TR069: Digest authentication between the CPE and the ACS

Preface: Understanding the authentication process between the CPE and the ACS is a good first step toward learning some of TR069's rules. This article is only a record of some experience gained while experimenting; it does not explain the protocol in depth, and some of its points may contain errors. It is aimed at people who are new to TR069.

Environment

OS: Ubuntu 14.04 LTS
CPE: easyCWMP
ACS: GenieACS

*Other open-source ACSs:
openACS: long unmaintained, and the author has also deleted the source. There is currently an "openACS" official site, but that openACS is not this openACS; do not confuse the two.
freeACS: very easy to install with a one-click script; see its official site.
GenieACS: the newest open-source ACS I know of, and still maintained. The documentation is comprehensive; I recommend it for building a test server.*

Installing easyCWMP

The official documentation is fairly detailed and 95% of its steps work as written. I only mention the few places where following the official documentation may go wrong:
libubox fails during make with:

blobmsg_json.c:78:2 error: implicit declaration of function 'is_error'
jshn.c:162:2: error: implicit declaration of function 'is_error'

Fix: add the following line to the affected files:

#define is_error(ptr) (ptr == NULL)

In total 2-3 files have this problem; add the line to each of them as above.

Running easycwmp fails with:

error while loading shared libraries: libjson-c.so.3: cannot open shared object file: No such file or directory

Fix: run the following command:

ln -sf /usr/local/lib/libjson-c.so.3.0.0 /usr/lib/libjson-c.so.3

Installing GenieACS

GenieACS's documentation is very detailed, so I will not repeat the installation process here; see the official documentation. Pay attention to the versions it specifies to avoid all kinds of version incompatibilities.

Authentication flow

TR069 allows several authentication methods; this article only describes Digest authentication. Digest authentication can be initiated either from the CPE side or from the ACS side. We discuss the two cases separately below, but there are some common steps, which we cover here first.
By default GenieACS communicates with the CPE over an unencrypted connection; in real use some protection is certainly required. Since TR069 runs over HTTP, HTTPS is the obvious choice, and that requires a certificate. This article is experimental in nature, so we make our own certificate by running the following commands (make sure openssl is installed):

openssl genrsa 1024 > key.pem
openssl req -new -x509 -key key.pem > cert.pem

These are the simplest possible steps; the resulting certificate is valid for 30 days.
This section is based on the GenieACS documentation.
Note: for Common Name, enter the IP address of the PC that runs GenieACS.

ACS-initiated Digest authentication

The authentication flow is as follows:

CPE                                              ACS
1.<------------------HTTP (no auth header)------------
2.------------------ 401 Unauthorized---------------->
3.<------------------HTTP GET (with auth header)------
4.------------------200 OK--------------------------->
5.<-----------------100 Continue----------------------
6.------------------Inform (6 CONNECTION REQUEST)---->
7.<------------------200 OK---------------------------

GenieACS documentation link
Testing ACS-initiated Digest authentication with GenieACS is fairly simple. In the config folder under the GenieACS installation root there is a file auth-sample.js. The easyCWMP log of the resulting connection-request session looks like this:

+++ RECEIVED HTTP REQUEST +++
http_digest_auth_fail_response(336):: http_digest_auth_fail_response: header: Digest realm="[email protected]",qop="auth",nonce="1057d42b5253defd585d849e59e803f70001b083",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION FAILED +++
+++ RECEIVED HTTP REQUEST +++
http_digest_auth_check(379):: http_digest_auth_check: header: username="easycwmp",realm="[email protected]",nonce="1057d42b5253defd585d849e59e803f70001b083",uri="/",qop=auth,nc=00000001,cnonce="0a4f113b",response="4055d3c9d9284a0ec0e1340065414342",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION SUCCESS +++
2018-05-03 15:37:04 [easycwmp] NOTICE - acs initiated connection
2018-05-03 15:37:04 [easycwmp] NOTICE - add event '6 CONNECTION REQUEST'
2018-05-03 15:37:04 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 15:37:04 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 15:37:04 [easycwmp] NOTICE - external script init
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 15:37:04 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">13</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>6 CONNECTION REQUEST</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T15:37:04+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#24)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 24
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 523
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="ed1d383f6e52e056" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=ed1d383f6e52e056
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">13</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 15:37:04 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x6f90d0
* Re-using existing connection! (#25) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=ed1d383f6e52e056
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 15:37:04 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 15:37:04 [easycwmp] NOTICE - external script exit
2018-05-03 15:37:04 [easycwmp] NOTICE - end session success

The log above is long; the important part is in the first few dozen lines, which follow the ACS-initiated Digest authentication flow above exactly.
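Worked example (added here; not code from easycwmp or GenieACS): steps 1-4 of the exchange above in Python, with a parser for the header values that appear in the log, the RFC 2617 response computation (qop=auth), and a CPE-side verifier that refuses unknown nonces and replayed nonce counts. The realm, username and password are constructed; the nonce and cnonce are the ones from the log.

```python
"""Digest access authentication (RFC 2617, qop=auth) on the ACS -> CPE connection-request leg.
Added example, not easycwmp or GenieACS code; realm/user/password values are constructed."""
import hashlib
import hmac
import re
from typing import Dict

# key="quoted value" or key=bare (qop=auth and nc=00000001 are unquoted in the log above)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value: str) -> Dict[str, str]:
    """Parse the parameter list of a Digest WWW-Authenticate or Authorization header."""
    if value.startswith("Digest "):
        value = value[len("Digest "):]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(value)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """CPE side of the exchange (the role http_digest_auth_check plays in the log): issues the
    401 challenge and checks the answer, remembering each nonce's highest nc so that a captured
    Authorization header cannot simply be sent again."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.users = users                 # username -> password
        self.nonces: Dict[str, int] = {}   # issued nonce -> last accepted nc

    def challenge(self, nonce: str) -> str:
        """Step 2: the WWW-Authenticate value sent with the 401."""
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}",qop="auth",nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        """Step 3: validate the Authorization header of the retried request."""
        p = parse_digest_header(authorization)
        try:
            user, nonce, nc = p["username"], p["nonce"], int(p["nc"], 16)
        except (KeyError, ValueError):
            return False
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        if nonce not in self.nonces or nc <= self.nonces[nonce]:
            return False                   # nonce we never issued, or nc replayed
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, p.get("uri", "/"),
                                   nonce, p["nc"], p.get("cnonce", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.nonces[nonce] = nc            # accept and advance the replay window
        return True


def demo_connection_request() -> Dict[str, bool]:
    """Run steps 1-4 with constructed credentials; nonce and cnonce are taken from the log above."""
    cpe = DigestVerifier("easycwmp", {"easycwmp": "easycwmp"})
    nonce = "1057d42b5253defd585d849e59e803f70001b083"
    chal = parse_digest_header(cpe.challenge(nonce))
    resp = digest_response("easycwmp", chal["realm"], "easycwmp", "GET", "/",
                           chal["nonce"], "00000001", "0a4f113b")
    auth = (f'Digest username="easycwmp",realm="{chal["realm"]}",nonce="{nonce}",uri="/",'
            f'qop=auth,nc=00000001,cnonce="0a4f113b",response="{resp}"')
    return {
        "wrong_response": cpe.verify("GET", auth.replace(resp, "0" * 32)),  # False
        "first": cpe.verify("GET", auth),                                   # True
        "replay": cpe.verify("GET", auth),                                  # False: same nc again
    }
```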

CPE-initiated Digest authentication

The authentication flow is as follows:

CPE                                                ACS
1.------------------Inform (HTTP, no auth header)---->
2.<------------------401 (HTTP, no auth header)-------
3.------------------Inform (HTTP, with auth header)-->
4.<------------------200 OK---------------------------
5.------------------ Content-Length: 0--------------->

This flow turns out to be even simpler than ACS-initiated authentication, but because GenieACS does not yet support CPE-to-ACS authentication, it can only be done through an nginx proxy, which makes it a little more troublesome.
Official documentation link
Here is a brief outline of the documentation; please make sure to read the official documentation itself. The main steps are:
Modify the GenieACS configuration file genieacs/config/config.json, setting every IP to the loopback address 127.0.0.1:

{
  "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
  "REDIS_PORT" : "6379",
  "REDIS_HOST" : "127.0.0.1",
  "CWMP_INTERFACE" : "127.0.0.1",
  "CWMP_PORT" : 7547,
  "NBI_INTERFACE" : "127.0.0.1",
  "NBI_PORT" : 7557,
  "FS_INTERFACE" : "127.0.0.1",
  "FS_PORT" : 7567,
  "FS_HOSTNAME" : "tr069.tdt.de",
  "FS_SSL" : true,
  "LOG_INFORMS" : true,
  "DEBUG" : false
}

Install nginx:

sudo apt-get install nginx                                                            # install nginx
touch /etc/nginx/sites-available/tr069.tdt.de                                         # add new nginx config
ln -s /etc/nginx/sites-available/tr069.tdt.de /etc/nginx/sites-enabled/tr069.tdt.de   # enable config

Modify the nginx configuration file /etc/nginx/nginx.conf so that requests are proxied to the local GenieACS ports:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    server {
        listen 10.10.2.226:7557;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.nbi.log combined;
        error_log /var/log/nginx/example.de.nbi.log;

        location / {
            proxy_pass http://127.0.0.1:7557;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }

    server {
        listen 10.10.2.226:7547;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.cwmp.log combined;
        error_log /var/log/nginx/example.de.cwmp.log;

        location / {
            proxy_pass http://127.0.0.1:7547;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }

    server {
        listen 10.10.2.226:7567;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.fs.log combined;
        error_log /var/log/nginx/example.de.fs.log;

        location / {
            proxy_pass https://127.0.0.1:7567;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }
}

In short, all requests to 10.10.2.226 are forwarded to 127.0.0.1, which is why we earlier set all of the ACS's IPs in the GenieACS configuration to 127.0.0.1.
So if you test on a single machine, the ACS can also be reached directly via 127.0.0.1, but that bypasses nginx and no authentication takes place at all. Therefore we also need to modify the easyCWMP configuration file /etc/config/easycwmp and change the IP in the acs section to 10.10.2.226, as follows:

config local
    option interface 'eth0'
    option port '7548'
    option ubus_socket '/var/run/ubus.sock'
    option date_format '%FT%T%z'
    option username 'easycwmp'
    option password 'easycwmp'
    option logging_level '3'

config acs
    option url 'https://10.10.2.226:7547'
    option ssl_verify 'enabled'
    option ssl_cert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option ssl_cacert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option username 'zzj'
    option password '123456'
    option periodic_enable '1'
    option periodic_time '0001-01-01T00:00:00Z'
    option parameter_key 'unsetCommandKey'
    option periodic_interval '1800'

config device
    option manufacturer 'easycwmp'
    option oui 'FFFFFF'
    option product_class 'easycwmp'
    option serial_number 'number1'
    option hardware_version 'example_hw_version'
    option software_version 'example_sw_version'

The nginx configuration above uses the parameter auth_basic_user_file, which names a file holding usernames and passwords, so we need to create the ms-htpasswd file. The official documentation links to an explanation of how to create this file; if you find it hard to follow, you can refer to this article.
Finally we also need a small change to the easyCWMP source: in the http_client_init function in http.c, add the setting for the certificate's private key:

/* in http_client_init(): the CURLOPT_SSLCERT line already exists, CURLOPT_SSLKEY is the addition */
if (config->acs->ssl_cert) {
	curl_easy_setopt(curl, CURLOPT_SSLCERT, config->acs->ssl_cert);
	/* the acs config struct has no key option, so the key path is hard-coded here */
	curl_easy_setopt(curl, CURLOPT_SSLKEY, "/home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem");
}

I am not sure why the acs struct has no definition for the key. Perhaps because my certificate was generated from the key, so the key has to be present for verification?

Verification

Starting GenieACS is a bit troublesome, so here are the commands to start everything:
Start mongodb: /usr/bin/mongod
Start redis-server: /usr/bin/redis-server
Start the ACS: ./genieacs/bin/genieacs-cwmp
Start the NBI: ./genieacs/bin/genieacs-nbi
Start the ACS GUI: run rails s in the genieacs-gui directory

Start easyCWMP:

sudo /usr/sbin/easycwmpd -f

Look at the easyCWMP log:

[email protected]:/opt/dev/easycwmp$ sudo /usr/sbin/easycwmpd -f
2018-05-03 16:54:43 [easycwmp] NOTICE - add event '1 BOOT'
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
config_init_local(58):: [email protected][0].interface=eth0
config_init_local(68):: [email protected][0].port=7548
config_init_local(86):: [email protected][0].ubus_socket=/var/run/ubus.sock
config_init_local(74):: [email protected][0].username=easycwmp
config_init_local(80):: [email protected][0].password=easycwmp
config_init_local(97):: [email protected][0].logging_level=3
config_init_acs(162):: [email protected][0].url=https://10.10.2.226:7547
config_init_acs(220):: [email protected][0].ssl_verify=1
config_init_acs(205):: [email protected][0].ssl_cert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(210):: [email protected][0].ssl_cacert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(168):: [email protected][0].username=zzj
config_init_acs(174):: [email protected][0].password=123456
config_init_acs(180):: [email protected][0].periodic_enable=1
config_init_acs(193):: [email protected][0].periodic_time=0001-01-01T00:00:00Z
config_init_acs(186):: [email protected][0].periodic_interval=1800
2018-05-03 16:54:43 [easycwmp] NOTICE - init periodic inform: reference time = -62135625943, interval = 1800
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute update_value_change  
2018-05-03 16:54:43 [easycwmp] NOTICE - daemon started
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform device_id 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - interface eth0 has ip 10.10.2.226
main(329): ubus initialization failed
+++ HTTP SERVER CONFIGURATION +++
ip: '10.10.2.226'
port: '7548'
--- HTTP SERVER CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - http server initialized
2018-05-03 16:54:43 [easycwmp] NOTICE - entering main loop
2018-05-03 16:54:43 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 16:54:43 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">1</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>1 BOOT</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T16:54:43+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#0)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 0
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 522
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="e5fd17b60f6b9a3c" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=e5fd17b60f6b9a3c
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">1</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 16:54:43 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x156e970
* Re-using existing connection! (#1) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=e5fd17b60f6b9a3c
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 16:54:43 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - end session success

From the log we can see that authentication "appears" to take place, but it differs slightly from the flow described above: the CPE-to-ACS authentication here is not Digest authentication but Basic authentication? The official documentation says:

For this workaround it is only possible to make an auth with username/password; the deviceid will not be checked!
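Added example (not GenieACS, nginx or easycwmp code) of what the nginx workaround checks and what it leaves out: it decodes the Basic Authorization header that appears in the log, parses a cut-down copy of the Inform, and adds the DeviceId-to-account binding that auth_basic alone cannot provide. The device inventory and the account mapping are constructed.

```python
"""CPE -> ACS leg behind the nginx workaround: Basic credentials plus the DeviceId binding
that auth_basic cannot perform.  Added example, not GenieACS, nginx or easycwmp code."""
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET   # use defusedxml in production: CPE input is untrusted
from typing import Dict, Optional, Tuple

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "cwmp": "urn:dslforum-org:cwmp-1-2"}

# Constructed Inform, cut down from the one in the log above (same DeviceId and event).
INFORM = """<soap_env:Envelope xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
 <soap_env:Header><cwmp:ID soap_env:mustUnderstand="1">1</cwmp:ID></soap_env:Header>
 <soap_env:Body><cwmp:Inform>
  <DeviceId><Manufacturer>easycwmp</Manufacturer><OUI>FFFFFF</OUI>
   <ProductClass>easycwmp</ProductClass><SerialNumber>number1</SerialNumber></DeviceId>
  <Event soap_enc:arrayType="cwmp:EventStruct[1]">
   <EventStruct><EventCode>1 BOOT</EventCode><CommandKey/></EventStruct></Event>
  <MaxEnvelopes>1</MaxEnvelopes>
 </cwmp:Inform></soap_env:Body>
</soap_env:Envelope>"""

# Constructed inventory: which proxy account may speak for which device, keyed by (OUI, SerialNumber).
INVENTORY = {("FFFFFF", "number1"): "zzj"}


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None if malformed.  Base64 is not encryption,
    which is why the Authorization line in the log reveals the configured password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def parse_inform(xml_text: str) -> Dict[str, str]:
    """Extract the DeviceId fields and the event codes from a cwmp:Inform envelope."""
    inform = ET.fromstring(xml_text).find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a cwmp:Inform")
    dev = inform.find("DeviceId")
    if dev is None:
        raise ValueError("Inform without DeviceId")
    fields = {tag: (dev.findtext(tag) or "")
              for tag in ("Manufacturer", "OUI", "ProductClass", "SerialNumber")}
    fields["Events"] = ",".join(e.text or "" for e in inform.findall("Event/EventStruct/EventCode"))
    return fields


def authorize_inform(auth_header: str, passwords: Dict[str, str], xml_text: str) -> str:
    """Return 'ok' or the reason for refusing the session.  nginx's auth_basic stops after the
    first check; the second is the DeviceId binding the documented workaround leaves out."""
    creds = parse_basic_authorization(auth_header)
    if creds is None:
        return "bad credentials"
    user, password = creds
    if not hmac.compare_digest(passwords.get(user, "").encode(), password.encode()):
        return "bad credentials"
    dev = parse_inform(xml_text)
    if INVENTORY.get((dev["OUI"], dev["SerialNumber"])) != user:
        return f"account {user} not bound to device {dev['OUI']}/{dev['SerialNumber']}"
    return "ok"
```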

Conclusion

That is about all; it is not written in great detail. If you find errors or have questions, leave a comment and we can discuss them.



*References:
http://www.cnblogs.com/myblesh/p/6225665.html
https://www.cnblogs.com/AloneSword/p/5086918.html
https://github.com/genieacs/genieacs/wiki/GenieACS-SSL*
