oc_pki.c 10.5 KB
Newer Older
1
/*
2
// Copyright (c) 2018-2019 Intel Corporation
3 4 5 6 7 8 9 10 11 12 13 14 15 16
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
*/

17
#ifdef OC_SECURITY
18 19 20 21 22
#ifdef OC_PKI

#include "mbedtls/pk.h"
#include "mbedtls/x509_crt.h"
#include "oc_certs.h"
23
#include "oc_cred_internal.h"
24 25 26 27 28
#include "oc_store.h"
#include "oc_tls.h"
#include "port/oc_connectivity.h"

static int
29
pki_add_intermediate_cert(size_t device, int credid, const unsigned char *cert,
30
                          size_t cert_size)
31
{
32
  OC_DBG("attempting to add an intermediate CA certificate");
33 34 35 36 37 38 39 40 41 42 43 44
  int ret = 0;
  oc_sec_creds_t *creds = oc_sec_get_creds(device);
  oc_sec_cred_t *c = oc_list_head(creds->creds);
  for (; c != NULL && c->credid != credid; c = c->next)
    ;

  if (!c) {
    OC_ERR("could not find cred entry for identity cert chain");
    return -1;
  }

  /* Parse the to-be-added intermediate cert */
45
  size_t c_size = cert_size;
46 47
  mbedtls_x509_crt int_ca;
  mbedtls_x509_crt_init(&int_ca);
48
  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) != 0) {
49
    OC_ERR("provided cert is not in PEM format");
50 51 52 53
    return -1;
  }
  if (cert[cert_size - 1] != '\0') {
    c_size += 1;
54
  }
55 56

  ret = mbedtls_x509_crt_parse(&int_ca, (const unsigned char *)cert, c_size);
57
  if (ret < 0) {
58
    OC_ERR("could not parse intermediate cert: %d", ret);
59 60
    return -1;
  }
61
  OC_DBG("parsed intermediate CA cert");
62

63 64
  mbedtls_x509_crt id_cert_chain, *id_cert;
  mbedtls_x509_crt_init(&id_cert_chain);
65

66 67 68 69 70 71
  /* Parse the identity cert chain */
  ret = mbedtls_x509_crt_parse(
    &id_cert_chain, (const unsigned char *)oc_string(c->publicdata.data),
    oc_string_len(c->publicdata.data) + 1);
  if (ret < 0) {
    OC_ERR("could not parse existing identity cert that chains to this "
72
           "intermediate cert: %d",
73
           ret);
74 75 76 77
    mbedtls_x509_crt_free(&int_ca);
    return -1;
  }
  OC_DBG("parsed identity cert chain");
78

79 80 81 82 83 84 85 86 87
  id_cert = &id_cert_chain;
  for (; id_cert != NULL; id_cert = id_cert->next) {
    /* If this intermediate cert is already on the chain, return */
    if (id_cert->raw.len == int_ca.raw.len &&
        memcmp(id_cert->raw.p, int_ca.raw.p, int_ca.raw.len) == 0) {
      mbedtls_x509_crt_free(&id_cert_chain);
      mbedtls_x509_crt_free(&int_ca);
      OC_DBG("found intermediate cert in cred with credid %d", credid);
      return 0;
88 89
    }

90 91
    /* break with the last cert in the identity cert chain */
    if (!id_cert->next) {
92 93 94 95
      break;
    }
  }

96 97 98 99
  /* Confirm that the intermediate cert is the issuer of the last cert
   * in the chain, if not return.
   */
  if (oc_certs_is_subject_the_issuer(&int_ca, id_cert) == 0) {
100 101 102 103 104 105 106 107 108 109 110 111
    oc_string_t chain = c->publicdata.data;
    size_t new_publicdata_size = oc_string_len(chain) + c_size;
    oc_alloc_string(&c->publicdata.data, new_publicdata_size);
    memcpy(oc_string(c->publicdata.data), oc_string(chain),
           oc_string_len(chain));
    memcpy(oc_string(c->publicdata.data) + oc_string_len(chain), cert,
           cert_size);
    oc_string(c->publicdata.data)[new_publicdata_size - 1] = '\0';
    oc_free_string(&chain);
    OC_DBG("adding a new intermediate CA cert to /oic/sec/cred");
    oc_sec_dump_cred(device);
    ret = 1;
112 113
  } else {
    OC_ERR("supplied intermediate CA cert is not issuer of identity cert");
114
    ret = -1;
115 116 117
  }

  mbedtls_x509_crt_free(&int_ca);
118
  mbedtls_x509_crt_free(&id_cert_chain);
119

120 121 122 123 124 125 126
  if (ret > 0) {
    OC_DBG("added intermediate CA cert to /oic/sec/cred");
    oc_tls_refresh_identity_certs();
    return credid;
  }
  OC_ERR("could not add intermediate CA cert to /oic/sec/cred");
  return -1;
127 128 129
}

static int
130 131 132
pki_add_identity_cert(size_t device, const unsigned char *cert,
                      size_t cert_size, const unsigned char *key,
                      size_t key_size, oc_sec_credusage_t credusage)
133 134 135
{
  OC_DBG("attempting to add an identity certificate chain");

136
  size_t c_size = cert_size, k_size = key_size;
137 138
  mbedtls_pk_context pkey;
  mbedtls_pk_init(&pkey);
139 140

  if (oc_certs_is_PEM(cert, cert_size) != 0) {
141
    OC_ERR("provided cert is not in PEM format");
142 143 144 145
    return -1;
  }
  if (cert[cert_size - 1] != '\0') {
    c_size += 1;
146
  }
147
  if (oc_certs_is_PEM(key, key_size) == 0) {
148 149 150
    if (key[key_size - 1] != '\0') {
      k_size += 1;
    }
151 152 153
  }

  /* Parse identity cert's private key */
154 155
  int ret =
    mbedtls_pk_parse_key(&pkey, (const unsigned char *)key, k_size, NULL, 0);
156
  if (ret != 0) {
157
    OC_ERR("could not parse identity cert's private key %d", ret);
158 159
    return -1;
  }
160
  OC_DBG("parsed the provided identity cert's private key");
161 162 163 164 165 166 167 168

  /* Serialize identity cert's private key to DER */
  uint8_t privkbuf[200];
  ret = mbedtls_pk_write_key_der(&pkey, privkbuf, 200);

  mbedtls_pk_free(&pkey);

  if (ret < 0) {
169
    OC_ERR("could not write identity cert's DER encoded private key %d", ret);
170 171 172 173 174 175 176 177 178
    return -1;
  }

  size_t private_key_size = ret;

  mbedtls_x509_crt cert1, cert2;
  mbedtls_x509_crt_init(&cert1);

  /* Parse identity cert chain */
179
  ret = mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert, c_size);
180 181 182 183
  if (ret < 0) {
    OC_ERR("could not parse the provided identity cert");
    return -1;
  }
184
  OC_DBG("parsed the provided identity cert");
185 186 187 188 189

  /* Extract subjectUUID from the CN property in the identity certificate */
  oc_string_t subjectuuid;

  if (oc_certs_parse_CN_for_UUID(&cert1, &subjectuuid) < 0) {
190
    OC_DBG("could not extract a subjectUUID from the CN property.. Using "
191 192
           "'*'instead..");
    oc_new_string(&subjectuuid, "*", 1);
193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225
  }
  oc_sec_creds_t *creds = oc_sec_get_creds(device);
  oc_sec_cred_t *c = oc_list_head(creds->creds);
  for (; c != NULL; c = c->next) {
    /* Iterate over all identity certs provisioned to this logical
     * device.
     */
    if (c->credusage != credusage) {
      continue;
    }
    mbedtls_x509_crt_init(&cert2);

    ret = mbedtls_x509_crt_parse(
      &cert2, (const unsigned char *)oc_string(c->publicdata.data),
      oc_string_len(c->publicdata.data) + 1);
    if (ret < 0) {
      mbedtls_x509_crt_free(&cert2);
      continue;
    }

    if (cert1.raw.len == cert2.raw.len &&
        memcmp(cert1.raw.p, cert2.raw.p, cert2.raw.len) == 0) {
      mbedtls_x509_crt_free(&cert1);
      mbedtls_x509_crt_free(&cert2);
      oc_free_string(&subjectuuid);
      OC_DBG("found identity cert in cred with credid %d", c->credid);
      return c->credid;
    }
    mbedtls_x509_crt_free(&cert2);
  }

  OC_DBG("adding a new identity cert chain to /oic/sec/cred");

226 227
  mbedtls_x509_crt_free(&cert1);

228 229 230 231 232 233 234 235 236 237 238
  int credid = oc_sec_add_new_cred(
    device, false, NULL, -1, OC_CREDTYPE_CERT, credusage,
    oc_string(subjectuuid), OC_ENCODING_RAW, private_key_size,
    privkbuf + (200 - private_key_size), OC_ENCODING_PEM, c_size - 1,
    (const uint8_t *)cert, NULL, NULL);

  if (credid != -1) {
    OC_DBG("added new identity cert chain to /oic/sec/cred");
    oc_sec_dump_cred(device);
  } else {
    OC_ERR("could not add identity cert chain to /oic/sec/cred");
239 240 241
  }

  oc_free_string(&subjectuuid);
242

243 244 245 246
  return credid;
}

int
247 248
oc_pki_add_mfg_cert(size_t device, const unsigned char *cert, size_t cert_size,
                    const unsigned char *key, size_t key_size)
249 250 251 252 253 254
{
  return pki_add_identity_cert(device, cert, cert_size, key, key_size,
                               OC_CREDUSAGE_MFG_CERT);
}

int
255 256
oc_pki_add_mfg_intermediate_cert(size_t device, int credid,
                                 const unsigned char *cert, size_t cert_size)
257
{
258
  return pki_add_intermediate_cert(device, credid, cert, cert_size);
259 260 261
}

static int
262
pki_add_trust_anchor(size_t device, const unsigned char *cert, size_t cert_size,
263 264 265 266 267 268
                     oc_sec_credusage_t credusage)
{
  OC_DBG("attempting to add a trust anchor");

  mbedtls_x509_crt cert1, cert2;
  mbedtls_x509_crt_init(&cert1);
269
  size_t c_size = cert_size;
270

271
  /* Parse root cert */
272
  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) != 0) {
273
    OC_ERR("provided cert is not in PEM format");
274
    return -1;
275
  }
276 277 278 279
  if (cert[cert_size - 1] != '\0') {
    c_size += 1;
  }
  int ret = mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert, c_size);
280
  if (ret < 0) {
281
    OC_ERR("could not parse the provided trust anchor: %d", ret);
282 283
    return -1;
  }
284
  OC_DBG("parsed the provided trust anchor");
285 286 287 288 289 290 291 292 293 294 295 296 297

  /* Pass through all known trust anchors looking for a match */
  oc_sec_creds_t *creds = oc_sec_get_creds(device);
  oc_sec_cred_t *c = oc_list_head(creds->creds);
  for (; c != NULL; c = c->next) {
    if (c->credusage != credusage) {
      continue;
    }
    mbedtls_x509_crt_init(&cert2);
    ret = mbedtls_x509_crt_parse(
      &cert2, (const unsigned char *)oc_string(c->publicdata.data),
      oc_string_len(c->publicdata.data) + 1);
    if (ret < 0) {
298
      OC_ERR("could not parse stored certificate: %d", ret);
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319
      mbedtls_x509_crt_free(&cert2);
      continue;
    }

    mbedtls_x509_crt *trustca = &cert2;
    for (; trustca != NULL; trustca = trustca->next) {
      if (trustca->raw.len == cert1.raw.len &&
          memcmp(trustca->raw.p, cert1.raw.p, cert1.raw.len) == 0) {
        break;
      }
    }

    mbedtls_x509_crt_free(&cert2);

    if (trustca) {
      mbedtls_x509_crt_free(&cert1);
      OC_DBG("found trust anchor in cred with credid %d", c->credid);
      return c->credid;
    }
  }

320 321
  OC_DBG("adding a new trust anchor entry to /oic/sec/cred");

322 323 324 325 326 327 328 329
  ret = oc_sec_add_new_cred(device, false, NULL, -1, OC_CREDTYPE_CERT,
                            credusage, "*", 0, 0, NULL, OC_ENCODING_PEM,
                            c_size - 1, (const uint8_t *)cert, NULL, NULL);
  if (ret != -1) {
    OC_DBG("added new trust anchor entry to /oic/sec/cred");
    oc_sec_dump_cred(device);
  } else {
    OC_ERR("could not add trust anchor entry to /oic/sec/cred");
330 331 332
  }

  mbedtls_x509_crt_free(&cert1);
333
  return ret;
334 335 336
}

int
337 338
oc_pki_add_mfg_trust_anchor(size_t device, const unsigned char *cert,
                            size_t cert_size)
339 340 341 342 343 344
{
  return pki_add_trust_anchor(device, cert, cert_size,
                              OC_CREDUSAGE_MFG_TRUSTCA);
}

int
345 346
oc_pki_add_trust_anchor(size_t device, const unsigned char *cert,
                        size_t cert_size)
347 348 349 350 351 352 353
{
  return pki_add_trust_anchor(device, cert, cert_size, OC_CREDUSAGE_TRUSTCA);
}

#else  /* OC_PKI */
typedef int dummy_declaration;
#endif /* !OC_PKI */
354
#endif /* OC_SECURITY */