lib: modem_key_mgmt: Add function to get digest and list entries

Add two new functions to modem key management interface.
A function to retrieve the SHA1 digest of the credential in persistent
storage.
A function that iterates over all entries in persistent storage and
calls a callback with the security tag and the credential type.

Signed-off-by: Joakim Andersson <[email protected]>

Author: joerchan

include/modem/modem_key_mgmt.h

@@ -23,7 +23,10 @@ extern "C" {
  * @{
  */
 
-/**@brief Credential types. */
+/** @brief The digest is 32 bytes long. */
+#define MODEM_KEY_MGMT_DIGEST_SIZE (32)
+
+/** @brief Credential types. */
 enum modem_key_mgmt_cred_type {
 	MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
 	MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,
@@ -32,6 +35,15 @@ enum modem_key_mgmt_cred_type {
 	MODEM_KEY_MGMT_CRED_TYPE_IDENTITY
 };
 
+/**
+ * @brief Credential list entry handler function prototype.
+ *
+ * @param[in] sec_tag      The security tag.
+ * @param[in] cred_type    The credential type.
+ */
+typedef void (*modem_key_mgmt_list_cb_t)(
+	nrf_sec_tag_t sec_tag, enum modem_key_mgmt_cred_type cred_type);
+
 /**
  * @brief Write or update a credential in persistent storage.
  *
@@ -136,6 +148,23 @@ int modem_key_mgmt_cmp(nrf_sec_tag_t sec_tag,
 		       enum modem_key_mgmt_cred_type cred_type,
 		       const void *buf, size_t len);
 
+/**
+ * @brief Read the SHA1 digest of a credential from persistent storage.
+ *
+ * @param[in]           sec_tag         The security tag of the credential.
+ * @param[in]           cred_type       The credential type.
+ * @param[out]          buf             Buffer to read the credential into.
+ * @param[in]           len             Length of the buffer.
+ *
+ * @retval 0            On success.
+ * @retval -ENOMEM      Credential does not fit in @p buf. See @ref MODEM_KEY_MGMT_DIGEST_SIZE
+ * @retval -ENOENT      No credential associated with the given
+ *                      @p sec_tag and @p cred_type.
+ */
+int modem_key_mgmt_digest(nrf_sec_tag_t sec_tag,
+			  enum modem_key_mgmt_cred_type cred_type,
+			  void *buf, size_t len);
+
 /**
  * @brief Check if a credential exists in persistent storage.
  *
@@ -152,6 +181,17 @@ int modem_key_mgmt_exists(nrf_sec_tag_t sec_tag,
 			  enum modem_key_mgmt_cred_type cred_type,
 			  bool *exists);
 
+/**
+ * @brief List all the available credentials in persistent storage.
+ *
+ * @param[in]           list_cb         Callback called for each available
+ *                                      credential in persistent storage.
+ *
+ * @retval 0            On success.
+ * @retval -ENOBUFS     Internal buffer is too small.
+ */
+int modem_key_mgmt_list(modem_key_mgmt_list_cb_t list_cb);
+
 /**@} */
 
 #ifdef __cplusplus

lib/modem_key_mgmt/modem_key_mgmt.c

@@ -267,6 +267,68 @@ int modem_key_mgmt_cmp(nrf_sec_tag_t sec_tag,
 	return err;
 }
 
+#define MODEM_KEY_MGMT_DIGEST_STR_SIZE_WITHOUT_NULL_TERM 64
+
+int modem_key_mgmt_digest(nrf_sec_tag_t sec_tag,
+			  enum modem_key_mgmt_cred_type cred_type,
+			  void *buf, size_t len)
+{
+	char cmd[sizeof("AT%CMNG=1,##########,##")];
+	bool cmee_was_enabled;
+	int ret;
+
+	if (buf == NULL) {
+		return -EINVAL;
+	}
+
+	if (len < MODEM_KEY_MGMT_DIGEST_SIZE) {
+		return -ENOMEM;
+	}
+
+	cmee_enable(&cmee_was_enabled);
+
+	snprintk(cmd, sizeof(cmd), "AT%%CMNG=1,%u,%u", sec_tag, cred_type);
+
+	k_mutex_lock(&key_mgmt_mutex, K_FOREVER);
+
+	ret = nrf_modem_at_scanf(
+		cmd,
+		"%%CMNG: "
+		"%*u," /* Ignore tag. */
+		"%*u," /* Ignore type. */
+		"\"%" STRINGIFY(MODEM_KEY_MGMT_DIGEST_STR_SIZE_WITHOUT_NULL_TERM) "s\"",
+		scratch_buf);
+
+	if (!cmee_was_enabled) {
+		cmee_disable();
+	}
+
+	switch (ret) {
+	case 1:
+		len = hex2bin(scratch_buf, strlen(scratch_buf), buf, len);
+
+		if (len != MODEM_KEY_MGMT_DIGEST_SIZE) {
+			ret = -EINVAL;
+			break;
+		}
+
+		ret = 0;
+		break;
+	case 0:
+		ret = -ENOENT;
+	default:
+		break;
+	}
+
+	k_mutex_unlock(&key_mgmt_mutex);
+	if (ret) {
+		return translate_error(ret);
+	}
+
+	return 0;
+
+}
+
 int modem_key_mgmt_delete(nrf_sec_tag_t sec_tag,
 			  enum modem_key_mgmt_cred_type cred_type)
 {
@@ -366,3 +428,43 @@ int modem_key_mgmt_exists(nrf_sec_tag_t sec_tag,
 	k_mutex_unlock(&key_mgmt_mutex);
 	return err;
 }
+
+int modem_key_mgmt_list(modem_key_mgmt_list_cb_t list_cb)
+{
+	int err;
+	char *token;
+	uint32_t tag, type;
+	bool cmee_was_enabled;
+
+	k_mutex_lock(&key_mgmt_mutex, K_FOREVER);
+
+	cmee_enable(&cmee_was_enabled);
+
+	scratch_buf[0] = '\0';
+	err = nrf_modem_at_cmd(scratch_buf, sizeof(scratch_buf),
+			       "AT%%CMNG=1");
+
+	if (!cmee_was_enabled) {
+		cmee_disable();
+	}
+
+	if (err) {
+		err = translate_error(err);
+		goto out;
+	}
+
+	token = strtok(scratch_buf, "\n");
+	while (token != NULL) {
+		int match = sscanf(token, "%%CMNG: %u,%u,\"", &tag, &type);
+
+		if (match == 2 && tag < NRF_SEC_TAG_TLS_DECRYPT_BASE) {
+			list_cb(tag, type);
+		}
+
+		token = strtok(NULL, "\n");
+	}
+
+out:
+	k_mutex_unlock(&key_mgmt_mutex);
+	return err;
+}