1 //******************************************************************
3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
22 * Data type definitions for all oic.sec.* types defined in the
23 * OIC Security Specification.
25 * Note that throughout, ptrs are used rather than arrays. There
26 * are two primary reasons for this:
27 * 1) The Spec defines many structures with optional fields, so pre-
28 * allocating these would be wasteful.
29 * 2) There are in many cases arrays of Strings or arrays of Structs,
30 * which could not be defined as variable length arrays (e.g. array[])
31 * without breaking from the structure order and definition in the Spec.
33 * The primary drawback to this decision is that marshalling functions
34 * will have to be written by hand to marshal these structures (e.g. to/from
35 * Persistent Storage, or across memory boundaries).
37 * TODO reconcile against latest OIC Security Spec to ensure all fields correct.
38 * (Last checked against v0.95)
41 #ifndef OC_SECURITY_RESOURCE_TYPES_H
42 #define OC_SECURITY_RESOURCE_TYPES_H
44 #include <stdint.h> // for uint8_t typedef
47 #include "byte_array.h"
48 #endif /* __WITH_X509__ */
55 * Values used to create bit-maskable enums for single-value response with
// One bit per outcome or denial reason; the access-response values defined
// further down are built by OR-ing these bits together.
58 #define ACCESS_GRANTED_DEF (1 << 0)
59 #define ACCESS_DENIED_DEF (1 << 1)
60 #define INSUFFICIENT_PERMISSION_DEF (1 << 2)
61 #define SUBJECT_NOT_FOUND_DEF (1 << 3)
62 #define RESOURCE_NOT_FOUND_DEF (1 << 4)
63 #define POLICY_ENGINE_ERROR_DEF (1 << 5)
64 #define INVALID_PERIOD_DEF (1 << 6)
65 #define ACCESS_WAITING_DEF (1 << 7)
66 #define AMS_SERVICE_DEF (1 << 8)
// Bits that carry a denial reason. ACCESS_GRANTED_DEF, ACCESS_DENIED_DEF,
// ACCESS_WAITING_DEF and AMS_SERVICE_DEF are not part of this mask, so
// masking a response with it (as GetReasonCode does) yields 0 when the only
// extra bit set is AMS_SERVICE_DEF. Callers that need to tell an AMS error
// from a plain denial must test AMS_SERVICE_DEF on the response itself.
67 #define REASON_MASK_DEF (INSUFFICIENT_PERMISSION_DEF | \
68 INVALID_PERIOD_DEF | \
69 SUBJECT_NOT_FOUND_DEF | \
70 RESOURCE_NOT_FOUND_DEF | \
71 POLICY_ENGINE_ERROR_DEF)
75 * Access policy in least significant bits (from Spec):
77 * 2nd lsb: R (Read, Observe, Discover)
78 * 3rd lsb: U (Write, Update)
82 #define PERMISSION_CREATE (1 << 0)
83 #define PERMISSION_READ (1 << 1)
84 #define PERMISSION_WRITE (1 << 2)
85 #define PERMISSION_DELETE (1 << 3)
86 #define PERMISSION_NOTIFY (1 << 4)
87 #define PERMISSION_FULL_CONTROL (PERMISSION_CREATE | \
94 * @brief Response type for all Action requests from CA layer;
95 * may include a reason code.
97 * To extract codes use GetReasonCode function on SRMAccessResponse:
99 * SRMAccessResponse_t response = SRMRequestHandler(obj, info);
100 * if(SRM_TRUE == IsAccessGranted(response)) {
101 * SRMAccessResponseReasonCode_t reason = GetReasonCode(response);
103 * case INSUFFICIENT_PERMISSION:
110 ACCESS_GRANTED = ACCESS_GRANTED_DEF,
111 ACCESS_DENIED = ACCESS_DENIED_DEF,
112 ACCESS_DENIED_INVALID_PERIOD = ACCESS_DENIED_DEF
113 | INVALID_PERIOD_DEF,
114 ACCESS_DENIED_INSUFFICIENT_PERMISSION = ACCESS_DENIED_DEF
115 | INSUFFICIENT_PERMISSION_DEF,
116 ACCESS_DENIED_SUBJECT_NOT_FOUND = ACCESS_DENIED_DEF
117 | SUBJECT_NOT_FOUND_DEF,
118 ACCESS_DENIED_RESOURCE_NOT_FOUND = ACCESS_DENIED_DEF
119 | RESOURCE_NOT_FOUND_DEF,
120 ACCESS_DENIED_POLICY_ENGINE_ERROR = ACCESS_DENIED_DEF
121 | POLICY_ENGINE_ERROR_DEF,
122 ACCESS_WAITING_FOR_AMS = ACCESS_WAITING_DEF
124 ACCESS_DENIED_AMS_SERVICE_ERROR = ACCESS_DENIED
126 } SRMAccessResponse_t;
129 * Reason code for SRMAccessResponse.
134 INSUFFICIENT_PERMISSION = INSUFFICIENT_PERMISSION_DEF,
135 SUBJECT_NOT_FOUND = SUBJECT_NOT_FOUND_DEF,
136 RESOURCE_NOT_FOUND = RESOURCE_NOT_FOUND_DEF,
137 } SRMAccessResponseReasonCode_t;
140 * Extract Reason Code from Access Response.
142 static inline SRMAccessResponseReasonCode_t GetReasonCode(
143 SRMAccessResponse_t response)
145 SRMAccessResponseReasonCode_t reason =
146 (SRMAccessResponseReasonCode_t)(response & REASON_MASK_DEF);
151 * Returns 'true' iff request should be passed on to RI layer.
153 static inline bool IsAccessGranted(SRMAccessResponse_t response)
155 if(ACCESS_GRANTED == (response & ACCESS_GRANTED))
165 typedef struct OicSecAcl OicSecAcl_t;
167 typedef struct OicSecAmacl OicSecAmacl_t;
169 typedef struct OicSecCred OicSecCred_t;
172 * Aid for assigning/testing vals with OicSecCredType_t.
174 * OicSecCredType_t ct = PIN_PASSWORD | ASYMMETRIC_KEY;
175 * if((ct & PIN_PASSWORD) == PIN_PASSWORD)
177 * // ct contains PIN_PASSWORD flag.
180 typedef enum OSCTBitmask
182 NO_SECURITY_MODE = 0x0,
183 SYMMETRIC_PAIR_WISE_KEY = (0x1 << 0),
184 SYMMETRIC_GROUP_KEY = (0x1 << 1),
185 ASYMMETRIC_KEY = (0x1 << 2),
186 SIGNED_ASYMMETRIC_KEY = (0x1 << 3),
187 PIN_PASSWORD = (0x1 << 4),
188 ASYMMETRIC_ENCRYPTION_KEY = (0x1 << 5),
192 * /oic/sec/credtype (Credential Type) data type.
193 * Derived from OIC Security Spec /oic/sec/cred; see Spec for details.
194 * 0: no security mode
195 * 1: symmetric pair-wise key
196 * 2: symmetric group key
198 * 8: signed asymmetric key (aka certificate)
201 typedef OSCTBitmask_t OicSecCredType_t;
203 typedef struct OicSecDoxm OicSecDoxm_t;
205 typedef enum OicSecDpm
209 TAKE_OWNER = (0x1 << 1),
210 BOOTSTRAP_SERVICE = (0x1 << 2),
211 SECURITY_MANAGEMENT_SERVICES = (0x1 << 3),
212 PROVISION_CREDENTIALS = (0x1 << 4),
213 PROVISION_ACLS = (0x1 << 5),
214 // << 6 THROUGH 15 RESERVED
217 typedef enum OicSecDpom
219 MULTIPLE_SERVICE_SERVER_DRIVEN = 0x0,
220 SINGLE_SERVICE_SERVER_DRIVEN = 0x1,
221 MULTIPLE_SERVICE_CLIENT_DRIVEN = 0x2,
222 SINGLE_SERVICE_CLIENT_DRIVEN = 0x3,
225 typedef enum OicSecSvcType
227 SERVICE_UNKNOWN = 0x0,
228 ACCESS_MGMT_SERVICE = 0x1, //urn:oic.sec.ams
232 //TODO: Need more clarification on deviceIDFormat field type.
252 OIC_SEC_SVR_TYPE_COUNT, //define the value to number of SVR
253 NOT_A_SVR_RESOURCE = 99
258 OIC_JUST_WORKS = 0x0,
259 OIC_RANDOM_DEVICE_PIN = 0x1,
260 OIC_MANUFACTURER_CERTIFICATE = 0x2,
264 typedef struct OicSecKey OicSecKey_t;
266 typedef struct OicSecPstat OicSecPstat_t;
268 typedef struct OicSecRole OicSecRole_t;
270 typedef struct OicSecSacl OicSecSacl_t;
272 typedef struct OicSecSvc OicSecSvc_t;
274 typedef char *OicUrn_t; //TODO is URN type defined elsewhere?
276 typedef struct OicUuid OicUuid_t; //TODO is UUID type defined elsewhere?
280 typedef struct OicSecCrl OicSecCrl_t;
281 typedef ByteArray OicSecCert_t;
283 typedef void OicSecCert_t;
284 #endif /* __WITH_X509__ */
287 * /oic/uuid (Universal Unique Identifier) data type.
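// Byte lengths of the fixed-size identifiers and owner pre-shared keys.
// Each expansion is parenthesized so it stays a single value inside a larger
// expression: unparenthesized, `n / UUID_LENGTH` expands to `n / 128 / 8` and
// `n % UUID_LENGTH` to `n % 128 / 8`, which silently mis-sizes any length
// check or buffer computation built on these constants.
#define UUID_LENGTH (128/8) // 128-bit GUID length
//TODO: Confirm the length and type of ROLEID.
#define ROLEID_LENGTH (128/8) // 128-bit ROLEID length
#define OWNER_PSK_LENGTH_128 (128/8) //byte size of 128-bit key size
#define OWNER_PSK_LENGTH_256 (256/8) //byte size of 256-bit key size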
297 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
298 //TODO fill in unless this is defined elsewhere?
299 uint8_t id[UUID_LENGTH];
303 * /oic/sec/jwk (JSON Web Key) data type.
304 * See JSON Web Key (JWK) draft-ietf-jose-json-web-key-41
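// Parenthesized so the constant stays one value inside a larger expression;
// without the parentheses `n / JWK_LENGTH` would expand to `n / 256 / 8`.
#define JWK_LENGTH (256/8) // 256 bit key length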
314 * /oic/sec/acl (Access Control List) data type.
315 * Derived from OIC Security Spec; see Spec for details.
319 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
320 OicUuid_t subject; // 0:R:S:Y:uuid TODO: this deviates
321 // from spec and needs to be updated
322 // in spec (where it's a String).
323 size_t resourcesLen; // the number of elts in Resources
324 char **resources; // 1:R:M:Y:String
325 uint16_t permission; // 2:R:S:Y:UINT16
326 size_t prdRecrLen; // the number of elts in Periods
327 char **periods; // 3:R:M*:N:String (<--M*; see Spec)
328 char **recurrences; // 5:R:M:N:String
329 OicUuid_t rownerID; // 8:R:S:Y:oic.uuid
334 * /oic/sec/amacl (Access Manager Service Access Control List) data type.
335 * Derived from OIC Security Spec; see Spec for details.
339 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
340 size_t resourcesLen; // the number of elts in Resources
341 char **resources; // 0:R:M:Y:String
342 size_t amssLen; // the number of elts in Amss
343 OicUuid_t *amss; // 1:R:M:Y:acl
344 OicUuid_t rownerID; // 2:R:S:Y:oic.uuid
349 * /oic/sec/cred (Credential) data type.
350 * Derived from OIC Security Spec; see Spec for details.
354 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
355 uint16_t credId; // 0:R:S:Y:UINT16
356 OicUuid_t subject; // 1:R:S:Y:oic.uuid
357 //Note: Need further clarification on roleID data type
358 //NOTE: Need further clarification on roleId datatype.
359 //size_t roleIdsLen; // the number of elts in RoleIds
360 //OicSecRole_t *roleIds; // 2:R:M:N:oic.sec.role
361 OicSecCredType_t credType; // 3:R:S:Y:oic.sec.credtype
363 OicSecCert_t publicData; // chain of certificates
364 #endif /* __WITH_X509__ */
365 OicSecKey_t privateData; // 6:R:S:N:oic.sec.key
366 char *period; // 7:R:S:N:String
367 OicUuid_t rownerID; // 8:R:S:Y:oic.uuid
372 * /oic/sec/doxm (Device Owner Transfer Methods) data type
373 * Derived from OIC Security Spec; see Spec for details.
377 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
378 OicUrn_t *oxmType; // 0:R:M:N:URN
379 size_t oxmTypeLen; // the number of elts in OxmType
380 OicSecOxm_t *oxm; // 1:R:M:N:UINT16
381 size_t oxmLen; // the number of elts in Oxm
382 OicSecOxm_t oxmSel; // 2:R/W:S:Y:UINT16
383 OicSecCredType_t sct; // 3:R:S:Y:oic.sec.credtype
384 bool owned; // 4:R:S:Y:Boolean
385 //TODO: Need more clarification on deviceIDFormat field type.
386 //OicSecDvcIdFrmt_t deviceIDFormat; // 5:R:S:Y:UINT8
387 OicUuid_t deviceID; // 6:R:S:Y:oic.uuid
388 bool dpc; // 7:R:S:Y:Boolean
389 OicUuid_t owner; // 8:R:S:Y:oic.uuid
390 OicUuid_t rownerID; // 9:R:S:Y:oic.uuid
394 * /oic/sec/pstat (Provisioning Status) data type.
395 * NOTE: this struct is ahead of Spec v0.95 in definition to include Sm.
396 * TODO: change comment when reconciled to Spec v0.96.
400 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
401 bool isOp; // 0:R:S:Y:Boolean
402 OicSecDpm_t cm; // 1:R:S:Y:oic.sec.dpm
403 OicSecDpm_t tm; // 2:RW:S:Y:oic.sec.dpm
404 OicUuid_t deviceID; // 3:R:S:Y:oic.uuid
405 OicSecDpom_t om; // 4:RW:M:Y:oic.sec.dpom
406 size_t smLen; // the number of elts in Sm
407 OicSecDpom_t *sm; // 5:R:M:Y:oic.sec.dpom
408 uint16_t commitHash; // 6:R:S:Y:oic.sec.sha256
// NOTE(review): the attribute type named above is oic.sec.sha256, but a
// uint16_t holds only 16 bits, so a full 256-bit digest cannot fit in this
// field. Confirm the intended width before relying on commitHash as an
// integrity value.
409 OicUuid_t rownerID; // 7:R:S:Y:oic.uuid
413 * /oic/sec/role (Role) data type.
414 * Derived from OIC Security Spec; see Spec for details.
418 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
419 //TODO fill in with Role definition
420 uint8_t id[ROLEID_LENGTH];
424 * /oic/sec/sacl (Signed Access Control List) data type.
425 * Derived from OIC Security Spec; see Spec for details.
429 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
430 //TODO fill in from OIC Security Spec
434 * /oic/sec/svc (Service requiring a secure connection) data type.
435 * Derived from OIC Security Spec; see Spec for details.
439 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
440 OicUuid_t svcdid; //0:R:S:Y:oic.uuid
441 OicSecSvcType_t svct; //1:R:M:Y:OIC Service Type
442 size_t ownersLen; //2:the number of elts in Owners
443 OicUuid_t *owners; //3:R:M:Y:oic.uuid
451 ByteArray ThisUpdate;
454 #endif /* __WITH_X509__ */
457 * @brief direct pairing data type
459 typedef struct OicPin OicDpPin_t;
461 typedef struct OicSecPdAcl OicSecPdAcl_t;
463 typedef struct OicSecPconf OicSecPconf_t;
465 typedef struct OicSecDpairing OicSecDpairing_t;
467 #define DP_PIN_LENGTH 8 // temporary length
// NOTE(review): the PIN buffer in this header is declared as
// uint8_t val[DP_PIN_LENGTH], i.e. exactly this many bytes with no slot for a
// terminator, while the pconf field comment lists the pin attribute as
// String. Handle it as a fixed-length byte array and confirm before passing
// it to any NUL-terminated string function.
470 * @brief /oic/sec/prmtype (Pairing Method Type) data type.
472 * 1: pre-configured pin
475 typedef enum PRMBitmask
477 PRM_NOT_ALLOWED = 0x0,
478 PRM_PRE_CONFIGURED = (0x1 << 0),
479 PRM_RANDOM_PIN = (0x1 << 1),
482 typedef PRMBitmask_t OicSecPrm_t;
487 uint8_t val[DP_PIN_LENGTH];
491 * @brief oic.sec.dpacltype (Device Pairing Access Control List) data type.
495 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
496 char **resources; // 0:R:M:Y:String
497 size_t resourcesLen; // the number of elts in Resources
498 uint16_t permission; // 1:R:S:Y:UINT16
499 char **periods; // 2:R:M*:N:String (<--M*; see Spec)
500 char **recurrences; // 3:R:M:N:String
501 size_t prdRecrLen; // the number of elts in Periods/Recurrences
506 * @brief /oic/sec/pconf (Pairing Configuration) data type
510 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
511 bool edp; // 0:W:S:M:Boolean
512 OicSecPrm_t *prm; // 1:R:M:N:UINT16
513 size_t prmLen; // the number of elts in Prm
514 OicDpPin_t pin; // 2:R:S:Y:String
515 OicSecPdAcl_t *pdacls; // 3:R:M:Y:oic.sec.pdacltype
516 OicUuid_t *pddevs; // 4:R:M:Y:oic.uuid
517 size_t pddevLen; // the number of elts in pddev
518 OicUuid_t deviceID; // 5:R:S:Y:oic.uuid
519 OicUuid_t rownerID; // 6:R:S:Y:oic.uuid
523 * @brief /oic/sec/dpairing (Device Pairing) data type
525 struct OicSecDpairing
527 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
528 OicSecPrm_t spm; // 0:R/W:S:Y:UINT16
529 OicUuid_t pdeviceID; // 1:R:S:Y:oic.uuid
530 OicUuid_t rownerID; // 2:R:S:Y:oic.uuid
533 #define MAX_VERSION_LEN 16 // Security Version length. i.e., 00.00.000 + reserved space
536 * @brief security version data type
538 typedef struct OicSecVer OicSecVer_t;
541 * @brief /oic/sec/ver (Security Version) data type
545 // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
546 char secv[MAX_VERSION_LEN]; // 0:R:S:Y:String
547 OicUuid_t deviceID; // 1:R:S:Y:oic.uuid
554 #endif //OC_SECURITY_RESOURCE_TYPES_H