#ifndef CA_SECURITY_INTERFACE_H_
#define CA_SECURITY_INTERFACE_H_
-#ifdef __WITH_X509__
-#include "pki.h"
-#endif //__WITH_X509__
-
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+#include "mbedtls/ssl.h"
+#include "mbedtls/x509_crt.h"
+#endif //__WITH_DTLS__ or __WITH_TLS__
#include "cacommon.h"
+#include "byte_array.h"
#ifdef __cplusplus
extern "C"
{
#endif
-
-#ifdef __WITH_DTLS__
/**
* @enum CADtlsPskCredType_t
* Type of PSK credential required during DTLS handshake
} CADtlsPskCredType_t;
/**
+ *@enum CASslEkcbRole_t
+ * type of SSL role to be used when invoking export key callback
+ */
+typedef enum
+{
+ CA_SSL_EKCB_CLIENT = 0,
+ CA_SSL_EKCB_SERVER = 1
+}CASslEkcbRole_t;
+
+/**
+ *@enum CASslEkcbProtocol_t
+ * type of SSL protocol(TLS or DTLS) to be used when invoking export key callback
+ */
+typedef enum
+{
+ CA_SSL_EKCB_TLS = 0,
+ CA_SSL_EKCB_DTLS = 1
+}CASslEkcbProtocol_t;
+
+/**
* This internal callback is used by CA layer to
* retrieve PSK credentials from SRM.
*
* @return The number of bytes written to @p result or a value
* less than zero on error.
*/
-typedef int (*CAGetDTLSPskCredentialsHandler)(CADtlsPskCredType_t type,
- const uint8_t *desc, size_t desc_len,
- uint8_t *result, size_t result_length);
+typedef int (*CAgetPskCredentialsHandler)(CADtlsPskCredType_t type,
+ const uint8_t *desc, size_t desc_len,
+ uint8_t *result, size_t result_length);
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+#ifdef MULTIPLE_OWNER
/**
- * Register callback to receive the result of DTLS handshake.
- * @param[in] dtlsHandshakeCallback callback for get dtls handshake result
- * @return ::CA_STATUS_OK
+ * API to get a secure connected peer information
+ *
+ * @param[in] peer peer information includs IP address and port.
+ *
+ * @return secure connected peer information on success, otherwise NULL
*/
-CAResult_t CARegisterDTLSHandshakeCallback(CAErrorCallback dtlsHandshakeCallback);
+const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer);
+#endif //MULTIPLE_OWNER
+#endif
/**
- * Register callback to get DTLS PSK credentials.
- * @param[in] GetDTLSCredentials GetDTLS Credetials callback.
- * @return ::CA_STATUS_OK
+ * This internal callback is used by CA layer to
+ * retrieve all credential types from SRM
+ *
+ * @param[out] list of enabled credential types for CA handshake
+ *
*/
-CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSPskCredentialsHandler GetDTLSCredentials);
-
-#endif //__WITH_DTLS__
-
-#ifdef __WITH_X509__
+typedef void (*CAgetCredentialTypesHandler)(bool * list);
/**
- * Binary structure containing certificate chain and certificate credentials
- * for this device.
+ * Binary structure containing PKIX related info
+ * own certificate chain, public key, CA's and CRL's
*/
typedef struct
{
- // certificate message for DTLS
- unsigned char certificateChain[MAX_CERT_MESSAGE_LEN];
- // length of the certificate message
- uint32_t certificateChainLen;
- // number of certificates in certificate message
- uint8_t chainLen;
- // x component of EC public key
- uint8_t rootPublicKeyX[PUBLIC_KEY_SIZE / 2];
- // y component of EC public key
- uint8_t rootPublicKeyY[PUBLIC_KEY_SIZE / 2];
- // EC private key
- uint8_t devicePrivateKey[PRIVATE_KEY_SIZE];
-
-} CADtlsX509Creds_t;
-
-/**
- * @brief Callback function type for getting certificate credentials.
- * @param credInfo [OUT] Certificate credentials info. Handler has to allocate new memory for
- * credInfo which is then freed by CA
- * @return NONE
+ // own certificate chain
+ ByteArray_t crt;
+ // own public key
+ ByteArray_t key;
+ // trusted CA's
+ ByteArray_t ca;
+ // trusted CRL's
+ ByteArray_t crl;
+} PkiInfo_t;
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+/**
+ * this callback will be invoked to utilize peer certificate information
*/
-typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo);
+typedef int (*PeerCertCallback)(void *ctx, const mbedtls_x509_crt *peerCert,
+ int depth);
+
/**
- * @brief Callback function type for getting CRL.
- * @param crlInfo [OUT] Certificate credentials info. Handler has to allocate new memory for
- * credInfo which is then freed by CA
- * @return NONE
+ * API to set callback used to utilize peer certificate information
+ * @param[in] peerCertCallback callback to utilize certificate information
+ *
+ * return CA_STATUS_OK on success
+ */
+CAResult_t CAsetPeerCertCallback(void *ctx, PeerCertCallback peerCertCallback);
+#endif
+
+/**
+ * Register callback to receive credential types.
+ * @param[in] credTypesCallback callback to get cerdential types
+ * @return ::CA_STATUS_OK
*/
-typedef void (*CAGetDTLSCrlHandler)(ByteArray* crlInfo);
+CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler credTypesCallback);
+/**
+ * Register callback to receive the result of TLS handshake.
+ * @param[in] tlsHandshakeCallback callback for get tls handshake result
+ * @return ::CA_STATUS_OK
+ */
+CAResult_t CAregisterSslHandshakeCallback(CAErrorCallback tlsHandshakeCallback);
/**
- * @brief Register callback to get DTLS Cert credentials.
- * @param GetCertCredentials [IN] GetCert Credetials callback
- * @return #CA_STATUS_OK
+ * Register callback to get TLS PSK credentials.
+ * @param[in] getTLSCredentials GetDTLS Credetials callback.
+ * @return ::CA_STATUS_OK
*/
-CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials);
+CAResult_t CAregisterPskCredentialsHandler(CAgetPskCredentialsHandler getTlsCredentials);
+
+/**
+ * @brief Callback function type for getting PKIX info
+ *
+ * @param inf[out] PKIX related info
+ *
+ * @return NONE
+ */
+typedef void (*CAgetPkixInfoHandler)(PkiInfo_t * inf);
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
/**
- * @brief Register callback to get CRL.
- * @param GetCrl [IN] GetCrl callback
- * @return #CA_STATUS_OK
+ * @brief Callback function type for setup PK context
+ *
+ * @param pkCtx[in] mbedtls's PK context
+ *
+ * @return 0 on success
*/
-CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl);
-#endif //__WITH_X509__
+typedef int (*CAsetupPkContextHandler)(mbedtls_pk_context * pkCtx);
+/**
+ * Register callback to setup PK Context
+ * @param[in] setupPkContextCallback Callback function to setup PK context.
+ * @return ::CA_STATUS_OK or appropriate error code.
+ */
+CAResult_t CAregisterSetupPkContextHandler(CAsetupPkContextHandler setupPkContextHandler);
+#endif //__WITH_DTLS__ or __WITH_TLS__
-#ifdef __WITH_DTLS__
+/**
+ * Register callback to get PKIX related info.
+ * @param[in] getPkixInfoHandler Get PKIX related info callback.
+ * @return ::CA_STATUS_OK or appropriate error code.
+ */
+CAResult_t CAregisterPkixInfoHandler(CAgetPkixInfoHandler getPkixInfoHandler);
+/**
+ * Register callback to get types of TLS suites.
+ * @param[in] getCredTypesHandler Get types of TLS suites callback.
+ * @return ::CA_STATUS_OK or appropriate error code.
+ */
+CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler getCredTypesHandler);
/**
* Select the cipher suite for dtls handshake.
*
* @param[in] cipher cipher suite (Note : Make sure endianness).
- * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA
- * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8
- * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+ * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D
+ * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
+ * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
+ * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
+ * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
+ * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
+ * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
+ * @param[in] adapter transport adapter (TCP/IP/BLE)
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
-CAResult_t CASelectCipherSuite(const uint16_t cipher);
+CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapter);
/**
* Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls.
* @param[in] provServerDeviceID label of previous owner.
* @param[in] provServerDeviceIDLen byte length of provServerDeviceID.
* @param[in,out] ownerPSK Output buffer for owner PSK.
- * @param[in] ownerPSKSize Byte length of the ownerPSK to be generated.
+ * @param[in] ownerPskSize Byte length of the ownerPSK to be generated.
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
const size_t rsrcServerDeviceIDLen,
const uint8_t* provServerDeviceID,
const size_t provServerDeviceIDLen,
- uint8_t* ownerPSK, const size_t ownerPSKSize);
+ uint8_t* ownerPSK, const size_t ownerPskSize);
/**
* Initiate DTLS handshake with selected cipher suite.
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
-CAResult_t CACloseDtlsSession(const CAEndpoint_t *endpoint);
+CAResult_t CAcloseSslSession(const CAEndpoint_t *endpoint);
+
+/**
+ * Initiate TLS handshake with selected cipher suite.
+ *
+ * @param[in] endpoint information of network address.
+ *
+ * @retval ::CA_STATUS_OK Successful.
+ * @retval ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint);
+
+/**
+ * Close the DTLS session.
+ *
+ * @param[in] endpoint information of network address.
+ *
+ * @retval ::CA_STATUS_OK Successful.
+ * @retval ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CAcloseSslConnection(const CAEndpoint_t *endpoint);
+
+/**
+ * Close the TLS session using UUID
+ *
+ * @param[in] identity UUID of target device
+ * @param[in] idLength Byte length of 'identity'
+ *
+ * @retval ::CA_STATUS_OK Successful.
+ * @retval ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CAcloseSslConnectionUsingUuid(const uint8_t *identity, size_t idLength);
+
+/**
+ * Close All of DTLS sessions.
+ */
+void CAcloseSslConnectionAll(CATransportAdapter_t transportType);
+
+#if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
+
+/**
+ * @brief Callback type: Export key block and master secret
+ * @note This is required for certain uses of TLS, e.g. EAP-TLS
+ * (RFC 5216) and Thread. The key pointers are ephemeral and
+ * therefore must not be stored. The master secret and keys
+ * should not be used directly except as an input to a key
+ * derivation function.
+ *
+ * @aram[in] masterSecret Pointer to master secret (fixed length: 48 bytes)
+ * @param[in] keyBlock Pointer to key block, see RFC 5246 section 6.3
+ * (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * @param[in] maclen MAC length
+ * @param[in] keylen Key length
+ * @param[in] ivlen IV length
+ */
+typedef void (*SslExportKeysCallback_t)(const unsigned char* masterSecret,
+ const unsigned char* keyBlock,
+ size_t macLen, size_t keyLen, size_t ivLen);
+
+/**
+ * API to set a export SSL(TLS/DTLS) key callback.
+ * This callback will be invoked when SSL handshake occured.
+ *
+ * @param[in] exportKeysCb implementation of SslExportKeysCallback_t
+ * @param[in] protocol CA_SSL_EKCB_TLS=TLS, CA_SSL_EKCB_DTLS=DTLS (@ref CASslEkcbProtocol_t)
+ * @param[in] role CA_SSL_EKCB_CLIENT=client, CA_SSL_EKCB_SERVER=server (@ref CASslEkcbRole_t)
+ *
+ * @return CA_STATUS_OK on success, otherwise fail.
+ */
+CAResult_t CASetSslExportKeysCallback(SslExportKeysCallback_t exportKeysCb,
+ CASslEkcbProtocol_t protocol, CASslEkcbRole_t role);
-#endif /* __WITH_DTLS__ */
+#endif //__WITH_TLS__ or __WITH_DTLS__
#ifdef __cplusplus