Merge pull request #98 from PelionIoT/release-4.12.0

mbed-cloud-client 4.12.0

CHANGELOG.md

@@ -1,5 +1,12 @@
 ## Changelog for Pelion Device Management Client
 
+### Release 4.12.0 (01.03.2022)
+
+- [Linux] Security improvement - the update encryption key is stored in the NVM and not in the header.
+- Enable connection to any LwM2M compliant bootstrap and device management services.
+   - Introduce a new `LWM2M_COMPLIANT` flag that enables connection to any LwM2M compliant bootstrap and device management services. Disabled by default.
+   - Introduce a new `DISABLE_SERVER_CERT_VERIFY` flag that disables the server certificate verification during the TLS handshake. Disabled by default.
+
 ### Release 4.11.2 (01.12.2021)
 
 Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is enabled but trace-level is set below INFO. This fixes a regression introduced in 4.11.0 release.

factory-configurator-client/factory-configurator-client/factory-configurator-client/fcc_defs.h

@@ -178,6 +178,10 @@ extern const char g_fcc_class_id_name[];
 
 extern const char g_fcc_vendor_id_name[];
 
+#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
+extern const char g_fcc_mbed_internal_endpoint[];
+extern const char g_fcc_account_id[];
+#endif
 
 #ifdef __cplusplus
 }

factory-configurator-client/factory-configurator-client/source/factory_configurator_client.c

@@ -74,6 +74,11 @@ const char g_fcc_update_authentication_certificate_name[] = "mbed.UpdateAuthCert
 const char g_fcc_class_id_name[] = "mbed.ClassId";
 const char g_fcc_vendor_id_name[] = "mbed.VendorId";
 
+#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
+const char g_fcc_mbed_internal_endpoint[] = "mbed.InternalEndpoint";
+const char g_fcc_account_id[] = "mbed.AccountID";
+#endif
+
 static bool g_is_fcc_initialized = false;
 bool g_is_session_finished = true;
 

factory-configurator-client/factory-configurator-client/source/fcc_dev_flow.c

@@ -53,13 +53,21 @@ extern const char MBED_CLOUD_DEV_HARDWARE_VERSION[];
 //device total memory
 extern const uint32_t MBED_CLOUD_DEV_MEMORY_TOTAL_KB;
 
+#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
+extern const char MBED_CLOUD_DEV_ACCOUNT_ID[];
+#endif
+
 
 fcc_status_e fcc_developer_flow(void)
 {
     kcm_status_e kcm_status = KCM_STATUS_SUCCESS;
     fcc_status_e  fcc_status =  FCC_STATUS_SUCCESS;
     const bool is_factory_item = true;
+#ifdef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
+    static const uint32_t is_bootstrap_mode = 0;
+#else
     static const uint32_t is_bootstrap_mode = 1;
+#endif
     const fcc_deloveper_mode_item_params_s fcc_deloveper_mode_item_params_table[] = {
 
         //param name                                //param kcm type        //param data                                              //param data_size
@@ -68,11 +76,25 @@ fcc_status_e fcc_developer_flow(void)
 #if  !defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) || (defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) && defined(MBED_CONF_MBED_CLOUD_CLIENT_CLEAN_CREDENTIALS_SE))
         { g_fcc_endpoint_parameter_name,               KCM_CONFIG_ITEM,      (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME,   (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME) },
         //Bootstrap configuration
+#ifndef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
         { g_fcc_bootstrap_device_certificate_name,     KCM_CERTIFICATE_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE,             MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE },
         { g_fcc_bootstrap_device_private_key_name,     KCM_PRIVATE_KEY_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY,             MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE },
-#endif        
+#else
+        { g_fcc_lwm2m_device_certificate_name,         KCM_CERTIFICATE_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE,             MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE },
+        { g_fcc_lwm2m_device_private_key_name,         KCM_PRIVATE_KEY_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY,             MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE },
+        { g_fcc_mbed_internal_endpoint,                KCM_CONFIG_ITEM,      (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME,   (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME) },
+        // The account id is not really needed, but the MCC requires it.
+        { g_fcc_account_id,                            KCM_CONFIG_ITEM,      (const uint8_t*)MBED_CLOUD_DEV_ACCOUNT_ID,                (uint32_t)strlen((char*)MBED_CLOUD_DEV_ACCOUNT_ID) },
+#endif //MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
+#endif //!defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) || (defined(MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT) && defined(MBED_CONF_MBED_CLOUD_CLIENT_CLEAN_CREDENTIALS_SE))
+
+#ifndef MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
         { g_fcc_bootstrap_server_ca_certificate_name,  KCM_CERTIFICATE_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE,     MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE_SIZE },
         { g_fcc_bootstrap_server_uri_name,             KCM_CONFIG_ITEM,       (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI,     (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI) },
+#else
+        { g_fcc_lwm2m_server_ca_certificate_name,      KCM_CERTIFICATE_ITEM,  MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE,     MBED_CLOUD_DEV_BOOTSTRAP_SERVER_ROOT_CA_CERTIFICATE_SIZE },
+        { g_fcc_lwm2m_server_uri_name,                 KCM_CONFIG_ITEM,       (const uint8_t*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI,     (uint32_t)strlen((char*)MBED_CLOUD_DEV_BOOTSTRAP_SERVER_URI) },
+#endif //MBED_CONF_MBED_CLIENT_DISABLE_BOOTSTRAP_FEATURE
         //device meta data
         { g_fcc_manufacturer_parameter_name,           KCM_CONFIG_ITEM,      (const uint8_t*)MBED_CLOUD_DEV_MANUFACTURER,              (uint32_t)strlen((char*)MBED_CLOUD_DEV_MANUFACTURER) },
         { g_fcc_model_number_parameter_name,           KCM_CONFIG_ITEM,      (const uint8_t*)MBED_CLOUD_DEV_MODEL_NUMBER,              (uint32_t)strlen((char*)MBED_CLOUD_DEV_MODEL_NUMBER) },
@@ -112,9 +134,10 @@ fcc_status_e fcc_developer_flow(void)
         SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), fcc_convert_kcm_to_fcc_status(kcm_status), "Store status: %d, Failed to store %s", kcm_status, mandatory_items_iter->item_name);
     }
 
+#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
     fcc_status = fcc_trust_ca_cert_id_set();
     SA_PV_ERR_RECOVERABLE_RETURN_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status, "Failed to set ca certificate identifier");
-
+#endif
     SA_PV_LOG_INFO_FUNC_EXIT_NO_ARGS();
 
     return fcc_status;

factory-configurator-client/factory-configurator-client/source/fcc_verification.c

@@ -143,6 +143,7 @@ static fcc_status_e fcc_check_uri_contents(bool use_bootstrap, uint8_t* uri_data
         SA_PV_ERR_RECOVERABLE_GOTO_IF(true, fcc_status = FCC_STATUS_URI_WRONG_FORMAT, exit, "Wrong uri prefix");
     }
 
+#ifndef LWM2M_COMPLIANT // Account ID is a Pelion thing
     // Check if uri_string contains uri_aid (indicate the uri contains AccountId)
     if ((strstr(uri_string, URI_AID_PREFIX1) != NULL) || (strstr(uri_string, URI_AID_PREFIX2) != NULL)) {
         has_uri_aid = true;
@@ -154,6 +155,7 @@ static fcc_status_e fcc_check_uri_contents(bool use_bootstrap, uint8_t* uri_data
     } else {
         SA_PV_ERR_RECOVERABLE_GOTO_IF(has_uri_aid == false, fcc_status = FCC_STATUS_URI_WRONG_FORMAT, exit, "Wrong uri data");
     }
+#endif
 
 exit:
     fcc_free(uri_string);
@@ -546,6 +548,7 @@ static fcc_status_e verify_root_ca_certificate(bool use_bootstrap)
     fcc_status = verify_existence_and_set_warning(secondary_ca_cert_name, secondary_ca_cert_name_len, KCM_CERTIFICATE_ITEM, false);
     SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, store_error_and_exit, "Failed in verify_existence_and_set_warning");
 
+#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
     if (use_bootstrap == true) {
         fcc_status = fcc_get_certificate_attribute_by_name((const uint8_t*)root_ca_cert_name,
                      root_ca_cert_name_len,
@@ -570,6 +573,7 @@ static fcc_status_e verify_root_ca_certificate(bool use_bootstrap)
         }
         fcc_status = FCC_STATUS_SUCCESS;
     }
+#endif //#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
 
     //TBD : check of mbed crypto scheme IOTPREQ-1417
 store_error_and_exit:
@@ -709,11 +713,13 @@ static fcc_status_e verify_device_certificate_and_private_key(bool use_bootstrap
     fcc_status = compare_cn_with_endpoint(x509_cert_handle);
     SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, close_chain, "Failed to compare_cn_with_endpoint");
 
+#ifndef LWM2M_COMPLIANT // Account ID is Pelion specific
     //In case LWM2M certificate check it's OU attribute with aid of server link
     if (strcmp((const char*)exist_item_name, g_fcc_lwm2m_device_certificate_name) == 0) {
         fcc_status = compare_ou_with_aid_server(x509_cert_handle);
         SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), fcc_status = fcc_status, close_chain, "Failed to compare_ou_with_aid_server");
     }
+#endif
 
     //Check that device certificate not self-signed
     kcm_status = cs_is_self_signed_x509_cert(x509_cert_handle, &is_self_signed);

factory-configurator-client/fcc-bundle-handler/source/fcc_bundle_handler.c

@@ -470,9 +470,10 @@ fcc_status_e fcc_bundle_handler(const uint8_t *encoded_blob, size_t encoded_blob
         // in SOTP, if in the future more error conditions will be attached to FCC_STATUS_CA_ERROR error code
         // then the logic here MUST be change.
         // Only if this is the last message - set the certificate ID
+#if defined (PAL_USE_SECURE_TIME) && (PAL_USE_SECURE_TIME == 1)
         fcc_status = fcc_trust_ca_cert_id_set();
         SA_PV_ERR_RECOVERABLE_GOTO_IF(((fcc_status != FCC_STATUS_SUCCESS) && (fcc_status != FCC_STATUS_CA_ERROR)), (fcc_status = fcc_status), exit_and_response, "CA store error %u", fcc_status);
-
+#endif
     }
 
     if (fcc_verify_status == true) {

fota/fota.c

@@ -1589,7 +1589,7 @@ static int prepare_and_program_header(void)
 
 #if (MBED_CLOUD_CLIENT_FOTA_ENCRYPTION_SUPPORT == 1)
     header_info.flags |= FOTA_HEADER_ENCRYPTED_FLAG;
-#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION == FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY)
+#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION == FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY) && !defined(TARGET_LIKE_LINUX)
     // encrypt fw_key buffer using device key and store it in the header
     uint8_t fw_key[FOTA_ENCRYPT_KEY_SIZE];
     ret = fota_nvm_fw_encryption_key_get(fw_key);

fota/fota_candidate.c

@@ -269,7 +269,8 @@ static int fota_candidate_extract_start(bool force_encrypt, const char *expected
             uint8_t zero_key[FOTA_ENCRYPT_KEY_SIZE] = {0};
             size_t volatile loop_check;
 
-#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION != FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY)
+#if (MBED_CLOUD_CLIENT_FOTA_KEY_ENCRYPTION != FOTA_USE_ENCRYPTED_ONE_TIME_FW_KEY) || \
+    defined(TARGET_LIKE_LINUX)
             ret = fota_nvm_fw_encryption_key_get(fw_key);
 #else
             ret = fota_decrypt_fw_key(fw_key,