[IOT-1785] Finish OCF 1.0 identity certificate support

Add unit test to exercise certificate provisioning and use
(previously only provisioning was tested).  Fixed bugs in
credresource and ca_adapter_net_ssl. Configure mbedtls to use
 OCF certificate EKUs. Added more logging in many places. Exposed
 API to remove credentials locally for use by test code.

Change-Id: Ia55c7f3a7518f12c99f60280062f156954bdf4ac
Signed-off-by: Greg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17983Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Dmitriy Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-by: Alex Kelley <alexke@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Dave Thaler <dthaler@microsoft.com>
Reviewed-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>

resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c

@@ -97,6 +97,7 @@
 /**
  * @def MMBED_TLS_DEBUG_LEVEL
  * @brief Logging level for mbedTLS library
+ * Level 1 logs errors only, level 4 is verbose logging.
  */
 #define MBED_TLS_DEBUG_LEVEL (4)
 
@@ -200,6 +201,12 @@ if (g_sslCallback)
     g_sslCallback(&(peer)->sep.endpoint, &errorInfo);                                              \
 }
 
+/* OCF-defined EKU value indicating an identity certificate, that can be used for
+ * TLS client and server authentication.  This is the DER encoding of the OID
+ * 1.3.6.1.4.1.44924.1.6.
+ */
+static const unsigned char EKU_IDENTITY[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xDE, 0x7C, 0x01, 0x06 };
+
 /**@def CONF_SSL(clientConf, serverConf, fn, ...)
  *
  * Calls \a fn for \a clientConf and \a serverConf.
@@ -673,6 +680,22 @@ static int InitPKIX(CATransportAdapter_t adapter)
         goto required;
     }
 
+    /* If we get here, certificates could be used, so configure OCF EKUs. */
+    ret = mbedtls_ssl_conf_ekus(serverConf, (const char*)EKU_IDENTITY, sizeof(EKU_IDENTITY),
+        (const char*)EKU_IDENTITY, sizeof(EKU_IDENTITY));
+    if (0 == ret)
+    {
+        ret = mbedtls_ssl_conf_ekus(clientConf, (const char*)EKU_IDENTITY, sizeof(EKU_IDENTITY),
+            (const char*)EKU_IDENTITY, sizeof(EKU_IDENTITY));
+    }
+    if (0 != ret)
+    {
+        /* Cert-based ciphersuites will fail, but if PSK ciphersuites are in
+         * the list they might work, so don't return error.
+         */
+        OIC_LOG(WARNING, NET_SSL_TAG, "EKU configuration error");
+    }
+
     required:
     count = ParseChain(&g_caSslContext->ca, g_pkiInfo.ca.data, g_pkiInfo.ca.len, &errNum);
     if(0 >= count)
@@ -734,6 +757,9 @@ static int GetPskCredentialsCallback(void * notUsed, mbedtls_ssl_context * ssl,
         OIC_LOG(DEBUG, NET_SSL_TAG, "PSK:");
         OIC_LOG_BUFFER(DEBUG, NET_SSL_TAG, keyBuf, ret);
 
+        OIC_LOG(DEBUG, NET_SSL_TAG, "Identity:");
+        OIC_LOG_BUFFER(DEBUG, NET_SSL_TAG, desc, descLen);
+
         OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
         return(mbedtls_ssl_set_hs_psk(ssl, keyBuf, ret));
     }
@@ -2026,15 +2052,11 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
                 /* Find the CN component of the subject name. */
                 for (name = &peerCert->subject; NULL != name; name = name->next)
                 {
-                    if (!name->oid.p)
-                    {
-                        continue;
-                    }
-
-                    if ((name->oid.len < MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN) ||
-                        (0 != memcmp(MBEDTLS_OID_AT_CN, name->oid.p, name->oid.len))))
+                    if (name->oid.p &&
+                       (name->oid.len <= MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)) &&
+                       (0 == memcmp(MBEDTLS_OID_AT_CN, name->oid.p, name->oid.len)))
                     {
-                        continue;
+                        break;
                     }
                 }
 

resource/csdk/connectivity/src/camessagehandler.c

@@ -178,6 +178,10 @@ static CAData_t* CAGenerateHandlerData(const CAEndpoint_t *endpoint,
         {
             info->identity = *identity;
         }
+        else
+        {
+            OIC_LOG_V(INFO, TAG, "%s: No identity information provided", __func__);
+        }
         OIC_LOG(DEBUG, TAG, "Response Info :");
         CALogPayloadInfo(info);
     }

resource/csdk/connectivity/test/ssladapter_test.cpp

@@ -85,7 +85,6 @@
 #include "platform_features.h"
 #include "logger.h"
 
-#define MBED_TLS_DEBUG_LEVEL (4) // Verbose
 
 #define SEED "PREDICTED_SEED"
 #define dummyHandler 0xF123

resource/csdk/security/include/internal/credresource.h

@@ -124,11 +124,14 @@ OicSecCred_t * GenerateCredential(const OicUuid_t* subject, OicSecCredType_t cre
 OCStackResult AddCredential(OicSecCred_t * cred);
 
 /**
- * Function to remove the credential from SVR DB.
+ * Function to remove credentials from the SVR DB for the given subject UUID.
+ * If multiple credentials exist for the UUID, they will all be removed. 
  *
  * @param subject is the Credential Subject to be deleted.
  *
- * @return ::OC_STACK_OK for success, or errorcode otherwise.
+ * @return ::OC_STACK_RESOURCE_DELETED if credentials were removed, or 
+ * if there are no credentials with the given UUID.  An error is returned if
+ * removing credentials failed. 
  */
 OCStackResult RemoveCredential(const OicUuid_t *subject);
 

resource/csdk/security/provisioning/include/internal/secureresourceprovider.h

@@ -143,7 +143,7 @@ OCStackResult SRPProvisionTrustCertChain(void *ctx, OicSecCredType_t type, uint1
  * @param[out] credId CredId of saved trust certificate chain in Cred of SVR.
  * @return  OC_STACK_OK in case of success and other value otherwise.
  */
-OCStackResult SRPSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
+OCStackResult SRPSaveTrustCertChain(const uint8_t *trustCertChain, size_t chainSize,
                                         OicEncodingType_t encodingType,uint16_t *credId);
 
 /**

resource/csdk/security/provisioning/include/ocprovisioningmanager.h

@@ -539,6 +539,16 @@ OCStackResult OCGetLinkedStatus(const OicUuid_t* uuidOfDevice,
                                   OCUuidList_t** uuidList,
                                   size_t* numOfDevices);
 
+/**
+ * Remove locally stored credentials with the specified subject UUID.
+ *
+ * @param[in] subjectUuid The subject UUID of the credentials to remove
+ *
+ * @return OC_STACK_RESOURCE_DELETED if credentials were removed, or
+ * OC_STACK_ERROR if no credentials were removed.
+ */
+OCStackResult OCRemoveCredential(const OicUuid_t* subjectUuid);
+
 /**
  * API to delete memory allocated to linked list created by OCDiscover_XXX_Devices API.
  *
@@ -604,8 +614,8 @@ OCStackResult OCProvisionTrustCertChain(void *ctx, OicSecCredType_t type, uint16
  * @param[out] credId CredId of saved trust certificate chain in Cred of SVR.
  * @return  OC_STACK_OK in case of success and other value otherwise.
  */
-OCStackResult OCSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
-                                        OicEncodingType_t encodingType, uint16_t *credId);
+OCStackResult OCSaveTrustCertChain(const uint8_t *trustCertChain, size_t chainSize,
+                                   OicEncodingType_t encodingType, uint16_t *credId);
 
 /**
  * Function to save an identity certificate chain into Cred of SVR.
@@ -615,7 +625,7 @@ OCStackResult OCSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
  * @param[out] credId CredId of saved certificate chain in Cred of SVR.
  * @return  OC_STACK_OK in case of success and other value otherwise.
  */
-OCStackResult OCSaveOwnCertChain(char* cert, char* key, uint16_t *credId);
+OCStackResult OCSaveOwnCertChain(const char* cert, const char* key, uint16_t *credId);
 
 /**
  * function to register callback, for getting notification for TrustCertChain change.

resource/csdk/security/provisioning/sample/provisioningTest.py

@@ -64,7 +64,7 @@ parser.add_argument('--build', nargs='?', choices = ['debug', 'release'], help=
 args = parser.parse_args()
 
 # Number of unit tests in autoprovisioningclient
-NUM_TESTS = 2
+NUM_TESTS = 3
 
 iotivity_base_path = os.getcwd()
 os_name = platform.system()

resource/csdk/security/provisioning/sample/provisioningclient.c

@@ -875,8 +875,8 @@ static int provisionCred(void)
  *   3. Saves this root as a trust anchor locally.
  *   4. Generate and store an IoTivity key and cert (issued from the CA root cert).
  *      This is an EE cert the CA/OBT will use in DTLS.
- *
- *   @param[out] credid parameter for the ID of the CA credential
+ *   
+ *   The CA's key and cert are written to g_caKeyPem and g_caCertPem (resp.). 
  */
 static int setupCA()
 {

resource/csdk/security/provisioning/src/ocprovisioningmanager.c

@@ -1367,6 +1367,11 @@ OCStackResult OCGetLinkedStatus(const OicUuid_t* uuidOfDevice, OCUuidList_t** uu
     return PDMGetLinkedDevices(uuidOfDevice, uuidList, numOfDevices);
 }
 
+OCStackResult OCRemoveCredential(const OicUuid_t* subjectUuid)
+{
+    return RemoveCredential(subjectUuid);
+}
+
 void OCDeleteUuidList(OCUuidList_t* pList)
 {
     PDMDestoryOicUuidLinkList(pList);
@@ -1469,7 +1474,7 @@ OCStackResult OCProvisionTrustCertChain(void *ctx, OicSecCredType_t type, uint16
  * @param[out] credId CredId of saved trust certificate chain in Cred of SVR.
  * @return  OC_STACK_OK in case of success and other value otherwise.
  */
-OCStackResult OCSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
+OCStackResult OCSaveTrustCertChain(const uint8_t *trustCertChain, size_t chainSize,
                                     OicEncodingType_t encodingType, uint16_t *credId)
 {
     return SRPSaveTrustCertChain(trustCertChain, chainSize, encodingType, credId);
@@ -1483,7 +1488,7 @@ OCStackResult OCSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
  * @param[out] credId CredId of saved certificate chain in Cred of SVR.
  * @return  OC_STACK_OK in case of success and other value otherwise.
  */
-OCStackResult OCSaveOwnCertChain(char* cert, char* key, uint16_t *credId)
+OCStackResult OCSaveOwnCertChain(const char* cert, const char* key, uint16_t *credId)
 {
     OicSecKey_t ownCert = { 0 };
     ownCert.data = (uint8_t*) cert;

resource/csdk/security/provisioning/src/secureresourceprovider.c

@@ -588,7 +588,7 @@ OCStackResult SRPProvisionTrustCertChain(void *ctx, OicSecCredType_t type, uint1
     return OC_STACK_OK;
 }
 
-OCStackResult SRPSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
+OCStackResult SRPSaveTrustCertChain(const uint8_t *trustCertChain, size_t chainSize,
                                             OicEncodingType_t encodingType, uint16_t *credId)
 {
     OIC_LOG(DEBUG, TAG, "IN SRPSaveTrustCertChain");

resource/csdk/security/src/certhelpers.c

@@ -444,7 +444,7 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen)
 
 static const mbedtls_x509_crt_profile s_certProfile = {
     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256),            /* MD algorithms */
-    MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA),             /* Signature algorithms */
+    MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),             /* Allowed key type */
     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1),     /* EC curves */
     0                                                   /* RSA minimum key length - not used because we only use EC key pairs */
 };

resource/csdk/security/src/credresource.c

@@ -381,7 +381,7 @@ static CborError SerializeEncodingToCborInternal(CborEncoder *map, const OicSecK
     }
     else
     {
-        OIC_LOG_V(ERROR, TAG, "Unknown encoding type: %u.", value->encoding);
+        OIC_LOG_V(ERROR, TAG, "%s: Unknown encoding type: %u.", __func__, value->encoding);
         return CborErrorUnknownType;
     }
     exit:
@@ -496,7 +496,7 @@ static CborError DeserializeEncodingFromCborInternal(CborValue *map, char *name,
         {
             //For unit test
             value->encoding = OIC_ENCODING_RAW;
-            OIC_LOG(WARNING, TAG, "Unknown encoding type detected.");
+            OIC_LOG_V(WARNING, TAG, "%s: Unknown encoding type detected.", __func__);
         }
         //Because cbor using malloc directly, it is required to use free() instead of OICFree
         free(strEncoding);
@@ -1674,7 +1674,7 @@ exit:
 
 OCStackResult RemoveCredential(const OicUuid_t *subject)
 {
-    OCStackResult ret = OC_STACK_ERROR;
+    OCStackResult ret = OC_STACK_RESOURCE_DELETED;
     OicSecCred_t *cred = NULL;
     OicSecCred_t *tempCred = NULL;
     bool deleteFlag = false;
@@ -1691,9 +1691,9 @@ OCStackResult RemoveCredential(const OicUuid_t *subject)
 
     if (deleteFlag)
     {
-        if (UpdatePersistentStorage(gCred))
+        if (!UpdatePersistentStorage(gCred))
         {
-            ret = OC_STACK_RESOURCE_DELETED;
+            ret = OC_STACK_ERROR;
         }
     }
     return ret;
@@ -2853,36 +2853,51 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid)
 /* Caller must call OICFree on *der when finished. */
 static int ConvertPemCertToDer(const char *pem, size_t pemLen, uint8_t** der, size_t* derLen)
 {
-    size_t bufSize = B64DECODE_OUT_SAFESIZE(pemLen + 1);
-    uint8_t *buf = OICCalloc(1, bufSize);
-    if (NULL == buf)
+    const char* pemHeader = "-----BEGIN CERTIFICATE-----"; /* no newlines allowed here */
+    const char* pemFooter = "-----END CERTIFICATE-----";
+
+    mbedtls_pem_context ctx;
+    int ret;
+
+    OC_UNUSED(pemLen);
+
+    mbedtls_pem_init(&ctx);
+    size_t usedLen;
+    ret = mbedtls_pem_read_buffer(&ctx, pemHeader, pemFooter, (const uint8_t*) pem, NULL, 0, &usedLen);
+    if (ret != 0)
     {
-        OIC_LOG(ERROR, TAG, "Failed to allocate memory");
-        return -1;
+        OIC_LOG_V(ERROR, TAG, "%s: failed reading PEM cert", __func__);
+        goto exit;
     }
-    size_t outSize = 0;
-    if (B64_OK != b64Decode(pem, pemLen, buf, bufSize, &outSize))
+
+    uint8_t *buf = OICCalloc(1, ctx.buflen);
+    if (NULL == buf)
     {
-        OICFree(buf);
-        OIC_LOG(ERROR, TAG, "Failed to decode base64 data");
-        return -1;
+        OIC_LOG(ERROR, TAG, "Failed to allocate memory");
+        ret = -1;
+        goto exit;
     }
 
+    memcpy(buf, ctx.buf, ctx.buflen);
+
     *der = buf;
-    *derLen = outSize;
+    *derLen = ctx.buflen;
 
-    return 0;
+exit:
+    mbedtls_pem_free(&ctx);
+
+    return ret;
 }
 
 /* Caller must call OICFree on *pem when finished. */
 static int ConvertDerCertToPem(const uint8_t* der, size_t derLen, uint8_t** pem)
 {
-    const char* pemHeader = "-----BEGIN CERTIFICATE-----\n";
+    const char* pemHeader = "-----BEGIN CERTIFICATE-----\n";
     const char* pemFooter = "-----END CERTIFICATE-----\n";
 
     /* Get the length required for output */
     size_t pemLen;
-    int ret = mbedtls_pem_write_buffer(pemHeader, 
+    int ret = mbedtls_pem_write_buffer(pemHeader,
         pemFooter,
         der,
         derLen,
@@ -2903,7 +2918,8 @@ static int ConvertDerCertToPem(const uint8_t* der, size_t derLen, uint8_t** pem)
     }
 
     /* Try the conversion */
-    ret = mbedtls_pem_write_buffer(pemHeader, pemFooter,
+    ret = mbedtls_pem_write_buffer(pemHeader, 
+        pemFooter,
         der,
         derLen,
         *pem,
@@ -2938,7 +2954,7 @@ static OCStackResult GetCaCert(ByteArray_t * crt, const char * usage, OicEncodin
         OIC_LOG_V(ERROR, TAG, "%s: Unsupported encoding %d", __func__, desiredEncoding);
         return OC_STACK_INVALID_PARAM;
     }
-    
+
     crt->len = 0;
     OicSecCred_t* temp = NULL;
 
@@ -2948,14 +2964,23 @@ static OCStackResult GetCaCert(ByteArray_t * crt, const char * usage, OicEncodin
             (temp->credUsage != NULL) &&
             (0 == strcmp(temp->credUsage, usage)) && (false == temp->optionalData.revstat))
         {
+
+            if ((OIC_ENCODING_BASE64 != temp->optionalData.encoding) &&
+                (OIC_ENCODING_PEM != temp->optionalData.encoding) &&
+                (OIC_ENCODING_DER != temp->optionalData.encoding))
+            {
+                OIC_LOG_V(WARNING, TAG, "%s: Unknown encoding type", __func__);
+                continue;
+            }
+
             if (OIC_ENCODING_DER == desiredEncoding)
             {
                 if ((OIC_ENCODING_BASE64 == temp->optionalData.encoding) ||
                     (OIC_ENCODING_PEM == temp->optionalData.encoding))
                 {
-                    uint8_t *buf = NULL;
+                    uint8_t* buf = NULL;
                     size_t outSize = 0;
-                    int ret = ConvertPemCertToDer((const char *)temp->optionalData.data, temp->optionalData.len, &buf, &outSize);
+                    int ret = ConvertPemCertToDer((const char*)temp->optionalData.data, temp->optionalData.len, &buf, &outSize);
                     if (0 > ret)
                     {
                         OIC_LOG(ERROR, TAG, "Could not convert PEM cert to DER");
@@ -3164,45 +3189,48 @@ void GetDerKey(ByteArray_t * key, const char * usage)
     LL_FOREACH(gCred, temp)
     {
         if ((SIGNED_ASYMMETRIC_KEY == temp->credType || ASYMMETRIC_KEY == temp->credType) && 
+            temp->privateData.len > 0 &&
             NULL != temp->credUsage &&
             0 == strcmp(temp->credUsage, usage))
         {
-            
+
             if (temp->privateData.encoding == OIC_ENCODING_PEM)
             {
                 /* Convert PEM to DER */
-                mbedtls_pk_context ctx;
-                mbedtls_pk_init(&ctx);
+                const char* pemHeader = "-----BEGIN EC PRIVATE KEY-----"; /* no newlines allowed here */
+                const char* pemFooter = "-----END EC PRIVATE KEY-----";
 
-                int ret = mbedtls_pk_parse_key(&ctx, temp->privateData.data, temp->privateData.len, NULL, 0);
-                if (ret != 0)
+                if (temp->privateData.data[temp->privateData.len - 1] != 0)
                 {
-                    mbedtls_pk_free(&ctx);
-                    OIC_LOG_V(ERROR, TAG, "Key for %s found, but failed to convert from PEM to DER (while reading PEM)", usage);
+                    OIC_LOG(ERROR, TAG, "Bad PEM private key data (not null terminated)");
                     return;
                 }
 
-                key->data = OICRealloc(key->data, key->len + temp->privateData.len);
-                if (key->data == NULL)
+                mbedtls_pem_context ctx;
+                int ret;
+                size_t usedLen;
+
+                mbedtls_pem_init(&ctx);
+                ret = mbedtls_pem_read_buffer(&ctx, pemHeader, pemFooter, (const uint8_t*)temp->privateData.data, NULL, 0, &usedLen);
+                if (ret != 0)
                 {
-                    mbedtls_pk_free(&ctx);
-                    OIC_LOG(ERROR, TAG, "Realloc failed to increase key->data length");
+                    OIC_LOG_V(ERROR, TAG, "%s: failed reading PEM key", __func__);
+                    mbedtls_pem_free(&ctx);
                     return;
                 }
 
-                key->len += temp->privateData.len;
-                ret = mbedtls_pk_write_key_der(&ctx, key->data, key->len);
-                if (ret < 1) /* return value is the number of bytes written, or error */
+                key->data = OICRealloc(key->data, ctx.buflen);
+                if (NULL == key->data)
                 {
-                    mbedtls_pk_free(&ctx);
-                    key->len = 0;
-                    OIC_LOG_V(ERROR, TAG, "Key for %s found, but failed to convert from PEM to DER (while writing DER)", usage);
+                    OIC_LOG(ERROR, TAG, "Failed to allocate memory");
+                    mbedtls_pem_free(&ctx);
                     return;
                 }
-                key->data = OICRealloc(key->data, ret);
-                key->len = ret;
+
+                memcpy(key->data, ctx.buf, ctx.buflen);
+                key->len = ctx.buflen;
+                mbedtls_pem_free(&ctx);
                 break;
-                
             }
             else if(temp->privateData.encoding == OIC_ENCODING_DER)
             {
@@ -3214,7 +3242,7 @@ void GetDerKey(ByteArray_t * key, const char * usage)
             }
             else
             {
-                OIC_LOG_V(WARNING, TAG, "Key for %s found, but it has an unknown encoding", usage);
+                OIC_LOG_V(WARNING, TAG, "Key for %s found, but it has an unknown encoding (%d)", usage, temp->privateData.encoding);
             }
         }
     }

resource/csdk/security/src/csrresource.c

@@ -94,7 +94,7 @@ static OCStackResult StoreKeyPair(mbedtls_pk_context *keyPair, const OicUuid_t *
 
     cred = GenerateCredential(myUuid, ASYMMETRIC_KEY, &publicData, &privateData, myUuid, NULL);
     VERIFY_NOT_NULL(TAG, cred, ERROR);
-    cred->credUsage = OICStrdup(PRIMARY_KEY); // @todo: we may be able to use PRIMARY_CERT here too; need to investigate
+    cred->credUsage = OICStrdup(PRIMARY_CERT);
     VERIFY_NOT_NULL(TAG, cred->credUsage, ERROR);
 
     VERIFY_SUCCESS(TAG, OC_STACK_OK == AddCredential(cred), ERROR);
@@ -394,22 +394,14 @@ static OCEntityHandlerResult HandleCsrGetRequest(OCEntityHandlerRequest * ehRequ
 
     OIC_LOG(INFO, TAG, "HandleCsrGetRequest  processing GET request");
 
-    mbedtls_pk_init(&keyPair);
-
-    // Retrieve our current certificate, if we have one, and use that key
-    GetDerKey(&keyData, PRIMARY_CERT);
-
-    if (0 == keyData.len)
-    {
-        // No cert? Get our primary key pair, or generate it if absent.
-        GetDerKey(&keyData, PRIMARY_KEY);
-    }
-
     res = GetDoxmDeviceID(&myUuid);
     VERIFY_SUCCESS(TAG, OC_STACK_OK == res, ERROR);
     res = ConvertUuidToStr(&myUuid, &myUuidStr);
     VERIFY_SUCCESS(TAG, OC_STACK_OK == res, ERROR);
 
+    // Retrieve the key from our current certificate if present, otherwise create a new key
+    GetDerKey(&keyData, PRIMARY_CERT);
+    mbedtls_pk_init(&keyPair);
     if (0 < keyData.len)
     {
         ret = mbedtls_pk_parse_key(&keyPair, keyData.data, keyData.len, NULL, 0);

resource/csdk/security/src/pkix_interface.c

@@ -35,9 +35,25 @@ void GetPkixInfo(PkiInfo_t * inf)
         OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
         return;
     }
+
     GetPemOwnCert(&inf->crt, PRIMARY_CERT);
+    if (inf->crt.len == 0)
+    {
+        OIC_LOG_V(WARNING, TAG, "%s: empty certificate", __func__);
+    }
+
     GetDerKey(&inf->key, PRIMARY_CERT);
+    if (inf->key.len == 0)
+    {
+        OIC_LOG_V(WARNING, TAG, "%s: empty key", __func__);
+    }
+
     (void)GetPemCaCert(&inf->ca, TRUST_CA);
+    if (inf->ca.len == 0)
+    {
+        OIC_LOG_V(WARNING, TAG, "%s: empty CA cert", __func__);
+    }
+
     GetDerCrl(&inf->crl);
     OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
 }

resource/csdk/security/src/policyengine.c

@@ -115,8 +115,16 @@ static bool IsRequestFromDevOwner(SRMRequestContext_t *context)
     if (doxm)
     {
         retVal = UuidCmp(&doxm->owner, &context->subjectUuid);
-        OIC_LOG_V(DEBUG, TAG, "%s: request was %sreceived from device owner",
+        OIC_LOG_V(DEBUG, TAG, "%s: request was %s received from device owner",
             __func__, retVal ? "" : "NOT ");
+
+        if (!retVal)
+        {
+            OIC_LOG(DEBUG, TAG, "Owner UUID  :");
+            OIC_LOG_BUFFER(DEBUG, TAG, (const uint8_t *)&doxm->owner.id, sizeof(&doxm->owner.id));
+            OIC_LOG(DEBUG, TAG, "Request UUID:");
+            OIC_LOG_BUFFER(DEBUG, TAG, (const uint8_t *)&context->subjectUuid.id, sizeof(&context->subjectUuid.id));
+        }
     }
 
     return retVal;

resource/csdk/security/src/srmresourcestrings.c

@@ -175,7 +175,6 @@ const char * OIC_JSON_EMPTY_STRING = "";
 // Certificates provided by Cloud
 const char * TRUST_CA = "oic.sec.cred.trustca";
 const char * PRIMARY_CERT = "oic.sec.cred.cert";
-const char * PRIMARY_KEY = "primary_key";
 
 // Certificates provided by manufacturer
 const char * MF_TRUST_CA = "oic.sec.cred.mfgtrustca";

resource/csdk/stack/octbstack_product_secured.def

@@ -50,6 +50,7 @@ OCProvisionPairwiseDevices
 OCProvisionTrustCertChain
 OCReadTrustCertChain
 OCRegisterTrustCertChainNotifier
+OCRemoveCredential
 OCRemoveDevice
 OCRemoveDeviceWithUuid
 OCRemoveTrustCertChainNotifier
@@ -59,9 +60,9 @@ OCSaveTrustCertChain
 OCSaveOwnCertChain
 OCSelectOwnershipTransferMethod
 OCSetOwnerTransferCallbackData
-OCUnlinkDevices
 OCSetOxmAllowStatus
-OCVerifyCSRSignature 
+OCUnlinkDevices
+OCVerifyCSRSignature
 
 SetClosePinDisplayCB
 SetDisplayPinWithContextCB