BLE Secure#

This module includes functions that control BLE Secure (TLS over BLE) communication.

This module includes functions that implement TCAT communication.

The functions in this module are available when BLE Secure API feature (OPENTHREAD_CONFIG_BLE_TCAT_ENABLE) is enabled.

The functions in this module are available when TCAT feature (OPENTHREAD_CONFIG_BLE_TCAT_ENABLE) is enabled.

Modules#

otTcatVendorInfo

Enumerations#

enum
otTcatStatusCode {
OT_TCAT_STATUS_SUCCESS = 0
OT_TCAT_STATUS_UNSUPPORTED = 1
OT_TCAT_STATUS_PARSE_ERROR = 2
OT_TCAT_STATUS_VALUE_ERROR = 3
OT_TCAT_STATUS_GENERAL_ERROR = 4
OT_TCAT_STATUS_BUSY = 5
OT_TCAT_STATUS_UNDEFINED = 6
OT_TCAT_STATUS_HASH_ERROR = 7
OT_TCAT_STATUS_UNAUTHORIZED = 16
}

Represents TCAT status code.

enum
otTcatApplicationProtocol {
OT_TCAT_APPLICATION_PROTOCOL_NONE = 0
OT_TCAT_APPLICATION_PROTOCOL_STATUS = 1
OT_TCAT_APPLICATION_PROTOCOL_TCP = 2
}

Represents TCAT application protocol.

enum
otTcatCommandClass {
OT_TCAT_COMMAND_CLASS_GENERAL = 0
OT_TCAT_COMMAND_CLASS_COMMISSIONING = 1
OT_TCAT_COMMAND_CLASS_EXTRACTION = 2
OT_TCAT_COMMAND_CLASS_DECOMMISSIONING = 3
OT_TCAT_COMMAND_CLASS_APPLICATION = 4
}

Represents a TCAT command class.

Typedefs#

typedef void(*
otHandleBleSecureConnect)(otInstance *aInstance, bool aConnected, bool aBleConnectionOpen, void *aContext)

Pointer to call when ble secure connection state changes.

typedef otHandleTcatApplicationDataReceive
otHandleBleSecureReceive

Pointer to call when data was received over a BLE Secure TLS connection.

typedef enum otTcatStatusCode
otTcatStatusCode

Represents TCAT status code.

typedef enum otTcatApplicationProtocol
otTcatApplicationProtocol

Represents TCAT application protocol.

typedef enum otTcatCommandClass
otTcatCommandClass

Represents a TCAT command class.

typedef struct otTcatVendorInfo
otTcatVendorInfo

This structure represents a TCAT vendor information.

typedef void(*
otHandleTcatApplicationDataReceive)(otInstance *aInstance, const otMessage *aMessage, int32_t aOffset, otTcatApplicationProtocol aTcatApplicationProtocol, const char *aServiceName, void *aContext)

Pointer to call when application data was received over a TCAT TLS connection.

typedef void(*
otHandleTcatJoin)(otError aError, void *aContext)

Pointer to call to notify the completion of a join operation.

Functions#

otError
otBleSecureStart(otInstance *aInstance, otHandleBleSecureConnect aConnectHandler, otHandleBleSecureReceive aReceiveHandler, bool aTlvMode, void *aContext)

Starts the BLE Secure service.

otError
otBleSecureTcatStart(otInstance *aInstance, const otTcatVendorInfo *aVendorInfo, otHandleTcatJoin aHandler)

Enables the TCAT protocol over BLE Secure.

void
otBleSecureStop(otInstance *aInstance)

Stops the BLE Secure server.

void
otBleSecureSetPsk(otInstance *aInstance, const uint8_t *aPsk, uint16_t aPskLength, const uint8_t *aPskIdentity, uint16_t aPskIdLength)

Sets the Pre-Shared Key (PSK) and cipher suite TLS_PSK_WITH_AES_128_CCM_8.

otError
otBleSecureGetPeerCertificateBase64(otInstance *aInstance, unsigned char *aPeerCert, size_t *aCertLength)

Returns the peer x509 certificate base64 encoded.

otError
otBleSecureGetPeerSubjectAttributeByOid(otInstance *aInstance, const char *aOid, size_t aOidLength, uint8_t *aAttributeBuffer, size_t *aAttributeLength, int *aAsn1Type)

Returns an attribute value identified by its OID from the subject of the peer x509 certificate.

otError
otBleSecureGetThreadAttributeFromPeerCertificate(otInstance *aInstance, int aThreadOidDescriptor, uint8_t *aAttributeBuffer, size_t *aAttributeLength)

Returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of the peer x509 certificate, where the last digit x is set to aThreadOidDescriptor.

otError
otBleSecureGetThreadAttributeFromOwnCertificate(otInstance *aInstance, int aThreadOidDescriptor, uint8_t *aAttributeBuffer, size_t *aAttributeLength)

Returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of the own x509 certificate, where the last digit x is set to aThreadOidDescriptor.

void
otBleSecureSetSslAuthMode(otInstance *aInstance, bool aVerifyPeerCertificate)

Sets the authentication mode for the BLE secure connection.

void
otBleSecureSetCertificate(otInstance *aInstance, const uint8_t *aX509Cert, uint32_t aX509Length, const uint8_t *aPrivateKey, uint32_t aPrivateKeyLength)

Sets the local device's X509 certificate with corresponding private key for TLS session with TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8.

void
otBleSecureSetCaCertificateChain(otInstance *aInstance, const uint8_t *aX509CaCertificateChain, uint32_t aX509CaCertChainLength)

Sets the trusted top level CAs.

otError
otBleSecureConnect(otInstance *aInstance)

Initializes TLS session with a peer using an already open BLE connection.

void
otBleSecureDisconnect(otInstance *aInstance)

Stops the BLE and TLS connection.

bool
otBleSecureIsConnectionActive(otInstance *aInstance)

Indicates whether or not the TLS session is active (connected or conneting).

bool
otBleSecureIsConnected(otInstance *aInstance)

Indicates whether or not the TLS session is connected.

bool
otBleSecureIsTcatEnabled(otInstance *aInstance)

Indicates whether or not the TCAT agent is enabled.

bool
otBleSecureIsCommandClassAuthorized(otInstance *aInstance, otTcatCommandClass aCommandClass)

Indicates whether or not a TCAT command class is authorized.

otError
otBleSecureSendMessage(otInstance *aInstance, otMessage *aMessage)

Sends a secure BLE message.

otError
otBleSecureSend(otInstance *aInstance, uint8_t *aBuf, uint16_t aLength)

Sends a secure BLE data packet.

otError
otBleSecureSendApplicationTlv(otInstance *aInstance, uint8_t *aBuf, uint16_t aLength)

Sends a secure BLE data packet containing a TCAT Send Application Data TLV.

otError
otBleSecureFlush(otInstance *aInstance)

Flushes the send buffer.

Macros#

#define
OT_TCAT_MAX_SERVICE_NAME_LENGTH 15

Maximum string length of a UDP or TCP service name (does not include null char).

Enumeration Documentation#

otTcatStatusCode#

otTcatStatusCode

Represents TCAT status code.

Enumerator
OT_TCAT_STATUS_SUCCESS

Command or request was successfully processed.

OT_TCAT_STATUS_UNSUPPORTED

Requested command or received TLV is not supported.

OT_TCAT_STATUS_PARSE_ERROR

Request / command could not be parsed correctly.

OT_TCAT_STATUS_VALUE_ERROR

The value of the transmitted TLV has an error.

OT_TCAT_STATUS_GENERAL_ERROR

An error not matching any other category occurred.

OT_TCAT_STATUS_BUSY

Command cannot be executed because the resource is busy.

OT_TCAT_STATUS_UNDEFINED

The requested value, data or service is not defined (currently) or not present.

OT_TCAT_STATUS_HASH_ERROR

The hash value presented by the commissioner was incorrect.

OT_TCAT_STATUS_UNAUTHORIZED

Sender does not have sufficient authorization for the given command.


Definition at line 74 of file include/openthread/tcat.h

otTcatApplicationProtocol#

otTcatApplicationProtocol

Represents TCAT application protocol.

Enumerator
OT_TCAT_APPLICATION_PROTOCOL_NONE

Message which has been sent without activating the TCAT agent.

OT_TCAT_APPLICATION_PROTOCOL_STATUS

Message directed to a UDP service.

OT_TCAT_APPLICATION_PROTOCOL_TCP

Message directed to a TCP service.


Definition at line 92 of file include/openthread/tcat.h

otTcatCommandClass#

otTcatCommandClass

Represents a TCAT command class.

Enumerator
OT_TCAT_COMMAND_CLASS_GENERAL

TCAT commands related to general operations.

OT_TCAT_COMMAND_CLASS_COMMISSIONING

TCAT commands related to commissioning.

OT_TCAT_COMMAND_CLASS_EXTRACTION

TCAT commands related to key extraction.

OT_TCAT_COMMAND_CLASS_DECOMMISSIONING

TCAT commands related to de-commissioning.

OT_TCAT_COMMAND_CLASS_APPLICATION

TCAT commands related to application layer.


Definition at line 104 of file include/openthread/tcat.h

Typedef Documentation#

otHandleBleSecureConnect#

typedef void(* otHandleBleSecureConnect) (otInstance *aInstance, bool aConnected, bool aBleConnectionOpen, void *aContext) )(otInstance *aInstance, bool aConnected, bool aBleConnectionOpen, void *aContext)

Pointer to call when ble secure connection state changes.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aConnected

TRUE, if a secure connection was established, FALSE otherwise.

[in]aBleConnectionOpen

TRUE if a BLE connection was established to carry a TLS data stream, FALSE otherwise.

[in]aContext

A pointer to arbitrary context information.


Definition at line 78 of file include/openthread/ble_secure.h

otHandleBleSecureReceive#

typedef otHandleTcatApplicationDataReceive otHandleBleSecureReceive

Pointer to call when data was received over a BLE Secure TLS connection.


Definition at line 87 of file include/openthread/ble_secure.h

otTcatStatusCode#

typedef enum otTcatStatusCode otTcatStatusCode

Represents TCAT status code.


Definition at line 86 of file include/openthread/tcat.h

otTcatApplicationProtocol#

typedef enum otTcatApplicationProtocol otTcatApplicationProtocol

Represents TCAT application protocol.


Definition at line 98 of file include/openthread/tcat.h

otTcatCommandClass#

typedef enum otTcatCommandClass otTcatCommandClass

Represents a TCAT command class.


Definition at line 112 of file include/openthread/tcat.h

otTcatVendorInfo#

typedef struct otTcatVendorInfo otTcatVendorInfo

This structure represents a TCAT vendor information.

The content of this structure MUST persist and remain unchanged while a TCAT session is running.


Definition at line 131 of file include/openthread/tcat.h

otHandleTcatApplicationDataReceive#

typedef void(* otHandleTcatApplicationDataReceive) (otInstance *aInstance, const otMessage *aMessage, int32_t aOffset, otTcatApplicationProtocol aTcatApplicationProtocol, const char *aServiceName, void *aContext) )(otInstance *aInstance, const otMessage *aMessage, int32_t aOffset, otTcatApplicationProtocol aTcatApplicationProtocol, const char *aServiceName, void *aContext)

Pointer to call when application data was received over a TCAT TLS connection.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aMessage

A pointer to the message.

[in]aOffset

The offset where the application data begins.

[in]aTcatApplicationProtocol

The protocol type of the message received.

[in]aServiceName

The name of the service the message is direced to.

[in]aContext

A pointer to arbitrary context information.


Definition at line 144 of file include/openthread/tcat.h

otHandleTcatJoin#

typedef void(* otHandleTcatJoin) (otError aError, void *aContext) )(otError aError, void *aContext)

Pointer to call to notify the completion of a join operation.

Parameters
[in]aError

OT_ERROR_NONE if the join process succeeded. OT_ERROR_SECURITY if the join process failed due to security credentials.

[in]aContext

A pointer to arbitrary context information.


Definition at line 159 of file include/openthread/tcat.h

Function Documentation#

otBleSecureStart#

otError otBleSecureStart (otInstance * aInstance, otHandleBleSecureConnect aConnectHandler, otHandleBleSecureReceive aReceiveHandler, bool aTlvMode, void * aContext)

Starts the BLE Secure service.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aConnectHandler

A pointer to a function that will be called when the connection state changes.

[in]aReceiveHandler

A pointer to a function that will be called once data has been received over the TLS connection.

[in]aTlvMode

A boolean value indicating if line mode shall be activated.

[in]aContext

A pointer to arbitrary context information. May be NULL if not used.

When TLV mode is active, the function aReceiveHandler will be called once a complete TLV was received and the message offset points to the TLV value.


Definition at line 106 of file include/openthread/ble_secure.h

otBleSecureTcatStart#

otError otBleSecureTcatStart (otInstance * aInstance, const otTcatVendorInfo * aVendorInfo, otHandleTcatJoin aHandler)

Enables the TCAT protocol over BLE Secure.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aVendorInfo

A pointer to the Vendor Information (must remain valid after the method call, may be NULL).

[in]aHandler

A pointer to a function that is called when the join operation completes.


Definition at line 125 of file include/openthread/ble_secure.h

otBleSecureStop#

void otBleSecureStop (otInstance * aInstance)

Stops the BLE Secure server.

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 133 of file include/openthread/ble_secure.h

otBleSecureSetPsk#

void otBleSecureSetPsk (otInstance * aInstance, const uint8_t * aPsk, uint16_t aPskLength, const uint8_t * aPskIdentity, uint16_t aPskIdLength)

Sets the Pre-Shared Key (PSK) and cipher suite TLS_PSK_WITH_AES_128_CCM_8.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aPsk

A pointer to the PSK.

[in]aPskLength

The PSK length.

[in]aPskIdentity

The Identity Name for the PSK.

[in]aPskIdLength

The PSK Identity Length.

Note

  • Requires the build-time feature MBEDTLS_KEY_EXCHANGE_PSK_ENABLED to be enabled.


Definition at line 148 of file include/openthread/ble_secure.h

otBleSecureGetPeerCertificateBase64#

otError otBleSecureGetPeerCertificateBase64 (otInstance * aInstance, unsigned char * aPeerCert, size_t * aCertLength)

Returns the peer x509 certificate base64 encoded.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[out]aPeerCert

A pointer to the base64 encoded certificate buffer.

[inout]aCertLength

On input, the size the max size of aPeerCert. On output, the length of the base64 encoded peer certificate.

Note

  • Requires the build-time features MBEDTLS_BASE64_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to be enabled.


Definition at line 171 of file include/openthread/ble_secure.h

otBleSecureGetPeerSubjectAttributeByOid#

otError otBleSecureGetPeerSubjectAttributeByOid (otInstance * aInstance, const char * aOid, size_t aOidLength, uint8_t * aAttributeBuffer, size_t * aAttributeLength, int * aAsn1Type)

Returns an attribute value identified by its OID from the subject of the peer x509 certificate.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aOid

A pointer to the OID to be found.

[in]aOidLength

The length of the OID.

[out]aAttributeBuffer

A pointer to the attribute buffer.

[inout]aAttributeLength

On input, the size the max size of aAttributeBuffer. On output, the length of the attribute written to the buffer.

[out]aAsn1Type

A pointer to the ASN.1 type of the attribute written to the buffer.

The peer OID is provided in binary format. The attribute length is set if the attribute was successfully read or zero if unsuccessful. The ASN.1 type as is set as defineded in the ITU-T X.690 standard if the attribute was successfully read.

Note

  • Requires the build-time feature MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to be enabled.


Definition at line 197 of file include/openthread/ble_secure.h

otBleSecureGetThreadAttributeFromPeerCertificate#

otError otBleSecureGetThreadAttributeFromPeerCertificate (otInstance * aInstance, int aThreadOidDescriptor, uint8_t * aAttributeBuffer, size_t * aAttributeLength)

Returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of the peer x509 certificate, where the last digit x is set to aThreadOidDescriptor.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aThreadOidDescriptor

The last digit of the Thread attribute OID.

[out]aAttributeBuffer

A pointer to the attribute buffer.

[inout]aAttributeLength

On input, the size the max size of aAttributeBuffer. On output, the length of the attribute written to the buffer.

The attribute length is set if the attribute was successfully read or zero if unsuccessful. Requires a connection to be active.

Note

  • Requires the build-time feature MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to be enabled.


Definition at line 228 of file include/openthread/ble_secure.h

otBleSecureGetThreadAttributeFromOwnCertificate#

otError otBleSecureGetThreadAttributeFromOwnCertificate (otInstance * aInstance, int aThreadOidDescriptor, uint8_t * aAttributeBuffer, size_t * aAttributeLength)

Returns an attribute value for the OID 1.3.6.1.4.1.44970.x from the v3 extensions of the own x509 certificate, where the last digit x is set to aThreadOidDescriptor.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aThreadOidDescriptor

The last digit of the Thread attribute OID.

[out]aAttributeBuffer

A pointer to the attribute buffer.

[inout]aAttributeLength

On input, the size the max size of aAttributeBuffer. On output, the length of the attribute written to the buffer.

The attribute length is set if the attribute was successfully read or zero if unsuccessful. Requires a connection to be active.


Definition at line 254 of file include/openthread/ble_secure.h

otBleSecureSetSslAuthMode#

void otBleSecureSetSslAuthMode (otInstance * aInstance, bool aVerifyPeerCertificate)

Sets the authentication mode for the BLE secure connection.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aVerifyPeerCertificate

true, to verify the peer certificate.

Disable or enable the verification of peer certificate. Must be called before start.


Definition at line 269 of file include/openthread/ble_secure.h

otBleSecureSetCertificate#

void otBleSecureSetCertificate (otInstance * aInstance, const uint8_t * aX509Cert, uint32_t aX509Length, const uint8_t * aPrivateKey, uint32_t aPrivateKeyLength)

Sets the local device's X509 certificate with corresponding private key for TLS session with TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aX509Cert

A pointer to the PEM formatted X509 certificate.

[in]aX509Length

The length of certificate.

[in]aPrivateKey

A pointer to the PEM formatted private key.

[in]aPrivateKeyLength

The length of the private key.

Note

  • Requires MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=1.


Definition at line 284 of file include/openthread/ble_secure.h

otBleSecureSetCaCertificateChain#

void otBleSecureSetCaCertificateChain (otInstance * aInstance, const uint8_t * aX509CaCertificateChain, uint32_t aX509CaCertChainLength)

Sets the trusted top level CAs.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aX509CaCertificateChain

A pointer to the PEM formatted X509 CA chain.

[in]aX509CaCertChainLength

The length of chain.

It is needed for validating the certificate of the peer.

TLS mode "ECDHE ECDSA with AES 128 CCM 8" for secure BLE.

Note

  • Requires MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=1.


Definition at line 303 of file include/openthread/ble_secure.h

otBleSecureConnect#

otError otBleSecureConnect (otInstance * aInstance)

Initializes TLS session with a peer using an already open BLE connection.

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 315 of file include/openthread/ble_secure.h

otBleSecureDisconnect#

void otBleSecureDisconnect (otInstance * aInstance)

Stops the BLE and TLS connection.

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 323 of file include/openthread/ble_secure.h

otBleSecureIsConnectionActive#

bool otBleSecureIsConnectionActive (otInstance * aInstance)

Indicates whether or not the TLS session is active (connected or conneting).

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 334 of file include/openthread/ble_secure.h

otBleSecureIsConnected#

bool otBleSecureIsConnected (otInstance * aInstance)

Indicates whether or not the TLS session is connected.

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 345 of file include/openthread/ble_secure.h

otBleSecureIsTcatEnabled#

bool otBleSecureIsTcatEnabled (otInstance * aInstance)

Indicates whether or not the TCAT agent is enabled.

Parameters
N/AaInstance

Definition at line 354 of file include/openthread/ble_secure.h

otBleSecureIsCommandClassAuthorized#

bool otBleSecureIsCommandClassAuthorized (otInstance * aInstance, otTcatCommandClass aCommandClass)

Indicates whether or not a TCAT command class is authorized.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aCommandClass

A command class to check.


Definition at line 366 of file include/openthread/ble_secure.h

otBleSecureSendMessage#

otError otBleSecureSendMessage (otInstance * aInstance, otMessage * aMessage)

Sends a secure BLE message.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aMessage

A pointer to the message to send.

If the return value is OT_ERROR_NONE, OpenThread takes ownership of aMessage, and the caller should no longer reference aMessage. If the return value is not OT_ERROR_NONE, the caller retains ownership of aMessage, including freeing aMessage if the message buffer is no longer needed.


Definition at line 383 of file include/openthread/ble_secure.h

otBleSecureSend#

otError otBleSecureSend (otInstance * aInstance, uint8_t * aBuf, uint16_t aLength)

Sends a secure BLE data packet.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aBuf

A pointer to the data to send as the Value of the TCAT Send Application Data TLV.

[in]aLength

A number indicating the length of the data buffer.


Definition at line 397 of file include/openthread/ble_secure.h

otBleSecureSendApplicationTlv#

otError otBleSecureSendApplicationTlv (otInstance * aInstance, uint8_t * aBuf, uint16_t aLength)

Sends a secure BLE data packet containing a TCAT Send Application Data TLV.

Parameters
[in]aInstance

A pointer to an OpenThread instance.

[in]aBuf

A pointer to the data to send as the Value of the TCAT Send Application Data TLV.

[in]aLength

A number indicating the length of the data buffer.


Definition at line 411 of file include/openthread/ble_secure.h

otBleSecureFlush#

otError otBleSecureFlush (otInstance * aInstance)

Flushes the send buffer.

Parameters
[in]aInstance

A pointer to an OpenThread instance.


Definition at line 423 of file include/openthread/ble_secure.h

Macro Definition Documentation#

OT_TCAT_MAX_SERVICE_NAME_LENGTH#

#define OT_TCAT_MAX_SERVICE_NAME_LENGTH
Value:
    15

Maximum string length of a UDP or TCP service name (does not include null char).


Definition at line 67 of file include/openthread/tcat.h