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, emailAddress=ecdsa01-peer1, CN=rticonnextdds-examples - + + + + whitelist::common + BuiltinQosLib::Generic.Monitoring2 + + + + + 8192 + + + 40 + + + + + + dds.sec.auth.identity_certificate + file:security/ecdsa01/certs/peerM_cert.pem + + + dds.sec.auth.private_key + file:security/ecdsa01/certs/peerM_key.pem + + + dds.sec.access.permissions + 
file:security/ecdsa01/xml/signed/signed_PermissionsM.p7s
+
+
+
+
+
diff --git a/examples/connext_secure/whitelist/c++11/Whitelist_publisher.cxx b/examples/connext_secure/whitelist/c++11/Whitelist_publisher.cxx
index 3f8379b75..9d887f9c1 100644
--- a/examples/connext_secure/whitelist/c++11/Whitelist_publisher.cxx
+++ b/examples/connext_secure/whitelist/c++11/Whitelist_publisher.cxx
@@ -32,7 +32,7 @@ void run_publisher_application( dds::domain::DomainParticipant participant( domain_id, dds::core::QosProvider::Default().participant_qos(
- "full_library::peer1"));
+ "whitelist::peer1"));
 // Create a Topic with a name and a datatype dds::topic::Topic topic(participant, "Whitelist Example");
@@ -66,45 +66,41 @@ void run_publisher_application( if (samples_written == 30) { std::cout << "\nWhitelisting C=US, ST=CA, L=Santa Clara, O=Real Time "
- "Innovations, emailAddress=ecdsa01ParticipantB@rti.com, "
- "CN=Whitelist Participant B\n"
+ "Innovations, emailAddress=ecdsa01-peer2, "
+ "CN=rticonnextdds-examples\n"
 << std::endl; participant.property( "dds.participant.trust_plugins.subject_name_whitelist", "C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, "
- "emailAddress=ecdsa01ParticipantB@rti.com, CN=Whitelist "
- "Participant B",
+ "emailAddress=ecdsa01-peer2, CN=rticonnextdds-examples",
 true); } if (samples_written == 60) { std::cout << "\nWhitelisting C=US, ST=CA, L=Santa Clara, O=Real Time "
- "Innovations, emailAddress=ecdsa01ParticipantC@rti.com, "
- "CN=Whitelist Participant C\n"
+ "Innovations, emailAddress=ecdsa01-peer3, "
+ "CN=rticonnextdds-examples\n"
 << std::endl; participant.property( "dds.participant.trust_plugins.subject_name_whitelist", "C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, "
- "emailAddress=ecdsa01ParticipantC@rti.com, CN=Whitelist "
- "Participant C",
+ "emailAddress=ecdsa01-peer3, CN=rticonnextdds-examples",
 true); } if (samples_written == 90) { std::cout << "\nWhitelisting C=US, ST=CA, L=Santa Clara, O=Real Time "
- "Innovations, emailAddress=ecdsa01ParticipantB@rti.com, "
- "CN=Whitelist Participant B;C=US, ST=CA, L=Santa Clara, "
+ "Innovations, emailAddress=ecdsa01-peer2, "
+ "CN=rticonnextdds-examples;C=US, ST=CA, L=Santa Clara, "
 "O=Real Time Innovations, "
- "emailAddress=ecdsa01ParticipantC@rti.com, CN=Whitelist "
- "Participant C"
+ "emailAddress=ecdsa01-peer3, CN=rticonnextdds-examples"
 << std::endl; participant.property( "dds.participant.trust_plugins.subject_name_whitelist", "C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, "
- "emailAddress=ecdsa01ParticipantB@rti.com, CN=Whitelist "
- "Participant B;C=US, ST=CA, L=Santa Clara, O=Real Time "
- "Innovations, emailAddress=ecdsa01ParticipantC@rti.com, "
- "CN=Whitelist Participant C", + "emailAddress=ecdsa01-peer2, CN=rticonnextdds-examples;" + "C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, " + "emailAddress=ecdsa01-peer3, CN=rticonnextdds-examples", true); } diff --git a/examples/connext_secure/whitelist/c++11/Whitelist_subscriber.cxx b/examples/connext_secure/whitelist/c++11/Whitelist_subscriber.cxx index 9e5c80a20..d192da685 100644 --- a/examples/connext_secure/whitelist/c++11/Whitelist_subscriber.cxx +++ b/examples/connext_secure/whitelist/c++11/Whitelist_subscriber.cxx @@ -45,7 +45,7 @@ void run_subscriber_application( dds::domain::qos::DomainParticipantQos participant_qos = dds::core::QosProvider::Default().participant_qos( - peer3 ? "full_library::peer3" : "full_library::peer2"); + peer3 ? "whitelist::peer3" : "whitelist::peer2"); dds::domain::DomainParticipant participant(domain_id, participant_qos); // Create a Topic with a name and a datatype diff --git a/examples/connext_secure/whitelist/security/ca/Ca.cnf b/examples/connext_secure/whitelist/security/ca/Ca.cnf deleted file mode 100644 index c875a22f6..000000000 --- a/examples/connext_secure/whitelist/security/ca/Ca.cnf +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# OpenSSL Certificate Authority configuration file. - -#################################################################### -[ ca ] -default_ca = CA_default - -# Variables defining this CA -name = pmiCa - -#################################################################### -[ CA_default ] -dir = . -certificate = $dir/CaCert.pem -private_key = $dir/CaKey.pem -crl_dir = $dir/crl - -new_certs_dir = ./temporary_files -database = $dir/database/CaIndex -crlnumber = $dir/crl/crlNumber - -# Due to cmake code, we need to use certs/serial -# serial = cert/temporary_files/serial -serial = $dir/database/CaSerial - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 7300 # how long to certify for -default_crl_days = 30 # how long before next CRL -default_md = sha256 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -localityName = optional -organizationName = match -emailAddress = optional -commonName = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -emailAddress = optional -commonName = supplied - -[ req ] -prompt = no - -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -0.organizationName = Real Time Innovations -commonName = RTI ECDSA01 (p256) ROOT CA -emailAddress = ecdsa01RootCa@rti.com - -[ v3_ca ] -# Extensions for a typical CA (`man x509v3_config`). -basicConstraints = CA:true - diff --git a/examples/connext_secure/whitelist/security/ca/database/CaSerial b/examples/connext_secure/whitelist/security/ca/database/CaSerial deleted file mode 100644 index a616ad491..000000000 --- a/examples/connext_secure/whitelist/security/ca/database/CaSerial +++ /dev/null @@ -1 +0,0 @@ -01 \ No newline at end of file diff --git a/examples/connext_secure/whitelist/security/ca/private/.gitkeep b/examples/connext_secure/whitelist/security/ca/private/.gitkeep deleted file mode 100644 index e69de29bb..000000000 diff --git a/examples/connext_secure/whitelist/security/identities/ParticipantA/ParticipantA.cnf b/examples/connext_secure/whitelist/security/identities/ParticipantA/ParticipantA.cnf deleted file mode 100644 index 614604c83..000000000 --- a/examples/connext_secure/whitelist/security/identities/ParticipantA/ParticipantA.cnf +++ /dev/null @@ -1,10 +0,0 @@ -prompt = no -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -organizationName = Real Time Innovations -emailAddress = ecdsa01ParticipantA@rti.com -commonName = Whitelist Participant A diff --git a/examples/connext_secure/whitelist/security/identities/ParticipantC/ParticipantC.cnf b/examples/connext_secure/whitelist/security/identities/ParticipantC/ParticipantC.cnf deleted file mode 100644 index 547444561..000000000 
--- a/examples/connext_secure/whitelist/security/identities/ParticipantC/ParticipantC.cnf +++ /dev/null @@ -1,10 +0,0 @@ -prompt = no -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = US -stateOrProvinceName = CA -localityName = Santa Clara -organizationName = Real Time Innovations -emailAddress = ecdsa01ParticipantC@rti.com -commonName = Whitelist Participant C diff --git a/examples/connext_secure/whitelist/security/setup_security.py b/examples/connext_secure/whitelist/security/setup_security.py deleted file mode 100644 index 450525817..000000000 --- a/examples/connext_secure/whitelist/security/setup_security.py +++ /dev/null 
@@ -1,171 +0,0 @@ -import subprocess - -# Self Signed CA -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-x509", - "-days", - "1825", - "-text", - "-sha256", - "-newkey", - "ec", - "-pkeyopt", - "ec_paramgen_curve:prime256v1", - "-keyout", - "ca/private/CaKey.pem", - "-out", - "ca/CaCert.pem", - "-config", - "ca/Ca.cnf", - ] -) - -# Generate Certs -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-new", - "-newkey", - "rsa:2048", - "-config", - "identities/ParticipantA/ParticipantA.cnf", - "-keyout", - "identities/ParticipantA/ParticipantAKey.pem", - "-out", - "identities/ParticipantA/ParticipantA.csr", - ] -) -subprocess.run( - [ - "openssl", - "x509", - "-req", - "-days", - "730", - "-text", - "-CAserial", - "ca/database/CaSerial", - "-CA", - "ca/CaCert.pem", - "-CAkey", - "ca/private/CaKey.pem", - "-in", - "identities/ParticipantA/ParticipantA.csr", - "-out", - "identities/ParticipantA/ParticipantA.pem", - ] -) - -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-new", - "-newkey", - "rsa:2048", - "-config", - "identities/ParticipantB/ParticipantB.cnf", - "-keyout", - "identities/ParticipantB/ParticipantBKey.pem", - "-out", - "identities/ParticipantB/ParticipantB.csr", - ] -) -subprocess.run( - [ - "openssl", - "x509", - "-req", - "-days", - "730", - "-text", - "-CAserial", - "ca/database/CaSerial", - "-CA", - "ca/CaCert.pem", - "-CAkey", - "ca/private/CaKey.pem", - "-in", - "identities/ParticipantB/ParticipantB.csr", - "-out", - "identities/ParticipantB/ParticipantB.pem", - ] -) - -subprocess.run( - [ - "openssl", - "req", - "-nodes", - "-new", - "-newkey", - "rsa:2048", - "-config", - "identities/ParticipantC/ParticipantC.cnf", - "-keyout", - "identities/ParticipantC/ParticipantCKey.pem", - "-out", - "identities/ParticipantC/ParticipantC.csr", - ] -) -subprocess.run( - [ - "openssl", - "x509", - "-req", - "-days", - "730", - "-text", - "-CAserial", - "ca/database/CaSerial", - "-CA", - "ca/CaCert.pem", - "-CAkey", - 
"ca/private/CaKey.pem", - "-in", - "identities/ParticipantC/ParticipantC.csr", - "-out", - "identities/ParticipantC/ParticipantC.pem", - ] -) - -# Signing XMLs with S/MIME -subprocess.run( - [ - "openssl", - "smime", - "-sign", - "-in", - "xml/Governance.xml", - "-text", - "-out", - "xml/signed/signed_Governance.p7s", - "-signer", - "ca/CaCert.pem", - "-inkey", - "ca/private/CaKey.pem", - ] -) -subprocess.run( - [ - "openssl", - "smime", - "-sign", - "-in", - "xml/Permissions.xml", - "-text", - "-out", - "xml/signed/signed_Permissions.p7s", - "-signer", - "ca/CaCert.pem", - "-inkey", - "ca/private/CaKey.pem", - ] -) diff --git a/examples/connext_secure/whitelist/security/xml/Governance.xml b/examples/connext_secure/whitelist/security/xml/Governance.xml deleted file mode 100644 index 7a0bd9187..000000000 --- a/examples/connext_secure/whitelist/security/xml/Governance.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - 0 - - - false - true - ENCRYPT - ENCRYPT - SIGN - - - * - true - true - true - true - ENCRYPT - ENCRYPT - - - - - diff --git a/examples/connext_secure/whitelist/security/xml/Permissions.xml b/examples/connext_secure/whitelist/security/xml/Permissions.xml deleted file mode 100644 index 5d077702c..000000000 --- a/examples/connext_secure/whitelist/security/xml/Permissions.xml +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - C = US, ST = CA, L = Santa Clara, O = Real Time Innovations, emailAddress = ecdsa01ParticipantA@rti.com, CN = Whitelist Participant A - - - 2014-06-01T13:00:00 - 2037-06-01T13:00:00 - - ALLOW - - - C = US, ST = CA, L = Santa Clara, O = Real Time Innovations, emailAddress = ecdsa01ParticipantB@rti.com, CN = Whitelist Participant B - - - 2014-06-01T13:00:00 - 2037-06-01T13:00:00 - - ALLOW - - - C = US, ST = CA, L = Santa Clara, O = Real Time Innovations, emailAddress = ecdsa01ParticipantC@rti.com, CN = Whitelist Participant C - - - 2022-06-01T13:00:00 - 2032-06-01T13:00:00 - - ALLOW - - - 
diff --git a/examples/connext_secure/whitelist/security/xml/signed/.gitkeep b/examples/connext_secure/whitelist/security/xml/signed/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/resources/cmake/Modules/ConnextDdsGenerateSecurityArtifacts.cmake b/resources/cmake/Modules/ConnextDdsGenerateSecurityArtifacts.cmake
index 168178f27..233b2023a 100644
--- a/resources/cmake/Modules/ConnextDdsGenerateSecurityArtifacts.cmake
+++ b/resources/cmake/Modules/ConnextDdsGenerateSecurityArtifacts.cmake
@@ -83,19 +83,22 @@ function(connextdds_generate_security_artifacts) set(ca_config_file "${openssl_working_dir}/ca.cnf") set(peer1_config_file "${openssl_working_dir}/peer1.cnf") set(peer2_config_file "${openssl_working_dir}/peer2.cnf")
+ set(peer3_config_file "${openssl_working_dir}/peer3.cnf")
+ set(peerM_config_file "${openssl_working_dir}/peerM.cnf")
 set(artifacts_input_files "${ca_config_file}" "${peer1_config_file}" "${peer2_config_file}"
+ "${peer3_config_file}"
+ "${peerM_config_file}"
 )
- set(xmls_name Governance Permissions1 Permissions2)
+ set(xmls_name Governance Permissions1 Permissions2 Permissions3 PermissionsM)
 foreach(xml ${xmls_name}) list(APPEND artifacts_input_files "${openssl_working_dir}/xml/${xml}.xml") endforeach() add_custom_command( OUTPUT ${artifacts_input_files}
- PRE_BUILD
 COMMENT "Copying security resources to the example's binary directory" COMMAND ${CMAKE_COMMAND} -E make_directory ${artifacts_output_dir}
@@ -123,6 +126,10 @@ function(connextdds_generate_security_artifacts) set(peer1_cert_file "${certificates_output_dir}/peer1_cert.pem") set(peer2_key_file "${certificates_output_dir}/peer2_key.pem") set(peer2_cert_file "${certificates_output_dir}/peer2_cert.pem")
+ set(peer3_key_file "${certificates_output_dir}/peer3_key.pem")
+ set(peer3_cert_file "${certificates_output_dir}/peer3_cert.pem")
+ set(peerM_key_file "${certificates_output_dir}/peerM_key.pem")
+ set(peerM_cert_file "${certificates_output_dir}/peerM_cert.pem")
 set(artifacts_output_files "${ca_key_file}" "${ca_cert_file}"
@@ -130,6 +137,10 @@ function(connextdds_generate_security_artifacts) "${peer1_cert_file}" "${peer2_key_file}" "${peer2_cert_file}"
+ "${peer3_key_file}"
+ "${peer3_cert_file}"
+ "${peerM_key_file}"
+ "${peerM_cert_file}"
 ) # Set configuration options for the certificates.
@@ -182,6 +193,36 @@ function(connextdds_generate_security_artifacts) WORKING_DIRECTORY "${openssl_working_dir}" )
+ # RootCa signs Peer03Cert.
+ connextdds_openssl_generate_signed_certificate(
+ OUTPUT_CERT_FILE "${peer3_cert_file}"
+ OUTPUT_CERT_REQUEST_FILE "${openssl_temporary_dir}/peer3_req_cert.pem"
+ OUTPUT_KEY_FILE "${peer3_key_file}"
+ ECPARAM_NAME "prime256v1"
+ ECPARAM_OUTPUT_FILE "${openssl_temporary_dir}/ecdsaparam3"
+ CONFIG_FILE "${peer3_config_file}"
+ CA_KEY_FILE "${ca_key_file}"
+ CA_CONFIG_FILE "${ca_config_file}"
+ CA_CERT_FILE "${ca_cert_file}"
+ DAYS ${expiration_days}
+ WORKING_DIRECTORY "${openssl_working_dir}"
+ )
+
+ # RootCa signs PeerMCert.
+ connextdds_openssl_generate_signed_certificate(
+ OUTPUT_CERT_FILE "${peerM_cert_file}"
+ OUTPUT_CERT_REQUEST_FILE "${openssl_temporary_dir}/peerM_req_cert.pem"
+ OUTPUT_KEY_FILE "${peerM_key_file}"
+ ECPARAM_NAME "prime256v1"
+ ECPARAM_OUTPUT_FILE "${openssl_temporary_dir}/ecdsaparamM"
+ CONFIG_FILE "${peerM_config_file}"
+ CA_KEY_FILE "${ca_key_file}"
+ CA_CONFIG_FILE "${ca_config_file}"
+ CA_CERT_FILE "${ca_cert_file}"
+ DAYS ${expiration_days}
+ WORKING_DIRECTORY "${openssl_working_dir}"
+ )
+
 # ########################################################################## # Sign the permissions and governance files. # ##########################################################################
diff --git a/resources/security/ecdsa01/peer3.cnf b/resources/security/ecdsa01/peer3.cnf
new file mode 100644
index 000000000..dd7387234
--- /dev/null
+++ b/resources/security/ecdsa01/peer3.cnf
@@ -0,0 +1,10 @@
+prompt=no
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName=US
+stateOrProvinceName=CA
+localityName=Santa Clara
+organizationName=Real Time Innovations
+emailAddress=ecdsa01-peer3
+commonName=rticonnextdds-examples
diff --git a/resources/security/ecdsa01/peerM.cnf b/resources/security/ecdsa01/peerM.cnf
new file mode 100644
index 000000000..dbe596b70
--- /dev/null
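Review bot: The two new `connextdds_openssl_generate_signed_certificate(...)` calls differ from each other — and presumably from the peer1/peer2 calls that precede this hunk — only in the peer suffix, so the per-peer list is now maintained by hand in three places of this function (config files, output files, signing calls) and a peer added to one list but not the others fails only at build time. A `foreach` over the suffixes keeps the signing step in lockstep with the lists added in the earlier hunks. The `ecdsaparam${peer}` output name assumes the peer1/peer2 calls use the same `ecdsaparam<suffix>` pattern, which is not visible here; if they do, those two blocks can join the loop as well.
```cmake
# RootCa signs one end-entity certificate per peer suffix.
foreach(peer IN ITEMS 3 M)
    connextdds_openssl_generate_signed_certificate(
        OUTPUT_CERT_FILE "${peer${peer}_cert_file}"
        OUTPUT_CERT_REQUEST_FILE "${openssl_temporary_dir}/peer${peer}_req_cert.pem"
        OUTPUT_KEY_FILE "${peer${peer}_key_file}"
        ECPARAM_NAME "prime256v1"
        ECPARAM_OUTPUT_FILE "${openssl_temporary_dir}/ecdsaparam${peer}"
        CONFIG_FILE "${peer${peer}_config_file}"
        CA_KEY_FILE "${ca_key_file}"
        CA_CONFIG_FILE "${ca_config_file}"
        CA_CERT_FILE "${ca_cert_file}"
        DAYS ${expiration_days}
        WORKING_DIRECTORY "${openssl_working_dir}"
    )
endforeach()
# … unchanged: signing of the permissions and governance files …
```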
+++ b/resources/security/ecdsa01/peerM.cnf @@ -0,0 +1,10 @@ +prompt=no +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +countryName=US +stateOrProvinceName=CA +localityName=Santa Clara +organizationName=Real Time Innovations +emailAddress=ecdsa01-peerM +commonName=rticonnextdds-examples diff --git a/resources/security/xml/Governance.xml b/resources/security/xml/Governance.xml index c24796be4..47d13869c 100644 --- a/resources/security/xml/Governance.xml +++ b/resources/security/xml/Governance.xml @@ -13,7 +13,8 @@ true NONE NONE - ENCRYPT + ENCRYPT_WITH_ORIGIN_AUTHENTICATION + ENCRYPT * @@ -21,7 +22,33 @@ false true true - ENCRYPT + NONE + NONE + + + + + + + + 101 + RTI_o11y + + false + true + true + NONE + NONE + ENCRYPT_WITH_ORIGIN_AUTHENTICATION + ENCRYPT + + + * + false + false + true + true + NONE NONE diff --git a/resources/security/xml/Permissions3.xml b/resources/security/xml/Permissions3.xml new file mode 100644 index 000000000..494600f57 --- /dev/null +++ b/resources/security/xml/Permissions3.xml @@ -0,0 +1,15 @@ + + + + + + C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, CN=rticonnextdds-examples/emailAddress=ecdsa01-peer3 + + 2021-01-20T00:00:00 + 2031-01-20T00:00:00 + + ALLOW + + + diff --git a/resources/security/xml/PermissionsM.xml b/resources/security/xml/PermissionsM.xml new file mode 100644 index 000000000..ced657f49 --- /dev/null +++ b/resources/security/xml/PermissionsM.xml @@ -0,0 +1,22 @@ + + + + + + C=US, ST=CA, L=Santa Clara, O=Real Time Innovations, CN=rticonnextdds-examples/emailAddress=ecdsa01-peerM + + 2021-01-20T00:00:00 + 2031-01-20T00:00:00 + + + + 101 + RTI_o11y + + METRICS + + DENY + + +
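Review bot: In the second Governance.xml hunk the existing `*` topic rule appears to go from `ENCRYPT` to `NONE` (`- ENCRYPT` / `+ NONE` / `+ NONE`), but element names are stripped in this rendering, so confirm which protection kinds those are. If they are the topic rule's metadata/data protection kinds, payloads on every topic under that domain rule lose topic-level encryption and signing, and because resources/security/xml/Governance.xml is signed and consumed by every example that calls `connextdds_generate_security_artifacts()`, the relaxation reaches all of them rather than only the monitoring flow this commit adds. Please record the rationale next to the rule, along the lines of `<!-- Topic-level protection intentionally set to NONE: <reason>; the domain-level rtps/psk protection kinds above are relied on instead. -->`, so the next reader does not treat it as an accidental downgrade and so the new RTI_o11y domain rule's choices can be compared against it.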
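Review bot: Permissions3.xml ends its grant with an `ALLOW` default and no explicit allow/deny rule is visible, whereas PermissionsM.xml in the next hunk carries an explicit rule and a `DENY` default; tags are stripped here, so confirm the structure before acting on this. If the permissive default is deliberate because the whitelist example restricts peers through `subject_name_whitelist` rather than through permissions, say so in the file, e.g. `<!-- Default ALLOW: this example gates peers via subject_name_whitelist, not via permission rules. -->`; otherwise mirror the PermissionsM shape with an explicit grant and a DENY default so the generated artifacts follow least privilege consistently. The 2021-01-20 to 2031-01-20 validity window is hard-coded as well, so peer3 stops authenticating after that date unless the grant is regenerated.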