
clamesys/IoT-Cert-Life

IoT Certificate Lifecycle

This project demonstrates the certificate lifecycle for IoT devices in a oneM2M-compliant system:

  1. Certificate generation
  2. Device authentication with valid certificate
  3. Certificate revocation
  4. Device authentication with revoked certificate

The project includes:

  • OCSP (Online Certificate Status Protocol) for real-time certificate revocation checking
  • SDS (Secret Discovery Service) for Envoy to dynamically retrieve certificates

System Architecture

The system implements a complete certificate lifecycle with the following components:

Components

  • IoT Device: Authenticates using X.509 certificates
  • oneM2M Server: Validates device certificates and provides access to resources
  • OCSP Responder: Provides real-time certificate status information
  • Certificate Authority (CA): Issues and revokes certificates
  • Secret Discovery Service (SDS): Provides certificate information to Envoy
  • Envoy Proxy: Optional TLS termination and authentication layer

Process Flow

  1. Certificate Generation
     • Certificate Authority generates and provisions device certificate
     • Certificate registered with SDS
  2. Authentication with Valid Certificate
     • Device connects through Envoy with its certificate
     • Envoy validates certificate via SDS
     • Server checks certificate status via OCSP
     • Access granted if certificate is valid
  3. Certificate Revocation
     • Administrator revokes certificate via CA
     • CA updates OCSP with revocation status
  4. Authentication with Revoked Certificate
     • Device attempts connection with revoked certificate
     • Server checks certificate via OCSP
     • OCSP reports revoked status
     • Access denied
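The four steps above, carried out end to end in Python with the `cryptography` library. This is an added example, not the project's own code: `make_ca`, `issue_device_cert`, `authenticate` and `run_lifecycle` are names assumed here, and a plain in-memory set of serial numbers stands in for the OCSP query and for `ca/crl/revoked.txt`.

```python
# Added example, not the project's code. make_ca, issue_device_cert, authenticate and
# run_lifecycle are assumed names; a set of serials stands in for the OCSP lookup.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _now_utc():
    # naive UTC: the form every cryptography release accepts in the certificate builders
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _validity(cert):
    # cryptography >= 42 adds timezone-aware *_utc properties; older releases have only naive ones
    before = getattr(cert, "not_valid_before_utc", None)
    if before is None:
        return cert.not_valid_before, cert.not_valid_after
    return before.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def make_ca(common_name="Demo IoT CA"):
    """Self-signed CA certificate and key (in-memory stand-in for ca_cert.pem / ca_key.pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _now_utc()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def issue_device_cert(ca_cert, ca_key, device_id, days=30):
    """Step 1: the CA issues an end-entity certificate whose CN is the device id; returns (PEM, key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now_utc()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM), key


def authenticate(cert_pem, claimed_device_id, ca_cert, revoked_serials):
    """Steps 2 and 4, server side: returns (allowed, reason); any failed check denies."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.issuer != ca_cert.subject:
        return False, "untrusted issuer"
    try:  # the CA signature over the to-be-signed bytes is what makes the names trustworthy
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "bad signature"
    not_before, not_after = _validity(cert)
    if not (not_before <= _now_utc() <= not_after):
        return False, "outside validity period"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != claimed_device_id:  # bind the certificate identity to the device the client claims to be
        return False, "identity mismatch"
    if cert.serial_number in revoked_serials:  # stands in for the OCSP status query
        return False, "revoked"
    return True, "ok"


def run_lifecycle(device_id="device001"):
    """The four demo steps end to end; returns the outcomes before and after revocation."""
    ca_cert, ca_key = make_ca()
    cert_pem, _device_key = issue_device_cert(ca_cert, ca_key, device_id)
    revoked = set()  # step 3 writes into this, as admin.py writes into crl/revoked.txt
    before = authenticate(cert_pem, device_id, ca_cert, revoked)
    revoked.add(x509.load_pem_x509_certificate(cert_pem).serial_number)
    after = authenticate(cert_pem, device_id, ca_cert, revoked)
    return before, after


if __name__ == "__main__":
    print(run_lifecycle())  # ((True, 'ok'), (False, 'revoked'))
```

The checks in `authenticate` are ordered so that every failure denies: issuer name, then the CA signature over `tbs_certificate_bytes`, then the validity window, then the binding between the certificate's CN and the device id the client claims, and only then revocation status. A certificate issued by a second CA that happens to use the same common name passes the issuer-name comparison and is caught only by the signature check, which is why the name comparison alone is never enough.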

File Architecture

cert_revoke/
│
├── certificate_authority.py   # Core CA functionality, certificate generation/revocation
├── server.py                  # oneM2M server with OCSP certificate validation
├── device.py                  # IoT device client for certificate-based authentication
├── admin.py                   # Admin tool for certificate management
├── ocsp_responder.py          # OCSP server for certificate status verification
├── envoy_sds.py               # Secret Discovery Service for Envoy integration
├── envoy.yaml                 # Envoy Proxy configuration
├── demo.py                    # Complete demo script
├── requirements.txt           # Project dependencies
├── README.md                  # Project documentation
├── .gitignore                 # Git ignore rules
│
├── ca/                        # Generated at runtime - Certificate storage
│   ├── certs/                 # Public certificates
│   │   ├── ca_cert.pem        # CA certificate
│   │   ├── device_*_cert.pem  # Device certificates
│   │   └── issued_certs.json  # Record of issued certificates
│   ├── private/               # Private keys (would be secured in production)
│   │   ├── ca_key.pem         # CA private key
│   │   └── device_*_key.pem   # Device private keys
│   └── crl/                   # Certificate revocation information
│       └── revoked.txt        # List of revoked certificate serial numbers
│
└── __pycache__/               # Python cache files (not committed)

Component Relationships

+---------------+      +----------------+      +-----------------+
| Admin Tool    | ---> | Certificate    | <--- | oneM2M Server   |
| (admin.py)    |      | Authority      |      | (server.py)     |
+---------------+      | (cert_auth.py) |      +-----------------+
                       +----------------+              ^
                              ^   |                    |
                              |   v                    |
+---------------+      +----------------+      +-----------------+
| IoT Device    | ---> | OCSP Responder | <--- | Envoy Proxy     |
| (device.py)   |      | (ocsp_resp.py) |      | (envoy.yaml)    |
+---------------+      +----------------+      +-----------------+
                                                       ^
                                                       |
                                               +-----------------+
                                               | Secret Discovery|
                                               | (envoy_sds.py)  |
                                               +-----------------+

oneM2M Integration

This project aligns with the oneM2M security specifications for certificate-based authentication:

  • The certificate lifecycle follows the oneM2M TS-0003 Security Solutions standard
  • Certificate revocation uses OCSP as specified in oneM2M
  • The implementation can be integrated with oneM2M CSEs (Common Service Entities)
  • The authentication mechanism supports oneM2M entities (AEs, CSEs)

Requirements

  • Python 3.7+
  • Dependencies listed in requirements.txt
  • Envoy Proxy (optional, for SDS demo)

Installation

  1. Clone the repository:
     git clone https://github.com/yourusername/cert_revoke.git
     cd cert_revoke
  2. Create a virtual environment and activate it:
     python -m venv venv
     # On Windows:
     venv\Scripts\activate
     # On macOS/Linux:
     source venv/bin/activate
  3. Install dependencies:
     pip install -r requirements.txt
  4. (Optional) Install Envoy Proxy for SDS demo:

Usage

Run the Demo

To run the certificate lifecycle demo with OCSP and Secret Discovery Service:

python demo.py

This will:

  1. Start the oneM2M server, OCSP responder, and SDS server
  2. Generate a certificate for a device
  3. Test certificate status using OCSP
  4. Test certificate retrieval using SDS
  5. Show successful authentication with the valid certificate
  6. Revoke the certificate
  7. Show failed authentication with the revoked certificate

Manual Usage

1. Start All Services

# Start the oneM2M server
python server.py

# In another terminal, start the OCSP responder
python ocsp_responder.py

# In another terminal, start the SDS server
python envoy_sds.py

# Optional: Start Envoy proxy
envoy -c envoy.yaml

2. Generate a Certificate

python admin.py generate device001

3. Check Certificate Status with OCSP

curl -X POST http://localhost:5002/ocsp \
  -H "Content-Type: application/json" \
  -d '{"serial_number": "<serial_number>"}'

4. Retrieve Certificate from SDS

curl -X POST http://localhost:5003/v3/discovery:secrets \
  -H "Content-Type: application/json" \
  -d '{"type_url": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", "resource_names": ["certificate:device001"]}'

5. Run the Device with a Valid Certificate

python device.py device001

6. Revoke a Certificate

python admin.py revoke <serial_number>

Project Structure

  • certificate_authority.py: Implements the Certificate Authority (CA) functionality with OCSP extensions
  • server.py: oneM2M server that validates certificates using OCSP
  • device.py: IoT device client that authenticates using certificates
  • admin.py: Administration tool for generating and revoking certificates
  • ocsp_responder.py: OCSP responder for certificate status checking
  • envoy_sds.py: Secret Discovery Service for Envoy
  • envoy.yaml: Envoy Proxy configuration with SDS integration
  • demo.py: Demo showing the complete certificate lifecycle with OCSP and SDS

Troubleshooting

Common Issues

  1. Certificate Not Found: Make sure to generate the certificate before running the device
  2. Services Not Starting: Check port conflicts (5000, 5002, 5003)
  3. OCSP Connection Error: Make sure the OCSP responder is running
  4. SDS Connection Error: Make sure the SDS server is running

Debugging Tips

  • Check log output from each service
  • Use the --debug flag with device.py for more detailed logs
  • Verify certificate file paths

Security Notes

This is a simplified demonstration for educational purposes and is not suitable for production use without significant security enhancements:

  1. Uses HTTP instead of HTTPS for some services for demo simplicity
  2. Simplified certificate validation
  3. No protection against various security attacks
  4. Certificates and keys are not properly protected
  5. OCSP responses aren't signed (they should be in production)
  6. SDS implementation is simplified compared to production standards
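Security note 5 says the demo's OCSP responses are unsigned, and the manual OCSP step earlier posts `{"serial_number": ...}` to `/ocsp`. The following is an added example, not the project's `ocsp_responder.py` or `server.py`: it keeps that JSON shape but signs each answer with the responder's RSA key (RSA-PSS with SHA-256), binds the answer to a client-supplied nonce, gives it an expiry, and shows the client-side checks that turn a tampered, stale, replayed or unknown answer into a denial. `OcspResponder`, `verify_status`, the `nonce`, `produced_at` and `next_update` fields and the serial numbers are assumptions for this illustration.

```python
# Added example, not the project's code. OcspResponder, verify_status and the
# nonce/produced_at/next_update fields are assumptions; serials are constructed.
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def _canonical(payload):
    # deterministic encoding so signer and verifier hash exactly the same bytes
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class OcspResponder:
    """Answers status queries for serials this CA issued and signs every answer."""

    def __init__(self, issued, revoked, signing_key, validity_seconds=300):
        self.issued = set(issued)      # serials recorded in issued_certs.json
        self.revoked = set(revoked)    # serials listed in crl/revoked.txt
        self.key = signing_key
        self.validity = validity_seconds

    def respond(self, request, now=None):
        now = int(time.time()) if now is None else now
        serial = request["serial_number"]
        if serial in self.revoked:
            status = "revoked"
        elif serial in self.issued:
            status = "good"
        else:
            status = "unknown"         # never "good" for a serial this CA did not issue
        payload = {
            "serial_number": serial,
            "cert_status": status,
            "produced_at": now,
            "next_update": now + self.validity,   # after this the client must ask again
            "nonce": request.get("nonce"),        # echoed so the client can detect replay
        }
        signature = self.key.sign(_canonical(payload), _PSS, hashes.SHA256())
        return {"response": payload, "signature": base64.b64encode(signature).decode()}


def verify_status(response, responder_public_key, expected_serial, nonce, now=None):
    """Client-side checks; returns (allowed, reason) and denies on any failure."""
    now = int(time.time()) if now is None else now
    payload = response.get("response")
    try:
        signature = base64.b64decode(response.get("signature", ""))
        responder_public_key.verify(signature, _canonical(payload), _PSS, hashes.SHA256())
    except (InvalidSignature, ValueError, TypeError):
        return False, "bad signature"
    if payload.get("nonce") != nonce:
        return False, "nonce mismatch"
    if payload.get("serial_number") != expected_serial:
        return False, "serial mismatch"
    if now > payload.get("next_update", 0):
        return False, "stale response"
    if payload.get("cert_status") != "good":   # "revoked" and "unknown" both deny
        return False, payload.get("cert_status", "unknown")
    return True, "good"


def demo():
    """Constructed data: two issued serials, one of them revoked; returns each verdict."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    responder = OcspResponder(issued={"1A2B", "3C4D"}, revoked={"3C4D"}, signing_key=key)
    pub = key.public_key()
    good = responder.respond({"serial_number": "1A2B", "nonce": "n-1"}, now=1000)
    revoked = responder.respond({"serial_number": "3C4D", "nonce": "n-2"}, now=1000)
    forged = json.loads(json.dumps(revoked))
    forged["response"]["cert_status"] = "good"   # status altered in transit; signature no longer matches
    return {
        "valid": verify_status(good, pub, "1A2B", "n-1", now=1100),
        "revoked": verify_status(revoked, pub, "3C4D", "n-2", now=1100),
        "forged": verify_status(forged, pub, "3C4D", "n-2", now=1100),
        "stale": verify_status(good, pub, "1A2B", "n-1", now=5000),
        "replayed": verify_status(good, pub, "1A2B", "n-9", now=1100),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The client verifies the signature before it looks at any field, so a response whose status was changed after signing is rejected as "bad signature" rather than read as "good". Pinning the nonce and enforcing `next_update` close the two remaining gaps an unsigned-but-correct response leaves open: an old "good" answer captured before revocation cannot be replayed, and an answer cannot be cached past the window the responder allowed.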
