net: lib: tls_credentials: Rename TLS_CREDENTIAL_SERVER_CERTIFICATE

The TLS_CREDENTIAL_SERVER_CERTIFICATE credential type is misleading: it
represents the endpoint's own public certificate, regardless of whether
that endpoint acts as a server or a client. It was in fact already used
in-tree for clients as well, for example in LwM2M.

Therefore rename the credential type to a more generic
TLS_CREDENTIAL_PUBLIC_CERTIFICATE and deprecate the old one.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Robert Lubos 2025-03-19 12:45:41 +01:00 committed by Benjamin Cabé
commit a61287e876
19 changed files with 42 additions and 31 deletions


@ -93,7 +93,7 @@ socket options.
The following TLS credential types can be registered in the system:
- ``TLS_CREDENTIAL_CA_CERTIFICATE``
- ``TLS_CREDENTIAL_SERVER_CERTIFICATE``
- ``TLS_CREDENTIAL_PUBLIC_CERTIFICATE``
- ``TLS_CREDENTIAL_PRIVATE_KEY``
- ``TLS_CREDENTIAL_PSK``
- ``TLS_CREDENTIAL_PSK_ID``


@ -176,6 +176,10 @@ Networking
(because the addr is not a pointer) and must be changed to ``if (lladdr->len == 0)``
if the code wants to check that the link address is not set.
* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed to
more generic :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` to better
reflect the purpose of this credential type.
SPI
===


@ -61,6 +61,9 @@ Deprecated APIs and options
renamed and deprecated. Use :kconfig:option:`CONFIG_SCHED_SIMPLE` and
:kconfig:option:`CONFIG_WAITQ_SIMPLE` instead.
* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed and
deprecated, use :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` instead.
===========================
* ``arduino_uno_r4_minima`` and ``arduino_uno_r4_wifi`` board targets have been deprecated in favor


@ -191,7 +191,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
case TLS_CREDENTIAL_CA_CERTIFICATE:
id = 0;
break;
case TLS_CREDENTIAL_SERVER_CERTIFICATE:
case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
id = 1;
break;
case TLS_CREDENTIAL_PRIVATE_KEY:


@ -674,7 +674,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
case TLS_CREDENTIAL_CA_CERTIFICATE:
opt = SL_SO_SECURE_FILES_CA_FILE_NAME;
break;
case TLS_CREDENTIAL_SERVER_CERTIFICATE:
case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
opt = SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME;
break;
case TLS_CREDENTIAL_PRIVATE_KEY:


@ -36,11 +36,15 @@ enum tls_credential_type {
*/
TLS_CREDENTIAL_CA_CERTIFICATE,
/** A public server certificate. Use this to register your own server
/** A public client or server certificate. Use this to register your own
* certificate. Should be registered together with a corresponding
* private key. Used with certificate-based ciphersuites.
*/
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
/** @deprecated Use TLS_CREDENTIAL_PUBLIC_CERTIFICATE instead.
*/
TLS_CREDENTIAL_SERVER_CERTIFICATE = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
/** Private key. Should be registered together with a corresponding
* public certificate. Used with certificate-based ciphersuites.
@ -64,7 +68,7 @@ enum tls_credential_type {
* in the system.
*
* @note Some TLS credentials come in pairs:
* - TLS_CREDENTIAL_SERVER_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
* - TLS_CREDENTIAL_PUBLIC_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
* - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID.
* Such pairs of credentials must be assigned the same secure tag to be
* correctly handled in the system.
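Review bot: The deprecation of TLS_CREDENTIAL_SERVER_CERTIFICATE is expressed only in the Doxygen comment, so existing callers keep building without any warning and nothing nudges them toward the new name before the alias is eventually removed. GCC and Clang accept a deprecation attribute on an enumerator, e.g. `TLS_CREDENTIAL_SERVER_CERTIFICATE __attribute__((deprecated("use TLS_CREDENTIAL_PUBLIC_CERTIFICATE"))) = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,` — if the tree already provides a deprecation macro that applies to enumerators, that should be used instead of the raw attribute. Since the two enumerators compare equal, switch statements elsewhere must only ever list one of them, which this commit does; the note in the release-notes entry could say so explicitly so downstream code does not add both as separate cases. The enum tls_credential_type definition starts before and continues past this hunk.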


@ -450,7 +450,7 @@ void TSSLSocketFactory::loadCertificateFromBuffer(const char *aCertificate, cons
if (strcmp(format, "PEM") == 0) {
const int status = tls_credential_add(Thrift_TLS_SERVER_CERT_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
aCertificate, strlen(aCertificate) + 1);
if (status != 0) {


@ -120,7 +120,7 @@ static void setup_tls(void)
}
#endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE,
err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server_certificate, sizeof(server_certificate));
if (err < 0) {
LOG_ERR("Failed to register public certificate: %d", err);


@ -413,7 +413,7 @@ int main(void)
{
#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
int err = tls_credential_add(SERVER_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server_certificate,
sizeof(server_certificate));
if (err < 0) {


@ -153,7 +153,7 @@ static void init_app(void)
#endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
err = tls_credential_add(SERVER_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server_certificate,
sizeof(server_certificate));
if (err < 0) {


@ -312,7 +312,7 @@ static void setup_tls(void)
int err;
err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server_certificate,
sizeof(server_certificate));
if (err < 0) {


@ -89,7 +89,7 @@ int main(void)
#if defined(CONFIG_UPDATEHUB_DTLS)
if (tls_credential_add(CA_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server_certificate,
sizeof(server_certificate)) < 0) {
LOG_ERR("Failed to register server certificate");
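Review bot: The new line registers `server_certificate` under `CA_CERTIFICATE_TAG` with type TLS_CREDENTIAL_PUBLIC_CERTIFICATE, which per the header comment in this same commit means "your own certificate, registered together with a corresponding private key" — the tag name and the log message suggest this sample instead wants to trust the UpdateHub server's certificate. If that is the intent, the trust anchor should be registered as `TLS_CREDENTIAL_CA_CERTIFICATE` so it is used for peer verification rather than presented as the client's own certificate; if the sample really does mean to present a client certificate, the tag name and message are misleading and a private key must be registered under the same tag. I cannot see whether a private key is added elsewhere in main(), which continues outside this hunk, so this should be confirmed against the rest of the sample; either way the rename makes the mismatch more visible than before.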


@ -922,7 +922,7 @@ static void delete_tls_credentials(sec_tag_t tag)
{
tls_credential_delete(tag, TLS_CREDENTIAL_PSK_ID);
tls_credential_delete(tag, TLS_CREDENTIAL_PSK);
tls_credential_delete(tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
tls_credential_delete(tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
tls_credential_delete(tag, TLS_CREDENTIAL_PRIVATE_KEY);
tls_credential_delete(tag, TLS_CREDENTIAL_CA_CERTIFICATE);
}
@ -1003,7 +1003,7 @@ static int lwm2m_load_x509_credentials(struct lwm2m_ctx *ctx)
delete_tls_credentials(ctx->tls_tag);
ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_SERVER_CERTIFICATE);
ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
if (ret < 0) {
return ret;
}


@ -1078,7 +1078,7 @@ static int tls_set_credential(struct tls_context *tls,
case TLS_CREDENTIAL_CA_CERTIFICATE:
return tls_add_ca_certificate(tls, cred);
case TLS_CREDENTIAL_SERVER_CERTIFICATE:
case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
return tls_add_own_cert(tls, cred);
case TLS_CREDENTIAL_PRIVATE_KEY:
@ -1133,7 +1133,7 @@ static int tls_mbedtls_set_credentials(struct tls_context *tls)
if (cred->type == TLS_CREDENTIAL_CA_CERTIFICATE) {
ca_cert_present = true;
} else if (cred->type == TLS_CREDENTIAL_SERVER_CERTIFICATE) {
} else if (cred->type == TLS_CREDENTIAL_PUBLIC_CERTIFICATE) {
own_cert_present = true;
}
}


@ -40,12 +40,12 @@ static const struct cred_type_string type_strings[] = {
{"CA_CERT", TLS_CREDENTIAL_CA_CERTIFICATE},
{"CA", TLS_CREDENTIAL_CA_CERTIFICATE},
{"SERVER_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"CLIENT_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"SELF_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"SELF", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"CLIENT", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"SERV", TLS_CREDENTIAL_SERVER_CERTIFICATE},
{"SERVER_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"CLIENT_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"SELF_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"SELF", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"CLIENT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"SERV", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
{"PRIVATE_KEY", TLS_CREDENTIAL_PRIVATE_KEY},
{"PK", TLS_CREDENTIAL_PRIVATE_KEY},
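Review bot: The shell's type-string table still only accepts the old server/client/self spellings for the renamed credential type; there is no alias matching the new canonical name, so a user following the updated documentation and typing the new name will get an unknown-type error. Adding `{"PUBLIC_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},` and `{"PUBLIC", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},` next to the existing entries keeps the table consistent with the header and release notes while preserving the old strings for compatibility. The type_strings array continues past the end of this hunk, so check that no conflicting "PUBLIC" entry already exists further down and that any help text listing the accepted names is updated too.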


@ -239,7 +239,7 @@ static void *setup(void)
zassert_equal(ret, 0, "failed to add CA Certificate (%d)", ret);
ret = tls_credential_add(SERVER_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server, sizeof(server));
zassert_equal(ret, 0, "failed to add Server Certificate (%d)", ret);
@ -249,7 +249,7 @@ static void *setup(void)
zassert_equal(ret, 0, "failed to add Server Private Key (%d)", ret);
ret = tls_credential_add(CLIENT_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
client, sizeof(client));
zassert_equal(ret, 0, "failed to add Client Certificate (%d)", ret);


@ -467,7 +467,7 @@ ZTEST(lwm2m_engine, test_security)
zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[1], TLS_PEER_VERIFY);
zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[2], TLS_CIPHERSUITE_LIST);
zassert_true(tls_credential_add_fake.call_count == 3);
zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_SERVER_CERTIFICATE);
zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
zassert_equal(tls_credential_add_fake.arg1_history[1], TLS_CREDENTIAL_PRIVATE_KEY);
zassert_equal(tls_credential_add_fake.arg1_history[2], TLS_CREDENTIAL_CA_CERTIFICATE);
zassert_equal(lwm2m_engine_stop(&ctx), 0);


@ -34,10 +34,10 @@ static void test_credential_add(void)
/* Function should allow to add credentials of different types
* with the same tag
*/
ret = tls_credential_add(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
test_server_cert, sizeof(test_server_cert));
zassert_equal(ret, 0, "Failed to add credential %d %d",
common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PRIVATE_KEY,
test_server_key, sizeof(test_server_key));
@ -87,7 +87,7 @@ static void test_credential_get(void)
/* Try to read with too small buffer */
credlen = sizeof(test_server_cert) - 1;
ret = tls_credential_get(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
ret = tls_credential_get(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
cred, &credlen);
zassert_equal(ret, -EFBIG, "Should have failed with EFBIG");
}
@ -121,7 +121,7 @@ static void test_credential_internal_iterate(void)
cert = temp;
}
zassert_equal(cert->type, TLS_CREDENTIAL_SERVER_CERTIFICATE,
zassert_equal(cert->type, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
"Invalid type for cert");
zassert_equal(cert->tag, common_tag, "Invalid tag for cert");
zassert_equal(cert->len, sizeof(test_server_cert),


@ -449,7 +449,7 @@ static void *setup(void)
zassert_equal(r, 0, "failed to add CA Certificate (%d)", r);
r = tls_credential_add(SERVER_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
server, sizeof(server));
zassert_equal(r, 0, "failed to add Server Certificate (%d)", r);
@ -459,7 +459,7 @@ static void *setup(void)
zassert_equal(r, 0, "failed to add Server Private Key (%d)", r);
r = tls_credential_add(CLIENT_CERTIFICATE_TAG,
TLS_CREDENTIAL_SERVER_CERTIFICATE,
TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
client, sizeof(client));
zassert_equal(r, 0, "failed to add Client Certificate (%d)", r);