Add support to EST

[sbernard31]

There are 4 bootstrap mode :

• 0: Pre-Shared Key mode
• 1: Raw Public Key mode
• 2: Certificate mode
• 3: NoSec mode
• 4: Certificate mode with EST

We currently support the first four but not the Certificate mode with EST.

The specifications about EST :

• LWM2M-v1.0.2@7.1.11 - Certificate mode with EST
• LWM2M-v1.1@transport§5.2.4 - Bootstrapping

@dachaac begins to work on this but we get no more news from him since a long time. (I really really hope he is doing fine 🤞)

It's ongoing works is available at #859.

To support EST a change about the way we handle x509 certificate chain at client must be changed. For now we get the chain from the Security Object and the security object can only contains Cert Chain with only 1 Certificate. (see OpenMobileAlliance/OMA_LwM2M_for_Developers#502). This could be limiting for an EST use cases.

[sbernard31]

Unfortunately, the active contributor who was working on this project disappeared overnight without giving any news. (I hope he is doing well)

The issue is that @dachaac has much more experience than me about X509 world and so he was a great help to move forward on this.

Currently this work is totally in standby and there is no plan at short/mid term to work on it.
But I see there is some interest about it : #1386 (comment)

Just to have a big picture about the situation :

@JaroslawLegierski @cyril2maq is it something that you will need at some point ?

@Sylphe88, @RomainPelletant, is it something where you could help ?
If no, it's OK I totally understand.
If yes, which kind of help could you provide ?

• clarify needs and help to specify API / behavior ?
• x509 expertise ?
• code review ?
• test code ?
• providing code ?

(I will be not too much available in May, so don't worry if I didn't answer this month)

[cyril2maq]

We have no current plan for it, but one of the device makers we work with did mention it; so it might change in the future.

[RomainPelletant]

A sprint dedicated to EST is pending for approval in few months.
It concerns both server and client so I think we could cover some points.

[dachaac]

Unfortunately, the active contributor who was working on this project disappeared overnight without giving any news. (I hope he is doing well)

Sorry for that.

Unfortunately I am not able to use any time for this anymore.

If someone wants to pick up the pieces I am willing to give free use for those commits that has been made in the branches that are still available. So feel free to modify them as you wish and re-purpose them in any form which you see fit. Feel free to have any changes with your own signed-offs. Related branches / repos will live for a while at least but I cannot guarantee any further activity on those.

At one point of time the server side worked with client from commercial offering. There may be need to have proof-of-possession support (DTLS Channel Binding) for CoAP-EST.

Just in case you are not aware CoAP-EST is now official RFC that future developments should be based on https://www.rfc-editor.org/rfc/rfc9148.html.

[sbernard31]

@dachaac

Sorry for that.
Unfortunately I am not able to use any time for this anymore.

No problem, this is how open source works. Sometime people stop to have time or interest on a project.
Happy to have some news from you. I was really concerned that maybe something very bad happened to you.

If someone wants to pick up the pieces I am willing to give free use for those commits that has been made in the branches that are still available.

Thank you 🙏 and many thanks all your previous valuable contributions 🙏 🙏