Add to checking logic to set subject of cred in case of NULL or *

Issue : If deviceuuid is null and required pre-install certificate in SVR DB,
        it is impossible to set a subject of SIGNED_ASYMMETRIC_KEY type (certificate).

According to OCF Security Spec and Raml, subject of Cred allows UUID format only,
so CTT decides a failure in case of wildcard(*).
But, it is not clear how to set a subject of cred in case of SIGNED_ASYMMETRIC_KEY on spec.

So, this patch set it with own deviceuuid in case of NULL or wildcard,
because own deviceuuid is only UUID a device knows at all time.

Patch 1,2: Upload patch
Patch 3 : Set subject of cred with own deviceuuid in case of NULL or wildcard
Patch 4: Apply review comment
Patch 5-8 : Re-trigger jenkins build

Change-Id: Idb09357a821be81bb9f05489ebb40403e66c3514
Signed-off-by: js126.lee <js126.lee@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/17153
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>

diff --git a/resource/csdk/security/provisioning/src/secureresourceprovider.c b/resource/csdk/security/provisioning/src/secureresourceprovider.c
index 3a9ffeb..2b110af 100644 (file)
--- a/resource/csdk/security/provisioning/src/secureresourceprovider.c
+++ b/resource/csdk/security/provisioning/src/secureresourceprovider.c
@@ -547,7 +547,13 @@ OCStackResult SRPSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
     OicSecCred_t *cred = (OicSecCred_t *)OICCalloc(1, sizeof(*cred));
     VERIFY_NOT_NULL_RETURN(TAG, cred, ERROR, OC_STACK_NO_MEMORY);
 
-    memcpy(cred->subject.id, &WILDCARD_SUBJECT_ID, WILDCARD_SUBJECT_ID_LEN);
+    res = GetDoxmDeviceID(&cred->subject);
+    if (OC_STACK_OK != res)
+    {
+        OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
+        DeleteCredList(cred);
+        return res;
+    }
 
     cred->credUsage= (char *)OICCalloc(1, strlen(TRUST_CA)+1 );
     VERIFY_NOT_NULL_RETURN(TAG, cred->credUsage, ERROR, OC_STACK_NO_MEMORY);
@@ -610,9 +616,12 @@ OCStackResult SRPSaveOwnCertChain(OicSecKey_t * cert, OicSecKey_t * key, uint16_
 
     OIC_LOG_V(DEBUG, TAG, "IN: %s", __func__);
 
-    if (OC_STACK_OK != GetDoxmDeviceID(&cred->subject))
+    res = GetDoxmDeviceID(&cred->subject);
+    if (OC_STACK_OK != res)
     {
         OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
+        DeleteCredList(cred);
+        return res;
     }
 
     cred->credUsage= (char *)OICCalloc(1, strlen(PRIMARY_CERT)+1 );

diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c
index 19cfc97..f7441a0 100644 (file)
--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
@@ -105,6 +105,41 @@ static bool ValueWithinBounds(uint64_t value, uint64_t maxValue)
 }
 
 /**
+ * Internal function to check a subject of SIGNED_ASYMMETRIC_KEY(Certificate).
+ * If that subject is NULL or wildcard, set it to own deviceID.
+ * @param cred credential on SVR DB file
+ * @param deviceID own deviceuuid of doxm resource
+ *
+ * @return
+ *     true successfully done
+ *     false Invalid cred
+ */
+
+static bool CheckSubjectOfCertificate(OicSecCred_t* cred, OicUuid_t deviceID)
+{
+    OicUuid_t emptyUuid = {.id={0}};
+    OIC_LOG(DEBUG, TAG, "IN CheckSubjectOfCertificate");
+    VERIFY_NOT_NULL(TAG, cred, ERROR);
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+    if ( SIGNED_ASYMMETRIC_KEY == cred->credType)
+    {
+        if((0 == memcmp(cred->subject.id, emptyUuid.id, sizeof(cred->subject.id))) ||
+            (0 == memcmp(cred->subject.id, &WILDCARD_SUBJECT_ID, sizeof(cred->subject.id))))
+        {
+            memcpy(cred->subject.id, deviceID.id, sizeof(deviceID.id));
+        }
+    }
+#endif
+
+    OIC_LOG(DEBUG, TAG, "OUT CheckSubjectOfCertificate");
+    return true;
+exit:
+    OIC_LOG(ERROR, TAG, "OUT CheckSubjectOfCertificate");
+    return false;
+}
+
+/**
  * Internal function to check credential
  */
 static bool IsValidCredential(const OicSecCred_t* cred)
@@ -2210,7 +2245,7 @@ OCStackResult InitCredResource()
 
     if ((ret == OC_STACK_OK) && data)
     {
-        // Read ACL resource from PS
+        // Read Cred resource from PS
         ret = CBORPayloadToCred(data, size, &gCred);
 
 #ifdef HAVE_WINDOWS_H
@@ -2267,18 +2302,43 @@ OCStackResult InitCredResource()
         gCred = GetCredDefault();
     }
 
-    //Add a log to track the invalid credential.
-    LL_FOREACH(gCred, cred)
+    if (gCred)
     {
-        if (false == IsValidCredential(cred))
+        OicUuid_t deviceID;
+        OicUuid_t emptyUuid = {.id={0}};
+
+        ret = GetDoxmDeviceID(&deviceID);
+        VERIFY_SUCCESS(TAG, ret == OC_STACK_OK, ERROR);
+
+        //Add a log to track the invalid credential.
+        LL_FOREACH(gCred, cred)
+        {
+            if (false == CheckSubjectOfCertificate(cred, deviceID))
+            {
+                OIC_LOG(WARNING, TAG, "Check subject of Certificate was failed while InitCredResource");
+            }
+            if (false == IsValidCredential(cred))
+            {
+                OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
+                OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
+            }
+        }
+
+        if (0 == memcmp(&gCred->rownerID, &emptyUuid, sizeof(OicUuid_t)))
         {
-            OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
-            OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
+            memcpy(&gCred->rownerID, &deviceID, sizeof(OicUuid_t));
         }
-    }
 
+        if (!UpdatePersistentStorage(gCred))
+        {
+            OIC_LOG(FATAL, TAG, "UpdatePersistentStorage failed!");
+        }
+    }
     //Instantiate 'oic.sec.cred'
     ret = CreateCredResource();
+
+exit:
+    OIC_LOG(DEBUG, TAG, "OUT InitCredResource.");
     OICClearMemory(data, size);
     OICFree(data);
     return ret;