Commit 610af146 authored by Dmitrii Zhuravlev's avatar Dmitrii Zhuravlev Committed by Sachin Agrawal

CA retrieve PKIX resource from SRM using callbacks

Change-Id: I179c485a4b71003115d579b4d9c80ed0bc59f4f6
Signed-off-by: default avatarDmitrii Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/2601Reviewed-by: default avatardongik Lee <dongik.lee@samsung.com>
Reviewed-by: default avatarSachin Agrawal <sachin.agrawal@intel.com>
Tested-by: default avatarSachin Agrawal <sachin.agrawal@intel.com>
parent 66efb873
......@@ -110,7 +110,7 @@ typedef struct
// EC private key
uint8_t devicePrivateKey[PRIVATE_KEY_SIZE];
} CADtlsCertCreds_t;
} CADtlsX509Creds_t;
/**
* @brief Callback function type for getting certificate credentials.
......@@ -118,7 +118,14 @@ typedef struct
* credInfo which is then freed by CA
* @return NONE
*/
typedef void (*CAGetCertCredentialsHandler)(CADtlsCertCreds_t *credInfo);
typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo);
/**
* @brief Callback function type for getting CRL.
* @param crlInfo [OUT] Certificate credentials info. Handler has to allocate new memory for
* credInfo which is then freed by CA
* @return NONE
*/
typedef void (*CAGetDTLSCrlHandler)(ByteArray crlInfo);
#endif //__WITH_X509__
/**
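Review bot: `typedef void (*CAGetDTLSCrlHandler)(ByteArray crlInfo);` takes the ByteArray by value, so a handler cannot report the CRL length back to the caller: the `GetDerCrl` implementation in crlresource.c assigns `crlArray.len = crlRes->CrlData.len;` and `crlArray.len = 0;` to its own copy, and in `CAInitX509` (caadapternetdtls.c) the test `if (crlArray.len > 0)` therefore always sees `CRL_MAX_LEN` and `DecodeCertificateList` is fed the whole zero-filled buffer even when no CRL is set, contradicting the "array len is 0 if error occured" contract in the `GetDerCrl` prototype in crlresource.h. Change the handler type to `typedef void (*CAGetDTLSCrlHandler)(ByteArray *crlInfo);`, the prototype to `void GetDerCrl(ByteArray *crlArray);`, and the call to `g_getCrlCallback(&crlArray);`. The doc comment above the typedef was copied from the certificate handler and is wrong for this one: the buffer is supplied by the caller and nothing is allocated or freed here, so replace it with `@param crlInfo [IN/OUT] caller-provided buffer; the handler copies the DER CRL into crlInfo.data and sets crlInfo.len (0 when no CRL is available)`.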
......@@ -179,7 +186,13 @@ CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSCredentialsHandler GetDTLSC
* @param GetCertCredentials [IN] GetCert Credetials callback
* @return #CA_STATUS_OK
*/
CAResult_t CARegisterCertCredentialsHandler(CAGetCertCredentialsHandler GetCertCredentials);
CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials);
/**
* @brief Register callback to get CRL.
* @param GetCrl [IN] GetCrl callback
* @return #CA_STATUS_OK
*/
CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl);
#endif //__WITH_X509__
/**
......
......@@ -253,13 +253,6 @@ CAResult_t CAAdapterNetDtlsDecrypt(const CASecureEndpoint_t *sep,
uint8_t *data,
uint32_t dataLen);
#ifdef __WITH_X509__
/**
* @fn CADeInitX509
* @brief Deinitializes certificate based credential
*/
void CADeInitX509();
#endif //__WITH_X509__
#endif /* CA_ADAPTER_NET_DTLS_H_ */
......@@ -52,6 +52,17 @@ typedef struct
ByteArray signS; /**< Signature s value.*/
} CertificateList;
/**@def CRL_INITIALIZER
*
* Initializes of existing CRL fields to {NULL, 0}.
*/
#undef CRL_INITIALIZER
#define CRL_INITIALIZER {BYTE_ARRAY_INITIALIZER,\
BYTE_ARRAY_INITIALIZER,\
BYTE_ARRAY_INITIALIZER,\
BYTE_ARRAY_INITIALIZER,\
BYTE_ARRAY_INITIALIZER}
#ifdef X509_DEBUG
/**
* Prints Certificate List to console.
......
......@@ -135,6 +135,18 @@ void clearDtlsCredentialInfo()
printf("clearDtlsCredentialInfo OUT\n");
}
#ifdef __WITH_X509__
int GetDtlsX509Credentials(CADtlsX509Creds_t *credInfo)
{
(void) credInfo;
return -1;
}
int * GetCRLResource()
{
return (int*) NULL;
}
#endif
// Internal API. Invoked by CA stack to retrieve credentials from this module
void CAGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo)
{
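Review bot: The stub `int * GetCRLResource()` returns `int *`, while the caller added in this commit (crlresource.c) uses it as `OicSecCrl_t * crlRes = GetCRLResource();`; if this sample is ever compiled with `crlresource.h` in scope the two declarations conflict, and if not, the stub still advertises the wrong type. Declare it as `OicSecCrl_t * GetCRLResource()` and return plain `NULL`, or drop the stub if nothing in the sample links against it. A one-line comment on `GetDtlsX509Credentials` saying that `-1` deliberately reports "no X.509 credentials in this sample" would spare the next reader a search, e.g. `// sample has no certificate store; report failure so CAInitX509 does not use g_X509Cred`. CAGetDtlsPskCredentials starts at the bottom of this hunk and continues outside it.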
......
......@@ -28,8 +28,13 @@
#ifdef __WITH_X509__
#include "pki.h"
#include "crl.h"
#include "cainterface.h"
#include "credresource.h"
/* lenght of ASN.1 header in DER format
* for subject field in X.509 certificate */
#define DER_SUBJECT_HEADER_LEN (9)
#undef VERIFY_SUCCESS
#define VERIFY_SUCCESS(op, successCode) { if ((op) != (successCode)) \
{OIC_LOG_V(FATAL, NET_DTLS_TAG, "%s failed!!", #op); goto exit;} }
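Review bot: `#undef VERIFY_SUCCESS` followed by a two-argument redefinition silently replaces a project-wide macro of the same name that takes three arguments (`VERIFY_SUCCESS(TAG, cond, level)`, as used in credresource.c in this same commit), presumably pulled into this file by the newly added `#include "credresource.h"`; a reader now has to know which definition is live at each call site. Giving the local macro its own name, e.g. `#define VERIFY_DTLS_SUCCESS(op, successCode) ...`, and updating its uses in CAGetDeviceKey, CAGetDeviceCertificate and CAGetRootKey would remove the clash without the `#undef`. The comment on `DER_SUBJECT_HEADER_LEN` has a typo: `lenght` → `length`.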
......@@ -59,6 +64,19 @@ static ca_mutex g_dtlsContextMutex = NULL;
*/
static CAGetDTLSCredentialsHandler g_getCredentialsCallback = NULL;
#ifdef __WITH_X509__
/**
* @var g_getX509CredentialsCallback
* @brief callback to get DTLS certificate credentials
*/
static CAGetDTLSX509CredentialsHandler g_getX509CredentialsCallback = NULL;
/**
* @var g_getCrlCallback
* @brief callback to get CRL for DTLS
*/
static CAGetDTLSCrlHandler g_getCrlCallback = NULL;
#endif //__WITH_X509__
static CASecureEndpoint_t *GetPeerInfo(const CAEndpoint_t *peer)
{
uint32_t list_index = 0;
......@@ -622,6 +640,22 @@ void CADTLSSetCredentialsCallback(CAGetDTLSCredentialsHandler credCallback)
OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT");
}
#ifdef __WITH_X509__
void CADTLSSetX509CredentialsCallback(CAGetDTLSX509CredentialsHandler credCallback)
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "IN");
g_getX509CredentialsCallback = credCallback;
OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT");
}
void CADTLSSetCrlCallback(CAGetDTLSCrlHandler crlCallback)
{
// TODO Does this method needs protection of DtlsContextMutex ?
OIC_LOG(DEBUG, NET_DTLS_TAG, "IN");
g_getCrlCallback = crlCallback;
OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT");
}
#endif // __WITH_X509__
CAResult_t CADtlsSelectCipherSuite(const dtls_cipher_t cipher)
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "IN CADtlsSelectCipherSuite");
......@@ -782,23 +816,39 @@ CAResult_t CADtlsGenerateOwnerPSK(const CAEndpoint_t *endpoint,
}
#ifdef __WITH_X509__
static CADtlsCertCreds_t g_X509Cred = {{0}, 0, 0, {0}, {0}, {0}};
static int g_IsX509Init = 0;
static CADtlsX509Creds_t g_X509Cred = {{0}, 0, 0, {0}, {0}, {0}};
int CAInitX509()
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "IN CAInitX509");
g_IsX509Init = (OC_STACK_OK == GetDtlsCertCredentials(&g_X509Cred));
OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT CAInitX509");
return !g_IsX509Init;
}
VERIFY_NON_NULL_RET(g_getX509CredentialsCallback, NET_DTLS_TAG, "GetX509Credential callback", -1);
int isX509Init = (0 == g_getX509CredentialsCallback(&g_X509Cred));
if (isX509Init)
{
uint8_t crlData[CRL_MAX_LEN] = {0};
ByteArray crlArray = {crlData, CRL_MAX_LEN};
g_getCrlCallback(crlArray);
if (crlArray.len > 0)
{
uint8_t keyData[PUBLIC_KEY_SIZE] = {0};
CertificateList crl = CRL_INITIALIZER;
ByteArray rootPubKey = {keyData, PUBLIC_KEY_SIZE};
memcpy(keyData, g_X509Cred.rootPublicKeyX, PUBLIC_KEY_SIZE / 2);
memcpy(keyData + PUBLIC_KEY_SIZE / 2, g_X509Cred.rootPublicKeyY, PUBLIC_KEY_SIZE / 2);
DecodeCertificateList(crlArray, &crl, rootPubKey);
}
}
void CADeInitX509()
{
g_IsX509Init = 0;
OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT CAInitX509");
if (isX509Init)
{
return 0;
}
else
{
return 1;
}
}
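Review bot: `g_getCrlCallback(crlArray);` is called without the NULL guard that `g_getX509CredentialsCallback` gets two lines earlier, so a build that registers only the X.509 credential handler, or that runs `CAAdapterNetDtlsInit` before the CRL handler is registered, calls through a NULL function pointer; add `VERIFY_NON_NULL_RET(g_getCrlCallback, NET_DTLS_TAG, "GetCrl callback", -1);` before the call. The result of `DecodeCertificateList(crlArray, &crl, rootPubKey);` is discarded and the decoded `crl` local goes out of scope unused, so unless `DecodeCertificateList` records its result elsewhere a malformed or unverifiable CRL is neither reported nor acted on — at minimum check its return and fail initialisation (log and return 1) when it reports an error. Because `g_IsX509Init` was removed, every `CAGetDeviceKey`, `CAGetDeviceCertificate` and `CAGetRootKey` call now re-fetches the credentials from SRM and re-decodes the CRL; caching the successful result, or moving the CRL decode out of the per-handshake path, would restore the earlier behaviour.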
......@@ -816,10 +866,7 @@ static int CAGetDeviceKey(struct dtls_context_t *ctx,
static dtls_ecc_key_t ecdsa_key = {DTLS_ECDH_CURVE_SECP256R1, NULL, NULL, NULL};
int ret = 1;
if (!g_IsX509Init)
{
VERIFY_SUCCESS(CAInitX509(), 0);
}
VERIFY_SUCCESS(CAInitX509(), 0);
ecdsa_key.priv_key = g_X509Cred.devicePrivateKey;
*result = &ecdsa_key;
......@@ -837,10 +884,9 @@ CAGetDeviceCertificate(struct dtls_context_t *ctx,
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "CAGetDeviceCertificate");
int ret = 1;
if (!g_IsX509Init)
{
VERIFY_SUCCESS(CAInitX509(), 0);
}
VERIFY_SUCCESS(CAInitX509(), 0);
*cert = g_X509Cred.certificateChain;
*cert_size = g_X509Cred.certificateChainLen;
#ifdef X509_DEBUG
......@@ -863,10 +909,9 @@ static int CAGetRootKey(const unsigned char **ca_pub_x, const unsigned char **ca
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "CAGetRootKey");
int ret = 1;
if (!g_IsX509Init)
{
VERIFY_SUCCESS(CAInitX509(), 0);
}
VERIFY_SUCCESS(CAInitX509(), 0);
*ca_pub_x = g_X509Cred.rootPublicKeyX;
*ca_pub_y = g_X509Cred.rootPublicKeyY;
......@@ -932,7 +977,7 @@ static int CAVerifyCertificate(struct dtls_context_t *ctx, const session_t *sess
CAConvertAddrToName(&(addrInfo->addr.st), peerAddr, &port);
CAResult_t result = CAAddIdToPeerInfoList(peerAddr, port,
crtChain[0].subject.data + crtChain[0].subject.len - sizeof(OicUuid_t), sizeof(OicUuid_t));
crtChain[0].subject.data + DER_SUBJECT_HEADER_LEN + 2, crtChain[0].subject.data[DER_SUBJECT_HEADER_LEN + 1]);
if (CA_STATUS_OK != result )
{
OIC_LOG(ERROR, NET_DTLS_TAG, "Fail to add peer id to gDtlsPeerInfoList");
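Review bot: The new peer-id extraction `crtChain[0].subject.data + DER_SUBJECT_HEADER_LEN + 2, crtChain[0].subject.data[DER_SUBJECT_HEADER_LEN + 1]` reads a length byte from the peer certificate's subject at a fixed offset and passes it as the id length without checking that `subject.len` covers either that byte or the id it describes; a subject shorter than `DER_SUBJECT_HEADER_LEN + 2` bytes, or one whose embedded length exceeds the remaining bytes, makes `CAAddIdToPeerInfoList` read past the subject buffer. Guard it before the call, e.g. `uint8_t idLen = crtChain[0].subject.data[DER_SUBJECT_HEADER_LEN + 1];` and `if (crtChain[0].subject.len < (size_t)DER_SUBJECT_HEADER_LEN + 2 + idLen) { goto exit; }`, adapted to the function's existing failure path, since `ret` and the `exit:` label lie outside this hunk. The replaced form used a fixed `sizeof(OicUuid_t)`; if the id is still expected to be a UUID, also reject `idLen != sizeof(OicUuid_t)`. CAVerifyCertificate starts and ends outside this hunk.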
......@@ -948,9 +993,6 @@ exit:
#endif
CAResult_t CAAdapterNetDtlsInit()
{
OIC_LOG(DEBUG, NET_DTLS_TAG, "IN");
......@@ -1017,8 +1059,7 @@ CAResult_t CAAdapterNetDtlsInit()
g_caDtlsContext->callbacks.event = CAHandleSecureEvent;
#ifdef __WITH_X509__
CAInitX509();
if (g_IsX509Init == 0)
if (0 == CAInitX509())
#endif //__WITH_X509__
g_caDtlsContext->callbacks.get_psk_info = CAGetPskCredentials;
#ifdef __WITH_X509__
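Review bot: `if (0 == CAInitX509())` inverts the test it replaces: `CAInitX509` returns 0 when the X.509 credentials were loaded (its `if (isX509Init) { return 0; }`), whereas the old `if (g_IsX509Init == 0)` installed `CAGetPskCredentials` only when X.509 initialisation had failed. As written, `callbacks.get_psk_info` is set when certificates are available and left unset when they are not, so a device without X.509 credentials loses its PSK fallback; unless that change is intended, the line should read `if (0 != CAInitX509())`. CAAdapterNetDtlsInit continues outside the hunk, so the X.509 callback setup that follows is not visible here.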
......
......@@ -46,6 +46,13 @@ static bool g_isInitialized = false;
extern void CADTLSSetCredentialsCallback(CAGetDTLSCredentialsHandler credCallback);
#endif
#ifdef __WITH_X509__
// CAAdapterNetDTLS will register the callback.
// Taking callback all the way through adapters not the right approach, hence calling here.
extern void CADTLSSetX509CredentialsCallback(CAGetDTLSX509CredentialsHandler credCallback);
extern void CADTLSSetCrlCallback(CAGetDTLSCrlHandler crlCallback);
#endif
CAResult_t CAInitialize()
{
OIC_LOG(DEBUG, TAG, "CAInitialize");
......@@ -129,6 +136,34 @@ CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSCredentialsHandler GetDTLSC
}
#endif //__WITH_DTLS__
#ifdef __WITH_X509__
CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetDTLSX509CredentialsHandler)
{
OIC_LOG(DEBUG, TAG, "CARegisterDTLSX509CredentialsHandler");
if(!g_isInitialized)
{
return CA_STATUS_NOT_INITIALIZED;
}
CADTLSSetX509CredentialsCallback(GetDTLSX509CredentialsHandler);
return CA_STATUS_OK;
}
CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetDTLSCrlHandler)
{
OIC_LOG(DEBUG, TAG, "CARegisterDTLSCrlHandler");
if(!g_isInitialized)
{
return CA_STATUS_NOT_INITIALIZED;
}
CADTLSSetCrlCallback(GetDTLSCrlHandler);
return CA_STATUS_OK;
}
#endif //__WITH_X509__
CAResult_t CACreateEndpoint(CATransportFlags_t flags,
CATransportAdapter_t adapter,
const char *addr,
......
......@@ -152,9 +152,9 @@ OCStackResult AddTmpPskWithPIN(const OicUuid_t* tmpSubject, OicSecCredType_t cre
* @param credInfo
* binary structure containing certificate credentials
*
* @retval OC_STACK_OK on scuccess
* @retval 0 on scuccess
*/
OCStackResult GetDtlsCertCredentials(CADtlsCertCreds_t *credInfo);
int GetDtlsX509Credentials(CADtlsX509Creds_t *credInfo);
#endif /*__WITH_X509__*/
/**
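Review bot: `@retval 0 on scuccess` keeps the typo and documents only the success code; the implementation in credresource.c returns 1 whenever one of its VERIFY checks fails, and because `GetCertCredPrivateData` runs before `GetCertCredPublicData` the private key may already have been copied into `credInfo` by then. Suggest `@retval 0 on success` and `@retval 1 on failure; the contents of credInfo are then unspecified and must not be used`, and mark the parameter as `@param credInfo [OUT] binary structure to fill with certificate credentials`.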
......
......@@ -43,6 +43,12 @@ OCStackResult UpdateCRLResource(const OicSecCrl_t *crl);
* @note Caller responsible for resulting string memory (use OICFree to remove it)
*/
char* GetBase64CRL();
/**
* This function get encoded with DER CRL from SRM
*
* @returns encoded CRL with DER format. array len is 0 if error occured (e.g. CRL did not set)
*/
void GetDerCrl(ByteArray crlArray);
/**
* This function get CRL from SRM
......
......@@ -1028,7 +1028,7 @@ exit:
return ret;
}
static OCStackResult GetCAPublicKeyData(CADtlsCertCreds_t *credInfo){
static OCStackResult GetCAPublicKeyData(CADtlsX509Creds_t *credInfo){
OCStackResult ret = OC_STACK_ERROR;
uint8_t *ccPtr = credInfo->certificateChain;
for(uint32_t i =0; i < credInfo->chainLen - 1; ++i)
......@@ -1054,7 +1054,7 @@ static OCStackResult GetCAPublicKeyData(CADtlsCertCreds_t *credInfo){
return ret;
}
static OCStackResult GetCertCredPublicData(CADtlsCertCreds_t *credInfo, OicSecCred_t *cred)
static OCStackResult GetCertCredPublicData(CADtlsX509Creds_t *credInfo, OicSecCred_t *cred)
{
OCStackResult ret = OC_STACK_ERROR;
VERIFY_NON_NULL(TAG, credInfo, ERROR);
......@@ -1090,7 +1090,7 @@ exit:
return ret;
}
static OCStackResult GetCertCredPrivateData(CADtlsCertCreds_t *credInfo, OicSecCred_t *cred)
static OCStackResult GetCertCredPrivateData(CADtlsX509Creds_t *credInfo, OicSecCred_t *cred)
{
OCStackResult ret = OC_STACK_ERROR;
VERIFY_NON_NULL(TAG, credInfo, ERROR);
......@@ -1114,9 +1114,9 @@ exit:
return ret;
}
OCStackResult GetDtlsCertCredentials(CADtlsCertCreds_t *credInfo)
int GetDtlsX509Credentials(CADtlsX509Creds_t *credInfo)
{
OCStackResult ret = OC_STACK_ERROR;
int ret = 1;
VERIFY_NON_NULL(TAG, credInfo, ERROR);
if (NULL == gCred)
{
......@@ -1130,7 +1130,7 @@ OCStackResult GetDtlsCertCredentials(CADtlsCertCreds_t *credInfo)
VERIFY_SUCCESS(TAG, OC_STACK_OK == GetCertCredPrivateData(credInfo, cred), ERROR);
VERIFY_SUCCESS(TAG, OC_STACK_OK == GetCertCredPublicData(credInfo, cred), ERROR);
ret = OC_STACK_OK;
ret = 0;
exit:
return ret;
......
......@@ -34,7 +34,6 @@
#ifdef __WITH_X509__
#include "crlresource.h"
#include "crl.h"
#include "ckm_info.h"
#endif /* __WITH_X509__ */
#define TAG PCF("SRM-CRL")
......@@ -507,3 +506,18 @@ exit:
cJSON_Delete(jsonRoot);
return ret;
}
void GetDerCrl(ByteArray crlArray)
{
OicSecCrl_t * crlRes = GetCRLResource();
if (crlRes && crlRes->CrlData.len <= crlArray.len)
{
memcpy(crlArray.data, crlRes->CrlData.data, crlRes->CrlData.len);
crlArray.len = crlRes->CrlData.len;
}
else
{
crlArray.len = 0;
}
DeleteCrlBinData(crlRes);
}
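Review bot: `DeleteCrlBinData(crlRes);` also runs on the else path, where `crlRes` may be NULL because the condition `crlRes && crlRes->CrlData.len <= crlArray.len` admits it; unless `DeleteCrlBinData` is documented to accept NULL, guard it with `if (crlRes) { DeleteCrlBinData(crlRes); }`. A stored CRL larger than the caller's buffer is silently reported the same way as "no CRL configured" (`crlArray.len = 0;`); an `OIC_LOG_V(WARNING, TAG, ...)` on that branch would keep an oversized CRL from being mistaken for an absent one. The `crlArray.len` assignments here operate on a by-value parameter, so the function's `len` updates are not observable by its caller as the header comment promises.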
......@@ -32,6 +32,10 @@
#include "utlist.h"
#include <string.h>
#ifdef __WITH_X509__
#include "crlresource.h"
#endif // __WITH_X509__
#define TAG PCF("SRM-RM")
/**
......
......@@ -28,6 +28,10 @@
#include "oic_string.h"
#include <string.h>
#ifdef __WITH_X509__
#include "crlresource.h"
#endif // __WITH_X509__
#define TAG PCF("SRM")
//Request Callback handler
......@@ -253,6 +257,10 @@ OCStackResult SRMInitSecureResources()
#if defined(__WITH_DTLS__)
CARegisterDTLSCredentialsHandler(GetDtlsPskCredentials);
#endif // (__WITH_DTLS__)
#if defined(__WITH_X509__)
CARegisterDTLSX509CredentialsHandler(GetDtlsX509Credentials);
CARegisterDTLSCrlHandler(GetDerCrl);
#endif // (__WITH_X509__)
return OC_STACK_OK;
}
......