Updates to thread extension bootstrap (ARMmbed#1714)

More logic added to thread extension bootstrapping.

Author: Tero Heinonen

source/6LoWPAN/Thread/thread_extension_bootstrap.c

@@ -54,6 +54,7 @@ typedef struct thread_extension_credentials {
     uint8_t domain_name[16];                        // Thread CCM domain name
     uint8_t ccm_addr[16];                           // CCM destination address
     const unsigned char *device_certificate_ptr;    // Pointer to CCM device certificate for Autonomous Enrollment
+    unsigned char *domain_ca_certificate_ptr;       // Pointer to Thread CCM domain CA certificate
     unsigned char *domain_certificate_ptr;          // Pointer to Thread CCM domain certificate
     unsigned char *domain_pk_ptr;                   // Pointer to Thread domain certificate private key
     const unsigned char *device_pk_ptr;             // Pointer to CCM device certificate private key
@@ -62,6 +63,7 @@ typedef struct thread_extension_credentials {
 
     uint16_t device_certificate_len;                // Device certificate length
     uint16_t domain_certificate_len;                // Domain certificate length
+    uint16_t domain_ca_certificate_len;             // Domain CA certificate length
     uint16_t device_pk_len;                         // Device certificate private key length
     uint16_t domain_pk_len;                         // Domain certificate private key length
     uint16_t ccm_port;                              // CCM destination port
@@ -74,6 +76,36 @@ typedef struct thread_extension_credentials {
 
 #ifdef HAVE_THREAD_V2
 
+/* Hardcoded CSR request/privatekey pairs */
+static const unsigned char csr_request[215] = {
+    0x30,0x81,0xd4,0x30,0x7c,0x02,0x01,0x00,0x30,0x1a,0x31,0x18,0x30,0x16,0x06,0x03,
+    0x55,0x04,0x03,0x0c,0x0f,0x54,0x68,0x72,0x65,0x61,0x64,0x44,0x65,0x76,0x69,0x63,
+    0x65,0x31,0x32,0x33,0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,
+    0x01,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0xb1,
+    0xab,0xe8,0xa2,0xa1,0xe6,0x62,0x5e,0xae,0x9e,0x7e,0x41,0xcf,0x7e,0x95,0x58,0x19,
+    0x51,0x47,0xea,0x0f,0xe2,0xf8,0xc2,0x1b,0x61,0xa5,0x30,0x05,0xc0,0x91,0xb6,0x07,
+    0xc2,0x43,0x46,0xda,0x75,0xc0,0x58,0xd8,0x08,0xa5,0xbb,0xdb,0xdc,0x0e,0xf2,0x05,
+    0x62,0xfb,0x28,0xbb,0xa7,0xd2,0x9e,0xef,0x8f,0xbf,0xba,0xcd,0x51,0xa5,0xfd,0xa0,
+    0x00,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x03,0x48,0x00,
+    0x30,0x45,0x02,0x20,0x4e,0xb2,0x25,0x82,0x24,0xf6,0xe1,0x51,0xd6,0x0c,0x19,0x60,
+    0x88,0xb8,0xe2,0xfd,0x90,0xd2,0xc1,0x0f,0xb0,0x4f,0x8e,0x73,0x13,0x5c,0x9f,0x42,
+    0x09,0x68,0xdf,0x05,0x02,0x21,0x00,0xc9,0xc2,0x63,0x83,0x62,0x24,0x15,0x73,0xf1,
+    0x63,0xea,0xe3,0xd2,0xf1,0x50,0x48,0x56,0xdf,0x6b,0xcf,0xc4,0x31,0xc4,0xcf,0xbc,
+    0x26,0xe3,0x5a,0x74,0x62,0x0f,0x70
+};
+
+static const unsigned char private_key[138] = {
+    0x30,0x81,0x87,0x02,0x01,0x00,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,
+    0x01,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x04,0x6d,0x30,0x6b,0x02,
+    0x01,0x01,0x04,0x20,0xc4,0x65,0x01,0x7e,0x81,0xaa,0x16,0x93,0x31,0x7b,0x37,0x07,
+    0xc8,0x85,0x9f,0xee,0xf9,0x55,0x19,0x41,0xf2,0xe1,0x3f,0x2d,0x29,0xba,0x2b,0x7f,
+    0xdf,0x8c,0x50,0x66,0xa1,0x44,0x03,0x42,0x00,0x04,0xb1,0xab,0xe8,0xa2,0xa1,0xe6,
+    0x62,0x5e,0xae,0x9e,0x7e,0x41,0xcf,0x7e,0x95,0x58,0x19,0x51,0x47,0xea,0x0f,0xe2,
+    0xf8,0xc2,0x1b,0x61,0xa5,0x30,0x05,0xc0,0x91,0xb6,0x07,0xc2,0x43,0x46,0xda,0x75,
+    0xc0,0x58,0xd8,0x08,0xa5,0xbb,0xdb,0xdc,0x0e,0xf2,0x05,0x62,0xfb,0x28,0xbb,0xa7,
+    0xd2,0x9e,0xef,0x8f,0xbf,0xba,0xcd,0x51,0xa5,0xfd
+};
+
 const uint8_t meshcop_nmkp_resp_ignore[] = {
         MESHCOP_TLV_COMM_SIGNATURE,
         MESHCOP_TLV_COMM_TOKEN,
@@ -184,28 +216,58 @@ static int thread_joiner_application_csrattrs_response_cb(int8_t service_id, uin
     }
     tr_info("Receiving csrattrs response sending simpleenroll");
 
-    // TODO add certificate template to this message with included Private/Public key pair
+    // TODO Create CSR and private key here... Now we use hardcoded stuff.
+    thread_extension_bootstrap_network_private_key_set(cur, private_key, sizeof(private_key));
+
     coap_service_request_send(service_id, COAP_REQUEST_OPTIONS_SECURE_BYPASS, source_address, source_port,
-                              COAP_MSG_TYPE_CONFIRMABLE, COAP_MSG_CODE_REQUEST_POST, ".well-known/est/simpleenroll", THREAD_CONTENT_FORMAT_PKCS10, NULL, 0, thread_joiner_application_simple_enroll_response_cb);
+                              COAP_MSG_TYPE_CONFIRMABLE, COAP_MSG_CODE_REQUEST_POST, ".well-known/est/simpleenroll", THREAD_CONTENT_FORMAT_PKCS10,
+                              csr_request, sizeof(csr_request), thread_joiner_application_simple_enroll_response_cb);
 
     return 0;
 }
 
 static int thread_joiner_application_rat_response_cb(int8_t service_id, uint8_t source_address[static 16], uint16_t source_port, sn_coap_hdr_s *response_ptr)
 {
-    (void) response_ptr;
+    char *ca_cert_ptr;
+    uint16_t ca_cert_len = 0;
 
     protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(thread_extension_bootstrap_find_id_by_service(service_id));
 
     if (!cur || !cur->thread_info) {
         return -1;
     }
+
     tr_info("Receiving RAT response sending csrattrs request");
-    // TODO Parse CA certificate from RAT response
+
+    if(!response_ptr || !response_ptr->payload_ptr) {
+        tr_error("No response payload");
+        return -1;
+    }
+
+    // Parse CA certificate from RAT response
+    // Replace with CBOR library, when the time is right
+    ca_cert_ptr = strstr((const char *)response_ptr->payload_ptr, "domainCAcert");
+    if (ca_cert_ptr) {
+        ca_cert_ptr += 13; // Jump over "domainCAcert and some cbor format byte...
+        ca_cert_len = common_read_16_bit((uint8_t *)ca_cert_ptr);   // read length
+        ca_cert_ptr += 2;
+        tr_debug("CA cert len %d", ca_cert_len);
+        /* Set domain certificate pointer and length */
+        if (thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr) {
+            ns_dyn_mem_free(thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr);
+        }
+        thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr = ns_dyn_mem_alloc(ca_cert_len);
+        if (!thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr) {
+            return -1;
+        }
+        memcpy(thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr, ca_cert_ptr, ca_cert_len);
+        thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_len = ca_cert_len;
+    } else {
+        tr_error("Response parse failed");
+    }
 
     // TODO Verify nonce
 
-    // TODO add certificate template to this message with included Private/Public key pair
     coap_service_request_send(service_id, COAP_REQUEST_OPTIONS_SECURE_BYPASS, source_address, source_port,
                               COAP_MSG_TYPE_CONFIRMABLE, COAP_MSG_CODE_REQUEST_GET, ".well-known/est/csrattrs", COAP_CT_NONE, NULL, 0, thread_joiner_application_csrattrs_response_cb);
 
@@ -422,13 +484,14 @@ int thread_extension_bootstrap_network_certificate_set(protocol_interface_info_e
 
     /* Set domain certificate pointer and length */
     if (domain_certificate_ptr) {
-        thread_info(cur)->extension_credentials_ptr->domain_certificate_ptr = ns_dyn_mem_alloc(domain_certificate_len);
+        thread_info(cur)->extension_credentials_ptr->domain_certificate_ptr = ns_dyn_mem_alloc(domain_certificate_len + thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_len);
         if (!thread_info(cur)->extension_credentials_ptr->domain_certificate_ptr) {
             ns_dyn_mem_free(thread_info(cur)->extension_credentials_ptr);
             return -1;
         }
         memcpy(thread_info(cur)->extension_credentials_ptr->domain_certificate_ptr, domain_certificate_ptr, domain_certificate_len);
-        thread_info(cur)->extension_credentials_ptr->domain_certificate_len = domain_certificate_len;
+        memcpy(thread_info(cur)->extension_credentials_ptr->domain_certificate_ptr + domain_certificate_len, thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_ptr, thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_len);
+        thread_info(cur)->extension_credentials_ptr->domain_certificate_len = domain_certificate_len + thread_info(cur)->extension_credentials_ptr->domain_ca_certificate_len;
     }
 
     return 0;