fcc_bundle_certificate_chain_utils.c

00001 // ----------------------------------------------------------------------------
00002 // Copyright 2016-2017 ARM Ltd.
00003 //  
00004 // Licensed under the Apache License, Version 2.0 (the "License");
00005 // you may not use this file except in compliance with the License.
00006 // You may obtain a copy of the License at
00007 //  
00008 //     http://www.apache.org/licenses/LICENSE-2.0
00009 //  
00010 // Unless required by applicable law or agreed to in writing, software
00011 // distributed under the License is distributed on an "AS IS" BASIS,
00012 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00013 // See the License for the specific language governing permissions and
00014 // limitations under the License.
00015 // ----------------------------------------------------------------------------
00016 #include "fcc_bundle_handler.h"
00017 #include "cn-cbor.h"
00018 #include "pv_error_handling.h"
00019 #include "fcc_bundle_utils.h"
00020 #include "key_config_manager.h"
00021 #include "fcc_output_info_handler.h"
00022 #include "fcc_malloc.h"
00023 #include "fcc_time_profiling.h"
00024 #include "fcc_utils.h"
00025 
00026 
00027 /** Processes  certificate chain list.
00028 * The function extracts data parameters for each certificate chain and stores it.
00029 *
00030 * @param cert_chains_list_cb[in]   The cbor structure with certificate chain list.
00031 *
00032 * @return
00033 *     true for success, false otherwise.
00034 */
00035 fcc_status_e  fcc_bundle_process_certificate_chains(const cn_cbor *cert_chains_list_cb)
00036 {
00037     bool status = false;
00038     fcc_status_e  fcc_status = FCC_STATUS_SUCCESS;
00039     fcc_status_e  output_info_fcc_status = FCC_STATUS_SUCCESS;
00040     kcm_status_e  kcm_result = KCM_STATUS_SUCCESS;
00041     uint32_t cert_chain_index = 0;
00042     uint32_t cert_index = 0;
00043     cn_cbor *cert_chain_cb = NULL;
00044     cn_cbor *cert_cb = NULL;
00045     fcc_bundle_data_param_s certificate_chain;
00046     uint8_t *certificate_data;
00047     size_t certificate_data_size = 0;
00048     kcm_cert_chain_handle cert_chain_handle = NULL;
00049 
00050     SA_PV_LOG_TRACE_FUNC_ENTER_NO_ARGS();
00051     SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chains_list_cb == NULL), fcc_status = FCC_STATUS_INVALID_PARAMETER, "Invalid cert_chains_list_cb pointer");
00052 
00053     //Initialize data struct
00054     memset(&certificate_chain, 0, sizeof(fcc_bundle_data_param_s));
00055 
00056     for (cert_chain_index = 0; cert_chain_index < (uint32_t)cert_chains_list_cb->length; cert_chain_index++) {
00057 
00058         FCC_SET_START_TIMER(fcc_certificate_chain_timer);
00059 
00060         certificate_data = NULL;
00061 
00062 
00063         //Get certificate chain CBOR struct at index cert_chain_index
00064         cert_chain_cb = cn_cbor_index(cert_chains_list_cb, cert_chain_index);
00065         SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chain_cb == NULL), fcc_status = FCC_STATUS_BUNDLE_ERROR, "Failed to get certificate chain at index (%" PRIu32 ") ", cert_chain_index);
00066         SA_PV_ERR_RECOVERABLE_RETURN_IF((cert_chain_cb->type != CN_CBOR_MAP), fcc_status = FCC_STATUS_BUNDLE_ERROR, "Wrong type of certificate chain CBOR struct at index (%" PRIu32 ") ", cert_chain_index);
00067 
00068         status = fcc_bundle_get_data_param(cert_chain_cb, &certificate_chain);
00069         SA_PV_ERR_RECOVERABLE_GOTO_IF((status != true), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get certificate chain data at index (%" PRIu32 ") ", cert_chain_index);
00070 
00071         // create chain
00072         kcm_result = kcm_cert_chain_create(&cert_chain_handle, certificate_chain.name, certificate_chain.name_len, (size_t)certificate_chain.array_cn->length, true);
00073         SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_KCM_ERROR, exit, "Failed to create certificate chain");
00074         
00075         //Get all certificates in certificate chain and store it
00076         for (cert_index = 0; cert_index < (uint32_t)certificate_chain.array_cn->length; cert_index++) {
00077 
00078             cert_cb = cn_cbor_index(certificate_chain.array_cn, (unsigned int)cert_index);
00079             SA_PV_ERR_RECOVERABLE_GOTO_IF((cert_cb == NULL), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get cert cbor at index (%" PRIu32 ") ", cert_index);
00080 
00081             status = get_data_buffer_from_cbor(cert_cb, &certificate_data, &certificate_data_size);
00082             SA_PV_ERR_RECOVERABLE_GOTO_IF((status == false || certificate_data == NULL || certificate_data_size == 0), fcc_status = FCC_STATUS_BUNDLE_ERROR, exit, "Failed to get cert data at index (%" PRIu32 ") ", cert_index);
00083 
00084             //If private key name was passed - current leaf certificate is self generated and we need to perform verification against given private key
00085             if (cert_index == 0 && certificate_chain.private_key_name != NULL) {
00086                 //Try to retrieve the private key from the device and verify the leaf certificate against private key data
00087                 kcm_result = kcm_certificate_verify_with_private_key(
00088                     certificate_data,
00089                     certificate_data_size,
00090                     certificate_chain.private_key_name,
00091                     certificate_chain.private_key_name_len);
00092                     SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_CERTIFICATE_PUBLIC_KEY_CORRELATION_ERROR, exit, "Failed to verify leaf certificate against given private key (%" PRIu32 ") ", cert_chain_index);
00093             }
00094             kcm_result = kcm_cert_chain_add_next(cert_chain_handle, certificate_data, certificate_data_size);            
00095             SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = fcc_convert_kcm_to_fcc_status(kcm_result), exit, "Failed to add certificate chain at index (%" PRIu32 ") ", cert_chain_index);
00096         }
00097         // close chain
00098         kcm_result = kcm_cert_chain_close(cert_chain_handle);
00099         cert_chain_handle = NULL;
00100         SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_result != KCM_STATUS_SUCCESS), fcc_status = FCC_STATUS_KCM_ERROR, exit, "Failed to close certificate chain");
00101         FCC_END_TIMER((char*)certificate_chain.name, certificate_chain.name_len, fcc_certificate_chain_timer);
00102     }
00103 
00104 exit:
00105     if (kcm_result != KCM_STATUS_SUCCESS) {
00106         if (cert_chain_handle != NULL) {
00107             kcm_cert_chain_close(cert_chain_handle);
00108         }
00109         //KCM_STATUS_ITEM_NOT_FOUND returned only if private key of self-generate certificate is missing.In this case we need to return name of themissing item -the private key.
00110         if (kcm_result == KCM_STATUS_ITEM_NOT_FOUND) {
00111             output_info_fcc_status = fcc_bundle_store_error_info(certificate_chain.private_key_name, certificate_chain.private_key_name_len, kcm_result);
00112         } else {
00113             output_info_fcc_status = fcc_bundle_store_error_info(certificate_chain.name, certificate_chain.name_len, kcm_result);
00114         }
00115 
00116     }
00117     fcc_bundle_clean_and_free_data_param(&certificate_chain);
00118     SA_PV_ERR_RECOVERABLE_RETURN_IF((output_info_fcc_status != FCC_STATUS_SUCCESS),
00119                                     fcc_status = FCC_STATUS_OUTPUT_INFO_ERROR,
00120                                     "Failed to create output kcm_status error %d", kcm_result);
00121 
00122     SA_PV_LOG_TRACE_FUNC_EXIT_NO_ARGS();
00123 
00124     return fcc_status;
00125 }