projects / platform / upstream / iotivity.git / blob
? search:


786658e03cee703b2f939a1b948da2e497943b9d
[platform/upstream/iotivity.git] / resource / csdk / security / include / securevirtualresourcetypes.h
1 //******************************************************************
2 //
3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
4 //
5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
6 //
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
10 //
11 //      http://www.apache.org/licenses/LICENSE-2.0
12 //
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
18 //
19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
20
21 /**
22  * Data type definitions for all oic.sec.* types defined in the
23  * OIC Security Specification.
24  *
25  * Note that throughout, ptrs are used rather than arrays.  There
26  * are two primary reasons for this:
27  * 1) The Spec defines many structures with optional fields, so pre-
28  *    allocating these would be wasteful.
29  * 2) There are in many cases arrays of Strings or arrays of Structs,
30  *    which could not be defined as variable length arrays (e.g. array[])
31  *    without breaking from the structure order and definition in the Spec.
32  *
33  * The primary drawback to this decision is that marshalling functions
34  * will have to be written by hand to marshal these structures (e.g. to/from
35  * Persistent Storage, or across memory boundaries).
36  *
37  * TODO reconcile against latest OIC Security Spec to ensure all fields correct.
38  * (Last checked against v0.95)
39  */
40
41 #ifndef OC_SECURITY_RESOURCE_TYPES_H
42 #define OC_SECURITY_RESOURCE_TYPES_H
43
44 #include <stdint.h> // for uint8_t typedef
45 #include <stdbool.h>
46 #ifdef __WITH_X509__
47 #include "byte_array.h"
48 #endif /* __WITH_X509__ */
49
50 #ifdef __cplusplus
51 extern "C" {
52 #endif
53
54 /**
55  * Values used to create bit-maskable enums for single-value response with
56  * embedded code.
57  */
58 #define ACCESS_GRANTED_DEF            (1 << 0)
59 #define ACCESS_DENIED_DEF             (1 << 1)
60 #define INSUFFICIENT_PERMISSION_DEF   (1 << 2)
61 #define SUBJECT_NOT_FOUND_DEF         (1 << 3)
62 #define RESOURCE_NOT_FOUND_DEF        (1 << 4)
63 #define POLICY_ENGINE_ERROR_DEF       (1 << 5)
64 #define INVALID_PERIOD_DEF            (1 << 6)
65 #define ACCESS_WAITING_DEF            (1 << 7)
66 #define AMS_SERVICE_DEF               (1 << 8)
67 #define REASON_MASK_DEF               (INSUFFICIENT_PERMISSION_DEF | \
68                                        INVALID_PERIOD_DEF | \
69                                        SUBJECT_NOT_FOUND_DEF | \
70                                        RESOURCE_NOT_FOUND_DEF | \
71                                        POLICY_ENGINE_ERROR_DEF)
72
73
74 /**
75  * Access policy in least significant bits (from Spec):
76  * 1st lsb:  C (Create)
77  * 2nd lsb:  R (Read, Observe, Discover)
78  * 3rd lsb:  U (Write, Update)
79  * 4th lsb:  D (Delete)
80  * 5th lsb:  N (Notify)
81  */
82 #define PERMISSION_CREATE       (1 << 0)
83 #define PERMISSION_READ         (1 << 1)
84 #define PERMISSION_WRITE        (1 << 2)
85 #define PERMISSION_DELETE       (1 << 3)
86 #define PERMISSION_NOTIFY       (1 << 4)
87 #define PERMISSION_FULL_CONTROL (PERMISSION_CREATE | \
88                                  PERMISSION_READ | \
89                                  PERMISSION_WRITE | \
90                                  PERMISSION_DELETE | \
91                                  PERMISSION_NOTIFY)
92
93 /**
94  * @brief   Response type for all Action requests from CA layer;
95  *          may include a reason code.
96  *
97  * To extract codes use GetReasonCode function on SRMAccessResponse:
98  *
99  * SRMAccessResponse_t response = SRMRequestHandler(obj, info);
100  * if(SRM_TRUE == IsAccessGranted(response)) {
101  *     SRMAccessResponseReasonCode_t reason = GetReasonCode(response);
102  *     switch(reason) {
103  *         case INSUFFICIENT_PERMISSION:
104  *         ...etc.
105  *     }
106  * }
107  */
108 typedef enum
109 {
110     ACCESS_GRANTED = ACCESS_GRANTED_DEF,
111     ACCESS_DENIED = ACCESS_DENIED_DEF,
112     ACCESS_DENIED_INVALID_PERIOD = ACCESS_DENIED_DEF
113         | INVALID_PERIOD_DEF,
114     ACCESS_DENIED_INSUFFICIENT_PERMISSION = ACCESS_DENIED_DEF
115         | INSUFFICIENT_PERMISSION_DEF,
116     ACCESS_DENIED_SUBJECT_NOT_FOUND = ACCESS_DENIED_DEF
117         | SUBJECT_NOT_FOUND_DEF,
118     ACCESS_DENIED_RESOURCE_NOT_FOUND = ACCESS_DENIED_DEF
119         | RESOURCE_NOT_FOUND_DEF,
120     ACCESS_DENIED_POLICY_ENGINE_ERROR = ACCESS_DENIED_DEF
121         | POLICY_ENGINE_ERROR_DEF,
122     ACCESS_WAITING_FOR_AMS = ACCESS_WAITING_DEF
123         | AMS_SERVICE_DEF,
124     ACCESS_DENIED_AMS_SERVICE_ERROR = ACCESS_DENIED
125         | AMS_SERVICE_DEF
126 } SRMAccessResponse_t;
127
128 /**
129  * Reason code for SRMAccessResponse.
130  */
131 typedef enum
132 {
133     NO_REASON_GIVEN = 0,
134     INSUFFICIENT_PERMISSION = INSUFFICIENT_PERMISSION_DEF,
135     SUBJECT_NOT_FOUND = SUBJECT_NOT_FOUND_DEF,
136     RESOURCE_NOT_FOUND = RESOURCE_NOT_FOUND_DEF,
137 } SRMAccessResponseReasonCode_t;
138
139 /**
140  * Extract Reason Code from Access Response.
141  */
142 static inline SRMAccessResponseReasonCode_t GetReasonCode(
143     SRMAccessResponse_t response)
144 {
145     SRMAccessResponseReasonCode_t reason =
146         (SRMAccessResponseReasonCode_t)(response & REASON_MASK_DEF);
147     return reason;
148 }
149
150 /**
151  * Returns 'true' iff request should be passed on to RI layer.
152  */
153 static inline bool IsAccessGranted(SRMAccessResponse_t response)
154 {
155     if(ACCESS_GRANTED == (response & ACCESS_GRANTED))
156     {
157         return true;
158     }
159     else
160     {
161         return false;
162     }
163 }
164
165 typedef struct OicSecAcl OicSecAcl_t;
166
167 typedef struct OicSecAmacl OicSecAmacl_t;
168
169 typedef struct OicSecCred OicSecCred_t;
170
171 /**
172  * Aid for assigning/testing vals with OicSecCredType_t.
173  * Example:
174  *  OicSecCredType_t ct = PIN_PASSWORD | ASYMMETRIC_KEY;
175  *  if((ct & PIN_PASSWORD) == PIN_PASSWORD)
176  *  {
177  *      // ct contains PIN_PASSWORD flag.
178  *  }
179  */
180 typedef enum OSCTBitmask
181 {
182     NO_SECURITY_MODE                = 0x0,
183     SYMMETRIC_PAIR_WISE_KEY         = (0x1 << 0),
184     SYMMETRIC_GROUP_KEY             = (0x1 << 1),
185     ASYMMETRIC_KEY                  = (0x1 << 2),
186     SIGNED_ASYMMETRIC_KEY           = (0x1 << 3),
187     PIN_PASSWORD                    = (0x1 << 4),
188     ASYMMETRIC_ENCRYPTION_KEY       = (0x1 << 5),
189 } OSCTBitmask_t;
190
191 /**
192  * /oic/sec/credtype (Credential Type) data type.
193  * Derived from OIC Security Spec /oic/sec/cred; see Spec for details.
194  *              0:  no security mode
195  *              1:  symmetric pair-wise key
196  *              2:  symmetric group key
197  *              4:  asymmetric key
198  *              8:  signed asymmetric key (aka certificate)
199  *              16: PIN /password
200  */
201 typedef OSCTBitmask_t OicSecCredType_t;
202
203 typedef struct OicSecDoxm OicSecDoxm_t;
204
205 typedef enum OicSecDpm
206 {
207     NORMAL                          = 0x0,
208     RESET                           = (0x1 << 0),
209     TAKE_OWNER                      = (0x1 << 1),
210     BOOTSTRAP_SERVICE               = (0x1 << 2),
211     SECURITY_MANAGEMENT_SERVICES    = (0x1 << 3),
212     PROVISION_CREDENTIALS           = (0x1 << 4),
213     PROVISION_ACLS                  = (0x1 << 5),
214     // << 6 THROUGH 15 RESERVED
215 } OicSecDpm_t;
216
217 typedef enum OicSecDpom
218 {
219     MULTIPLE_SERVICE_SERVER_DRIVEN  = 0x0,
220     SINGLE_SERVICE_SERVER_DRIVEN    = 0x1,
221     MULTIPLE_SERVICE_CLIENT_DRIVEN  = 0x2,
222     SINGLE_SERVICE_CLIENT_DRIVEN    = 0x3,
223 } OicSecDpom_t;
224
225 typedef enum OicSecSvcType
226 {
227     SERVICE_UNKNOWN                 = 0x0,
228     ACCESS_MGMT_SERVICE             = 0x1,  //urn:oic.sec.ams
229 } OicSecSvcType_t;
230
231
232 //TODO: Need more clarification on deviceIDFormat field type.
233 #if 0
234 typedef enum
235 {
236     URN = 0x0
237 }OicSecDvcIdFrmt_t;
238 #endif
239
240 typedef enum
241 {
242     OIC_R_ACL_TYPE = 0,
243     OIC_R_AMACL_TYPE,
244     OIC_R_CRED_TYPE,
245     OIC_R_CRL_TYPE,
246     OIC_R_DOXM_TYPE,
247     OIC_R_DPAIRING_TYPE,
248     OIC_R_PCONF_TYPE,
249     OIC_R_PSTAT_TYPE,
250     OIC_R_SACL_TYPE,
251     OIC_R_SVC_TYPE,
252     OIC_SEC_SVR_TYPE_COUNT, //define the value to number of SVR
253     NOT_A_SVR_RESOURCE = 99
254 }OicSecSvrType_t;
255
256 typedef enum
257 {
258     OIC_JUST_WORKS                          = 0x0,
259     OIC_RANDOM_DEVICE_PIN                   = 0x1,
260     OIC_MANUFACTURER_CERTIFICATE           = 0x2,
261     OIC_OXM_COUNT
262 }OicSecOxm_t;
263
264 typedef struct OicSecKey OicSecKey_t;
265
266 typedef struct OicSecPstat OicSecPstat_t;
267
268 typedef struct OicSecRole OicSecRole_t;
269
270 typedef struct OicSecSacl OicSecSacl_t;
271
272 typedef struct OicSecSvc OicSecSvc_t;
273
274 typedef char *OicUrn_t; //TODO is URN type defined elsewhere?
275
276 typedef struct OicUuid OicUuid_t; //TODO is UUID type defined elsewhere?
277
278
279 #ifdef __WITH_X509__
280 typedef struct OicSecCrl OicSecCrl_t;
281 typedef ByteArray OicSecCert_t;
282 #else
283 typedef void OicSecCert_t;
284 #endif /* __WITH_X509__ */
285
286 /**
287  * /oic/uuid (Universal Unique Identifier) data type.
288  */
289 #define UUID_LENGTH 128/8 // 128-bit GUID length
290 //TODO: Confirm the length and type of ROLEID.
291 #define ROLEID_LENGTH 128/8 // 128-bit ROLEID length
292 #define OWNER_PSK_LENGTH_128 128/8 //byte size of 128-bit key size
293 #define OWNER_PSK_LENGTH_256 256/8 //byte size of 256-bit key size
294
295 struct OicUuid
296 {
297     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
298     //TODO fill in unless this is defined elsewhere?
299     uint8_t             id[UUID_LENGTH];
300 };
301
302 /**
303  * /oic/sec/jwk (JSON Web Key) data type.
304  * See JSON Web Key (JWK)  draft-ietf-jose-json-web-key-41
305  */
306 #define JWK_LENGTH 256/8 // 256 bit key length
307 struct OicSecKey
308 {
309     uint8_t                *data;
310     size_t                  len;
311 };
312
313 /**
314  * /oic/sec/acl (Access Control List) data type.
315  * Derived from OIC Security Spec; see Spec for details.
316  */
317 struct OicSecAcl
318 {
319     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
320     OicUuid_t           subject;        // 0:R:S:Y:uuid TODO: this deviates
321                                         // from spec and needs to be updated
322                                         // in spec (where it's a String).
323     size_t              resourcesLen;   // the number of elts in Resources
324     char                **resources;    // 1:R:M:Y:String
325     uint16_t            permission;     // 2:R:S:Y:UINT16
326     size_t              prdRecrLen;     // the number of elts in Periods
327     char                **periods;       // 3:R:M*:N:String (<--M*; see Spec)
328     char                **recurrences;   // 5:R:M:N:String
329     OicUuid_t           rownerID;        // 8:R:S:Y:oic.uuid
330     OicSecAcl_t         *next;
331 };
332
333 /**
334  * /oic/sec/amacl (Access Manager Service Accesss Control List) data type.
335  * Derived from OIC Security Spec; see Spec for details.
336  */
337 struct OicSecAmacl
338 {
339     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
340     size_t              resourcesLen;   // the number of elts in Resources
341     char                **resources;    // 0:R:M:Y:String
342     size_t              amssLen;        // the number of elts in Amss
343     OicUuid_t           *amss;          // 1:R:M:Y:acl
344     OicUuid_t           rownerID;        // 2:R:S:Y:oic.uuid
345     OicSecAmacl_t         *next;
346 };
347
348 /**
349  * /oic/sec/cred (Credential) data type.
350  * Derived from OIC Security Spec; see Spec for details.
351  */
352 struct OicSecCred
353 {
354     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
355     uint16_t            credId;         // 0:R:S:Y:UINT16
356     OicUuid_t           subject;        // 1:R:S:Y:oic.uuid
357     //Note: Need further clarification on roleID data type
358     //NOTE: Need further clarification on roleId datatype.
359     //size_t              roleIdsLen;     // the number of elts in RoleIds
360     //OicSecRole_t        *roleIds;       // 2:R:M:N:oic.sec.role
361     OicSecCredType_t    credType;       // 3:R:S:Y:oic.sec.credtype
362 #ifdef __WITH_X509__
363     OicSecCert_t        publicData;     // chain of certificates
364 #endif /* __WITH_X509__ */
365     OicSecKey_t         privateData;    // 6:R:S:N:oic.sec.key
366     char                *period;        // 7:R:S:N:String
367     OicUuid_t           rownerID;        // 8:R:S:Y:oic.uuid
368     OicSecCred_t        *next;
369 };
370
371 /**
372  * /oic/sec/doxm (Device Owner Transfer Methods) data type
373  * Derived from OIC Security Spec; see Spec for details.
374  */
375 struct OicSecDoxm
376 {
377     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
378     OicUrn_t            *oxmType;       // 0:R:M:N:URN
379     size_t              oxmTypeLen;     // the number of elts in OxmType
380     OicSecOxm_t         *oxm;           // 1:R:M:N:UINT16
381     size_t              oxmLen;         // the number of elts in Oxm
382     OicSecOxm_t         oxmSel;         // 2:R/W:S:Y:UINT16
383     OicSecCredType_t    sct;            // 3:R:S:Y:oic.sec.credtype
384     bool                owned;          // 4:R:S:Y:Boolean
385     //TODO: Need more clarification on deviceIDFormat field type.
386     //OicSecDvcIdFrmt_t   deviceIDFormat; // 5:R:S:Y:UINT8
387     OicUuid_t           deviceID;       // 6:R:S:Y:oic.uuid
388     bool                dpc;            // 7:R:S:Y:Boolean
389     OicUuid_t           owner;          // 8:R:S:Y:oic.uuid
390     OicUuid_t           rownerID;       // 9:R:S:Y:oic.uuid
391 };
392
393 /**
394  * /oic/sec/pstat (Provisioning Status) data type.
395  * NOTE: this struct is ahead of Spec v0.95 in definition to include Sm.
396  * TODO: change comment when reconciled to Spec v0.96.
397  */
398 struct OicSecPstat
399 {
400     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
401     bool                isOp;           // 0:R:S:Y:Boolean
402     OicSecDpm_t         cm;             // 1:R:S:Y:oic.sec.dpm
403     OicSecDpm_t         tm;             // 2:RW:S:Y:oic.sec.dpm
404     OicUuid_t           deviceID;       // 3:R:S:Y:oic.uuid
405     OicSecDpom_t        om;             // 4:RW:M:Y:oic.sec.dpom
406     size_t              smLen;          // the number of elts in Sm
407     OicSecDpom_t        *sm;            // 5:R:M:Y:oic.sec.dpom
408     uint16_t            commitHash;     // 6:R:S:Y:oic.sec.sha256
409     OicUuid_t           rownerID;       // 7:R:S:Y:oic.uuid
410 };
411
412 /**
413  * /oic/sec/role (Role) data type.
414  * Derived from OIC Security Spec; see Spec for details.
415  */
416 struct OicSecRole
417 {
418     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
419     //TODO fill in with Role definition
420     uint8_t             id[ROLEID_LENGTH];
421 };
422
423 /**
424  * /oic/sec/sacl (Signed Access Control List) data type.
425  * Derived from OIC Security Spec; see Spec for details.
426  */
427 struct OicSecSacl
428 {
429     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
430     //TODO fill in from OIC Security Spec
431 };
432
433 /**
434  * /oic/sec/svc (Service requiring a secure connection) data type.
435  * Derived from OIC Security Spec; see Spec for details.
436  */
437 struct OicSecSvc
438 {
439     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
440     OicUuid_t               svcdid;                 //0:R:S:Y:oic.uuid
441     OicSecSvcType_t         svct;                   //1:R:M:Y:OIC Service Type
442     size_t                  ownersLen;              //2:the number of elts in Owners
443     OicUuid_t               *owners;                //3:R:M:Y:oic.uuid
444     OicSecSvc_t             *next;
445 };
446
447 #ifdef __WITH_X509__
448 struct OicSecCrl
449 {
450     uint16_t CrlId;
451     ByteArray ThisUpdate;
452     ByteArray CrlData;
453 };
454 #endif /* __WITH_X509__ */
455
456 /**
457  * @brief   direct pairing data type
458  */
459 typedef struct OicPin OicDpPin_t;
460
461 typedef struct OicSecPdAcl OicSecPdAcl_t;
462
463 typedef struct OicSecPconf OicSecPconf_t;
464
465 typedef struct OicSecDpairing OicSecDpairing_t;
466
467 #define DP_PIN_LENGTH 8 // temporary length
468
469 /**
470  * @brief   /oic/sec/prmtype (Pairing Method Type) data type.
471  *              0:  not allowed
472  *              1:  pre-configured pin
473  *              2:  random pin
474  */
475 typedef enum PRMBitmask
476 {
477     PRM_NOT_ALLOWED             = 0x0,
478     PRM_PRE_CONFIGURED        = (0x1 << 0),
479     PRM_RANDOM_PIN               = (0x1 << 1),
480 } PRMBitmask_t;
481
482 typedef PRMBitmask_t OicSecPrm_t;
483
484
485 struct OicPin
486 {
487     uint8_t             val[DP_PIN_LENGTH];
488 };
489
490 /**
491  * @brief   oic.sec.dpacltype (Device Pairing Access Control List) data type.
492  */
493 struct OicSecPdAcl
494 {
495     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
496     char                  **resources;        // 0:R:M:Y:String
497     size_t                resourcesLen;      // the number of elts in Resources
498     uint16_t             permission;        // 1:R:S:Y:UINT16
499     char                  **periods;            // 2:R:M*:N:String (<--M*; see Spec)
500     char                  **recurrences;    // 3:R:M:N:String
501     size_t                prdRecrLen;         // the number of elts in Periods/Recurrences
502     OicSecPdAcl_t    *next;
503 };
504
505 /**
506  * @brief   /oic/sec/pconf (Pairing Configuration) data type
507  */
508 struct OicSecPconf
509 {
510     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
511     bool                  edp;                // 0:W:S:M:Boolean
512     OicSecPrm_t      *prm;              // 1:R:M:N:UINT16
513     size_t                prmLen;          // the number of elts in Prm
514     OicDpPin_t          pin;               // 2:R:S:Y:String
515     OicSecPdAcl_t    *pdacls;         // 3:R:M:Y:oic.sec.pdacltype
516     OicUuid_t           *pddevs;        // 4:R:M:Y:oic.uuid
517     size_t                 pddevLen;     // the number of elts in pddev
518     OicUuid_t           deviceID;       // 5:R:S:Y:oic.uuid
519     OicUuid_t           rownerID;          // 6:R:S:Y:oic.uuid
520 };
521
522 /**
523  * @brief   /oic/sec/dpairing (Device Pairing) data type
524  */
525 struct OicSecDpairing
526 {
527     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
528     OicSecPrm_t      spm;               // 0:R/W:S:Y:UINT16
529     OicUuid_t           pdeviceID;     // 1:R:S:Y:oic.uuid
530     OicUuid_t           rownerID;          // 2:R:S:Y:oic.uuid
531 };
532
533 #define MAX_VERSION_LEN 16 // Security Version length. i.e., 00.00.000 + reserved space
534
535 /**
536  * @brief   security version data type
537  */
538 typedef struct OicSecVer OicSecVer_t;
539
540 /**
541  * @brief   /oic/sec/ver (Security Version) data type
542  */
543 struct OicSecVer
544 {
545     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
546     char              secv[MAX_VERSION_LEN];          // 0:R:S:Y:String
547     OicUuid_t       deviceID;     // 1:R:S:Y:oic.uuid
548 };
549
550 #ifdef __cplusplus
551 }
552 #endif
553
554 #endif //OC_SECURITY_RESOURCE_TYPES_H
Domain: Network & Connectivity / IoT Connectivity;