1 //******************************************************************
3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
22 * Data type definitions for all oic.sec.* types defined in the
23 * OIC Security Specification.
25 * Note that throughout, ptrs are used rather than arrays. There
26 * are two primary reasons for this:
27 * 1) The Spec defines many structures with optional fields, so pre-
28 * allocating these would be wasteful.
29 * 2) There are in many cases arrays of Strings or arrays of Structs,
30 * which could not be defined as variable length arrays (e.g. array[])
31 * without breaking from the structure order and definition in the Spec.
33 * The primary drawback to this decision is that marshalling functions
34 * will have to be written by hand to marshal these structures (e.g. to/from
35 * Persistent Storage, or across memory boundaries).
37 * TODO reconcile against latest OIC Security Spec to ensure all fields correct.
38 * (Last checked against v0.95)
41 #ifndef OC_SECURITY_RESOURCE_TYPES_H
42 #define OC_SECURITY_RESOURCE_TYPES_H
44 #include "iotivity_config.h"
46 #include <stdint.h> // for uint8_t typedef
48 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
49 #include "byte_array.h"
50 #endif /* __WITH_DTLS__ or __WITH_TLS__*/
57 * Values used to create bit-maskable enums for single-value responses with an embedded reason code.
// One bit per flag, so a single SRM access response value can carry a
// decision (granted / denied / waiting) together with a reason.
#define ACCESS_GRANTED_DEF            (0x1 << 0)
#define ACCESS_DENIED_DEF             (0x1 << 1)
#define INSUFFICIENT_PERMISSION_DEF   (0x1 << 2)
#define SUBJECT_NOT_FOUND_DEF         (0x1 << 3)
#define RESOURCE_NOT_FOUND_DEF        (0x1 << 4)
#define POLICY_ENGINE_ERROR_DEF       (0x1 << 5)
#define INVALID_PERIOD_DEF            (0x1 << 6)
#define ACCESS_WAITING_DEF            (0x1 << 7)
#define AMS_SERVICE_DEF               (0x1 << 8)

// The five reason bits, listed in bit order. The granted, denied, waiting and
// AMS-service bits are deliberately not part of this mask, so masking a
// response with it leaves only the reason.
#define REASON_MASK_DEF \
    (INSUFFICIENT_PERMISSION_DEF | \
     SUBJECT_NOT_FOUND_DEF | \
     RESOURCE_NOT_FOUND_DEF | \
     POLICY_ENGINE_ERROR_DEF | \
     INVALID_PERIOD_DEF)
77 * Access policy in least significant bits (from Spec):
79 * 2nd lsb: R (Read, Observe, Discover)
80 * 3rd lsb: U (Write, Update)
// Access-policy permission bits, one per operation, counted from the least
// significant bit.
#define PERMISSION_CREATE   (0x1 << 0)  // 1st lsb: Create
#define PERMISSION_READ     (0x1 << 1)  // 2nd lsb: Read, Observe, Discover
#define PERMISSION_WRITE    (0x1 << 2)  // 3rd lsb: Write, Update
#define PERMISSION_DELETE   (0x1 << 3)  // 4th lsb: Delete
#define PERMISSION_NOTIFY   (0x1 << 4)  // 5th lsb: Notify
89 #define PERMISSION_FULL_CONTROL (PERMISSION_CREATE | \
96 * @brief Response type for all Action requests from CA layer;
97 * may include a reason code.
99 * To extract codes use GetReasonCode function on SRMAccessResponse:
101 * SRMAccessResponse_t response = SRMRequestHandler(obj, info);
102 * if(SRM_TRUE == IsAccessGranted(response)) {
103 * SRMAccessResponseReasonCode_t reason = GetReasonCode(response);
105 * case INSUFFICIENT_PERMISSION:
112 ACCESS_GRANTED = ACCESS_GRANTED_DEF,
113 ACCESS_DENIED = ACCESS_DENIED_DEF,
114 ACCESS_DENIED_INVALID_PERIOD = ACCESS_DENIED_DEF
115 | INVALID_PERIOD_DEF,
116 ACCESS_DENIED_INSUFFICIENT_PERMISSION = ACCESS_DENIED_DEF
117 | INSUFFICIENT_PERMISSION_DEF,
118 ACCESS_DENIED_SUBJECT_NOT_FOUND = ACCESS_DENIED_DEF
119 | SUBJECT_NOT_FOUND_DEF,
120 ACCESS_DENIED_RESOURCE_NOT_FOUND = ACCESS_DENIED_DEF
121 | RESOURCE_NOT_FOUND_DEF,
122 ACCESS_DENIED_POLICY_ENGINE_ERROR = ACCESS_DENIED_DEF
123 | POLICY_ENGINE_ERROR_DEF,
124 ACCESS_WAITING_FOR_AMS = ACCESS_WAITING_DEF
126 ACCESS_DENIED_AMS_SERVICE_ERROR = ACCESS_DENIED
128 } SRMAccessResponse_t;
131 * Reason code for SRMAccessResponse.
136 INSUFFICIENT_PERMISSION = INSUFFICIENT_PERMISSION_DEF,
137 SUBJECT_NOT_FOUND = SUBJECT_NOT_FOUND_DEF,
138 RESOURCE_NOT_FOUND = RESOURCE_NOT_FOUND_DEF,
139 } SRMAccessResponseReasonCode_t;
142 * Extract Reason Code from Access Response.
144 INLINE_API SRMAccessResponseReasonCode_t GetReasonCode(
145 SRMAccessResponse_t response)
147 SRMAccessResponseReasonCode_t reason =
148 (SRMAccessResponseReasonCode_t)(response & REASON_MASK_DEF);
153 * Returns 'true' iff request should be passed on to RI layer.
155 INLINE_API bool IsAccessGranted(SRMAccessResponse_t response)
157 if(ACCESS_GRANTED == (response & ACCESS_GRANTED))
167 typedef struct OicSecRsrc OicSecRsrc_t;
169 typedef struct OicSecValidity OicSecValidity_t;
171 typedef struct OicSecAce OicSecAce_t;
173 typedef struct OicSecAcl OicSecAcl_t;
175 typedef struct OicSecAmacl OicSecAmacl_t;
177 typedef struct OicSecCred OicSecCred_t;
180 * Aid for assigning/testing vals with OicSecCredType_t.
182 * OicSecCredType_t ct = PIN_PASSWORD | ASYMMETRIC_KEY;
183 * if((ct & PIN_PASSWORD) == PIN_PASSWORD)
185 * // ct contains PIN_PASSWORD flag.
188 typedef enum OSCTBitmask
190 NO_SECURITY_MODE = 0x0,
191 SYMMETRIC_PAIR_WISE_KEY = (0x1 << 0),
192 SYMMETRIC_GROUP_KEY = (0x1 << 1),
193 ASYMMETRIC_KEY = (0x1 << 2),
194 SIGNED_ASYMMETRIC_KEY = (0x1 << 3),
195 PIN_PASSWORD = (0x1 << 4),
196 ASYMMETRIC_ENCRYPTION_KEY = (0x1 << 5),
200 * /oic/sec/credtype (Credential Type) data type.
201 * Derived from OIC Security Spec /oic/sec/cred; see Spec for details.
202 * 0: no security mode
203 * 1: symmetric pair-wise key
204 * 2: symmetric group key
206 * 8: signed asymmetric key (aka certificate)
209 typedef OSCTBitmask_t OicSecCredType_t;
211 typedef struct OicSecDoxm OicSecDoxm_t;
213 typedef enum OicSecDpm
217 TAKE_OWNER = (0x1 << 1),
218 BOOTSTRAP_SERVICE = (0x1 << 2),
219 SECURITY_MANAGEMENT_SERVICES = (0x1 << 3),
220 PROVISION_CREDENTIALS = (0x1 << 4),
221 PROVISION_ACLS = (0x1 << 5),
222 #ifdef _ENABLE_MULTIPLE_OWNER_
223 TAKE_SUB_OWNER = (0x1 << 6),
225 // << 7 THROUGH 15 RESERVED
228 // These types are taken from the Security Spec v1.1.12 /pstat resource definition
229 // Note that per the latest spec, there is NO definition for Multiple Service Client Directed
230 // provisioning mode, so that enum value has been removed.
231 typedef enum OicSecDpom
233 MULTIPLE_SERVICE_SERVER_DRIVEN = (0x1 << 0),
234 SINGLE_SERVICE_SERVER_DRIVEN = (0x1 << 1),
235 SINGLE_SERVICE_CLIENT_DRIVEN = (0x1 << 2),
238 typedef enum OicSecSvcType
240 SERVICE_UNKNOWN = 0x0,
241 ACCESS_MGMT_SERVICE = 0x1, //urn:oic.sec.ams
245 //TODO: Need more clarification on deviceIDFormat field type.
265 OIC_SEC_SVR_TYPE_COUNT, //define the value to number of SVR
266 NOT_A_SVR_RESOURCE = 99
271 OIC_JUST_WORKS = 0x0,
272 OIC_RANDOM_DEVICE_PIN = 0x1,
273 OIC_MANUFACTURER_CERTIFICATE = 0x2,
274 OIC_DECENTRALIZED_PUBLIC_KEY = 0x3,
276 #ifdef _ENABLE_MULTIPLE_OWNER_
277 OIC_PRECONFIG_PIN = 0xFF00,
278 #endif //_ENABLE_MULTIPLE_OWNER_
283 OIC_ENCODING_UNKNOW = 0,
284 OIC_ENCODING_RAW = 1,
285 OIC_ENCODING_BASE64 = 2,
286 OIC_ENCODING_PEM = 3,
290 #ifdef _ENABLE_MULTIPLE_OWNER_
293 MOT_STATUS_READY = 0,
294 MOT_STATUS_IN_PROGRESS = 1,
297 #endif //_ENABLE_MULTIPLE_OWNER_
300 * oic.sec.mom type definition
301 * TODO: This type will be included in the OIC Security Spec.
302 * 0 : Disable multiple owner
303 * 1 : Enable multiple owner (Always on)
304 * 2 : Timely multiple owner enable
308 OIC_MULTIPLE_OWNER_DISABLE = 0,
309 OIC_MULTIPLE_OWNER_ENABLE = 1,
310 OIC_MULTIPLE_OWNER_TIMELY_ENABLE = 2,
311 OIC_NUMBER_OF_MOM_TYPE = 3
314 typedef struct OicSecKey OicSecKey_t;
316 typedef struct OicSecPstat OicSecPstat_t;
318 typedef struct OicSecRole OicSecRole_t;
320 typedef struct OicSecSacl OicSecSacl_t;
322 typedef struct OicSecSvc OicSecSvc_t;
324 typedef char *OicUrn_t; //TODO is URN type defined elsewhere?
326 typedef struct OicUuid OicUuid_t; //TODO is UUID type defined elsewhere?
328 #ifdef _ENABLE_MULTIPLE_OWNER_
329 typedef struct OicSecSubOwner OicSecSubOwner_t;
330 typedef struct OicSecMom OicSecMom_t;
331 #endif //_ENABLE_MULTIPLE_OWNER_
334 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
335 typedef struct OicSecCrl OicSecCrl_t;
336 typedef ByteArray_t OicSecCert_t;
338 typedef void OicSecCert_t;
339 #endif /* __WITH_DTLS__ or __WITH_TLS__*/
342 * /oic/uuid (Universal Unique Identifier) data type.
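// Byte lengths derived from bit sizes. Each expansion is parenthesized so the
// macro stays a single operand inside a larger expression: with a bare 128/8,
// `n / UUID_LENGTH` would expand to `n / 128 / 8` and `n % ROLEID_LENGTH` to
// `(n % 128) / 8`, silently yielding the wrong length for buffer and key-size
// arithmetic. Array declarators such as `uint8_t id[UUID_LENGTH]` are unchanged.
#define UUID_LENGTH (128/8) // 128-bit GUID length, in bytes
//TODO: Confirm the length and type of ROLEID.
#define ROLEID_LENGTH (128/8) // 128-bit ROLEID length, in bytes
#define OWNER_PSK_LENGTH_128 (128/8) // byte size of 128-bit key size
#define OWNER_PSK_LENGTH_256 (256/8) // byte size of 256-bit key size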
352 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
353 //TODO fill in unless this is defined elsewhere?
354 uint8_t id[UUID_LENGTH];
358 * /oic/sec/jwk (JSON Web Key) data type.
359 * See JSON Web Key (JWK) draft-ietf-jose-json-web-key-41
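// Parenthesized so the macro stays one operand when used inside a larger
// expression (e.g. `n / JWK_LENGTH` must not expand to `n / 256 / 8`).
#define JWK_LENGTH (256/8) // 256-bit key length, in bytes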
367 // TODO: This field added as workaround. Will be replaced soon.
368 OicEncodingType_t encoding;
374 char *href; // 0:R:S:Y:String
375 char *rel; // 1:R:S:N:String
376 char** types; // 2:R:S:N:String Array
377 size_t typeLen; // the number of elts in types
378 char** interfaces; // 3:R:S:N:String Array
379 size_t interfaceLen; // the number of elts in interfaces
383 struct OicSecValidity
385 char* period; // 0:R:S:Y:String
386 char** recurrences; // 1:R:M:Y:Array of String
387 size_t recurrenceLen; // the number of elts in recurrence
388 OicSecValidity_t *next;
393 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
394 OicUuid_t subjectuuid; // 0:R:S:Y:uuid
395 OicSecRsrc_t *resources; // 1:R:M:Y:Resource
396 uint16_t permission; // 2:R:S:Y:UINT16
397 OicSecValidity_t *validities; // 3:R:M:N:Time-interval
398 #ifdef _ENABLE_MULTIPLE_OWNER_
399 OicUuid_t* eownerID; //4:R:S:N:oic.uuid
405 * /oic/sec/acl (Access Control List) data type.
406 * Derived from OIC Security Spec; see Spec for details.
410 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
411 OicUuid_t rownerID; // 0:R:S:Y:oic.uuid
412 OicSecAce_t *aces; // 1:R:M:N:ACE
416 * /oic/sec/amacl (Access Manager Service Access Control List) data type.
417 * Derived from OIC Security Spec; see Spec for details.
421 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
422 size_t resourcesLen; // the number of elts in Resources
423 char **resources; // 0:R:M:Y:String
424 size_t amssLen; // the number of elts in Amss
425 OicUuid_t *amss; // 1:R:M:Y:acl
426 OicUuid_t rownerID; // 2:R:S:Y:oic.uuid
431 * /oic/sec/cred (Credential) data type.
432 * Derived from OIC Security Spec; see Spec for details.
// Members of the /oic/sec/cred (Credential) record. Each trailing comment
// follows the column layout given on the next line.
436 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
437 uint16_t credId; // 0:R:S:Y:UINT16
438 OicUuid_t subject; // 1:R:S:Y:oic.uuid
439 //Note: Need further clarification on roleID data type
440 //NOTE: Need further clarification on roleId datatype.
441 //size_t roleIdsLen; // the number of elts in RoleIds
442 //OicSecRole_t *roleIds; // 2:R:M:N:oic.sec.role
443 OicSecCredType_t credType; // 3:R:S:Y:oic.sec.credtype
// The certificate-related members below exist only in DTLS/TLS builds, so the
// layout of this record differs between build configurations.
444 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
445 OicSecCert_t publicData; // own certificate chain
446 char *credUsage; // 4:R:S:N:String
447 OicSecKey_t optionalData; // CA's certificate chain
448 #endif /* __WITH_DTLS__ or __WITH_TLS__*/
// NOTE(review): privateData is annotated oic.sec.key, i.e. it carries key
// material. Presumably the code that releases this record should wipe the key
// buffer before freeing it - confirm against the free/marshalling routines,
// which are not visible in this header.
449 OicSecKey_t privateData; // 6:R:S:N:oic.sec.key
450 char *period; // 7:R:S:N:String
451 OicUuid_t rownerID; // 8:R:S:Y:oic.uuid
452 #ifdef _ENABLE_MULTIPLE_OWNER_
453 OicUuid_t *eownerID; //9:R:S:N:oic.uuid
454 #endif //_ENABLE_MULTIPLE_OWNER_
458 #ifdef _ENABLE_MULTIPLE_OWNER_
459 struct OicSecSubOwner {
462 OicSecSubOwner_t* next;
466 OicSecMomType_t mode;
468 #endif //_ENABLE_MULTIPLE_OWNER_
471 * /oic/sec/doxm (Device Owner Transfer Methods) data type
472 * Derived from OIC Security Spec; see Spec for details.
476 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
477 OicUrn_t *oxmType; // 0:R:M:N:URN
478 size_t oxmTypeLen; // the number of elts in OxmType
479 OicSecOxm_t *oxm; // 1:R:M:N:UINT16
480 size_t oxmLen; // the number of elts in Oxm
481 OicSecOxm_t oxmSel; // 2:R/W:S:Y:UINT16
482 OicSecCredType_t sct; // 3:R:S:Y:oic.sec.credtype
483 bool owned; // 4:R:S:Y:Boolean
484 //TODO: Need more clarification on deviceIDFormat field type.
485 //OicSecDvcIdFrmt_t deviceIDFormat; // 5:R:S:Y:UINT8
486 OicUuid_t deviceID; // 6:R:S:Y:oic.uuid
487 bool dpc; // 7:R:S:Y:Boolean
488 OicUuid_t owner; // 8:R:S:Y:oic.uuid
489 #ifdef _ENABLE_MULTIPLE_OWNER_
490 OicSecSubOwner_t* subOwners; //9:R/W:M:N:oic.uuid
491 OicSecMom_t *mom; //10:R/W:S:N:oic.sec.mom
492 #endif //_ENABLE_MULTIPLE_OWNER_
493 OicUuid_t rownerID; // 11:R:S:Y:oic.uuid
497 * /oic/sec/pstat (Provisioning Status) data type.
// Members of the /oic/sec/pstat (Provisioning Status) record. Each trailing
// comment follows the column layout given on the next line.
501 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
502 bool isOp; // 0:R:S:Y:Boolean
503 OicSecDpm_t cm; // 1:R:S:Y:oic.sec.dpm
504 OicSecDpm_t tm; // 2:RW:S:Y:oic.sec.dpm
505 OicUuid_t deviceID; // 3:R:S:Y:oic.uuid
506 OicSecDpom_t om; // 4:RW:M:Y:oic.sec.dpom
// smLen is the element count of the array that sm points to.
507 size_t smLen; // the number of elts in Sm
508 OicSecDpom_t *sm; // 5:R:M:Y:oic.sec.dpom
// NOTE(review): commitHash is annotated oic.sec.sha256 but declared uint16_t.
// A 16-bit field cannot hold a 256-bit SHA-256 digest, so whatever is stored
// here is at most a truncated value and should not be relied on as an
// integrity check - confirm the intended width against the Spec.
509 uint16_t commitHash; // 6:R:S:Y:oic.sec.sha256
510 OicUuid_t rownerID; // 7:R:S:Y:oic.uuid
514 * /oic/sec/role (Role) data type.
515 * Derived from OIC Security Spec; see Spec for details.
519 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
520 //TODO fill in with Role definition
521 uint8_t id[ROLEID_LENGTH];
525 * /oic/sec/sacl (Signed Access Control List) data type.
526 * Derived from OIC Security Spec; see Spec for details.
530 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
531 //TODO fill in from OIC Security Spec
532 #if defined(_MSC_VER)
533 uint8_t unused; // VS doesn't like empty structs
538 * /oic/sec/svc (Service requiring a secure connection) data type.
539 * Derived from OIC Security Spec; see Spec for details.
543 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
544 OicUuid_t svcdid; //0:R:S:Y:oic.uuid
545 OicSecSvcType_t svct; //1:R:M:Y:OIC Service Type
546 size_t ownersLen; //2:the number of elts in Owners
547 OicUuid_t *owners; //3:R:M:Y:oic.uuid
551 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
555 ByteArray_t ThisUpdate;
558 #endif /* __WITH_DTLS__ or __WITH_TLS__ */
561 * @brief direct pairing data type
563 typedef struct OicPin OicDpPin_t;
565 typedef struct OicSecPdAcl OicSecPdAcl_t;
567 typedef struct OicSecPconf OicSecPconf_t;
569 typedef struct OicSecDpairing OicSecDpairing_t;
571 #define DP_PIN_LENGTH 8 // temporary length
574 * @brief /oic/sec/prmtype (Pairing Method Type) data type.
576 * 1: pre-configured pin
579 typedef enum PRMBitmask
581 PRM_NOT_ALLOWED = 0x0,
582 PRM_PRE_CONFIGURED = (0x1 << 0),
583 PRM_RANDOM_PIN = (0x1 << 1),
586 typedef PRMBitmask_t OicSecPrm_t;
591 uint8_t val[DP_PIN_LENGTH];
595 * @brief oic.sec.dpacltype (Device Pairing Access Control List) data type.
599 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
600 char **resources; // 0:R:M:Y:String
601 size_t resourcesLen; // the number of elts in Resources
602 uint16_t permission; // 1:R:S:Y:UINT16
603 char **periods; // 2:R:M*:N:String (<--M*; see Spec)
604 char **recurrences; // 3:R:M:N:String
605 size_t prdRecrLen; // the number of elts in Periods/Recurrences
610 * @brief /oic/sec/pconf (Pairing Configuration) data type
614 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
615 bool edp; // 0:W:S:M:Boolean
616 OicSecPrm_t *prm; // 1:R:M:N:UINT16
617 size_t prmLen; // the number of elts in Prm
618 OicDpPin_t pin; // 2:R:S:Y:String
619 OicSecPdAcl_t *pdacls; // 3:R:M:Y:oic.sec.pdacltype
620 OicUuid_t *pddevs; // 4:R:M:Y:oic.uuid
621 size_t pddevLen; // the number of elts in pddev
622 OicUuid_t deviceID; // 5:R:S:Y:oic.uuid
623 OicUuid_t rownerID; // 6:R:S:Y:oic.uuid
627 * @brief /oic/sec/dpairing (Device Pairing) data type
629 struct OicSecDpairing
631 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
632 OicSecPrm_t spm; // 0:R/W:S:Y:UINT16
633 OicUuid_t pdeviceID; // 1:R:S:Y:oic.uuid
634 OicUuid_t rownerID; // 2:R:S:Y:oic.uuid
637 #define MAX_VERSION_LEN 16 // Security Version length. i.e., 00.00.000 + reserved space
640 * @brief security version data type
642 typedef struct OicSecVer OicSecVer_t;
645 * @brief /oic/sec/ver (Security Version) data type
649 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
650 char secv[MAX_VERSION_LEN]; // 0:R:S:Y:String
651 OicUuid_t deviceID; // 1:R:S:Y:oic.uuid
658 #endif //OC_SECURITY_RESOURCE_TYPES_H