Check Oscore Identity of server at client side

eclipse-leshan · Mar 18, 2022 · 48b1d60 · 48b1d60
1 parent fa9c632
commit 48b1d60
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/...t-cf/src/main/java/org/eclipse/leshan/client/californium/CaliforniumEndpointsManager.java b/...t-cf/src/main/java/org/eclipse/leshan/client/californium/CaliforniumEndpointsManager.java
@@ -33,6 +33,7 @@
 import org.eclipse.californium.cose.AlgorithmID;
 import org.eclipse.californium.cose.CoseException;
 import org.eclipse.californium.elements.Connector;
+import org.eclipse.californium.elements.EndpointContext;
 import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
 import org.eclipse.californium.elements.config.Configuration;
 import org.eclipse.californium.elements.util.CertPathUtil;
@@ -52,6 +53,7 @@
 import org.eclipse.leshan.client.servers.ServerInfo;
 import org.eclipse.leshan.core.CertificateUsage;
 import org.eclipse.leshan.core.SecurityMode;
+import org.eclipse.leshan.core.californium.EndpointContextUtil;
 import org.eclipse.leshan.core.californium.EndpointFactory;
 import org.eclipse.leshan.core.californium.oscore.cf.InMemoryOscoreContextDB;
 import org.eclipse.leshan.core.californium.oscore.cf.OscoreParameters;
@@ -357,7 +359,8 @@ public synchronized Endpoint getEndpoint(ServerIdentity server) {
         return null;
     }
 
-    public synchronized ServerIdentity getServerIdentity(Endpoint endpoint, InetSocketAddress serverAddress) {
+    public synchronized ServerIdentity getServerIdentity(Endpoint endpoint, InetSocketAddress serverAddress,
+            EndpointContext endpointContext) {
         // TODO support multi server
 
         // knowing used CoAP endpoint we should be able to know the server identity because :
@@ -370,6 +373,19 @@ public synchronized ServerIdentity getServerIdentity(Endpoint endpoint, InetSock
                     && !currentServer.getIdentity().getPeerAddress().equals(serverAddress)) {
                 return null;
             }
+            // For OSCORE, be sure OSCORE is used.
+            if (currentServer.getIdentity().isOSCORE()) {
+                Identity foreignPeerIdentity = EndpointContextUtil.extractIdentity(endpointContext);
+                if (!foreignPeerIdentity.isOSCORE() //
+                        // we also check OscoreIdentity but this is probably not useful
+                        // because we are using static OSCOREstore which holds only 1 OscoreParameter,
+                        // so if the request was successfully decrypted and OSCORE is used, this MUST be the right
+                        // server.
+                        || !foreignPeerIdentity.getOscoreIdentity()
+                                .equals(currentServer.getIdentity().getOscoreIdentity())) {
+                    return null;
+                }
+            }
             return currentServer;
         }
         return null;

diff --git a/...lient-cf/src/main/java/org/eclipse/leshan/client/californium/LwM2mClientCoapResource.java b/...lient-cf/src/main/java/org/eclipse/leshan/client/californium/LwM2mClientCoapResource.java
@@ -73,6 +73,7 @@ protected ServerIdentity getServerOrRejectRequest(CoapExchange exchange) {
      * @throws IllegalStateException if we are not able to extract {@link ServerIdentity}.
      */
     protected ServerIdentity extractIdentity(CoapExchange exchange) {
-        return endpointsManager.getServerIdentity(exchange.advanced().getEndpoint(), exchange.getSourceSocketAddress());
+        return endpointsManager.getServerIdentity(exchange.advanced().getEndpoint(), exchange.getSourceSocketAddress(),
+                exchange.advanced().getRequest().getSourceContext());
     }
 }