diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..87eaf54 --- /dev/null +++ b/.clang-format 
@@ -0,0 +1,240 @@ +--- +Language: Cpp +# BasedOnStyle: WebKit +AccessModifierOffset: -4 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: true +AlignConsecutiveDeclarations: false +AlignEscapedNewlines: Right +AlignOperands: false +AlignTrailingComments: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: false +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: Inline +AllowShortIfStatementsOnASingleLine: false +AllowShortLoopsOnASingleLine: false +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: true +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterClass: true + AfterControlStatement: true + AfterEnum: true + AfterFunction: true + AfterNamespace: false + AfterObjCDeclaration: true + AfterStruct: true + AfterUnion: true + BeforeCatch: false + BeforeElse: true + IndentBraces: false + SplitEmptyFunction: false + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Custom +BreakBeforeInheritanceComma: false +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +BreakConstructorInitializers: AfterColon +BreakAfterJavaFieldAnnotations: false +BreakStringLiterals: true +ColumnLimit: 132 +CommentPragmas: '^ IWYU pragma:' +CompactNamespaces: false +ConstructorInitializerAllOnOneLineOrOnePerLine: false +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: false +DerivePointerAlignment: false +DisableFormat: false +ExperimentalAutoDetectBinPacking: false +FixNamespaceComments: true +ForEachMacros: + - foreach + - Q_FOREACH + - BOOST_FOREACH +IncludeCategories: + - Regex: '^ + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | 
Password to decrypt input P12 File -| config-path +| config | L -| --config-path + +| --config + -L + (Defaults to 'libcertifier.cfg' if not supplied) | Pass in custom set of configurations for commandline utility @@ -152,10 +152,10 @@ The command below fetches a Matter-compliant Operational Certificate with a desi | Enable verbose log output mode. + Disabled by default - Only error messages are shown. -| crt-type +| auth-type | X -| --crt-type + --X +| --auth-type + +-X | Select Output CRT Type (X509 or other values) | auth-token @@ -173,9 +173,9 @@ Only valid and mandatory when client option is also passed in. | Input CRT (Base64). + It is an optional parameter, but will take precedence (against auth token) if used -| overwrite-p12-file +| overwrite-p12 | f -| --overwrite-p12-file + +| --overwrite-p12 + -f | Overwrite P12 File 
@@ -185,49 +185,53 @@ It is an optional parameter, but will take precedence (against auth token) if us -P | Choose type of Certificate to be fetched from PKI (Either DAC Certificate - XFN_DL_PAI_1_Class_3 - or Matter Operational Certificate - XFN_Matter_OP_Class_3_ICA) -| output-p12-file +| output-p12-path | o -| --output-p12-file + +| --output-p12-path + -o | Choose pathname of the resulting file that will store the P12 Chain that will include the generated certificate -| output-p12-pass +| output-p12-password | w -| --output-12-pass + +| --output-12-password + -w | Password to encrypt the output p12 file +| validity-days +| v +| --validity-days + +-v +| Choose number of validity days that a certificate is issued with + | product-id | i | --product-id + + -n -| Choose NodeID (64-bit integer) to be assigned to the resulting certificate +| Choose ProductID (16-bit integer) to be assigned to the resulting certificate. + +Matter Only certificate parameter | node-id | n | --node-id + + -n -| Choose NodeID (64-bit integer) to be assigned to the resulting certificate +| Choose NodeID (64-bit integer) to be assigned to the resulting certificate + +Matter Only certificate | fabric-id | F | --fabric-id + -F -| Choose FabricID (64-bit integer) to be assigned to the resulting certificate +| Choose FabricID (64-bit integer) to be assigned to the resulting certificate + +Matter Only certificate | case-auth-tag | a | --case-auth-tag + -a -| Choose CASE Authentication Tag (32-bit integer) to be assigned to the resulting certificate - -| validity-days -| v -| --validity-days + --v -| Choose number of validity days that a certificate is issued with +| Choose CASE Authentication Tag (32-bit integer) to be assigned to the resulting certificate + +Matter Only certificate |=== 
@@ -242,22 +246,22 @@ It is an optional parameter, but will take precedence (against auth token) if us -h | Display this summary -| pkcs12-path +| input-p12-path | k -| --pkcs12-path + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | Password to decrypt input P12 File -| config-path +| config | L -| --config-path + +| --config + -L + (Defaults to 'libcertifier.cfg' if not supplied) | Pass in custom set of configurations for commandline utility @@ -269,10 +273,10 @@ It is an optional parameter, but will take precedence (against auth token) if us | Enable verbose log output mode. + Disabled by default - Only error messages are shown. -| crt-type +| auth-type | X -| --crt-type + --X +| --auth-type + +-X | Select Output CRT Type (X509 or other values) | auth-token @@ -295,15 +299,15 @@ Disabled by default - Only error messages are shown. -h | Display this summary -| pkcs12-path +| input-p12-path | k -| --pkcs12-path + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | Password to decrypt input P12 File @@ -335,15 +339,15 @@ Disabled by default - Only error messages are shown. -h | Display this summary -| pkcs12-path +| input-p12-path | k -| --pkcs12-path + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | Password to decrypt input P12 File 
@@ -362,12 +366,6 @@ Disabled by default - Only error messages are shown. | Enable verbose log output mode. + Disabled by default - Only error messages are shown. -| validity-days -| t -| --validity-days + --t -| Choose number of validity days that a certificate is issued with - |=== == *certifierUtil print-cert options* @@ -381,16 +379,16 @@ Disabled by default - Only error messages are shown. -h | Display this summary -| pkcs12-path +| input-p12-path | k -| --pkcs12-path + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | Password to decrypt input P12 File @@ -422,15 +420,15 @@ Disabled by default - Only error messages are shown. -h | Display this summary -| pkcs12-path +| input-p12-path | k -| --pkcs12-path + +| --input-p12-path + -k | Path to the PKCS12 File -| pkcs12-password +| input-p12-password | p -| --pkcs12-password + +| --input-p12-password + -p + (Defaults to 'changeit' if not supplied) | Password to decrypt input P12 File @@ -468,19 +466,14 @@ Here are the details for every valid entry that can be added to the Configuratio | "XFN_Matter_OP_Class_3_ICA" | Set Profile name for the desired certificate to fetch (Defaults to Matter Operational Certificate) -| libcertifier.num.days +| libcertifier.validity.days | 365 | Set the number of validity days of the issuing certificate -| libcertifier.crt.type +| libcertifier.auth.type | "X509" | Choose CRT input type -| libcertifier.disable.auto.renewal -| 0 -| Enable automatic certificate renewal. + -Note: value type = `bool` - | libcertifier.ecc.curve.id | "prime256v1" | Select ECC Curve ID for the issuing certificate 
@@ -497,14 +490,14 @@ Note: value type = `bool` | 0 | Enable Debug/Trace output during HTTP exchange -| libcertifier.int.ca -| -| Store device's Intermediate CA Certificate - -| libcertifier.keystore -| "lrg" +| libcertifier.input.p12.path +| "seed.p12" | Set Path to the input PKCS#12 File containing a keypair and client certificate +| libcertifier.input.p12.password +| "changeit" +| Set password of the PKCS#12 file + | libcertifier.log.file | "/tmp/libcertifier.log" | Set file to store all logs of the xPKI transaction @@ -522,17 +515,9 @@ Note: value type = `bool` | Enable performance logs. + Note: value type = `bool` -| libcertifier.password -| "changeit" -| Set password of the keystore/PKCS#12 file - -| libcertifier.root.ca -| -| Store device's Root Certificate - -| libcertifier.source.name +| libcertifier.source.id | "libcertifier-opensource" -| Set the request source name +| Set the request source id | libcertifier.tls.insecure.host | 0 diff --git a/include/certifier/certifier_api_easy.h b/include/certifier/certifier_api_easy.h index 950fd6f..7c65db1 100644 --- a/include/certifier/certifier_api_easy.h +++ b/include/certifier/certifier_api_easy.h @@ -19,9 +19,7 @@ #ifndef CERTIFIER_API_EASY_H #define CERTIFIER_API_EASY_H -#include "certifier.h" #include "certifier/property.h" -#include "certifier/types.h" #ifdef __cplusplus extern "C" { @@ -29,8 +27,6 @@ extern "C" { typedef struct CERTIFIER CERTIFIER; -typedef struct http_response http_response; - /** * Modes for certifier_api_easy_perform. * @note Postconditions are true only after calling certifier_api_easy_perform and receiving a 0 (OK) result code. 
@@ -224,28 +220,6 @@ const char *certifier_api_easy_get_result_json(CERTIFIER *easy);
 */
 const char *certifier_api_easy_get_result(CERTIFIER *easy);
-/**
- * Send a CSR to HTTP server
- * @param easy
- * @param url
- * @param http_headers
- * @param csr
- * @return HTTP response
- */
-http_response *certifier_api_easy_http_post( const CERTIFIER *easy,
- const char *url,
- const char *http_headers[],
- const char *csr);
-
-int certifier_api_easy_set_keys_and_node_address(CERTIFIER *easy, ECC_KEY *new_key);
-
-void certifier_api_easy_set_ecc_key(CERTIFIER *easy, const ECC_KEY *key);
-
-const ECC_KEY *certifier_api_easy_get_priv_key(CERTIFIER *easy);
-
-int certifier_api_easy_create_json_csr(CERTIFIER *easy, unsigned char *csr, char *node_address, char **json_csr);
-
-const char *certifier_api_easy_get_node_address(CERTIFIER *easy);
 /**
 * @}
 */
diff --git a/include/certifier/property.h b/include/certifier/property.h
index ad46b31..f4e9d8a 100644
--- a/include/certifier/property.h
+++ b/include/certifier/property.h
@@ -19,8 +19,6 @@
 #ifndef PROPERTY_H
 #define PROPERTY_H
-#include "certifier/types.h"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -39,17 +37,18 @@ typedef enum CERTIFIER_OPT
 * @post The file at the given path is loaded and any options are set (when the file exists and is valid).
 */
 CERTIFIER_OPT_CFG_FILENAME = 1,
- CERTIFIER_OPT_CRT_TYPE = 2,
+ CERTIFIER_OPT_AUTH_TYPE = 2,
 CERTIFIER_OPT_CERTIFIER_URL = 3,
 CERTIFIER_OPT_HTTP_TIMEOUT = 4,
 CERTIFIER_OPT_HTTP_CONNECT_TIMEOUT = 5,
- CERTIFIER_OPT_KEYSTORE = 6,
- CERTIFIER_OPT_PASSWORD = 7,
- CERTIFIER_OPT_PASSWORD_OUT = 8,
- CERTIFIER_OPT_CA_INFO = 9,
- CERTIFIER_OPT_CA_PATH = 10,
- CERTIFIER_OPT_CRT = 11,
- CERTIFIER_OPT_PROFILE_NAME = 12,
+ CERTIFIER_OPT_INPUT_P12_PATH = 6,
+ CERTIFIER_OPT_INPUT_P12_PASSWORD = 7,
+ CERTIFIER_OPT_OUTPUT_P12_PATH = 8,
+ CERTIFIER_OPT_OUTPUT_P12_PASSWORD = 9,
+ CERTIFIER_OPT_CA_INFO = 10,
+ CERTIFIER_OPT_CA_PATH = 11,
+ CERTIFIER_OPT_CRT = 12,
+ CERTIFIER_OPT_PROFILE_NAME = 13,
 /**
 * Bitmap containing boolean options (read-only).
@@ -57,18 +56,17 @@ typedef enum CERTIFIER_OPT
 * @see CERTIFIER_OPT_OPTION for bits and CERTIFIER_OPT for available options
 * @note value type: int
 */
- CERTIFIER_OPT_OPTIONS = 13,
- CERTIFIER_OPT_ECC_CURVE_ID = 14,
+ CERTIFIER_OPT_OPTIONS = 14,
+ CERTIFIER_OPT_ECC_CURVE_ID = 15,
 /**
 * Set this to request certificates with an X.509 subjectAltName (otherName type).
 * @note value type: string
 */
- CERTIFIER_OPT_SYSTEM_ID = 15,
- CERTIFIER_OPT_FABRIC_ID = 16,
- CERTIFIER_OPT_PRODUCT_ID = 17,
- CERTIFIER_OPT_ROOT_CA = 18,
- CERTIFIER_OPT_INT_CA = 19,
+ CERTIFIER_OPT_SYSTEM_ID = 16,
+ CERTIFIER_OPT_FABRIC_ID = 17,
+ CERTIFIER_OPT_PRODUCT_ID = 18,
+ // 19 is unused
 CERTIFIER_OPT_LOG_FILENAME = 20,
 CERTIFIER_OPT_LOG_LEVEL = 21,
 // 22 is unused
@@ -92,7 +90,7 @@ typedef enum CERTIFIER_OPT
 */
 CERTIFIER_OPT_SOURCE = 45,
 CERTIFIER_OPT_CN_PREFIX = 46,
- CERTIFIER_OPT_NUM_DAYS = 47,
+ CERTIFIER_OPT_VALIDITY_DAYS = 47,
 CERTIFIER_OPT_EXT_KEY_USAGE = 48,
 /**
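Review bot: The numeric ids of CERTIFIER_OPT_CA_INFO through CERTIFIER_OPT_PROFILE_NAME, CERTIFIER_OPT_OPTIONS, CERTIFIER_OPT_ECC_CURVE_ID and CERTIFIER_OPT_SYSTEM_ID..CERTIFIER_OPT_PRODUCT_ID all move here, and the property.h hunks on the next line reassign the CERTIFIER_OPT_OPTION bits (FORCE_REGISTRATION 16 to 4, MEASURE_PERFORMANCE 128 to 8, CERTIFICATE_LITE 64 to 16) and delete unnumbered entries, which shifts every later implicit value such as CERTIFIER_OPT_MAC_ADDRESS. Nothing in the header records this, so a binary built against the old header that passes option ids or bit values into the new library silently selects a different option (old CA_INFO was 9, which is now OUTPUT_P12_PASSWORD). Unless the library is only ever consumed from source (not visible here), a comment at the head of the enum such as `/* NOTE: option ids and CERTIFIER_OPT_OPTION bit values were renumbered in this revision (ABI break); all callers must be rebuilt. */` should be added, and future additions appended at the end rather than renumbering. The CERTIFIER_OPT enum begins before this hunk.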
@@ -128,18 +126,6 @@ typedef enum CERTIFIER_OPT
 */
 CERTIFIER_OPT_TRACE_HTTP,
- /**
- * Disable TLS host (subject/subject alternative name(s)) authentication
- * @note value type: bool
- */
- CERTIFIER_OPT_TLS_INSECURE_HOST,
-
- /**
- * Disable TLS peer (certificate issuer) authentication
- * @note value type: bool
- */
- CERTIFIER_OPT_TLS_INSECURE_PEER,
-
 /**
 * Disable any existing keystore when registering.
 * This can be set, for example, when attempting to recover from a corrupted keystore, or to force a re-key.
@@ -164,11 +150,6 @@ typedef enum CERTIFIER_OPT
 CERTIFIER_OPT_MAC_ADDRESS,
- /**
- * @note value type: string
- */
- CERTIFIER_OPT_OUTPUT_KEYSTORE,
-
 /**
 * Simulate the "not-valid-before" date.
 * @note value type: ASN.1 time string in the format 'YYYYMMDDHHMMSSZ'
@@ -202,13 +183,10 @@ typedef enum CERTIFIER_OPT
 typedef enum {
 CERTIFIER_OPTION_DEBUG_HTTP = 1,
 CERTIFIER_OPTION_TRACE_HTTP = 2,
- CERTIFIER_OPTION_TLS_INSECURE_HOST = 4,
- CERTIFIER_OPTION_TLS_INSECURE_PEER = 8,
- CERTIFIER_OPTION_FORCE_REGISTRATION = 16,
- // 32 is unused
- CERTIFIER_OPTION_CERTIFICATE_LITE = 64,
- CERTIFIER_OPTION_MEASURE_PERFORMANCE = 128,
- // 256, 512, 1024 are unused
+ CERTIFIER_OPTION_FORCE_REGISTRATION = 4,
+ CERTIFIER_OPTION_MEASURE_PERFORMANCE = 8,
+ CERTIFIER_OPTION_CERTIFICATE_LITE = 16,
+ // 32, 64, 128, 256, 512, 1024 are unused
 } CERTIFIER_OPT_OPTION;
 /**
diff --git a/include/certifier/xpki_client.h b/include/certifier/xpki_client.h
new file mode 100644
index 0000000..4b1b25e
--- /dev/null
+++ b/include/certifier/xpki_client.h
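Review bot: Removing CERTIFIER_OPT_TLS_INSECURE_HOST / CERTIFIER_OPT_TLS_INSECURE_PEER and their CERTIFIER_OPTION_ bits is not carried through to the documentation: the context lines of the earlier asciidoc hunk on this page still list `libcertifier.tls.insecure.host` as a configuration entry with default 0, while libcertifier.cfg.sample drops both keys in the same commit. Whatever the config parser now does with these keys (not visible here), the documentation row should either be deleted or state that the key is ignored, so an operator does not believe a switch for disabling host or peer verification still exists. The CERTIFIER_OPT enum begins before the first of these hunks.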
@@ -0,0 +1,154 @@
+/**
+ * Copyright 2022 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef XPKI_CLIENT_H
+#define XPKI_CLIENT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include
+#include
+#include
+
+typedef enum
+{
+ XPKI_CLIENT_SUCCESS = 0,
+ XPKI_CLIENT_ERROR_INTERNAL,
+ XPKI_CLIENT_INVALID_ARGUMENT,
+ XPKI_CLIENT_NOT_IMPLEMENTED,
+ XPKI_CLIENT_CERT_ALREADY_VALID,
+ XPKI_CLIENT_ERROR_NO_MEMORY,
+} XPKI_CLIENT_ERROR_CODE;
+
+typedef enum
+{
+ XPKI_CLIENT_CERT_VALID = 0,
+ XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE = 1 << 0,
+ XPKI_CLIENT_CERT_EXPIRED = 1 << 1,
+ XPKI_CLIENT_CERT_NOT_YET_VALID = 1 << 2,
+ XPKI_CLIENT_CERT_REVOKED = 1 << 3,
+ XPKI_CLIENT_CERT_UNKNOWN = 1 << 4,
+} XPKI_CLIENT_CERT_STATUS;
+
+typedef enum
+{
+ XPKI_AUTH_X509_CRT,
+ XPKI_AUTH_TOKEN,
+} XPKI_AUTH_TYPE;
+
+#define FOREACH_PROFILE_NAME(PROFILE_NAME) \
+ PROFILE_NAME(Comcast_RDKDRI_Issuing_ECC_ICA) \
+ PROFILE_NAME(Comcast_RDK_Device_Issuing_ECC_ICA) \
+ PROFILE_NAME(Comcast_RDK_Issuing_ECC_ICA) \
+ PROFILE_NAME(NSE_Platform_Services_Cassandra_RSA_ICA) \
+ PROFILE_NAME(NSE_Platform_Services_Hadoop_RSA_ICA) \
+ PROFILE_NAME(NSE_Platform_Services_Kafka_RSA_ICA) \
+ PROFILE_NAME(NSE_Platform_Services_VSG_RSA_ICA) \
+ PROFILE_NAME(OTT_Issuing_ECC_ICA) \
+ PROFILE_NAME(SAT_NG_Issuing_ECC_ICA) \
+ PROFILE_NAME(Sky_RDKDRI_Issuing_ECC_ICA) \
+ PROFILE_NAME(Sky_RDK_Device_Issuing_ECC_ICA) \
+ PROFILE_NAME(Sky_RDK_Issuing_ECC_ICA) \
+ PROFILE_NAME(TPX_Advanced_Voice_CPE_RSA_ICA) \
+ PROFILE_NAME(XFN_AS_PAI_1) \
+ PROFILE_NAME(XFN_DL_PAI_1) \
+ PROFILE_NAME(XFN_DL_PAI_1_Class_3) \
+ PROFILE_NAME(XFN_Matter_OP_Class_3_ICA) \
+ PROFILE_NAME(XFN_Matter_OP_ICA) \
+ PROFILE_NAME(Xfinity_Default_Issuing_ECC_ICA) \
+ PROFILE_NAME(Xfinity_Digital_Home_Issuing_RSA_ICA) \
+ PROFILE_NAME(Xfinity_Remote_Device_Issuing_RSA_ICA) \
+ PROFILE_NAME(Xfinity_Subscriber_Issuing_ECC_ICA) \
+ PROFILE_NAME(Xfinity_Subscriber_Issuing_RSA_ICA)
+
+#define GENERATE_ENUM(ENUM) ENUM,
+#define GENERATE_STRING(STRING) #STRING,
+
+typedef enum
+{
+ FOREACH_PROFILE_NAME(GENERATE_ENUM) XPKI_PROFILE_MAX
+} XPKI_PROFILE_NAME;
+
+/** @struct get_cert_param_t
+ * @brief This structure contains all parameters that can be manipulated for a certificate generation.
+ * @var get_cert_param_t::input_p12_path
+ * Contains the path to the PKCS12 Seed.
+ * @var get_cert_param_t::input_p12_password
+ * Contains the password for the PKCS12 Seed
+ * @var get_cert_param_t::output_p12_path.
+ * Contains the path where the resulting certificate shall be written to.
+ * @var get_cert_param_t::output_p12_password
+ * Contains the password for resulting certificate.
+ * @var get_cert_param_t::auth_type
+ * Selects the Authentication type when requesting a certificate to the Server.
+ * See XPKI_AUTH_TYPE enum for more details.
+ * @var get_cert_param_t::profile_name
+ * Selects the Profle Name/Certificate Issuer for the certificate being requested from the Server.
+ * See XPKI_PROFILE_NAME enum for more details.
+ * @var get_cert_param_t::overwrite_p12
+ * Enables output file being overwritten if already existing.
+ * @var get_cert_param_t::validity_days
+ * Select the number of valid days the certificate being requested shall last.
+ * @var get_cert_param_t::lite
+ * Select to request a lite certificate.
+ * @var get_cert_param_t::product_id
+ * Choose the Product ID to be registered in the certificate being requested.
+ * Matter Only Cerificate Parameter
+ * @var get_cert_param_t::node_id
+ * Choose the Node ID to be registered in the certificate being requested.
+ * Matter Only Cerificate Parameter
+ * @var get_cert_param_t::fabric_id
+ * Choose the Fabric ID to be registered in the certificate being requested.
+ * Matter Only Cerificate Parameter
+ * @var get_cert_param_t::case_auth_tag
+ * Choose the Case Authentaiction Tag to be registered in the certificate being requested.
+ * Matter Only Cerificate Parameter
+ */
+typedef struct
+{
+ const char * input_p12_path;
+ const char * input_p12_password;
+ const char * output_p12_path;
+ const char * output_p12_password;
+ XPKI_AUTH_TYPE auth_type;
+ XPKI_PROFILE_NAME profile_name;
+ bool overwrite_p12;
+ size_t validity_days;
+ bool lite;
+ // matter only parameters below
+ uint16_t product_id;
+ uint64_t node_id;
+ uint64_t fabric_id;
+ uint32_t case_auth_tag;
+} get_cert_param_t;
+
+XPKI_CLIENT_ERROR_CODE xc_get_default_cert_param(get_cert_param_t * params);
+
+XPKI_CLIENT_ERROR_CODE xc_get_cert(get_cert_param_t * params);
+
+XPKI_CLIENT_ERROR_CODE xc_renew_cert(const char * p12_path, const char * password);
+
+XPKI_CLIENT_CERT_STATUS xc_get_cert_status(const char * p12_path, const char * password);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // XPKI_CLIENT_H
diff --git a/include/certifier/certifier.h b/internal_headers/certifier/certifier.h
similarity index 74%
rename from include/certifier/certifier.h
rename to internal_headers/certifier/certifier.h
index 3dc63bb..2c406da 100644
--- a/include/certifier/certifier.h
+++ b/internal_headers/certifier/certifier.h
@@ -20,6 +20,7 @@
 #define CERTIFIER_H
 #include "certifier/property.h"
+#include "certifier/types.h"
 #ifdef __cplusplus
 extern "C" {
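Review bot: The four public entry points `xc_get_default_cert_param`, `xc_get_cert`, `xc_renew_cert` and `xc_get_cert_status` are declared without any Doxygen block, so a caller cannot tell who owns the strings placed in get_cert_param_t and how long they must stay valid, whether an XPKI_CLIENT_CERT_STATUS result is to be read as a bitmask (its flags are powers of two while XPKI_CLIENT_CERT_VALID is 0), or how an unreadable file or wrong password is reported by xc_get_cert_status, which has no error channel beyond XPKI_CLIENT_CERT_UNKNOWN; a short block per declaration covering ownership, return values and the status semantics should be added. GENERATE_ENUM and GENERATE_STRING are unprefixed helper macros in a public header and can collide with a consumer's macros of the same name; a prefixed spelling such as `XPKI_GENERATE_ENUM` confines them. The three `#include` lines have lost their header names in this rendering; the struct needs <stdbool.h>, <stddef.h> and <stdint.h> for bool, size_t and the fixed-width types, so the names should be checked in the committed file. The struct comment also carries typos (Profle, Cerificate, Authentaiction) and a stray period after `output_p12_path`.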
@@ -28,57 +29,6 @@ extern "C" { /* CHUNK is the size of the memory chunk used by the zlib routines. */ #define CHUNK 10000 -// Digicert CIS -#define DEFAULT_ROOT_CA "-----BEGIN CERTIFICATE-----\n" \ -"MIIDnDCCAoSgAwIBAgIBETANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEV\n" \ -"MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t\n" \ -"MR4wHAYDVQQDExVEaWdpQ2VydCBUZXN0IFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAw\n" \ -"WhcNMzExMTEwMDAwMDAwWjBfMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNl\n" \ -"cnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVEaWdp\n" \ -"Q2VydCBUZXN0IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n" \ -"AQC2mEEv1NiVWb1x7GlRVwmW7tAUQhslTr+5Iz8tHrUq1l1+7rAxjkLzovibesr+\n" \ -"orXuL++zlpBAQKxIOQ1T9Kw8m+OKDtAjRiMhP4Mx6O2Qpe4N3Pras2pCPGToXrKf\n" \ -"/68lPmt52Fnqd8ISoaBh0+i+SUWM2aNm6e+JFq6IQ/iE2crOXBHaRpv4/IOMCfrT\n" \ -"6zAaFnsmWoUjGc6ISqb2nwsYMMOCZtH57ygc54GcIp7t6mmJ3S/Myewtkkk+AGrm\n" \ -"hRAgi8/eE6eU++jQoGrZ8UfgYZahTSZkJHZtRj+m9sSUsMX2Lw4Uxk2gUUkdNHvo\n" \ -"Odzd+sBLmiw5z6vI9d0YYfwBAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNV\n" \ -"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRGsHII/DXl+vr/nd5REG5ilV3XsDAfBgNV\n" \ -"HSMEGDAWgBRGsHII/DXl+vr/nd5REG5ilV3XsDANBgkqhkiG9w0BAQUFAAOCAQEA\n" \ -"WcypG3UOkkFw+FEtQmXQDxPBWmS36KwQ64myJXnqcd41ZskYjyCE62iXd2qfQOQ0\n" \ -"aoTkbcIo3Ov7RX9M5+m3kpzZmlHHwef0ePd5p1dtVsmnR22TXdmpyxPDOLtYz7wd\n" \ -"3DTG2G5fUN2/dgeTK8mITonetrVOkpVx8WtJkMGgVN5Dhy6gVYw0XpNfweyPNacq\n" \ -"u0BwrelLn5qTBXCYwg7IWFP2Ca34Xr2tLcQ17zE+PX51TonA7RdB4eOZ2JE6cJp9\n" \ -"5D0dyY/RjQvQpn8d7ZjSaHq0HzBMwcXkVMcoKjhOpmwoJz/sJzlt7WFpjd+xyNEr\n" \ -"ChW/tdOxL+vy0HBs7NYzkQ==\n" \ -"-----END CERTIFICATE-----" - -// Digicert CIS -#define DEFAULT_INT_CA "-----BEGIN CERTIFICATE-----\n" \ -"MIIECzCCAvOgAwIBAgIQDz6kXMM9nbbLagSg9vLw2TANBgkqhkiG9w0BAQwFADBf\n" \ -"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" \ -"d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVEaWdpQ2VydCBUZXN0IFJvb3QgQ0Ew\n" \ -"HhcNMTYwNzExMTIwNDE1WhcNMjYwNzExMTIwNDE1WjBVMQwwCgYDVQQGEwNVU0Ex\n" \ 
-"FzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMSwwKgYDVQQDEyNEaWdpQ2VydCBUZXN0\n" \ -"IEVDQyBJbnRlcm1lZGlhdGUgQ0EtMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABI5j\n" \ -"ChFeoXBv6z51jk6bmNEZaNmHt6uLtUIwG+sLux+ROjI2qgbXLywWdeD6JlARaz9z\n" \ -"PplVfTJb3s73L7VUCcBMw2tb/VGfD/yZ31bqiuuNJqxEbJtdZ3pwUgYBWKgw5KOC\n" \ -"AXkwggF1MB0GA1UdDgQWBBTCVPHjfLke82pOZhLs3w0cKQihOTAfBgNVHSMEGDAW\n" \ -"gBRGsHII/DXl+vr/nd5REG5ilV3XsDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n" \ -"DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNAYIKwYB\n" \ -"BQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w\n" \ -"ewYDVR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lD\n" \ -"ZXJ0VGVzdFJvb3RDQUcyLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQu\n" \ -"Y29tL0RpZ2lDZXJ0VGVzdFJvb3RDQUcyLmNybDA9BgNVHSAENjA0MDIGBFUdIAAw\n" \ -"KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzANBgkq\n" \ -"hkiG9w0BAQwFAAOCAQEAO6xbaIjuI+Xwore7bCEvfmWD8UJ+bwJjSK5mwDAEKOXY\n" \ -"nK7rNpK3nuLxK1I4gqUspBLXZx4I9WaSQ12o5+H2yDc+2C+klxhAZNtK7GAtTpyX\n" \ -"Mjr9VndKuxunEfoil/hpN8JA0KTmWNnlljxkq6UahDyTgMxIOcHUrFEcP7yatXeM\n" \ -"IHHCzEgL2sVe2wsMosjjjyutibA82/jZIA/CXyC/VdO/e0prTEgEELtjSzQ68pik\n" \ -"GqnNUj6bnL/AGO+UpVqPWC4ZwuNYX9c30umItzvWDDRVNaNX4VCHsRQMj9etXoI1\n" \ -"kQdzN/2TPfJCUMk2yysrSCDoe3EbMr62QmzOhQQ6gw==\n" \ -"-----END CERTIFICATE-----" - - #define ALLOWABLE_CHARACTERS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnpqrstuvwxyz0123456879" #define CERTIFIER_ERR_INIT_CERTIFIER 1000 diff --git a/internal_headers/certifier/certifier_api_easy_internal.h b/internal_headers/certifier/certifier_api_easy_internal.h new file mode 100644 index 0000000..f30223f --- /dev/null +++ b/internal_headers/certifier/certifier_api_easy_internal.h 
@@ -0,0 +1,61 @@
+/**
+ * Copyright 2022 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef CERTIFIER_API_EASY_INTERNAL_H
+#define CERTIFIER_API_EASY_INTERNAL_H
+
+#include "certifier/types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct CERTIFIER CERTIFIER;
+
+typedef struct http_response http_response;
+
+/**
+ * Send a CSR to HTTP server
+ * @param easy
+ * @param url
+ * @param http_headers
+ * @param csr
+ * @return HTTP response
+ */
+http_response * certifier_api_easy_http_post(const CERTIFIER * easy, const char * url, const char * http_headers[],
+ const char * csr);
+
+int certifier_api_easy_set_keys_and_node_address(CERTIFIER * easy, ECC_KEY * new_key);
+
+void certifier_api_easy_set_ecc_key(CERTIFIER * easy, const ECC_KEY * key);
+
+const ECC_KEY * certifier_api_easy_get_priv_key(CERTIFIER * easy);
+
+int certifier_api_easy_create_json_csr(CERTIFIER * easy, unsigned char * csr, char * node_address, char ** json_csr);
+
+const char * certifier_api_easy_get_node_address(CERTIFIER * easy);
+
+/**
+ * @}
+ */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // CERTIFIER_API_EASY_INTERNAL_H
diff --git a/internal_headers/certifier/http.h b/internal_headers/certifier/http.h
index 51b3fa2..a812a15 100644
--- a/internal_headers/certifier/http.h
+++ b/internal_headers/certifier/http.h
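Review bot: The trailing `/** @} */` closes a Doxygen group that this header never opens; it was carried over from certifier_api_easy.h, where the moved prototypes sat inside a group, and here it either closes nothing or closes whichever group an including file happens to have open. Either drop it or open a group after the includes with `/** @defgroup certifier_api_easy_internal ... @{ */` (constructed name). The `@param easy`, `@param url`, `@param http_headers` and `@param csr` tags on certifier_api_easy_http_post are empty and the other five prototypes are undocumented; the block should at least say how the end of http_headers[] is determined and who frees the returned http_response, neither of which is visible here. certifier_api_easy_get_priv_key hands out the private key, so its block should state that the pointer is borrowed and must not be freed or retained past the CERTIFIER's lifetime, if that is the contract.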
@@ -39,12 +39,12 @@ extern "C" {
 } \
 } \
-struct http_response {
+typedef struct http_response {
 const char *error_msg;
 const char *payload;
 int http_code;
 int error;
-};
+} http_response;
 int http_init(void);
diff --git a/internal_headers/certifier/security.h b/internal_headers/certifier/security.h
index fef6c43..6a2cd98 100644
--- a/internal_headers/certifier/security.h
+++ b/internal_headers/certifier/security.h
@@ -234,6 +234,8 @@ unsigned char *security_X509_to_DER(X509_CERT *cert, size_t *out_len);
 X509_CERT *security_X509_from_DER(const unsigned char *der, size_t der_len);
+int security_X509List_from_X509s(X509_LIST* ca_chain, X509_CERT *ca_cert, X509_CERT *root_cert);
+
 void security_print_subject_issuer(const X509_CERT *cert);
 /**
diff --git a/include/certifier/types.h b/internal_headers/certifier/types.h
similarity index 100%
rename from include/certifier/types.h
rename to internal_headers/certifier/types.h
diff --git a/libcertifier.cfg.sample b/libcertifier.cfg.sample
index 6e4e5d0..230c5b6 100644
--- a/libcertifier.cfg.sample
+++ b/libcertifier.cfg.sample
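Review bot: `typedef struct http_response {...} http_response;` here and `typedef struct http_response http_response;` in the new certifier_api_easy_internal.h earlier on this page are two typedefs of the same name; C11 accepts an identical redefinition, but C99 and `-Wpedantic` builds of a translation unit that includes both headers reject it, and the project's language level is not visible here. The safer form is a single typedef: keep only `struct http_response;` as the forward declaration in the internal header and spell the prototype `struct http_response * certifier_api_easy_http_post(...)`, or have the internal header include http.h.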
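Review bot: `security_X509List_from_X509s` is added without a comment stating whether ca_chain takes ownership of ca_cert and root_cert or only references them, and what the int return means; callers will free or not free the certificates based on that answer, so guessing yields either a use-after-free or a leak of the CA chain. A three-line block above the prototype giving the ownership rule, the expected order of the two certificates if the implementation depends on it (not visible here), and the success and failure return values would settle it. The spacing `X509_LIST* ca_chain` also differs from the `X509_CERT *ca_cert` style used in the surrounding declarations.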
@@ -1,25 +1,21 @@ { "libcertifier.certifier.url": "https://certifier.xpki.io/v1/certifier", "libcertifier.profile.name": "XFN_Matter_OP_Class_3_ICA", - "libcertifier.num.days": 365, - "libcertifier.crt.type": "X509", + "libcertifier.validity.days": 365, + "libcertifier.auth.type": "X509", "libcertifier.ecc.curve.id": "prime256v1", "libcertifier.http.connect.timeout": 20, "libcertifier.http.timeout": 20, "libcertifier.http.trace": 0, - "libcertifier.int.ca": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIILYozPqRVXXwwCgYIKoZIzj0EAwIwMDEuMCwGA1UEAwwl\nWGZpbml0eSBTdWJzY3JpYmVyIEVDQyBDbGFzcyBJSUkgUm9vdDAeFw0xOTA0MDQx\nNzA5NDlaFw00NDAzMjgxNzA5NDlaMDAxLjAsBgNVBAMMJVhmaW5pdHkgU3Vic2Ny\naWJlciBFQ0MgQ2xhc3MgSUlJIFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAT+6HxsHxMJleLuNhlbC8QImb0rN3/1imQQrNAvRz6L5Cr9ELkXmmC+4fopTk+K\nKgmEsmZ19Eb7I1ZtUDQGEHomo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1Ud\nIwQYMBaAFEKPSE8KFTbOPJRbagklXxMZoVRoMB0GA1UdDgQWBBRCj0hPChU2zjyU\nW2oJJV8TGaFUaDAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIhAKMr\nI0kLwf8cZab2aCXk25NQdOKhczQa8bbiplWsbdODAiBkJv+nhWCxiC3WWS6bHz/1\nqhgaI6GMwrYxrvkX1OL0BA==\n-----END CERTIFICATE-----\n", - "libcertifier.keystore": "lrg", + "libcertifier.input.p12.path": "seed.p12", + "libcertifier.input.p12.password": "changeit", "libcertifier.log.file": "/tmp/libcertifier.log", "libcertifier.log.level": 4, "libcertifier.log.max.size": 5000000, "libcertifier.autorenew.interval": 86400, "libcertifier.autorenew.certs.path.list": "~/.libcertifier:~/.libcertifier2", "libcertifier.measure.performance": 0, - "libcertifier.password": "changeit", - "libcertifier.root.ca": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUYvPZjjnyEEDek8yWYoM2GMIgnMUwCgYIKoZIzj0EAwIw\nJjEkMCIGA1UEAwwbWGZpbml0eSBTdWJzY3JpYmVyIEVDQyBSb290MB4XDTE5MTAw\nNzE4MzIwOFoXDTQ0MDkzMDE4MzIwOFowJjEkMCIGA1UEAwwbWGZpbml0eSBTdWJz\nY3JpYmVyIEVDQyBSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZuTzvLrO\n+7G2+Ylr4O2PHMibVq1qVJMzKvQtJ8JAe1DL0HkJXRnliWT1QC5iqJuaA4Ngh31T\nj2T1tOJcYr6B36NmMGQwEgYDVR0TAQH/BAgwBgEB/wIBATAfBgNVHSMEGDAWgBSV\nn8KUP9J2ueLExe2EjezHdq/fpzAdBgNVHQ4EFgQUlZ/ClD/SdrnixMXthI3sx3av\n36cwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gAMEUCICpOBWu6UWgEIigH\n35DeYeNyAZHsGRv6/enBvbmQUzGFAiEAgR4Dhur1nQO1NSDwkHQeUsz3HV5Ahpgn\n5eHkhyAn2S0=\n-----END CERTIFICATE-----\n", - "libcertifier.source.name": "libcertifier-opensource", - "libcertifier.tls.insecure.host": 0, - "libcertifier.tls.insecure.peer": 0, + "libcertifier.source.id": "libcertifier-opensource", "libcertifier.certificate.lite": 1, "libcertifier.system.id":"BBBBBBBBBBBBBBBB", "libcertifier.fabric.id":"DDDDDDDDDDDDDDDD", diff --git a/matter_plugin/CertifierOperationalCredentialsIssuer.cpp b/matter_plugin/CertifierOperationalCredentialsIssuer.cpp index b86a1d2..5d1257d 100644 --- a/matter_plugin/CertifierOperationalCredentialsIssuer.cpp +++ b/matter_plugin/CertifierOperationalCredentialsIssuer.cpp @@ -35,6 +35,7 @@ #include #include +#include #include #include #include diff --git a/matter_plugin/libcertifier.cfg b/matter_plugin/libcertifier.cfg deleted file mode 100644 index 491a774..0000000 --- a/matter_plugin/libcertifier.cfg +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "libcertifier.certifier.url": "https://certifier.xpki.io/v1/certifier", - "libcertifier.profile.name": "XFN_Matter_OP_Class_3_ICA", - "libcertifier.num.days": 365, - "libcertifier.crt.type": "X509", - "libcertifier.ecc.curve.id": "prime256v1", - "libcertifier.http.connect.timeout": 10000, - "libcertifier.http.timeout": 10000, - "libcertifier.http.trace": 0, - "libcertifier.int.ca": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIILYozPqRVXXwwCgYIKoZIzj0EAwIwMDEuMCwGA1UEAwwl\nWGZpbml0eSBTdWJzY3JpYmVyIEVDQyBDbGFzcyBJSUkgUm9vdDAeFw0xOTA0MDQx\nNzA5NDlaFw00NDAzMjgxNzA5NDlaMDAxLjAsBgNVBAMMJVhmaW5pdHkgU3Vic2Ny\naWJlciBFQ0MgQ2xhc3MgSUlJIFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAT+6HxsHxMJleLuNhlbC8QImb0rN3/1imQQrNAvRz6L5Cr9ELkXmmC+4fopTk+K\nKgmEsmZ19Eb7I1ZtUDQGEHomo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1Ud\nIwQYMBaAFEKPSE8KFTbOPJRbagklXxMZoVRoMB0GA1UdDgQWBBRCj0hPChU2zjyU\nW2oJJV8TGaFUaDAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIhAKMr\nI0kLwf8cZab2aCXk25NQdOKhczQa8bbiplWsbdODAiBkJv+nhWCxiC3WWS6bHz/1\nqhgaI6GMwrYxrvkX1OL0BA==\n-----END CERTIFICATE-----\n", - "libcertifier.keystore": "lrg", - "libcertifier.log.file": "/tmp/libcertifier.log", - "libcertifier.log.level": 4, - "libcertifier.log.max.size": 5000000, - "libcertifier.measure.performance": 0, - "libcertifier.password": "changeit", - "libcertifier.root.ca": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUYvPZjjnyEEDek8yWYoM2GMIgnMUwCgYIKoZIzj0EAwIw\nJjEkMCIGA1UEAwwbWGZpbml0eSBTdWJzY3JpYmVyIEVDQyBSb290MB4XDTE5MTAw\nNzE4MzIwOFoXDTQ0MDkzMDE4MzIwOFowJjEkMCIGA1UEAwwbWGZpbml0eSBTdWJz\nY3JpYmVyIEVDQyBSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZuTzvLrO\n+7G2+Ylr4O2PHMibVq1qVJMzKvQtJ8JAe1DL0HkJXRnliWT1QC5iqJuaA4Ngh31T\nj2T1tOJcYr6B36NmMGQwEgYDVR0TAQH/BAgwBgEB/wIBATAfBgNVHSMEGDAWgBSV\nn8KUP9J2ueLExe2EjezHdq/fpzAdBgNVHQ4EFgQUlZ/ClD/SdrnixMXthI3sx3av\n36cwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gAMEUCICpOBWu6UWgEIigH\n35DeYeNyAZHsGRv6/enBvbmQUzGFAiEAgR4Dhur1nQO1NSDwkHQeUsz3HV5Ahpgn\n5eHkhyAn2S0=\n-----END 
CERTIFICATE-----\n",
- "libcertifier.source.name": "libcertifier-opensource",
- "libcertifier.tls.insecure.host": 0,
- "libcertifier.tls.insecure.peer": 0,
- "libcertifier.certificate.lite": 1,
- "libcertifier.system.id":"BBBBBBBBBBBBBBBB",
- "libcertifier.fabric.id":"DDDDDDDDDDDDDDDD",
- "libcertifier.product.id":"1101",
- "libcertifier.cn.name":"AAAAAAAA",
- "libcertifier.node.id":"CCCCCCCCCCCCCCCC",
- "libcertifier.ext.key.usage":"critical,clientAuth,serverAuth"
-}
diff --git a/matter_plugin/matter-sdk b/matter_plugin/matter-sdk
index e1966f5..26a054c 160000
--- a/matter_plugin/matter-sdk
+++ b/matter_plugin/matter-sdk
@@ -1 +1 @@
-Subproject commit e1966f57428dcd0e0fd1aba5aa753867c86e069a
+Subproject commit 26a054c31144478e3c27391c06b0dc3230bb0882
diff --git a/src/certifier.c b/src/certifier.c
index 4e124c6..9e3464c 100644
--- a/src/certifier.c
+++ b/src/certifier.c
@@ -72,8 +72,8 @@ static void set_last_error(Certifier *certifier, const int error_code, char *err
 /**
 * Load certificate info
 * @pre This device is registered
- * @pre CERTIFIER_OPT_KEYSTORE is set to a valid pkcs#12 file
- * @pre CERTIFIER_OPT_PASSWORD is set
+ * @pre CERTIFIER_OPT_INPUT_P12_PATH is set to a valid pkcs#12 file
+ * @pre CERTIFIER_OPT_INPUT_P12_PASSWORD is set
 * @post tmp_map.x509_cert is set
 * @post last error info is set on failure
 * @return 0 on success or an error code
@@ -185,8 +185,8 @@ certifier_setup_keys(Certifier *certifier) { int return_code = 0; char *tmp_node_address = NULL; - const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_KEYSTORE); - const char *password = certifier_get_property(certifier, CERTIFIER_OPT_PASSWORD); + const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH); + const char *password = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD); const char *ecc_curve_id = certifier_get_property(certifier, CERTIFIER_OPT_ECC_CURVE_ID); char *cn_prefix = certifier_get_property(certifier, CERTIFIER_OPT_CN_PREFIX); @@ -225,8 +225,8 @@ certifier_setup_keys(Certifier *certifier) { static int load_cert(Certifier *certifier) { X509_CERT *cert = NULL; - const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_KEYSTORE); - const char *password = certifier_get_property(certifier, CERTIFIER_OPT_PASSWORD); + const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH); + const char *password = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD); int return_code = 0; // If there is a .p12 file, then we were already registered @@ -402,7 +402,7 @@ static int save_x509certs_to_filesystem(Certifier *certifier, char *x509_certs, goto cleanup; } - const char *password = certifier_get_property(certifier, CERTIFIER_OPT_PASSWORD); + const char *password = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD); //FIXME: This decision is done too late. Overwrite policy should be explicit // and checked before trying to register (e.g., CERTIFIER_OPT_FORCE_REGISTRATION). 
@@ -439,7 +439,7 @@ int certifier_renew_certificate(Certifier *certifier) { unsigned char *p_der_cert = NULL; size_t der_cert_len = 0; char *x509_certs = NULL; - char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_KEYSTORE); + char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH); free_tmp(certifier); @@ -947,8 +947,8 @@ int certifier_set_property(Certifier *certifier, int name, const void *value) { certifier_set_log_callback(certifier, value); break; - case CERTIFIER_OPT_KEYSTORE: - case CERTIFIER_OPT_PASSWORD: + case CERTIFIER_OPT_INPUT_P12_PATH: + case CERTIFIER_OPT_INPUT_P12_PASSWORD: case CERTIFIER_OPT_ECC_CURVE_ID: free_tmp(certifier); break; @@ -1076,7 +1076,7 @@ int certifier_register(Certifier *certifier) { int force_registration = 0; - const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_KEYSTORE); + const char *p12_filename = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH); double start_user_cpu_time = 0, end_user_cpu_time = 0; double start_system_cpu_time = 0, end_system_cpu_time = 0; @@ -1307,7 +1307,7 @@ char* certifier_create_csr_post_data(CertifierPropMap *props, const char *profile_name = property_get(props, CERTIFIER_OPT_PROFILE_NAME); const char *product_id = property_get(props, CERTIFIER_OPT_PRODUCT_ID); const char *authenticated_tag_1 = property_get(props, CERTIFIER_OPT_AUTH_TAG_1); - size_t num_days = (size_t) property_get(props, CERTIFIER_OPT_NUM_DAYS); + size_t num_days = (size_t) property_get(props, CERTIFIER_OPT_VALIDITY_DAYS); bool is_certificate_lite = property_is_option_set(props, CERTIFIER_OPTION_CERTIFICATE_LITE); json_object_set_string(root_object, "csr", (const char *) csr); diff --git a/src/certifier_api_easy.c b/src/certifier_api_easy.c index b5cd2a7..1c36221 100644 --- a/src/certifier_api_easy.c +++ b/src/certifier_api_easy.c 
@@ -22,6 +22,7 @@ #include "certifier/log.h" #include "certifier/util.h" #include "certifier/certifier_api_easy.h" +#include "certifier/certifier_api_easy_internal.h" #include "certifier/types.h" #include "certifier/security.h" #include "certifier/http.h" @@ -32,7 +33,7 @@ #include // Defines -#define DEFAULT_PASSWORD "changeit" +#define DEFAULT_PASSWORD "changeit" #define VERY_SMALL_STRING_SIZE 32 #define VERY_LARGE_STRING_SIZE 2048 @@ -41,9 +42,6 @@ #define NODE_ID_LENGTH 16ul #define FABRIC_ID_LENGTH 16ul -#define KEYMGR_FIFO_IN_PATH "/tmp/certifier-fifo-in" -#define KEYMGR_FIFO_OUT_PATH "/tmp/certifier-fifo-out" - #define NULL_CHECK(p) \ if (p == NULL) \ return CERTIFIER_ERR_EMPTY_OR_INVALID_PARAM_1 
@@ -55,30 +53,30 @@ if (p == NULL) \ #define GET_CERT_SHORT_OPTIONS "fT:P:o:i:n:F:a:w:" #define VALIDITY_DAYS_SHORT_OPTION "t:" -#define BASE_LONG_OPTIONS \ - {"help", no_argument, NULL, 'h'}, \ - {"pkcs12-path", required_argument, NULL, 'k'}, \ - {"pkcs12-password",required_argument, NULL, 'p'}, \ - {"config", required_argument, NULL, 'L'}, \ - {"verbose", no_argument, NULL, 'v'} - -#define GET_CRT_TOKEN_LONG_OPTIONS \ - {"crt-type", required_argument, NULL, 'X'}, \ - {"auth-token", required_argument, NULL, 'S'} - -#define GET_CERT_LONG_OPTIONS \ - {"remove-pkcs12", no_argument, NULL, 'f'}, \ - {"crt", required_argument, NULL, 'T'}, \ - {"profile-name", required_argument, NULL, 'P'}, \ - {"output-p12-file",required_argument, NULL, 'o'}, \ - {"output-p12-pass",required_argument, NULL, 'w'}, \ - {"product-id", required_argument, NULL, 'i'}, \ - {"node-id", required_argument, NULL, 'n'}, \ - {"fabric-id", required_argument, NULL, 'F'}, \ - {"case-auth-tag", required_argument, NULL, 'a'} - -#define VALIDITY_DAYS_LONG_OPTION \ - {"validity-days", required_argument, NULL, 't'} +#define BASE_LONG_OPTIONS \ + {"help", no_argument, NULL, 'h'}, \ + {"input-p12-path", required_argument, NULL, 'k'}, \ + {"input-p12-password",required_argument, NULL, 'p'}, \ + {"config", required_argument, NULL, 'L'}, \ + {"verbose", no_argument, NULL, 'v'} + +#define GET_CRT_TOKEN_LONG_OPTIONS \ + {"auth-type", required_argument, NULL, 'X'}, \ + {"auth-token", required_argument, NULL, 'S'} + +#define GET_CERT_LONG_OPTIONS \ + {"overwrite-p12", no_argument, NULL, 'f'}, \ + {"crt", required_argument, NULL, 'T'}, \ + {"profile-name", required_argument, NULL, 'P'}, \ + {"output-p12-path", required_argument, NULL, 'o'}, \ + {"output-p12-password",required_argument, NULL, 'w'}, \ + {"product-id", required_argument, NULL, 'i'}, \ + {"node-id", required_argument, NULL, 'n'}, \ + {"fabric-id", required_argument, NULL, 'F'}, \ + {"case-auth-tag", required_argument, NULL, 'a'} + +#define 
VALIDITY_DAYS_LONG_OPTION \ + {"validity-days", required_argument, NULL, 't'} static void finish_operation(CERTIFIER *easy, int return_code, const char *operation_output); @@ -117,24 +115,24 @@ static const char * get_command_opt_helper(CERTIFIER_MODE mode) { #define BASE_HELPER \ "Usage: certifierUtil %s [OPTIONS]\n" \ "--help (-h)\n" \ - "--pkcs12-path [PKCS12 Path] (-k)\n" \ - "--pkcs12-password (-p)\n" \ + "--input-p12-path [PKCS12 Path] (-k)\n" \ + "--input-p12-password (-p)\n" \ "--config [value] (-L)\n" \ "--verbose (-v)\n" #define GET_CRT_TOKEN_HELPER \ - "--crt-type [value] (-X)\n" \ + "--auth-type [value] (-X)\n" \ "--auth-token [value] (-S)\n" -#define GET_CERT_HELPER \ - "--crt [value] (-T)\n" \ - "--overwrite-p12-file (-f)\n" \ - "--profile-name (-P)\n" \ - "--output-p12-file (-o)\n" \ - "--output-p12-pass (-w)\n" \ - "--product-id (-i)\n" \ - "--node-id (-n)\n" \ - "--fabric-id (-F)\n" \ +#define GET_CERT_HELPER \ + "--crt [value] (-T)\n" \ + "--overwrite-p12 (-f)\n" \ + "--profile-name (-P)\n" \ + "--output-p12-path (-o)\n" \ + "--output-p12-password (-w)\n" \ + "--product-id (-i)\n" \ + "--node-id (-n)\n" \ + "--fabric-id (-F)\n" \ "--case-auth-tag (-a)\n" #define VALIDITY_DAYS_HELPER \ @@ -169,16 +167,6 @@ static void free_easy_info(CERTIFIERInfo *info) { CERTIFIER *certifier_api_easy_new(void) { CERTIFIER *easy = NULL; - unlink(KEYMGR_FIFO_IN_PATH); - if (mkfifo(KEYMGR_FIFO_IN_PATH, 0666) != 0) { - return NULL; - } - - unlink(KEYMGR_FIFO_OUT_PATH); - if (mkfifo(KEYMGR_FIFO_OUT_PATH, 0666) != 0) { - return NULL; - } - Certifier *certifier = certifier_new(); if (certifier == NULL) { log_error("Received a null certifier."); @@ -235,9 +223,6 @@ void certifier_api_easy_destroy(CERTIFIER *easy) { free_easy_info(&easy->last_info); } - unlink(KEYMGR_FIFO_IN_PATH); - unlink(KEYMGR_FIFO_OUT_PATH); - XFREE(easy); } 
@@ -421,7 +406,7 @@ static int do_create_crt(CERTIFIER *easy) { char *crt = NULL; char *tmp_crt = NULL; - char *crt_type = certifier_get_property(easy->certifier, CERTIFIER_OPT_CRT_TYPE); + char *crt_type = certifier_get_property(easy->certifier, CERTIFIER_OPT_AUTH_TYPE); if (util_is_empty(crt_type)) { return_code = CERTIFIER_ERR_EMPTY_OR_INVALID_PARAM_1; @@ -709,61 +694,6 @@ static bool is_valid_id(const char *id, const size_t id_length) { return true; } -static int is_password_an_fd(const char *arg, char *fd_password, const size_t fd_password_length) { - int ret = 0; - const char *fd_path = NULL; - char fdneedle[4] = "fd:"; - size_t fd_length = 3; - int fd = 0; - ssize_t bytes_read = 0; - - if (strncmp(fdneedle, arg, fd_length) == 0) { - fd_path = &arg[fd_length]; - - fd = open(fd_path, O_RDONLY); - - if (fd != -1) { - bytes_read = read(fd, fd_password, fd_password_length - 1); - - if (bytes_read != -1) { - fd_password[bytes_read] = '\0'; - ret = 1; - } - - close(fd); - unlink(fd_path); - } - } - - return ret; -} - -static int is_password_in_keymgr(bool in, const char *arg, char *fd_password, const size_t fd_password_length) { - int ret = 0; - char keymgr_needle[4] = "km:"; - size_t keymgr_neddle_length = 3; - int fd = 0; - ssize_t bytes_read = 0; - - if (strncmp(keymgr_needle, arg, keymgr_neddle_length) == 0) { - - fd = open(in ? KEYMGR_FIFO_IN_PATH : KEYMGR_FIFO_OUT_PATH, O_RDONLY); - - if (fd != -1) { - bytes_read = read(fd, fd_password, fd_password_length - 1); - - if (bytes_read != -1) { - fd_password[bytes_read] = '\0'; - ret = 1; - } - - close(fd); - } - } - - return ret; -} - static int process_command_line(CERTIFIER *easy) { int return_code = 0; 
@@ -808,7 +738,6 @@ static int process_command_line(CERTIFIER *easy) { char *version_string = certifier_api_easy_get_version(easy); - char fd_password[LARGE_STRING_SIZE + 1] = {0}; char id_array[NODE_ID_LENGTH + 1] = {0}; char *end_id_array = &id_array[NODE_ID_LENGTH]; // keep last index as \0. We want this to be a null terminated string. @@ -832,22 +761,10 @@ static int process_command_line(CERTIFIER *easy) { return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_FORCE_REGISTRATION, (void *) true); break; case 'p': - if (is_password_an_fd(optarg, fd_password, sizeof(fd_password)) || - is_password_in_keymgr(true, optarg, fd_password, sizeof(fd_password))) { - - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD, fd_password); - } else { - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD, optarg); - } + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, optarg); break; case 'w': - if (is_password_an_fd(optarg, fd_password, sizeof(fd_password)) || - is_password_in_keymgr(false, optarg, fd_password, sizeof(fd_password))) { - - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT, fd_password); - } else { - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT, optarg); - } + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD, optarg); break; case 'L': return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_CFG_FILENAME, optarg); @@ -865,7 +782,7 @@ static int process_command_line(CERTIFIER *easy) { break; } - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_CRT_TYPE, optarg); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_AUTH_TYPE, optarg); break; case 'S': 
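Review bot: With the `fd:`/`km:` indirection gone, the `-p` and `-w` cases now store `optarg` as the PKCS12 password verbatim, so the secret is visible to every local user through the process argument list (`ps`, `/proc/<pid>/cmdline`) and ends up in shell history. The removed mechanism, whatever its other problems, kept the password off argv; a replacement such as reading an environment variable when the option value is omitted (`const char *pw = optarg ? optarg : getenv("CERTIFIER_INPUT_P12_PASSWORD");`, variable name constructed) would keep that property. At minimum the help text for `-p`/`-w` should state that the value is exposed on the command line. process_command_line's body begins and ends outside this hunk.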
@@ -879,14 +796,14 @@ static int process_command_line(CERTIFIER *easy) { if (optarg == NULL) { break; } - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_KEYSTORE, optarg); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PATH, optarg); break; case 'o': if (optarg == NULL) { break; } - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE, optarg); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH, optarg); break; case 'P': @@ -921,7 +838,7 @@ static int process_command_line(CERTIFIER *easy) { if (optarg == NULL) { break; } - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE, optarg); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH, optarg); if (strlen(optarg) > NODE_ID_LENGTH) { log_error("Node ID is expected to be a 64-bit hex number"); @@ -987,7 +904,7 @@ static int process_command_line(CERTIFIER *easy) { } if (atoi(optarg) > 0) { - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_NUM_DAYS, (const void *) (size_t) atoi(optarg)); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_VALIDITY_DAYS, (const void *) (size_t) atoi(optarg)); } else { log_error("Expected input to be of positive integer type"); return_code = 1; 
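Review bot: The third hunk stores `optarg` under `CERTIFIER_OPT_OUTPUT_P12_PATH` immediately before validating that same value as a Node ID, which looks like a copy of the `-o` case rather than the node-id property this branch is meant to set; if this is the `-n` branch (its `case` label is outside the hunk), a `-n` given after `-o` silently overwrites the output PKCS12 path with the node id. The mistake pre-dates the rename, but the line is rewritten here, so it is worth fixing in the same change by setting the node-id property the rest of this case expects instead of `CERTIFIER_OPT_OUTPUT_P12_PATH`. process_command_line continues outside the hunk.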
@@ -1093,26 +1010,26 @@ int certifier_api_easy_perform(CERTIFIER *easy) { force_registration = certifier_is_option_set(easy->certifier, CERTIFIER_OPTION_FORCE_REGISTRATION); - const char *password = certifier_get_property(easy->certifier, CERTIFIER_OPT_PASSWORD); + const char *password = certifier_get_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD); if (util_is_empty(password)) { - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD, DEFAULT_PASSWORD); + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, DEFAULT_PASSWORD); if (return_code != 0) { - log_error("Received return_code: <%i> while setting default CERTIFIER_OPT_PASSWORD. Exiting.", + log_error("Received return_code: <%i> while setting default CERTIFIER_OPT_INPUT_P12_PASSWORD. Exiting.", return_code); safe_exit(easy, return_code); goto cleanup; } - log_info("Default CERTIFIER_OPT_PASSWORD was set."); + log_info("Default CERTIFIER_OPT_INPUT_P12_PASSWORD was set."); } - if (util_is_empty(certifier_get_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT))) { - return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT, password); + if (util_is_empty(certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD))) { + return_code = certifier_set_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD, password); if (return_code != 0) { - log_error("Received return_code: <%i> while setting CERTIFIER_OPT_PASSWORD_OUT. Exiting.", + log_error("Received return_code: <%i> while setting CERTIFIER_OPT_OUTPUT_P12_PASSWORD. Exiting.", return_code); safe_exit(easy, return_code); goto cleanup; } - log_info("CERTIFIER_OPT_PASSWORD_OUT was set with the same value as the input Password."); + log_info("CERTIFIER_OPT_OUTPUT_P12_PASSWORD was set with the same value as the input Password."); } switch (easy->mode) { 
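Review bot: When no input password is supplied, the PKCS12 file is protected with the compile-time `DEFAULT_PASSWORD` (`"changeit"`) and the output password then inherits that same public value, yet both events are logged only with `log_info`. A private key protected by a well-known default deserves a visible warning, for example `print_warning("input-p12-password");` next to the existing info message (assuming that helper takes an option name, as it does for `"password"` in property.c), or a refusal to write the output p12 without an explicit `-w`. certifier_api_easy_perform's body starts and ends outside the hunk.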
@@ -1120,11 +1037,11 @@ int certifier_api_easy_perform(CERTIFIER *easy) { break; case CERTIFIER_MODE_REGISTER: - if (certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE) != NULL) { - certifier_set_property(easy->certifier, CERTIFIER_OPT_KEYSTORE, - certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE)); + if (certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH) != NULL) { + certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PATH, + certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH)); } - certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD, certifier_get_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT)); + certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD)); do_registration(easy); break; @@ -1151,12 +1068,12 @@ int certifier_api_easy_perform(CERTIFIER *easy) { do_create_crt(easy); - if (certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE) != NULL) { - certifier_set_property(easy->certifier, CERTIFIER_OPT_KEYSTORE, - certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_KEYSTORE)); + if (certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH) != NULL) { + certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PATH, + certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PATH)); } certifier_set_property(easy->certifier, CERTIFIER_OPT_FORCE_REGISTRATION, (void *) force_registration); - certifier_set_property(easy->certifier, CERTIFIER_OPT_PASSWORD, certifier_get_property(easy->certifier, CERTIFIER_OPT_PASSWORD_OUT)); + certifier_set_property(easy->certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, certifier_get_property(easy->certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD)); do_registration(easy); break; diff --git a/src/http.c b/src/http.c index ac083af..d3f7b44 100644 --- a/src/http.c +++ b/src/http.c 
@@ -25,8 +25,8 @@ static void set_curl_options(CURL *curl, CertifierPropMap *prop_map) {
- int host_validation = property_is_option_set(prop_map, CERTIFIER_OPTION_TLS_INSECURE_HOST) ? 0 : 2;
- int peer_validation = property_is_option_set(prop_map, CERTIFIER_OPTION_TLS_INSECURE_PEER) ? 0 : 1;
+ int host_validation = 2;
+ int peer_validation = 1;
 int is_debug_http_enabled = property_is_option_set(prop_map, CERTIFIER_OPTION_DEBUG_HTTP);
 int is_trace_http_enabled = property_is_option_set(prop_map, CERTIFIER_OPTION_TRACE_HTTP);
 long http_timeout = (long) property_get(prop_map, CERTIFIER_OPT_HTTP_TIMEOUT);
diff --git a/src/main.c b/src/main.c
index 12132ee..3d4e179 100644
--- a/src/main.c
+++ b/src/main.c
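Review bot: Hard-coding `host_validation = 2` and `peer_validation = 1` is the right call, but nothing in set_curl_options now records that an override was deliberately removed, and the two variables read like leftover configuration that the next maintainer may "restore". A one-line comment above them would prevent that: `// TLS peer and hostname verification are always enforced; the former CERTIFIER_OPTION_TLS_INSECURE_* overrides were removed on purpose.` Config files that still carry `libcertifier.tls.insecure.*` keys are now silently ignored, which is acceptable but worth a line in the changelog.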
@@ -1,20 +1,20 @@ /** -* Copyright 2019 Comcast Cable Communications Management, LLC -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -* -* SPDX-License-Identifier: Apache-2.0 -*/ + * Copyright 2019 Comcast Cable Communications Management, LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ #define _POSIX_C_SOURCE 2 @@ -24,8 +24,8 @@ #include "certifier/log.h" // Main -int -main(int argc, char *argv[]) { +int main(int argc, char *argv[]) +{ int return_code = 0; CERTIFIER *easy = certifier_api_easy_new(); @@ -33,9 +33,10 @@ main(int argc, char *argv[]) { certifier_api_easy_set_mode(easy, certifier_api_easy_get_mode(easy)); return_code = certifier_api_easy_perform(easy); - const char *result = certifier_api_easy_get_result_json(easy); + const char *result = certifier_api_easy_get_result_json(easy); - if (result != NULL) { + if (result != NULL) + { log_info(result); } 
diff --git a/src/openssl.c b/src/openssl.c
index 3f7d22c..df8e122 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -1050,6 +1050,14 @@ unsigned char *security_X509_to_DER(X509_CERT *cert, size_t *out_len) {
 return out;
 }
 
+int security_X509List_from_X509s(X509_LIST* ca_chain, X509_CERT *ca_cert, X509_CERT *root_cert)
+{
+ sk_X509_push(ca_chain, ca_cert);
+ sk_X509_push(ca_chain, root_cert);
+
+ return 0;
+}
+
 void security_print_subject_issuer(const X509_CERT *cert) {
 X509_NAME *subject = NULL;
 X509_NAME *issuer = NULL;
diff --git a/src/property.c b/src/property.c
index 616765c..100429c 100644
--- a/src/property.c
+++ b/src/property.c
@@ -32,11 +32,11 @@
 #define DEFAULT_HTTP_TIMEOUT 15
 #define DEFAULT_HTTP_CONNECT_TIMEOUT 15
 #define DEFAULT_ECC_CURVE_ID "prime256v1"
-#define DEFAULT_OUTPUT_KEYSTORE "output.p12"
+#define DEFAULT_OUTPUT_P12_PATH "output.p12"
 #define DEFAULT_CFG_FILENAME "libcertifier.cfg"
 #define DEFAULT_USER_CFG_FILENAME "/usr/local/etc/certifier/libcertifier.cfg"
 #define DEFAULT_GLOBAL_CFG_FILENAME "/etc/certifier/libcertifier.cfg"
-#define DEFAULT_CRT_TYPE "X509"
+#define DEFAULT_AUTH_TYPE "X509"
 #define DEFAULT_CA_INFO "libcertifier-cert.crt"
 #define DEFAULT_USER_CA_INFO "/usr/local/etc/certfier/libcertifier-cert.crt"
 #define DEFAULT_GLOBAL_CA_INFO "/etc/certifier/libcertifier-cert.crt"
@@ -126,14 +126,14 @@ struct _PropMap {
 int http_timeout;
 int options;
 int cert_min_time_left_s;
- int num_days;
+ int validity_days;
 int autorenew_interval;
 char *log_file;
 char *ca_info;
 char *ca_path;
 char *certifier_url;
 char *cfg_filename;
- char *crt_type;
+ char *auth_type;
 char *p12_filename;
 char *output_p12_filename;
 char *password;
@@ -154,8 +154,6 @@ struct _PropMap {
 char *ecc_curve_id;
 char *simulated_cert_expiration_date_after;
 char *simulated_cert_expiration_date_before;
- char *root_ca;
- char *int_ca;
 char *auth_token;
 char *output_node;
 char *target_node;
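Review bot: `security_X509List_from_X509s` ignores both `sk_X509_push` return values and returns 0 unconditionally, so an allocation failure inside the stack (push returns 0) leaves the chain short while the caller believes it is complete; there is also no NULL check on `ca_chain`. Suggested body: `if (ca_chain == NULL || sk_X509_push(ca_chain, ca_cert) <= 0 || sk_X509_push(ca_chain, root_cert) <= 0) { return -1; } return 0;` using whatever non-zero failure code the other helpers in this file return. The function also needs an ownership comment, because `sk_X509_push` stores the pointers without incrementing their reference counts: the caller must not free `ca_cert`/`root_cert` separately if it later releases the stack with `sk_X509_pop_free`, and must keep them alive for as long as the stack is used otherwise.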
@@ -257,8 +255,8 @@ property_set_int(CertifierPropMap *prop_map, CERTIFIER_OPT name, int value) { prop_map->cert_min_time_left_s = value; break; - case CERTIFIER_OPT_NUM_DAYS: - prop_map->num_days = value; + case CERTIFIER_OPT_VALIDITY_DAYS: + prop_map->validity_days = value; break; case CERTIFIER_OPT_AUTORENEW_INTERVAL: @@ -284,7 +282,7 @@ property_set(CertifierPropMap *prop_map, CERTIFIER_OPT name, const void *value) case CERTIFIER_OPT_LOG_LEVEL: case CERTIFIER_OPT_LOG_FUNCTION: case CERTIFIER_OPT_CERT_MIN_TIME_LEFT_S: - case CERTIFIER_OPT_NUM_DAYS: + case CERTIFIER_OPT_VALIDITY_DAYS: case CERTIFIER_OPT_AUTORENEW_INTERVAL: // do nothing; break; @@ -302,8 +300,8 @@ property_set(CertifierPropMap *prop_map, CERTIFIER_OPT name, const void *value) case CERTIFIER_OPT_CFG_FILENAME: SV(prop_map->cfg_filename, value); break; - case CERTIFIER_OPT_CRT_TYPE: - SV(prop_map->crt_type, value); + case CERTIFIER_OPT_AUTH_TYPE: + SV(prop_map->auth_type, value); break; case CERTIFIER_OPT_CERTIFIER_URL: if (util_starts_with(value, "https://")) { @@ -313,19 +311,19 @@ property_set(CertifierPropMap *prop_map, CERTIFIER_OPT name, const void *value) } break; - case CERTIFIER_OPT_KEYSTORE: + case CERTIFIER_OPT_INPUT_P12_PATH: SV(prop_map->p12_filename, value); break; - case CERTIFIER_OPT_OUTPUT_KEYSTORE: + case CERTIFIER_OPT_OUTPUT_P12_PATH: SV(prop_map->output_p12_filename, value); break; - case CERTIFIER_OPT_PASSWORD: + case CERTIFIER_OPT_INPUT_P12_PASSWORD: SV(prop_map->password, value); break; - case CERTIFIER_OPT_PASSWORD_OUT: + case CERTIFIER_OPT_OUTPUT_P12_PASSWORD: SV(prop_map->password_out, value); break; 
@@ -387,19 +385,11 @@ property_set(CertifierPropMap *prop_map, CERTIFIER_OPT name, const void *value) case CERTIFIER_OPT_LOG_LEVEL: case CERTIFIER_OPT_LOG_MAX_SIZE: case CERTIFIER_OPT_CERT_MIN_TIME_LEFT_S: - case CERTIFIER_OPT_NUM_DAYS: + case CERTIFIER_OPT_VALIDITY_DAYS: case CERTIFIER_OPT_AUTORENEW_INTERVAL: retval = property_set_int(prop_map, name, (int) (size_t) value); break; - case CERTIFIER_OPT_ROOT_CA: - SV(prop_map->root_ca, value); - break; - - case CERTIFIER_OPT_INT_CA: - SV(prop_map->int_ca, value); - break; - case CERTIFIER_OPT_LOG_FILENAME: SV(prop_map->log_file, value); log_set_file_name(value); @@ -457,8 +447,6 @@ property_set(CertifierPropMap *prop_map, CERTIFIER_OPT name, const void *value) case CERTIFIER_OPT_DEBUG_HTTP: case CERTIFIER_OPT_TRACE_HTTP: - case CERTIFIER_OPT_TLS_INSECURE_HOST: - case CERTIFIER_OPT_TLS_INSECURE_PEER: case CERTIFIER_OPT_FORCE_REGISTRATION: case CERTIFIER_OPT_MEASURE_PERFORMANCE: case CERTIFIER_OPT_CERTIFICATE_LITE: { @@ -492,8 +480,8 @@ property_get(CertifierPropMap *prop_map, CERTIFIER_OPT name) { retval = prop_map->cfg_filename; break; - case CERTIFIER_OPT_CRT_TYPE: - retval = prop_map->crt_type; + case CERTIFIER_OPT_AUTH_TYPE: + retval = prop_map->auth_type; break; case CERTIFIER_OPT_CERTIFIER_URL: @@ -508,19 +496,19 @@ property_get(CertifierPropMap *prop_map, CERTIFIER_OPT name) { retval = (void *) (size_t) prop_map->http_connect_timeout; break; - case CERTIFIER_OPT_KEYSTORE: + case CERTIFIER_OPT_INPUT_P12_PATH: retval = prop_map->p12_filename; break; - case CERTIFIER_OPT_OUTPUT_KEYSTORE: + case CERTIFIER_OPT_OUTPUT_P12_PATH: retval = prop_map->output_p12_filename; break; - case CERTIFIER_OPT_PASSWORD: + case CERTIFIER_OPT_INPUT_P12_PASSWORD: retval = prop_map->password; break; - case CERTIFIER_OPT_PASSWORD_OUT: + case CERTIFIER_OPT_OUTPUT_P12_PASSWORD: retval = prop_map->password_out; break; 
@@ -580,14 +568,6 @@ property_get(CertifierPropMap *prop_map, CERTIFIER_OPT name) { retval = prop_map->simulated_cert_expiration_date_after; break; - case CERTIFIER_OPT_ROOT_CA: - retval = prop_map->root_ca; - break; - - case CERTIFIER_OPT_INT_CA: - retval = prop_map->int_ca; - break; - case CERTIFIER_OPT_LOG_LEVEL: retval = (void *) (size_t) prop_map->log_level; break; @@ -631,8 +611,8 @@ property_get(CertifierPropMap *prop_map, CERTIFIER_OPT name) { case CERTIFIER_OPT_CN_PREFIX: retval = prop_map->cn_prefix; break; - case CERTIFIER_OPT_NUM_DAYS: - retval = (void *) (size_t) prop_map->num_days; // TODO - need to revisit these casts + case CERTIFIER_OPT_VALIDITY_DAYS: + retval = (void *) (size_t) prop_map->validity_days; // TODO - need to revisit these casts break; case CERTIFIER_OPT_AUTORENEW_INTERVAL: @@ -658,8 +638,6 @@ property_get(CertifierPropMap *prop_map, CERTIFIER_OPT name) { case CERTIFIER_OPT_DEBUG_HTTP: case CERTIFIER_OPT_TRACE_HTTP: - case CERTIFIER_OPT_TLS_INSECURE_HOST: - case CERTIFIER_OPT_TLS_INSECURE_PEER: case CERTIFIER_OPT_FORCE_REGISTRATION: case CERTIFIER_OPT_MEASURE_PERFORMANCE: case CERTIFIER_OPT_CERTIFICATE_LITE: { @@ -704,10 +682,10 @@ property_set_defaults(CertifierPropMap *prop_map) { } } - if (prop_map->crt_type == NULL) { - return_code = property_set(prop_map, CERTIFIER_OPT_CRT_TYPE, DEFAULT_CRT_TYPE); + if (prop_map->auth_type == NULL) { + return_code = property_set(prop_map, CERTIFIER_OPT_AUTH_TYPE, DEFAULT_AUTH_TYPE); if (return_code != 0) { - log_error("Failed to set default property name: CERTIFIER_OPT_CRT_TYPE with error code: %i", return_code); + log_error("Failed to set default property name: CERTIFIER_OPT_AUTH_TYPE with error code: %i", return_code); return return_code; } } 
@@ -778,22 +756,6 @@ property_set_defaults(CertifierPropMap *prop_map) { } } - if (prop_map->root_ca == NULL) { - return_code = property_set(prop_map, CERTIFIER_OPT_ROOT_CA, DEFAULT_ROOT_CA); - if (return_code != 0) { - log_error("Failed to set default property name: CERTIFIER_OPT_ROOT_CA with error code: %i", return_code); - return return_code; - } - } - - if (prop_map->int_ca == NULL) { - return_code = property_set(prop_map, CERTIFIER_OPT_INT_CA, DEFAULT_INT_CA); - if (return_code != 0) { - log_error("Failed to set default property name: CERTIFIER_OPT_INT_CA with error code: %i", return_code); - return return_code; - } - } - return_code = property_set(prop_map, CERTIFIER_OPT_LOG_LEVEL, (void *)DEFAULT_LOG_LEVEL); if (return_code != 0) { log_error("Failed to set default property name: CERTIFIER_OPT_LOG_LEVEL with error code: %i", return_code); @@ -816,9 +778,9 @@ property_set_defaults(CertifierPropMap *prop_map) { } if (prop_map->output_p12_filename == NULL) { - return_code = property_set(prop_map, CERTIFIER_OPT_OUTPUT_KEYSTORE, DEFAULT_OUTPUT_KEYSTORE); + return_code = property_set(prop_map, CERTIFIER_OPT_OUTPUT_P12_PATH, DEFAULT_OUTPUT_P12_PATH); if (return_code != 0) { - log_error("Failed to set default property name: CERTIFIER_OPT_OUTPUT_KEYSTORE with error code: %i", return_code); + log_error("Failed to set default property name: CERTIFIER_OPT_OUTPUT_P12_PATH with error code: %i", return_code); return return_code; } } @@ -894,7 +856,7 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) { const char *certifier_url_value = NULL; const char *profile_name_value = NULL; - const char *crt_type_value = NULL; + const char *auth_type_value = NULL; const char *password_value = NULL; const char *system_id_value = NULL; const char *fabric_id_value = NULL; 
@@ -904,20 +866,16 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) { int http_timeout_value; int http_connect_timeout_value; int http_trace_value; - const char *keystore_value = NULL; + const char *input_p12_path_value = NULL; const char *ca_info_value = NULL; const char *ca_path_value = NULL; - int tls_verify_peer_value; - int tls_verify_host_value; const char *ecc_curve_id_value = NULL; - const char *root_ca_value = NULL; - const char *int_ca_value = NULL; const char *log_file_value = NULL; int log_level_value; int log_max_size_value; int measure_performance_value; int autorenew_interval_value; - int num_days; + int validity_days; const char *source = NULL; int certificate_lite_value; const char *cn_prefix = NULL; @@ -960,17 +918,17 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) { property_set(propMap, CERTIFIER_OPT_PROFILE_NAME, profile_name_value); } - crt_type_value = json_object_get_string(json_object(json), "libcertifier.crt.type"); - if (crt_type_value) { - log_info("Loaded crt.type: %s from config file.", crt_type_value); - property_set(propMap, CERTIFIER_OPT_CRT_TYPE, crt_type_value); + auth_type_value = json_object_get_string(json_object(json), "libcertifier.auth.type"); + if (auth_type_value) { + log_info("Loaded crt.type: %s from config file.", auth_type_value); + property_set(propMap, CERTIFIER_OPT_AUTH_TYPE, auth_type_value); } password_value = json_object_get_string(json_object(json), "libcertifier.password"); if (password_value) { print_warning("password"); log_info("Loaded password from config file."); - property_set(propMap, CERTIFIER_OPT_PASSWORD, password_value); + property_set(propMap, CERTIFIER_OPT_INPUT_P12_PASSWORD, password_value); } system_id_value = json_object_get_string(json_object(json), "libcertifier.system.id"); 
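Review bot: The log line in the auth-type block still says `Loaded crt.type:` although the key read is now `libcertifier.auth.type`; it should read `log_info("Loaded auth.type: %s from config file.", auth_type_value);`. The password block just below keeps the unrenamed key `libcertifier.password` while its sibling became `libcertifier.input.p12.path`, so config-file naming no longer mirrors the option names; if that is intentional a short comment saying so would help. property_set_defaults_from_cfg_file begins and ends outside the hunk.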
@@ -1034,10 +992,10 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) { property_set(propMap, CERTIFIER_OPT_AUTORENEW_INTERVAL, (void *) (size_t) autorenew_interval_value); } - keystore_value = json_object_get_string(json_object(json), "libcertifier.keystore"); - if (keystore_value) { - log_info("Loaded keystore_value: %s from cfg file.", keystore_value); - property_set(propMap, CERTIFIER_OPT_KEYSTORE, keystore_value); + input_p12_path_value = json_object_get_string(json_object(json), "libcertifier.input.p12.path"); + if (input_p12_path_value) { + log_info("Loaded input_p12_path_value: %s from cfg file.", input_p12_path_value); + property_set(propMap, CERTIFIER_OPT_INPUT_P12_PATH, input_p12_path_value); } ca_info_value = json_object_get_string(json_object(json), "libcertifier.ca.info"); 
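Review bot: Renaming the config key from `libcertifier.keystore` to `libcertifier.input.p12.path` means an already deployed config file still parses but its p12 path is silently dropped; the same applies to `libcertifier.num.days` → `libcertifier.validity.days` and `libcertifier.source.name` → `libcertifier.source.id` in the following hunks. A guard such as `if (json_object_get_string(json_object(json), "libcertifier.keystore")) { log_error("Config key libcertifier.keystore was renamed to libcertifier.input.p12.path; value ignored."); }`, or a fallback read of the legacy key, would make the migration visible to operators. property_set_defaults_from_cfg_file continues outside the hunk.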
@@ -1052,25 +1010,11 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) { property_set(propMap, CERTIFIER_OPT_CA_PATH, ca_path_value); } - num_days = json_object_get_number(json_object(json), "libcertifier.num.days"); - if (num_days) + validity_days = json_object_get_number(json_object(json), "libcertifier.validity.days"); + if (validity_days) { - log_info("Loaded num_days: %d", num_days); - property_set(propMap, CERTIFIER_OPT_NUM_DAYS, (void *)(size_t)num_days); - } - - tls_verify_peer_value = json_object_get_number(json_object(json), "libcertifier.tls.insecure.peer"); - if (tls_verify_peer_value == 1) { - print_warning("tls.insecure.peer"); - log_info("Loaded tls_verify_peer_value: %i from cfg file.", tls_verify_peer_value); - propMap->options |= CERTIFIER_OPTION_TLS_INSECURE_PEER; - } - - tls_verify_host_value = json_object_get_number(json_object(json), "libcertifier.tls.insecure.host"); - if (tls_verify_host_value == 1) { - print_warning("tls.insecure.host"); - log_info("Loaded tls_verify_host_value: %i from cfg file.", tls_verify_host_value); - propMap->options |= CERTIFIER_OPTION_TLS_INSECURE_HOST; + log_info("Loaded validity_days: %d", validity_days); + property_set(propMap, CERTIFIER_OPT_VALIDITY_DAYS, (void *)(size_t)validity_days); } ecc_curve_id_value = json_object_get_string(json_object(json), "libcertifier.ecc.curve.id"); 
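Review bot: `validity_days` is accepted whenever it is non-zero, so a negative or fractional value from the config file (`json_object_get_number` returns a double that is truncated into the `int`) flows straight into `CERTIFIER_OPT_VALIDITY_DAYS`, whereas the command-line path in process_command_line only accepts `atoi(optarg) > 0`. Align the two with `if (validity_days > 0)` and log rejected values so a misconfigured certificate lifetime is not silently requested. property_set_defaults_from_cfg_file continues outside the hunk.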
@@ -1079,18 +1023,6 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) {
 property_set(propMap, CERTIFIER_OPT_ECC_CURVE_ID, ecc_curve_id_value);
 }
- root_ca_value = json_object_get_string(json_object(json), "libcertifier.root.ca");
- if (root_ca_value) {
- log_info("Loaded root_ca_value: %s from cfg file.", root_ca_value);
- property_set(propMap, CERTIFIER_OPT_ROOT_CA, root_ca_value);
- }
-
- int_ca_value = json_object_get_string(json_object(json), "libcertifier.int.ca");
- if (int_ca_value) {
- log_info("Loaded int_ca_value: %s from cfg file.", int_ca_value);
- property_set(propMap, CERTIFIER_OPT_INT_CA, int_ca_value);
- }
-
 log_file_value = json_object_get_string(json_object(json), "libcertifier.log.file");
 if (log_file_value) {
 log_info("Loaded Log File Value: %s from cfg file.", log_file_value);
@@ -1112,9 +1044,9 @@ property_set_defaults_from_cfg_file(CertifierPropMap *propMap) {
 }
 log_set_max_size(propMap->log_max_size);
- source = json_object_get_string(json_object(json), "libcertifier.source.name");
+ source = json_object_get_string(json_object(json), "libcertifier.source.id");
 if (source) {
- log_info("Loaded source.name %s from cfg file.", source);
+ log_info("Loaded source.id %s from cfg file.", source);
 property_set(propMap, CERTIFIER_OPT_SOURCE, source);
 }
@@ -1158,7 +1090,7 @@ static void free_prop_map_values(CertifierPropMap *prop_map) {
 FV(prop_map->ca_info);
 FV(prop_map->ca_path);
 FV(prop_map->certifier_url);
- FV(prop_map->crt_type);
+ FV(prop_map->auth_type);
 FV(prop_map->cfg_filename);
 FV(prop_map->p12_filename);
 FV(prop_map->output_p12_filename);
@@ -1176,8 +1108,6 @@ static void free_prop_map_values(CertifierPropMap *prop_map) {
 FV(prop_map->ecc_curve_id);
 FV(prop_map->simulated_cert_expiration_date_after);
 FV(prop_map->simulated_cert_expiration_date_before);
- FV(prop_map->root_ca);
- FV(prop_map->int_ca);
 FV(prop_map->auth_token);
 FV(prop_map->output_node);
 FV(prop_map->target_node);
diff --git a/src/xpki_client.c b/src/xpki_client.c
new file mode 100644
index 0000000..7f9c032
--- /dev/null
+++ b/src/xpki_client.c
@@ -0,0 +1,359 @@
+/**
+ * Copyright 2022 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include
+
+#include
+#include
+#include
+
+#define ReturnErrorOnFailure(expr) \
+ do \
+ { \
+ XPKI_CLIENT_ERROR_CODE __err = (expr); \
+ if (__err != 0) \
+ { \
+ return __err; \
+ } \
+ } while (0)
+
+#define VerifyOrReturnError(expr, code) \
+ do \
+ { \
+ if (!(expr)) \
+ { \
+ return (code); \
+ } \
+ } while (0)
+
+#define VerifyOrExit(statement, action) \
+ do \
+ { \
+ if ((statement) != 1) \
+ { \
+ action; \
+ goto exit; \
+ } \
+ } while (0)
+
+static const char * XPKI_PROFILE_NAME_STRING[] = { FOREACH_PROFILE_NAME(GENERATE_STRING) };
+
+static inline Certifier * get_certifier_instance()
+{
+ static Certifier * certifier = NULL;
+
+ if (certifier == NULL)
+ {
+ certifier = certifier_new();
+ }
+
+ return certifier;
+}
+
+static XPKI_AUTH_TYPE map_to_xpki_auth_type(const char * str)
+{
+ if (strcmp(str, "X509") == 0)
+ {
+ return XPKI_AUTH_X509_CRT;
+ }
+ else
+ {
+ return XPKI_AUTH_TOKEN;
+ }
+}
+
+static XPKI_PROFILE_NAME map_to_xpki_profile_name(const char * str)
+{
+ for (XPKI_PROFILE_NAME profile_name = 0; profile_name < sizeof(XPKI_PROFILE_NAME_STRING) / sizeof(*XPKI_PROFILE_NAME_STRING);
+ ++profile_name)
+ {
+ if (strcmp(XPKI_PROFILE_NAME_STRING[profile_name], str) == 0)
+ {
+ return profile_name;
+ }
+ }
+ return XPKI_PROFILE_MAX;
+}
+
+static uint16_t 
get_product_id(const char * str)
+{
+ uint16_t id;
+
+ if (sscanf(str, "%" SCNx16, &id) == 1)
+ {
+ return id;
+ }
+
+ return 0;
+}
+
+static uint64_t get_node_id(const char * str)
+{
+ uint64_t id;
+
+ if (sscanf(str, "%" SCNx64, &id) == 1)
+ {
+ return id;
+ }
+
+ return 0;
+}
+
+#define get_fabric_id get_node_id
+
+static uint32_t get_auth_tag(const char * str)
+{
+ uint32_t id;
+
+ if (sscanf(str, "%" SCNx32, &id) == 1)
+ {
+ return id;
+ }
+
+ return 0;
+}
+
+XPKI_CLIENT_ERROR_CODE xc_get_default_cert_param(get_cert_param_t * params)
+{
+ Certifier * certifier = get_certifier_instance();
+
+ memset(params, 0, sizeof(get_cert_param_t));
+
+ void * param = NULL;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH);
+ params->input_p12_path = param ? (const char *) param : NULL;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD);
+ params->input_p12_password = param ? (const char *) param : NULL;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PATH);
+ params->output_p12_path = param ? (const char *) param : NULL;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD);
+ params->output_p12_password = param ? (const char *) param : NULL;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_AUTH_TYPE);
+ params->auth_type = param ? map_to_xpki_auth_type(param) : XPKI_AUTH_X509_CRT;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_PROFILE_NAME);
+ params->profile_name = param ? map_to_xpki_profile_name(param) : XFN_Matter_OP_Class_3_ICA;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_FORCE_REGISTRATION);
+ params->overwrite_p12 = (bool) param; // bool value
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_PRODUCT_ID);
+ params->product_id = param ? get_product_id(param) : 0;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_NODE_ID);
+ params->node_id = param ? 
get_node_id(param) : 0;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_FABRIC_ID);
+ params->fabric_id = param ? get_fabric_id(param) : 0;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_AUTH_TAG_1);
+ params->case_auth_tag = param ? get_auth_tag(param) : 0;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_VALIDITY_DAYS);
+ params->validity_days = param ? (size_t) param : 365;
+
+ param = certifier_get_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE);
+ params->lite = (bool) param; // bool value
+
+ return XPKI_CLIENT_SUCCESS;
+}
+
+static XPKI_CLIENT_ERROR_CODE xc_create_x509_crt()
+{
+ XPKI_CLIENT_ERROR_CODE xc_error = XPKI_CLIENT_SUCCESS;
+ int return_code = 0;
+ Certifier * certifier = get_certifier_instance();
+
+ return_code = certifier_setup_keys(certifier);
+ VerifyOrReturnError(return_code == 0, XPKI_CLIENT_ERROR_INTERNAL);
+
+ char * tmp_crt = NULL;
+ char * cert = NULL;
+
+ return_code = certifier_create_x509_crt(certifier, &tmp_crt);
+ VerifyOrExit(return_code == 0, xc_error = XPKI_CLIENT_ERROR_INTERNAL);
+ VerifyOrExit(tmp_crt != NULL, xc_error = XPKI_CLIENT_ERROR_NO_MEMORY);
+
+ const int cert_len = (int) XSTRLEN(tmp_crt);
+ cert = XMALLOC(base64_encode_len(cert_len));
+ base64_encode(cert, (const unsigned char *) tmp_crt, cert_len);
+ return_code = certifier_set_property(certifier, CERTIFIER_OPT_CRT, cert);
+ VerifyOrExit(return_code == 0, xc_error = XPKI_CLIENT_ERROR_INTERNAL);
+
+exit:
+ XFREE(cert);
+ XFREE(tmp_crt);
+
+ return xc_error;
+}
+
+static XPKI_CLIENT_ERROR_CODE xc_register_certificate()
+{
+ Certifier * certifier = get_certifier_instance();
+ int return_code = certifier_register(certifier);
+
+ return return_code == 0 ? 
XPKI_CLIENT_SUCCESS : XPKI_CLIENT_ERROR_INTERNAL;
+}
+
+XPKI_CLIENT_ERROR_CODE xc_get_cert(get_cert_param_t * params)
+{
+ // TODO: Implement Auth Token CRT
+ // TODO: Check boundaries on enums
+ VerifyOrReturnError(params->auth_type == XPKI_AUTH_X509_CRT, XPKI_CLIENT_NOT_IMPLEMENTED);
+
+ Certifier * certifier = get_certifier_instance();
+
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, params->input_p12_path));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, params->input_p12_password));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PATH, params->output_p12_path));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD, params->output_p12_password));
+
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_VALIDITY_DAYS, (const void *) (size_t) params->validity_days));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE, (void *) params->lite));
+
+ ReturnErrorOnFailure(
+ certifier_set_property(certifier, CERTIFIER_OPT_PROFILE_NAME, XPKI_PROFILE_NAME_STRING[params->profile_name]));
+
+ if (params->node_id != 0)
+ {
+ char node_id[sizeof(uint64_t) * 2 + 1] = { 0 };
+ snprintf(node_id, sizeof(node_id), "%" PRIx64, params->node_id);
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_NODE_ID, (void *) node_id));
+ }
+ if (params->product_id != 0)
+ {
+ char product_id[sizeof(uint16_t) * 2 + 1] = { 0 };
+ snprintf(product_id, sizeof(product_id), "%" PRIx16, params->product_id);
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_PRODUCT_ID, (void *) product_id));
+ }
+ if (params->fabric_id != 0)
+ {
+ char fabric_id[sizeof(uint64_t) * 2 + 1] = { 0 };
+ snprintf(fabric_id, sizeof(fabric_id), "%" PRIx64, params->fabric_id);
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_FABRIC_ID, (void *) (size_t) 
fabric_id));
+ }
+ if (params->case_auth_tag != 0)
+ {
+ char case_auth_tag[sizeof(uint32_t) * 2 + 1] = { 0 };
+ snprintf(case_auth_tag, sizeof(case_auth_tag), "%" PRIx32, params->case_auth_tag);
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_AUTH_TAG_1, (void *) (size_t) case_auth_tag));
+ }
+
+ ReturnErrorOnFailure(xc_create_x509_crt(certifier));
+
+ if (certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PATH) != NULL)
+ {
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH,
+ certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PATH)));
+ }
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_FORCE_REGISTRATION, (void *) params->overwrite_p12));
+ ReturnErrorOnFailure(
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PASSWORD)));
+
+ return xc_register_certificate(certifier);
+}
+
+static XPKI_CLIENT_ERROR_CODE _xc_renew_certificate()
+{
+ Certifier * certifier = get_certifier_instance();
+
+ int return_code = certifier_get_device_registration_status(certifier);
+ if (return_code == CERTIFIER_ERR_REGISTRATION_STATUS_CERT_ABOUT_TO_EXPIRE ||
+ return_code == CERTIFIER_ERR_REGISTRATION_STATUS_CERT_EXPIRED_1)
+ {
+ ReturnErrorOnFailure(xc_create_x509_crt(certifier));
+ return certifier_renew_certificate(certifier) == 0 ? 
XPKI_CLIENT_SUCCESS : XPKI_CLIENT_ERROR_INTERNAL;
+ }
+ else
+ {
+ return XPKI_CLIENT_CERT_ALREADY_VALID;
+ }
+}
+
+XPKI_CLIENT_ERROR_CODE xc_renew_cert(const char * p12_path, const char * password)
+{
+ Certifier * certifier = get_certifier_instance();
+
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, p12_path));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, password));
+ return _xc_renew_certificate(certifier);
+}
+
+static XPKI_CLIENT_CERT_STATUS xc_map_cert_status(int value)
+{
+ XPKI_CLIENT_CERT_STATUS cert_status = XPKI_CLIENT_CERT_VALID;
+
+ switch (value)
+ {
+ case CERTIFIER_ERR_REGISTRATION_STATUS_CERT_ABOUT_TO_EXPIRE:
+ cert_status = XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE;
+ break;
+ case 0:
+ cert_status = XPKI_CLIENT_CERT_VALID;
+ break;
+ case CERTIFIER_ERR_REGISTRATION_STATUS_CERT_EXPIRED_2:
+ cert_status = XPKI_CLIENT_CERT_EXPIRED;
+ break;
+ case CERTIFIER_ERR_REGISTRATION_STATUS_CERT_EXPIRED_1:
+ cert_status = XPKI_CLIENT_CERT_NOT_YET_VALID;
+ break;
+ case CERTIFIER_ERR_GET_CERT_STATUS_REVOKED:
+ cert_status = XPKI_CLIENT_CERT_REVOKED;
+ break;
+ case CERTIFIER_ERR_GET_CERT_STATUS_UNKOWN | CERTIFIER_ERR_REGISTRATION_STATUS_CERT_ABOUT_TO_EXPIRE:
+ cert_status = XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE;
+ // fall through
+ case CERTIFIER_ERR_GET_CERT_STATUS_UNKOWN:
+ default:
+ cert_status |= XPKI_CLIENT_CERT_UNKNOWN;
+ }
+
+ return cert_status;
+}
+
+static XPKI_CLIENT_CERT_STATUS _xc_get_cert_status()
+{
+ Certifier * certifier = get_certifier_instance();
+ int return_code = 0;
+ XPKI_CLIENT_CERT_STATUS cert_status = XPKI_CLIENT_CERT_VALID;
+
+ return_code = certifier_get_device_certificate_status(certifier);
+ cert_status = xc_map_cert_status(return_code);
+
+ if (cert_status == XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE || cert_status == XPKI_CLIENT_CERT_VALID)
+ {
+ return_code = certifier_get_device_registration_status(certifier);
+ cert_status |= xc_map_cert_status(return_code);
+ }
+
+ return cert_status;
+}
+
+XPKI_CLIENT_CERT_STATUS xc_get_cert_status(const char * p12_path, const char * password)
+{
+ Certifier * certifier = get_certifier_instance();
+
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, p12_path));
+ ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, password));
+ return _xc_get_cert_status(certifier);
+}
diff --git a/tests/keymgr/CMakeLists.txt b/tests/keymgr/CMakeLists.txt
deleted file mode 100644
index bdf0e11..0000000
--- a/tests/keymgr/CMakeLists.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-project(certifierKeymgr)
-
-file(GLOB SOURCES "*.c")
-
-add_executable(${PROJECT_NAME} ${SOURCES})
diff --git a/tests/keymgr/main.c b/tests/keymgr/main.c
deleted file mode 100644
index 8e512c5..0000000
--- a/tests/keymgr/main.c
+++ /dev/null
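Review bot: In `xc_create_x509_crt` the result of `cert = XMALLOC(base64_encode_len(cert_len));` is handed to `base64_encode` without a NULL check, although the function already has an `XPKI_CLIENT_ERROR_NO_MEMORY` exit for `tmp_crt` two lines earlier; add `VerifyOrExit(cert != NULL, xc_error = XPKI_CLIENT_ERROR_NO_MEMORY);` between the allocation and the encode. In `xc_get_cert`, `XPKI_PROFILE_NAME_STRING[params->profile_name]` is indexed with no range check even though `map_to_xpki_profile_name` (used by `xc_get_default_cert_param`) returns `XPKI_PROFILE_MAX` for an unrecognised name, so a caller that forwards the defaults reads past the table; the `// TODO: Check boundaries on enums` line is where `VerifyOrReturnError(params->profile_name < sizeof(XPKI_PROFILE_NAME_STRING) / sizeof(*XPKI_PROFILE_NAME_STRING), XPKI_CLIENT_ERROR_INTERNAL);` belongs (a dedicated invalid-argument code would be clearer if the header defines one). `xc_create_x509_crt`, `xc_register_certificate`, `_xc_renew_certificate` and `_xc_get_cert_status` are defined with empty parentheses but called with a `certifier` argument they never read, each re-fetching the singleton instead; either declare them `(void)` and drop the argument, or take `Certifier *` and use it, so prototypes and calls agree. `xc_get_cert_status` returns `XPKI_CLIENT_CERT_STATUS`, yet its two `ReturnErrorOnFailure` lines return an `XPKI_CLIENT_ERROR_CODE` from it, so a property-set failure reaches the caller as whichever status value shares that integer; return `XPKI_CLIENT_CERT_UNKNOWN` on those paths or report the error through a separate out-parameter. The stack buffers `node_id`, `product_id`, `fabric_id` and `case_auth_tag` go out of scope right after their `certifier_set_property` call, which is only safe if the property map copies string values (the `FV()` frees in `free_prop_map_values` suggest it does, but that is not visible in this hunk).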
@@ -1,61 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define FIFO_PATH_MAX_LENGTH 128
-#define PASSWORD_IN "changeit"
-#define PASSWORD_IN_LENGTH 8
-#define PASSWORD_OUT "newpass"
-#define PASSWORD_OUT_LENGTH 7
-
-static int manage_fifo(const char* fifo, const size_t fifo_len, const char* password, const size_t password_len)
-{
- int rc = 0;
-
-// rc = mkfifo(fifo, 0666);
-// if (rc != 0 && errno != EEXIST)
-// {
-// perror("mkfifo");
-// return rc;
-// }
-
- int fd = open(fifo, O_WRONLY);
- if (fd < 0)
- {
- return 1;
- }
-
- write(fd, password, password_len);
-
- close(fd);
-
- return rc;
-}
-
-int main(int argc, char** argv)
-{
- int rc = 0;
- int opt;
- char fifo_in[FIFO_PATH_MAX_LENGTH] = "/tmp/certifier-fifo-in";
- char fifo_out[FIFO_PATH_MAX_LENGTH] = "/tmp/certifier-fifo-out";
-
- while ((opt = getopt(argc, argv, "io")) != - 1 && rc == 0) {
- switch (opt)
- {
- case 'i':
- rc = manage_fifo(fifo_in, sizeof(fifo_in), PASSWORD_IN, PASSWORD_IN_LENGTH);
- break;
- case 'o':
- rc = manage_fifo(fifo_out, sizeof(fifo_out), PASSWORD_OUT, PASSWORD_OUT_LENGTH);
- break;
- default:
- rc = 1;
- }
- }
-
- return rc;
-}
diff --git a/tests/tests.c b/tests/tests.c
index acd5d4d..6838e9d 100644
--- a/tests/tests.c
+++ b/tests/tests.c
@@ -205,11 +205,11 @@ static void test_certifier_client_requests1(void **state) {
 return_code = certifier_set_property(certifier, CERTIFIER_OPT_CN_PREFIX, "xcal.tv");
 assert_int_equal(0, return_code);
- return_code = certifier_set_property(certifier, CERTIFIER_OPT_NUM_DAYS, 730);
+ return_code = certifier_set_property(certifier, CERTIFIER_OPT_VALIDITY_DAYS, 730);
 assert_int_equal(0, return_code);
 cn_prefix = certifier_get_property(certifier, CERTIFIER_OPT_CN_PREFIX);
- num_days = certifier_get_property(certifier, CERTIFIER_OPT_NUM_DAYS);
+ num_days = certifier_get_property(certifier, CERTIFIER_OPT_VALIDITY_DAYS);
 assert_int_equal(730, num_days);
 if (cn_prefix) {
 return_code = strncmp(cn_prefix, "xcal.tv", 8);
@@ -1411,9 +1411,9 @@ static void test_pkcs12(void **state) {
 security_free_cert(cert); // test public certifier methods
- certifier_set_property(certifier, CERTIFIER_OPT_PASSWORD, pkcs12_passwd);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, pkcs12_passwd);
 certifier_set_property(certifier, CERTIFIER_OPT_ECC_CURVE_ID, "prime256v1");
- certifier_set_property(certifier, CERTIFIER_OPT_KEYSTORE, pkcs12_file_name);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, pkcs12_file_name);
 ret = certifier_setup_keys(certifier);
 assert_int_equal(0, ret);
 assert_non_null(certifier_get_node_address(certifier));
@@ -1424,12 +1424,12 @@ static void test_pkcs12(void **state) {
 XFREE(pem);
 pem = NULL;
- certifier_set_property(certifier, CERTIFIER_OPT_KEYSTORE, "");
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, "");
 ret = certifier_setup_keys(certifier);
 assert_int_equal(4, ret);
- certifier_set_property(certifier, CERTIFIER_OPT_KEYSTORE, pkcs12_file_name);
- certifier_set_property(certifier, CERTIFIER_OPT_PASSWORD, "");
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, pkcs12_file_name);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, "");
 ret = certifier_setup_keys(certifier);
 assert_int_equal(5, ret);
@@ -1438,13 +1438,13 @@ static void test_pkcs12(void **state) {
 XFREE(pem);
 pem = NULL;
- certifier_set_property(certifier, CERTIFIER_OPT_PASSWORD, pkcs12_passwd);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, pkcs12_passwd);
 certifier_set_property(certifier, CERTIFIER_OPT_ECC_CURVE_ID, "");
 ret = certifier_setup_keys(certifier);
 assert_int_equal(6, ret);
- certifier_set_property(certifier, CERTIFIER_OPT_KEYSTORE, pkcs12_file_name);
- certifier_set_property(certifier, CERTIFIER_OPT_PASSWORD, pkcs12_passwd);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, pkcs12_file_name);
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, pkcs12_passwd);
 certifier_set_property(certifier, CERTIFIER_OPT_ECC_CURVE_ID, "prime256v1");
 ret = certifier_get_device_registration_status(certifier);
@@ -1457,8 +1457,8 @@ static void test_pkcs12(void **state) {
 //assert_int_equal(0, ret); //assert_non_null(output_x509_cert);
- certifier_set_property(certifier, CERTIFIER_OPT_KEYSTORE, "/tmp/test.p12");
- certifier_set_property(certifier, CERTIFIER_OPT_PASSWORD, "fake_password");
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, "/tmp/test.p12");
+ certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, "fake_password");
 ret = certifier_setup_keys(certifier);
 assert_int_equal(1, ret);
@@ -1546,13 +1546,13 @@ static void test_logging(void **state) {
 static void test_options(void **state) {
 CertifierPropMap *props = _certifier_get_properties(certifier);
- certifier_set_property(certifier, CERTIFIER_OPT_TLS_INSECURE_HOST, (void *) true);
- assert_true(certifier_get_property(certifier, CERTIFIER_OPT_TLS_INSECURE_HOST));
- assert_true(property_is_option_set(props, CERTIFIER_OPTION_TLS_INSECURE_HOST));
+ certifier_set_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE, (void *) true);
+ assert_true(certifier_get_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE));
+ assert_true(property_is_option_set(props, CERTIFIER_OPTION_CERTIFICATE_LITE));
- certifier_set_property(certifier, CERTIFIER_OPT_TLS_INSECURE_HOST, false);
- assert_false(certifier_get_property(certifier, CERTIFIER_OPT_TLS_INSECURE_HOST));
- assert_false(property_is_option_set(props, CERTIFIER_OPTION_TLS_INSECURE_HOST));
+ certifier_set_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE, false);
+ assert_false(certifier_get_property(certifier, CERTIFIER_OPT_CERTIFICATE_LITE));
+ assert_false(property_is_option_set(props, CERTIFIER_OPTION_CERTIFICATE_LITE));
 }
 int main(int argc, char **argv) {
diff --git a/tests/xc_apis/xc_api_tests.c b/tests/xc_apis/xc_api_tests.c
new file mode 100644
index 0000000..6545f0c
--- /dev/null
+++ b/tests/xc_apis/xc_api_tests.c
@@ -0,0 +1,103 @@
+/**
+ * Copyright 2022 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include
+#include
+
+#include
+
+static void test_get_cert()
+{
+ get_cert_param_t params = { 0 };
+
+ xc_get_default_cert_param(¶ms);
+
+ params.auth_type = XPKI_AUTH_X509_CRT;
+ params.fabric_id = 0xABCDABCDABCDABCD;
+ params.node_id = 0x1234123412341234;
+ params.input_p12_password = "changeit";
+ params.input_p12_path = "seed.p12";
+ params.output_p12_password = "newpass";
+ params.output_p12_path = "output-xc-test-renewable.p12";
+ params.overwrite_p12 = true;
+ params.product_id = 0xABCD;
+ params.profile_name = XFN_Matter_OP_Class_3_ICA;
+ params.validity_days = 90;
+ params.lite = true;
+
+ XPKI_CLIENT_ERROR_CODE error = xc_get_cert(¶ms);
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_SUCCESS, error);
+
+ params.validity_days = 100;
+ params.output_p12_path = "output-xc-test-not-renewable.p12";
+ error = xc_get_cert(¶ms);
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_SUCCESS, error);
+}
+
+static void test_get_cert_status()
+{
+ XPKI_CLIENT_ERROR_CODE error = xc_get_cert_status("output-xc-test-renewable.p12", "newpass");
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE, error);
+
+ error = xc_get_cert_status("output-xc-test-not-renewable.p12", "newpass");
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_CERT_VALID, error);
+}
+
+static void test_renew_cert()
+{
+ XPKI_CLIENT_ERROR_CODE 
error = xc_renew_cert("output-xc-test-not-renewable.p12", "newpass");
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_CERT_ALREADY_VALID, error);
+#if 0 // disable test below because we're not allowed to mess with the certifier url during run-time.
+ get_cert_param_t params = { 0 };
+
+ xc_get_default_cert_param(¶ms);
+
+ params.auth_type = XPKI_AUTH_X509_CRT;
+ params.input_password = "SE051";
+ params.input_pkcs12_path = "stage-seed.p12";
+ params.output_password = "newpass";
+ params.output_pkcs12_path = "stage-output-renewable.p12";
+ params.overwrite_p12 = true;
+ params.profile_name = Xfinity_Default_Issuing_ECC_ICA;
+ params.validity_days = 20;
+ params.lite = false;
+
+ char * certifier_url = XSTRDUP(certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL));
+ certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, "https://certifier-stage.xpki.io/v1/certifier");
+
+ error = xc_get_cert(¶ms);
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_SUCCESS, error);
+
+ error = xc_renew_cert("stage-output-renewable.p12", "newpass");
+ TEST_ASSERT_EQUAL_INT(XPKI_CLIENT_SUCCESS, error);
+
+ certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, certifier_url);
+ XFREE(certifier_url);
+#endif
+}
+
+int main(int argc, char ** argv)
+{
+ UNITY_BEGIN();
+
+ RUN_TEST(test_get_cert);
+ RUN_TEST(test_get_cert_status);
+ RUN_TEST(test_renew_cert);
+
+ return UNITY_END();
+}
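Review bot: `test_get_cert_status` stores the `XPKI_CLIENT_CERT_STATUS` returned by `xc_get_cert_status` in an `XPKI_CLIENT_ERROR_CODE error`, so the comparisons with `XPKI_CLIENT_CERT_ABOUT_TO_EXPIRE` and `XPKI_CLIENT_CERT_VALID` only hold while the two enums happen to share integer values; declare it `XPKI_CLIENT_CERT_STATUS status = xc_get_cert_status("output-xc-test-renewable.p12", "newpass");` and assert on that. The `#if 0` block in `test_renew_cert` assigns fields (`input_password`, `input_pkcs12_path`, `output_password`, `output_pkcs12_path`) that `test_get_cert` shows do not exist under those names in `get_cert_param_t`, and uses a `certifier` variable this file never declares, so it will not compile if re-enabled; update it to the current API or delete it. The suite also depends on a pre-existing `seed.p12` fixture in the working directory and on the renewal window treating a 90-day certificate as about-to-expire but a 100-day one as valid; a comment at the top of `test_get_cert` stating those preconditions would save time when the assertions fail.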