A.3 Device onboarding for org.opcfoundation.ECC-nistP256

The example code below illustrates the use of GTA API to implement the scenario outlined in section 5.2.3.1, Figure 12.

The following assumptions apply:

  • Identifier used for the DCA Personality Set isurn:manufacturer.com:2024-10:myproduct:SN51235
  • Name used for the DCA Identity Personality isurn:manufacturer.com:2024-10:myproduct:SN51235?cg=DefaultApplicationGroup&ct=EccNistP256&ix=1
  • Name used for the DCA TrustList Personality isurn:manufacturer.com:2024-10:myproduct:SN51235?cg=DefaultApplicationGroup

Note that the example can be easily adjusted for any other profile by just switching to another profile (e.g., org.opcfoundation.Aes256-Sha256-RsaPss) and adjusting the identifier and personality names as desired.

  1. gta_errinfo_t errinfo = 0;
  3. char identifier_value[]
  4. = "urn:manufacturer.com:2024-10:myproduct:SN51235";
  5. char personality_name[]
  6. = "urn:manufacturer.com:2024-10:myproduct:SN51235?"
  7. "cg=DefaultApplicationGroup&ct=EccNistP256&ix=1";
  8. char identity_profile[]
  9. = "org.opcfoundation.ECC-nistP256";
  10. char application[] = "DCA Identity";
  11. char trustlist_personality_name[]
  12. = "urn:manufacturer.com:2024-10:myproduct:SN51235?"
  13. "cg=DefaultApplicationGroup";
  14. char trustlist_application[] = "DCA TrustList";
  15. char trustlist_profile[]
  16. = "ch.iec.30168.basic.local_data_integrity_only";
  18. /* Assign identifier */
  19. gta_identifier_assign(
  20. h_inst,
  21. "org.opcfoundation.application_instance_uri",
  22. identifier_value,
  23. &errinfo);
  25. /* Create DCA Identity Personality */
  26. gta_access_policy_handle_t h_auth_use = GTA_HANDLE_INVALID;
  27. h_auth_use = gta_access_policy_simple(
  28. h_inst,
  29. GTA_ACCESS_DESCRIPTOR_TYPE_INITIAL,
  30. &errinfo);
  31. gta_access_policy_handle_t h_auth_use = GTA_HANDLE_INVALID;
  32. h_auth_admin = gta_access_policy_simple(
  33. h_inst,
  34. GTA_ACCESS_DESCRIPTOR_TYPE_INITIAL,
  35. &errinfo);
  37. struct gta_protection_properties_t protection_props = {0};
  39. gta_personality_create(
  40. h_inst,
  41. identifier_value,
  42. personality_name,
  43. application,
  44. identity_profile,
  45. h_auth_use,
  46. h_auth_admin,
  47. protection_props,
  48. &errinfo);
  50. /* Generate CSR */
  51. gta_context_handle_t h_ctx = GTA_HANDLE_INVALID;
  52. h_ctx = gta_context_open(
  53. h_inst,
  54. personality_name,
  55. "com.github.generic-trust-anchor-api.basic.enroll",
  56. &errinfo);
  58. /* Set context attribute org.opcfoundation.csr.subject */
  59. const char subject_der[] = {…};
  60. size_t subject_der_len = …;
  61. myio_ibufstream_t istream_subject = { 0 };
  62. myio_open_ibufstream(
  63. &istream_subject,
  64. subject_der, subject_der_len,
  65. &errinfo);
  66. gta_context_set_attribute(
  67. h_ctx,
  68. "org.opcfoundation.csr.subject",
  69. (gtaio_istream_t*)&istream_subject,
  70. &errinfo);
  71. myio_close_ibufstream(&istream_subject, &errinfo);
  73. /* Set context attribute org.opcfoundation.csr.subjectAltName */
  74. const char subject_alt_name_der[] = {…};
  75. size_t subject_alt_name_der_len = …;
  76. myio_ibufstream_t istream_subject_alt_name = { 0 };
  77. myio_open_ibufstream(
  78. &istream_subject_alt_name,
  79. subject_alt_name_der, subject_alt_name_der_len,
  80. &errinfo);
  81. gta_context_set_attribute(
  82. h_ctx,
  83. "org.opcfoundation.csr.subjectAltName",
  84. (gtaio_istream_t*)&istream_subject_alt_name,
  85. &errinfo);
  86. myio_close_ibufstream(&istream_subject_alt_name, &errinfo);
  88. char csr_buffer[CSR_SIZE];
  89. myio_obufstream_t ostream_csr = { 0 };
  90. myio_open_obufstream(
  91. &ostream_csr,
  92. csr_buffer, sizeof(csr_buffer),
  93. &errinfo);
  94. gta_personality_enroll(
  95. h_ctx,
  96. (gtaio_ostream_t*)&ostream_csr,
  97. &errinfo);
  98. myio_close_obufstream(&ostream_csr, &errinfo);
  100. /* Send CSR and receive certificate */
  101. char cert_buffer[] = {…};
  102. size_t cert_len = …;
  104. /* Store DCA certificate (optional) */
  105. myio_ibufstream_t istream_cert = { 0 };
  106. myio_open_ibufstream(
  107. &istream_cert,
  108. cert_buffer, cert_len,
  109. &errinfo);
  110. gta_personality_add_attribute(
  111. h_ctx,
  112. "ch.iec.30168.trustlist.certificate.self.x509",
  113. "DCA certificate",
  114. (gtaio_istream_t*)&istream_cert,
  115. &errinfo);
  116. myio_close_ibufstream(&istream_cert, &errinfo);
  118. gta_context_close(h_ctx, &errinfo);
  120. /* Receive TrustList */
  121. char trustlist_buffer[] = {…};
  122. size_t trustlist_len = …;
  124. /* Create DCA TrustList Personality */
  125. gta_personality_create(
  126. h_inst,
  127. identifier_value,
  128. trustlist_personality_name,
  129. trustlist_application,
  130. trustlist_profile,
  131. h_auth_use,
  132. h_auth_admin,
  133. protection_props,
  134. &errinfo);
  136. /* Protect DCA TrustList objects */
  137. gta_context_handle_t h_ctx_seal = GTA_HANDLE_INVALID;
  138. h_ctx_seal = gta_context_open(
  139. h_inst,
  140. trustlist_personality_name,
  141. trustlist_profile,
  142. &errinfo);
  144. myio_ibufstream_t istream_trustlist = { 0 };
  145. myio_open_ibufstream(
  146. &istream_trustlist,
  147. trustlist_buffer, trustlist_len,
  148. &errinfo);
  149. #define INTEGRITY_PROTECTION_SEAL_LENGTH 32
  150. char seal_buffer[INTEGRITY_PROTECTION_SEAL_LENGTH];
  151. myio_obufstream_t ostream_seal = { 0 };
  152. myio_open_obufstream(
  153. &ostream_seal,
  154. seal_buffer, sizeof(seal_buffer),
  155. &errinfo);
  156. gta_authenticate_data_detached(
  157. h_ctx_seal,
  158. (gtaio_istream_t*)&istream_trustlist,
  159. (gtaio_ostream_t*)&ostream_seal,
  160. &errinfo);
  161. myio_close_ibufstream(&istream_trustlist, &errinfo);
  162. myio_close_obufstream(&ostream_seal, &errinfo);
  164. gta_context_close(h_ctx_seal, &errinfo);