resource/csdk/security/include/securevirtualresourcetypes.h

   1 //******************************************************************
   2 //
   3 // Copyright 2015 Intel Mobile Communications GmbH All Rights Reserved.
   4 //
   5 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   6 //
   7 // Licensed under the Apache License, Version 2.0 (the "License");
   8 // you may not use this file except in compliance with the License.
   9 // You may obtain a copy of the License at
  10 //
  11 //      http://www.apache.org/licenses/LICENSE-2.0
  12 //
  13 // Unless required by applicable law or agreed to in writing, software
  14 // distributed under the License is distributed on an "AS IS" BASIS,
  15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16 // See the License for the specific language governing permissions and
  17 // limitations under the License.
  18 //
  19 //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  20
  21 /**
  22  * Data type definitions for all oic.sec.* types defined in the
  23  * OIC Security Specification.
  24  *
  25  * Note that throughout, ptrs are used rather than arrays.  There
  26  * are two primary reasons for this:
  27  * 1) The Spec defines many structures with optional fields, so pre-
  28  *    allocating these would be wasteful.
  29  * 2) There are in many cases arrays of Strings or arrays of Structs,
  30  *    which could not be defined as variable length arrays (e.g. array[])
  31  *    without breaking from the structure order and definition in the Spec.
  32  *
  33  * The primary drawback to this decision is that marshalling functions
  34  * will have to be written by hand to marshal these structures (e.g. to/from
  35  * Persistent Storage, or across memory boundaries).
  36  *
  37  * TODO reconcile against latest OIC Security Spec to ensure all fields correct.
  38  * (Last checked against v0.95)
  39  */
  40
  41 #ifndef OC_SECURITY_RESOURCE_TYPES_H
  42 #define OC_SECURITY_RESOURCE_TYPES_H
  43
  44 #include <stdint.h> // for uint8_t typedef
  45 #include <stdbool.h>
  46
  47 #ifdef __cplusplus
  48 extern "C" {
  49 #endif
  50
  51 /**
  52  * @brief   Values used to create bit-maskable enums for single-value
  53  *          response with embedded code.
  54  */
  55 #define ACCESS_GRANTED_DEF            (1 << 0)
  56 #define ACCESS_DENIED_DEF             (1 << 1)
  57 #define INSUFFICIENT_PERMISSION_DEF   (1 << 2)
  58 #define SUBJECT_NOT_FOUND_DEF         (1 << 3)
  59 #define RESOURCE_NOT_FOUND_DEF        (1 << 4)
  60 #define POLICY_ENGINE_ERROR_DEF       (1 << 5)
  61 #define INVALID_PERIOD_DEF            (1 << 6)
  62 #define REASON_MASK_DEF               (INSUFFICIENT_PERMISSION_DEF | \
  63                                        INVALID_PERIOD_DEF | \
  64                                        SUBJECT_NOT_FOUND_DEF | \
  65                                        RESOURCE_NOT_FOUND_DEF | \
  66                                        POLICY_ENGINE_ERROR_DEF)
  67
  68
  69 /**
  70  * Access policy in least significant bits (from Spec):
  71  * 1st lsb:  C (Create)
  72  * 2nd lsb:  R (Read, Observe, Discover)
  73  * 3rd lsb:  U (Write, Update)
  74  * 4th lsb:  D (Delete)
  75  * 5th lsb:  N (Notify)
  76  */
  77 #define PERMISSION_CREATE       (1 << 0)
  78 #define PERMISSION_READ         (1 << 1)
  79 #define PERMISSION_WRITE        (1 << 2)
  80 #define PERMISSION_DELETE       (1 << 3)
  81 #define PERMISSION_NOTIFY       (1 << 4)
  82 #define PERMISSION_FULL_CONTROL (PERMISSION_CREATE | \
  83                                  PERMISSION_READ | \
  84                                  PERMISSION_WRITE | \
  85                                  PERMISSION_DELETE | \
  86                                  PERMISSION_NOTIFY)
  87
  88 /**
  89  * @brief   Response type for all Action requests from CA layer;
  90  *          may include a reason code.
  91  *
  92  * To extract codes use GetReasonCode function on SRMAccessResponse:
  93  *
  94  * SRMAccessResponse_t response = SRMRequestHandler(obj, info);
  95  * if(SRM_TRUE == IsAccessGranted(response)) {
  96  *     SRMAccessResponseReasonCode_t reason = GetReasonCode(response);
  97  *     switch(reason) {
  98  *         case INSUFFICIENT_PERMISSION:
  99  *         ...etc.
 100  *     }
 101  * }
 102  */
 103 typedef enum
 104 {
 105     ACCESS_GRANTED = ACCESS_GRANTED_DEF,
 106     ACCESS_DENIED = ACCESS_DENIED_DEF,
 107     ACCESS_DENIED_INVALID_PERIOD = ACCESS_DENIED_DEF
 108         | INVALID_PERIOD_DEF,
 109     ACCESS_DENIED_INSUFFICIENT_PERMISSION = ACCESS_DENIED_DEF
 110         | INSUFFICIENT_PERMISSION_DEF,
 111     ACCESS_DENIED_SUBJECT_NOT_FOUND = ACCESS_DENIED_DEF
 112         | SUBJECT_NOT_FOUND_DEF,
 113     ACCESS_DENIED_RESOURCE_NOT_FOUND = ACCESS_DENIED_DEF
 114         | RESOURCE_NOT_FOUND_DEF,
 115     ACCESS_DENIED_POLICY_ENGINE_ERROR = ACCESS_DENIED_DEF
 116         | POLICY_ENGINE_ERROR_DEF,
 117 } SRMAccessResponse_t;
 118
 119 /**
 120  * Reason code for SRMAccessResponse.
 121  */
 122 typedef enum
 123 {
 124     NO_REASON_GIVEN = 0,
 125     INSUFFICIENT_PERMISSION = INSUFFICIENT_PERMISSION_DEF,
 126     SUBJECT_NOT_FOUND = SUBJECT_NOT_FOUND_DEF,
 127     RESOURCE_NOT_FOUND = RESOURCE_NOT_FOUND_DEF,
 128 } SRMAccessResponseReasonCode_t;
 129
 130 /**
 131  * Extract Reason Code from Access Response.
 132  */
 133 static inline SRMAccessResponseReasonCode_t GetReasonCode(
 134     SRMAccessResponse_t response)
 135 {
 136     SRMAccessResponseReasonCode_t reason =
 137         (SRMAccessResponseReasonCode_t)(response & REASON_MASK_DEF);
 138     return reason;
 139 }
 140
 141 /**
 142  * Returns 'true' iff request should be passed on to RI layer.
 143  */
 144 static inline bool IsAccessGranted(SRMAccessResponse_t response)
 145 {
 146     if(ACCESS_GRANTED == (response & ACCESS_GRANTED))
 147     {
 148         return true;
 149     }
 150     else
 151     {
 152         return false;
 153     }
 154 }
 155
 156 typedef struct OicSecAcl OicSecAcl_t;
 157
 158 typedef struct OicSecAmacl OicSecAmacl_t;
 159
 160 typedef struct OicSecCred OicSecCred_t;
 161
 162 /**
 163  * @brief   /oic/sec/credtype (Credential Type) data type.
 164  *          Derived from OIC Security Spec /oic/sec/cred; see Spec for details.
 165  *              0:  no security mode
 166  *              1:  symmetric pair-wise key
 167  *              2:  symmetric group key
 168  *              4:  asymmetric key
 169  *              8:  signed asymmetric key (aka certificate)
 170  *              16: PIN /password
 171  */
 172 typedef uint16_t OicSecCredType_t;
 173
 174 /**
 175  * Aid for assigning/testing vals with OicSecCredType_t.
 176  * Example:
 177  *  OicSecCredType_t ct = PIN_PASSWORD | ASYMMETRIC_KEY;
 178  *  if((ct & PIN_PASSWORD) == PIN_PASSWORD)
 179  *  {
 180  *      // ct contains PIN_PASSWORD flag.
 181  *  }
 182  */
 183 typedef enum OSCTBitmask
 184 {
 185     NO_SECURITY_MODE                = 0x0,
 186     SYMMETRIC_PAIR_WISE_KEY         = (0x1 << 0),
 187     SYMMETRIC_GROUP_KEY             = (0x1 << 1),
 188     ASYMMETRIC_KEY                  = (0x1 << 2),
 189     SIGNED_ASYMMETRIC_KEY           = (0x1 << 3),
 190     PIN_PASSWORD                    = (0x1 << 4),
 191 } OSCTBitmask_t;
 192
 193 typedef struct OicSecDoxm OicSecDoxm_t;
 194
 195 typedef enum OicSecDpm
 196 {
 197     NORMAL                          = 0x0,
 198     RESET                           = (0x1 << 0),
 199     TAKE_OWNER                      = (0x1 << 1),
 200     BOOTSTRAP_SERVICE               = (0x1 << 2),
 201     SECURITY_MANAGEMENT_SERVICES    = (0x1 << 3),
 202     PROVISION_CREDENTIALS           = (0x1 << 4),
 203     PROVISION_ACLS                  = (0x1 << 5),
 204     // << 6 THROUGH 15 RESERVED
 205 } OicSecDpm_t;
 206
 207 typedef enum OicSecDpom
 208 {
 209     MULTIPLE_SERVICE_SERVER_DRIVEN  = 0x0,
 210     SINGLE_SERVICE_SERVER_DRIVEN    = 0x1,
 211     MULTIPLE_SERVICE_CLIENT_DRIVEN  = 0x2,
 212     SINGLE_SERVICE_CLIENT_DRIVEN    = 0x3,
 213 } OicSecDpom_t;
 214
 215 typedef enum OicSecSvcType
 216 {
 217     SERVICE_UNKNOWN                 = 0x0,
 218     ACCESS_MGMT_SERVICE             = 0x1,  //urn:oic.sec.ams
 219 } OicSecSvcType_t;
 220
 221
 222 //TODO: Need more clarification on deviceIDFormat field type.
 223 #if 0
 224 typedef enum
 225 {
 226     URN = 0x0
 227 }OicSecDvcIdFrmt_t;
 228 #endif
 229
 230 typedef enum
 231 {
 232     OIC_JUST_WORKS                          = 0x0,
 233     OIC_MODE_SWITCH                         = 0x1,
 234     OIC_RANDOM_DEVICE_PIN                   = 0x2,
 235     OIC_PRE_PROVISIONED_DEVICE_PIN          = 0x3,
 236     OIC_PRE_PROVISION_STRONG_CREDENTIAL     = 0x4
 237 }OicSecOxm_t;
 238
 239 typedef struct OicSecJwk OicSecJwk_t;
 240
 241 typedef struct OicSecPstat OicSecPstat_t;
 242
 243 typedef struct OicSecRole OicSecRole_t;
 244
 245 typedef struct OicSecSacl OicSecSacl_t;
 246
 247 typedef struct OicSecSvc OicSecSvc_t;
 248
 249 typedef char *OicUrn_t; //TODO is URN type defined elsewhere?
 250
 251 typedef struct OicUuid OicUuid_t; //TODO is UUID type defined elsewhere?
 252
 253
 254 /**
 255  * @brief   /oic/uuid (Universal Unique Identifier) data type.
 256  */
 257 #define UUID_LENGTH 128/8 // 128-bit GUID length
 258 //TODO: Confirm the length and type of ROLEID.
 259 #define ROLEID_LENGTH 128/8 // 128-bit ROLEID length
 260 #define OWNER_PSK_LENGTH_128 128/8 //byte size of 128-bit key size
 261 #define OWNER_PSK_LENGTH_256 256/8 //byte size of 256-bit key size
 262
 263 struct OicUuid
 264 {
 265     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 266     //TODO fill in unless this is defined elsewhere?
 267     uint8_t             id[UUID_LENGTH];
 268 };
 269
 270 /**
 271  * @brief   /oic/sec/jwk (JSON Web Key) data type.
 272  *          See JSON Web Key (JWK)  draft-ietf-jose-json-web-key-41
 273  */
 274 #define JWK_LENGTH 256/8 // 256 bit key length
 275 struct OicSecJwk
 276 {
 277     char                *data;
 278 };
 279
 280 /**
 281  * @brief   /oic/sec/acl (Access Control List) data type.
 282  *          Derived from OIC Security Spec; see Spec for details.
 283  */
 284 struct OicSecAcl
 285 {
 286     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 287     OicUuid_t           subject;        // 0:R:S:Y:uuid TODO: this deviates
 288                                         // from spec and needs to be updated
 289                                         // in spec (where it's a String).
 290     size_t              resourcesLen;   // the number of elts in Resources
 291     char                **resources;    // 1:R:M:Y:String
 292     uint16_t            permission;     // 2:R:S:Y:UINT16
 293     size_t              prdRecrLen;     // the number of elts in Periods
 294     char                **periods;       // 3:R:M*:N:String (<--M*; see Spec)
 295     char                **recurrences;   // 5:R:M:N:String
 296     size_t              ownersLen;      // the number of elts in Owners
 297     OicUuid_t           *owners;        // 8:R:M:Y:oic.uuid
 298     // NOTE: we are using UUID for Owners instead of Svc type for mid-April
 299     // SRM version only; this will change to Svc type for full implementation.
 300     //TODO change Owners type to oic.sec.svc
 301     //OicSecSvc_t         *Owners;        // 6:R:M:Y:oic.sec.svc
 302     OicSecAcl_t         *next;
 303 };
 304
 305 /**
 306  * @brief   /oic/sec/amacl (Access Manager Service Accesss Control List)
 307  *          data type.
 308  *          Derived from OIC Security Spec; see Spec for details.
 309  */
 310 struct OicSecAmacl
 311 {
 312     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 313     size_t              resourcesLen;   // the number of elts in Resources
 314     char                **resources;    // 0:R:M:Y:String
 315     size_t              amssLen;        // the number of elts in Amss
 316     OicUuid_t           *amss;          // 1:R:M:Y:acl
 317     size_t              ownersLen;      // the number of elts in Owners
 318     OicUuid_t           *owners;        // 2:R:M:Y:oic.uuid
 319     // NOTE: we are using UUID for Owners instead of Svc type for mid-April
 320     // SRM version only; this will change to Svc type for full implementation.
 321     //TODO change Owners type to oic.sec.svc
 322     //OicSecSvc_t         *Owners;        // 2:R:M:Y:oic.sec.svc
 323     OicSecAmacl_t         *next;
 324 };
 325
 326 /**
 327  * @brief   /oic/sec/cred (Credential) data type.
 328  *          Derived from OIC Security Spec; see Spec for details.
 329  */
 330 struct OicSecCred
 331 {
 332     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 333     uint16_t            credId;         // 0:R:S:Y:UINT16
 334     OicUuid_t           subject;        // 1:R:S:Y:oic.uuid
 335     //Note: Need further clarification on roleID data type
 336     //NOTE: Need further clarification on roleId datatype.
 337     //size_t              roleIdsLen;     // the number of elts in RoleIds
 338     //OicSecRole_t        *roleIds;       // 2:R:M:N:oic.sec.role
 339     OicSecCredType_t    credType;       // 3:R:S:Y:oic.sec.credtype
 340     OicSecJwk_t         publicData;     // 5:R:S:N:oic.sec.jwk
 341     OicSecJwk_t         privateData;    // 6:R:S:N:oic.sec.jwk
 342     char                *period;        // 7:R:S:N:String
 343     size_t              ownersLen;      // the number of elts in Owners
 344     OicUuid_t           *owners;        // 8:R:M:Y:oic.uuid
 345     // NOTE: we are using UUID for Owners instead of Svc type for mid-April
 346     // SRM version only; this will change to Svc type for full implementation.
 347     //OicSecSvc_t         *Owners;        // 8:R:M:Y:oic.sec.svc
 348     //TODO change Owners type to oic.sec.svc
 349     OicSecCred_t        *next;
 350 };
 351
 352 /**
 353  * @brief   /oic/sec/doxm (Device Owner Transfer Methods) data type
 354  *          Derived from OIC Security Spec; see Spec for details.
 355  */
 356 struct OicSecDoxm
 357 {
 358     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 359     OicUrn_t            *oxmType;       // 0:R:M:N:URN
 360     size_t              oxmTypeLen;     // the number of elts in OxmType
 361     OicSecOxm_t         *oxm;           // 1:R:M:N:UINT16
 362     size_t              oxmLen;         // the number of elts in Oxm
 363     OicSecOxm_t         oxmSel;         // 2:R/W:S:Y:UINT16
 364     bool                owned;          // 3:R:S:Y:Boolean
 365     //TODO: Need more clarification on deviceIDFormat field type.
 366     //OicSecDvcIdFrmt_t   deviceIDFormat; // 4:R:S:Y:UINT8
 367     OicUuid_t           deviceID;       // 5:R:S:Y:oic.uuid
 368     OicUuid_t           owner;         // 6:R:S:Y:oic.uuid
 369     // NOTE: we are using UUID for Owner instead of Svc type for mid-April
 370     // SRM version only; this will change to Svc type for full implementation.
 371     //OicSecSvc_t       Owner;        // 5:R:S:Y:oic.sec.svc
 372     //TODO change Owner type to oic.sec.svc
 373 };
 374
 375 /**
 376  * @brief   /oic/sec/pstat (Provisioning Status) data type.
 377  * NOTE: this struct is ahead of Spec v0.95 in definition to include Sm.
 378  * TODO: change comment when reconciled to Spec v0.96.
 379  */
 380 struct OicSecPstat
 381 {
 382     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 383     bool                isOp;           // 0:R:S:Y:Boolean
 384     OicSecDpm_t         cm;             // 1:R:S:Y:oic.sec.dpm
 385     OicSecDpm_t         tm;             // 2:RW:S:Y:oic.sec.dpm
 386     OicUuid_t           deviceID;       // 3:R:S:Y:oic.uuid
 387     OicSecDpom_t        om;             // 4:RW:M:Y:oic.sec.dpom
 388     size_t              smLen;          // the number of elts in Sm
 389     OicSecDpom_t        *sm;            // 5:R:M:Y:oic.sec.dpom
 390     uint16_t            commitHash;     // 6:R:S:Y:oic.sec.sha256
 391     //TODO: this is supposed to be a 256-bit uint; temporarily use uint16_t
 392     //TODO: need to decide which 256 bit and 128 bit types to use... boost?
 393 };
 394
 395 /**
 396  * @brief   /oic/sec/role (Role) data type.
 397  *          Derived from OIC Security Spec; see Spec for details.
 398  */
 399 struct OicSecRole
 400 {
 401     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 402     //TODO fill in with Role definition
 403     uint8_t             id[ROLEID_LENGTH];
 404 };
 405
 406 /**
 407  * @brief   /oic/sec/sacl (Signed Access Control List) data type.
 408  *          Derived from OIC Security Spec; see Spec for details.
 409  */
 410 struct OicSecSacl
 411 {
 412     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 413     //TODO fill in from OIC Security Spec
 414 };
 415
 416 /**
 417  * @brief   /oic/sec/svc (Service requiring a secure connection) data type.
 418  *          Derived from OIC Security Spec; see Spec for details.
 419  */
 420 struct OicSecSvc
 421 {
 422     // <Attribute ID>:<Read/Write>:<Multiple/Single>:<Mandatory?>:<Type>
 423     OicUuid_t               svcdid;                 //0:R:S:Y:oic.uuid
 424     OicSecSvcType_t         svct;                   //1:R:M:Y:OIC Service Type
 425     size_t                  ownersLen;              //2:the number of elts in Owners
 426     OicUuid_t               *owners;                //3:R:M:Y:oic.uuid
 427     OicSecSvc_t             *next;
 428 };
 429
 430 #ifdef __cplusplus
 431 }
 432 #endif
 433
 434 #endif //OC_SECURITY_RESOURCE_TYPES_H