Commit df063552 authored by js126.lee's avatar js126.lee Committed by Randeep

Add to checking logic to set subject of cred in case of NULL or *

Issue : If deviceuuid is null and required pre-install certificate in SVR DB,
        it is impossible to set a subject of SIGNED_ASYMMETRIC_KEY type (certificate).

According to OCF Security Spec and Raml, subject of Cred allows UUID format only,
so CTT decides a failure in case of wildcard(*).
But, it is not clear how to set a subject of cred in case of SIGNED_ASYMMETRIC_KEY on spec.

So, this patch set it with own deviceuuid in case of NULL or wildcard,
because own deviceuuid is only UUID a device knows at all time.

Patch 1,2: Upload patch
Patch 3 : Set subject of cred with own deviceuuid in case of NULL or wildcard
Patch 4: Apply review comment
Patch 5-8 : Re-trigger jenkins build

Change-Id: Idb09357a821be81bb9f05489ebb40403e66c3514
Signed-off-by: default avatarjs126.lee <js126.lee@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17153Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: default avatarKevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep's avatarRandeep Singh <randeep.s@samsung.com>
parent f869eb49
......@@ -547,7 +547,13 @@ OCStackResult SRPSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
OicSecCred_t *cred = (OicSecCred_t *)OICCalloc(1, sizeof(*cred));
VERIFY_NOT_NULL_RETURN(TAG, cred, ERROR, OC_STACK_NO_MEMORY);
memcpy(cred->subject.id, &WILDCARD_SUBJECT_ID, WILDCARD_SUBJECT_ID_LEN);
res = GetDoxmDeviceID(&cred->subject);
if (OC_STACK_OK != res)
{
OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
DeleteCredList(cred);
return res;
}
cred->credUsage= (char *)OICCalloc(1, strlen(TRUST_CA)+1 );
VERIFY_NOT_NULL_RETURN(TAG, cred->credUsage, ERROR, OC_STACK_NO_MEMORY);
......@@ -610,9 +616,12 @@ OCStackResult SRPSaveOwnCertChain(OicSecKey_t * cert, OicSecKey_t * key, uint16_
OIC_LOG_V(DEBUG, TAG, "IN: %s", __func__);
if (OC_STACK_OK != GetDoxmDeviceID(&cred->subject))
res = GetDoxmDeviceID(&cred->subject);
if (OC_STACK_OK != res)
{
OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
DeleteCredList(cred);
return res;
}
cred->credUsage= (char *)OICCalloc(1, strlen(PRIMARY_CERT)+1 );
......
......@@ -104,6 +104,41 @@ static bool ValueWithinBounds(uint64_t value, uint64_t maxValue)
return true;
}
/**
* Internal function to check a subject of SIGNED_ASYMMETRIC_KEY(Certificate).
* If that subject is NULL or wildcard, set it to own deviceID.
* @param cred credential on SVR DB file
* @param deviceID own deviceuuid of doxm resource
*
* @return
* true successfully done
* false Invalid cred
*/
static bool CheckSubjectOfCertificate(OicSecCred_t* cred, OicUuid_t deviceID)
{
OicUuid_t emptyUuid = {.id={0}};
OIC_LOG(DEBUG, TAG, "IN CheckSubjectOfCertificate");
VERIFY_NOT_NULL(TAG, cred, ERROR);
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
if ( SIGNED_ASYMMETRIC_KEY == cred->credType)
{
if((0 == memcmp(cred->subject.id, emptyUuid.id, sizeof(cred->subject.id))) ||
(0 == memcmp(cred->subject.id, &WILDCARD_SUBJECT_ID, sizeof(cred->subject.id))))
{
memcpy(cred->subject.id, deviceID.id, sizeof(deviceID.id));
}
}
#endif
OIC_LOG(DEBUG, TAG, "OUT CheckSubjectOfCertificate");
return true;
exit:
OIC_LOG(ERROR, TAG, "OUT CheckSubjectOfCertificate");
return false;
}
/**
* Internal function to check credential
*/
......@@ -2210,7 +2245,7 @@ OCStackResult InitCredResource()
if ((ret == OC_STACK_OK) && data)
{
// Read ACL resource from PS
// Read Cred resource from PS
ret = CBORPayloadToCred(data, size, &gCred);
#ifdef HAVE_WINDOWS_H
......@@ -2267,18 +2302,43 @@ OCStackResult InitCredResource()
gCred = GetCredDefault();
}
//Add a log to track the invalid credential.
LL_FOREACH(gCred, cred)
if (gCred)
{
if (false == IsValidCredential(cred))
OicUuid_t deviceID;
OicUuid_t emptyUuid = {.id={0}};
ret = GetDoxmDeviceID(&deviceID);
VERIFY_SUCCESS(TAG, ret == OC_STACK_OK, ERROR);
//Add a log to track the invalid credential.
LL_FOREACH(gCred, cred)
{
if (false == CheckSubjectOfCertificate(cred, deviceID))
{
OIC_LOG(WARNING, TAG, "Check subject of Certificate was failed while InitCredResource");
}
if (false == IsValidCredential(cred))
{
OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
}
}
if (0 == memcmp(&gCred->rownerID, &emptyUuid, sizeof(OicUuid_t)))
{
OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
memcpy(&gCred->rownerID, &deviceID, sizeof(OicUuid_t));
}
}
if (!UpdatePersistentStorage(gCred))
{
OIC_LOG(FATAL, TAG, "UpdatePersistentStorage failed!");
}
}
//Instantiate 'oic.sec.cred'
ret = CreateCredResource();
exit:
OIC_LOG(DEBUG, TAG, "OUT InitCredResource.");
OICClearMemory(data, size);
OICFree(data);
return ret;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment