net: lwm2m: Add support for X509 certificates

Add support for using X509 certificates. Default settings use ECDSA certificates with SHA256 hash. When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and struct lwm2m_ctx->set_socketoptions() Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
zephyrproject-rtos · Jun 8, 2023 · 12796b5 · 12796b5
1 parent 402d4eb
commit 12796b5
Show file tree

Hide file tree

Showing 8 changed files with 294 additions and 56 deletions.
diff --git a/include/zephyr/net/lwm2m.h b/include/zephyr/net/lwm2m.h
@@ -2239,5 +2239,38 @@ int lwm2m_engine_enable_cache(char const *resource_path, struct lwm2m_time_serie
 int lwm2m_enable_cache(const struct lwm2m_obj_path *path, struct lwm2m_time_series_elem *data_cache,
 		       size_t cache_len);
 
+/**
+ * @brief Security modes as defined in LwM2M Security object.
+ */
+enum lwm2m_security_mode_t {
+	LWM2M_SECURITY_PSK = 0,      /**< Pre-Shared Key mode */
+	LWM2M_SECURITY_RAW_PK = 1,   /**< Raw Public Key mode */
+	LWM2M_SECURITY_CERT = 2,     /**< Certificate mode */
+	LWM2M_SECURITY_NOSEC = 3,    /**< NoSec mode */
+	LWM2M_SECURITY_CERT_EST = 4, /**< Certificate mode with EST */
+};
+
+/**
+ * @brief Read security mode from selected security object instance.
+ *
+ * This data is only valid if RD client is running.
+ *
+ * @param ctx Pointer to client context.
+ * @return int Positive values are @ref lwm2m_security_mode_t, negative error codes otherwise.
+ */
+int lwm2m_security_mode(struct lwm2m_ctx *ctx);
+
+/**
+ * @brief Set default socket options for DTLS connections.
+ *
+ * Engine calls this when @ref lwm2m_ctx::set_socketoptions is not overwritten.
+ * You may call this from overwritten callback to set extra options after or
+ * before defaults.
+ *
+ * @param ctx Client context
+ * @return 0 for success or negative in case of error.
+ */
+int lwm2m_set_default_sockopt(struct lwm2m_ctx *ctx);
+
 #endif	/* ZEPHYR_INCLUDE_NET_LWM2M_H_ */
 /**@}  */
diff --git a/samples/net/lwm2m_client/overlay-dtls-cert.conf b/samples/net/lwm2m_client/overlay-dtls-cert.conf
@@ -0,0 +1,42 @@
+CONFIG_LWM2M_DTLS_SUPPORT=y
+CONFIG_LWM2M_PEER_PORT=5684
+
+# I need room to store certificates
+CONFIG_LWM2M_SECURITY_KEY_SIZE=2048
+
+# Select Zephyr mbedtls
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_TLS_VERSION_1_2=y
+
+# Special MbedTLS changes
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=32768
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1500
+CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+
+# Disable RSA, use only ECC certificates
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+# Enable PSK and ECDHE_ECDSA
+CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
+CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
+# We only need prime256v1 curve
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_ECP_C=y
+CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
+# Optional: we could use just binary DER certificates
+CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
+
+CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
+CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=4
+CONFIG_NET_SOCKETS_ENABLE_DTLS=y
+
+# MbedTLS needs a larger stack
+CONFIG_MAIN_STACK_SIZE=2048
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
+
+CONFIG_SHELL_BACKEND_SERIAL_RX_RING_BUFFER_SIZE=4096
+CONFIG_SHELL_CMD_BUFF_SIZE=4096
+CONFIG_LWM2M_SECURITY_KEY_SIZE=1024
diff --git a/subsys/net/lib/lwm2m/Kconfig b/subsys/net/lib/lwm2m/Kconfig
@@ -316,7 +316,6 @@ config LWM2M_SECURITY_INSTANCE_COUNT
 config LWM2M_SECURITY_KEY_SIZE
 	int "Buffer size of the security key resources"
 	default 16
-	range 16 256
 	help
 	  This setting establishes the size of the key (pre-shared / public)
 	  resources in the security object instances.