From df063552a4dfab53662653566fe73ed491820aaf Mon Sep 17 00:00:00 2001
From: "js126.lee"
Date: Thu, 9 Feb 2017 21:16:51 +0900
Subject: [PATCH] Add to checking logic to set subject of cred in case of NULL or *
Issue : If deviceuuid is null and required pre-install certificate in SVR DB, it is impossible to set a subject of SIGNED_ASYMMETRIC_KEY type (certificate). According to OCF Security Spec and Raml, subject of Cred allows UUID format only, so CTT decides a failure in case of wildcard(*). But, it is not clear how to set a subject of cred in case of SIGNED_ASYMMETRIC_KEY on spec. So, this patch set it with own deviceuuid in case of NULL or wildcard, because own deviceuuid is only UUID a device knows at all time.
Patch 1,2: Upload patch
Patch 3 : Set subject of cred with own deviceuuid in case of NULL or wildcard
Patch 4: Apply review comment
Patch 5-8 : Re-trigger jenkins build
Change-Id: Idb09357a821be81bb9f05489ebb40403e66c3514
Signed-off-by: js126.lee
Reviewed-on: https://gerrit.iotivity.org/gerrit/17153
Tested-by: jenkins-iotivity
Reviewed-by: Kevin Kane
Reviewed-by: Randeep Singh
---
 .../provisioning/src/secureresourceprovider.c | 13 +++-
 resource/csdk/security/src/credresource.c | 74 ++++++++++++++++++++--
 2 files changed, 78 insertions(+), 9 deletions(-)
diff --git a/resource/csdk/security/provisioning/src/secureresourceprovider.c b/resource/csdk/security/provisioning/src/secureresourceprovider.c
index 3a9ffeb..2b110af 100644
--- a/resource/csdk/security/provisioning/src/secureresourceprovider.c
+++ b/resource/csdk/security/provisioning/src/secureresourceprovider.c
@@ -547,7 +547,13 @@ OCStackResult SRPSaveTrustCertChain(uint8_t *trustCertChain, size_t chainSize,
 OicSecCred_t *cred = (OicSecCred_t *)OICCalloc(1, sizeof(*cred));
 VERIFY_NOT_NULL_RETURN(TAG, cred, ERROR, OC_STACK_NO_MEMORY);
- memcpy(cred->subject.id, &WILDCARD_SUBJECT_ID, WILDCARD_SUBJECT_ID_LEN);
+ res = GetDoxmDeviceID(&cred->subject);
+ if (OC_STACK_OK != res)
+ {
+ OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
+ DeleteCredList(cred);
+ return res;
+ }
 cred->credUsage= (char *)OICCalloc(1, strlen(TRUST_CA)+1 );
 VERIFY_NOT_NULL_RETURN(TAG, cred->credUsage, ERROR, OC_STACK_NO_MEMORY);
@@ -610,9 +616,12 @@ OCStackResult SRPSaveOwnCertChain(OicSecKey_t * cert, OicSecKey_t * key, uint16_
 OIC_LOG_V(DEBUG, TAG, "IN: %s", __func__);
- if (OC_STACK_OK != GetDoxmDeviceID(&cred->subject))
+ res = GetDoxmDeviceID(&cred->subject);
+ if (OC_STACK_OK != res)
 {
 OIC_LOG(ERROR, TAG, "Cann't get the device id(GetDoxmDeviceID)");
+ DeleteCredList(cred);
+ return res;
 }
 cred->credUsage= (char *)OICCalloc(1, strlen(PRIMARY_CERT)+1 );
diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c
index 19cfc97..f7441a0 100644
--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
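Review bot: The allocation-failure path right after the new block in SRPSaveTrustCertChain still appears to leak `cred`: the added GetDoxmDeviceID error branch frees it with `DeleteCredList(cred)`, but `VERIFY_NOT_NULL_RETURN(TAG, cred->credUsage, ERROR, OC_STACK_NO_MEMORY);` looks like a bare return with no cleanup (the macro body is not visible here, so confirm). Make the two paths consistent, for example `if (NULL == cred->credUsage) { DeleteCredList(cred); return OC_STACK_NO_MEMORY; }`. The SRPSaveOwnCertChain hunk that follows adds the same early return ahead of its own `cred->credUsage` allocation, whose check lies outside the hunk and deserves the same look. Both function bodies start and end outside their hunks.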
@@ -105,6 +105,41 @@ static bool ValueWithinBounds(uint64_t value, uint64_t maxValue)
 }
 /**
+ * Internal function to check a subject of SIGNED_ASYMMETRIC_KEY(Certificate).
+ * If that subject is NULL or wildcard, set it to own deviceID.
+ * @param cred credential on SVR DB file
+ * @param deviceID own deviceuuid of doxm resource
+ *
+ * @return
+ * true successfully done
+ * false Invalid cred
+ */
+
+static bool CheckSubjectOfCertificate(OicSecCred_t* cred, OicUuid_t deviceID)
+{
+ OicUuid_t emptyUuid = {.id={0}};
+ OIC_LOG(DEBUG, TAG, "IN CheckSubjectOfCertificate");
+ VERIFY_NOT_NULL(TAG, cred, ERROR);
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+ if ( SIGNED_ASYMMETRIC_KEY == cred->credType)
+ {
+ if((0 == memcmp(cred->subject.id, emptyUuid.id, sizeof(cred->subject.id))) ||
+ (0 == memcmp(cred->subject.id, &WILDCARD_SUBJECT_ID, sizeof(cred->subject.id))))
+ {
+ memcpy(cred->subject.id, deviceID.id, sizeof(deviceID.id));
+ }
+ }
+#endif
+
+ OIC_LOG(DEBUG, TAG, "OUT CheckSubjectOfCertificate");
+ return true;
+exit:
+ OIC_LOG(ERROR, TAG, "OUT CheckSubjectOfCertificate");
+ return false;
+}
+
+/**
 * Internal function to check credential
 */
 static bool IsValidCredential(const OicSecCred_t* cred)
@@ -2210,7 +2245,7 @@ OCStackResult InitCredResource()
 if ((ret == OC_STACK_OK) && data)
 {
- // Read ACL resource from PS
+ // Read Cred resource from PS
 ret = CBORPayloadToCred(data, size, &gCred);
 #ifdef HAVE_WINDOWS_H
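Review bot: CheckSubjectOfCertificate never checks that `deviceID` is itself a usable UUID: if the caller passes an all-zero id, an empty or wildcard subject is overwritten with zeros and the function still returns true, so the certificate credential keeps a null subject with no log. If GetDoxmDeviceID can succeed before the device id is assigned (not visible on this page), add a guard ahead of the copy such as `if (0 == memcmp(deviceID.id, emptyUuid.id, sizeof(deviceID.id))) { goto exit; }`. The name and the `@return` text describe a check, while the function rewrites `cred->subject` in place; a doc-comment line such as `* @note modifies cred->subject; the caller must persist the change` would make that explicit. The wildcard comparison reads `sizeof(cred->subject.id)` bytes from `WILDCARD_SUBJECT_ID`, whereas the line removed in secureresourceprovider.c copied only `WILDCARD_SUBJECT_ID_LEN`, so it is worth confirming the object is at least that large and that the two lengths are meant to differ.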
@@ -2267,18 +2302,43 @@ OCStackResult InitCredResource()
 gCred = GetCredDefault();
 }
- //Add a log to track the invalid credential.
- LL_FOREACH(gCred, cred)
+ if (gCred)
 {
- if (false == IsValidCredential(cred))
+ OicUuid_t deviceID;
+ OicUuid_t emptyUuid = {.id={0}};
+
+ ret = GetDoxmDeviceID(&deviceID);
+ VERIFY_SUCCESS(TAG, ret == OC_STACK_OK, ERROR);
+
+ //Add a log to track the invalid credential.
+ LL_FOREACH(gCred, cred)
+ {
+ if (false == CheckSubjectOfCertificate(cred, deviceID))
+ {
+ OIC_LOG(WARNING, TAG, "Check subject of Certificate was failed while InitCredResource");
+ }
+ if (false == IsValidCredential(cred))
+ {
+ OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
+ OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
+ }
+ }
+
+ if (0 == memcmp(&gCred->rownerID, &emptyUuid, sizeof(OicUuid_t)))
 {
- OIC_LOG(WARNING, TAG, "Invalid credential data was dectected while InitCredResource");
- OIC_LOG_V(WARNING, TAG, "Invalid credential ID = %d", cred->credId);
+ memcpy(&gCred->rownerID, &deviceID, sizeof(OicUuid_t));
 }
- }
+ if (!UpdatePersistentStorage(gCred))
+ {
+ OIC_LOG(FATAL, TAG, "UpdatePersistentStorage failed!");
+ }
+ }
 //Instantiate 'oic.sec.cred'
 ret = CreateCredResource();
+
+exit:
+ OIC_LOG(DEBUG, TAG, "OUT InitCredResource.");
 OICClearMemory(data, size);
 OICFree(data);
 return ret;
--
2.7.4
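Review bot: The new block in InitCredResource calls `UpdatePersistentStorage(gCred)` on every start, whether or not a subject or `rownerID` was actually rewritten, and a failed write is only logged as FATAL before `CreateCredResource()` runs anyway. That rewrites the credential store on each boot, including entries that `IsValidCredential` has just flagged, and on failure leaves the device running with in-memory subjects that differ from what is stored. Track whether anything changed and write only then, as sketched below, and decide explicitly whether a failed write should fail initialisation. Defaulting an empty `rownerID` to the device's own id is not mentioned in the commit description; a short comment saying why that owner is correct would help the next reader. The function body starts outside this hunk.

```c
    bool isDirty = false;
    // … unchanged: deviceID/emptyUuid declarations, GetDoxmDeviceID call and VERIFY_SUCCESS …
    LL_FOREACH(gCred, cred)
    {
        OicUuid_t oldSubject = cred->subject;
        // … unchanged: CheckSubjectOfCertificate and IsValidCredential warnings …
        if (0 != memcmp(&oldSubject, &cred->subject, sizeof(OicUuid_t)))
        {
            isDirty = true;
        }
    }

    if (0 == memcmp(&gCred->rownerID, &emptyUuid, sizeof(OicUuid_t)))
    {
        memcpy(&gCred->rownerID, &deviceID, sizeof(OicUuid_t));
        isDirty = true;
    }

    // Write back only when a subject or rownerID was actually rewritten.
    if (isDirty && !UpdatePersistentStorage(gCred))
    {
        OIC_LOG(FATAL, TAG, "UpdatePersistentStorage failed!");
    }
```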