Certificate set API changed. (ARMmbed#73)

One pointer only for certificate chain data.

Author: Tero Heinonen

coap-service/coap_service_api.h

@@ -316,18 +316,16 @@ extern int8_t coap_service_set_duplicate_message_buffer(int8_t service_id, uint8
  * Set DTLS certificates.
  *
  * \param service_id       Id number of the current service.
- * \param root_cert        Pointer to CA certificate
- * \param root_cert_len    CA certificate length
- * \param own_cert         pointer to own certificate
- * \param own_cert_len     length of own certificate
+ * \param cert             Pointer to certificate chain
+ * \param cert_len         Certificate length
  * \param priv_key         pointer to private key
  * \param priv_key_len     length of private key
  *
  * \return -1              For failure
  *-         0              For success
  */
 
-extern int8_t coap_service_certificate_set(int8_t service_id, const unsigned char *root_cert, uint16_t root_cert_len, const unsigned char *own_cert, uint16_t own_cert_len, const unsigned char *priv_key, uint8_t priv_key_len);
+extern int8_t coap_service_certificate_set(int8_t service_id, const unsigned char *cert, uint16_t cert_len, const unsigned char *priv_key, uint8_t priv_key_len);
 #ifdef __cplusplus
 }
 #endif

source/coap_security_handler.c

@@ -282,12 +282,8 @@ static int coap_security_handler_configure_keys (coap_security_t *sec, coap_secu
     switch( sec->_conn_mode ){
         case CERTIFICATE:{
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-        if(  mbedtls_x509_crt_parse( &sec->_cacert, keys._ca_cert,
-                                     keys._ca_cert_len ) < 0 ){
-            break;
-        }
-        if( mbedtls_x509_crt_parse( &sec->_owncert, keys._own_cert,
-                                    keys._own_cert_len ) < 0 ){
+        if( keys._cert && mbedtls_x509_crt_parse( &sec->_owncert, keys._cert,
+                                    keys._cert_len ) < 0 ){
             break;
         }
         if( mbedtls_pk_parse_key(&sec->_pkey, keys._priv_key, keys._priv_key_len, NULL, 0) < 0){
@@ -302,15 +298,15 @@ static int coap_security_handler_configure_keys (coap_security_t *sec, coap_secu
             //TODO: add server certi
         }
         //TODO: use MBEDTLS_SSL_VERIFY_REQUIRED instead of optional
-        mbedtls_ssl_conf_authmode( &sec->_conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
+        mbedtls_ssl_conf_authmode( &sec->_conf, MBEDTLS_SSL_VERIFY_NONE );
         mbedtls_ssl_conf_ca_chain( &sec->_conf, &sec->_cacert, NULL );
         ret = 0;
 #endif
         break;
         }
         case PSK: {
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
-        if( 0 != mbedtls_ssl_conf_psk(&sec->_conf, keys._priv_key, keys._priv_key_len, keys._own_cert, keys._own_cert_len) ){
+        if( 0 != mbedtls_ssl_conf_psk(&sec->_conf, keys._priv_key, keys._priv_key_len, keys._cert, keys._cert_len) ){
             break;
         }
         mbedtls_ssl_conf_ciphersuites(&sec->_conf, PSK_SUITES);
@@ -395,6 +391,7 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
 #endif
 
     if (coap_security_handler_configure_keys(sec, keys, is_server) != 0) {
+        tr_debug("security credential configure failed");
         return -1;
     }
 

source/coap_service_api.c

@@ -554,7 +554,7 @@ uint16_t coap_service_id_find_by_socket(int8_t socket_id)
     return this ? this->service_id:0;
 }
 
-int8_t coap_service_certificate_set(int8_t service_id, const unsigned char *root_cert, uint16_t root_cert_len, const unsigned char *own_cert, uint16_t own_cert_len, const unsigned char *priv_key, uint8_t priv_key_len)
+int8_t coap_service_certificate_set(int8_t service_id, const unsigned char *cert, uint16_t cert_len, const unsigned char *priv_key, uint8_t priv_key_len)
 {
     coap_service_t *this = service_find(service_id);
     if (!this) {
@@ -571,11 +571,8 @@ int8_t coap_service_certificate_set(int8_t service_id, const unsigned char *root
 
     memset(this->conn_handler->security_keys, 0, sizeof(coap_security_keys_t));
 
-    this->conn_handler->security_keys->_ca_cert = root_cert;
-    this->conn_handler->security_keys->_ca_cert_len = root_cert_len;
-
-    this->conn_handler->security_keys->_own_cert = own_cert;
-    this->conn_handler->security_keys->_own_cert_len = own_cert_len;
+    this->conn_handler->security_keys->_cert = cert;
+    this->conn_handler->security_keys->_cert_len = cert_len;
 
     this->conn_handler->security_keys->_priv_key = priv_key;
     this->conn_handler->security_keys->_priv_key_len = priv_key_len;

source/include/coap_security_handler.h

@@ -60,10 +60,8 @@ typedef enum {
 typedef struct {
     SecureConnectionMode mode;
     /* Certificate pointers, not owned */
-    const unsigned char *_ca_cert;
-    uint16_t _ca_cert_len;
-    const unsigned char *_own_cert;
-    uint16_t _own_cert_len;
+    const unsigned char *_cert;
+    uint16_t _cert_len;
     const unsigned char *_priv_key;
     uint8_t _priv_key_len;
     /* Secure key pointer, owned */

test/coap-service/unittest/coap_service_api/test_coap_service_api.c

@@ -433,7 +433,7 @@ bool test_conn_handler_callbacks()
 bool test_certificate_set()
 {
     /* Service not found, return failure */
-    if (-1 != coap_service_certificate_set(1, NULL, 0, NULL, 0, NULL, 0)) {
+    if (-1 != coap_service_certificate_set(1, NULL, 0, NULL, 0)) {
         return false;
     }
 
@@ -446,13 +446,13 @@ bool test_certificate_set()
         return false;
 
     /* Allocation fails */
-    if (-1 != coap_service_certificate_set(1, NULL, 0, NULL, 0, NULL, 0)) {
+    if (-1 != coap_service_certificate_set(1, NULL, 0, NULL, 0)) {
         return false;
     }
 
     /* All OK */
     nsdynmemlib_stub.returnCounter = 1;
-    if (0 != coap_service_certificate_set(1, NULL, 0, NULL, 0, NULL, 0)) {
+    if (0 != coap_service_certificate_set(1, NULL, 0, NULL, 0)) {
         return false;
     }