[knx] Allow decoding of KNX Data Secure frames #12434
This PR brings support to KNX IP secure, and partial support for KNX data secure (listening only). See previous discussions in #8872. What has been tested:
What is to be tested by someone else:
@kaikreuzer I followed your advice and have only included the passive support for data secure. Outgoing writes and poll requests for secure group addresses are dropped at lowest level. Though, when I change a switch connected to a secure GA, the event log still shows the "Item ... predicted to become ..." (which of course will not happen as I drop the write). Is there a clean way to signal a failed write to the upper layer? Throwing an exception is probably too much, as it gets logged with a full stack trace.
<default>false</default> | ||
<advanced>true</advanced> | ||
</parameter> | ||
<parameter name="keyringFile" type="text" groupName="knxsecure"> |
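Review bot: on the `keyringFile` parameter, `type="text"` accepts any string, so the handler should validate the value before treating it as a file location: resolve it against a fixed configuration directory, reject absolute paths and `..` segments, and report a missing or unreadable file as a configuration error on the thing rather than failing later. The parameter's description should also state which directory the file name is relative to.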
Wouldn't it make sense to add that directly to the JSON database (i.e. add the file content directly here instead of a filename)?
@J-N-K thanks for looking into this. I am not sure. At least there are a few practical reasons to keep it as a separate file:
- keyring files need to be replaced every time you add devices or secure group addresses, this is much easier if you can copy it over using scp
- Calimero Keyring expects a URI for a file location, and does not provide other constructors besides Keyring::load()
- Keyring files contain a signature, which might be invalid if we use a copy-paste approach here....
This pull request has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/knx-secure-initial-implementation/134133/1
@slueder Not sure about the problem with Keyring files you mentioned in #8872. I have added several keyrings to the tests in this PR, all working fine. Spaces may be a problem, the code uses Which branch did you use for your testing?
I retested the keyring approach with the latest version of ETS (6.0.4) and reasonably strong keyring export passwords (8 characters, consisting of upper & lower letters, digits and a limited set of special chars :#,;) and it worked now. I am using commit ID holgerfriedrich@c7114f5. Happy to re-test as soon as you let me know.
Just FYI you program KNX using a program called ETS and the keyring required here is exported from the ETS, it’s the same keyring that allows the ETS full access to the KNX bus.
@holgerfriedrich did this PR get some test mileage on different installations?
@lsiepel unfortunately not yet, at least not after the rebase and latest modifications. I typically deploy to RPI, and I am using Enertex IP interface (connected via IP, with IP secure), Weinzierl 730 (IP w/o IP secure), or Weinzierl kBerry (RPI hat, using serial connection). Give me some time to double check that data secure (decoding incoming encrypted frames) still works as expected.....
Left two comments. LGTM, but it would also be nice of @J-N-K and @florian-h05 to confirm.
I am currently busy till beginning of October, but then should be able to review.
LGTM, let's wait for @florian-h05's review before merge.
* add passive (listening only) access for KNX Data Secure frames, openhab#8872
* add config options for KNX keyring file and password
* ease setup if IP Secure, as required parameters can be read from keyring
* add tests for security functions
* update user documentation

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Accidentally pushed to this PR when working on a followup PR, rolled back, rebased to current main as a force push was anyway necessary.
Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Code LGTM, thanks! Just one minor comment:
I would have loved to give it a try, but I don't have KNX Data nor IP Secure devices.
I have of course tested it against my system - everything still works as expected.
@lsiepel You can merge now 🚀
* [knx] Allow decoding of KNX Data Secure frames Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>