net: lib: nrf_cloud: check relative size of root CA

Add two new Kconfig symbols to define thresholds for
approximate size of the CoAP root CA and the size of
combined CoAP + AWS root CAs.

Retrieve size of configured sec_tag's root CA.

Compare the size to the thresholds, display which
root CA(s) are likely present, and use this to judge
whether a cloud connection will likely succeed. If
connection seems possible, proceed with connection as
before.

Jira: IRIS-9151

Signed-off-by: Pete Skeggs <[email protected]>

Author: plskeggs

include/net/nrf_cloud.h

@@ -582,9 +582,12 @@ struct nrf_cloud_gnss_pvt {
 struct nrf_cloud_credentials_status {
 	/* Configured sec_tag for nRF Cloud */
 	uint32_t sec_tag;
+	size_t ca_size;
 
 	/* Flags to indicate if the specified credentials exist */
 	uint8_t ca:1;
+	uint8_t ca_coap:1;
+	uint8_t ca_aws:1;
 	uint8_t client_cert:1;
 	uint8_t prv_key:1;
 };
@@ -1179,11 +1182,14 @@ int nrf_cloud_credentials_check(struct nrf_cloud_credentials_status *const cs);
 /**
  * @brief Check if the credentials required for connecting to nRF Cloud exist.
  *        The application's configuration is used to determine which credentials
- *        are required.
+ *        are required. Check the size of the root CA certificates installed
+ *        and return an error code if the size of the root CA certificate(s) is not
+ *        appropriate for the configured transport type.
  *
  * @retval 0 Required credentials exist.
  * @retval -EIO Error checking if credentials exists.
  * @retval -ENOTSUP Required credentials do not exist.
+ * @retval -ENOPROTOOPT Size of root CA is not appropriate for the configured transport type.
  * @return A negative value indicates an error.
  */
 int nrf_cloud_credentials_configured_check(void);

subsys/net/lib/nrf_cloud/Kconfig

@@ -107,6 +107,23 @@ config NRF_CLOUD_JWT_SOURCE_CUSTOM
 	help
 	  JWTs are created and signed by the nRF Cloud library, not the modem.
 	  The signing key is obtained from the TLS credentials module.
+
+config NRF_CLOUD_AWS_CA_CERT_SIZE_THRESHOLD
+	int "Root CA size above which AWS cert is likely present"
+	default 1150
+	help
+	  This value is necessarily inexact as the underlying PEM data varies
+	  a bit in size when credentials are rotated or replaced. This is useful
+	  to determine if a sectag likely contains only an AWS root CA
+	  certificate.
+
+config NRF_CLOUD_COAP_CA_CERT_SIZE_THRESHOLD
+	int "Root CA size above which a CoAP cert is likely present"
+	default 550
+	help
+	  This necessarily inexact value is useful to determine if a sectag
+	  likely contains only a CoAP root CA certificate.
+
 endmenu # "Credentials"
 
 rsource "Kconfig.nrf_cloud_client_id"

subsys/net/lib/nrf_cloud/src/nrf_cloud_credentials.c

@@ -147,6 +147,30 @@ int nrf_cloud_credentials_configured_check(void)
 		}
 	}
 
+	if (IS_ENABLED(CONFIG_NRF_CLOUD_MQTT) || IS_ENABLED(CONFIG_NRF_CLOUD_REST)) {
+		if (!cs.ca_aws && cs.ca_coap) {
+			/* There is a CA, but not large enough to be correct */
+			LOG_WRN("Connection using MQTT or REST may fail as the size of the CA "
+				"cert indicates it is a CoAP root CA.");
+			ret = -ENOPROTOOPT;
+		}
+	}
+
+	if (IS_ENABLED(CONFIG_NRF_CLOUD_COAP)) {
+		if (!cs.ca_coap && cs.ca_aws) {
+			LOG_WRN("Connection using CoAP "
+				"may fail as the size of the CA cert indicates "
+				"CoAP CA certificate is missing but AWS CA is present.");
+			ret = -ENOPROTOOPT;
+		} else if (!IS_ENABLED(CONFIG_NRF_CLOUD_COAP_DOWNLOADS)) {
+			if (cs.ca && (!cs.ca_coap || !cs.ca_aws)) {
+				LOG_WRN("Connection using CoAP and downloading using HTTP "
+					"may fail as the size of the CA cert indicates both "
+					"CoAP and AWS root CA certs are not present.");
+				ret = -ENOPROTOOPT;
+			}
+		}
+	}
 	return ret;
 }
 
@@ -177,6 +201,34 @@ static int cred_exists(uint32_t sec_tag, int type, bool *exists)
 	return err;
 }
 
+static int cred_size_get(uint32_t sec_tag, int type, size_t *cred_sz)
+{
+	int err;
+
+	*cred_sz = 0; /* We just want to determine the size */
+
+#if defined(CONFIG_NRF_CLOUD_CREDENTIALS_MGMT_MODEM)
+	uint8_t buf[1];
+
+	err = modem_key_mgmt_read(sec_tag, (enum modem_key_mgmt_cred_type)cred_type[type],
+				  buf, cred_sz);
+	if (err && (err != -ENOMEM)) {
+		LOG_ERR("modem_key_mgmt_read() failed for type %d in sec tag %u, error: %d",
+			(enum modem_key_mgmt_cred_type)cred_type[type], sec_tag, err);
+	} else {
+		err = 0;
+	}
+#else
+	err = tls_credential_get(sec_tag, (enum tls_credential_type)cred_type[type],
+				 NULL, cred_sz);
+	if (err == -EFBIG) { /* Error expected since we only want the size */
+		err = 0;
+	}
+#endif
+
+	return err;
+}
+
 int nrf_cloud_credentials_check(struct nrf_cloud_credentials_status *const cs)
 {
 	if (!cs) {
@@ -192,27 +244,56 @@ int nrf_cloud_credentials_check(struct nrf_cloud_credentials_status *const cs)
 
 	ret = cred_exists(cs->sec_tag, CA_CERT, &exists);
 	if (ret < 0) {
+		LOG_ERR("Error checking CA exists");
 		return -EIO;
 	}
 	cs->ca = exists;
+	if (exists) {
+		ret = cred_size_get(cs->sec_tag, CA_CERT, &cs->ca_size);
+		if (ret < 0) {
+			LOG_ERR("Error checking CA size");
+			return -EIO;
+		}
+		/* These flags are approximate and only useful for logging to help diagnose
+		 * possible provisioning mistakes.
+		 */
+		size_t coap_min_sz = CONFIG_NRF_CLOUD_COAP_CA_CERT_SIZE_THRESHOLD;
+		size_t aws_min_sz = CONFIG_NRF_CLOUD_AWS_CA_CERT_SIZE_THRESHOLD;
+		size_t combined_min_sz = aws_min_sz + coap_min_sz;
+
+		if (cs->ca_size > combined_min_sz) {
+			cs->ca_aws = true;
+			cs->ca_coap = true;
+		} else if (cs->ca_size > aws_min_sz) {
+			cs->ca_aws = true;
+		} else if (cs->ca_size > coap_min_sz) {
+			cs->ca_coap = true;
+		}
+	}
 
 	ret = cred_exists(cs->sec_tag, CLIENT_CERT, &exists);
 	if (ret < 0) {
+		LOG_ERR("Error checking client cert exists");
 		return -EIO;
 	}
 	cs->client_cert = exists;
 
 	ret = cred_exists(cs->sec_tag, PRIVATE_KEY, &exists);
 	if (ret < 0) {
+		LOG_ERR("Error checking private key exists");
 		return -EIO;
 	}
 	cs->prv_key = exists;
 
-	LOG_DBG("Sec Tag: %u, CA: %s, Client Cert: %s, Private Key: %s",
+	LOG_INF("Sec Tag: %u; CA: %s, Client Cert: %s, Private Key: %s",
 		cs->sec_tag,
 		cs->ca		? "Yes" : "No",
 		cs->client_cert	? "Yes" : "No",
 		cs->prv_key	? "Yes" : "No");
+	LOG_INF("CA Size: %zd, AWS: %s, CoAP: %s",
+		cs->ca_size,
+		cs->ca_aws ? "Likely" : "Unlikely",
+		cs->ca_coap ? "Likely" : "Unlikely");
 
 	return 0;
 }

subsys/net/lib/nrf_cloud/src/nrf_cloud_info.c

@@ -106,6 +106,7 @@ int nrf_cloud_print_details(void)
 #if defined(CONFIG_NRF_CLOUD_VERBOSE_DETAILS)
 	const char *protocol = "Unknown";
 	const char *host_name = "Unknown";
+	const char *download_protocol;
 	char buf[100];
 
 	err = nrf_cloud_get_imei(buf, sizeof(buf));
@@ -137,9 +138,15 @@ int nrf_cloud_print_details(void)
 	protocol = "REST";
 	host_name = CONFIG_NRF_CLOUD_REST_HOST_NAME;
 #endif
-	LOG_INF("Protocol:  %s", protocol);
-	LOG_INF("Sec tag:   %d", nrf_cloud_sec_tag_get());
-	LOG_INF("Host name: %s", host_name);
+#if defined(CONFIG_NRF_CLOUD_COAP_DOWNLOADS)
+	download_protocol = "CoAP";
+#else
+	download_protocol = "HTTPS";
+#endif
+	LOG_INF("Protocol:          %s", protocol);
+	LOG_INF("Download protocol: %s", download_protocol);
+	LOG_INF("Sec tag:           %d", nrf_cloud_sec_tag_get());
+	LOG_INF("Host name:         %s", host_name);
 
 #endif /* CONFIG_NRF_CLOUD_VERBOSE_DETAILS */