author | Magnus Feuer <mfeuer@jaguarlandrover.com> | 2015-07-03 01:44:57 +0200 |
---|---|---|
committer | Gerrit Code Review <support@gerrithub.io> | 2015-07-03 01:44:57 +0200 |
commit | 145f416885b345fe74ec23517eba9ce30d57e175 (patch) | |
tree | 8bf54461b889058fd6f74d69853f1b79397b301e | |
parent | 30e91aaecea75ed39e751a88b51a32b378e20457 (diff) | |
parent | 0813721cafd1e8e5de58ecd38b93c43e6f52116f (diff) | |
download | rvi_core-145f416885b345fe74ec23517eba9ce30d57e175.tar.gz |
Merge changes from topics 'GitHub #36', 'GitHub #35' into release-next
* changes:
Fixed formatting issue
Updated token and initial certificate distribution mechanisms
-rw-r--r-- | doc/rvi_services.md | 47 |
1 files changed, 30 insertions, 17 deletions
diff --git a/doc/rvi_services.md b/doc/rvi_services.md index f7e43ac..0c290a0 100644 --- a/doc/rvi_services.md +++ b/doc/rvi_services.md @@ -138,21 +138,25 @@ The app is started for the first time and connects to the provisioning server. 2. Device sends authenticate to server<br> The command contains the auth cert (device public key) and the single, -pre-provisioned node certificate giving the device the right to invoke ```jlr.com/provisioning/setup``` - +pre-provisioned node certificate giving the device the right to +invoke ```jlr.com/provisioning/setup``` and the right to +register ```jlr.com/mobile/123456/dm/cert_provision```.<br> +See [Device Management](#device-management) for details. + 3. Server sends authenticate to device<br> The server's auth cert (server public key) is sent, but no node certificates, thus giving the server no rights to register or invoke services with the device. 4. Device sends a service announce to server<br> -The command is empty (and can be omitted) since the device has no -services to register. +The command contains the single service ```jlr.com/mobile/123456/dm/cert_provision```, +which can be invoked by the provisioning service to install a new +certificate on the device. 5. Server sends a service announce to device<br> The command contains the service ```jlr.com/provisioning/setup```. -6. Device invokes ```jlr.com/provisioning/setup on server```<br> +6. Device invokes ```jlr.com/provisioning/setup``` on server<br> The sole argument is the device ID, which is 1234. The command is validated by the server through the pre-provisioned cert. 
@@ -161,12 +165,24 @@ The created cert gives the holder the right to invoke ```jlr.com/vin/ABCD/unlock The certificate also gives the holder the right to register jlr.com/mobile/1234/status.<br> The certificate is signed by root cert and encrypted with device public key from step 2.<br> -8. Side band transmission of node certificate to device<br> -Server sends encrypted certificate to device through SMS or similar, -using the device ID from step 4 as the destination address. +8. Sideband token transmission from provisioning service to device<br> +The provsioning server transmits a 128 bit random token to the device +using a sideband channel such as SMS or similar. + +10. Device invokes ```jlr.com/provisioning/request_certificate``` on server<br> +The device provides its public key and the token received in step 9 as +arguments to the call. + +11. Provisioning service invokes ```jlr.com/mobile/123456/dm/cert_provision```<br> +The provisioning service invokes certificate provisioning service on +the device, announced by the device to the service in step 4, to +install the certificate created in step 7. + +12. Device unpacks and stores certificate<br> +The device decrypts the certificate using its private key, validates +the signature against a locally installed root certificate. + -9. Devices receives, decrypts, and stores certificate<br> -The device now has the certificate to present to the vehicle for lock/unlock.<br> #### Device authentication / authorization.<br> 
@@ -176,17 +192,14 @@ Connection is done over bluetooth, with no Internet connection. 2. Device sends authenticate to vehicle<br> The command contains the auth cert together with the received node -certificate, proving that it has the right to invoke - ```jlr.com/vin/ABCD/unlock```.<br> +certificate, proving that it has the right to invoke ```jlr.com/vin/ABCD/unlock```. It also proves that the device has the right to register - ```jlr.com/mobile/1234/status```. +<br> ```jlr.com/mobile/1234/status```. 3. Vehicle sends authenticate to device<br> The server's auth cert (server public key) is sent, together with a -pre-provisioned node certificate giving it the rights to register - ```jlr.com/vin/ABCD/unlock```.<br> -The certificate also gives the vehicle the right to invoke - ```jlr.com/mobile/*/status```. +pre-provisioned node certificate giving it the rights to register ```jlr.com/vin/ABCD/unlock```.<br> +The certificate also gives the vehicle the right to invoke ```jlr.com/mobile/*/status```. 4. Device sends service announce to vehicle<br> The command contains ```jlr.com/mobile/1234/status```.<br> |
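Review bot: In the hunk at @@ -138,21 +138,25 @@, the added service name jlr.com/mobile/123456/dm/cert_provision (steps 2 and 4) uses device ID 123456, while the unchanged step 6 in the same hunk says the device ID is 1234 and the later sections register jlr.com/mobile/1234/status. Use one device ID throughout the walkthrough, or state explicitly that 123456 is a different identifier. As written, a reader cannot tell whether the register right granted by the pre-provisioned certificate in step 2 applies to the same device that calls setup with ID 1234.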
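Review bot: In the hunk at @@ -161,12 +165,24 @@, the new steps are numbered 8, 10, 11, 12, and step 10 refers to "the token received in step 9" although the token is sent in step 8. Renumber the added steps consecutively and fix that cross-reference, rechecking the "step 4" and "step 7" references in step 11 at the same time. "provsioning" in step 8 should read "provisioning". The flow also never says what the server does with the token: add a sentence to step 10 or 11 stating that the server checks the presented token against the one it sent before invoking cert_provision, and whether a token can be used more than once. Step 12 joins two clauses with a comma ("decrypts the certificate using its private key, validates the signature") and drops the removed closing sentence about the device now holding the certificate for lock/unlock; consider "decrypts ... and validates ..." and keeping a sentence that states the outcome.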
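Review bot: In the hunk at @@ -176,17 +192,14 @@, step 2 now has the line break in the wrong place: the added line "<br> ```jlr.com/mobile/1234/status```." puts the break between "the right to register" and the service name, and the unlock sentence lost its trailing <br>. Step 3 in the same hunk keeps each sentence on one line with <br> at the end, so step 2 should follow the same pattern: end the unlock line with ".<br>" and put the status service name on the same line as "the right to register". Separately, the unchanged context in step 3 says "The server's auth cert (server public key)" under the heading "Vehicle sends authenticate to device"; if the vehicle's certificate is meant, that wording is worth correcting while this section is being touched.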