Commit 890eb105 authored by Kevin Kane's avatar Kevin Kane Committed by Greg Zaverucha

[IOT-1785] [IOT-1870] Implement /oic/sec/roles resource

Also change "ret == 0" to "0 == ret" for IOT-1870; opened
from a previous code review.

Change-Id: I829192698b9a8fed920e865f9cd4c2b968f8c951
Signed-off-by: default avatarKevin Kane <kkane@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17707Reviewed-by: default avatarWay Vadhanasin <wayvad@microsoft.com>
Reviewed-by: default avatarDan Mihai <Daniel.Mihai@microsoft.com>
Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: default avatarAlex Kelley <alexke@microsoft.com>
Reviewed-by: default avatarGreg Zaverucha <gregz@microsoft.com>
parent 0c5e6d45
......@@ -328,6 +328,8 @@ typedef struct
#endif
} CAEndpoint_t;
#define CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH (128)
/**
* Endpoint information for secure messages.
*/
......@@ -338,6 +340,8 @@ typedef struct
CARemoteId_t identity; /**< endpoint device uuid */
CARemoteId_t userId; /**< endpoint user uuid */
uint32_t attributes;
uint8_t publicKey[CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH]; /**< Peer's DER-encoded public key (if using certificate) */
size_t publicKeyLength; /**< Length of publicKey; zero if not using certificate */
} CASecureEndpoint_t;
/**
......
......@@ -72,10 +72,11 @@ typedef int (*CAgetPskCredentialsHandler)(CADtlsPskCredType_t type,
* API to get a secure connected peer information
*
* @param[in] peer peer information includs IP address and port.
* @param[out] sep copy of secure endpoint info
*
* @return secure connected peer information on success, otherwise NULL
* @return CA_STATUS_OK on success; other error otherwise
*/
const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer);
CAResult_t CAGetSecureEndpointData(const CAEndpoint_t *peer, CASecureEndpoint_t *sep);
#endif //MULTIPLE_OWNER
/**
......
......@@ -179,16 +179,15 @@ CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint,
const uint8_t* provServerDeviceId, const size_t provServerDeviceIdLen,
uint8_t* ownerPsk, const size_t ownerPskSize);
#ifdef MULTIPLE_OWNER
/**
* Gets CA secure endpoint info corresponding for endpoint.
* Gets a copy of CA secure endpoint info corresponding for endpoint.
*
* @param[in] peer remote address
* @param[out] sep copy of secure endpoint data
*
* @return CASecureEndpoint or NULL
* @return CA_STATUS_OK on success; other error code on failure
*/
const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer);
#endif
CAResult_t GetCASecureEndpointData(const CAEndpoint_t* peer, CASecureEndpoint_t *sep);
/**
* Adds a bit to the attributes field of a secure endpoint.
......
......@@ -25,6 +25,7 @@
#include <stddef.h>
#include <stdbool.h>
#include <assert.h>
#include "ca_adapter_net_ssl.h"
#include "cacommon.h"
#include "caipinterface.h"
......@@ -846,15 +847,15 @@ static SslEndPoint_t *GetSslPeer(const CAEndpoint_t *peer)
return NULL;
}
#ifdef MULTIPLE_OWNER
/**
* Gets CA secure endpoint info corresponding for endpoint.
* Gets a copy of CA secure endpoint info corresponding for endpoint.
*
* @param[in] peer remote address
* @param[out] sep copy of secure endpoint data
*
* @return CASecureEndpoint or NULL
* @return CA_STATUS_OK on success; other error code on failure
*/
const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer)
CAResult_t GetCASecureEndpointData(const CAEndpoint_t* peer, CASecureEndpoint_t* sep)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
......@@ -863,23 +864,23 @@ const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer)
{
OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
oc_mutex_unlock(g_sslContextMutex);
return NULL;
return CA_STATUS_NOT_INITIALIZED;
}
SslEndPoint_t* sslPeer = GetSslPeer(peer);
if(sslPeer)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
memcpy(sep, &sslPeer->sep, sizeof(sslPeer->sep));
oc_mutex_unlock(g_sslContextMutex);
return &sslPeer->sep;
return CA_STATUS_OK;
}
OIC_LOG(DEBUG, NET_SSL_TAG, "Return NULL");
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
oc_mutex_unlock(g_sslContextMutex);
return NULL;
return CA_STATUS_INVALID_PARAM;
}
#endif
/**
* Adds a bit to the attributes field of a secure endpoint.
......@@ -2052,6 +2053,7 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
{
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
const mbedtls_x509_name * name = NULL;
uint8_t pubKeyBuf[CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH] = { 0 };
ret = (NULL == peerCert ? -1 : 0);
if (!checkSslOperation(peer,
ret,
......@@ -2063,6 +2065,30 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
return CA_STATUS_FAILED;
}
/* mbedtls_pk_write_pubkey_der takes a non-const mbedtls_pk_context, but inspection
* shows that every place it's used internally treats it as const, so casting its
* constness away is safe.
*/
ret = mbedtls_pk_write_pubkey_der((mbedtls_pk_context *)&peerCert->pk, pubKeyBuf, sizeof(pubKeyBuf));
if (ret <= 0)
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "Failed to copy public key of remote peer: -0x%x", ret);
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_FAILED;
}
else if (ret > sizeof(peer->sep.publicKey))
{
assert(!"publicKey field of CASecureEndpoint_t is too small for the public key!");
OIC_LOG(ERROR, NET_SSL_TAG, "Public key of remote peer was too large");
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_FAILED;
}
/* DER data is written to the end of the buffer, so we have to skip ahead in it. */
memcpy(peer->sep.publicKey, (pubKeyBuf + sizeof(pubKeyBuf) - ret), ret);
peer->sep.publicKeyLength = ret;
/* Find the CN component of the subject name. */
for (name = &peerCert->subject; NULL != name; name = name->next)
{
......@@ -2142,6 +2168,12 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
}
}
}
else
{
/* No public key information for non-certificate-using ciphersuites. */
memset(&peer->sep.publicKey, 0, sizeof(peer->sep.publicKey));
peer->sep.publicKeyLength = 0;
}
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
......
......@@ -140,18 +140,18 @@ void CARegisterHandler(CARequestCallback ReqHandler, CAResponseCallback RespHand
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
#ifdef MULTIPLE_OWNER
const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer)
CAResult_t CAGetSecureEndpointData(const CAEndpoint_t *peer, CASecureEndpoint_t *sep)
{
OIC_LOG(DEBUG, TAG, "IN CAGetSecurePeerInfo");
if (!g_isInitialized)
{
OIC_LOG(DEBUG, TAG, "CA is not initialized");
return NULL;
return CA_STATUS_NOT_INITIALIZED;
}
OIC_LOG(DEBUG, TAG, "OUT CAGetSecurePeerInfo");
return GetCASecureEndpointData(peer);
return GetCASecureEndpointData(peer, sep);
}
#endif //MULTIPLE_OWNER
......
......@@ -39,9 +39,7 @@
#define CAsetTlsCipherSuite CAsetTlsCipherSuiteTest
#define CAsslGenerateOwnerPsk CAsslGenerateOwnerPskTest
#define CAcloseSslConnectionAll CAcloseSslConnectionAllTest
#ifdef MULTIPLE_OWNER
#define GetCASecureEndpointData GetCASecureEndpointDataTest
#endif
#define SetCASecureEndpointAttribute SetCASecureEndpointAttributeTest
#define GetCASecureEndpointAttributes GetCASecureEndpointAttributesTest
......
......@@ -64,7 +64,10 @@ if target_os in ['windows', 'msys_nt']:
# - Disabled due to the widespread usage in internal IoTivity components as well as external libs.
# - warning C4232: nonstandard extension used: 'read': address of dllimport 'fread' is not static, identity not guaranteed
# - fread, frwrite, etc are provided by the platform and cannot be changed.
libocsrm_env.AppendUnique(CCFLAGS=['/wd4201', '/wd4232', '/W4', '/WX'])
# - warning C4200: nonstandard extension used: zero-sized array in struct/union
# - warning C4214: nonstandard extension used: bit field types other than int
# - warnings inherited from a header included from libcoap
libocsrm_env.AppendUnique(CCFLAGS=['/wd4201', '/wd4232', '/wd4200', '/wd4214', '/W4', '/WX'])
if target_os in ['linux', 'android', 'tizen', 'msys_nt', 'windows'] and libocsrm_env.get('SECURED') == '1':
SConscript('provisioning/SConscript', 'libocsrm_env')
......@@ -129,7 +132,9 @@ if libocsrm_env.get('SECURED') == '1':
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'oxmpincommon.c', OCSRM_SRC + 'pbkdf2.c']
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'crlresource.c', OCSRM_SRC + 'pkix_interface.c']
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'oxmverifycommon.c']
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'certhelpers.c', OCSRM_SRC + 'csrresource.c', OCSRM_SRC + 'occertutility.c' ]
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'certhelpers.c', OCSRM_SRC + 'occertutility.c']
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'csrresource.c']
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'rolesresource.c']
if target_os in ['windows', 'msys_nt']:
libocsrm_src = libocsrm_src + [OCSRM_SRC + 'strptime.c']
......
......@@ -53,4 +53,74 @@ int OCInternalGenerateKeyPair(mbedtls_pk_context *keyPair);
#endif
/**
* Determine if a buffer contains a role certificate, and optionally, return
* a DER encoding of the public key. This is intended as a simple check when the
* certificate is presented to reject obviously invalid certificates.
*
* The following properties are checked:
* 1. The certificate is a valid X.509 certificate.
* 2. It contains the role certificate Extended Key Usage.
* 3. It contains at least one Subject Alternative Name extension that validly encodes a role.
*
* It does NOT validate the cryptographic signature nor check its time validity.
* These checks should be done when the certificate is being used as part of an access control check,
* as that is when the time validity check should be made, and when trusted CAs are known.
*
* @param[in] buf Buffer containing certificate as a PEM string
* @param[in] bufLen Length of buffer including terminating NULL
* @param[out] pubKey Optional pointer to receive buffer containing binary DER encoding of public key.
* Caller must free with OICFree when finished. Pass NULL in to not retrieve the
* public key.
* @param[out] pubKeyLen Pointer to variable to receive size of pubKey. Ignored if pubKey is NULL.
*
* @return OC_STACK_OK if certificate satisfies the properties above, and the public key is
* successfully extracted (if requested).
* OC_STACK_INVALID_PARAM if the certificate does not meet the properties above.
* OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during the check.
*/
OCStackResult OCInternalIsValidRoleCertificate(const uint8_t *buf, size_t bufLen,
uint8_t **pubKey, size_t *pubKeyLen);
/**
* Determine if a buffer contains a valid chain of certificates. This is intended to verify
* one or more intermediate CA certificates are valid.
*
* This only checks that they are valid X.509 structures; no verification of the cryptographic
* signature of time-validity is performed. These should be done at point of use.
*
* @param[in] buf Buffer containing certificates as a PEM string
* @param[in] bufLen Length of buffer including terminating NULL
*
* @return OC_STACK_OK if buf contains a valid chain of certificates
* OC_STACK_INVALID_PARAM if buf cannot be parsed as a chain of certificates
* OC_STACK_ERROR if some other error arose during the check
*/
OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
/**
* Verify the validity of a role certificate chain against a set of trusted certificate
* authorities. If successful, a list of roles authorized by this certificate is returned.
*
* The certificate's validity is also verified against the current time.
*
* The GetPemCaCert function from credresource.h can be used to retrieve the set of trusted CAs
* from the /oic/sec/cred resource in a form suitable for the trustedCaCerts and trustedCaCertsLength
* parameters.
*
* @param[in] certificate OicSecKey_t containing the leaf certificate
* @param[in] optData Optional OicSecOpt_t containing intermediate CAs and revocation status
* @param[in] trustedCaCerts PEM string containing the trusted CAs certificates
* @param[in] trustedCaCertsLength Length of trustedCaCerts (including terminating NULL)
* @param[out] roles Pointer to receive array of OicSecRole_t objects listing roles
* Caller must call OICFree to release this memory when finished
* @param[out] rolesLength Length of returned roles array
*
* @return OC_STACK_OK if the certificate is valid.
* OC_STACK_INVALID_PARAM if the certificate is not valid.
* OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during validation.
*/
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificate, const OicSecOpt_t *optData,
const uint8_t *trustedCaCerts, size_t trustedCaCertsLength,
OicSecRole_t **roles, size_t *rolesLength);
#endif
......@@ -24,6 +24,7 @@
#include "cainterface.h"
#include "securevirtualresourcetypes.h"
#include "octypes.h"
#include <cbor.h>
#ifdef __cplusplus
extern "C" {
......@@ -211,7 +212,14 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid);
#if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
/**
* Used by mbedTLS to retrieve trusted CA certificates
* Used by role certificate validator to get CA certificates as PEM
*
* @param[out] crt certificates to be filled.
* @param[in] usage credential usage string.
*/
OCStackResult GetPemCaCert(ByteArray_t * crt, const char * usage);
/**
* Used by mbedTLS to retrieve trusted CA certificates as DER
*
* @param[out] crt certificates to be filled.
* @param[in] usage credential usage string.
......@@ -239,6 +247,13 @@ void GetDerKey(ByteArray_t * key, const char * usage);
*/
void InitCipherSuiteListInternal(bool *list, const char * usage);
#endif // __WITH_TLS__
// Helpers shared by cred and roles resources
CborError SerializeEncodingToCbor(CborEncoder *rootMap, const char *tag, const OicSecKey_t *value);
CborError SerializeSecOptToCbor(CborEncoder *rootMap, const char *tag, const OicSecOpt_t *value);
CborError DeserializeEncodingFromCbor(CborValue *rootMap, OicSecKey_t *value);
CborError DeserializeSecOptFromCbor(CborValue *rootMap, OicSecOpt_t *value);
#ifdef __cplusplus
}
#endif
......
......@@ -26,6 +26,9 @@
#include "octypes.h"
#if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
#ifdef __cplusplus
extern "C" {
#endif
/**
* Initialize the CSR resource.
*
......@@ -53,6 +56,9 @@ OCStackResult DeInitCSRResource();
OCStackResult CBORPayloadToCSR(const uint8_t *cborPayload, size_t size,
uint8_t **csr, size_t *csrLen,
OicEncodingType_t *encoding);
#ifdef __cplusplus
}
#endif
#endif
#endif
//******************************************************************
//
// Copyright 2017 Microsoft
//
//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//******************************************************************
#ifndef IOTVT_SRM_ROLESR_H
#define IOTVT_SRM_ROLESR_H
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
#include "cainterface.h"
#include "securevirtualresourcetypes.h"
#include "octypes.h"
#ifdef __cplusplus
extern "C" {
#endif
typedef struct RoleCertChain {
uint32_t credId; /**< locally assigned ID number for use with DELETE */
OicSecKey_t certificate; /**< leaf certificate data */
OicSecOpt_t optData; /**< intermediate CA certificates */
struct RoleCertChain *next; /**< next chain in list */
} RoleCertChain_t;
/**
* Initialize the roles resource.
*
* @return OC_STACK_OK if successful; error otherwise
*/
OCStackResult InitRolesResource();
/**
* De-initialize the roles resource.
*
* @return OC_STACK_OK if successful; error otherwise
*/
OCStackResult DeInitRolesResource();
/**
* Retrieve the roles asserted by a given endpoint with certificates.
*
* @param[in] endpoint Endpoint to retrieve roles for
* @param[out] roles Pointer to receive array of OicSecRole_t objects containing roles for this endpoint
* On success, caller must free the received array with OICFree when finished
* @param[out] roleCount Variable to receive length of roles array.
*
* @note If the endpoint is found but has not asserted any roles with certificates,
* OC_STACK_OK will be returned, but NULL will be returned in roles and 0 in roleCount.
*
* @return OC_STACK_OK if list of roles is successfully populated; error otherwise.
*/
OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **roles, size_t *roleCount);
/**
* This function converts a CBOR payload into a list of role certificates.
* Caller needs to call 'OICFree' on *roleCertList after use.
*
* @param[in] cborPayload Received CBOR payload to extract the role cert list from
* @param[in] size Size of cborPayload
* @param[out] roleCertList Pointer to receive linked list of RoleCertChain_t objects
* On success, caller must call FreeRoleCertChainList on *roleCertList when finished
* @return OC_STACK_OK if payload is successfully converted; error code otherwise
*/
OCStackResult CBORPayloadToRoles(const uint8_t *cborPayload, size_t size, RoleCertChain_t **roleCertList);
/**
* Free the memory used by a list of RoleCertChain_t objects created by CBORPayloadToRoles.
*
* @param[in] roleCertList List received from CBORPayloadToRoles
*/
void FreeRoleCertChainList(RoleCertChain_t *roleCertList);
#ifdef __cplusplus
}
#endif
#endif /* defined(__WITH_DTLS__) || defined(__WITH_TLS__) */
#endif /* IOTVT_SRM_ROLESR_H */
......@@ -64,6 +64,11 @@ extern const char * OIC_RSRC_TYPE_SEC_CSR;
extern const char * OIC_RSRC_CSR_URI;
extern const char * OIC_JSON_CSR_NAME;
//roles
extern const char * OIC_RSRC_TYPE_SEC_ROLES;
extern const char * OIC_RSRC_ROLES_URI;
extern const char * OIC_JSON_ROLES_NAME;
//CRL
extern const char * OIC_RSRC_TYPE_SEC_CRL;
extern const char * OIC_RSRC_CRL_URI;
......
......@@ -256,10 +256,12 @@ typedef enum
OIC_R_AMACL_TYPE,
OIC_R_CRED_TYPE,
OIC_R_CRL_TYPE,
OIC_R_CSR_TYPE,
OIC_R_DOXM_TYPE,
OIC_R_DPAIRING_TYPE,
OIC_R_PCONF_TYPE,
OIC_R_PSTAT_TYPE,
OIC_R_ROLES_TYPE,
OIC_R_SACL_TYPE,
OIC_R_SVC_TYPE,
OIC_SEC_SVR_TYPE_COUNT, //define the value to number of SVR
......@@ -347,7 +349,8 @@ typedef void OicSecCert_t;
*/
#define UUID_LENGTH 128/8 // 128-bit GUID length
//TODO: Confirm the length and type of ROLEID.
#define ROLEID_LENGTH 128/8 // 128-bit ROLEID length
#define ROLEID_LENGTH 64 // 64-byte authority max length
#define ROLEAUTHORITY_LENGTH 64 // 64-byte authority max length
#define OWNER_PSK_LENGTH_128 128/8 //byte size of 128-bit key size
#define OWNER_PSK_LENGTH_256 256/8 //byte size of 256-bit key size
......@@ -530,8 +533,8 @@ struct OicSecPstat
struct OicSecRole
{
// <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
//TODO fill in with Role definition
uint8_t id[ROLEID_LENGTH];
char id[ROLEID_LENGTH]; // 0:R:S:Y:String
char authority[ROLEAUTHORITY_LENGTH]; // 1:R:S:N:String
};
/**
......
......@@ -80,13 +80,40 @@ OCStackResult SRPGetACLResource(void *ctx, const OCProvisionDev_t *selectedDevic
/**
* API to request the Certificate Signing Request (CSR) resource.
*
* @param[in] ctx Application context to be returned in result callback.
* @param[in] selectedDeviceInfo Selected target device.
* @param[in] resultCallback callback provided by API user, callback will be called when
* provisioning request recieves a response from resource server.
* @return OC_STACK_OK in case of success and other value otherwise.
*/
OCStackResult SRPGetCSRResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCGetCSRResultCB resultCallback);
OCGetCSRResultCB resultCallback);
/**
* API to request the Roles resource.
*
* @param[in] ctx Application context to be returned in result callback.
* @param[in] selectedDeviceInfo Selected target device.
* @param[in] resultCallback Callback provided by API user. Callback will be called when
* provisioning request receives a response from resource server.
* @return OC_STACK_OK in case of success or error value otherwise.
*/
OCStackResult SRPGetRolesResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCGetRolesResultCB resultCallback);
/**
* This function requests the device delete a particular role certificate by credId.
*
* @param[in] ctx Application context that is returned in the result callback.
* @param[in] selectedDeviceInfo Selected target device.
* @param[in] resultCallback callback provided by the API user. Callback will be called when request receives
* a response from the resource server.
* @param[in] credId credId to request be deleted.
*
* @return OC_STACK_OK in case of success, and error value otherwise.
*/
OCStackResult SRPDeleteRoleCertificateByCredId(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCProvisionResultCB resultCallback, uint32_t credId);
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
......
......@@ -265,6 +265,33 @@ OCStackResult OCGetACLResource(void* ctx, const OCProvisionDev_t *selectedDevice
OCStackResult OCGetCSRResource(void* ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCGetCSRResultCB resultCallback);
/**
* This function requests the device provide its roles resource, listing the role certificates
* it has for the local requestor.
*
* @param[in] ctx Application context that is returned in the result callback.
* @param[in] selectedDeviceInfo Selected target device.
* @param[in] resultCallback callback provided by the API user. Callback will be called when provisioning
* request receives a response from the resource server.
* @return OC_STACK_OK in case of success, and error value otherwise.
*/
OCStackResult OCGetRolesResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCGetRolesResultCB resultCallback);
/**
* This function requests the device delete a particular role certificate by credId.
*
* @param[in] ctx Application context that is returned in the result callback.
* @param[in] selectedDeviceInfo Selected target device.
* @param[in] resultCallback callback provided by the API user. Callback will be called when request receives
* a response from the resource server.
* @param[in] credId credId to request be deleted. If 0, delete all role certificates for this peer.
*
* @return OC_STACK_OK in case of success, and error value otherwise.
*/
OCStackResult OCDeleteRoleCertificateByCredId(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
OCProvisionResultCB resultCallback, uint32_t credId);
/**
* this function sends Direct-Pairing Configuration to a device.
*
......
......@@ -110,6 +110,21 @@ typedef struct OCPMGetCsrResult
OicEncodingType_t encoding; /* Determines contents of csr; either OIC_ENCODING_DER or OIC_ENCODING_PEM */
} OCPMGetCsrResult_t;
typedef struct OCPMRoleCertChain
{
uint64_t credId; /**< credential ID */
OicSecKey_t certificate; /**< leaf certificate */
OicSecOpt_t optData; /**< intermediate CA certificates (if any) */
} OCPMRoleCertChain_t;
typedef struct OCPMGetRolesResult
{
OicUuid_t deviceId; /**< responding device ID */
OCStackResult res; /**< result for this device */
OCPMRoleCertChain_t *chains; /**< cert chains (if res is OC_STACK_OK) */
size_t chainsLength; /**< length of chains array (if res is OC_STACK_OK */
} OCPMGetRolesResult_t;
/**
* Owner device type
*/
......@@ -160,6 +175,20 @@ typedef void (*OCProvisionResultCB)(void* ctx, size_t nOfRes, OCProvisionResult_
*/
typedef void (*OCGetCSRResultCB)(void* ctx, size_t nOfRes, OCPMGetCsrResult_t *arr, bool hasError);
/**
* Callback function definition of roles retrieve API
*
* @param[OUT] ctx - If user set a context, it will be returned here.
* @param[OUT] nOfRes - total number of results
* @param[OUT] arr - Array of OCPMGetRolesResult_t, containing one entry for each target device. If an entry's res
* member is OC_STACK_OK, then chains and chainsLength are valid; otherwise they should not be used.
* This memory is only valid while the callback is executing; callers must make copies if the data
* needs to be kept longer.
* @param[OUT] hasError - If all calls succeeded, this will be false. One or more errors, and this will
* be true. Examine the elements of arr to discover which failed.
*/
typedef void (*OCGetRolesResultCB)(void* ctx, size_t nOfRes, OCPMGetRolesResult_t *arr, bool hasError);
/**
* Callback function definition of direct-pairing
*
......
......@@ -397,6 +397,17 @@ OCStackResult OCGetCSRResource(void* ctx, const OCProvisionDev_t *selectedDevice