feat: add support for mDTLS

felixgateru · felixgateru · commit 84f9a99198b4 · 2025-10-30T16:03:25.000+03:00
Signed-off-by: Felix Gateru &lt;felix.gateru@gmail.com&gt;
diff --git a/.env b/.env
@@ -103,4 +103,14 @@ MGATE_COAP_WITH_DTLS_TARGET_PORT=5683
 MGATE_COAP_WITH_DTLS_CERT_FILE=ssl/certs/server.crt
 MGATE_COAP_WITH_DTLS_KEY_FILE=ssl/certs/server.key
 MGATE_COAP_WITH_DTLS_SERVER_CA_FILE=ssl/certs/ca.crt
-MGATE_COAP_WITH_DTLS_CLIENT_CA_FILE=ssl/certs/ca.crt
+
+MGATE_COAP_WITH_MDTLS_HOST=
+MGATE_COAP_WITH_MDTLS_PORT=5685
+MGATE_COAP_WITH_MDTLS_TARGET_HOST=localhost
+MGATE_COAP_WITH_MDTLS_TARGET_PORT=5683
+MGATE_COAP_WITH_MDTLS_CERT_FILE=ssl/certs/server.crt
+MGATE_COAP_WITH_MDTLS_KEY_FILE=ssl/certs/server.key
+MGATE_COAP_WITH_MDTLS_SERVER_CA_FILE=ssl/certs/ca.crt
+MGATE_COAP_WITH_MDTLS_CLIENT_CA_FILE=ssl/certs/ca.crt
+MGATE_COAP_WITH_MDTLS_CERT_VERIFICATION_METHODS=ocsp
+MGATE_COAP_WITH_MDTLS_OCSP_RESPONDER_URL=http://localhost:8880/ocsp
diff --git a/cmd/main.go b/cmd/main.go
@@ -38,6 +38,7 @@ const (
 
 	coapWithoutDTLS = "MGATE_COAP_WITHOUT_DTLS_"
 	coapWithDTLS    = "MGATE_COAP_WITH_DTLS_"
+	coapWithmDTLS   = "MGATE_COAP_WITH_MDTLS_"
 )
 
 func main() {
@@ -200,6 +201,18 @@ func main() {
 		return coapDTLSProxy.Listen(ctx)
 	})
 
+	// mGate server Configuration for CoAP with mDTLS
+	coapmDTLSConfig, err := mgate.NewConfig(env.Options{Prefix: coapWithmDTLS})
+	if err != nil {
+		panic(err)
+	}
+
+	// mGate server for CoAP with mDTLS
+	coapmDTLSProxy := coap.NewProxy(coapmDTLSConfig, handler, logger)
+	g.Go(func() error {
+		return coapmDTLSProxy.Listen(ctx)
+	})
+
 	g.Go(func() error {
 		return StopSignalHandler(ctx, cancel, logger)
 	})
diff --git a/pkg/coap/coap.go b/pkg/coap/coap.go
@@ -120,7 +120,7 @@ func (p *Proxy) Listen(ctx context.Context) error {
 	}
 
 	status := mptls.SecurityStatus(p.config.DTLSConfig)
-	p.logger.Info(fmt.Sprintf("COAP proxy server started at %s  with %s", net.JoinHostPort(p.config.Host, p.config.Port), status))
+	p.logger.Info(fmt.Sprintf("COAP proxy server started at %s with %s", net.JoinHostPort(p.config.Host, p.config.Port), status))
 
 	if err := g.Wait(); err != nil {
 		p.logger.Info(fmt.Sprintf("COAP proxy server at %s exiting with errors", net.JoinHostPort(p.config.Host, p.config.Port)), slog.String("error", err.Error()))
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
@@ -143,7 +143,12 @@ func SecurityStatus[sc TLSConfig](s sc) string {
 		}
 		return ret
 	case *dtls.Config:
-		return "DTLS"
+		ret := "DTLS"
+
+		if c.ClientCAs != nil {
+			ret += " and " + toClientAuthString(c.ClientAuth)
+		}
+		return ret
 	default:
 		return "no TLS"
 	}
@@ -155,3 +160,20 @@ func loadCertFile(certFile string) ([]byte, error) {
 	}
 	return []byte{}, nil
 }
+
+func toClientAuthString(cat dtls.ClientAuthType) string {
+	switch cat {
+	case dtls.NoClientCert:
+		return "NoClientCert"
+	case dtls.RequestClientCert:
+		return "RequestClientCert"
+	case dtls.RequireAnyClientCert:
+		return "RequestAnyClientCert"
+	case dtls.VerifyClientCertIfGiven:
+		return "VerifyClientCertIfGiven"
+	case dtls.RequireAndVerifyClientCert:
+		return "RequireAndVerifyClientCert"
+	default:
+		return ""
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ func (p *Proxy) Listen(ctx context.Context) error {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`status := mptls.SecurityStatus(p.config.DTLSConfig)`
`123`		`- p.logger.Info(fmt.Sprintf("COAP proxy server started at %s with %s", net.JoinHostPort(p.config.Host, p.config.Port), status))`
	`123`	`+ p.logger.Info(fmt.Sprintf("COAP proxy server started at %s with %s", net.JoinHostPort(p.config.Host, p.config.Port), status))`
`124`	`124`
`125`	`125`	`if err := g.Wait(); err != nil {`
`126`	`126`	`p.logger.Info(fmt.Sprintf("COAP proxy server at %s exiting with errors", net.JoinHostPort(p.config.Host, p.config.Port)), slog.String("error", err.Error()))`