WIP: device certificate update poc

Author: pennam

examples/ArduinoIoTCloud-UpdateDevicecertificate/ArduinoIoTCloud-UpdateDevicecertificate.ino

@@ -0,0 +1,58 @@
+#include "arduino_secrets.h"
+/*
+  Sketch generated by the Arduino IoT Cloud Thing "Untitled"
+  https://create.arduino.cc/cloud/things/cc13b5b3-b496-44af-b55a-a20394c27398
+
+  Arduino IoT Cloud Variables description
+
+  The following variables are automatically generated and updated when changes are made to the Thing
+
+  int seconds;
+
+  Variables which are marked as READ/WRITE in the Cloud Thing will also have functions
+  which are called when their values are changed from the Dashboard.
+  These functions are generated with the Thing and added at the end of this sketch.
+*/
+
+#include "thingProperties.h"
+
+
+
+void setup() {
+  // Initialize serial and wait for port to open:
+  Serial.begin(9600);
+  // This delay gives the chance to wait for a Serial Monitor without blocking if none is found
+  delay(1500);
+
+  // Defined in thingProperties.h
+  initProperties();
+
+  // Connect to Arduino IoT Cloud
+  ArduinoCloud.begin(ArduinoIoTPreferredConnection, true, "iot.oniudra.cc");
+
+  /*
+     The following function allows you to obtain more information
+     related to the state of network and IoT Cloud connection and errors
+     the higher number the more granular information you’ll get.
+     The default is 0 (only errors).
+     Maximum is 4
+ */
+  setDebugMessageLevel(2);
+  ArduinoCloud.printDebugInfo();
+}
+
+void loop() {
+  ArduinoCloud.update();
+  // Your code here
+  seconds = millis()/1000;
+}
+
+
+
+/*
+  Since Seconds is READ_WRITE variable, onSecondsChange() is
+  executed every time a new value is received from IoT Cloud.
+*/
+void onSecondsChange()  {
+  // Add your code here to act upon Seconds change
+}

examples/ArduinoIoTCloud-UpdateDevicecertificate/arduino_secrets.h

@@ -0,0 +1,11 @@
+#define SECRET_OPTIONAL_PASS ""
+#define SECRET_SSID ""
+
+#define SECRET_ISSUE_YEAR ""
+#define SECRET_ISSUE_MONTH ""
+#define SECRET_ISSUE_DAY ""
+#define SECRET_ISSUE_HOUR ""
+#define SECRET_EXPIRE_YEARS ""
+#define SECRET_SERIAL_NUMBER ""
+#define SECRET_AUTHORITY_KEY_ID ""
+#define SECRET_SIGNATURE ""

examples/ArduinoIoTCloud-UpdateDevicecertificate/thingProperties.h

@@ -0,0 +1,29 @@
+// Code generated by Arduino IoT Cloud, DO NOT EDIT.
+
+#include <ArduinoIoTCloud.h>
+#include <Arduino_ConnectionHandler.h>
+
+const char SSID[]     = SECRET_SSID;    // Network SSID (name)
+const char PASS[]     = SECRET_OPTIONAL_PASS;    // Network password (use for WPA, or use as key for WEP)
+
+const char ISSUE_YEAR[]       = SECRET_ISSUE_YEAR;
+const char ISSUE_MONTH[]      = SECRET_ISSUE_MONTH;
+const char ISSUE_DAY[]        = SECRET_ISSUE_DAY;
+const char ISSUE_HOUR[]       = SECRET_ISSUE_HOUR;
+const char EXPIRE_YEARS[]     = SECRET_EXPIRE_YEARS;
+const char SERIAL_NUMBER[]    = SECRET_SERIAL_NUMBER;
+const char AUTHORITY_KEY_ID[] = SECRET_AUTHORITY_KEY_ID;
+const char SIGNATURE[]        = SECRET_SIGNATURE;
+
+void onSecondsChange();
+
+int seconds;
+
+void initProperties(){
+
+  ArduinoCloud.addProperty(seconds, READWRITE, ON_CHANGE, onSecondsChange);
+  ArduinoCloud.updateCertificate(ISSUE_YEAR, ISSUE_MONTH, ISSUE_DAY, ISSUE_HOUR, EXPIRE_YEARS, SERIAL_NUMBER, AUTHORITY_KEY_ID,SIGNATURE);
+
+}
+
+WiFiConnectionHandler ArduinoIoTPreferredConnection(SSID, PASS);

src/ArduinoIoTCloudTCP.cpp

@@ -204,6 +204,108 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress,
   return 1;
 }
 
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+static void hexStringToBytes(String& in, byte out[], int length) {
+  int inLength = in.length();
+  in.toUpperCase();
+  int outLength = 0;
+
+  for (int i = 0; i < inLength && outLength < length; i += 2) {
+    char highChar = in[i];
+    char lowChar = in[i + 1];
+
+    byte highByte = (highChar <= '9') ? (highChar - '0') : (highChar + 10 - 'A');
+    byte lowByte = (lowChar <= '9') ? (lowChar - '0') : (lowChar + 10 - 'A');
+
+    out[outLength++] = (highByte << 4) | (lowByte & 0xF);
+  }
+}
+
+int ArduinoIoTCloudTCP::updateCertificate(String issueYear, String issueMonth, String issueDay, String issueHour, String expireYears, String serialNumber, String authorityKeyIdentifier, String signature)
+{
+  ECP256Certificate Certificate;
+
+  byte serialNumberBytes[ECP256_CERT_SERIAL_NUMBER_LENGTH];
+  byte authorityKeyIdentifierBytes[ECP256_CERT_AUTHORITY_KEY_ID_LENGTH];
+  byte signatureBytes[ECP256_CERT_SIGNATURE_LENGTH];
+
+  hexStringToBytes(serialNumber, serialNumberBytes, sizeof(serialNumberBytes));
+  hexStringToBytes(authorityKeyIdentifier, authorityKeyIdentifierBytes, sizeof(authorityKeyIdentifierBytes));
+  hexStringToBytes(signature, signatureBytes, sizeof(signatureBytes));
+
+  if (!_selement.begin())
+  {
+    DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not initialize secure element.", __FUNCTION__);
+#if defined(ARDUINO_UNOWIFIR4)
+    if (String(WiFi.firmwareVersion()) < String("0.4.1")) {
+      DEBUG_ERROR("ArduinoIoTCloudTCP::%s In order to read device certificate, WiFi firmware needs to be >= 0.4.1, current %s", __FUNCTION__, WiFi.firmwareVersion());
+    }
+#endif
+    return 0;
+  }
+  if (!SElementArduinoCloudDeviceId::read(_selement, getDeviceId(), SElementArduinoCloudSlot::DeviceId))
+  {
+    DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not read device id.", __FUNCTION__);
+    return 0;
+  }
+  if (!SElementArduinoCloudCertificate::read(_selement, _cert, SElementArduinoCloudSlot::CompressedCertificate))
+  {
+    DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not read device certificate.", __FUNCTION__);
+    return 0;
+  }
+
+  if (!Certificate.begin()) {
+    /* WARNING: This string is parsed from IoTCloud frontend */
+    Serial.println("Error starting crypto storage!");
+  }
+
+  Certificate.setSubjectCommonName(getDeviceId());
+  Certificate.setIssuerCountryName("US");
+  Certificate.setIssuerOrganizationName("Arduino LLC US");
+  Certificate.setIssuerOrganizationalUnitName("IT");
+  Certificate.setIssuerCommonName("Arduino");
+  Certificate.setSignature(signatureBytes, sizeof(signatureBytes));
+  Certificate.setAuthorityKeyId(authorityKeyIdentifierBytes, sizeof(authorityKeyIdentifierBytes));
+  Certificate.setSerialNumber(serialNumberBytes, sizeof(serialNumberBytes));
+  Certificate.setIssueYear(issueYear.toInt());
+  Certificate.setIssueMonth(issueMonth.toInt());
+  Certificate.setIssueDay(issueDay.toInt());
+  Certificate.setIssueHour(issueHour.toInt());
+  Certificate.setExpireYears(expireYears.toInt());
+
+  if (!SElementArduinoCloudCertificate::build(_selement, Certificate, static_cast<int>(SElementArduinoCloudSlot::Key))) {
+    Serial.println("Error building cert!");
+  }
+
+  String cert = Certificate.getCertPEM();
+  if (!cert) {
+    Serial.println("Error generating cert!");
+  }
+  Serial.println("New Cert PEM = ");
+  Serial.println();
+  Serial.println(cert);
+
+  String oldcert = _cert.getCertPEM();
+  if (!oldcert) {
+    Serial.println("Error generating cert!");
+  }
+  Serial.println("Old Cert PEM = ");
+  Serial.println();
+  Serial.println(oldcert);
+
+
+  Serial.println("We have a certificate update");
+
+  if ((Certificate.length() != _cert.length()) || memcmp(_cert.bytes(), Certificate.bytes(), _cert.length() ))
+  {
+    Serial.println("Certificate are different");
+    if (!SElementArduinoCloudCertificate::write(_selement, Certificate, SElementArduinoCloudSlot::CompressedCertificate)) {
+      Serial.println("Error storing cert!");
+    }
+  }
+}
+#endif
+
 void ArduinoIoTCloudTCP::update()
 {
   /* Feed the watchdog. If any of the functions called below

src/ArduinoIoTCloudTCP.h

@@ -77,6 +77,10 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass
     int begin(ConnectionHandler & connection, bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_SECURE_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_SECURE_AUTH);
     int begin(bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_SECURE_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_SECURE_AUTH);
 
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+    int updateCertificate(String issueYear, String issueMonth, String issueDay, String issueHour, String expireYears, String serialNumber, String authorityKeyIdentifier, String signature);
+#endif
+
     #ifdef BOARD_HAS_SECRET_KEY
     inline void setBoardId        (String const device_id) { setDeviceId(device_id); }
     inline void setSecretDeviceKey(String const password)  { _password = password;  }