net: lib: tls_credentials: Rename TLS_CREDENTIAL_SERVER_CERTIFICATE

TLS_CREDENTIAL_SERVER_CERTIFICATE credential type is misleading, as in
fact it just represents a public certificate, it does not matter if the
certificate belongs to a server or a client. And actually, it was
already used in-tree for clients as well, for example in LwM2M.

Therefore rename the credential type to a more generic
TLS_CREDENTIAL_PUBLIC_CERTIFICATE and deprecate the old one.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>

doc/connectivity/networking/api/sockets.rst

@@ -93,7 +93,7 @@ socket options.
 The following TLS credential types can be registered in the system:
 
 - ``TLS_CREDENTIAL_CA_CERTIFICATE``
-- ``TLS_CREDENTIAL_SERVER_CERTIFICATE``
+- ``TLS_CREDENTIAL_PUBLIC_CERTIFICATE``
 - ``TLS_CREDENTIAL_PRIVATE_KEY``
 - ``TLS_CREDENTIAL_PSK``
 - ``TLS_CREDENTIAL_PSK_ID``

doc/releases/migration-guide-4.2.rst

@@ -176,6 +176,10 @@ Networking
   (because the addr is not a pointer) and must be changed to ``if (lladdr->len == 0)``
   if the code wants to check that the link address is not set.
 
+* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed to
+  more generic :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` to better
+  reflect the purpose of this credential type.
+
 SPI
 ===
 

doc/releases/release-notes-4.2.rst

@@ -61,6 +61,9 @@ Deprecated APIs and options
   renamed and deprecated. Use :kconfig:option:`CONFIG_SCHED_SIMPLE` and
   :kconfig:option:`CONFIG_WAITQ_SIMPLE` instead.
 
+* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed and
+  deprecated, use :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` instead.
+
 ===========================
 
 * ``arduino_uno_r4_minima`` and ``arduino_uno_r4_wifi`` board targets have been deprecated in favor

drivers/wifi/eswifi/eswifi_socket_offload.c

@@ -191,7 +191,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
 			case TLS_CREDENTIAL_CA_CERTIFICATE:
 				id = 0;
 				break;
-			case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+			case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 				id = 1;
 				break;
 			case TLS_CREDENTIAL_PRIVATE_KEY:

drivers/wifi/simplelink/simplelink_sockets.c

@@ -674,7 +674,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
 			case TLS_CREDENTIAL_CA_CERTIFICATE:
 				opt = SL_SO_SECURE_FILES_CA_FILE_NAME;
 				break;
-			case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+			case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 				opt = SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME;
 				break;
 			case TLS_CREDENTIAL_PRIVATE_KEY:

include/zephyr/net/tls_credentials.h

@@ -36,11 +36,15 @@ enum tls_credential_type {
 	 */
 	TLS_CREDENTIAL_CA_CERTIFICATE,
 
-	/** A public server certificate. Use this to register your own server
+	/** A public client or server certificate. Use this to register your own
 	 *  certificate. Should be registered together with a corresponding
 	 *  private key. Used with certificate-based ciphersuites.
 	 */
-	TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
+
+	/** @deprecated Use TLS_CREDENTIAL_PUBLIC_CERTIFICATE instead.
+	 */
+	TLS_CREDENTIAL_SERVER_CERTIFICATE = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 
 	/** Private key. Should be registered together with a corresponding
 	 *  public certificate. Used with certificate-based ciphersuites.
@@ -64,7 +68,7 @@ enum tls_credential_type {
  * in the system.
  *
  * @note Some TLS credentials come in pairs:
- *    - TLS_CREDENTIAL_SERVER_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
+ *    - TLS_CREDENTIAL_PUBLIC_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
  *    - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID.
  *    Such pairs of credentials must be assigned the same secure tag to be
  *    correctly handled in the system.

modules/thrift/src/thrift/transport/TSSLSocket.cpp

@@ -450,7 +450,7 @@ void TSSLSocketFactory::loadCertificateFromBuffer(const char *aCertificate, cons
 
 	if (strcmp(format, "PEM") == 0) {
 		const int status = tls_credential_add(Thrift_TLS_SERVER_CERT_TAG,
-						      TLS_CREDENTIAL_SERVER_CERTIFICATE,
+						      TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 						      aCertificate, strlen(aCertificate) + 1);
 
 		if (status != 0) {

samples/net/prometheus/src/main.c

@@ -120,7 +120,7 @@ static void setup_tls(void)
 	}
 #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
 
-	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate, sizeof(server_certificate));
 	if (err < 0) {
 		LOG_ERR("Failed to register public certificate: %d", err);

samples/net/sockets/dumb_http_server_mt/src/main.c

@@ -413,7 +413,7 @@ int main(void)
 {
 #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
 	int err = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				     TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				     TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				     server_certificate,
 				     sizeof(server_certificate));
 	if (err < 0) {

samples/net/sockets/echo_server/src/echo-server.c

@@ -153,7 +153,7 @@ static void init_app(void)
 #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
 
 	err = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate,
 				 sizeof(server_certificate));
 	if (err < 0) {

samples/net/sockets/http_server/src/main.c

@@ -312,7 +312,7 @@ static void setup_tls(void)
 	int err;
 
 	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG,
-				 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate,
 				 sizeof(server_certificate));
 	if (err < 0) {

samples/subsys/mgmt/updatehub/src/main.c

@@ -89,7 +89,7 @@ int main(void)
 
 #if defined(CONFIG_UPDATEHUB_DTLS)
 	if (tls_credential_add(CA_CERTIFICATE_TAG,
-			       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+			       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 			       server_certificate,
 			       sizeof(server_certificate)) < 0) {
 		LOG_ERR("Failed to register server certificate");

subsys/net/lib/lwm2m/lwm2m_engine.c

@@ -922,7 +922,7 @@ static void delete_tls_credentials(sec_tag_t tag)
 {
 	tls_credential_delete(tag, TLS_CREDENTIAL_PSK_ID);
 	tls_credential_delete(tag, TLS_CREDENTIAL_PSK);
-	tls_credential_delete(tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	tls_credential_delete(tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	tls_credential_delete(tag, TLS_CREDENTIAL_PRIVATE_KEY);
 	tls_credential_delete(tag, TLS_CREDENTIAL_CA_CERTIFICATE);
 }
@@ -1003,7 +1003,7 @@ static int lwm2m_load_x509_credentials(struct lwm2m_ctx *ctx)
 
 	delete_tls_credentials(ctx->tls_tag);
 
-	ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	if (ret < 0) {
 		return ret;
 	}

subsys/net/lib/sockets/sockets_tls.c

@@ -1078,7 +1078,7 @@ static int tls_set_credential(struct tls_context *tls,
 	case TLS_CREDENTIAL_CA_CERTIFICATE:
 		return tls_add_ca_certificate(tls, cred);
 
-	case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+	case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 		return tls_add_own_cert(tls, cred);
 
 	case TLS_CREDENTIAL_PRIVATE_KEY:
@@ -1133,7 +1133,7 @@ static int tls_mbedtls_set_credentials(struct tls_context *tls)
 
 			if (cred->type == TLS_CREDENTIAL_CA_CERTIFICATE) {
 				ca_cert_present = true;
-			} else if (cred->type == TLS_CREDENTIAL_SERVER_CERTIFICATE) {
+			} else if (cred->type == TLS_CREDENTIAL_PUBLIC_CERTIFICATE) {
 				own_cert_present = true;
 			}
 		}

subsys/net/lib/tls_credentials/tls_credentials_shell.c

@@ -40,12 +40,12 @@ static const struct cred_type_string type_strings[] = {
 	{"CA_CERT",		TLS_CREDENTIAL_CA_CERTIFICATE},
 	{"CA",			TLS_CREDENTIAL_CA_CERTIFICATE},
 
-	{"SERVER_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"CLIENT_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SELF_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SELF",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"CLIENT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SERV",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
+	{"SERVER_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"CLIENT_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SELF_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SELF",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"CLIENT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SERV",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
 
 	{"PRIVATE_KEY",		TLS_CREDENTIAL_PRIVATE_KEY},
 	{"PK",			TLS_CREDENTIAL_PRIVATE_KEY},

tests/net/lib/http_server/tls/src/main.c

@@ -239,7 +239,7 @@ static void *setup(void)
 		zassert_equal(ret, 0, "failed to add CA Certificate (%d)", ret);
 
 		ret = tls_credential_add(SERVER_CERTIFICATE_TAG,
-					 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+					 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 					 server, sizeof(server));
 		zassert_equal(ret, 0, "failed to add Server Certificate (%d)", ret);
 
@@ -249,7 +249,7 @@ static void *setup(void)
 		zassert_equal(ret, 0, "failed to add Server Private Key (%d)", ret);
 
 		ret = tls_credential_add(CLIENT_CERTIFICATE_TAG,
-					 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+					 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 					 client, sizeof(client));
 		zassert_equal(ret, 0, "failed to add Client Certificate (%d)", ret);
 

tests/net/lib/lwm2m/lwm2m_engine/src/main.c

@@ -467,7 +467,7 @@ ZTEST(lwm2m_engine, test_security)
 	zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[1], TLS_PEER_VERIFY);
 	zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[2], TLS_CIPHERSUITE_LIST);
 	zassert_true(tls_credential_add_fake.call_count == 3);
-	zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	zassert_equal(tls_credential_add_fake.arg1_history[1], TLS_CREDENTIAL_PRIVATE_KEY);
 	zassert_equal(tls_credential_add_fake.arg1_history[2], TLS_CREDENTIAL_CA_CERTIFICATE);
 	zassert_equal(lwm2m_engine_stop(&ctx), 0);

tests/net/lib/tls_credentials/src/main.c

@@ -34,10 +34,10 @@ static void test_credential_add(void)
 	/* Function should allow to add credentials of different types
 	 * with the same tag
 	 */
-	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 test_server_cert, sizeof(test_server_cert));
 	zassert_equal(ret, 0, "Failed to add credential %d %d",
-		      common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+		      common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 
 	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PRIVATE_KEY,
 				 test_server_key, sizeof(test_server_key));
@@ -87,7 +87,7 @@ static void test_credential_get(void)
 
 	/* Try to read with too small buffer */
 	credlen = sizeof(test_server_cert) - 1;
-	ret = tls_credential_get(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	ret = tls_credential_get(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 cred, &credlen);
 	zassert_equal(ret, -EFBIG, "Should have failed with EFBIG");
 }
@@ -121,7 +121,7 @@ static void test_credential_internal_iterate(void)
 		cert = temp;
 	}
 
-	zassert_equal(cert->type, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	zassert_equal(cert->type, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 		      "Invalid type for cert");
 	zassert_equal(cert->tag, common_tag, "Invalid tag for cert");
 	zassert_equal(cert->len, sizeof(test_server_cert),

tests/net/socket/tls_ext/src/main.c

@@ -449,7 +449,7 @@ static void *setup(void)
 		zassert_equal(r, 0, "failed to add CA Certificate (%d)", r);
 
 		r = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				       server, sizeof(server));
 		zassert_equal(r, 0, "failed to add Server Certificate (%d)", r);
 
@@ -459,7 +459,7 @@ static void *setup(void)
 		zassert_equal(r, 0, "failed to add Server Private Key (%d)", r);
 
 		r = tls_credential_add(CLIENT_CERTIFICATE_TAG,
-				       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				       client, sizeof(client));
 		zassert_equal(r, 0, "failed to add Client Certificate (%d)", r);