net: lwm2m_client_utils: Clear sec_tag content when overwriting

SeppoTakalo · rlubos · commit 71ea8751dc42 · 2024-11-18T20:07:09.000+01:00
When writing new content to security tag, clear existing
information first, that might cause problems.

For example, when writing PSK, delete all certificates.
When writing certificates, delete all PSK data.

Signed-off-by: Seppo Takalo &lt;seppo.takalo@nordicsemi.no&gt;
diff --git a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
@@ -128,11 +128,30 @@ static int write_credential_type(int sec_obj_inst, int sec_tag, int res_id,
 	return 0;
 }
 
+static void delete_credential_if_exist(int sec_tag, enum modem_key_mgmt_cred_type type)
+{
+	bool exist = false;
+	int ret;
+
+	ret = modem_key_mgmt_exists(sec_tag, type, &exist);
+	if (exist) {
+		ret = modem_key_mgmt_delete(sec_tag, type);
+		LOG_DBG("Deleted sec_tag %d, type %d", sec_tag, type);
+	}
+	if (ret < 0) {
+		LOG_ERR("Failed to delete credential %d", ret);
+	}
+}
+
 static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 {
 	int ret;
 
 	if (mode == SEC_MODE_PSK) {
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT);
+
 		ret = write_credential_type(sec_obj_inst, sec_tag, SECURITY_CLIENT_PK_ID,
 					    MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
 		if (ret) {
@@ -145,6 +164,9 @@ static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 			goto out;
 		}
 	} else if (mode == SEC_MODE_CERTIFICATE) {
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PSK);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
+
 		/* Don't fail if we already have a given data in the modem and we did not receive
 		 * that as part of bootstrap. It might have been written as part of EST process.
 		 */
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/security.c b/tests/subsys/net/lib/lwm2m_client_utils/src/security.c
@@ -502,11 +502,19 @@ ZTEST(lwm2m_client_utils_security, test_load_credentials_PSK)
 	modem_key_mgmt_write_fake.custom_fake = write_to_modem;
 	modem_key_mgmt_exists_fake.custom_fake = modem_key_mgmt_exists_custom_fake;
 	ctx.bootstrap_mode = false;
+	keys_exist = true;
 
 	rc = ctx.load_credentials(&ctx);
 	zassert_equal(rc, 0, "wrong return value");
-	zassert_equal(modem_key_mgmt_exists_fake.call_count, 5, "Did not check existing (%d)",
+	zassert_equal(modem_key_mgmt_exists_fake.call_count, 8, "Did not check existing (%d)",
 		      modem_key_mgmt_exists_fake.call_count);
+	zassert_equal(modem_key_mgmt_delete_fake.call_count, 3, "Did not remove old keys");
+	zassert_equal(modem_key_mgmt_delete_fake.arg1_history[0], MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
+		      "");
+	zassert_equal(modem_key_mgmt_delete_fake.arg1_history[1],
+		      MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, "");
+	zassert_equal(modem_key_mgmt_delete_fake.arg1_history[2],
+		      MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, "");
 	zassert_equal(modem_key_mgmt_write_fake.call_count, 2, "Did not write PSK");
 	zassert_equal(lte_lc_func_mode_set_fake.call_count, 1, "Did not set mode");
 	zassert_equal(lte_lc_func_mode_set_fake.arg0_val, LTE_LC_FUNC_MODE_OFFLINE,
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c
@@ -56,6 +56,7 @@ DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_exists, nrf_sec_tag_t, enum modem_key
 		       bool *);
 DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_write, nrf_sec_tag_t, enum modem_key_mgmt_cred_type,
 		       const void *, size_t);
+DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_delete, nrf_sec_tag_t, enum modem_key_mgmt_cred_type);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_func_mode_set, enum lte_lc_func_mode);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_connect);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_offline);
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h
@@ -50,6 +50,7 @@ DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_exists, nrf_sec_tag_t, enum modem_ke
 			bool *);
 DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_write, nrf_sec_tag_t, enum modem_key_mgmt_cred_type,
 			const void *, size_t);
+DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_delete, nrf_sec_tag_t, enum modem_key_mgmt_cred_type);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_func_mode_set, enum lte_lc_func_mode);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_connect);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_offline);
@@ -140,6 +141,7 @@ DECLARE_FAKE_VOID_FUNC(boot_write_img_confirmed);
 	FUNC(lwm2m_rd_client_update)                    \
 	FUNC(modem_key_mgmt_exists)                     \
 	FUNC(modem_key_mgmt_write)                      \
+	FUNC(modem_key_mgmt_delete)			\
 	FUNC(modem_info_init)                           \
 	FUNC(modem_info_params_init)                    \
 	FUNC(modem_info_params_get)                     \
