From 39c0d4b9c1435a7f5377fe866112e2ecb99d6607 Mon Sep 17 00:00:00 2001
From: Seppo Takalo
Date: Thu, 14 Nov 2024 14:09:06 +0200
Subject: [PATCH] net: lwm2m_client_utils: Clear sec_tag content when overwriting

When writing new content to security tag, clear existing information first, that might cause problems. For example, when writing PSK, delete all certificates. When writing certificates, delete all PSK data.

Signed-off-by: Seppo Takalo
---
 .../lwm2m_client_utils/lwm2m/lwm2m_security.c | 22 +++++++++++++++++++
 .../net/lib/lwm2m_client_utils/src/security.c | 10 ++++++++-
 .../net/lib/lwm2m_client_utils/src/stubs.c | 1 +
 .../net/lib/lwm2m_client_utils/src/stubs.h | 2 ++
 4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
index c90ba1ac07d6..4246c2b041f2 100644
--- a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
+++ b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c
@@ -128,11 +128,30 @@ static int write_credential_type(int sec_obj_inst, int sec_tag, int res_id,
 return 0;
 }
+static void delete_credential_if_exist(int sec_tag, enum modem_key_mgmt_cred_type type)
+{
+ bool exist = false;
+ int ret;
+
+ ret = modem_key_mgmt_exists(sec_tag, type, &exist);
+ if (exist) {
+ ret = modem_key_mgmt_delete(sec_tag, type);
+ LOG_DBG("Deleted sec_tag %d, type %d", sec_tag, type);
+ }
+ if (ret < 0) {
+ LOG_ERR("Failed to delete credential %d", ret);
+ }
+}
+
 static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 {
 int ret;
 if (mode == SEC_MODE_PSK) {
+ delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
+ delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT);
+ delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT);
+
 ret = write_credential_type(sec_obj_inst, sec_tag, SECURITY_CLIENT_PK_ID,
 MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
 if (ret) {
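Review bot: `delete_credential_if_exist()` discards every failure, so `write_sec_obj_to_sec_tag()` goes on to write the new credential type even when the old one is still present in the sec_tag, which is the mixed state this commit sets out to prevent. Inside the helper the result of `modem_key_mgmt_exists()` is never checked on its own (a failed lookup is logged as "Failed to delete credential"), and `LOG_DBG("Deleted ...")` runs before the result of `modem_key_mgmt_delete()` is examined, so the log can claim a deletion that did not happen. Returning `int` and letting the callers take the existing `goto out` path would surface a stale certificate or PSK to the caller; whether a failed delete should abort the write is a design decision, and the `out:` label and the rest of `write_sec_obj_to_sec_tag()` lie outside the hunk. The same applies to the two calls added in the `SEC_MODE_CERTIFICATE` branch of the next hunk.

```c
static int delete_credential_if_exist(int sec_tag, enum modem_key_mgmt_cred_type type)
{
	bool exist = false;
	int ret;

	ret = modem_key_mgmt_exists(sec_tag, type, &exist);
	if (ret < 0) {
		LOG_ERR("Failed to check sec_tag %d, type %d (%d)", sec_tag, type, ret);
		return ret;
	}
	if (!exist) {
		return 0;
	}

	ret = modem_key_mgmt_delete(sec_tag, type);
	if (ret < 0) {
		LOG_ERR("Failed to delete sec_tag %d, type %d (%d)", sec_tag, type, ret);
		return ret;
	}
	LOG_DBG("Deleted sec_tag %d, type %d", sec_tag, type);
	return 0;
}

/* … unchanged: write_sec_obj_to_sec_tag() signature and `int ret;` … */
	if (mode == SEC_MODE_PSK) {
		ret = delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
		if (ret) {
			goto out;
		}
		/* … same check after the PUBLIC_CERT and PRIVATE_CERT deletions … */
```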
@@ -145,6 +164,9 @@ static int write_sec_obj_to_sec_tag(int sec_obj_inst, int sec_tag, int mode)
 goto out;
 }
 } else if (mode == SEC_MODE_CERTIFICATE) {
+ delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_PSK);
+ delete_credential_if_exist(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_IDENTITY);
+
 /* Don't fail if we already have a given data in the modem and we did not receive
 * that as part of bootstrap. It might have been written as part of EST process.
 */
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/security.c b/tests/subsys/net/lib/lwm2m_client_utils/src/security.c
index 78d52ee3924d..c94ddbe8d026 100644
--- a/tests/subsys/net/lib/lwm2m_client_utils/src/security.c
+++ b/tests/subsys/net/lib/lwm2m_client_utils/src/security.c
@@ -502,11 +502,19 @@ ZTEST(lwm2m_client_utils_security, test_load_credentials_PSK)
 modem_key_mgmt_write_fake.custom_fake = write_to_modem;
 modem_key_mgmt_exists_fake.custom_fake = modem_key_mgmt_exists_custom_fake;
 ctx.bootstrap_mode = false;
+ keys_exist = true;
 rc = ctx.load_credentials(&ctx);
 zassert_equal(rc, 0, "wrong return value");
- zassert_equal(modem_key_mgmt_exists_fake.call_count, 5, "Did not check existing (%d)",
+ zassert_equal(modem_key_mgmt_exists_fake.call_count, 8, "Did not check existing (%d)",
 modem_key_mgmt_exists_fake.call_count);
+ zassert_equal(modem_key_mgmt_delete_fake.call_count, 3, "Did not remove old keys");
+ zassert_equal(modem_key_mgmt_delete_fake.arg1_history[0], MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
+ "");
+ zassert_equal(modem_key_mgmt_delete_fake.arg1_history[1],
+ MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, "");
+ zassert_equal(modem_key_mgmt_delete_fake.arg1_history[2],
+ MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, "");
 zassert_equal(modem_key_mgmt_write_fake.call_count, 2, "Did not write PSK");
 zassert_equal(lte_lc_func_mode_set_fake.call_count, 1, "Did not set mode");
 zassert_equal(lte_lc_func_mode_set_fake.arg0_val, LTE_LC_FUNC_MODE_OFFLINE,
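Review bot: The new assertions in `test_load_credentials_PSK` pin only the credential type of each delete (`arg1_history`), not the sec_tag it was issued against, so a delete aimed at the wrong tag would still pass. A check such as `zassert_equal(modem_key_mgmt_delete_fake.arg0_history[0], <expected sec_tag>, "Deleted from wrong sec_tag");` would close that gap, with the placeholder replaced by the tag this test configures outside the hunk. The three type checks also pass an empty message `""`, so a failure will not say which credential type was out of order. The `SEC_MODE_CERTIFICATE` branch, which now deletes `PSK` and `IDENTITY`, has no matching assertion in this hunk; one may exist in a test that is not shown.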
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c
index fd54d913414c..a66c02150e5f 100644
--- a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c
+++ b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.c
@@ -56,6 +56,7 @@ DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_exists, nrf_sec_tag_t, enum modem_key
 bool *);
 DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_write, nrf_sec_tag_t, enum modem_key_mgmt_cred_type,
 const void *, size_t);
+DEFINE_FAKE_VALUE_FUNC(int, modem_key_mgmt_delete, nrf_sec_tag_t, enum modem_key_mgmt_cred_type);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_func_mode_set, enum lte_lc_func_mode);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_connect);
 DEFINE_FAKE_VALUE_FUNC(int, lte_lc_offline);
diff --git a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h
index 3a124a5870ad..35cd75d7e133 100644
--- a/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h
+++ b/tests/subsys/net/lib/lwm2m_client_utils/src/stubs.h
@@ -50,6 +50,7 @@ DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_exists, nrf_sec_tag_t, enum modem_ke
 bool *);
 DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_write, nrf_sec_tag_t, enum modem_key_mgmt_cred_type,
 const void *, size_t);
+DECLARE_FAKE_VALUE_FUNC(int, modem_key_mgmt_delete, nrf_sec_tag_t, enum modem_key_mgmt_cred_type);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_func_mode_set, enum lte_lc_func_mode);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_connect);
 DECLARE_FAKE_VALUE_FUNC(int, lte_lc_offline);
@@ -140,6 +141,7 @@ DECLARE_FAKE_VOID_FUNC(boot_write_img_confirmed);
 FUNC(lwm2m_rd_client_update) \
 FUNC(modem_key_mgmt_exists) \
 FUNC(modem_key_mgmt_write) \
+ FUNC(modem_key_mgmt_delete) \
 FUNC(modem_info_init) \
 FUNC(modem_info_params_init) \
 FUNC(modem_info_params_get) \