==========================================================
RTI Connext Hello_dynamic_certificates Example Application
==========================================================

Welcome to Connext! This example demonstrates the mutability of the Certificate
Revocation List (CRL) and Identity Certificate. You can read more about this
capability in the Security Plugins User's Manual chapter called
"Authentication".


Compiling this Example
======================
You must set the environment variable NDDSHOME to your Connext
installation directory.

To build this example on a Windows platform, open the appropriate solution
file for your version of Microsoft Visual Studio in the win32 directory. Select
from the configuration pull-down menu: Debug, Release, Debug DLL, or Release
DLL, where "DLL" is for dynamic linking.

To build this example for a QNX platform, you must set the environment variables QNX_HOST
and QNX_TARGET. For example:

  setenv QNX_BASE /opt/qnx660
  setenv QNX_HOST ${QNX_BASE}/host/linux/x86
  setenv QNX_TARGET ${QNX_BASE}/target/qnx6

To build this example on a Linux or macOS system, type the following in a command
shell:

  > make -f make/makefile_HelloWorld_<architecture>

This example is not supported on VxWorks or Android architectures.

All combinations of static/dynamic libraries and release/debug libraries are
supported. With dynamic libraries, the security plugin is specified in the QoS
profile; with static libraries, it is specified in code. Static/release is the
default. To use dynamic libraries, run:

  > make -f make/makefile_HelloWorld_<architecture> SHAREDLIB=1

To use debug libraries, run:

  > make -f make/makefile_HelloWorld_<architecture> DEBUG=1

By default, the OpenSSL crypto library is used. To use the wolfSSL crypto
library, run:

  > make -f make/makefile_HelloWorld_<architecture> WOLFSSL=1

or

  > make -f make/makefile_HelloWorld_<architecture> CRYPTO_LIB=WOLFSSL

You can use the wolfSSL crypto library if your Connext installation includes the
Security Plugins for wolfSSL.

Running this Example
====================

Linux and macOS systems
-----------------------
If you are using dynamic libraries, your LD_LIBRARY_PATH must include
$NDDSHOME/lib/<architecture>.

You must also include the path to your crypto library. If you are compiling
against the Security Plugins with OpenSSL, your LD_LIBRARY_PATH must include
$NDDSHOME/third_party/openssl-<version>/<architecture>/<release or debug>/lib
(location of libcrypto.so).
If you are compiling against the Security Plugins for use with wolfSSL, your
LD_LIBRARY_PATH must include $NDDSHOME/third_party/wolfssl-<version>/<architecture>/<release or debug>/lib
(location of libwolfssl.so).

If you are compiling for wolfSSL, your LD_LIBRARY_PATH must also include the
path to the Security Plugins for wolfSSL libraries (libnddssecurity.so). Add
$NDDSHOME/lib/<architecture>/wolfssl-<version>/ to your LD_LIBRARY_PATH. Make
sure to add this before the path to the general libraries
($NDDSHOME/lib/<architecture>). Otherwise, your application may attempt to load
the default Security Plugins for OpenSSL library.

To run this example, type the following commands in two different command shells (one command in each shell), either
on the same machine or on different machines:

  > objs/<architecture>/HelloWorld_subscriber
  > objs/<architecture>/HelloWorld_publisher

Windows systems
---------------
If you are using dynamic libraries, your PATH must include
%NDDSHOME%\lib\<architecture> and %NDDSHOME%\third_party\openssl-<version>\<architecture>\<release or debug>\bin
(location of the libcrypto DLL).

To run this example, type the following commands in two different command shells (one command in each shell), either
on the same machine or on different machines:

  > objs\<architecture>\HelloWorld_subscriber.exe
  > objs\<architecture>\HelloWorld_publisher.exe

Accepted parameters
-------------------
This example is a modified version of an rtiddsgen-generated HelloWorld application.
It has been modified to use security profiles. On the publisher side, the first
two parameters are the domain ID and sample count, just like the hello_world example.
On the subscriber side, the first parameter is the domain ID. This example uses
ECDSA-ECDH.

Demonstrating mutability of CRL and identity certificate
--------------------------------------------------------
The example uses a scripted set of actions in order to demonstrate the
mutability of the CRL and identity certificate properties.
If you prefer to choose your own set of actions, you can uncomment this line in
HelloWorld_publisher.c and HelloWorld_subscriber.c:

  /* #define RTI_INTERACTIVE_MODE */

The following steps are suggested for the demonstration:

1. Run objs/x64Linux4gcc7.3.0/HelloWorld_publisher <domainId>
2. Run objs/x64Linux4gcc7.3.0/HelloWorld_subscriber <domainId>

Subscriber output if using OpenSSL:
    Only discovered 0 out of 1 publications. Continuing to wait for discovery...
    Only discovered 0 out of 1 publications. Continuing to wait for discovery...
    Only discovered 0 out of 1 publications. Continuing to wait for discovery...
    subscription matched count changed by 1. Current count: 1
    Discovery complete! Reading samples and performing an action every 10 samples...
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (0)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (1)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (2)"

3. On the publisher, type "2" to change the CRL from an empty one to one that
   revokes the subscriber.

Publisher output if using OpenSSL:
    Selected option 2
    ERROR [0xDFCD91E1,0x6868B395,0xA84DF008:0x000001C1|VALIDATE REMOTE PARTICIPANT IDENTITY|CHECK AUTHENTICATION STATUS|LC:Security]RTI_Security_CertHelper_verifyCert:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542240","n":"663649999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15368","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"DFCD91E1.6868B395.A84DF008.000001C1"},{"plugin_class":"RTI:Common"},{"plugin_method":"RTI_Security_CertHelper_verifyCert"}]}],"m":"X509_verify_cert returned 0 with error 23: certificate revoked
    subject name: /C=US/ST=CA/O=Real Time Innovations/CN=RTI ECDSA01 (p256) PEER22 (revoked)/emailAddress=ecdsa01Peer22@rti.com
    issuer name: /C=US/ST=CA/L=Santa Clara/O=Real Time Innovations/CN=RTI ECDSA01 (p256) ROOT CA/emailAddress=ecdsa01RootCa@rti.com"}}
    ERROR [0xDFCD91E1,0x6868B395,0xA84DF008:0x000001C1|VALIDATE REMOTE PARTICIPANT IDENTITY|CHECK AUTHENTICATION STATUS|LC:Security]RTI_Security_Authentication_validateCertificateChain:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542240","n":"699223999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15368","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"DFCD91E1.6868B395.A84DF008.000001C1"},{"plugin_class":"DDS:Auth:PKI-DH"},{"plugin_method":"RTI_Security_Authentication_validateCertificateChain"}]}],"m":"Identity verification failed. Make sure it was signed by the right authority."}}
    ERROR [0xDFCD91E1,0x6868B395,0xA84DF008:0x000001C1|VALIDATE REMOTE PARTICIPANT IDENTITY|CHECK AUTHENTICATION STATUS|LC:Security]RTI_Security_CertHelper_logMessageForEveryCa:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542240","n":"701107999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15368","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"DFCD91E1.6868B395.A84DF008.000001C1"},{"plugin_class":"RTI:Common"},{"plugin_method":"RTI_Security_CertHelper_logMessageForEveryCa"}]}],"m":"Failed to verify identity. Used authority: /C=US/ST=CA/L=Santa Clara/O=Real Time Innovations/CN=RTI ECDSA01 (p256) ROOT CA/emailAddress=ecdsa01RootCa@rti.com"}}
    publication matched count changed by -1. Current count: 0
    Writing HelloWorld Secure, count 11
    Writing HelloWorld Secure, count 12
    Writing HelloWorld Secure, count 13
    Writing HelloWorld Secure, count 14
    Writing HelloWorld Secure, count 15
    Writing HelloWorld Secure, count 16
    Writing HelloWorld Secure, count 17
    Writing HelloWorld Secure, count 18
    Writing HelloWorld Secure, count 19
    Writing HelloWorld Secure, count 20
    Options:
    0: continue
    1: exit
    2: change CRL from revoking ecdsa01Peer22RevokedCert to empty

4. From this point on, whenever the publisher prompts you to select an option,
   always type "0" to continue.

5. On the subscriber, type "2" to change the identity certificate. Then, type
   "0" to select ecdsa01Peer01Cert, which has a different public key from the
   certificate that is currently being used (ecdsa01Peer22RevokedCert).

Subscriber output if using OpenSSL:
    Selected option 0
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] RTI_Security_Authentication_isNewCertificateCompatible:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542248","n":"635952999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15370","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"D514EDD6.E6B4C1C9.B568EEE4.000001C1"},{"plugin_class":"DDS:Auth:PKI-DH"},{"plugin_method":"RTI_Security_Authentication_isNewCertificateCompatible"}]}],"m":"new certificate has different public key"}}
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] RTI_Security_Authentication_updateIdentityCertificate:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542248","n":"656534999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15370","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"D514EDD6.E6B4C1C9.B568EEE4.000001C1"},{"plugin_class":"DDS:Auth:PKI-DH"},{"plugin_method":"RTI_Security_Authentication_updateIdentityCertificate"}]}],"m":"new certificate is not compatible with the old one"}}
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] RTI_Security_Authentication_set_property_qos:{"DDS:Security:LogTopic":{"f":"10","s":"3","t":{"s":"1687542248","n":"657579999"},"h":"bld-ubuntu1804","i":"0.0.0.0","a":"RTI Secure DDS Application","p":"15370","k":"33554496","x":[{"DDS":[{"domain_id":"12"},{"guid":"D514EDD6.E6B4C1C9.B568EEE4.000001C1"},{"plugin_class":"DDS:Auth:PKI-DH"},{"plugin_method":"RTI_Security_Authentication_set_property_qos"}]}],"m":"failed to update local identity certificate"}}
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] DDS_DomainParticipantTrustPlugins_setupSecureProperties:ASSERT FAILURE | Property QoS. Plugin message: Properties are inconsistent
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] DDS_DomainParticipant_setupSecureProperties:UPDATE FAILURE | Security Plugin properties.
    ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] DDS_DomainParticipant_set_qos:!update the DomainParticipant's secure properties
    Unable to set participant qos. Return value: 1000
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    Options:
    0: continue
    1: exit
    2: change Identity Certificate

6. On the subscriber, type "2" to change the identity certificate. Then, type
   "2" to select ecdsa01Peer22Cert2, which has the same public key as the
   certificate that is currently being used (ecdsa01Peer22RevokedCert).

Subscriber output if using OpenSSL:
    Selected option 2
    HelloWorld subscriber sleeping for 1 sec...
    HelloWorld subscriber sleeping for 1 sec...
    subscription matched count changed by -1. Current count: 0
    HelloWorld subscriber sleeping for 1 sec...
    subscription matched count changed by 1. Current count: 1
    Received data:

       msg: "Hello World Secure (11)"
    Received data:

       msg: "Hello World Secure (12)"
    Received data:

       msg: "Hello World Secure (13)"
    Received data:

       msg: "Hello World Secure (14)"
    Received data:

       msg: "Hello World Secure (15)"
    Received data:

       msg: "Hello World Secure (16)"
    Received data:

       msg: "Hello World Secure (17)"
    Received data:

       msg: "Hello World Secure (18)"
    Received data:

       msg: "Hello World Secure (19)"
    Received data:

       msg: "Hello World Secure (20)"
    Received data:

       msg: "Hello World Secure (21)"
    Received data:

       msg: "Hello World Secure (22)"
    Received data:

       msg: "Hello World Secure (23)"
    Received data:

       msg: "Hello World Secure (24)"
    Received data:

       msg: "Hello World Secure (25)"
    Received data:

       msg: "Hello World Secure (26)"
    Received data:

       msg: "Hello World Secure (27)"
    Received data:

       msg: "Hello World Secure (28)"
    Received data:

       msg: "Hello World Secure (29)"
    Received data:

       msg: "Hello World Secure (30)"
    Received data:

       msg: "Hello World Secure (32)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (33)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (34)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (35)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (36)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (37)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (38)"
    HelloWorld subscriber sleeping for 1 sec...
    Received data:

       msg: "Hello World Secure (39)"
    Options:
    0: continue
    1: exit
    2: change Identity Certificate
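
The revocation in step 3 and the rejected certificate change in step 5 both
appear as Security Plugins log records mixed into ordinary application output.
The following Python script is an added example, not part of the RTI example
sources: it parses the record layout shown above, including a "m" field that
spans several lines, over a constructed sample abridged from that output. The
names parse_events, to_event and the "kind" labels are assumptions of this
example.

```python
import json
import re

# Record header as printed above: ERROR [<context>]<method>:{"DDS:Security:LogTopic":{...}}
HEADER = re.compile(r'^\s*ERROR \[[^\]]*\]\s*\w+:(\{"DDS:Security:LogTopic".*)$')
# Message substrings copied from the publisher/subscriber output on this page.
RULES = [("peer_certificate_revoked", "certificate revoked"),
         ("identity_update_rejected", "new certificate has different public key")]

def to_event(topic):
    # "x" holds a list of single-key objects; flatten them into one dict.
    fields = {k: v for item in topic["x"][0]["DDS"] for k, v in item.items()}
    msg = topic["m"]
    subject = re.search(r"subject name: (.+)", msg)
    return {"kind": next((k for k, needle in RULES if needle in msg), "other"),
            "method": fields.get("plugin_method"), "guid": fields.get("guid"),
            "domain_id": fields.get("domain_id"),
            "subject": subject.group(1).strip() if subject else None}

def parse_events(text):
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group(1)          # start of a new record
        elif pending is not None:
            pending += "\n" + line        # continuation of a multi-line "m"
        else:
            continue                      # ordinary application output
        try:
            # strict=False accepts the raw newlines inside the "m" string
            topic = json.loads(pending, strict=False)["DDS:Security:LogTopic"]
        except json.JSONDecodeError:
            continue                      # record is not complete yet
        pending = None
        events.append(to_event(topic))
    return events

# Constructed sample: records abridged from the output shown on this page.
SAMPLE = r'''
ERROR [0xDFCD91E1,0x6868B395,0xA84DF008:0x000001C1|VALIDATE REMOTE PARTICIPANT IDENTITY|CHECK AUTHENTICATION STATUS|LC:Security]RTI_Security_CertHelper_verifyCert:{"DDS:Security:LogTopic":{"s":"3","x":[{"DDS":[{"domain_id":"12"},{"guid":"DFCD91E1.6868B395.A84DF008.000001C1"},{"plugin_class":"RTI:Common"},{"plugin_method":"RTI_Security_CertHelper_verifyCert"}]}],"m":"X509_verify_cert returned 0 with error 23: certificate revoked
subject name: /C=US/ST=CA/O=Real Time Innovations/CN=RTI ECDSA01 (p256) PEER22 (revoked)/emailAddress=ecdsa01Peer22@rti.com
issuer name: /C=US/ST=CA/L=Santa Clara/O=Real Time Innovations/CN=RTI ECDSA01 (p256) ROOT CA/emailAddress=ecdsa01RootCa@rti.com"}}
ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] RTI_Security_Authentication_isNewCertificateCompatible:{"DDS:Security:LogTopic":{"s":"3","x":[{"DDS":[{"domain_id":"12"},{"guid":"D514EDD6.E6B4C1C9.B568EEE4.000001C1"},{"plugin_class":"DDS:Auth:PKI-DH"},{"plugin_method":"RTI_Security_Authentication_isNewCertificateCompatible"}]}],"m":"new certificate has different public key"}}
ERROR [0xD514EDD6,0xE6B4C1C9,0xB568EEE4:0x000001C1{Domain=12}|SET QOS] DDS_DomainParticipant_set_qos:!update the DomainParticipant's secure properties
'''

if __name__ == "__main__":
    print(*parse_events(SAMPLE), sep="\n")
```

ERROR lines that carry no "DDS:Security:LogTopic" body, such as the final
DDS_DomainParticipant_set_qos line, are skipped rather than reported.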

For more information, please consult the "RTI Security Plugins Getting Started
Guide".
