MQTT 3.1 and 5 in OCaml using Eio

RFC 9431 ACE-MQTT Implementation TODO

Status: Pre-Implementation Tasks Complete

Completed Tasks

  • Fetch RFC 7519 (JWT) into spec/
  • Fetch RFC 7517 (JWK) into spec/
  • Fetch RFC 7518 (JWA) into spec/
  • Fetch RFC 8392 (CWT) into spec/
  • Fetch RFC 9237 (AIF) into spec/
  • Fetch RFC 9052 (COSE) into spec/
  • Enhance conpool with tls_epoch function (/Users/avsm/src/git/knot/conpool/)
  • Create ocaml-jwt library skeleton (/Users/avsm/src/git/knot/ocaml-jwt/)
  • Create ocaml-cwt library skeleton (/Users/avsm/src/git/knot/ocaml-cwt/)

Next Steps

Phase 1: Foundation - Token and Scope Types

Create lib/ace/ module in ocaml-mqtte:

  • lib/ace/dune - Build configuration
  • lib/ace/ace.ml - Main module exports
  • lib/ace/ace_scope.mli / ace_scope.ml - AIF-MQTT scope parsing (RFC 9237)
    • Parse JSON and CBOR scope formats
    • is_authorized : t -> topic:string -> action:permission -> bool
  • lib/ace/ace_token.mli / ace_token.ml - JWT/CWT token handling
    • Unified token type wrapping JWT or CWT
    • Pop_key type for proof-of-possession keys
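As an added example (not code from ocaml-mqtte or the plan above) of the Phase 1 `is_authorized` check that the Phase 4 broker would call: it assumes the AIF-MQTT scope has already been decoded from its JSON or CBOR array into (topic filter, permission) pairs, and that the permission strings are "pub" and "sub" (an assumption about RFC 9431's AIF-MQTT encoding); topic-filter matching follows MQTT section 4.7.

```ocaml
(* Added example, not ocaml-mqtte code. Assumes the AIF-MQTT scope has
   already been decoded from JSON/CBOR into (topic filter, permission)
   pairs, with the permission strings "pub" and "sub" (assumption). *)

type permission = Pub | Sub

(* Each grant is a topic filter split into levels plus its permission. *)
type t = (string list * permission) list

let permission_of_string = function
  | "pub" -> Pub
  | "sub" -> Sub
  | s -> invalid_arg ("unknown AIF-MQTT permission: " ^ s)

let of_pairs pairs : t =
  List.map (fun (f, p) -> (String.split_on_char '/' f, permission_of_string p)) pairs

(* Does the granted filter cover the requested topic or topic filter?
   MQTT section 4.7: "+" covers exactly one level (including a requested
   "+"), "#" must be last and covers the rest, literals must be equal.
   A literal level never covers a requested wildcard. *)
let rec covers granted requested =
  match (granted, requested) with
  | [], [] -> true
  | [ "#" ], _ -> true
  | "+" :: g, r :: rs when r <> "#" -> covers g rs
  | lg :: g, lr :: rs when lg = lr && lg <> "+" && lg <> "#" -> covers g rs
  | _ -> false

(* [topic] is a topic name for [Pub] and a topic filter for [Sub].
   MQTT forbids wildcard filters from matching "$"-prefixed topics,
   so a grant starting with "+" or "#" never reaches e.g. $SYS. *)
let is_authorized (scope : t) ~topic ~action =
  let levels = String.split_on_char '/' topic in
  let dollar = String.length topic > 0 && topic.[0] = '$' in
  let wild = function ("#" | "+") :: _ -> true | _ -> false in
  List.exists (fun (g, p) -> p = action && not (dollar && wild g) && covers g levels) scope

let () =
  (* Constructed scope, as it would come out of a token's "scope" claim. *)
  let scope =
    of_pairs [ ("sensors/+/temp", "sub"); ("sensors/kitchen/#", "pub"); ("+/status", "sub") ]
  in
  let check topic action expected = assert (is_authorized scope ~topic ~action = expected) in
  check "sensors/kitchen/temp" Pub true;
  check "sensors/+/temp" Sub true;       (* requested filter covered by a grant *)
  check "sensors/#" Sub false;           (* broader than any grant *)
  check "sensors/hall/humidity" Pub false;
  check "$SYS/status" Sub false;         (* "+/status" must not reach $SYS *)
  print_endline "scope checks ok"
```

A subscribe request is checked as a filter against the granted filters (the request must be fully covered, so a broad "sensors/#" is refused even when narrower grants exist), while a publish is checked as a plain topic name.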

Phase 2: Proof-of-Possession

  • lib/ace/ace_pop.mli / ace_pop.ml - PoP operations
    • Challenge-response method (Section 2.2.4.2.2)
    • 8-byte nonce generation and verification
  • lib/ace/ace_tls.mli / ace_tls.ml - TLS exporter wrapper
    • Label: "EXPORTER-ACE-MQTT-Sign-Challenge"
    • 32-byte challenge derivation from TLS epoch

Phase 3: Client-Side ACE Authentication

  • lib/ace/ace_client.mli / ace_client.ml
    • ace_config type with token, pop_method, private_key
    • TLS exporter authentication flow
    • Challenge-response authentication flow
    • Reauthentication support

Phase 4: Broker-Side ACE Validation

  • lib/ace/ace_broker.mli / ace_broker.ml
    • Local token validation (signature verification)
    • Session management with scope-based authorization
  • lib/ace/ace_introspection.mli / ace_introspection.ml
    • Token introspection client for the AS (Authorization Server)

Phase 5: authz-info Topic Support

  • Support token upload via authz-info topic (RFC 9431 Section 2.2.2)
  • Token storage indexed by PoP key

Phase 6: MQTT v3.1.1 Support

  • Token in Username field (prefixed with "ace")
  • PoP proof in Password field
  • TLS exporter method only

Phase 7: Integration and Testing

  • End-to-end tests with JWT tokens
  • End-to-end tests with CWT tokens
  • Authorization tests (publish/subscribe scope checks)
  • Reauthentication tests

Library Locations

Library      Path                                    Status
ocaml-mqtte  /Users/avsm/src/git/knot/ocaml-mqtte/   Main project
ocaml-jwt    /Users/avsm/src/git/knot/ocaml-jwt/     Skeleton complete
ocaml-cwt    /Users/avsm/src/git/knot/ocaml-cwt/     Skeleton complete
conpool      /Users/avsm/src/git/knot/conpool/       Enhanced with tls_epoch

Key Files

  • Full plan: /Users/avsm/.claude/plans/refactored-exploring-boole.md
  • RFC 9431 spec: spec/rfc9431.txt
  • JWT spec: spec/rfc7519.txt
  • CWT spec: spec/rfc8392.txt
  • AIF spec: spec/rfc9237.txt
  • COSE spec: spec/rfc9052.txt