fcc_bundle_certificate_chain_utils.c

00001 // ----------------------------------------------------------------------------
00002 // Copyright 2016-2017 ARM Ltd.
00003 //  
00004 // Licensed under the Apache License, Version 2.0 (the "License");
00005 // you may not use this file except in compliance with the License.
00006 // You may obtain a copy of the License at
00007 //  
00008 //     http://www.apache.org/licenses/LICENSE-2.0
00009 //  
00010 // Unless required by applicable law or agreed to in writing, software
00011 // distributed under the License is distributed on an "AS IS" BASIS,
00012 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00013 // See the License for the specific language governing permissions and
00014 // limitations under the License.
00015 // ----------------------------------------------------------------------------
00016 #ifndef USE_TINY_CBOR
00017 #include "fcc_bundle_handler.h"
00018 #include "cn-cbor.h"
00019 #include "pv_error_handling.h"
00020 #include "fcc_bundle_utils.h"
00021 #include "key_config_manager.h"
00022 #include "fcc_output_info_handler.h"
00023 #include "fcc_malloc.h"
00024 #include "fcc_time_profiling.h"
00025 #include "fcc_utils.h"
00026 
00027 
00028 /** Processes  certificate chain list.
00029 * The function extracts data parameters for each certificate chain and stores it.
00030 *
00031 * @param cert_chains_list_cb[in]   The cbor structure with certificate chain list.
00032 *
00033 * @return
00034 *     true for success, false otherwise.
00035 */
00036 fcc_status_e  fcc_bundle_process_certificate_chains(const cn_cbor *cert_chains_list_cb)
00037 {
00038     bool status = false;
00039     fcc_status_e  fcc_status = FCC_STATUS_SUCCESS;
00040     fcc_status_e  output_info_fcc_status = FCC_STATUS_SUCCESS;
00041     kcm_status_e  kcm_result = KCM_STATUS_SUCCESS;
00042     uint32_t cert_chain_index = 0;
00043     uint32_t cert_index = 0;
00044     cn_cbor *cert_chain_cb = NULL;
00045     cn_cbor *cert_cb = NULL;
00046     fcc_bundle_data_param_s certificate_chain;
00047     uint8_t *certificate_data;
00048     size_t certificate_data_size = 0;
00049     kcm_cert_chain_handle cert_chain_handle = NULL;
00050 
00051     SA_PV_LOG_TRACE_FUNC_ENTER_NO_ARGS();
00052     SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chains_list_cb == NULL), fcc_status = FCC_STATUS_INVALID_PARAMETER, "Invalid cert_chains_list_cb pointer");
00053 
00054     //Initialize data struct
00055     memset(&certificate_chain, 0, sizeof(fcc_bundle_data_param_s));
00056 
00057     for (cert_chain_index = 0; cert_chain_index < (uint32_t)cert_chains_list_cb->length; cert_chain_index++) {
00058 
00059         FCC_SET_START_TIMER(fcc_certificate_chain_timer);
00060 
00061         certificate_data = NULL;
00062 
00063 
00064         //Get certificate chain CBOR struct at index cert_chain_index
00065         cert_chain_cb = cn_cbor_index(cert_chains_list_cb, cert_chain_index);
00066         SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chain_cb == NULL), fcc_status = FCC_STATUS_BUNDLE_ERROR, "Failed to get certificate chain at index (%" PRIu32 ") ", cert_chain_index);
00067         SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chain_cb->type != CN_CBOR_MAP), fcc_status = FCC_STATUS_BUNDLE_ERROR, "Wrong type of certificate chain CBOR struct at index (%" PRIu32 ") ", cert_chain_index);
00068 
00069         status = fcc_bundle_get_data_param(cert_chain_cb, &certificate_chain);
00070         SA_PV_ERR_RECOVERABLE_GOTO_IF((status != true), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get certificate chain data at index (%" PRIu32 ") ", cert_chain_index);
00071 
00072         // create chain
00073         kcm_result = kcm_cert_chain_create(&cert_chain_handle, certificate_chain.name, certificate_chain.name_len, (size_t)certificate_chain.array_cn->length, true);
00074         SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_KCM_ERROR, exit, "Failed to create certificate chain");
00075         
00076         //Get all certificates in certificate chain and store it
00077         for (cert_index = 0; cert_index < (uint32_t)certificate_chain.array_cn->length; cert_index++) {
00078 
00079             cert_cb = cn_cbor_index(certificate_chain.array_cn, (unsigned int)cert_index);
00080             SA_PV_ERR_RECOVERABLE_GOTO_IF((cert_cb == NULL), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get cert cbor at index (%" PRIu32 ") ", cert_index);
00081 
00082             status = get_data_buffer_from_cbor(cert_cb, &certificate_data, &certificate_data_size);
00083             SA_PV_ERR_RECOVERABLE_GOTO_IF((status == false || certificate_data == NULL || certificate_data_size == 0), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get cert data at index (%" PRIu32 ") ", cert_index);
00084 
00085             //If private key name was passed - current leaf certificate is self generated and we need to perform verification against given private key
00086             if (cert_index == 0 && certificate_chain.private_key_name != NULL) {
00087                 //Try to retrieve the private key from the device and verify the leaf certificate against private key data
00088                 kcm_result = kcm_certificate_verify_with_private_key(
00089                     certificate_data,
00090                     certificate_data_size,
00091                     certificate_chain.private_key_name,
00092                     certificate_chain.private_key_name_len);
00093                     SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_CERTIFICATE_PUBLIC_KEY_CORRELATION_ERROR, exit, "Failed to verify leaf certificate against given private key (%" PRIu32 ") ", cert_chain_index);
00094             }
00095             kcm_result = kcm_cert_chain_add_next(cert_chain_handle, certificate_data, certificate_data_size);            
00096             SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = fcc_convert_kcm_to_fcc_status(kcm_result), exit, "Failed to add certificate chain at index (%" PRIu32 ") ", cert_chain_index);
00097         }
00098         // close chain
00099         kcm_result = kcm_cert_chain_close(cert_chain_handle);
00100         cert_chain_handle = NULL;
00101         SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_KCM_ERROR, exit, "Failed to close certificate chain");
00102         FCC_END_TIMER((char*)certificate_chain.name, certificate_chain.name_len, fcc_certificate_chain_timer);
00103     }
00104 
00105 exit:
00106     if (kcm_result != KCM_STATUS_SUCCESS) {
00107         if (cert_chain_handle != NULL) {
00108             kcm_cert_chain_close(cert_chain_handle);
00109         }
00110         //KCM_STATUS_ITEM_NOT_FOUND returned only if private key of self-generate certificate is missing.In this case we need to return name of themissing item -the private key.
00111         if (kcm_result == KCM_STATUS_ITEM_NOT_FOUND) {
00112             output_info_fcc_status = fcc_bundle_store_error_info(certificate_chain.private_key_name, certificate_chain.private_key_name_len, kcm_result);
00113         } else {
00114             output_info_fcc_status = fcc_bundle_store_error_info(certificate_chain.name, certificate_chain.name_len, kcm_result);
00115         }
00116 
00117     }
00118     fcc_bundle_clean_and_free_data_param(&certificate_chain);
00119     SA_PV_ERR_RECOVERABLE_RETURN_IF((output_info_fcc_status != FCC_STATUS_SUCCESS),
00120                                     fcc_status = FCC_STATUS_OUTPUT_INFO_ERROR,
00121                                     "Failed to create output kcm_status error %d", kcm_result);
00122 
00123     SA_PV_LOG_TRACE_FUNC_EXIT_NO_ARGS();
00124 
00125     return fcc_status;
00126 }
00127 #endif