mbed-cloud-client 1.3.3

Author: teetak01

CHANGELOG.md

@@ -1,6 +1,28 @@
 ## Changelog for Mbed Cloud Client
 
-### Release R1.3.2 (22.05.2018)
+### Release 1.3.3 (11.06.2018)
+
+#### Mbed Cloud Client
+
+* Fixed issue: Wrong CoAP ping message. CoAP ping must be sent as an empty confirmable message.
+* In the previous versions, the client in queue mode went to sleep while in reconnection mode. Now, it completes the connection before going to sleep.
+* This version of Cloud Client supports Mbed OS 5.8.5 and onwards patch releases.
+
+#### Factory configurator client
+
+* Full support for the `device generated keys` mode. You can activate the mode using the factory configurator utility (FCU) or the KCM APIs.
+
+    <span class="notes">**Note:** Cloud Client and Mbed Cloud do not yet support this mode.</span>
+* A certificate signed request (CSR) that is generated on the device, can be created with the `Extended key usage` extension.
+* A new KCM API introduced:
+  * `kcm_certificate_verify_with_private_key` - a self-generated certificate can be checked against a stored private key.
+* Fixed the `FtcdCommBase::wait_for_message` function to receive multiple messages.
+
+#### Platform Adaptation Layer (PAL)
+
+* The u-blox ODIN-W2 board now requires support for RSA crypto from Mbed TLS. RSA crypto has been enabled by default for the target `MODULE_UBLOX_ODIN_W2`. Enabling RSA crypto increases the flash size by 20KB. More details in Mbed OS PR [#6963](https://github.com/ARMmbed/mbed-os/pull/6963).
+
+### Release 1.3.2 (22.05.2018)
 
 #### Mbed Cloud Client
 
@@ -35,28 +57,27 @@
 
 * Linux: Converted all timers to use signal-based timer (SIGEV_SIGNAL) instead of (SIGEV_THREAD).
   * This fixes the Valgrind warnings for possible memory leaks caused by LIBC's internal timer helper thread.
-  
+
     <span class="notes">**Note**: If the client application is creating a pthread before instantiating MbedCloudClient,
     it needs to block the PAL_TIMER_SIGNAL from it. Otherwise the thread may get an exception caused
     by the default signal handler with a message such as "Process terminating with default action
-    of signal 34 (SIGRT2)". For a suggested way to handle this please see `mcc_platform_init()` in
-    https://github.com/ARMmbed/mbed-cloud-client-example/blob/master/source/platform/Linux/common_setup.c.</span>
-* Linux: Linux specific version of pal_accept()'s addressLen parameter was requiring a platform specific socket address structure size, not a platform independent one.
+    of signal 34 (SIGRT2)". For a suggested way to handle this please see `mcc_platform_init()` in [here](https://github.com/ARMmbed/mbed-cloud-client-example/blob/master/source/platform/Linux/common_setup.c).</span>
+* Linux: Fixed the Linux-specific version of `pal_accept()'s` `addressLen` parameter which previously required a platform-specific socket address structure size, not a platform independent one.
 * Fixed a hard fault issue that occurred when calling `pal_ECKeyGenerateKey`.
 * Return PAL_ERR_BUFFER_TOO_SMALL if the output buffer is too small for write in `pal_writePrivateKeyToDer`, `pal_writePublicKeyToDer`  and `pal_x509CSRWriteDER APIs`.
 * Fixed the missing handling for initialization failure of SOTP.
 * New API `pal_x509CertGetHTBS`: Calculate the hash of the _To Be Signed_ part of an X509 certificate.
 
-#### Mbed cloud update
+#### Mbed Cloud Update
 
 * Improvements to the scheduler to ensure that events are not lost. The scheduler now uses a pool allocation mechanism and queue element locks.
-* Implement API to get the active firmware details.
-* Rollback protection error will now be reported as "Firmware update failed" (8) when MCCP=1.
-* Issue an error when the firmware payload exceeds the maximum storage-size limit.
-* Use constant time binary compare function.
-* Fix build error for Cortex-A9 target.
+* Implemented an API to get the active firmware details.
+* A rollback protection error will now be reported as "Firmware update failed" (8) when MCCP=1.
+* An error is issued when the firmware payload exceeds the maximum storage-size limit.
+* Mbed Cloud Update now uses a constant time binary compare function.
+* Fixed a build error for Cortex-A9 target when retrieving the current interrupt enabled state.
 
-### Release R1.3.1.1 (27.04.2018)
+### Release 1.3.1.1 (27.04.2018)
 
 #### Mbed Cloud Client
 
@@ -73,7 +94,7 @@
 
 * Linux: Replaced `fflush(NULL)` with `sync()` in `pal_osReboot` which was causing deadlock in Raspberry Pi3.
 
-### Release R1.3.1 (19.04.2018)
+### Release 1.3.1 (19.04.2018)
 
 #### Mbed Cloud Client
 
@@ -102,5 +123,5 @@ Using PAL for asyncronous handling of DNS enables firmware update with mesh.
 * Removed the thread-priority requirement.
 * Fixed the compatibility issues with Mbed OS 5.8/5.9.
 
-### Release R1.3.0 (27.3.2018)
+### Release 1.3.0 (27.3.2018)
 * Initial public release.

factory-configurator-client/crypto-service/source/cs_der_keys_and_csrs.c

@@ -257,12 +257,16 @@ static kcm_status_e cs_csr_generate_int(palECKeyHandle_t key_handle, const kcm_c
     palx509CSRHandle_t x509CSR_handle = NULLPTR;
     palMDType_t pal_md_type;
     uint32_t pal_key_usage = 0;
+    uint32_t pal_ext_key_usage = 0;
+    uint32_t eku_all_bits = KCM_CSR_EXT_KU_ANY | KCM_CSR_EXT_KU_SERVER_AUTH | KCM_CSR_EXT_KU_CLIENT_AUTH |
+        KCM_CSR_EXT_KU_CODE_SIGNING | KCM_CSR_EXT_KU_EMAIL_PROTECTION | KCM_CSR_EXT_KU_TIME_STAMPING | KCM_CSR_EXT_KU_OCSP_SIGNING;
 
     SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid csr_params pointer");
     SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params->subject == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid subject pointer in csr_params");
     SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out csr buffer");
     SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_max_size == 0), KCM_STATUS_INVALID_PARAMETER, "Invalid max csr buffer size");
     SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_buff_act_size_out == NULL), KCM_STATUS_INVALID_PARAMETER, "Invalid out csr buffer size");
+    SA_PV_ERR_RECOVERABLE_RETURN_IF((csr_params->ext_key_usage & (~eku_all_bits)), KCM_STATUS_INVALID_PARAMETER, "Invalid extended key usage options");
 
     // Initialize x509 CSR handle 
     pal_status = pal_x509CSRInit(&x509CSR_handle);
@@ -301,6 +305,34 @@ static kcm_status_e cs_csr_generate_int(palECKeyHandle_t key_handle, const kcm_c
         pal_status = pal_x509CSRSetKeyUsage(x509CSR_handle, pal_key_usage);
         SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set CSR key usage");
     }
+
+    // Set CSR extended key usage
+    if (csr_params->ext_key_usage != KCM_CSR_EXT_KU_NONE) {
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_ANY) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_ANY;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_SERVER_AUTH) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_SERVER_AUTH;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_CLIENT_AUTH) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_CLIENT_AUTH;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_CODE_SIGNING) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_CODE_SIGNING;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_EMAIL_PROTECTION) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_EMAIL_PROTECTION;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_TIME_STAMPING) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_TIME_STAMPING;
+        }
+        if (csr_params->ext_key_usage & KCM_CSR_EXT_KU_OCSP_SIGNING) {
+            pal_ext_key_usage |= PAL_X509_EXT_KU_OCSP_SIGNING;
+        }
+        pal_status = pal_x509CSRSetExtendedKeyUsage(x509CSR_handle, pal_ext_key_usage);
+        SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to set CSR extended key usage");
+    }
+
     // Write the CSR to out buffer in DER format
     pal_status = pal_x509CSRWriteDER(x509CSR_handle, csr_buff_out, csr_buff_max_size, csr_buff_act_size_out);
     SA_PV_ERR_RECOVERABLE_GOTO_IF((PAL_SUCCESS != pal_status), kcm_status = cs_error_handler(pal_status), exit, "Failed to write the CSR to out buffer");
@@ -345,7 +377,6 @@ kcm_status_e cs_csr_generate(const uint8_t *priv_key, size_t priv_key_size, cons
     }
     return kcm_status;
 }
-
 kcm_status_e cs_generate_keys_and_csr(kcm_crypto_key_scheme_e curve_name, const kcm_csr_params_s *csr_params, uint8_t *priv_key_out,
                                       size_t priv_key_max_size, size_t *priv_key_act_size_out, uint8_t *pub_key_out,
                                       size_t pub_key_max_size, size_t *pub_key_act_size_out, uint8_t *csr_buff_out,
@@ -374,4 +405,4 @@ kcm_status_e cs_generate_keys_and_csr(kcm_crypto_key_scheme_e curve_name, const
         SA_PV_ERR_RECOVERABLE_RETURN_IF((key_handle != NULLPTR && kcm_status == KCM_STATUS_SUCCESS), KCM_STATUS_ERROR, "Free key handle failed ");
     }
     return kcm_status;
-}
+}

factory-configurator-client/crypto-service/source/cs_utils.c

@@ -100,7 +100,6 @@ kcm_status_e cs_error_handler(palStatus_t pal_status)
     }
 }
 
-
 /* The function checks private and certificate's public key correlation
 */
 kcm_status_e cs_check_certifcate_public_key(palX509Handle_t x509_cert, const uint8_t *private_key_data, size_t size_of_private_key_data)

factory-configurator-client/factory-configurator-client/factory-configurator-client/fcc_status.h

@@ -63,7 +63,8 @@ extern "C" {
         FCC_STATUS_CERTIFICATE_PUBLIC_KEY_CORRELATION_ERROR, //!< Certificate's public key failed do not matches to corresponding private key
         FCC_STATUS_CERTIFICATE_CHAIN_VERIFICATION_FAILED, //!< One of the certificates in the chain does not match its predecessor 
         FCC_STATUS_BUNDLE_INVALID_KEEP_ALIVE_SESSION_STATUS,//!< The message status is invalid.
-        FCC_MAX_STATUS = 0xffffffff
+        FCC_STATUS_TOO_MANY_CSR_REQUESTS,     //!< The message contained more than CSR_MAX_NUMBER_OF_CSRS CSR requests
+        FCC_MAX_STATUS = 0x7fffffff
 } fcc_status_e;
 
 #ifdef __cplusplus

factory-configurator-client/factory-configurator-client/source/fcc_utils.c

@@ -73,53 +73,74 @@ fcc_status_e fcc_convert_kcm_to_fcc_status(kcm_status_e kcm_result)
     fcc_status_e fcc_status = FCC_STATUS_SUCCESS;
 
     switch (kcm_result) {
-        case (KCM_STATUS_SUCCESS):
+        case KCM_STATUS_SUCCESS:
             fcc_status = FCC_STATUS_SUCCESS;
             break;
-        case (KCM_STATUS_ERROR):
-        case (KCM_STATUS_INVALID_PARAMETER):
-        case (KCM_STATUS_OUT_OF_MEMORY):
-        case (KCM_STATUS_INSUFFICIENT_BUFFER):
+        case KCM_STATUS_ERROR:
+        case KCM_STATUS_INVALID_PARAMETER:
+        case KCM_STATUS_OUT_OF_MEMORY:
+        case KCM_STATUS_INSUFFICIENT_BUFFER:
             fcc_status = FCC_STATUS_KCM_ERROR;
             break;
-        case (KCM_STATUS_ITEM_NOT_FOUND):
+        case KCM_STATUS_ITEM_NOT_FOUND:
             fcc_status = FCC_STATUS_ITEM_NOT_EXIST;
             break;
-        case (KCM_STATUS_STORAGE_ERROR):
+        case KCM_STATUS_STORAGE_ERROR:
+        case KCM_STATUS_META_DATA_NOT_FOUND:
+        case KCM_STATUS_META_DATA_SIZE_ERROR:
+        case KCM_STATUS_NOT_PERMITTED:
+        case KCM_STATUS_ITEM_IS_EMPTY:
+        case KCM_STATUS_INVALID_FILE_VERSION:
+        case KCM_STATUS_UNKNOWN_STORAGE_ERROR:
+        case KCM_STATUS_NOT_INITIALIZED:
+        case KCM_STATUS_CLOSE_INCOMPLETE_CHAIN:
+        case KCM_STATUS_INVALID_NUM_OF_CERT_IN_CHAIN:
+        case KCM_STATUS_FILE_CORRUPTED:
+        case KCM_STATUS_FILE_NAME_CORRUPTED:
+        case KCM_STATUS_INVALID_FILE_ACCESS_MODE:
+        case KCM_STATUS_CORRUPTED_CHAIN_FILE:
+        case KCM_STATUS_FILE_NAME_TOO_LONG:
             fcc_status = FCC_STATUS_KCM_STORAGE_ERROR;
             break;
-        case (KCM_STATUS_FILE_EXIST):
+        case KCM_STATUS_SELF_GENERATED_CERTIFICATE_VERIFICATION_ERROR:
+            fcc_status = FCC_STATUS_CERTIFICATE_PUBLIC_KEY_CORRELATION_ERROR;
+        case KCM_STATUS_FILE_EXIST:
+        case (KCM_STATUS_KEY_EXIST):
             fcc_status = FCC_STATUS_KCM_FILE_EXIST_ERROR;
             break;
-        case (KCM_CRYPTO_STATUS_UNSUPPORTED_HASH_MODE):
-        case (KCM_CRYPTO_STATUS_PARSING_DER_PRIVATE_KEY):
-        case (KCM_CRYPTO_STATUS_PARSING_DER_PUBLIC_KEY):
-        case (KCM_CRYPTO_STATUS_PK_KEY_INVALID_FORMAT):
-        case (KCM_CRYPTO_STATUS_INVALID_PK_PUBKEY):
-        case (KCM_CRYPTO_STATUS_ECP_INVALID_KEY):
-        case (KCM_CRYPTO_STATUS_PK_KEY_INVALID_VERSION):
-        case (KCM_CRYPTO_STATUS_PK_PASSWORD_REQUIRED):
-        case (KCM_CRYPTO_STATUS_PRIVATE_KEY_VERIFICATION_FAILED):
-        case (KCM_CRYPTO_STATUS_PUBLIC_KEY_VERIFICATION_FAILED):
-        case (KCM_CRYPTO_STATUS_PK_UNKNOWN_PK_ALG):
-        case (KCM_CRYPTO_STATUS_UNSUPPORTED_CURVE):
-        case (KCM_CRYPTO_STATUS_PARSING_DER_CERT):
-        case (KCM_CRYPTO_STATUS_CERT_EXPIRED):
-        case (KCM_CRYPTO_STATUS_CERT_FUTURE):
-        case (KCM_CRYPTO_STATUS_CERT_MD_ALG):
-        case (KCM_CRYPTO_STATUS_CERT_PUB_KEY_TYPE):
-        case (KCM_CRYPTO_STATUS_CERT_PUB_KEY):
-        case (KCM_CRYPTO_STATUS_CERT_NOT_TRUSTED):
-        case (KCM_CRYPTO_STATUS_INVALID_X509_ATTR):
-        case (KCM_CRYPTO_STATUS_VERIFY_SIGNATURE_FAILED):
-        case (KCM_CRYPTO_STATUS_INVALID_MD_TYPE):
-        case (KCM_CRYPTO_STATUS_FAILED_TO_WRITE_SIGNATURE):
+        case KCM_CRYPTO_STATUS_UNSUPPORTED_HASH_MODE:
+        case KCM_CRYPTO_STATUS_PARSING_DER_PRIVATE_KEY:
+        case KCM_CRYPTO_STATUS_PARSING_DER_PUBLIC_KEY:
+        case KCM_CRYPTO_STATUS_PK_KEY_INVALID_FORMAT:
+        case KCM_CRYPTO_STATUS_INVALID_PK_PUBKEY:
+        case KCM_CRYPTO_STATUS_ECP_INVALID_KEY:
+        case KCM_CRYPTO_STATUS_PK_KEY_INVALID_VERSION:
+        case KCM_CRYPTO_STATUS_PK_PASSWORD_REQUIRED:
+        case KCM_CRYPTO_STATUS_PRIVATE_KEY_VERIFICATION_FAILED:
+        case KCM_CRYPTO_STATUS_PUBLIC_KEY_VERIFICATION_FAILED:
+        case KCM_CRYPTO_STATUS_PK_UNKNOWN_PK_ALG:
+        case KCM_CRYPTO_STATUS_UNSUPPORTED_CURVE:
+        case KCM_CRYPTO_STATUS_PARSING_DER_CERT:
+        case KCM_CRYPTO_STATUS_CERT_EXPIRED:
+        case KCM_CRYPTO_STATUS_CERT_FUTURE:
+        case KCM_CRYPTO_STATUS_CERT_MD_ALG:
+        case KCM_CRYPTO_STATUS_CERT_PUB_KEY_TYPE:
+        case KCM_CRYPTO_STATUS_CERT_PUB_KEY:
+        case KCM_CRYPTO_STATUS_CERT_NOT_TRUSTED:
+        case KCM_CRYPTO_STATUS_INVALID_X509_ATTR:
+        case KCM_CRYPTO_STATUS_VERIFY_SIGNATURE_FAILED:
+        case KCM_CRYPTO_STATUS_INVALID_MD_TYPE:
+        case KCM_CRYPTO_STATUS_FAILED_TO_WRITE_SIGNATURE:
+        case KCM_STATUS_CERTIFICATE_CHAIN_VERIFICATION_FAILED:
+        case KCM_CRYPTO_STATUS_FAILED_TO_WRITE_PRIVATE_KEY:
+        case KCM_CRYPTO_STATUS_FAILED_TO_WRITE_PUBLIC_KEY:
+        case KCM_CRYPTO_STATUS_INVALID_OID:
+        case KCM_CRYPTO_STATUS_INVALID_NAME_FORMAT:
+        case KCM_CRYPTO_STATUS_FAILED_TO_WRITE_CSR:
+        case KCM_MAX_STATUS:
             fcc_status = FCC_STATUS_KCM_CRYPTO_ERROR;
             break;
-        default:
-            SA_PV_LOG_INFO("Invalid kcm_result result (%u)!", kcm_result);
-            fcc_status = FCC_STATUS_ERROR;
-            break;
+
     }
     return fcc_status;
 }