From a61287e8766fe14d0055fba796c56948c483eaaf Mon Sep 17 00:00:00 2001 From: Robert Lubos Date: Wed, 19 Mar 2025 12:45:41 +0100 Subject: [PATCH] net: lib: tls_credentials: Rename TLS_CREDENTIAL_SERVER_CERTIFICATE TLS_CREDENTIAL_SERVER_CERTIFICATE credential type is misleading, as in fact it just represents a public certificate, it does not matter if the certificate belongs to a server or a client. And actually, it was already used in-tree for clients as well, for example in LwM2M. Therefore rename the credential type to a more generic TLS_CREDENTIAL_PUBLIC_CERTIFICATE and deprecate the old one. Signed-off-by: Robert Lubos --- doc/connectivity/networking/api/sockets.rst | 2 +- doc/releases/migration-guide-4.2.rst | 4 ++++ doc/releases/release-notes-4.2.rst | 3 +++ drivers/wifi/eswifi/eswifi_socket_offload.c | 2 +- drivers/wifi/simplelink/simplelink_sockets.c | 2 +- include/zephyr/net/tls_credentials.h | 10 +++++++--- modules/thrift/src/thrift/transport/TSSLSocket.cpp | 2 +- samples/net/prometheus/src/main.c | 2 +- samples/net/sockets/dumb_http_server_mt/src/main.c | 2 +- samples/net/sockets/echo_server/src/echo-server.c | 2 +- samples/net/sockets/http_server/src/main.c | 2 +- samples/subsys/mgmt/updatehub/src/main.c | 2 +- subsys/net/lib/lwm2m/lwm2m_engine.c | 4 ++-- subsys/net/lib/sockets/sockets_tls.c | 4 ++-- .../net/lib/tls_credentials/tls_credentials_shell.c | 12 ++++++------ tests/net/lib/http_server/tls/src/main.c | 4 ++-- tests/net/lib/lwm2m/lwm2m_engine/src/main.c | 2 +- tests/net/lib/tls_credentials/src/main.c | 8 ++++---- tests/net/socket/tls_ext/src/main.c | 4 ++-- 19 files changed, 42 insertions(+), 31 deletions(-) diff --git a/doc/connectivity/networking/api/sockets.rst b/doc/connectivity/networking/api/sockets.rst index bba4df9e788..8a1023a06cc 100644 --- a/doc/connectivity/networking/api/sockets.rst +++ b/doc/connectivity/networking/api/sockets.rst 
@@ -93,7 +93,7 @@ socket options. The following TLS credential types can be registered in the system: - ``TLS_CREDENTIAL_CA_CERTIFICATE`` -- ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` +- ``TLS_CREDENTIAL_PUBLIC_CERTIFICATE`` - ``TLS_CREDENTIAL_PRIVATE_KEY`` - ``TLS_CREDENTIAL_PSK`` - ``TLS_CREDENTIAL_PSK_ID`` diff --git a/doc/releases/migration-guide-4.2.rst b/doc/releases/migration-guide-4.2.rst index 30ef05cbbf1..487363ddb9b 100644 --- a/doc/releases/migration-guide-4.2.rst +++ b/doc/releases/migration-guide-4.2.rst @@ -176,6 +176,10 @@ Networking (because the addr is not a pointer) and must be changed to ``if (lladdr->len == 0)`` if the code wants to check that the link address is not set. +* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed to + more generic :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` to better + reflect the purpose of this credential type. + SPI === diff --git a/doc/releases/release-notes-4.2.rst b/doc/releases/release-notes-4.2.rst index 573e960c7d2..1b47130f0f8 100644 --- a/doc/releases/release-notes-4.2.rst +++ b/doc/releases/release-notes-4.2.rst @@ -61,6 +61,9 @@ Deprecated APIs and options renamed and deprecated. Use :kconfig:option:`CONFIG_SCHED_SIMPLE` and :kconfig:option:`CONFIG_WAITQ_SIMPLE` instead. +* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed and + deprecated, use :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` instead. + =========================== * ``arduino_uno_r4_minima`` and ``arduino_uno_r4_wifi`` board targets have been deprecated in favor diff --git a/drivers/wifi/eswifi/eswifi_socket_offload.c b/drivers/wifi/eswifi/eswifi_socket_offload.c index 212bef4380a..5d37ae73042 100644 --- a/drivers/wifi/eswifi/eswifi_socket_offload.c +++ b/drivers/wifi/eswifi/eswifi_socket_offload.c 
@@ -191,7 +191,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen) case TLS_CREDENTIAL_CA_CERTIFICATE: id = 0; break; - case TLS_CREDENTIAL_SERVER_CERTIFICATE: + case TLS_CREDENTIAL_PUBLIC_CERTIFICATE: id = 1; break; case TLS_CREDENTIAL_PRIVATE_KEY: diff --git a/drivers/wifi/simplelink/simplelink_sockets.c b/drivers/wifi/simplelink/simplelink_sockets.c index ff96fd91fe3..29819ad4564 100644 --- a/drivers/wifi/simplelink/simplelink_sockets.c +++ b/drivers/wifi/simplelink/simplelink_sockets.c @@ -674,7 +674,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen) case TLS_CREDENTIAL_CA_CERTIFICATE: opt = SL_SO_SECURE_FILES_CA_FILE_NAME; break; - case TLS_CREDENTIAL_SERVER_CERTIFICATE: + case TLS_CREDENTIAL_PUBLIC_CERTIFICATE: opt = SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME; break; case TLS_CREDENTIAL_PRIVATE_KEY: diff --git a/include/zephyr/net/tls_credentials.h b/include/zephyr/net/tls_credentials.h index 2804df06101..1002eee7e64 100644 --- a/include/zephyr/net/tls_credentials.h +++ b/include/zephyr/net/tls_credentials.h @@ -36,11 +36,15 @@ enum tls_credential_type { */ TLS_CREDENTIAL_CA_CERTIFICATE, - /** A public server certificate. Use this to register your own server + /** A public client or server certificate. Use this to register your own * certificate. Should be registered together with a corresponding * private key. Used with certificate-based ciphersuites. */ - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, + + /** @deprecated Use TLS_CREDENTIAL_PUBLIC_CERTIFICATE instead. + */ + TLS_CREDENTIAL_SERVER_CERTIFICATE = TLS_CREDENTIAL_PUBLIC_CERTIFICATE, /** Private key. Should be registered together with a corresponding * public certificate. Used with certificate-based ciphersuites. 
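Review bot: The deprecated alias `TLS_CREDENTIAL_SERVER_CERTIFICATE = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,` in the tls_credentials.h hunk carries only a Doxygen `@deprecated` tag, so existing callers get no compiler diagnostic and the old name can linger indefinitely. GCC and Clang accept an attribute on an enumerator, so `TLS_CREDENTIAL_SERVER_CERTIFICATE __deprecated = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,` would warn at every remaining use, assuming the project's `__deprecated` helper (used for functions elsewhere in the tree, as far as I recall) is visible from this header. Since both names now share one value, out-of-tree code that lists both as separate `case` labels in a `switch` over `enum tls_credential_type` will fail to compile with a duplicate-case error rather than silently keep working; one sentence noting that in the enumerator comment or the migration guide would spare downstream callers a surprise. The enum continues past the end of the hunk.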
@@ -64,7 +68,7 @@ enum tls_credential_type { * in the system. * * @note Some TLS credentials come in pairs: - * - TLS_CREDENTIAL_SERVER_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY, + * - TLS_CREDENTIAL_PUBLIC_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY, * - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID. * Such pairs of credentials must be assigned the same secure tag to be * correctly handled in the system. diff --git a/modules/thrift/src/thrift/transport/TSSLSocket.cpp b/modules/thrift/src/thrift/transport/TSSLSocket.cpp index 3ac178ede3b..f23c6b4f96d 100644 --- a/modules/thrift/src/thrift/transport/TSSLSocket.cpp +++ b/modules/thrift/src/thrift/transport/TSSLSocket.cpp @@ -450,7 +450,7 @@ void TSSLSocketFactory::loadCertificateFromBuffer(const char *aCertificate, cons if (strcmp(format, "PEM") == 0) { const int status = tls_credential_add(Thrift_TLS_SERVER_CERT_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, aCertificate, strlen(aCertificate) + 1); if (status != 0) { diff --git a/samples/net/prometheus/src/main.c b/samples/net/prometheus/src/main.c index 399a783236c..f209f8ed750 100644 --- a/samples/net/prometheus/src/main.c +++ b/samples/net/prometheus/src/main.c @@ -120,7 +120,7 @@ static void setup_tls(void) } #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */ - err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE, + err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server_certificate, sizeof(server_certificate)); if (err < 0) { LOG_ERR("Failed to register public certificate: %d", err); diff --git a/samples/net/sockets/dumb_http_server_mt/src/main.c b/samples/net/sockets/dumb_http_server_mt/src/main.c index 06f9f0c6e71..ed19fa96833 100644 --- a/samples/net/sockets/dumb_http_server_mt/src/main.c +++ b/samples/net/sockets/dumb_http_server_mt/src/main.c 
@@ -413,7 +413,7 @@ int main(void) { #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) int err = tls_credential_add(SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server_certificate, sizeof(server_certificate)); if (err < 0) { diff --git a/samples/net/sockets/echo_server/src/echo-server.c b/samples/net/sockets/echo_server/src/echo-server.c index d7a80da8564..fd6bd4f6acf 100644 --- a/samples/net/sockets/echo_server/src/echo-server.c +++ b/samples/net/sockets/echo_server/src/echo-server.c @@ -153,7 +153,7 @@ static void init_app(void) #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */ err = tls_credential_add(SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server_certificate, sizeof(server_certificate)); if (err < 0) { diff --git a/samples/net/sockets/http_server/src/main.c b/samples/net/sockets/http_server/src/main.c index 1341a91169b..10c8224ae7b 100644 --- a/samples/net/sockets/http_server/src/main.c +++ b/samples/net/sockets/http_server/src/main.c @@ -312,7 +312,7 @@ static void setup_tls(void) int err; err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server_certificate, sizeof(server_certificate)); if (err < 0) { diff --git a/samples/subsys/mgmt/updatehub/src/main.c b/samples/subsys/mgmt/updatehub/src/main.c index b8b1406ba0c..73d64a1a694 100644 --- a/samples/subsys/mgmt/updatehub/src/main.c +++ b/samples/subsys/mgmt/updatehub/src/main.c @@ -89,7 +89,7 @@ int main(void) #if defined(CONFIG_UPDATEHUB_DTLS) if (tls_credential_add(CA_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server_certificate, sizeof(server_certificate)) < 0) { LOG_ERR("Failed to register server certificate"); diff --git a/subsys/net/lib/lwm2m/lwm2m_engine.c b/subsys/net/lib/lwm2m/lwm2m_engine.c index 70ca2f52f74..26c0585b3ad 100644 --- a/subsys/net/lib/lwm2m/lwm2m_engine.c 
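Review bot: In the updatehub hunk the credential loaded from `server_certificate` under `CA_CERTIFICATE_TAG` is typed `TLS_CREDENTIAL_PUBLIC_CERTIFICATE`, which the header hunk in this series documents as the device's own certificate to be paired with a private key. If that buffer is the trust anchor used to verify the UpdateHub server, as the tag name and the `LOG_ERR("Failed to register server certificate")` text suggest, the type should be `TLS_CREDENTIAL_CA_CERTIFICATE`, because the sockets_tls.c hunk routes only that type to `tls_add_ca_certificate()` and sends the public-certificate type to `tls_add_own_cert()`. The mismatch predates this commit, but the rename makes it visible and samples are what callers copy, so it is worth fixing or explaining here. `main()` continues outside the hunk.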
+++ b/subsys/net/lib/lwm2m/lwm2m_engine.c @@ -922,7 +922,7 @@ static void delete_tls_credentials(sec_tag_t tag) { tls_credential_delete(tag, TLS_CREDENTIAL_PSK_ID); tls_credential_delete(tag, TLS_CREDENTIAL_PSK); - tls_credential_delete(tag, TLS_CREDENTIAL_SERVER_CERTIFICATE); + tls_credential_delete(tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE); tls_credential_delete(tag, TLS_CREDENTIAL_PRIVATE_KEY); tls_credential_delete(tag, TLS_CREDENTIAL_CA_CERTIFICATE); } @@ -1003,7 +1003,7 @@ static int lwm2m_load_x509_credentials(struct lwm2m_ctx *ctx) delete_tls_credentials(ctx->tls_tag); - ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_SERVER_CERTIFICATE); + ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_PUBLIC_CERTIFICATE); if (ret < 0) { return ret; } diff --git a/subsys/net/lib/sockets/sockets_tls.c b/subsys/net/lib/sockets/sockets_tls.c index b28f8aa8be9..5b29c3077e8 100644 --- a/subsys/net/lib/sockets/sockets_tls.c +++ b/subsys/net/lib/sockets/sockets_tls.c @@ -1078,7 +1078,7 @@ static int tls_set_credential(struct tls_context *tls, case TLS_CREDENTIAL_CA_CERTIFICATE: return tls_add_ca_certificate(tls, cred); - case TLS_CREDENTIAL_SERVER_CERTIFICATE: + case TLS_CREDENTIAL_PUBLIC_CERTIFICATE: return tls_add_own_cert(tls, cred); case TLS_CREDENTIAL_PRIVATE_KEY: @@ -1133,7 +1133,7 @@ static int tls_mbedtls_set_credentials(struct tls_context *tls) if (cred->type == TLS_CREDENTIAL_CA_CERTIFICATE) { ca_cert_present = true; - } else if (cred->type == TLS_CREDENTIAL_SERVER_CERTIFICATE) { + } else if (cred->type == TLS_CREDENTIAL_PUBLIC_CERTIFICATE) { own_cert_present = true; } } diff --git a/subsys/net/lib/tls_credentials/tls_credentials_shell.c b/subsys/net/lib/tls_credentials/tls_credentials_shell.c index d72d6c1605f..7116de9ae13 100644 --- a/subsys/net/lib/tls_credentials/tls_credentials_shell.c +++ b/subsys/net/lib/tls_credentials/tls_credentials_shell.c 
@@ -40,12 +40,12 @@ static const struct cred_type_string type_strings[] = { {"CA_CERT", TLS_CREDENTIAL_CA_CERTIFICATE}, {"CA", TLS_CREDENTIAL_CA_CERTIFICATE}, - {"SERVER_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE}, - {"CLIENT_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE}, - {"SELF_CERT", TLS_CREDENTIAL_SERVER_CERTIFICATE}, - {"SELF", TLS_CREDENTIAL_SERVER_CERTIFICATE}, - {"CLIENT", TLS_CREDENTIAL_SERVER_CERTIFICATE}, - {"SERV", TLS_CREDENTIAL_SERVER_CERTIFICATE}, + {"SERVER_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, + {"CLIENT_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, + {"SELF_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, + {"SELF", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, + {"CLIENT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, + {"SERV", TLS_CREDENTIAL_PUBLIC_CERTIFICATE}, {"PRIVATE_KEY", TLS_CREDENTIAL_PRIVATE_KEY}, {"PK", TLS_CREDENTIAL_PRIVATE_KEY}, diff --git a/tests/net/lib/http_server/tls/src/main.c b/tests/net/lib/http_server/tls/src/main.c index c14844eacea..9361fb1770d 100644 --- a/tests/net/lib/http_server/tls/src/main.c +++ b/tests/net/lib/http_server/tls/src/main.c @@ -239,7 +239,7 @@ static void *setup(void) zassert_equal(ret, 0, "failed to add CA Certificate (%d)", ret); ret = tls_credential_add(SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server, sizeof(server)); zassert_equal(ret, 0, "failed to add Server Certificate (%d)", ret); @@ -249,7 +249,7 @@ static void *setup(void) zassert_equal(ret, 0, "failed to add Server Private Key (%d)", ret); ret = tls_credential_add(CLIENT_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, client, sizeof(client)); zassert_equal(ret, 0, "failed to add Client Certificate (%d)", ret); diff --git a/tests/net/lib/lwm2m/lwm2m_engine/src/main.c b/tests/net/lib/lwm2m/lwm2m_engine/src/main.c index 9331eae7e8b..e72d12896be 100644 --- a/tests/net/lib/lwm2m/lwm2m_engine/src/main.c +++ b/tests/net/lib/lwm2m/lwm2m_engine/src/main.c 
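Review bot: The `type_strings[]` table in the shell hunk still accepts only the legacy spellings (`SERVER_CERT`, `CLIENT_CERT`, `SELF_CERT`, `SELF`, `CLIENT`, `SERV`) and offers no name matching the new enumerator, so a user who reads tls_credentials.h and types `PUBLIC_CERT` gets no match. Adding `{"PUBLIC_CERT", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},` and `{"PUBLIC", TLS_CREDENTIAL_PUBLIC_CERTIFICATE},` alongside the existing aliases keeps the shell vocabulary aligned with the header. Whether the same table also drives a type-to-string direction is not visible in this hunk; if it does, the first matching entry decides which name is printed, so placement matters. The table continues outside the hunk.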
@@ -467,7 +467,7 @@ ZTEST(lwm2m_engine, test_security) zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[1], TLS_PEER_VERIFY); zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[2], TLS_CIPHERSUITE_LIST); zassert_true(tls_credential_add_fake.call_count == 3); - zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_SERVER_CERTIFICATE); + zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_PUBLIC_CERTIFICATE); zassert_equal(tls_credential_add_fake.arg1_history[1], TLS_CREDENTIAL_PRIVATE_KEY); zassert_equal(tls_credential_add_fake.arg1_history[2], TLS_CREDENTIAL_CA_CERTIFICATE); zassert_equal(lwm2m_engine_stop(&ctx), 0); diff --git a/tests/net/lib/tls_credentials/src/main.c b/tests/net/lib/tls_credentials/src/main.c index e45704d08ce..d620aaa0909 100644 --- a/tests/net/lib/tls_credentials/src/main.c +++ b/tests/net/lib/tls_credentials/src/main.c @@ -34,10 +34,10 @@ static void test_credential_add(void) /* Function should allow to add credentials of different types * with the same tag */ - ret = tls_credential_add(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE, + ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE, test_server_cert, sizeof(test_server_cert)); zassert_equal(ret, 0, "Failed to add credential %d %d", - common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE); + common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE); ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PRIVATE_KEY, test_server_key, sizeof(test_server_key)); @@ -87,7 +87,7 @@ static void test_credential_get(void) /* Try to read with too small buffer */ credlen = sizeof(test_server_cert) - 1; - ret = tls_credential_get(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE, + ret = tls_credential_get(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE, cred, &credlen); zassert_equal(ret, -EFBIG, "Should have failed with EFBIG"); } 
@@ -121,7 +121,7 @@ static void test_credential_internal_iterate(void) cert = temp; } - zassert_equal(cert->type, TLS_CREDENTIAL_SERVER_CERTIFICATE, + zassert_equal(cert->type, TLS_CREDENTIAL_PUBLIC_CERTIFICATE, "Invalid type for cert"); zassert_equal(cert->tag, common_tag, "Invalid tag for cert"); zassert_equal(cert->len, sizeof(test_server_cert), diff --git a/tests/net/socket/tls_ext/src/main.c b/tests/net/socket/tls_ext/src/main.c index b122d05d38e..cc55c2b3684 100644 --- a/tests/net/socket/tls_ext/src/main.c +++ b/tests/net/socket/tls_ext/src/main.c @@ -449,7 +449,7 @@ static void *setup(void) zassert_equal(r, 0, "failed to add CA Certificate (%d)", r); r = tls_credential_add(SERVER_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, server, sizeof(server)); zassert_equal(r, 0, "failed to add Server Certificate (%d)", r); @@ -459,7 +459,7 @@ static void *setup(void) zassert_equal(r, 0, "failed to add Server Private Key (%d)", r); r = tls_credential_add(CLIENT_CERTIFICATE_TAG, - TLS_CREDENTIAL_SERVER_CERTIFICATE, + TLS_CREDENTIAL_PUBLIC_CERTIFICATE, client, sizeof(client)); zassert_equal(r, 0, "failed to add Client Certificate (%d)", r);