est_client.c
Go to the documentation of this file.
1 /**
2  * @file est_client.c
3  * @brief EST client
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2024-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneEST Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * EST is a protocol used to determine the current status of a digital
30  * certificate without requiring CRLs. Refer to the following RFCs for
31  * complete details:
32  * - RFC 6960: X.509 Internet Public Key Infrastructure EST
33  * - RFC 8954: Online Certificate Status Protocol (EST) Nonce Extension
34  *
35  * @author Oryx Embedded SARL (www.oryx-embedded.com)
36  * @version 2.5.4
37  **/
38 
39 //Switch to the appropriate trace level
40 #define TRACE_LEVEL EST_TRACE_LEVEL
41 
42 //Dependencies
43 #include "est/est_client.h"
44 #include "est/est_client_operations.h"
45 #include "est/est_client_misc.h"
46 #include "pkix/pem_import.h"
47 #include "pkix/pem_key_import.h"
48 #include "pkix/pem_export.h"
49 #include "encoding/asn1.h"
50 #include "debug.h"
51 
52 //Check crypto library configuration
53 #if (EST_CLIENT_SUPPORT == ENABLED)
54 
55 
56 /**
57  * @brief EST client initialization
58  * @param[in] context Pointer to the EST client context
59  * @return Error code
60  **/
61 
62 error_t estClientInit(EstClientContext *context)
63 {
64  error_t error;
65 
66  //Make sure the EST client context is valid
67  if(context == NULL)
68  return ERROR_INVALID_PARAMETER;
69 
70  //Debug message
71  TRACE_INFO("Initializing EST client...\r\n");
72 
73  //Initialize context
74  osMemset(context, 0, sizeof(EstClientContext));
75 
76  //Initialize HTTP client context
77  error = httpClientInit(&context->httpClientContext);
78  //Any error to report?
79  if(error)
80  return error;
81 
82  //Initialize EST client state
83  context->state = EST_CLIENT_STATE_DISCONNECTED;
84 
85  //Default timeout
86  context->timeout = EST_CLIENT_DEFAULT_TIMEOUT;
87 
88  //The EST server must support the use of the path-prefix of "/.well-known/"
89  //and the registered name of "est" (refer to RFC 7030, section 3.2.2)
90  osStrcpy(context->pathPrefix, "/.well-known/est/");
91 
92  //Clients should support the Basic and Digest authentication mechanism
93  //(refer to RFC 7030, section 3.2.3)
94  context->allowedAuthModes = HTTP_AUTH_MODE_BASIC |
95  HTTP_AUTH_MODE_DIGEST;
96 
97  //Successful initialization
98  return NO_ERROR;
99 }
100 
101 
102 /**
103  * @brief Register TLS initialization callback function
104  * @param[in] context Pointer to the EST client context
105  * @param[in] callback TLS initialization callback function
106  * @return Error code
107  **/
108 
109 error_t estClientRegisterTlsInitCallback(EstClientContext *context,
110  EstClientTlsInitCallback callback)
111 {
112  //Make sure the EST client context is valid
113  if(context == NULL)
114  return ERROR_INVALID_PARAMETER;
115 
116  //Save callback function
117  context->tlsInitCallback = callback;
118 
119  //Successful processing
120  return NO_ERROR;
121 }
122 
123 
124 /**
125  * @brief Register CSR generation callback function
126  * @param[in] context Pointer to the EST client context
127  * @param[in] callback CSR generation callback function
128  * @return Error code
129  **/
130 
131 error_t estClientRegisterCsrGenCallback(EstClientContext *context,
132  EstClientCsrGenCallback callback)
133 {
134  //Make sure the EST client context is valid
135  if(context == NULL)
136  return ERROR_INVALID_PARAMETER;
137 
138  //Save callback function
139  context->csrGenCallback = callback;
140 
141  //Successful processing
142  return NO_ERROR;
143 }
144 
145 
146 /**
147  * @brief Set the pseudo-random number generator to be used
148  * @param[in] context Pointer to the EST client context
149  * @param[in] prngAlgo PRNG algorithm
150  * @param[in] prngContext Pointer to the PRNG context
151  * @return Error code
152  **/
153 
154 error_t estClientSetPrng(EstClientContext *context, const PrngAlgo *prngAlgo,
155  void *prngContext)
156 {
157  //Check parameters
158  if(context == NULL || prngAlgo == NULL || prngContext == NULL)
159  return ERROR_INVALID_PARAMETER;
160 
161  //PRNG algorithm that will be used to generate nonces
162  context->prngAlgo = prngAlgo;
163  //PRNG context
164  context->prngContext = prngContext;
165 
166  //Successful processing
167  return NO_ERROR;
168 }
169 
170 
171 /**
172  * @brief Set communication timeout
173  * @param[in] context Pointer to the EST client context
174  * @param[in] timeout Timeout value, in milliseconds
175  * @return Error code
176  **/
177 
178 error_t estClientSetTimeout(EstClientContext *context, systime_t timeout)
179 {
180  //Make sure the EST client context is valid
181  if(context == NULL)
182  return ERROR_INVALID_PARAMETER;
183 
184  //Save timeout value
185  context->timeout = timeout;
186 
187  //Successful processing
188  return NO_ERROR;
189 }
190 
191 
192 /**
193  * @brief Set the domain name of the EST server
194  * @param[in] context Pointer to the EST client context
195  * @param[in] host NULL-terminated string containing the host name
196  * @return Error code
197  **/
198 
199 error_t estClientSetHost(EstClientContext *context, const char_t *host)
200 {
201  //Check parameters
202  if(context == NULL || host == NULL)
203  return ERROR_INVALID_PARAMETER;
204 
205  //Make sure the length of the host name is acceptable
206  if(osStrlen(host) > EST_CLIENT_MAX_HOST_LEN)
207  return ERROR_INVALID_LENGTH;
208 
209  //Save host name
210  osStrcpy(context->serverName, host);
211 
212  //Successful processing
213  return NO_ERROR;
214 }
215 
216 
217 /**
218  * @brief Set path prefix
219  * @param[in] context Pointer to the EST client context
220  * @param[in] uri NULL-terminated string that contains the path prefix
221  * @return Error code
222  **/
223 
224 error_t estClientSetPathPrefix(EstClientContext *context,
225  const char_t *pathPrefix)
226 {
227  //Check parameters
228  if(context == NULL || pathPrefix == NULL)
229  return ERROR_INVALID_PARAMETER;
230 
231  //Make sure the length of the path prefix is acceptable
232  if(osStrlen(pathPrefix) > EST_CLIENT_MAX_URI_LEN)
233  return ERROR_INVALID_LENGTH;
234 
235  //Save the path prefix
236  osStrcpy(context->pathPrefix, pathPrefix);
237 
238  //Successful processing
239  return NO_ERROR;
240 }
241 
242 
243 /**
244  * @brief Set allowed HTTP authentication modes
245  * @param[in] context Pointer to the EST client context
246  * @param[in] allowedAuthModes Logic OR of allowed HTTP authentication schemes
247  * @return Error code
248  **/
249 
250 error_t estClientSetAllowedAuthModes(EstClientContext *context,
251  uint_t allowedAuthModes)
252 {
253  //Make sure the EST client context is valid
254  if(context == NULL)
255  return ERROR_INVALID_PARAMETER;
256 
257  //Save allowed HTTP authentication modes
258  context->allowedAuthModes = allowedAuthModes;
259 
260  //Successful processing
261  return NO_ERROR;
262 }
263 
264 
265 /**
266  * @brief Set authentication information
267  * @param[in] context Pointer to the EST client context
268  * @param[in] username NULL-terminated string containing the user name to be used
269  * @param[in] password NULL-terminated string containing the password to be used
270  * @return Error code
271  **/
272 
273 error_t estClientSetAuthInfo(EstClientContext *context, const char_t *username,
274  const char_t *password)
275 {
276  //The EST client can use an out-of-band distributed username/password to
277  //authenticate itself to the EST server
278  return httpClientSetAuthInfo(&context->httpClientContext, username,
279  password);
280 }
281 
282 
283 /**
284  * @brief Bind the EST client to a particular network interface
285  * @param[in] context Pointer to the EST client context
286  * @param[in] interface Network interface to be used
287  * @return Error code
288  **/
289 
290 error_t estClientBindToInterface(EstClientContext *context,
291  NetInterface *interface)
292 {
293  //Make sure the EST client context is valid
294  if(context == NULL)
295  return ERROR_INVALID_PARAMETER;
296 
297  //Explicitly associate the EST client with the specified interface
298  context->interface = interface;
299 
300  //Successful processing
301  return NO_ERROR;
302 }
303 
304 
305 /**
306  * @brief Specify the address of the EST server
307  * @param[in] context Pointer to the EST client context
308  * @param[in] serverIpAddr IP address of the EST server to connect to
309  * @param[in] serverPort UDP port number
310  * @return Error code
311  **/
312 
313 error_t estClientConnect(EstClientContext *context,
314  const IpAddr *serverIpAddr, uint16_t serverPort)
315 {
316  error_t error;
317 
318  //Make sure the EST client context is valid
319  if(context == NULL)
320  return ERROR_INVALID_PARAMETER;
321 
322  //Initialize status code
323  error = NO_ERROR;
324 
325  //Establish connection with the HTTP server
326  while(!error)
327  {
328  //Check EST client state
329  if(context->state == EST_CLIENT_STATE_DISCONNECTED)
330  {
331  //Save the TCP port number to be used
332  context->serverPort = serverPort;
333 
334  //HTTPS must be used (refer to RFC 7030, section 3.3)
335  if(context->tlsInitCallback != NULL)
336  {
337  //Register TLS initialization callback
338  error = httpClientRegisterTlsInitCallback(&context->httpClientContext,
339  estClientInitTlsContext, context);
340  }
341  else
342  {
343  //Report an error
344  error = ERROR_INVALID_PARAMETER;
345  }
346 
347  //Check status code
348  if(!error)
349  {
350  //Select HTTP protocol version
351  error = httpClientSetVersion(&context->httpClientContext,
352  HTTP_VERSION_1_1);
353  }
354 
355  //Check status code
356  if(!error)
357  {
358  //Set timeout value for blocking operations
359  error = httpClientSetTimeout(&context->httpClientContext,
360  context->timeout);
361  }
362 
363  //Check status code
364  if(!error)
365  {
366  //Bind the HTTP client to the relevant network interface
367  error = httpClientBindToInterface(&context->httpClientContext,
368  context->interface);
369  }
370 
371  //Check status code
372  if(!error)
373  {
374  //Establish HTTP connection
375  context->state = EST_CLIENT_STATE_CONNECTING;
376  }
377  }
378  else if(context->state == EST_CLIENT_STATE_CONNECTING)
379  {
380  //Establish HTTP connection
381  error = httpClientConnect(&context->httpClientContext, serverIpAddr,
382  serverPort);
383 
384  //Check status code
385  if(error == NO_ERROR)
386  {
387  //The HTTP connection is established
388  context->state = EST_CLIENT_STATE_CONNECTED;
389  }
390  }
391  else if(context->state == EST_CLIENT_STATE_CONNECTED)
392  {
393  //The client is connected to the EST server
394  break;
395  }
396  else
397  {
398  //Invalid state
399  error = ERROR_WRONG_STATE;
400  }
401  }
402 
403  //Failed to establish connection with the EST server?
404  if(error != NO_ERROR && error != ERROR_WOULD_BLOCK)
405  {
406  //Clean up side effects
407  httpClientClose(&context->httpClientContext);
408  //Update EST client state
409  context->state = EST_CLIENT_STATE_DISCONNECTED;
410  }
411 
412  //Return status code
413  return error;
414 }
415 
416 
417 /**
418  * @brief Load public/private key pair
419  * @param[in] context Pointer to the EST client context
420  * @param[in] publicKey Public key (PEM format)
421  * @param[in] publicKeyLen Length of the public key
422  * @param[in] privateKey Private key (PEM format)
423  * @param[in] privateKeyLen Length of the private key
424  * @param[in] password NULL-terminated string containing the password. This
425  * parameter is required if the private key is encrypted
426  * @return Error code
427  **/
428 
429 error_t estClientLoadKeyPair(EstClientContext *context,
430  const char_t *publicKey, size_t publicKeyLen, const char_t *privateKey,
431  size_t privateKeyLen, const char_t *password)
432 {
433  error_t error;
434  X509KeyType type;
435 
436  //Check parameters
437  if(context == NULL || publicKey == NULL || publicKeyLen == 0 ||
438  privateKey == NULL || privateKeyLen == 0)
439  {
440  return ERROR_INVALID_PARAMETER;
441  }
442 
443  //Release the current key pair, if any
444  estClientUnloadKeyPair(context);
445 
446  //Extract the type of the public key
447  type = pemGetPublicKeyType(publicKey, publicKeyLen);
448 
449 #if (EST_CLIENT_RSA_SUPPORT == ENABLED)
450  //RSA public key?
451  if(type == X509_KEY_TYPE_RSA)
452  {
453  //Save public key type
454  context->keyType = X509_KEY_TYPE_RSA;
455 
456  //Initialize RSA public and private keys
457  rsaInitPublicKey(&context->rsaPublicKey);
458  rsaInitPrivateKey(&context->rsaPrivateKey);
459 
460  //Decode the PEM file that contains the RSA public key
461  error = pemImportRsaPublicKey(&context->rsaPublicKey, publicKey,
462  publicKeyLen);
463 
464  //Check status code
465  if(!error)
466  {
467  //Decode the PEM file that contains the RSA private key
468  error = pemImportRsaPrivateKey(&context->rsaPrivateKey, privateKey,
469  privateKeyLen, password);
470  }
471  }
472  else
473 #endif
474 #if (EST_CLIENT_ECDSA_SUPPORT == ENABLED)
475  //EC public key?
476  if(type == X509_KEY_TYPE_EC)
477  {
478  //Save public key type
479  context->keyType = X509_KEY_TYPE_EC;
480 
481  //Initialize EC public and private keys
482  ecInitPublicKey(&context->ecPublicKey);
483  ecInitPrivateKey(&context->ecPrivateKey);
484 
485  //Decode the PEM file that contains the EC public key
486  error = pemImportEcPublicKey(&context->ecPublicKey, publicKey,
487  publicKeyLen);
488 
489  //Check status code
490  if(!error)
491  {
492  //Decode the PEM file that contains the EC private key
493  error = pemImportEcPrivateKey(&context->ecPrivateKey, privateKey,
494  privateKeyLen, password);
495  }
496  }
497  else
498 #endif
499  //Invalid public key?
500  {
501  //The supplied public key is not valid
502  error = ERROR_INVALID_KEY;
503  }
504 
505  //Any error to report?
506  if(error)
507  {
508  //Clean up side effects
509  estClientUnloadKeyPair(context);
510  }
511 
512  //Return status code
513  return error;
514 }
515 
516 
517 /**
518  * @brief Unload public/private key pair
519  * @param[in] context Pointer to the EST client context
520  **/
521 
522 void estClientUnloadKeyPair(EstClientContext *context)
523 {
524  //Make sure the EST client context is valid
525  if(context != NULL)
526  {
527 #if (EST_CLIENT_RSA_SUPPORT == ENABLED)
528  //RSA key pair?
529  if(context->keyType == X509_KEY_TYPE_RSA)
530  {
531  //Release RSA public and private keys
532  rsaFreePublicKey(&context->rsaPublicKey);
533  rsaFreePrivateKey(&context->rsaPrivateKey);
534  }
535  else
536 #endif
537 #if (EST_CLIENT_ECDSA_SUPPORT == ENABLED)
538  //EC key pair?
539  if(context->keyType == X509_KEY_TYPE_EC)
540  {
541  //Release EC public and private keys
542  ecFreePublicKey(&context->ecPublicKey);
543  ecFreePrivateKey(&context->ecPrivateKey);
544  }
545  else
546 #endif
547  //Invalid key pair?
548  {
549  //Just for sanity
550  }
551  }
552 }
553 
554 
555 /**
556  * @brief Load client's certificate
557  * @param[in] context Pointer to the EST client context
558  * @param[out] input Pointer to the PEM-encoded certificate
559  * @param[out] length Length of the PEM-encoded certificate
560  * @return Error code
561  **/
562 
563 error_t estClientLoadCert(EstClientContext *context,
564  const char_t *input, size_t length)
565 {
566  error_t error;
567  size_t n;
568 
569  //Initialize status code
570  error = NO_ERROR;
571 
572  //Make sure the EST client context is valid
573  if(context != NULL)
574  {
575  //Valid certificate?
576  if(input != NULL && length > 0)
577  {
578  //The first pass calculates the length of the DER-encoded certificate
579  error = pemImportCertificate(input, length, NULL, &n, NULL);
580 
581  //Check status code
582  if(!error)
583  {
584  //Check the length of the certificate
585  if(n <= EST_CLIENT_MAX_CERT_LEN)
586  {
587  //The second pass decodes the PEM certificate
588  error = pemImportCertificate(input, length, context->cert,
589  &context->certLen, NULL);
590  }
591  else
592  {
593  //Report an error
594  error = ERROR_INVALID_LENGTH;
595  }
596  }
597  }
598  else
599  {
600  //Clear certificate
601  context->certLen = 0;
602  }
603  }
604  else
605  {
606  //Report an error
607  error = ERROR_INVALID_PARAMETER;
608  }
609 
610  //Return status code
611  return error;
612 }
613 
614 
615 /**
616  * @brief Store client's certificate
617  * @param[in] context Pointer to the EST client context
618  * @param[out] output Pointer to the buffer where to store the PEM-encoded
619  * certificate (optional parameter)
620  * @param[out] written Length of the resulting PEM string
621  * @return Error code
622  **/
623 
624 error_t estClientStoreCert(EstClientContext *context,
625  char_t *output, size_t *written)
626 {
627  error_t error;
628 
629  //Check parameters
630  if(context == NULL || written == NULL)
631  return ERROR_INVALID_PARAMETER;
632 
633  //Valid certificate?
634  if(context->certLen > 0)
635  {
636  //Export the certificate to PEM format
637  error = pemExportCertificate(context->cert, context->certLen, output,
638  written);
639  }
640  else
641  {
642  //Report an error
643  error = ERROR_NO_CERTIFICATE;
644  }
645 
646  //Return status code
647  return error;
648 }
649 
650 
651 /**
652  * @brief Load implicit TA database
653  * @param[in] context Pointer to the EST client context
654  * @param[out] input Pointer to the PEM-encoded CA certificates
655  * @param[out] length Length of the PEM-encoded CA certificates
656  * @return Error code
657  **/
658 
659 error_t estClientLoadCaCerts(EstClientContext *context,
660  const char_t *input, size_t length)
661 {
662  error_t error;
663 
664  //Initialize status code
665  error = NO_ERROR;
666 
667  //Make sure the EST client context is valid
668  if(context != NULL)
669  {
670  //Valid CA certificates?
671  if(input != NULL && length > 0)
672  {
673  //Check the length of the CA certificate
674  if(length <= EST_CLIENT_MAX_CA_CERTS_LEN)
675  {
676  //Copy the CA certificates
677  osMemcpy(context->caCerts, input, length);
678  context->caCertsLen = length;
679 
680  //The client must maintain a distinction between the use of explicit
681  //and implicit TA databases during authentication in order to
682  //support proper authorization (refer to RFC 7030, section 3.3.1)
683  context->useExplicitTa = FALSE;
684  }
685  else
686  {
687  //Report an error
688  error = ERROR_INVALID_LENGTH;
689  }
690  }
691  else
692  {
693  //Clear CA certificates
694  context->caCertsLen = 0;
695  }
696  }
697  else
698  {
699  //Report an error
700  error = ERROR_INVALID_PARAMETER;
701  }
702 
703  //Return status code
704  return error;
705 }
706 
707 
708 /**
709  * @brief Store CA certificates
710  * @param[in] context Pointer to the EST client context
711  * @param[out] output Pointer to the buffer where to store the PEM-encoded
712  * CA certificates (optional parameter)
713  * @param[out] written Length of the resulting PEM string
714  * @return Error code
715  **/
716 
717 error_t estClientStoreCaCerts(EstClientContext *context,
718  char_t *output, size_t *written)
719 {
720  error_t error;
721 
722  //Check parameters
723  if(context == NULL || written == NULL)
724  return ERROR_INVALID_PARAMETER;
725 
726  //Initialize status code
727  error = NO_ERROR;
728 
729  //Valid CA certificates?
730  if(context->caCertsLen > 0)
731  {
732  //If the output parameter is NULL, then the function calculates the
733  //length of the CA certificates without copying any data
734  if(output != NULL)
735  {
736  //Copy the CA certificates
737  osMemcpy(output, context->caCerts, context->caCertsLen);
738  //Properly terminate the string with a NULL character
739  output[context->caCertsLen] = '\0';
740  }
741 
742  //Return the length of the PEM string (excluding the terminating NULL)
743  *written = context->caCertsLen;
744  }
745  else
746  {
747  //Report an error
748  error = ERROR_NO_CERTIFICATE;
749  }
750 
751  //Return status code
752  return error;
753 }
754 
755 
756 /**
757  * @brief Get CA certificates
758  * @param[in] context Pointer to the EST client context
759  * @return Error code
760  **/
761 
762 error_t estClientGetCaCerts(EstClientContext *context)
763 {
764  error_t error;
765 
766  //Make sure the EST client context is valid
767  if(context == NULL)
768  return ERROR_INVALID_PARAMETER;
769 
770  //Initialize variables
771  error = NO_ERROR;
772 
773  //Execute the sequence of HTTP requests
774  while(!error)
775  {
776  //Check EST client state
777  if(context->state == EST_CLIENT_STATE_CONNECTED)
778  {
779  //Update EST client state
780  context->state = EST_CLIENT_STATE_GET_CA;
781  }
782  else if(context->state == EST_CLIENT_STATE_GET_CA)
783  {
784  //Perform "cacerts" operation
785  error = estClientSendCaCerts(context);
786 
787  //Check status code
788  if(!error)
789  {
790  //Update EST client state
791  context->state = EST_CLIENT_STATE_CONNECTED;
792  break;
793  }
794  }
795  else
796  {
797  //Invalid state
798  error = ERROR_WRONG_STATE;
799  }
800  }
801 
802  //Check status code
803  if(error == ERROR_UNEXPECTED_STATUS || error == ERROR_INVALID_RESPONSE ||
804  error == ERROR_RESPONSE_TOO_LARGE)
805  {
806  //Revert to default state
807  context->state = EST_CLIENT_STATE_CONNECTED;
808  }
809 
810  //Return status code
811  return error;
812 }
813 
814 
815 /**
816  * @brief Certificate enrollment
817  * @param[in] context Pointer to the EST client context
818  * @return Error code
819  **/
820 
821 error_t estClientEnroll(EstClientContext *context)
822 {
823  error_t error;
824 
825  //Make sure the EST client context is valid
826  if(context == NULL)
827  return ERROR_INVALID_PARAMETER;
828 
829  //Initialize variables
830  error = NO_ERROR;
831 
832  //Execute the sequence of HTTP requests
833  while(!error)
834  {
835  //Check EST client state
836  if(context->state == EST_CLIENT_STATE_CONNECTED)
837  {
838  //Update EST client state
839  context->state = EST_CLIENT_STATE_GET_CA;
840  }
841  else if(context->state == EST_CLIENT_STATE_GET_CA)
842  {
843  //It is recommended that a client obtain the current CA certificates,
844  //as described in Section 4.1, before performing certificate request
845  //functions (refer to RFC 7030, section 4.2)
846  error = estClientSendCaCerts(context);
847 
848  //Check status code
849  if(!error)
850  {
851  //Update EST client state
852  context->state = EST_CLIENT_STATE_CSR_GEN;
853  }
854  }
855  else if(context->state == EST_CLIENT_STATE_CSR_GEN)
856  {
857  //Generate PKCS #10 certificate request
858  error = estClientGenerateCsr(context);
859 
860  //Check status code
861  if(!error)
862  {
863  //Update EST client state
864  context->state = EST_CLIENT_STATE_ENROLL;
865  }
866  }
867  else if(context->state == EST_CLIENT_STATE_ENROLL)
868  {
869  //Perform "simpleenroll" operation
870  error = estClientSendSimpleEnroll(context);
871 
872  //Check status code
873  if(!error)
874  {
875  //Update EST client state
876  context->state = EST_CLIENT_STATE_CONNECTED;
877  break;
878  }
879  }
880  else
881  {
882  //Invalid state
883  error = ERROR_WRONG_STATE;
884  }
885  }
886 
887  //Check status code
888  if(error == ERROR_UNEXPECTED_STATUS || error == ERROR_INVALID_RESPONSE ||
889  error == ERROR_RESPONSE_TOO_LARGE || error == ERROR_REQUEST_REJECTED)
890  {
891  //Revert to default state
892  context->state = EST_CLIENT_STATE_CONNECTED;
893  }
894  else
895  {
896  //Just for sanity
897  }
898 
899  //Return status code
900  return error;
901 }
902 
903 
904 /**
905  * @brief Certificate re-enrollment
906  * @param[in] context Pointer to the EST client context
907  * @return Error code
908  **/
909 
910 error_t estClientReEnroll(EstClientContext *context)
911 {
912  error_t error;
913 
914  //Make sure the EST client context is valid
915  if(context == NULL)
916  return ERROR_INVALID_PARAMETER;
917 
918  //Check whether the previously issued certificate is valid
919  if(context->certLen == 0)
920  return ERROR_BAD_CERTIFICATE;
921 
922  //Initialize variables
923  error = NO_ERROR;
924 
925  //Execute the sequence of HTTP requests
926  while(!error)
927  {
928  //Check EST client state
929  if(context->state == EST_CLIENT_STATE_CONNECTED)
930  {
931  //Update EST client state
932  context->state = EST_CLIENT_STATE_GET_CA;
933  }
934  else if(context->state == EST_CLIENT_STATE_GET_CA)
935  {
936  //It is recommended that a client obtain the current CA certificates,
937  //as described in Section 4.1, before performing certificate request
938  //functions (refer to RFC 7030, section 4.2)
939  error = estClientSendCaCerts(context);
940 
941  //Check status code
942  if(!error)
943  {
944  //Update EST client state
945  context->state = EST_CLIENT_STATE_CSR_GEN;
946  }
947  }
948  else if(context->state == EST_CLIENT_STATE_CSR_GEN)
949  {
950  //Generate PKCS #10 certificate request
951  error = estClientGenerateCsr(context);
952 
953  //Check status code
954  if(!error)
955  {
956  //Update EST client state
957  context->state = EST_CLIENT_STATE_REENROLL;
958  }
959  }
960  else if(context->state == EST_CLIENT_STATE_REENROLL)
961  {
962  //Perform "simplereenroll" operation
963  error = estClientSendSimpleReEnroll(context);
964 
965  //Check status code
966  if(!error)
967  {
968  //Update EST client state
969  context->state = EST_CLIENT_STATE_CONNECTED;
970  break;
971  }
972  }
973  else
974  {
975  //Invalid state
976  error = ERROR_WRONG_STATE;
977  }
978  }
979 
980  //Check status code
981  if(error == ERROR_UNEXPECTED_STATUS || error == ERROR_INVALID_RESPONSE ||
982  error == ERROR_RESPONSE_TOO_LARGE || error == ERROR_REQUEST_REJECTED)
983  {
984  //Revert to default state
985  context->state = EST_CLIENT_STATE_CONNECTED;
986  }
987  else
988  {
989  //Just for sanity
990  }
991 
992  //Return status code
993  return error;
994 }
995 
996 
997 /**
998  * @brief Gracefully disconnect from the EST server
999  * @param[in] context Pointer to the EST client context
1000  * @return Error code
1001  **/
1002 
1003 error_t estClientDisconnect(EstClientContext *context)
1004 {
1005  error_t error;
1006 
1007  //Make sure the EST client context is valid
1008  if(context == NULL)
1009  return ERROR_INVALID_PARAMETER;
1010 
1011  //Initialize status code
1012  error = NO_ERROR;
1013 
1014  //Gracefully disconnect from the EST server
1015  while(!error)
1016  {
1017  //Check EST client state
1018  if(context->state == EST_CLIENT_STATE_CONNECTED)
1019  {
1020  //Gracefully shutdown HTTP connection
1021  context->state = EST_CLIENT_STATE_DISCONNECTING;
1022  }
1023  else if(context->state == EST_CLIENT_STATE_DISCONNECTING)
1024  {
1025  //Gracefully shutdown HTTP connection
1026  error = httpClientDisconnect(&context->httpClientContext);
1027 
1028  //Check status code
1029  if(error == NO_ERROR)
1030  {
1031  //Close HTTP connection
1032  httpClientClose(&context->httpClientContext);
1033  //Update EST client state
1034  context->state = EST_CLIENT_STATE_DISCONNECTED;
1035  }
1036  }
1037  else if(context->state == EST_CLIENT_STATE_DISCONNECTED)
1038  {
1039  //The client is disconnected from the EST server
1040  break;
1041  }
1042  else
1043  {
1044  //Invalid state
1045  error = ERROR_WRONG_STATE;
1046  }
1047  }
1048 
1049  //Failed to gracefully disconnect from the EST server?
1050  if(error != NO_ERROR && error != ERROR_WOULD_BLOCK)
1051  {
1052  //Close HTTP connection
1053  httpClientClose(&context->httpClientContext);
1054  //Update EST client state
1055  context->state = EST_CLIENT_STATE_DISCONNECTED;
1056  }
1057 
1058  //Return status code
1059  return error;
1060 }
1061 
1062 
1063 /**
1064  * @brief Close the connection with the EST server
1065  * @param[in] context Pointer to the EST client context
1066  * @return Error code
1067  **/
1068 
1069 error_t estClientClose(EstClientContext *context)
1070 {
1071  //Make sure the EST client context is valid
1072  if(context == NULL)
1073  return ERROR_INVALID_PARAMETER;
1074 
1075  //Close HTTP connection
1076  httpClientClose(&context->httpClientContext);
1077  //Update EST client state
1078  context->state = EST_CLIENT_STATE_DISCONNECTED;
1079 
1080  //Successful processing
1081  return NO_ERROR;
1082 }
1083 
1084 
1085 /**
1086  * @brief Release EST client context
1087  * @param[in] context Pointer to the EST client context
1088  **/
1089 
1090 void estClientDeinit(EstClientContext *context)
1091 {
1092  //Make sure the EST client context is valid
1093  if(context != NULL)
1094  {
1095  //Release HTTP client context
1096  httpClientDeinit(&context->httpClientContext);
1097 
1098  //Release public/private key pair
1099  estClientUnloadKeyPair(context);
1100 
1101  //Clear EST client context
1102  osMemset(context, 0, sizeof(EstClientContext));
1103  }
1104 }
1105 
1106 #endif
EST_CLIENT_MAX_CA_CERTS_LEN
#define EST_CLIENT_MAX_CA_CERTS_LEN
Definition: est_client.h:147
EST_CLIENT_MAX_URI_LEN
#define EST_CLIENT_MAX_URI_LEN
Definition: est_client.h:119
X509_KEY_TYPE_RSA
@ X509_KEY_TYPE_RSA
Definition: x509_common.h:637
httpClientDisconnect
error_t httpClientDisconnect(HttpClientContext *context)
Gracefully disconnect from the HTTP server.
Definition: http_client.c:2202
rsaFreePublicKey
void rsaFreePublicKey(RsaPublicKey *key)
Release an RSA public key.
Definition: rsa.c:113
estClientSetAuthInfo
error_t estClientSetAuthInfo(EstClientContext *context, const char_t *username, const char_t *password)
Set authentication information.
Definition: est_client.c:273
estClientEnroll
error_t estClientEnroll(EstClientContext *context)
Certificate enrollment.
Definition: est_client.c:821
httpClientBindToInterface
error_t httpClientBindToInterface(HttpClientContext *context, NetInterface *interface)
Bind the HTTP client to a particular network interface.
Definition: http_client.c:297
ERROR_WOULD_BLOCK
@ ERROR_WOULD_BLOCK
Definition: error.h:96
IpAddr
IP network address.
Definition: ip.h:90
PrngAlgo
#define PrngAlgo
Definition: crypto.h:1008
EST_CLIENT_STATE_CONNECTED
@ EST_CLIENT_STATE_CONNECTED
Definition: est_client.h:175
EST_CLIENT_STATE_DISCONNECTED
@ EST_CLIENT_STATE_DISCONNECTED
Definition: est_client.h:173
estClientInitTlsContext
error_t estClientInitTlsContext(HttpClientContext *httpClientContext, TlsContext *tlsContext, void *param)
TLS initialization.
Definition: est_client_misc.c:108
est_client.h
EST client.
EST_CLIENT_DEFAULT_TIMEOUT
#define EST_CLIENT_DEFAULT_TIMEOUT
Definition: est_client.h:98
httpClientSetAuthInfo
error_t httpClientSetAuthInfo(HttpClientContext *context, const char_t *username, const char_t *password)
Set authentication information.
Definition: http_client.c:253
pemImportEcPrivateKey
error_t pemImportEcPrivateKey(EcPrivateKey *privateKey, const char_t *input, size_t length, const char_t *password)
Decode a PEM file containing an EC private key.
Definition: pem_key_import.c:749
estClientReEnroll
error_t estClientReEnroll(EstClientContext *context)
Certificate re-enrollment.
Definition: est_client.c:910
estClientLoadCert
error_t estClientLoadCert(EstClientContext *context, const char_t *input, size_t length)
Load client's certificate.
Definition: est_client.c:563
type
uint8_t type
Definition: coap_common.h:176
EST_CLIENT_STATE_REENROLL
@ EST_CLIENT_STATE_REENROLL
Definition: est_client.h:179
pem_key_import.h
PEM key file import functions.
HTTP_AUTH_MODE_BASIC
@ HTTP_AUTH_MODE_BASIC
Definition: http_common.h:74
estClientRegisterTlsInitCallback
error_t estClientRegisterTlsInitCallback(EstClientContext *context, EstClientTlsInitCallback callback)
Register TLS initialization callback function.
Definition: est_client.c:109
osStrlen
#define osStrlen(s)
Definition: os_port.h:168
estClientBindToInterface
error_t estClientBindToInterface(EstClientContext *context, NetInterface *interface)
Bind the EST client to a particular network interface.
Definition: est_client.c:290
estClientSendSimpleReEnroll
error_t estClientSendSimpleReEnroll(EstClientContext *context)
Perform "simplereenroll" operation.
Definition: est_client_operations.c:239
EST_CLIENT_STATE_CSR_GEN
@ EST_CLIENT_STATE_CSR_GEN
Definition: est_client.h:177
estClientSetTimeout
error_t estClientSetTimeout(EstClientContext *context, systime_t timeout)
Set communication timeout.
Definition: est_client.c:178
rsaInitPrivateKey
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize an RSA private key.
Definition: rsa.c:126
EST_CLIENT_MAX_CERT_LEN
#define EST_CLIENT_MAX_CERT_LEN
Definition: est_client.h:140
estClientRegisterCsrGenCallback
error_t estClientRegisterCsrGenCallback(EstClientContext *context, EstClientCsrGenCallback callback)
Register CSR generation callback function.
Definition: est_client.c:131
httpClientSetVersion
error_t httpClientSetVersion(HttpClientContext *context, HttpVersion version)
Set the HTTP protocol version to be used.
Definition: http_client.c:171
estClientUnloadKeyPair
void estClientUnloadKeyPair(EstClientContext *context)
Unload public/private key pair.
Definition: est_client.c:522
ERROR_WRONG_STATE
@ ERROR_WRONG_STATE
Definition: error.h:210
httpClientDeinit
void httpClientDeinit(HttpClientContext *context)
Release HTTP client context.
Definition: http_client.c:2298
estClientLoadKeyPair
error_t estClientLoadKeyPair(EstClientContext *context, const char_t *publicKey, size_t publicKeyLen, const char_t *privateKey, size_t privateKeyLen, const char_t *password)
Load public/private key pair.
Definition: est_client.c:429
EstClientTlsInitCallback
error_t(* EstClientTlsInitCallback)(EstClientContext *context, TlsContext *tlsContext)
TLS initialization callback function.
Definition: est_client.h:207
X509_KEY_TYPE_EC
@ X509_KEY_TYPE_EC
Definition: x509_common.h:640
FALSE
#define FALSE
Definition: os_port.h:46
estClientSetAllowedAuthModes
error_t estClientSetAllowedAuthModes(EstClientContext *context, uint_t allowedAuthModes)
Set allowed HTTP authentication modes.
Definition: est_client.c:250
pemImportCertificate
error_t pemImportCertificate(const char_t *input, size_t inputLen, uint8_t *output, size_t *outputLen, size_t *consumed)
Decode a PEM file containing a certificate.
Definition: pem_import.c:55
pemImportRsaPrivateKey
error_t pemImportRsaPrivateKey(RsaPrivateKey *privateKey, const char_t *input, size_t length, const char_t *password)
Decode a PEM file containing an RSA private key.
Definition: pem_key_import.c:183
estClientConnect
error_t estClientConnect(EstClientContext *context, const IpAddr *serverIpAddr, uint16_t serverPort)
Specify the address of the EST server.
Definition: est_client.c:313
pem_import.h
PEM file import functions.
ERROR_INVALID_PARAMETER
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
ERROR_UNEXPECTED_STATUS
@ ERROR_UNEXPECTED_STATUS
Definition: error.h:284
osMemcpy
#define osMemcpy(dest, src, length)
Definition: os_port.h:144
error_t
error_t
Error codes.
Definition: error.h:43
estClientDisconnect
error_t estClientDisconnect(EstClientContext *context)
Gracefully disconnect from the EST server.
Definition: est_client.c:1003
ecInitPublicKey
void ecInitPublicKey(EcPublicKey *key)
Initialize an EC public key.
Definition: ec.c:52
rsaFreePrivateKey
void rsaFreePrivateKey(RsaPrivateKey *key)
Release an RSA private key.
Definition: rsa.c:148
estClientClose
error_t estClientClose(EstClientContext *context)
Close the connection with the EST server.
Definition: est_client.c:1069
httpClientRegisterTlsInitCallback
error_t httpClientRegisterTlsInitCallback(HttpClientContext *context, HttpClientTlsInitCallback callback, void *param)
Register TLS initialization callback function.
Definition: http_client.c:118
ERROR_RESPONSE_TOO_LARGE
@ ERROR_RESPONSE_TOO_LARGE
Definition: error.h:285
est_client_misc.h
Helper functions for EST client.
pemImportRsaPublicKey
error_t pemImportRsaPublicKey(RsaPublicKey *publicKey, const char_t *input, size_t length)
Decode a PEM file containing an RSA public key.
Definition: pem_key_import.c:56
NetInterface
#define NetInterface
Definition: net.h:36
estClientLoadCaCerts
error_t estClientLoadCaCerts(EstClientContext *context, const char_t *input, size_t length)
Load implicit TA database.
Definition: est_client.c:659
EST_CLIENT_MAX_HOST_LEN
#define EST_CLIENT_MAX_HOST_LEN
Definition: est_client.h:112
httpClientSetTimeout
error_t httpClientSetTimeout(HttpClientContext *context, systime_t timeout)
Set communication timeout.
Definition: http_client.c:196
httpClientClose
error_t httpClientClose(HttpClientContext *context)
Close the connection with the HTTP server.
Definition: http_client.c:2277
ERROR_INVALID_LENGTH
@ ERROR_INVALID_LENGTH
Definition: error.h:111
ERROR_BAD_CERTIFICATE
@ ERROR_BAD_CERTIFICATE
Definition: error.h:236
estClientStoreCert
error_t estClientStoreCert(EstClientContext *context, char_t *output, size_t *written)
Store client's certificate.
Definition: est_client.c:624
ERROR_NO_CERTIFICATE
@ ERROR_NO_CERTIFICATE
Definition: error.h:235
estClientGetCaCerts
error_t estClientGetCaCerts(EstClientContext *context)
Get CA certificates.
Definition: est_client.c:762
TRACE_INFO
#define TRACE_INFO(...)
Definition: debug.h:105
ecFreePrivateKey
void ecFreePrivateKey(EcPrivateKey *key)
Release an EC private key.
Definition: ec.c:100
length
uint8_t length
Definition: tcp.h:375
httpClientInit
error_t httpClientInit(HttpClientContext *context)
Initialize HTTP client context.
Definition: http_client.c:66
estClientGenerateCsr
error_t estClientGenerateCsr(EstClientContext *context)
Generate PKCS #10 certificate request.
Definition: est_client_misc.c:52
EstClientCsrGenCallback
error_t(* EstClientCsrGenCallback)(EstClientContext *context, const char_t *challengePwd, uint8_t *buffer, size_t size, size_t *length)
CSR generation callback function.
Definition: est_client.h:215
pem_export.h
PEM file export functions.
EST_CLIENT_STATE_CONNECTING
@ EST_CLIENT_STATE_CONNECTING
Definition: est_client.h:174
systime_t
uint32_t systime_t
System time.
Definition: os_port_chibios.h:101
char_t
char char_t
Definition: compiler_port.h:55
est_client_operations.h
EST operations.
httpClientConnect
error_t httpClientConnect(HttpClientContext *context, const IpAddr *serverIpAddr, uint16_t serverPort)
Establish a connection with the specified HTTP server.
Definition: http_client.c:320
estClientInit
error_t estClientInit(EstClientContext *context)
EST client initialization.
Definition: est_client.c:62
n
uint8_t n
Definition: dhcpv6_common.h:416
HTTP_VERSION_1_1
@ HTTP_VERSION_1_1
Definition: http_common.h:63
HTTP_AUTH_MODE_DIGEST
@ HTTP_AUTH_MODE_DIGEST
Definition: http_common.h:75
pemExportCertificate
error_t pemExportCertificate(const uint8_t *cert, size_t certLen, char_t *output, size_t *written)
Export an X.509 certificate to PEM format.
Definition: pem_export.c:53
estClientSendCaCerts
error_t estClientSendCaCerts(EstClientContext *context)
Perform "cacerts" operation.
Definition: est_client_operations.c:52
ecInitPrivateKey
void ecInitPrivateKey(EcPrivateKey *key)
Initialize an EC private key.
Definition: ec.c:80
estClientSendSimpleEnroll
error_t estClientSendSimpleEnroll(EstClientContext *context)
Perform "simpleenroll" operation.
Definition: est_client_operations.c:128
pemImportEcPublicKey
error_t pemImportEcPublicKey(EcPublicKey *publicKey, const char_t *input, size_t length)
Decode a PEM file containing an EC public key.
Definition: pem_key_import.c:669
EST_CLIENT_STATE_GET_CA
@ EST_CLIENT_STATE_GET_CA
Definition: est_client.h:176
estClientDeinit
void estClientDeinit(EstClientContext *context)
Release EST client context.
Definition: est_client.c:1090
estClientSetPrng
error_t estClientSetPrng(EstClientContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Set the pseudo-random number generator to be used.
Definition: est_client.c:154
estClientSetPathPrefix
error_t estClientSetPathPrefix(EstClientContext *context, const char_t *pathPrefix)
Set path prefix.
Definition: est_client.c:224
ERROR_REQUEST_REJECTED
@ ERROR_REQUEST_REJECTED
Definition: error.h:273
uint_t
unsigned int uint_t
Definition: compiler_port.h:57
osMemset
#define osMemset(p, value, length)
Definition: os_port.h:138
estClientStoreCaCerts
error_t estClientStoreCaCerts(EstClientContext *context, char_t *output, size_t *written)
Store CA certificates.
Definition: est_client.c:717
estClientSetHost
error_t estClientSetHost(EstClientContext *context, const char_t *host)
Set the domain name of the EST server.
Definition: est_client.c:199
X509KeyType
X509KeyType
Public Key types.
Definition: x509_common.h:635
EST_CLIENT_STATE_DISCONNECTING
@ EST_CLIENT_STATE_DISCONNECTING
Definition: est_client.h:180
EstClientContext
#define EstClientContext
Definition: est_client.h:159
osStrcpy
#define osStrcpy(s1, s2)
Definition: os_port.h:210
ERROR_INVALID_RESPONSE
@ ERROR_INVALID_RESPONSE
Definition: error.h:71
EST_CLIENT_STATE_ENROLL
@ EST_CLIENT_STATE_ENROLL
Definition: est_client.h:178
ERROR_INVALID_KEY
@ ERROR_INVALID_KEY
Definition: error.h:106
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
pemGetPublicKeyType
X509KeyType pemGetPublicKeyType(const char_t *input, size_t length)
Extract the public key type from a PEM file.
Definition: pem_key_import.c:1177
debug.h
Debugging facilities.
rsaInitPublicKey
void rsaInitPublicKey(RsaPublicKey *key)
Initialize an RSA public key.
Definition: rsa.c:100
ecFreePublicKey
void ecFreePublicKey(EcPublicKey *key)
Release an EC public key.
Definition: ec.c:68
asn1.h
ASN.1 (Abstract Syntax Notation One)