17. Relevant Connext APIs
17.1. Relevant functions
The Core Libraries include some API functions that are relevant to the Security Plugins.
17.1.1. banish_ignored_participants
This method complements ignore_participant
, which prevents the
local DomainParticipant from processing traffic from the remote DomainParticipant. When security is
enabled, this method prevents already ignored remote DomainParticipants from processing
traffic from the local DomainParticipant by implementing the key regeneration and
redistribution capabilities described in the section
Limiting the Usage of Specific Key Material.
Note
For a demonstration of this method, see
<path to examples>/connext_dds/c/hello_banish
.
17.1.2. discovered_participant_subject_name
This method works almost as documented in the
RTI Connext Modern C++ API DomainParticipant Class Reference.
The main difference is that when security is enabled, this method retrieves the
Identity Certificate’s subject name (see
Identity Certificates) instead of the
participant_name.name
. With this functionality, you can make a list
of currently discovered subject names and make decisions based on these names.
The format of the resulting subject name differs between OpenSSL and wolfSSL. If you use OpenSSL, the subject name attributes will be separated by spaces and commas. If you use wolfSSL, the subject name attributes will be separated only by slashes. Here is an example:
C = US, ST = CA, L = Sunnyvale, O = ACME Inc., OU = CTO Of-fice, CN = DDS Shapes Demo, emailAddress = cto@acme.com
/C=US/ST=CA/L=Sunnyvale/O=ACME Inc./OU=CTO Of-fice/CN=DDS Shapes Demo/emailAddress=cto@acme.com
If the discovered DomainParticipant has not completed authentication, then DDS_RETCODE_NO_DATA is the result.
Note
For a demonstration of this method, see
<path to examples>/connext_dds/c/hello_banish
.
17.1.3. discovered_participants_from_subject_name
This method works almost as documented in the
RTI Connext Modern C++ API DomainParticipant Class Reference.
The main difference is that when security is enabled, this method takes as an
input the Identity Certificate’s subject name (see
Identity Certificates) instead of the
participant_name.name
. As a consequence, the subject name input may
not be NULL
or malformed (e.g., with attributes that don’t exist
according to RFC 4514). With
this functionality, the Security Plugins bridge the gap between InstanceHandle_t and subject
names. For example, if you know the subject name of a discovered DomainParticipant that you
want to ignore, and you need to get the associated InstanceHandle_t, you can
call this method and then pass the result into ignore_participant
.
If a discovered DomainParticipant has not completed authentication, then it is not included in the resulting sequence of InstanceHandle_t.
If using “RTPS-HMAC-Only”, this method returns DDS_RETCODE_UNSUPPORTED.
Otherwise, if the subject name input is NULL
or malformed, this
method returns DDS_RETCODE_BAD_PARAMETER.
Note
For a demonstration of this method, see
<path to examples>/connext_dds/c/hello_banish
.
17.1.4. discovered_participant_data
This method works as documented in the RTI Connext Modern C++ API DomainParticipant Class Reference. The returned participant data contains security information about the remote DomainParticipant. This information is in the trust_protection_info and trust_algorithm_info members of the participant builtin topic data, which have a type of ParticipantTrustProtectionInfo and ParticipantTrustAlgorithmInfo.
The equivalent APIs for the Endpoints (matched_publication_data and matched_subscription_data) also return data that has the trust_protection_info and trust_algorithm_info information associated with them.
The contents of the trust_protection_info participant and endpoint data structures are according to the descriptions in the ParticipantSecurityInfo and EndpointSecurityInfo of the OMG DDS Security specification. You can learn more about the contents of the trust_algorithm_info data structures by reading about the security algorithms and the matching process for two Secure DomainParticipants (or Secure Endpoints) in sections allowed_security_algorithms (domain_rule) and Discovery of a Remote Secure Entity of this User’s Manual.
17.1.5. on_invalid_local_identity_status_advance_notice
This function is a
DomainParticipantListener
callback. It gets invoked when the local DomainParticipant’s Identity Certificate or Identity CA
has already expired or will expire within the duration specified by the
dds.participant.trust_plugins.certificate_expiration_advance_notice_duration.sec
property. For more information, please see
Dynamic Certificate Expiration of the Local DomainParticipant.
17.2. Relevant types for the Governance Document
The Core Libraries include some types that are relevant to the Security Plugins Governance Document.
DDS Type |
Security Plugins Type |
---|---|
DDS_ParticipantSecurityProtectionInfo |
|
DDS_ParticipantTrustAttributesMask bitmask |
DDS_ParticipantSecurityAttributesMask participant_attributes |
DDS_PluginParticipantTrustAttributesMask plugin_bitmask |
DDS_PluginParticipantSecurityAttributesMask plugin_participant_attributes |
DDS_PluginParticipantTrustAttributesMask |
DDS_PluginParticipantSecurityAttributesMask |
DDS_EndpointSecurityProtectionInfo |
|
DDS_EndpointTrustAttributesMask bitmask |
DDS_EndpointSecurityAttributesMask endpoint_attributes |
DDS_PluginEndpointTrustAttributesMask plugin_bitmask |
DDS_PluginEndpointSecurityAttributesMask plugin_endpoint_attributes |
DDS_EndpointTrustAttributesMask |
DDS_EndpointSecurityAttributesMask |
DDS_PluginEndpointTrustAttributesMask |
DDS_PluginEndpointSecurityAttributesMask |
bitmask bit value |
Definition in the Security Plugins (prefix with |
Configuration |
---|---|---|
|
IS_RTPS_PROTECTED |
Governance Document |
|
IS_DISCOVERY_PROTECTED |
Governance Document |
|
IS_LIVELINESS_PROTECTED |
Governance Document |
|
ARE_KEY_REVISIONS_ENABLED |
PropertyQosPolicy |
|
IS_RTPS_PROTECTED_WITH_PRESHARED_KEY |
Governance Document |
|
IS_VALID |
This bit indicates whether the rest of the |
plugin_bitmask bit value |
Definition in the Security Plugins (prefix with |
Configuration in the Governance Document |
---|---|---|
|
IS_RTPS_ENCRYPTED |
|
|
IS_DISCOVERY_ENCRYPTED |
|
|
IS_LIVELINESS_ENCRYPTED |
|
|
IS_RTPS_ORIGIN_AUTHENTICATED |
|
|
IS_DISCOVERY_ORIGIN_AUTHENTICATED |
|
|
IS_LIVELINESS_ORIGIN_AUTHENTICATED |
|
|
IS_RTPS_ENCRYPTED_WITH_PRESHARED_KEY |
|
|
IS_VALID |
This bit indicates whether the rest of the |
bitmask bit value |
Definition in the Security Plugins (prefix with |
Configuration in the Governance Document |
---|---|---|
|
IS_READ_PROTECTED |
|
|
IS_WRITE_PROTECTED |
|
|
IS_DISCOVERY_PROTECTED |
|
|
IS_SUBMESSAGE_PROTECTED |
|
|
IS_PAYLOAD_PROTECTED |
|
|
IS_KEY_PROTECTED |
|
|
IS_LIVELINESS_PROTECTED |
|
|
IS_VALID |
This bit indicates whether the rest of the |
plugin_bitmask bit value |
Definition in the Security Plugins (prefix with |
Configuration in the Governance Document |
---|---|---|
|
IS_SUBMESSAGE_ENCRYPTED |
|
|
IS_PAYLOAD_ENCRYPTED |
|
|
IS_SUBMESSAGE_ORIGIN_AUTHENTICATED |
|
|
IS_VALID |
This bit indicates whether the rest of the |
17.3. Relevant types for the Security Algorithms
The Core Libraries include some types that are relevant to the algorithms used in the Security Plugins.
DDS Type |
Security Plugins Type |
---|---|
DDS_TrustAlgorithmSet |
DDS_CryptoAlgorithmSet |
DDS_TrustAlgorithmRequirements |
DDS_CryptoAlgorithmRequirements |
DDS_ParticipantSecurityAlgorithmInfo |
|
DDS_ParticipantSecurityDigitalSignatureAlgorithmInfo |
|
DDS_TrustAlgorithmRequirements trust_chain DDS_TrustAlgorithmRequirements message_auth |
DDS_CryptoAlgorithmRequirements trust_chain DDS_CryptoAlgorithmRequirements message_auth |
DDS_ParticipantSecurityKeyEstablishmentAlgorithmInfo |
|
DDS_TrustAlgorithmRequirements shared_secret |
DDS_CryptoAlgorithmRequirements shared_secret |
DDS_ParticipantSecuritySymmetricCipherAlgorithmInfo |
|
DDS_TrustAlgorithmSet supported_mask DDS_TrustAlgorithmSet builtin_endpoints_required_mask DDS_TrustAlgorithmSet builtin_kx_endpoints_required_mask |
DDS_CryptoAlgorithmSet supported_mask DDS_CryptoAlgorithmSet builtin_endpoints_required_mask DDS_CryptoAlgorithmSet builtin_kx_endpoints_required_mask |
DDS_EndpointSecurityAlgorithmInfo |
|
DDS_EndpointSecuritySymmetricCipherAlgorithmInfo |
|
DDS_TrustAlgorithmSet required_mask |
DDS_CryptoAlgorithmSet required_mask |
Read section Discovery of a Remote Secure Entity to understand how the previous types are used and the consequences of having one value or another. The following tables list the possible values and the algorithms associated with each of them:
Bit value |
Definition in the Security Plugins (prefix with
|
Configuration |
---|---|---|
|
RSASSA_PSS_MGF1SHA256_2048_SHA256 RSASSA-PSS-MGF1SHA256+2048+SHA256 |
|
|
RSASSA_PKCS1V15_2048_SHA256 RSASSA-PKCS1-V1_5+2048+SHA256 |
|
|
ECDSA_P256_SHA256 ECDSA+P256+SHA256 |
|
|
ECDSA_P384_SHA384 ECDSA+P384+SHA384 |
|
|
CUSTOM CUSTOM |
|
Bit value |
Definition in the Security Plugins (prefix with
|
Configuration |
---|---|---|
|
DHE_MODP_2048_256 DHE+MODP-2048-256 |
|
|
ECDHE_CEUM_P256 ECDHE-CEUM+P256 |
|
|
ECDHE_CEUM_P384 ECDHE-CEUM+P384 |
|
|
CUSTOM CUSTOM |
|
Bit value |
Definition in the Security Plugins (prefix with
|
Configuration |
---|---|---|
|
AES128_GCM AES128+GCM |
|
|
AES256_GCM AES256+GCM |
|
|
CUSTOM CUSTOM |
|
The highest bit
(RTI_SECURITY_CRYPTO_ALGORITHM_INFO_BIT_COMPATIBILITY_MODE: 0x1 << 31
) is
always reserved and has a special meaning: it’s used to simplify how to check if
two cryptographic algorithm masks are compatible. When the compatibility mode
bit is not set, all algorithms in the mask of required algorithms must be in the
supported mask as well. When the compatibility mode bit is set, the masks will
be compatible as long as one algorithm is both supported and required.
For more information read the note in section
Discovery of a Remote Secure Entity.
Bit value |
Definition in the Security Plugins (prefix with
|
Configuration |
---|---|---|
|
COMPATIBILITY_MODE PARTIAL_MATCH_ALLOWED |
This bit is set only as part of the |
Note
We use the custom bit to represent any custom security algorithm in a category. The RTI_SECURITY_DIGITAL_SIGNATURE_ALGORITHM_INFO_BIT_EDDSA_ED25519_SHA512, and RTI_SECURITY_DIGITAL_SIGNATURE_ALGORITHM_INFO_BIT_EDDSA_ED448_SHAKE256 definitions map to RTI_SECURITY_DIGITAL_SIGNATURE_ALGORITHM_INFO_BIT_CUSTOM. The RTI_SECURITY_KEY_ESTABLISHMENT_ALGORITHM_INFO_BIT_ECDHE_CEUM_X25519, and RTI_SECURITY_KEY_ESTABLISHMENT_ALGORITHM_INFO_BIT_ECDHE_CEUM_X448 definitions map to RTI_SECURITY_KEY_ESTABLISHMENT_ALGORITHM_INFO_BIT_CUSTOM. RTI_SECURITY_SYMMETRIC_CIPHER_ALGORITHM_INFO_BIT_AES192_GCM maps to RTI_SECURITY_SYMMETRIC_CIPHER_ALGORITHM_INFO_BIT_CUSTOM.
Attention
The security algorithm masks are not transmitted (to minimize discovery overhead) if their contents match the default values for discovery. For more information, see allowed_security_algorithms (domain_rule).