MCU8MASS-348 MCU8MASS-942 MCU8MASS-976 Add security profile module for checking if provisioning is done

Author: M65649

src/http_client.cpp

@@ -1,5 +1,6 @@
 #include "http_client.h"
 #include "log.h"
+#include "security_profile.h"
 #include "sequans_controller.h"
 
 #include <Arduino.h>
@@ -20,10 +21,7 @@
 // This results in 36 + 127 + 5 + 1 + 1 = 170
 #define HTTP_CONFIGURE_SIZE 170
 
-#define QUERY_SECURITY_PROFILE "AT+SQNSPCFG"
-
-#define SECURITY_PROFILE_PREFIX_LENGTH 11
-#define HTTPS_SECURITY_PROFILE_NUMBER  '3'
+#define HTTPS_SECURITY_PROFILE_NUMBER 3
 
 #define HTTP_SEND    "AT+SQNHTTPSND=0,%u,\"%s\",%lu,\"%s\",\"%s\""
 #define HTTP_RECEIVE "AT+SQNHTTPRCV=0,%lu"
@@ -246,42 +244,9 @@ bool HttpClientClass::configure(const char* host,
                                 const bool enable_tls) {
 
     if (enable_tls) {
-
-        char response[256]    = "";
-        ResponseResult result = SequansController.writeCommand(
-            QUERY_SECURITY_PROFILE,
-            response,
-            sizeof(response));
-
-        if (result != ResponseResult::OK) {
-            Log.error("Failed to query HTTPS security profile");
-            return false;
-        }
-
-        // Split by line feed and carriage return to retrieve each entry
-        char* ptr                   = strtok(response, "\r\n");
-        bool security_profile_found = false;
-
-        while (ptr != NULL) {
-
-            // Skip the prefix of '+SQNSPCFG: '
-            ptr += SECURITY_PROFILE_PREFIX_LENGTH;
-
-            // Now we check if the entry has the third security profile
-            if (*ptr == HTTPS_SECURITY_PROFILE_NUMBER) {
-                security_profile_found = true;
-                break;
-            }
-
-            ptr = strtok(NULL, "\r\n");
-        }
-
-        if (!security_profile_found) {
-            Log.error(
-                "Security profile not set up for HTTPS. Run the "
-                "'https_configure_ca' Arduino sketch example to set this up."
-                "More information here: "
-                "https://iot.microchip.com/docs/arduino/userguide/http");
+        if (!SecurityProfile.profileExists(HTTPS_SECURITY_PROFILE_NUMBER)) {
+            Log.error("Security profile not set up for HTTPS. Run the "
+                      "'provision' Arduino sketch example to set this up.");
 
             return false;
         }

src/mqtt_client.cpp

@@ -1,8 +1,9 @@
+#include "mqtt_client.h"
 #include "ecc608.h"
 #include "led_ctrl.h"
 #include "log.h"
 #include "lte.h"
-#include "mqtt_client.h"
+#include "security_profile.h"
 #include "sequans_controller.h"
 
 #include <cryptoauthlib.h>
@@ -289,6 +290,7 @@ static bool generateSigningCommand(char* data, char* command_buffer) {
     uint8_t message_to_sign[HCESIGN_DIGEST_LENGTH / 2];
     char* position = digest;
 
+    // Convert hex representation in string to numerical hex values
     for (uint8_t i = 0; i < sizeof(message_to_sign); i++) {
         sscanf(position, "%2hhx", &message_to_sign[i]);
         position += 2;
@@ -298,7 +300,7 @@ static bool generateSigningCommand(char* data, char* command_buffer) {
     ATCA_STATUS result = atcab_sign(0, message_to_sign, (uint8_t*)digest);
 
     if (result != ATCA_SUCCESS) {
-        Log.error("ECC signing failed");
+        Log.errorf("ECC signing failed, status code: %x\r\n", result);
         return false;
     }
 
@@ -323,31 +325,30 @@ static bool generateSigningCommand(char* data, char* command_buffer) {
 }
 
 bool MqttClientClass::beginAWS() {
-    // Get the endoint and thing name
-    // -- Initialize the ECC
-    uint8_t err = ECC608.begin();
-    if (err != ATCA_SUCCESS) {
+
+    // Initialize the ECC
+    uint8_t status = ECC608.begin();
+    if (status != ECC608.ERR_OK) {
         Log.error("Could not initialize ECC hardware");
         return false;
     }
 
-    // -- Allocate the buffers
     uint8_t thingName[128];
     uint8_t thingNameLen = sizeof(thingName);
     uint8_t endpoint[128];
     uint8_t endpointLen = sizeof(endpoint);
 
-    // -- Get the thingname
-    err = ECC608.getThingName(thingName, &thingNameLen);
-    if (err != ECC608.ERR_OK) {
+    // Get the thingname
+    status = ECC608.getThingName(thingName, &thingNameLen);
+    if (status != ECC608.ERR_OK) {
         Log.error("Could not retrieve thing name from the ECC");
         return false;
     }
 
-    // -- Get the endpoint
-    err = ECC608.getEndpoint(endpoint, &endpointLen);
+    // Get the endpoint
+    status = ECC608.getEndpoint(endpoint, &endpointLen);
 
-    if (err != ECC608.ERR_OK) {
+    if (status != ECC608.ERR_OK) {
         Log.error("Could not retrieve endpoint from the ECC");
         return false;
     }
@@ -394,6 +395,21 @@ bool MqttClientClass::begin(const char* client_id,
                      username_length + password_length] = "";
 
         if (use_ecc) {
+
+            if (!SecurityProfile.profileExists(
+                    MQTT_TLS_ECC_SECURITY_PROFILE_ID)) {
+                Log.error("Security profile not set up for MQTT TLS with ECC. "
+                          "Run the 'provision' example Arduino sketch to set "
+                          "this up.");
+                return false;
+            }
+
+            uint8_t status = ECC608.begin();
+            if (status != ATCA_SUCCESS) {
+                Log.error("Could not initialize ECC hardware");
+                return false;
+            }
+
             sprintf(command,
                     MQTT_CONFIGURE_TLS,
                     client_id,
@@ -402,6 +418,12 @@ bool MqttClientClass::begin(const char* client_id,
                     MQTT_TLS_ECC_SECURITY_PROFILE_ID);
 
         } else {
+            if (!SecurityProfile.profileExists(MQTT_TLS_SECURITY_PROFILE_ID)) {
+                Log.error("Security profile not set up for MQTT TLS. Run the "
+                          "'provision' example Arduino sketch to set this up.");
+                return false;
+            }
+
             sprintf(command,
                     MQTT_CONFIGURE_TLS,
                     client_id,

src/security_profile.cpp

@@ -0,0 +1,45 @@
+#include "security_profile.h"
+
+#include "sequans_controller.h"
+
+#include "log.h"
+
+#define QUERY_SECURITY_PROFILE "AT+SQNSPCFG"
+
+#define SECURITY_PROFILE_PREFIX_LENGTH 11
+
+SecurityProfileClass SecurityProfile = SecurityProfileClass::instance();
+
+bool SecurityProfileClass::profileExists(const uint8_t id) {
+
+    char response[256]    = "";
+    ResponseResult result = SequansController.writeCommand(
+        QUERY_SECURITY_PROFILE,
+        response,
+        sizeof(response));
+
+    if (result != ResponseResult::OK) {
+        Log.error("Failed to query security profile");
+        return false;
+    }
+
+    // Split by line feed and carriage return to retrieve each entry
+    char* ptr = strtok(response, "\r\n");
+
+    while (ptr != NULL) {
+
+        // Skip the prefix of '+SQNSPCFG: '
+        ptr += SECURITY_PROFILE_PREFIX_LENGTH;
+
+        int security_profile_id;
+        sscanf(ptr, "%d", &security_profile_id);
+
+        if (security_profile_id == id) {
+            return true;
+        }
+
+        ptr = strtok(NULL, "\r\n");
+    }
+
+    return false;
+}

src/security_profile.h

@@ -0,0 +1,32 @@
+#ifndef SECURITY_PROFILE
+#define SECURITY_PROFILE
+
+#include <stdint.h>
+
+class SecurityProfileClass {
+
+  private:
+    SecurityProfileClass(){};
+
+  public:
+    /**
+     * @brief Singleton instance.
+     */
+    static SecurityProfileClass& instance(void) {
+        static SecurityProfileClass instance;
+        return instance;
+    }
+
+    /**
+     * @brief Probes the modem for whether a certain security profile exists.
+     *
+     * @param id The security profile identifier.
+     *
+     * @return true if it exists.
+     */
+    bool profileExists(const uint8_t id);
+};
+
+extern SecurityProfileClass SecurityProfile;
+
+#endif