Added Wi-Sun certificate and security test interfaces

Mika Leppänen · Mika Leppänen · commit a83472e6a47a · 2019-02-08T09:50:05.000+02:00
Added interface to add/remove additional trusted certificates and
to add/remove certificate revocation lists.

Added test interfaces to add GTKs, to set key index, to set key
lifetimes and to initiate node revocation of access procedure.
diff --git a/nanostack/net_interface.h b/nanostack/net_interface.h
@@ -235,6 +235,18 @@ typedef struct {
     const uint8_t *key_chain[4];    /**< Certificate private key. */
 } arm_certificate_chain_entry_s;
 
+/** Certificate structure. */
+typedef struct {
+    const uint8_t *cert;           /**< Certificate pointer. */
+    uint16_t cert_len;             /**< Certificate length. */
+} arm_certificate_entry_s;
+
+/** Certificate Revocation List structure. */
+typedef struct {
+    const uint8_t *crl;            /**< Certificate Revocation List pointer. */
+    uint16_t crl_len;              /**< Certificate Revocation List length. */
+} arm_cert_revocation_list_entry_s;
+
 /** Structure for the network keys used by net_network_key_get */
 typedef struct ns_keys_t
 
@@ -880,12 +892,56 @@ extern int8_t arm_net_route_delete(const uint8_t *prefix, uint8_t prefix_len, co
 extern int8_t arm_nwk_6lowpan_border_router_nd_context_load(int8_t interface_id, uint8_t *contex_data);  //NVM
 
 /**
- * Set certificate chain for PANA
+ * Set certificate chain
+ *
  * \param chain_info Certificate chain.
  * \return 0 on success, negative on failure.
  */
 extern int8_t arm_network_certificate_chain_set(const arm_certificate_chain_entry_s *chain_info);
 
+/**
+ * Add trusted certificate
+ *
+ * This is used to add trusted root or intermediate certificate in addition to those
+ * added using certificate chain set call. Function can be called several times to add
+ * more than one certificate.
+ *
+ * \param cert Certificate.
+ * \return 0 on success, negative on failure.
+ */
+extern int8_t arm_network_trusted_certificate_add(const arm_certificate_entry_s *cert);
+
+/**
+ * Remove trusted certificate
+ *
+ * This is used to remove trusted root or intermediate certificate.
+ *
+ * \param cert Certificate.
+ * \return 0 on success, negative on failure.
+ */
+extern int8_t arm_network_trusted_certificate_remove(const arm_certificate_entry_s *cert);
+
+/**
+ * Add Certificate Revocation List
+ *
+ * This is used to add Certificate Revocation List (CRL). Function can be called several
+ * times to add more than one Certificate Revocation List.
+ *
+ * \param crl Certificate revocation list
+ * \return 0 on success, negative on failure.
+ */
+extern int8_t arm_network_certificate_revocation_list_add(const arm_cert_revocation_list_entry_s *crl);
+
+/**
+ * Remove Certificate Revocation List
+ *
+ * This is used to remove Certificate Revocation List.
+ *
+ * \param crl Certificate revocation list
+ * \return 0 on success, negative on failure.
+ */
+extern int8_t arm_network_certificate_revocation_list_remove(const arm_cert_revocation_list_entry_s *crl);
+
 /**
  * \brief Add PSK key to TLS library.
  *
diff --git a/nanostack/net_ws_test.h b/nanostack/net_ws_test.h
@@ -72,6 +72,83 @@ int ws_test_pan_size_set(int8_t interface_id, uint16_t pan_size);
  */
 int ws_test_max_child_count_set(int8_t interface_id, uint16_t child_count);
 
+/**
+ * Sets Group Transient Keys.
+ *
+ * Sets Group Transient Keys (GTKs). Up to four GTKs can be set (GTKs from index
+ * 0 to 3). At least one GTK must be set. GTKs provided in this function call are
+ * compared to current GTKs on node or border router GTK storage. If GTK is new
+ * or modified it is updated to GTK storage. If GTK is same as previous one, no
+ * changes are made. If GTK is NULL then it is removed from GTK storage. When a
+ * new GTK is inserted or GTK is modified, GTK lifetime is set to default. If GTKs
+ * are set to border router after bootstrap, border router initiates GTK update
+ * to network.
+ *
+ * \param interface_id Network interface ID.
+ * \param gtk GTK array, if GTK is not set, pointer for the index shall be NULL.
+ *
+ * \return 0                         GTKs are set
+ * \return <0                        GTK set has failed
+ */
+int ws_test_gtk_set(int8_t interface_id, uint8_t *gtk[4]);
+
+/**
+ * Sets index of active key.
+ *
+ * Sets index of active Group Transient Key (GTK) to border router. If index is
+ * set after bootstrap, initiates dissemination of new key index to network.
+ *
+ * \param interface_id Network interface ID.
+ * \param index Key index
+ *
+ * \return 0                         Active key index has been set
+ * \return <0                        Active key index set has failed
+ */
+int ws_test_active_key_set(int8_t interface_id, uint8_t index);
+
+/**
+ * Sets lifetime for keys
+ *
+ * Sets Group Transient Key (GTK), Pairwise Master Key (PMK) and
+ * Pairwise Transient Key (PTK) lifetimes.
+ *
+ * \param interface_id Network interface ID.
+ * \param gtk_lifetime GTK lifetime in minutes
+ * \param pmk_lifetime PMK lifetime in minutes
+ * \param ptk_lifetime PTK lifetime in minutes
+ *
+ * \return 0                         Lifetimes are set
+ * \return <0                        Lifetime set has failed
+ */
+int ws_test_key_lifetime_set(
+    int8_t interface_id,
+    uint32_t gtk_lifetime,
+    uint32_t pmk_lifetime,
+    uint32_t ptk_lifetime
+);
+
+/**
+ * Sets time configurations for GTK keys
+ *
+ * Sets GTK Revocation Lifetime Reduction and GTK New Activation Time values
+ * as parts of the GTK lifetime (e.g. value 3 is 1/3 * lifetime). Sets GTK
+ * maximum mismatch time in minutes.
+ *
+ * \param interface_id Network interface ID.
+ * \param revocat_lifetime_reduct GTK Revocation Lifetime Reduction (1 / value * GTK lifetime)
+ * \param new_activation_time GTK New Activation Time (1 / value * GTK lifetime)
+ * \param max_mismatch GTK maximum mismatch in minutes
+ *
+ * \return 0                         Lifetimes are set
+ * \return <0                        Lifetime set has failed.
+ */
+int ws_test_gtk_time_settings_set(
+    int8_t interface_id,
+    uint8_t revocat_lifetime_reduct,
+    uint8_t new_activation_time,
+    uint32_t max_mismatch
+);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/nanostack/ws_bbr_api.h b/nanostack/ws_bbr_api.h
@@ -68,5 +68,38 @@ int ws_bbr_start(int8_t interface_id, int8_t backbone_interface_id);
  */
 void ws_bbr_stop(int8_t interface_id);
 
+/**
+ * Remove node's keys from border router
+ *
+ * Removes node's keys from border router i.e. Pairwise Master Key (PMK)
+ * and Pairwise Transient Key (PTK). This function is used on revocation of
+ * node's access procedure after authentication service is configured
+ * to reject authentication attempts of the node (e.g. node's certificate is
+ * revoked). Sub sequential calls to function can be used to remove several
+ * nodes from border router.
+ *
+ * \param interface_id Network interface ID.
+ * \param eui64 EUI-64 of revoked node
+ *
+ * \return 0, Node's keys has been removed
+ * \return <0 Node's key remove has failed (e.g. unknown address)
+ */
+int ws_bbr_node_keys_remove(int8_t interface_id, uint8_t *eui64);
+
+/**
+ * Start revocation of node's access
+ *
+ * Starts revocation of node's access procedure on border router. Before
+ * the call to this function, authentication service must be configured to
+ * reject authentication attempts of the removed nodes (e.g. certificates
+ * of the nodes are revoked). Also the keys for the nodes must be removed
+ * from the border router.
+ *
+ * \param interface_id Network interface ID.
+ *
+ * \return 0, Revocation started OK.
+ * \return <0 Revocation start failed.
+ */
+int ws_bbr_node_access_revoke_start(int8_t interface_id);
 
 #endif /* WS_BBR_API_H_ */
diff --git a/source/6LoWPAN/ws/ws_bbr_api.c b/source/6LoWPAN/ws/ws_bbr_api.c
@@ -471,3 +471,18 @@ void ws_bbr_stop(int8_t interface_id)
     (void)interface_id;
 #endif
 }
+
+int ws_bbr_node_keys_remove(int8_t interface_id, uint8_t *eui64)
+{
+    (void) interface_id;
+    (void) eui64;
+
+    return -1;
+}
+
+int ws_bbr_node_access_revoke_start(int8_t interface_id)
+{
+    (void) interface_id;
+
+    return -1;
+}
diff --git a/source/6LoWPAN/ws/ws_empty_functions.c b/source/6LoWPAN/ws/ws_empty_functions.c
@@ -145,5 +145,41 @@ int ws_test_max_child_count_set(int8_t interface_id, uint16_t child_count)
     return -1;
 }
 
+int ws_test_gtk_set(int8_t interface_id, uint8_t *gtk[4])
+{
+    (void) interface_id;
+    (void) gtk;
+
+    return -1;
+}
+
+int ws_test_active_key_set(int8_t interface_id, uint8_t index)
+{
+    (void) interface_id;
+    (void) index;
+
+    return -1;
+}
+
+int ws_test_key_lifetime_set(int8_t interface_id, uint32_t gtk_lifetime, uint32_t pmk_lifetime, uint32_t ptk_lifetime)
+{
+    (void) interface_id;
+    (void) gtk_lifetime;
+    (void) pmk_lifetime;
+    (void) ptk_lifetime;
+
+    return -1;
+}
+
+int ws_test_gtk_time_settings_set(int8_t interface_id, uint8_t revocat_lifetime_reduct, uint8_t new_activation_time, uint32_t max_mismatch)
+{
+    (void) interface_id;
+    (void) revocat_lifetime_reduct;
+    (void) new_activation_time;
+    (void) max_mismatch;
+
+    return -1;
+}
+
 #endif // no HAVE_WS
 
diff --git a/source/6LoWPAN/ws/ws_test_api.c b/source/6LoWPAN/ws/ws_test_api.c
@@ -55,4 +55,40 @@ int ws_test_max_child_count_set(int8_t interface_id, uint16_t child_count)
     return 0;
 }
 
+int ws_test_gtk_set(int8_t interface_id, uint8_t *gtk[4])
+{
+    (void) interface_id;
+    (void) gtk;
+
+    return 0;
+}
+
+int ws_test_active_key_set(int8_t interface_id, uint8_t index)
+{
+    (void) interface_id;
+    (void) index;
+
+    return 0;
+}
+
+int ws_test_key_lifetime_set(int8_t interface_id, uint32_t gtk_lifetime, uint32_t pmk_lifetime, uint32_t ptk_lifetime)
+{
+    (void) interface_id;
+    (void) gtk_lifetime;
+    (void) pmk_lifetime;
+    (void) ptk_lifetime;
+
+    return 0;
+}
+
+int ws_test_gtk_time_settings_set(int8_t interface_id, uint8_t revocat_lifetime_reduct, uint8_t new_activation_time, uint32_t max_mismatch)
+{
+    (void) interface_id;
+    (void) revocat_lifetime_reduct;
+    (void) new_activation_time;
+    (void) max_mismatch;
+
+    return 0;
+}
+
 #endif // HAVE_WS
diff --git a/source/libNET/src/ns_net.c b/source/libNET/src/ns_net.c
@@ -942,6 +942,30 @@ int8_t arm_network_certificate_chain_set(const arm_certificate_chain_entry_s *ch
     return pana_interface_certificate_chain_set(chain_info);
 }
 
+int8_t arm_network_trusted_certificate_add(const arm_certificate_entry_s *cert)
+{
+    (void) cert;
+    return -1;
+}
+
+int8_t arm_network_trusted_certificate_remove(const arm_certificate_entry_s *cert)
+{
+    (void) cert;
+    return -1;
+}
+
+int8_t arm_network_certificate_revocation_list_add(const arm_cert_revocation_list_entry_s *crl)
+{
+    (void) crl;
+    return -1;
+}
+
+int8_t arm_network_certificate_revocation_list_remove(const arm_cert_revocation_list_entry_s *crl)
+{
+    (void) crl;
+    return -1;
+}
+
 /**
  * \brief Read Pana server security key material
  *
