Structure for command class authorization added. TCAT agent evaluates…
… certificate when connected.
Arnulf Rupp committed Jul 24, 2023
1 parent 0ccf5a0 commit 63864f1
Showing 9 changed files with 602 additions and 233 deletions.
50 changes: 26 additions & 24 deletions include/openthread/ble_secure.h
Expand Up @@ -130,7 +130,9 @@ otError otBleSecureStart(otInstance *aInstance,
* @retval OT_ERROR_INVALID_STATE The BLE function has not been started or line mode is not selected.
*
*/
otError otBleSecureTcatStart(otInstance *aInstance, otTcatVendorInfo *aVendorInfo, otHandleTcatJoin aHandler);
otError otBleSecureTcatStart(otInstance *aInstance,
otTcatVendorInfo *aVendorInfo,
otHandleTcatJoin aHandler);

/**
* This function stops the BLE Secure server.
Expand Down Expand Up @@ -203,13 +205,13 @@ otError otBleSecureGetPeerCertificateBase64(otInstance *aInstance,
* @retval OT_ERROR_NO_BUFS Insufficient memory for storing the attribute value.
*
*/
otError otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance,
const char *aOid,
size_t aOidLength,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize,
int *aAns1Type);
otError otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance,
const char *aOid,
size_t aOidLength,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize,
int *aAns1Type);

/**
* This method returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of
Expand All @@ -234,11 +236,11 @@ otError otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance,
* @retval OT_ERROR_PARSE The certificate extensions could not be parsed.
*
*/
otError otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);
otError otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);

/**
* This method returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of
Expand All @@ -260,11 +262,11 @@ otError otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstanc
* @retval OT_ERROR_PARSE The certificate extensions could not be parsed.
*
*/
otError otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);
otError otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);

/**
* This method returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of
Expand All @@ -286,11 +288,11 @@ otError otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance
* @retval OT_ERROR_PARSE The certificate extensions could not be parsed.
*
*/
otError otBleSecureGetThreadAttributeFromCaCertificateChain(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);
otError otBleSecureGetThreadAttributeFromCaCertificateChain(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize);

/**
* This method sets the authentication mode for the BLE secure connection.
Expand Down Expand Up @@ -351,7 +353,7 @@ void otBleSecureSetCaCertificateChain(otInstance *aInstance,
otError otBleSecureConnect(otInstance *aInstance);

/**
* This method stops the TLS connection.
* This method stops the BLE and TLS connection.
*
* @param[in] aInstance A pointer to an OpenThread instance.
*
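Review bot: The new `uint8_t *aAttributeBuffer` signatures of `otBleSecureGetPeerSubjectAttributeByOid` and the three `otBleSecureGetThreadAttributeFrom...Certificate` functions now advertise a raw byte buffer, but nothing in the visible doc blocks says whether the value written is NUL-terminated or how `*aAttributeLength` relates to `aAttributeBufferSize`; the `@param` lines sit in the collapsed region above each hunk, so they may or may not already cover this. I would state on each `aAttributeLength` parameter that it receives the number of bytes written and that the value is the raw attribute content rather than a C string, which the separate `aAns1Type` out-parameter suggests but which should be confirmed against the implementation in dtls.cpp. The name `aAns1Type` reads as a misspelling of ASN.1 (`aAsn1Type`); parameter names are not part of the ABI, so correcting it in the header, the wrapper and the `@param` line is safe. Since `OT_ERROR_NO_BUFS` is the documented overflow result, callers of an authorization-relevant getter should treat any non-`OT_ERROR_NONE` return as "attribute absent" rather than reading the buffer.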
27 changes: 13 additions & 14 deletions include/openthread/tcat.h
Expand Up @@ -64,6 +64,8 @@ extern "C" {
*
*/

#define OT_TCAT_MAX_SERVICE_NAME_LENGTH 15 ///< Maximum string length of a UDP or TCP service name (does not include null char).

/**
* Represents TCAT TLV types.
*
Expand Down Expand Up @@ -140,9 +142,9 @@ typedef enum otTcatStatusCode
OT_TCAT_STATUS_VALUE_ERROR = 3, ///< The value of the transmitted TLV has an error
OT_TCAT_STATUS_GENERAL_ERROR = 4, ///< An error not matching any other category occurred
OT_TCAT_STATUS_BUSY = 5, ///< Command cannot be executed because the resource is busy
OT_TCAT_STATUS_UNDEFINED = 6, ///< The requested value, data or service is not defined (currently) or not present
OT_TCAT_STATUS_HASH_ERROR = 7, ///< The hash value presented by the commissioner was incorrect
OT_TCAT_STATUS_UNAUTHORIZED = 8, ///< Sender does not have sufficient authorization for the given command
OT_TCAT_STATUS_UNDEFINED = 6, ///< The requested value, data or service is not defined (currently) or not present
OT_TCAT_STATUS_HASH_ERROR = 7, ///< The hash value presented by the commissioner was incorrect
OT_TCAT_STATUS_UNAUTHORIZED = 8, ///< Sender does not have sufficient authorization for the given command

} otTcatStatusCode;

Expand All @@ -152,20 +154,17 @@ typedef enum otTcatStatusCode
*/
typedef enum otTcatMessageType
{
OT_TCAT_MESSAGE_TYPE_RAW = 0, ///< Message which has been sent without activating the TCAT agent
OT_TCAT_MESSAGE_TYPE_STATUS = 1, ///< Message containing a status code (byte) as defined in otTcatStatusCode
OT_TCAT_MESSAGE_TYPE_UDP = 2, ///< Message directed to a UDP service
OT_TCAT_MESSAGE_TYPE_TCP = 3, ///< Message directed to a TCP service
OT_TCAT_MESSAGE_TYPE_NONE = 0, ///< Message which has been sent without activating the TCAT agent
OT_TCAT_MESSAGE_TYPE_STATUS = 1, ///< Message containing a status code (byte) as defined in otTcatStatusCode
OT_TCAT_MESSAGE_TYPE_UDP = 2, ///< Message directed to a UDP service
OT_TCAT_MESSAGE_TYPE_TCP = 3, ///< Message directed to a TCP service
OT_TCAT_MESSAGE_TYPE_CHANGED_TO_UDP_SERVICE = 4, ///< Client has changed to a UDP service
OT_TCAT_MESSAGE_TYPE_CHANGED_TO_TCP_SERVICE = 5, ///< Client has changed to a TCP service

} otTcatMessageType;

/**
* The command class flag type to indicate which requirements apply for a given command class.
*
* This is a combination of bit-flags. The specific bit-flags are defined in the enumeration
* `OT_TCAT_COMMAND_CLASS_FLAG_*`.
* The certificate authorization field header type to indicate the type and version of the certificate.
*
*/
typedef uint8_t otTcatCertificateAuthorizationFieldHeader;
Expand All @@ -187,8 +186,7 @@ typedef uint8_t otTcatCommandClassFlags;

enum
{
OT_TCAT_COMMAND_CLASS_FLAG_ACCESS =
1 << 0, ///< Access to the command class (device: without without additional requirements).
OT_TCAT_COMMAND_CLASS_FLAG_ACCESS = 1 << 0, ///< Access to the command class (device: without without additional requirements).
OT_TCAT_COMMAND_CLASS_FLAG_PSKD = 1 << 1, ///< Access requires proof-of-possession of the device's PSKd
OT_TCAT_COMMAND_CLASS_FLAG_NETWORK_NAME = 1 << 2, ///< Access requires matching network name
OT_TCAT_COMMAND_CLASS_FLAG_XPANID = 1 << 3, ///< Access requires matching XPANID
Expand Down Expand Up @@ -232,14 +230,15 @@ typedef struct otTcatVendorInfo
const char *mVendorData; ///< Vendor specific data string
const char *mPskdString; ///< Vendor managed pre-shared key for device
const char *mInstallCode; ///< Vendor managed install code string
const char *mDeviceId; ///< Vendor managed device ID string (if NULL: device ID is set to EUI-64 in binary format)
const char *mDeviceId; ///< Vendor managed device ID string (if NULL: device ID is set to EUI-64 in binary format)

} otTcatVendorInfo;

/**
* This function pointer is called when application data was received over a TCAT TLS connection.
*
*
* @param[in] aInstance A pointer to an OpenThread instance.
* @param[in] aMessage A pointer to the message.
* @param[in] aTcatMessageType The message type received.
* @param[in] aServiceName The name of the service the message is direced to.
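Review bot: The combination rule for the `OT_TCAT_COMMAND_CLASS_FLAG_*` bits is not stated at the enum, yet the command-class authorization this commit introduces is decided from them: when a certificate sets both `OT_TCAT_COMMAND_CLASS_FLAG_PSKD` and `OT_TCAT_COMMAND_CLASS_FLAG_NETWORK_NAME` for one class, an evaluator that treats the bits as alternatives grants strictly more than one that requires all of them, so the header should say which reading is intended (the `otTcatCommandClassFlags` doc above the hunk is collapsed and may already do so). The `ACCESS` entry also doubles a word; it should read `///< Access to the command class (device: without additional requirements).` Renaming the public enumerator `OT_TCAT_MESSAGE_TYPE_RAW` to `OT_TCAT_MESSAGE_TYPE_NONE` breaks existing callers at compile time; if the old name is meant to go, a deprecated alias such as `#define OT_TCAT_MESSAGE_TYPE_RAW OT_TCAT_MESSAGE_TYPE_NONE` keeps them building. Because `OT_TCAT_MAX_SERVICE_NAME_LENGTH` excludes the terminator, its comment could add that a buffer of `OT_TCAT_MAX_SERVICE_NAME_LENGTH + 1` bytes is needed to hold the name as a C string.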
32 changes: 16 additions & 16 deletions src/core/api/ble_secure_api.cpp
Expand Up @@ -93,7 +93,7 @@ otError otBleSecureGetPeerCertificateBase64(otInstance *aInstance,
otError otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance,
const char *aOid,
size_t aOidLength,
unsigned char *aAttributeBuffer,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize,
int *aAns1Type)
Expand All @@ -102,32 +102,32 @@ otError otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance,
aOid, aOidLength, aAttributeBuffer, aAttributeLength, aAttributeBufferSize, aAns1Type);
}

otError otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
otError otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
return AsCoreType(aInstance).Get<Ble::BleSecure>().GetThreadAttributeFromPeerCertificate(
aThreadOidDescriptor, aAttributeBuffer, aAttributeLength, aAttributeBufferSize);
}
#endif // defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

otError otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
otError otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
return AsCoreType(aInstance).Get<Ble::BleSecure>().GetThreadAttributeFromOwnCertificate(
aThreadOidDescriptor, aAttributeBuffer, aAttributeLength, aAttributeBufferSize);
}

otError otBleSecureGetThreadAttributeFromCaCertificateChain(otInstance *aInstance,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
otError otBleSecureGetThreadAttributeFromCaCertificateChain(otInstance *aInstance,
int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
return AsCoreType(aInstance).Get<Ble::BleSecure>().GetThreadAttributeFromCaCertificateChain(
aThreadOidDescriptor, aAttributeBuffer, aAttributeLength, aAttributeBufferSize);
38 changes: 19 additions & 19 deletions src/core/meshcop/dtls.cpp
Expand Up @@ -585,12 +585,12 @@ Error Dtls::GetPeerCertificateBase64(unsigned char *aPeerCert, size_t *aCertLeng
#endif // defined(MBEDTLS_BASE64_C) && defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Error Dtls::GetPeerSubjectAttributeByOid(const char *aOid,
size_t aOidLength,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize,
int *aAns1Type)
Error Dtls::GetPeerSubjectAttributeByOid(const char *aOid,
size_t aOidLength,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize,
int *aAns1Type)
{
Error error = kErrorNone;
const mbedtls_asn1_named_data *data;
Expand Down Expand Up @@ -625,10 +625,10 @@ Error Dtls::GetPeerSubjectAttributeByOid(const char *aOid,
return error;
}

Error Dtls::GetThreadAttributeFromPeerCertificate(int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
Error Dtls::GetThreadAttributeFromPeerCertificate(int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(&mSsl);

Expand All @@ -638,21 +638,21 @@ Error Dtls::GetThreadAttributeFromPeerCertificate(int aThreadOidDescr

#endif // defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

Error Dtls::GetThreadAttributeFromOwnCertificate(int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
Error Dtls::GetThreadAttributeFromOwnCertificate(int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
const mbedtls_x509_crt *cert = &mOwnCert;

return GetThreadAttributeFromCertificate(cert, aThreadOidDescriptor, aAttributeBuffer, aAttributeLength,
aAttributeBufferSize);
}

Error Dtls::GetThreadAttributeFromCaCertificateChain(int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
Error Dtls::GetThreadAttributeFromCaCertificateChain(int aThreadOidDescriptor,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
const mbedtls_x509_crt *cert = &mCaChain;

Expand All @@ -662,7 +662,7 @@ Error Dtls::GetThreadAttributeFromCaCertificateChain(int aThreadOidDe

Error Dtls::GetThreadAttributeFromCertificate(const mbedtls_x509_crt *aCert,
int aThreadOidDescriptor,
unsigned char *aAttributeBuffer,
uint8_t *aAttributeBuffer,
size_t *aAttributeLength,
size_t aAttributeBufferSize)
{
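Review bot: In `Dtls::GetThreadAttributeFromPeerCertificate`, the new-side line `const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(&mSsl);` can yield NULL when the handshake has not completed or the peer presented no certificate, and the hunk ends before any check, so confirm that the collapsed lines guard `cert == nullptr` and return an error before `GetThreadAttributeFromCertificate` dereferences it. The TCAT command-class authorization added in this commit is derived from these attributes, so a missing certificate or attribute must fail closed, i.e. the caller should only grant a class on `kErrorNone` with a fully parsed value. `GetThreadAttributeFromCaCertificateChain` passes `&mCaChain` unconditionally; if no chain was ever set this is an initialised but empty `mbedtls_x509_crt`, which the shared helper presumably reports as "not found" rather than parsing garbage — worth a comment at the call site once verified. The bodies of `GetThreadAttributeFromPeerCertificate` and `GetThreadAttributeFromCertificate` continue outside the hunk.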
