1 /* *****************************************************************
3 * Copyright 2015 Samsung Electronics All Rights Reserved.
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 ******************************************************************/
24 * This file contains the Security APIs for Resource Model to use.
27 #ifndef CA_SECURITY_INTERFACE_H_
28 #define CA_SECURITY_INTERFACE_H_
32 #endif //__WITH_X509__
37 #include "byte_array.h"
46 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
48 * @enum CADtlsPskCredType_t
49 * Type of PSK credential required during DTLS handshake
50 * It does not make much sense in bringing in all definitions from dtls.h into here.
51 * Therefore, redefining them here.
58 } CADtlsPskCredType_t;
61 * This internal callback is used by CA layer to
62 * retrieve PSK credentials from SRM.
64 * @param[in] type Type of PSK data required by the CA layer during the DTLS handshake.
65 * @param[in] desc Additional request information.
66 * @param[in] desc_len The actual length of desc.
67 * @param[out] result Must be filled with the requested information.
68 * @param[in] result_length Maximum size of @p result.
70 * @return The number of bytes written to @p result or a value
71 * less than zero on error.
73 typedef int (*CAGetDTLSPskCredentialsHandler)(CADtlsPskCredType_t type,
74 const uint8_t *desc, size_t desc_len,
75 uint8_t *result, size_t result_length);
76 #endif // __WITH_DTLS__ or __WITH_TLS__
80 * Register callback to receive the result of DTLS handshake.
81 * @param[in] dtlsHandshakeCallback callback that receives the DTLS handshake result
82 * @return ::CA_STATUS_OK
84 CAResult_t CARegisterDTLSHandshakeCallback(CAErrorCallback dtlsHandshakeCallback);
87 * Register callback to get DTLS PSK credentials.
88 * @param[in] GetDTLSCredentials Callback used to get the DTLS PSK credentials.
89 * @return ::CA_STATUS_OK
91 CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSPskCredentialsHandler GetDTLSCredentials);
93 #endif //__WITH_DTLS__
98 * Binary structure containing PKIX related info
99 * own certificate chain, public key, CA's and CRL's
103 // own certificate chain
114 * Register callback to receive the result of TLS handshake.
115 * @param[in] tlsHandshakeCallback callback that receives the TLS handshake result
116 * @return ::CA_STATUS_OK
118 CAResult_t CAregisterTlsHandshakeCallback(CAErrorCallback tlsHandshakeCallback);
121 * Register callback to get TLS PSK credentials.
122 * @param[in] getTlsCredentials Callback used to get the TLS PSK credentials.
123 * @return ::CA_STATUS_OK
125 CAResult_t CAregisterTlsCredentialsHandler(CAGetDTLSPskCredentialsHandler getTlsCredentials);
128 * @brief Callback function type for getting PKIX info
130 * @param[out] inf PKIX related info
134 typedef void (*CAgetPkixInfoHandler)(PkiInfo_t * inf);
137 CAResult_t CAregisterPkixInfoHandler(CAgetPkixInfoHandler getPkixInfoHandler);
138 #endif //__WITH_TLS__
142 * Binary structure containing certificate chain and certificate credentials
147 // certificate message for DTLS
148 unsigned char certificateChain[MAX_CERT_MESSAGE_LEN];
149 // length of the certificate message
150 uint32_t certificateChainLen;
151 // number of certificates in certificate message
153 // x component of EC public key
154 uint8_t rootPublicKeyX[PUBLIC_KEY_SIZE / 2];
155 // y component of EC public key
156 uint8_t rootPublicKeyY[PUBLIC_KEY_SIZE / 2];
158 uint8_t devicePrivateKey[PRIVATE_KEY_SIZE];
163 * @brief Callback function type for getting certificate credentials.
164 * @param credInfo [OUT] Certificate credentials info. Handler has to allocate new memory for
165 * credInfo which is then freed by CA
168 typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo);
170 * @brief Callback function type for getting CRL.
171 * @param crlInfo [OUT] CRL info. Handler has to allocate new memory for
172 * crlInfo which is then freed by CA
175 typedef void (*CAGetDTLSCrlHandler)(ByteArray* crlInfo);
178 * @brief Register callback to get DTLS Cert credentials.
179 * @param GetX509Credentials [IN] Callback used to get the X.509 certificate credentials
180 * @return #CA_STATUS_OK
182 CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials);
184 * @brief Register callback to get CRL.
185 * @param GetCrl [IN] GetCrl callback
186 * @return #CA_STATUS_OK
188 CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl);
189 #endif //__WITH_X509__
195 * Select the cipher suite for dtls handshake.
197 * @param[in] cipher cipher suite identifier (note: make sure the byte order of the value is correct).
198 * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA
199 * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8
200 * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
202 * @retval ::CA_STATUS_OK Successful.
203 * @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments.
204 * @retval ::CA_STATUS_FAILED Operation failed.
206 CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapter);
209 * Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls.
211 * @param[in] enable TRUE/FALSE enables/disables anonymous cipher suite.
213 * @retval ::CA_STATUS_OK Successful.
214 * @retval ::CA_STATUS_FAILED Operation failed.
216 * @note The anonymous cipher suite does not authenticate the peer, so it should only be enabled for 'JustWorks' provisioning.
218 CAResult_t CAEnableAnonECDHCipherSuite(const bool enable);
222 * Generate ownerPSK using PRF.
223 * OwnerPSK = TLS-PRF('master key' , 'oic.sec.doxm.jw',
224 * 'ID of new device(Resource Server)',
225 * 'ID of owner smart-phone(Provisioning Server)')
227 * @param[in] endpoint information of network address.
228 * @param[in] label Ownership transfer method e.g)"oic.sec.doxm.jw".
229 * @param[in] labelLen Byte length of label.
230 * @param[in] rsrcServerDeviceID ID of new device(Resource Server).
231 * @param[in] rsrcServerDeviceIDLen Byte length of rsrcServerDeviceID.
232 * @param[in] provServerDeviceID ID of owner smart-phone(Provisioning Server).
233 * @param[in] provServerDeviceIDLen byte length of provServerDeviceID.
234 * @param[in,out] ownerPSK Output buffer for owner PSK; must be able to hold at least ownerPSKSize bytes.
235 * @param[in] ownerPSKSize Byte length of the ownerPSK to be generated.
237 * @retval ::CA_STATUS_OK Successful.
238 * @retval ::CA_STATUS_FAILED Operation failed.
240 CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t *endpoint,
241 const uint8_t* label, const size_t labelLen,
242 const uint8_t* rsrcServerDeviceID,
243 const size_t rsrcServerDeviceIDLen,
244 const uint8_t* provServerDeviceID,
245 const size_t provServerDeviceIDLen,
246 uint8_t* ownerPSK, const size_t ownerPSKSize);
249 * Initiate DTLS handshake with selected cipher suite.
251 * @param[in] endpoint information of network address.
253 * @retval ::CA_STATUS_OK Successful.
254 * @retval ::CA_STATUS_FAILED Operation failed.
256 CAResult_t CAInitiateHandshake(const CAEndpoint_t *endpoint);
259 * Close the DTLS session.
261 * @param[in] endpoint information of network address.
263 * @retval ::CA_STATUS_OK Successful.
264 * @retval ::CA_STATUS_FAILED Operation failed.
266 CAResult_t CACloseDtlsSession(const CAEndpoint_t *endpoint);
268 #endif /* __WITH_DTLS__ */
273 * Initiate TLS handshake with selected cipher suite.
275 * @param[in] endpoint information of network address.
277 * @retval ::CA_STATUS_OK Successful.
278 * @retval ::CA_STATUS_FAILED Operation failed.
280 CAResult_t CAinitiateTlsHandshake(const CAEndpoint_t *endpoint);
283 * Close the TLS connection.
285 * @param[in] endpoint information of network address.
287 * @retval ::CA_STATUS_OK Successful.
288 * @retval ::CA_STATUS_FAILED Operation failed.
290 CAResult_t CAcloseTlsConnection(const CAEndpoint_t *endpoint);
292 #endif /* __WITH_TLS__ */
299 #endif /* CA_SECURITY_INTERFACE_H_ */