Extending the HelloWorld with security extension

[Rodario]

Hi,

I am currently in the process of extending the HelloWorld example with the security extensions as described in the documentation.

Activating the Authentication plug-in and creating the needed certificates was no problem, the access plug-in however is currently blocking me.

My Error Message when running:
2022-03-08 17:59:41.061 [RTPS_PARTICIPANT Error] Cannot create participant due to security initialization error -> Function createParticipant
2022-03-08 17:59:41.062 [DOMAIN_PARTICIPANT Error] Problem creating RTPSParticipant -> Function enable

I tested it with the certs folder from the SecureHelloWorld example and that works. So my certification process for the access plug-in is faulty.

For the permissions.xml I copy pasted the name of the Subject-string in the corresponding certificates of publisher and subscriber into the <subject_name> tag of the permissions.xml.

I compiled FastDDS with the EPROSIMA_BUILD=ON flag to get the coarse Logs but it did not change the output.

How can I find out what part of the certification process went wrong?
I can post specific file contents if that is interesting.

Thanks in advance :)

[JLBuenoLopez]

Hi @Rodario,

Fast DDS Security implements also the logging plugin. Security events are logged into this plugin and not into the Logging module. The documentation also explains how to enable the plugin. I hope you find this helpful!

[Rodario]

Thanks for the detailed requirements.

* [ ]  The code: the HelloWorld example with your modifications.

Found in src_rodri.zip

* [ ]  XML configuration files and how are you loading them (using the environment variable or calling the file with the default filename)

Found in xml_rodri.zip

The steps I am using are the following two lines I bundled in a bash script:

Governance:
openssl smime -sign -in governance.xml -text -out governance.smime -signer maincacert.pem -inkey maincakey.pem
Permission:
openssl smime -sign -in permissions.xml -text -out permissions.smime -signer maincacert.pem -inkey maincakey.pem

As visible in the src folder, I am loading them with their absolute file path.

* [ ]  Steps you are following to generate the certificates you are using

I am building the maincakey and cert with the following commands from the tutorial:
openssl ecparam -name prime256v1 > ecdsaparam
followed by
openssl req -nodes -x509 -days 3650 -newkey ec:ecdsaparam -keyout maincakey.pem -out maincacert.pem -config maincaconf.cnf

The cert and key for the publisher / subscriber are generated by:
openssl ecparam -name prime256v1 > ecdsaparam
followed by:
openssl req -nodes -new -newkey ec:ecdsaparam -config pubconf.cnf -keyout pubkey.pem -out pubreq.pem
and
openssl ca -batch -create_serial -config maincaconf.cnf -days 3650 -in pubreq.pem -out pubcert.pem
The same for subscriber but with changed file names pub > sub.

* [ ]  The certificates themselves

I bundled the folder containing certs and db files here: certs_rodri.zip
This folder also contains the scripts I used to generate the certificates.

Thanks in advance :)

[JLBuenoLopez]

Thanks for the information, @Rodario!

I regret to say that right now we have a tight schedule and I cannot look into your issue. I will try to find some time in the next few weeks and see if I can determine if it is a misconfiguration or a malfunction.

Sorry for not being of help right now!

[Rodario]

Any possibility of an update?

[EduardoCavValenca]

Hello @Rodario I am in the same situation as yours. Did you identified the error cause ? Any help would be appreciated.

[JesusPoderoso]

Hi @Rodario @EduardoCavValenca, sorry for the late response.
We are performing a refactor in all examples for the next release v3.0.0.
In the next few weeks, when it takes the turn of the secure HelloWorld example, I will take a look at your reproducer.
Thanks for your patience!

[Santti4go]

[SOLVED]
Hey, is there any update on this topic?
I'm getting the same error message working with SROS 2 + Humble.

If I use an intermediate CA instead of a self-signed CA for signing the identity_certificate for Auth plugin as well as S/MIME signing both permissions and governance files for Access Control plugin, even though I'm including the full_chain, i.e. attaching root CA public key to identity_ca, I get the same error showed in the initial message

2024-12-26 12:30:10.087 [RTPS_PARTICIPANT Error] Cannot create participant due to initialization error -> Function createParticipant
2024-12-26 12:30:10.087 [DOMAIN_PARTICIPANT Error] Problem creating RTPSParticipant -> Function enable

I verified all following signatures with openssl verify ... or opensl smime -verify and they look OK.
root CA --> identity_ca : OK
identity_ca --> identity_certificate : OK
permissions_ca (same as identity_ca) --> governance : OK (S/MIME)
permissions_ca (same as identity_ca) --> permissions : OK (S/MIME)

Any ideas where the issue might be?

EDIT: (solved) after installing fastdds from source the error went away. My best guess is it was related to some bug already fixed upstream but not in my ROS 2 binaries.

EDIT 2: the creation of a DataPublisher works fine but after creating a second process to consume the data both process crash