From b16c9702f1f9f6bb7ae9f3da736669dee52b4b4d Mon Sep 17 00:00:00 2001
From: Seppo Takalo
Date: Thu, 14 Nov 2024 14:09:06 +0200
Subject: [PATCH] net: lwm2m_client_utils: Clear sec_tag content when overwriting

When writing new content to security tag, clear existing information first, that might cause problems. For example, when writing PSK, delete all certificates. When writing certificates, delete all PSK data.

Signed-off-by: Seppo Takalo
---
 .../lwm2m_client_utils/lwm2m/lwm2m_security.c | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
index c90ba1ac07d6..4246c2b041f2 100644
--- a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
+++ b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
@@ -128,11 +128,30 @@ static int write_credential_type(int sec_obj_inst, int sec_tag, int res_id,
 	return 0;
 }
 
+static void delete_credential_if_exist(int sec_tag, enum modem_key_mgmt_cred_type type)
+{
+	bool exist = false;
+	int ret;
+
+	ret = modem_key_mgmt_exists(sec_tag, type, &exist);
+	if (exist) {
+		ret = modem_key_mgmt_delete(sec_tag, type);
+		LOG_DBG("Deleted sec_tag %d, type %d", sec_tag, type);
+	}
+	if (ret < 0) {
+		LOG_ERR("Failed to delete credential %d", ret);
+	}
+}
+
 static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 {
 	int ret;
 
 	if (mode == SEC_MODE_PSK) {
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT);
+
 		ret = write_credential_type(sec_obj_inst, sec_tag, SECURITY_CLIENT_PK_ID,
 					    MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
 		if (ret) {
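Review bot: In `delete_credential_if_exist` the `LOG_DBG("Deleted sec_tag %d, type %d", ...)` line is emitted before the result of `modem_key_mgmt_delete` is known, and because `ret` is only examined after the `if (exist)` block, an error from `modem_key_mgmt_exists` is reported as "Failed to delete credential"; the function then returns nothing, so `write_sec_obj_to_sec_tag` goes on to write the PSK (and, in the next hunk, the certificates) onto a sec_tag that may still hold exactly the stale material this commit sets out to clear. Checking each call where it happens and returning the error lets the caller decide — the surrounding `write_credential_type` calls already use `if (ret) { ... goto out; }`, so `ret = delete_credential_if_exist(...)` could be handled the same way, though whether a failed delete should abort the write is a policy call for the maintainers. The rewrite below keeps the name and arguments and only changes the return type to `int`. The body of `write_sec_obj_to_sec_tag` continues past this hunk.
```c
static int delete_credential_if_exist(int sec_tag, enum modem_key_mgmt_cred_type type)
{
	bool exist = false;
	int ret;

	ret = modem_key_mgmt_exists(sec_tag, type, &exist);
	if (ret < 0) {
		LOG_ERR("Failed to query sec_tag %d, type %d: %d", sec_tag, type, ret);
		return ret;
	}
	if (!exist) {
		return 0;
	}

	ret = modem_key_mgmt_delete(sec_tag, type);
	if (ret < 0) {
		LOG_ERR("Failed to delete sec_tag %d, type %d: %d", sec_tag, type, ret);
		return ret;
	}
	LOG_DBG("Deleted sec_tag %d, type %d", sec_tag, type);
	return 0;
}
```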
@@ -145,6 +164,9 @@ static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 			goto out;
 		}
 	} else if (mode == SEC_MODE_CERTIFICATE) {
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PSK);
+		delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
+
 		/* Don't fail if we already have a given data in the modem and we did not receive
 		 * that as part of bootstrap. It might have been written as part of EST process.
 		 */
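Review bot: The stored PSK and identity are removed before any certificate write in the `SEC_MODE_CERTIFICATE` branch has succeeded, so a failure in the writes that follow now leaves the sec_tag with neither the old credential nor the new one, whereas before this commit the previous PSK survived a failed write; the PSK branch in the first hunk has the same shape with the certificate types. If that is acceptable because a failed bootstrap is expected to be retried by the server, a comment next to the two delete calls would record the trade-off, e.g. `/* Stale PSK data is cleared first; if the certificate writes below fail the tag stays empty until the next bootstrap. */`. Otherwise the deletes could be deferred until the new credentials have been written, since the two credential families occupy distinct types on the same tag. The enclosing function starts and ends outside this hunk.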