Merge pull request #98 from PelionIoT/release-4.12.0
mbed-cloud-client 4.12.0
jenia81 authored Mar 1, 2022
2 parents 08d12fb + 9e052d4 commit 54282bc
Showing 15 changed files with 2,807 additions and 13 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,12 @@
## Changelog for Pelion Device Management Client

### Release 4.12.0 (01.03.2022)

- [Linux] Security improvement - the update encryption key is stored in the NVM and not in the header.
- Enable connection to any LwM2M compliant bootstrap and device management services.
- Introduce a new `LWM2M_COMPLIANT` flag that enables connection to any LwM2M compliant bootstrap and device management services. Disabled by default.
- Introduce a new `DISABLE_SERVER_CERT_VERIFY` flag that disables the server certificate verification during the TLS handshake. Disabled by default.

### Release 4.11.2 (01.12.2021)

Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is enabled but trace-level is set below INFO. This fixes a regression introduced in 4.11.0 release.
Expand Up @@ -178,6 +178,10 @@ extern const char g_fcc_class_id_name[];

extern const char g_fcc_vendor_id_name[];

#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
extern const char g_fcc_mbed_internal_endpoint[];
extern const char g_fcc_account_id[];
#endif

#ifdef __cplusplus
}
Expand Up @@ -74,6 +74,11 @@ const char g_fcc_update_authentication_certificate_name[] = "mbed.UpdateAuthCert
const char g_fcc_class_id_name[] = "mbed.ClassId";
const char g_fcc_vendor_id_name[] = "mbed.VendorId";

#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
const char g_fcc_mbed_internal_endpoint[] = "mbed.InternalEndpoint";
const char g_fcc_account_id[] = "mbed.AccountID";
#endif

static bool g_is_fcc_initialized = false;
bool g_is_session_finished = true;

Expand Up @@ -53,13 +53,21 @@ extern const char MBED_CLOUD_DEV_HARDWARE_VERSION[];
//device total memory
extern const uint32_t MBED_CLOUD_DEV_MEMORY_TOTAL_KB;

#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
extern const char MBED_CLOUD_DEV_ACCOUNT_ID[];
#endif


fcc_status_e fcc_developer_flow(void)
{
kcm_status_e kcm_status = KCM_STATUS_SUCCESS;
fcc_status_e fcc_status = FCC_STATUS_SUCCESS;
const bool is_factory_item = true;
#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
static const uint32_t is_bootstrap_mode = 0;
#else
static const uint32_t is_bootstrap_mode = 1;
#endif
const fcc_deloveper_mode_item_params_s fcc_deloveper_mode_item_params_table[] = {

//param name //param kcm type //param data //param data_size
Expand All @@ -68,11 +76,25 @@ fcc_status_e fcc_developer_flow(void)
#if !defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) || (defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) && defined(MBED_CONF_MBED_CLOUD_CLIENT_CLEAN_CREDENTIALS_SE))
{ g_fcc_endpoint_parameter_name, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME, (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME) },
//Bootstrap configuration
#ifndef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
{ g_fcc_bootstrap_device_certificate_name, KCM_CERTIFICATE_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE },
{ g_fcc_bootstrap_device_private_key_name, KCM_PRIVATE_KEY_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE },
#endif
#else
{ g_fcc_lwm2m_device_certificate_name, KCM_CERTIFICATE_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE },
{ g_fcc_lwm2m_device_private_key_name, KCM_PRIVATE_KEY_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE },
{ g_fcc_mbed_internal_endpoint, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME, (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME) },
// The account id is not really needed, but the MCC requires it.
{ g_fcc_account_id, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_ACCOUNT_ID, (uint32_t)strlen((char*)MBED_CLOUD_DEV_ACCOUNT_ID) },
#endif //MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
#endif //!defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) || (defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) && defined(MBED_CONF_MBED_CLOUD_CLIENT_CLEAN_CREDENTIALS_SE))

#ifndef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
{ g_fcc_bootstrap_server_ca_certificate_name, KCM_CERTIFICATE_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE, MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE_SIZE },
{ g_fcc_bootstrap_server_uri_name, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI, (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI) },
#else
{ g_fcc_lwm2m_server_ca_certificate_name, KCM_CERTIFICATE_ITEM, MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE, MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE_SIZE },
{ g_fcc_lwm2m_server_uri_name, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI, (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI) },
#endif //MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
//device meta data
{ g_fcc_manufacturer_parameter_name, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_MANUFACTURER, (uint32_t)strlen((char*)MBED_CLOUD_DEV_MANUFACTURER) },
{ g_fcc_model_number_parameter_name, KCM_CONFIG_ITEM, (const uint8_t*)MBED_CLOUD_DEV_MODEL_NUMBER, (uint32_t)strlen((char*)MBED_CLOUD_DEV_MODEL_NUMBER) },
Expand Down Expand Up @@ -112,9 +134,10 @@ fcc_status_e fcc_developer_flow(void)
SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), fcc_convert_kcm_to_fcc_status(kcm_status), "Store status: %d, Failed to store %s", kcm_status, mandatory_items_iter->item_name);
}

#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
fcc_status = fcc_trust_ca_cert_id_set();
SA_PV_ERR_RECOVERABLE_RETURN_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status, "Failed to set ca certificate identifier");

#endif
SA_PV_LOG_INFO_FUNC_EXIT_NO_ARGS();

return fcc_status;
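Review bot: In the second hunk the new `g_fcc_mbed_internal_endpoint` and `g_fcc_account_id` rows sit inside the `#if !defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) || ...` block, so a secure-element build without `MBED_CONF_MBED_CLOUD_CLIENT_CLEAN_CREDENTIALS_SE` and with bootstrap disabled stores neither item, although the comment beside the account id says the MCC requires it. Unless those two config items are provisioned elsewhere for such builds (not visible in these hunks), the developer flow leaves the device without them. Both are plain `KCM_CONFIG_ITEM` rows rather than key material, so I would move them to the later `#else` branch next to `g_fcc_lwm2m_server_uri_name`, which lies outside the secure-element guard. A comment there such as `// No bootstrap: the developer credentials are stored directly as the LwM2M identity` would also help, because the `MBED_CLOUD_DEV_BOOTSTRAP_*` macros keep their bootstrap names in this configuration. The table and the rest of fcc_developer_flow continue outside the hunks.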
Expand Up @@ -143,6 +143,7 @@ static fcc_status_e fcc_check_uri_contents(bool use_bootstrap, uint8_t* uri_data
SA_PV_ERR_RECOVERABLE_GOTO_IF(true, fcc_status = FCC_STATUS_URI_WRONG_FORMAT, exit, "Wrong uri prefix");
}

#ifndef LWM2M_COMPLIANT // Account ID is a Pelion thing
// Check if uri_string contains uri_aid (indicate the uri contains AccountId)
if ((strstr(uri_string, URI_AID_PREFIX1) != NULL) || (strstr(uri_string, URI_AID_PREFIX2) != NULL)) {
has_uri_aid = true;
Expand All @@ -154,6 +155,7 @@ static fcc_status_e fcc_check_uri_contents(bool use_bootstrap, uint8_t* uri_data
} else {
SA_PV_ERR_RECOVERABLE_GOTO_IF(has_uri_aid == false, fcc_status = FCC_STATUS_URI_WRONG_FORMAT, exit, "Wrong uri data");
}
#endif

exit:
fcc_free(uri_string);
Expand Down Expand Up @@ -546,6 +548,7 @@ static fcc_status_e verify_root_ca_certificate(bool use_bootstrap)
fcc_status = verify_existence_and_set_warning(secondary_ca_cert_name, secondary_ca_cert_name_len, KCM_CERTIFICATE_ITEM, false);
SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, store_error_and_exit, "Failed in verify_existence_and_set_warning");

#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
if (use_bootstrap == true) {
fcc_status = fcc_get_certificate_attribute_by_name((const uint8_t*)root_ca_cert_name,
root_ca_cert_name_len,
Expand All @@ -570,6 +573,7 @@ static fcc_status_e verify_root_ca_certificate(bool use_bootstrap)
}
fcc_status = FCC_STATUS_SUCCESS;
}
#endif //#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)

//TBD : check of mbed crypto scheme IOTPREQ-1417
store_error_and_exit:
Expand Down Expand Up @@ -709,11 +713,13 @@ static fcc_status_e verify_device_certificate_and_private_key(bool use_bootstrap
fcc_status = compare_cn_with_endpoint(x509_cert_handle);
SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, close_chain, "Failed to compare_cn_with_endpoint");

#ifndef LWM2M_COMPLIANT // Account ID is Pelion specific
//In case LWM2M certificate check it's OU attribute with aid of server link
if (strcmp((const char*)exist_item_name, g_fcc_lwm2m_device_certificate_name) == 0) {
fcc_status = compare_ou_with_aid_server(x509_cert_handle);
SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, close_chain, "Failed to compare_ou_with_aid_server");
}
#endif

//Check that device certificate not self-signed
kcm_status = cs_is_self_signed_x509_cert(x509_cert_handle, &is_self_signed);
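Review bot: With `LWM2M_COMPLIANT` defined, `fcc_check_uri_contents` no longer looks for the account id in the server URI and `verify_device_certificate_and_private_key` skips `compare_ou_with_aid_server`, yet neither guard records which identity checks remain. From the visible lines `compare_cn_with_endpoint` and the self-signed test still run, so I would say so at the second guard, e.g. `// LwM2M-compliant servers have no account id, so the OU/AID match is skipped; the CN/endpoint and self-signed checks still run`. If `has_uri_aid` is declared above the first guard (outside the hunk) it becomes unused in these builds, and its declaration should move inside the `#ifndef`. Closing both guards with `#endif // LWM2M_COMPLIANT` would match the annotated `#endif` this commit adds in `verify_root_ca_certificate`.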
Expand Up @@ -470,9 +470,10 @@ fcc_status_e fcc_bundle_handler(const uint8_t *encoded_blob, size_t encoded_blob
// in SOTP, if in the future more error conditions will be attached to FCC_STATUS_CA_ERROR error code
// then the logic here MUST be change.
// Only if this is the last message - set the certificate ID
#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
fcc_status = fcc_trust_ca_cert_id_set();
SA_PV_ERR_RECOVERABLE_GOTO_IF(((fcc_status != FCC_STATUS_SUCCESS) && (fcc_status != FCC_STATUS_CA_ERROR)), (fcc_status = fcc_status), exit_and_response, "CA store error %u", fcc_status);

#endif
}

if (fcc_verify_status == true) {
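Review bot: The new `PAL_USE_SECURE_TIME` guard compiles `fcc_trust_ca_cert_id_set()` out of builds without secure time, and nothing in the code says why the CA identifier depends on that feature; the same guard is added in `fcc_developer_flow` and around the `use_bootstrap` root-CA attribute lookup in `verify_root_ca_certificate`. As far as these hunks show, a device provisioned by such a build gets no CA identifier set and skips that lookup with no trace in the log. I would put a short comment above each guard, presumably `// The trusted CA identifier is only needed for secure-time verification` (confirm against `fcc_trust_ca_cert_id_set`), and close this one with `#endif // PAL_USE_SECURE_TIME`. fcc_bundle_handler starts and ends outside the hunk.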
2 changes: 1 addition & 1 deletion fota/fota.c
Expand Up @@ -1589,7 +1589,7 @@ static int prepare_and_program_header(void)

#if (MBED_CLOUD_CLIENT_FOTA_ENCRYPTION_SUPPORT == 1)
header_info.flags |= FOTA_HEADER_ENCRYPTED_FLAG;
#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION == FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY)
#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION == FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY) && !defined(TARGET_LIKE_LINUX)
// encrypt fw_key buffer using device key and store it in the header
uint8_t fw_key[FOTA_ENCRYPT_KEY_SIZE];
ret = fota_nvm_fw_encryption_key_get(fw_key);
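Review bot: The Linux exception is written as `&& !defined(TARGET_LIKE_LINUX)` here and as `|| defined(TARGET_LIKE_LINUX)` in `fota_candidate_extract_start` (fota/fota_candidate.c), and the two conditions have to stay exact complements: if they drift, the code that writes the header and the code that reads the candidate disagree on whether the firmware key is in the header or in NVM. I would define one 0/1 macro in a shared FOTA configuration header (suggested name `FOTA_FW_KEY_IN_HEADER`) and test that in both files. A comment on the guard stating that on Linux the key is kept in NVM, as the changelog entry says, would also help. Whether that NVM copy is erased once the candidate has been installed is not visible in these hunks and is worth confirming for a one-time key. prepare_and_program_header starts and ends outside the hunk.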
3 changes: 2 additions & 1 deletion fota/fota_candidate.c
Expand Up @@ -269,7 +269,8 @@ static int fota_candidate_extract_start(bool force_encrypt, const char *expected
uint8_t zero_key[FOTA_ENCRYPT_KEY_SIZE] = {0};
size_t volatile loop_check;

#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION != FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY)
#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION != FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY) || \
defined(TARGET_LIKE_LINUX)
ret = fota_nvm_fw_encryption_key_get(fw_key);
#else
ret = fota_decrypt_fw_key(fw_key,