[IOT-1785] [IOT-1870] Implement /oic/sec/roles resource

Also change "ret == 0" to "0 == ret" for IOT-1870; opened
from a previous code review.

Change-Id: I829192698b9a8fed920e865f9cd4c2b968f8c951
Signed-off-by: Kevin Kane <kkane@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17707Reviewed-by: Way Vadhanasin <wayvad@microsoft.com>
Reviewed-by: Dan Mihai <Daniel.Mihai@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Alex Kelley <alexke@microsoft.com>
Reviewed-by: Greg Zaverucha <gregz@microsoft.com>

resource/csdk/connectivity/api/cacommon.h

@@ -328,6 +328,8 @@ typedef struct
 #endif
 } CAEndpoint_t;
 
+#define CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH    (128)
+
 /**
  * Endpoint information for secure messages.
  */
@@ -338,6 +340,8 @@ typedef struct
     CARemoteId_t identity;      /**< endpoint device uuid */
     CARemoteId_t userId;        /**< endpoint user uuid */
     uint32_t attributes;
+    uint8_t publicKey[CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH]; /**< Peer's DER-encoded public key (if using certificate) */
+    size_t publicKeyLength;     /**< Length of publicKey; zero if not using certificate */
 } CASecureEndpoint_t;
 
 /**

resource/csdk/connectivity/api/casecurityinterface.h

@@ -72,10 +72,11 @@ typedef int (*CAgetPskCredentialsHandler)(CADtlsPskCredType_t type,
  * API to get a secure connected peer information
  *
  * @param[in] peer peer information includs IP address and port.
+ * @param[out] sep copy of secure endpoint info
  *
- * @return  secure connected peer information on success, otherwise NULL
+ * @return  CA_STATUS_OK on success; other error otherwise
  */
-const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer);
+CAResult_t CAGetSecureEndpointData(const CAEndpoint_t *peer, CASecureEndpoint_t *sep);
 #endif //MULTIPLE_OWNER
 
 /**

resource/csdk/connectivity/inc/ca_adapter_net_ssl.h

@@ -179,16 +179,15 @@ CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint,
                     const uint8_t* provServerDeviceId, const size_t provServerDeviceIdLen,
                     uint8_t* ownerPsk, const size_t ownerPskSize);
 
-#ifdef MULTIPLE_OWNER
 /**
- * Gets CA secure endpoint info corresponding for endpoint.
+ * Gets a copy of CA secure endpoint info corresponding for endpoint.
  *
  * @param[in]  peer    remote address
+ * @param[out] sep     copy of secure endpoint data
  *
- * @return  CASecureEndpoint or NULL
+ * @return  CA_STATUS_OK on success; other error code on failure
  */
-const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer);
-#endif
+CAResult_t GetCASecureEndpointData(const CAEndpoint_t* peer, CASecureEndpoint_t *sep);
 
 /**
  * Adds a bit to the attributes field of a secure endpoint.

resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c

@@ -25,6 +25,7 @@
 
 #include <stddef.h>
 #include <stdbool.h>
+#include <assert.h>
 #include "ca_adapter_net_ssl.h"
 #include "cacommon.h"
 #include "caipinterface.h"
@@ -846,15 +847,15 @@ static SslEndPoint_t *GetSslPeer(const CAEndpoint_t *peer)
     return NULL;
 }
 
-#ifdef MULTIPLE_OWNER
 /**
- * Gets CA secure endpoint info corresponding for endpoint.
+ * Gets a copy of CA secure endpoint info corresponding for endpoint.
  *
  * @param[in]  peer    remote address
+ * @param[out] sep     copy of secure endpoint data
  *
- * @return  CASecureEndpoint or NULL
+ * @return  CA_STATUS_OK on success; other error code on failure
  */
-const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer)
+CAResult_t GetCASecureEndpointData(const CAEndpoint_t* peer, CASecureEndpoint_t* sep)
 {
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
 
@@ -863,23 +864,23 @@ const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer)
     {
         OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
         oc_mutex_unlock(g_sslContextMutex);
-        return NULL;
+        return CA_STATUS_NOT_INITIALIZED;
     }
 
     SslEndPoint_t* sslPeer = GetSslPeer(peer);
     if(sslPeer)
     {
         OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+        memcpy(sep, &sslPeer->sep, sizeof(sslPeer->sep));
         oc_mutex_unlock(g_sslContextMutex);
-        return &sslPeer->sep;
+        return CA_STATUS_OK;
     }
 
     OIC_LOG(DEBUG, NET_SSL_TAG, "Return NULL");
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
     oc_mutex_unlock(g_sslContextMutex);
-    return NULL;
+    return CA_STATUS_INVALID_PARAM;
 }
-#endif
 
 /**
  * Adds a bit to the attributes field of a secure endpoint.
@@ -2052,6 +2053,7 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
             {
                 const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
                 const mbedtls_x509_name * name = NULL;
+                uint8_t pubKeyBuf[CA_SECURE_ENDPOINT_PUBLIC_KEY_MAX_LENGTH] = { 0 };
                 ret = (NULL == peerCert ? -1 : 0);
                 if (!checkSslOperation(peer,
                                        ret,
@@ -2063,6 +2065,30 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
                     return CA_STATUS_FAILED;
                 }
 
+                /* mbedtls_pk_write_pubkey_der takes a non-const mbedtls_pk_context, but inspection
+                 * shows that every place it's used internally treats it as const, so casting its
+                 * constness away is safe.
+                 */
+                ret = mbedtls_pk_write_pubkey_der((mbedtls_pk_context *)&peerCert->pk, pubKeyBuf, sizeof(pubKeyBuf));
+                if (ret <= 0)
+                {
+                    OIC_LOG_V(ERROR, NET_SSL_TAG, "Failed to copy public key of remote peer: -0x%x", ret);
+                    oc_mutex_unlock(g_sslContextMutex);
+                    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+                    return CA_STATUS_FAILED;
+                }
+                else if (ret > sizeof(peer->sep.publicKey))
+                {
+                    assert(!"publicKey field of CASecureEndpoint_t is too small for the public key!");
+                    OIC_LOG(ERROR, NET_SSL_TAG, "Public key of remote peer was too large");
+                    oc_mutex_unlock(g_sslContextMutex);
+                    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+                    return CA_STATUS_FAILED;
+                }
+                /* DER data is written to the end of the buffer, so we have to skip ahead in it. */
+                memcpy(peer->sep.publicKey, (pubKeyBuf + sizeof(pubKeyBuf) - ret), ret);
+                peer->sep.publicKeyLength = ret;
+
                 /* Find the CN component of the subject name. */
                 for (name = &peerCert->subject; NULL != name; name = name->next)
                 {
@@ -2142,6 +2168,12 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
                     }
                 }
             }
+            else
+            {
+                /* No public key information for non-certificate-using ciphersuites. */
+                memset(&peer->sep.publicKey, 0, sizeof(peer->sep.publicKey));
+                peer->sep.publicKeyLength = 0;
+            }
 
             oc_mutex_unlock(g_sslContextMutex);
             OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);

resource/csdk/connectivity/src/caconnectivitymanager.c

@@ -140,18 +140,18 @@ void CARegisterHandler(CARequestCallback ReqHandler, CAResponseCallback RespHand
 
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
 #ifdef MULTIPLE_OWNER
-const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer)
+CAResult_t CAGetSecureEndpointData(const CAEndpoint_t *peer, CASecureEndpoint_t *sep)
 {
     OIC_LOG(DEBUG, TAG, "IN CAGetSecurePeerInfo");
 
     if (!g_isInitialized)
     {
         OIC_LOG(DEBUG, TAG, "CA is not initialized");
-        return NULL;
+        return CA_STATUS_NOT_INITIALIZED;
     }
 
     OIC_LOG(DEBUG, TAG, "OUT CAGetSecurePeerInfo");
-    return GetCASecureEndpointData(peer);
+    return GetCASecureEndpointData(peer, sep);
 }
 #endif //MULTIPLE_OWNER
 

resource/csdk/connectivity/test/ssladapter_test.cpp

@@ -39,9 +39,7 @@
 #define CAsetTlsCipherSuite CAsetTlsCipherSuiteTest
 #define CAsslGenerateOwnerPsk CAsslGenerateOwnerPskTest
 #define CAcloseSslConnectionAll CAcloseSslConnectionAllTest
-#ifdef MULTIPLE_OWNER
 #define GetCASecureEndpointData GetCASecureEndpointDataTest
-#endif
 #define SetCASecureEndpointAttribute SetCASecureEndpointAttributeTest
 #define GetCASecureEndpointAttributes GetCASecureEndpointAttributesTest
 

resource/csdk/security/SConscript

@@ -64,7 +64,10 @@ if target_os in ['windows', 'msys_nt']:
     #    - Disabled due to the widespread usage in internal IoTivity components as well as external libs.
     #  - warning C4232: nonstandard extension used: 'read': address of dllimport 'fread' is not static, identity not guaranteed
     #    - fread, frwrite, etc are provided by the platform and cannot be changed.
-	libocsrm_env.AppendUnique(CCFLAGS=['/wd4201', '/wd4232', '/W4', '/WX'])
+    #  - warning C4200: nonstandard extension used: zero-sized array in struct/union
+    #  - warning C4214: nonstandard extension used: bit field types other than int
+    #    - warnings inherited from a header included from libcoap
+	libocsrm_env.AppendUnique(CCFLAGS=['/wd4201', '/wd4232', '/wd4200', '/wd4214', '/W4', '/WX'])
 
 if target_os in ['linux', 'android', 'tizen', 'msys_nt', 'windows'] and libocsrm_env.get('SECURED') == '1':
 	SConscript('provisioning/SConscript', 'libocsrm_env')
@@ -129,7 +132,9 @@ if libocsrm_env.get('SECURED') == '1':
 	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'oxmpincommon.c', OCSRM_SRC + 'pbkdf2.c']
 	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'crlresource.c', OCSRM_SRC + 'pkix_interface.c']
 	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'oxmverifycommon.c']
-	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'certhelpers.c', OCSRM_SRC + 'csrresource.c', OCSRM_SRC + 'occertutility.c' ]
+	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'certhelpers.c', OCSRM_SRC + 'occertutility.c']
+	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'csrresource.c']
+	libocsrm_src = libocsrm_src + [OCSRM_SRC + 'rolesresource.c']
 
 if target_os in ['windows', 'msys_nt']:
 	libocsrm_src  = libocsrm_src + [OCSRM_SRC + 'strptime.c']

resource/csdk/security/include/internal/certhelpers.h

@@ -53,4 +53,74 @@ int OCInternalGenerateKeyPair(mbedtls_pk_context *keyPair);
 
 #endif
 
+/**
+ * Determine if a buffer contains a role certificate, and optionally, return
+ * a DER encoding of the public key. This is intended as a simple check when the
+ * certificate is presented to reject obviously invalid certificates.
+ *
+ * The following properties are checked:
+ * 1. The certificate is a valid X.509 certificate.
+ * 2. It contains the role certificate Extended Key Usage.
+ * 3. It contains at least one Subject Alternative Name extension that validly encodes a role.
+ *
+ * It does NOT validate the cryptographic signature nor check its time validity.
+ * These checks should be done when the certificate is being used as part of an access control check, 
+ * as that is when the time validity check should be made, and when trusted CAs are known.
+ *
+ * @param[in] buf           Buffer containing certificate as a PEM string
+ * @param[in] bufLen        Length of buffer including terminating NULL
+ * @param[out] pubKey       Optional pointer to receive buffer containing binary DER encoding of public key.
+ *                          Caller must free with OICFree when finished. Pass NULL in to not retrieve the
+ *                          public key.
+ * @param[out] pubKeyLen    Pointer to variable to receive size of pubKey. Ignored if pubKey is NULL.
+ *
+ * @return OC_STACK_OK if certificate satisfies the properties above, and the public key is
+ *                     successfully extracted (if requested).
+ *         OC_STACK_INVALID_PARAM if the certificate does not meet the properties above.
+ *         OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during the check.
+ */
+OCStackResult OCInternalIsValidRoleCertificate(const uint8_t *buf, size_t bufLen,
+                                               uint8_t **pubKey, size_t *pubKeyLen);
+
+/**
+ * Determine if a buffer contains a valid chain of certificates. This is intended to verify
+ * one or more intermediate CA certificates are valid.
+ * 
+ * This only checks that they are valid X.509 structures; no verification of the cryptographic
+ * signature of time-validity is performed. These should be done at point of use.
+ *
+ * @param[in] buf           Buffer containing certificates as a PEM string
+ * @param[in] bufLen        Length of buffer including terminating NULL
+ *
+ * @return OC_STACK_OK if buf contains a valid chain of certificates
+ *         OC_STACK_INVALID_PARAM if buf cannot be parsed as a chain of certificates
+ *         OC_STACK_ERROR if some other error arose during the check
+ */
+OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
+
+/**
+ * Verify the validity of a role certificate chain against a set of trusted certificate
+ * authorities. If successful, a list of roles authorized by this certificate is returned.
+ *
+ * The certificate's validity is also verified against the current time.
+ *
+ * The GetPemCaCert function from credresource.h can be used to retrieve the set of trusted CAs
+ * from the /oic/sec/cred resource in a form suitable for the trustedCaCerts and trustedCaCertsLength
+ * parameters.
+ *
+ * @param[in] certificate           OicSecKey_t containing the leaf certificate
+ * @param[in] optData               Optional OicSecOpt_t containing intermediate CAs and revocation status
+ * @param[in] trustedCaCerts        PEM string containing the trusted CAs certificates
+ * @param[in] trustedCaCertsLength  Length of trustedCaCerts (including terminating NULL)
+ * @param[out] roles                Pointer to receive array of OicSecRole_t objects listing roles
+ *                                  Caller must call OICFree to release this memory when finished
+ * @param[out] rolesLength          Length of returned roles array
+ *
+ * @return OC_STACK_OK if the certificate is valid.
+ *         OC_STACK_INVALID_PARAM if the certificate is not valid.
+ *         OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during validation.
+ */
+OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificate, const OicSecOpt_t *optData,
+                                              const uint8_t *trustedCaCerts, size_t trustedCaCertsLength,
+                                              OicSecRole_t **roles, size_t *rolesLength);
 #endif

resource/csdk/security/include/internal/credresource.h

@@ -24,6 +24,7 @@
 #include "cainterface.h"
 #include "securevirtualresourcetypes.h"
 #include "octypes.h"
+#include <cbor.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -211,7 +212,14 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid);
 
 #if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
 /**
- * Used by mbedTLS to retrieve trusted CA certificates
+ * Used by role certificate validator to get CA certificates as PEM
+ *
+ * @param[out] crt certificates to be filled.
+ * @param[in] usage credential usage string.
+ */
+OCStackResult GetPemCaCert(ByteArray_t * crt, const char * usage);
+/**
+ * Used by mbedTLS to retrieve trusted CA certificates as DER
  *
  * @param[out] crt certificates to be filled.
  * @param[in] usage credential usage string.
@@ -239,6 +247,13 @@ void GetDerKey(ByteArray_t * key, const char * usage);
  */
 void InitCipherSuiteListInternal(bool *list, const char * usage);
 #endif // __WITH_TLS__
+
+// Helpers shared by cred and roles resources
+CborError SerializeEncodingToCbor(CborEncoder *rootMap, const char *tag, const OicSecKey_t *value);
+CborError SerializeSecOptToCbor(CborEncoder *rootMap, const char *tag, const OicSecOpt_t *value);
+CborError DeserializeEncodingFromCbor(CborValue *rootMap, OicSecKey_t *value);
+CborError DeserializeSecOptFromCbor(CborValue *rootMap, OicSecOpt_t *value);
+
 #ifdef __cplusplus
 }
 #endif

resource/csdk/security/include/internal/csrresource.h

@@ -26,6 +26,9 @@
 #include "octypes.h"
 
 #if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
+#ifdef __cplusplus
+extern "C" {
+#endif
 /**
  * Initialize the CSR resource.
  *
@@ -53,6 +56,9 @@ OCStackResult DeInitCSRResource();
 OCStackResult CBORPayloadToCSR(const uint8_t *cborPayload, size_t size, 
                                uint8_t **csr, size_t *csrLen, 
                                OicEncodingType_t *encoding);
+#ifdef __cplusplus
+}
+#endif
 #endif
 
 #endif

resource/csdk/security/include/internal/rolesresource.h

+//******************************************************************
+//
+// Copyright 2017 Microsoft
+//
+//-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//******************************************************************
+
+#ifndef IOTVT_SRM_ROLESR_H
+#define IOTVT_SRM_ROLESR_H
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+
+#include "cainterface.h"
+#include "securevirtualresourcetypes.h"
+#include "octypes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct RoleCertChain {
+    uint32_t                credId;             /**< locally assigned ID number for use with DELETE */
+    OicSecKey_t             certificate;        /**< leaf certificate data */
+    OicSecOpt_t             optData;            /**< intermediate CA certificates */
+
+    struct RoleCertChain    *next;              /**< next chain in list */
+} RoleCertChain_t;
+
+/**
+ * Initialize the roles resource.
+ *
+ * @return OC_STACK_OK if successful; error otherwise
+ */
+OCStackResult InitRolesResource();
+
+/**
+ * De-initialize the roles resource.
+ *
+ * @return OC_STACK_OK if successful; error otherwise
+ */
+OCStackResult DeInitRolesResource();
+
+/**
+ * Retrieve the roles asserted by a given endpoint with certificates.
+ *
+ * @param[in] endpoint      Endpoint to retrieve roles for
+ * @param[out] roles        Pointer to receive array of OicSecRole_t objects containing roles for this endpoint
+ *                          On success, caller must free the received array with OICFree when finished
+ * @param[out] roleCount    Variable to receive length of roles array.
+ *
+ * @note If the endpoint is found but has not asserted any roles with certificates, 
+ *       OC_STACK_OK will be returned, but NULL will be returned in roles and 0 in roleCount.
+ *
+ * @return OC_STACK_OK if list of roles is successfully populated; error otherwise.
+ */
+OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **roles, size_t *roleCount);
+
+/**
+ * This function converts a CBOR payload into a list of role certificates.
+ * Caller needs to call 'OICFree' on *roleCertList after use.
+ *
+ * @param[in] cborPayload Received CBOR payload to extract the role cert list from
+ * @param[in] size Size of cborPayload
+ * @param[out] roleCertList Pointer to receive linked list of RoleCertChain_t objects
+ *             On success, caller must call FreeRoleCertChainList on *roleCertList when finished
+ * @return OC_STACK_OK if payload is successfully converted; error code otherwise
+ */
+OCStackResult CBORPayloadToRoles(const uint8_t *cborPayload, size_t size, RoleCertChain_t **roleCertList);
+
+/**
+ * Free the memory used by a list of RoleCertChain_t objects created by CBORPayloadToRoles.
+ *
+ * @param[in] roleCertList List received from CBORPayloadToRoles
+ */
+void FreeRoleCertChainList(RoleCertChain_t *roleCertList);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* defined(__WITH_DTLS__) || defined(__WITH_TLS__) */
+
+#endif /* IOTVT_SRM_ROLESR_H */

resource/csdk/security/include/internal/srmresourcestrings.h

@@ -64,6 +64,11 @@ extern const char * OIC_RSRC_TYPE_SEC_CSR;
 extern const char * OIC_RSRC_CSR_URI;
 extern const char * OIC_JSON_CSR_NAME;
 
+//roles
+extern const char * OIC_RSRC_TYPE_SEC_ROLES;
+extern const char * OIC_RSRC_ROLES_URI;
+extern const char * OIC_JSON_ROLES_NAME;
+
 //CRL
 extern const char * OIC_RSRC_TYPE_SEC_CRL;
 extern const char * OIC_RSRC_CRL_URI;

resource/csdk/security/include/securevirtualresourcetypes.h

@@ -256,10 +256,12 @@ typedef enum
     OIC_R_AMACL_TYPE,
     OIC_R_CRED_TYPE,
     OIC_R_CRL_TYPE,
+    OIC_R_CSR_TYPE,
     OIC_R_DOXM_TYPE,
     OIC_R_DPAIRING_TYPE,
     OIC_R_PCONF_TYPE,
     OIC_R_PSTAT_TYPE,
+    OIC_R_ROLES_TYPE,
     OIC_R_SACL_TYPE,
     OIC_R_SVC_TYPE,
     OIC_SEC_SVR_TYPE_COUNT, //define the value to number of SVR
@@ -347,7 +349,8 @@ typedef void OicSecCert_t;
  */
 #define UUID_LENGTH 128/8 // 128-bit GUID length
 //TODO: Confirm the length and type of ROLEID.
-#define ROLEID_LENGTH 128/8 // 128-bit ROLEID length
+#define ROLEID_LENGTH 64 // 64-byte authority max length
+#define ROLEAUTHORITY_LENGTH 64 // 64-byte authority max length
 #define OWNER_PSK_LENGTH_128 128/8 //byte size of 128-bit key size
 #define OWNER_PSK_LENGTH_256 256/8 //byte size of 256-bit key size
 
@@ -530,8 +533,8 @@ struct OicSecPstat
 struct OicSecRole
 {
     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
-    //TODO fill in with Role definition
-    uint8_t             id[ROLEID_LENGTH];
+    char                id[ROLEID_LENGTH];                    // 0:R:S:Y:String
+    char                authority[ROLEAUTHORITY_LENGTH];      // 1:R:S:N:String
 };
 
 /**

resource/csdk/security/provisioning/include/internal/secureresourceprovider.h

@@ -80,13 +80,40 @@ OCStackResult SRPGetACLResource(void *ctx, const OCProvisionDev_t *selectedDevic
 /**
  * API to request the Certificate Signing Request (CSR) resource.
  *
+ * @param[in] ctx Application context to be returned in result callback.
  * @param[in] selectedDeviceInfo Selected target device.
  * @param[in] resultCallback callback provided by API user, callback will be called when
  *            provisioning request recieves a response from resource server.
  * @return OC_STACK_OK in case of success and other value otherwise.
  */
 OCStackResult SRPGetCSRResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
-    OCGetCSRResultCB resultCallback);
+                                OCGetCSRResultCB resultCallback);
+
+/**
+ * API to request the Roles resource.
+ *
+ * @param[in] ctx Application context to be returned in result callback.
+ * @param[in] selectedDeviceInfo Selected target device.
+ * @param[in] resultCallback Callback provided by API user. Callback will be called when
+ *            provisioning request receives a response from resource server.
+ * @return OC_STACK_OK in case of success or error value otherwise.
+ */
+OCStackResult SRPGetRolesResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
+                                  OCGetRolesResultCB resultCallback);
+
+/**
+ * This function requests the device delete a particular role certificate by credId.
+ *
+ * @param[in] ctx Application context that is returned in the result callback.
+ * @param[in] selectedDeviceInfo Selected target device.
+ * @param[in] resultCallback callback provided by the API user. Callback will be called when request receives
+ *            a response from the resource server.
+ * @param[in] credId credId to request be deleted.
+ *
+ * @return OC_STACK_OK in case of success, and error value otherwise.
+ */
+OCStackResult SRPDeleteRoleCertificateByCredId(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
+                                               OCProvisionResultCB resultCallback, uint32_t credId);
 
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
 

resource/csdk/security/provisioning/include/ocprovisioningmanager.h

@@ -265,6 +265,33 @@ OCStackResult OCGetACLResource(void* ctx, const OCProvisionDev_t *selectedDevice
 OCStackResult OCGetCSRResource(void* ctx, const OCProvisionDev_t *selectedDeviceInfo,
                                OCGetCSRResultCB resultCallback);
 
+/**
+ * This function requests the device provide its roles resource, listing the role certificates
+ * it has for the local requestor.
+ *
+ * @param[in] ctx Application context that is returned in the result callback.
+ * @param[in] selectedDeviceInfo Selected target device.
+ * @param[in] resultCallback callback provided by the API user. Callback will be called when provisioning
+ *                           request receives a response from the resource server.
+ * @return OC_STACK_OK in case of success, and error value otherwise.
+ */
+OCStackResult OCGetRolesResource(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
+                                 OCGetRolesResultCB resultCallback);
+
+/**
+ * This function requests the device delete a particular role certificate by credId.
+ *
+ * @param[in] ctx Application context that is returned in the result callback.
+ * @param[in] selectedDeviceInfo Selected target device.
+ * @param[in] resultCallback callback provided by the API user. Callback will be called when request receives
+ *            a response from the resource server.
+ * @param[in] credId credId to request be deleted. If 0, delete all role certificates for this peer.
+ *
+ * @return OC_STACK_OK in case of success, and error value otherwise.
+ */
+OCStackResult OCDeleteRoleCertificateByCredId(void *ctx, const OCProvisionDev_t *selectedDeviceInfo,
+                                              OCProvisionResultCB resultCallback, uint32_t credId);
+
 /**
  * this function sends Direct-Pairing Configuration to a device.
  *

resource/csdk/security/provisioning/include/pmtypes.h

@@ -110,6 +110,21 @@ typedef struct OCPMGetCsrResult
     OicEncodingType_t   encoding; /* Determines contents of csr; either OIC_ENCODING_DER or OIC_ENCODING_PEM */
 } OCPMGetCsrResult_t;
 
+typedef struct OCPMRoleCertChain
+{
+    uint64_t            credId;         /**< credential ID */
+    OicSecKey_t         certificate;    /**< leaf certificate */
+    OicSecOpt_t         optData;        /**< intermediate CA certificates (if any) */
+} OCPMRoleCertChain_t;
+
+typedef struct OCPMGetRolesResult
+{
+    OicUuid_t           deviceId;       /**< responding device ID */
+    OCStackResult       res;            /**< result for this device */
+    OCPMRoleCertChain_t *chains;        /**< cert chains (if res is OC_STACK_OK) */
+    size_t              chainsLength;   /**< length of chains array (if res is OC_STACK_OK */
+} OCPMGetRolesResult_t;
+
 /**
  * Owner device type
  */
@@ -160,6 +175,20 @@ typedef void (*OCProvisionResultCB)(void* ctx, size_t nOfRes, OCProvisionResult_
  */
 typedef void (*OCGetCSRResultCB)(void* ctx, size_t nOfRes, OCPMGetCsrResult_t *arr, bool hasError);
 
+/**
+ * Callback function definition of roles retrieve API
+ *
+ * @param[OUT] ctx - If user set a context, it will be returned here.
+ * @param[OUT] nOfRes - total number of results
+ * @param[OUT] arr - Array of OCPMGetRolesResult_t, containing one entry for each target device. If an entry's res
+ *                   member is OC_STACK_OK, then chains and chainsLength are valid; otherwise they should not be used.
+ *                   This memory is only valid while the callback is executing; callers must make copies if the data
+ *                   needs to be kept longer.
+ * @param[OUT] hasError - If all calls succeeded, this will be false. One or more errors, and this will
+ *                        be true. Examine the elements of arr to discover which failed.
+ */
+typedef void (*OCGetRolesResultCB)(void* ctx, size_t nOfRes, OCPMGetRolesResult_t *arr, bool hasError);
+
 /**
  * Callback function definition of direct-pairing
  *

resource/csdk/security/provisioning/src/ocprovisioningmanager.c

@@ -397,6 +397,17 @@ OCStackResult OCGetCSRResource(void* ctx, const OCProvisionDev_t *selectedDevice