oc_pki: clean up implementations of oc_pki APIs

Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>

apps/client_certification_tests.c

@@ -426,7 +426,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     fclose(fp);
     return -1;
   }
-  if (pem_len > (long)*buffer_len) {
+  if (pem_len >= (long)*buffer_len) {
     PRINT("ERROR: buffer provided too small\n");
     fclose(fp);
     return -1;
@@ -442,6 +442,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     return -1;
   }
   fclose(fp);
+  buffer[pem_len] = '\0';
   *buffer_len = (size_t)pem_len;
   return 0;
 }

apps/smart_home_server_linux.c

@@ -627,7 +627,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     fclose(fp);
     return -1;
   }
-  if (pem_len > (long)*buffer_len) {
+  if (pem_len >= (long)*buffer_len) {
     PRINT("ERROR: buffer provided too small\n");
     fclose(fp);
     return -1;
@@ -643,6 +643,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     return -1;
   }
   fclose(fp);
+  buffer[pem_len] = '\0';
   *buffer_len = (size_t)pem_len;
   return 0;
 }
@@ -681,7 +682,6 @@ factory_presets_cb(size_t device, void *data)
     PRINT("ERROR: unable to read certificates\n");
     return;
   }
-
   int subca_credid = oc_pki_add_mfg_intermediate_cert(
     0, ee_credid, (const unsigned char *)cert, cert_len);
 

apps/smart_home_server_with_mock_swupdate.cpp

@@ -211,7 +211,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     fclose(fp);
     return -1;
   }
-  if (pem_len > (long)*buffer_len) {
+  if (pem_len >= (long)*buffer_len) {
     PRINT("ERROR: buffer provided too small\n");
     fclose(fp);
     return -1;
@@ -227,6 +227,7 @@ read_pem(const char *file_path, char *buffer, size_t *buffer_len)
     return -1;
   }
   fclose(fp);
+  buffer[pem_len] = '\0';
   *buffer_len = (size_t)pem_len;
   return 0;
 }

security/oc_pki.c

@@ -42,16 +42,17 @@ pki_add_intermediate_cert(size_t device, int credid, const unsigned char *cert,
   }
 
   /* Parse the to-be-added intermediate cert */
-  unsigned char cert_copy[4096];
-  memcpy(cert_copy, cert, cert_size);
+  size_t c_size = cert_size;
   mbedtls_x509_crt int_ca;
   mbedtls_x509_crt_init(&int_ca);
-  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) == 0) {
-    cert_copy[cert_size] = '\0';
-    cert_size += 1;
+  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) != 0) {
+    return -1;
+  }
+  if (cert[cert_size - 1] != '\0') {
+    c_size += 1;
   }
-  ret = mbedtls_x509_crt_parse(&int_ca, (const unsigned char *)cert_copy,
-                               cert_size);
+
+  ret = mbedtls_x509_crt_parse(&int_ca, (const unsigned char *)cert, c_size);
   if (ret < 0) {
     OC_ERR("could not parse intermediate cert %d", ret);
     return -1;
@@ -95,20 +96,21 @@ pki_add_intermediate_cert(size_t device, int credid, const unsigned char *cert,
    * in the chain, if not return.
    */
   if (oc_certs_is_subject_the_issuer(&int_ca, id_cert) == 0) {
-    id_cert->next = &int_ca;
-
-    char chain[4096];
-    ret = oc_certs_serialize_chain_to_pem(&id_cert_chain, chain, 4096);
-    if (ret > 0) {
-      OC_DBG("adding a new intermediate CA cert to /oic/sec/cred");
-      oc_free_string(&c->publicdata.data);
-      oc_new_string(&c->publicdata.data, chain, ret);
-      oc_sec_dump_cred(device);
-    }
-
-    id_cert->next = NULL;
+    oc_string_t chain = c->publicdata.data;
+    size_t new_publicdata_size = oc_string_len(chain) + c_size;
+    oc_alloc_string(&c->publicdata.data, new_publicdata_size);
+    memcpy(oc_string(c->publicdata.data), oc_string(chain),
+           oc_string_len(chain));
+    memcpy(oc_string(c->publicdata.data) + oc_string_len(chain), cert,
+           cert_size);
+    oc_string(c->publicdata.data)[new_publicdata_size - 1] = '\0';
+    oc_free_string(&chain);
+    OC_DBG("adding a new intermediate CA cert to /oic/sec/cred");
+    oc_sec_dump_cred(device);
+    ret = 1;
   } else {
     OC_ERR("supplied intermediate CA cert is not issuer of identity cert");
+    ret = -1;
   }
 
   mbedtls_x509_crt_free(&int_ca);
@@ -130,25 +132,25 @@ pki_add_identity_cert(size_t device, const unsigned char *cert,
 {
   OC_DBG("attempting to add an identity certificate chain");
 
+  size_t c_size = cert_size, k_size = key_size;
   mbedtls_pk_context pkey;
   mbedtls_pk_init(&pkey);
-  unsigned char cert_copy[4096];
-  unsigned char key_copy[4096];
-  memcpy(cert_copy, cert, cert_size);
-  memcpy(key_copy, key, key_size);
-
-  if (oc_certs_is_PEM(cert, cert_size) == 0) {
-    cert_copy[cert_size] = '\0';
-    cert_size += 1;
+
+  if (oc_certs_is_PEM(cert, cert_size) != 0) {
+    return -1;
+  }
+  if (cert[cert_size - 1] != '\0') {
+    c_size += 1;
   }
   if (oc_certs_is_PEM(key, key_size) == 0) {
-    key_copy[key_size] = '\0';
-    key_size += 1;
+    if (key[key_size - 1] != '\0') {
+      k_size += 1;
+    }
   }
 
   /* Parse identity cert's private key */
-  int ret = mbedtls_pk_parse_key(&pkey, (const unsigned char *)key_copy,
-                                 key_size, NULL, 0);
+  int ret =
+    mbedtls_pk_parse_key(&pkey, (const unsigned char *)key, k_size, NULL, 0);
   if (ret != 0) {
     OC_ERR("could not parse identity cert's private key %d", ret);
     return -1;
@@ -172,8 +174,7 @@ pki_add_identity_cert(size_t device, const unsigned char *cert,
   mbedtls_x509_crt_init(&cert1);
 
   /* Parse identity cert chain */
-  ret =
-    mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert_copy, cert_size);
+  ret = mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert, c_size);
   if (ret < 0) {
     OC_ERR("could not parse the provided identity cert");
     return -1;
@@ -220,25 +221,19 @@ pki_add_identity_cert(size_t device, const unsigned char *cert,
 
   OC_DBG("adding a new identity cert chain to /oic/sec/cred");
 
-  char chain[4096];
-  ret = oc_certs_serialize_chain_to_pem(&cert1, chain, 4096);
-
   mbedtls_x509_crt_free(&cert1);
 
-  int credid = -1;
-  if (ret > 0) {
-    credid = oc_sec_add_new_cred(
-      device, false, NULL, -1, OC_CREDTYPE_CERT, credusage,
-      oc_string(subjectuuid), OC_ENCODING_RAW, private_key_size,
-      privkbuf + (200 - private_key_size), OC_ENCODING_PEM, ret,
-      (const uint8_t *)chain, NULL, NULL);
-
-    if (credid != -1) {
-      OC_DBG("added new identity cert chain to /oic/sec/cred");
-      oc_sec_dump_cred(device);
-    } else {
-      OC_ERR("could not add identity cert chain to /oic/sec/cred");
-    }
+  int credid = oc_sec_add_new_cred(
+    device, false, NULL, -1, OC_CREDTYPE_CERT, credusage,
+    oc_string(subjectuuid), OC_ENCODING_RAW, private_key_size,
+    privkbuf + (200 - private_key_size), OC_ENCODING_PEM, c_size - 1,
+    (const uint8_t *)cert, NULL, NULL);
+
+  if (credid != -1) {
+    OC_DBG("added new identity cert chain to /oic/sec/cred");
+    oc_sec_dump_cred(device);
+  } else {
+    OC_ERR("could not add identity cert chain to /oic/sec/cred");
   }
 
   oc_free_string(&subjectuuid);
@@ -269,17 +264,16 @@ pki_add_trust_anchor(size_t device, const unsigned char *cert, size_t cert_size,
 
   mbedtls_x509_crt cert1, cert2;
   mbedtls_x509_crt_init(&cert1);
-
-  unsigned char cert_copy[4096];
-  memcpy(cert_copy, cert, cert_size);
+  size_t c_size = cert_size;
 
   /* Parse root cert */
-  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) == 0) {
-    cert_copy[cert_size] = '\0';
-    cert_size += 1;
+  if (oc_certs_is_PEM((const unsigned char *)cert, cert_size) != 0) {
+    return -1;
   }
-  int ret =
-    mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert_copy, cert_size);
+  if (cert[cert_size - 1] != '\0') {
+    c_size += 1;
+  }
+  int ret = mbedtls_x509_crt_parse(&cert1, (const unsigned char *)cert, c_size);
   if (ret < 0) {
     return -1;
   }
@@ -321,18 +315,14 @@ pki_add_trust_anchor(size_t device, const unsigned char *cert, size_t cert_size,
 
   OC_DBG("adding a new trust anchor entry to /oic/sec/cred");
 
-  char chain[4096];
-  ret = oc_certs_serialize_chain_to_pem(&cert1, chain, 4096);
-  if (ret > 0) {
-    ret = oc_sec_add_new_cred(device, false, NULL, -1, OC_CREDTYPE_CERT,
-                              credusage, "*", 0, 0, NULL, OC_ENCODING_PEM, ret,
-                              (const uint8_t *)chain, NULL, NULL);
-    if (ret != -1) {
-      OC_DBG("added new trust anchor entry to /oic/sec/cred");
-      oc_sec_dump_cred(device);
-    } else {
-      OC_ERR("could not add trust anchor entry to /oic/sec/cred");
-    }
+  ret = oc_sec_add_new_cred(device, false, NULL, -1, OC_CREDTYPE_CERT,
+                            credusage, "*", 0, 0, NULL, OC_ENCODING_PEM,
+                            c_size - 1, (const uint8_t *)cert, NULL, NULL);
+  if (ret != -1) {
+    OC_DBG("added new trust anchor entry to /oic/sec/cred");
+    oc_sec_dump_cred(device);
+  } else {
+    OC_ERR("could not add trust anchor entry to /oic/sec/cred");
   }
 
   mbedtls_x509_crt_free(&cert1);