feat(coap): replace special-purpose security configs with general-pur…

…pose builder

With this, all example specific code is moved out of coapcore over to
ariel-os-coap, from where it can move to configuration.

src/ariel-os-coap/Cargo.toml

@@ -33,6 +33,8 @@ static_cell = "2.1.0"
 
 # FIXME: Should go out eventually
 hexlit = "0.5.5"
+cbor-macro = "0.1.0"
+cboritem = "0.1.2"
 
 # For the udp_nal
 embedded-io-async = "0.6.1"

src/ariel-os-coap/src/lib.rs

@@ -60,15 +60,39 @@ pub async fn coap_run(handler: impl coap_handler::Handler + coap_handler::Report
         .await
         .unwrap();
 
+    use cbor_macro::cbor;
+    use hexlit::hex;
+
+    let own_key = hex!("72cc4761dbd4c78f758931aa589d348d1ef874a7e303ede2f140dcf3e6aa4aac");
+    let own_credential = lakers::Credential::parse_ccs(&hex!("A2026008A101A5010202410A2001215820BBC34960526EA4D32E940CAD2A234148DDC21791A12AFBCBAC93622046DD44F02258204519E257236B2A0CE2023F0931F1F386CA7AFDA64FCDE0108C224C51EABF6072")).expect("Credential should be processable");
+
+    let unauthenticated_scope: &[u8] = &cbor!([["/.well-known/core", 1], ["/poem", 1]]);
+    let unauthenticated_scope = coapcore::scope::AifValue::try_from(unauthenticated_scope)
+        .expect("hard-coded scope fits this type")
+        .into();
+    let admin_key = lakers::Credential::parse_ccs(&hex!("A2027734322D35302D33312D46462D45462D33372D33322D333908A101A5010202412B2001215820AC75E9ECE3E50BFC8ED60399889522405C47BF16DF96660A41298CB4307F7EB62258206E5DE611388A4B8A8211334AC7D37ECB52A387D257E6DB3C2A93DF21FF3AFFC8"))
+                            .expect("hard-coded credential fits this type");
+    let admin_scope: &[u8] = &cbor!([
+            ["/stdout", 17 / GET and FETCH /],
+            ["/.well-known/core", 1],
+            ["/poem", 1]
+    ]);
+    let admin_scope = coapcore::scope::AifValue::try_from(admin_scope)
+        .expect("hard-coded scope fits this type")
+        .into();
+
     // FIXME: Should we allow users to override that? After all, this is just convenience and may
     // be limiting in special applications.
     let handler = handler.with_wkc();
     let mut handler = coapcore::OscoreEdhocHandler::new(
         handler,
+        coapcore::seccfg::ConfigBuilder::new()
+            .allow_unauthenticated(unauthenticated_scope)
+            .with_own_edhoc_credential(own_credential, own_key)
+            .with_known_edhoc_credential(admin_key, admin_scope),
         || lakers_crypto_rustcrypto::Crypto::new(ariel_os_random::crypto_rng()),
         ariel_os_random::crypto_rng(),
-    )
-    .allow_arbitrary();
+    );
 
     info!("Server is ready.");
 

src/lib/coapcore/Cargo.toml

@@ -25,7 +25,6 @@ arrayvec = { version = "0.7.4", default-features = false }
 coap-message-implementations = { version = "0.1.2", features = ["downcast"] }
 coap-message-utils = "0.3.3"
 coap-numbers = "0.2.3"
-hexlit = "0.5.5"
 lakers-crypto-rustcrypto = "0.7.2"
 liboscore = "0.2.2"
 liboscore-msgbackend = "0.2.2"
@@ -44,8 +43,6 @@ document-features = "0.2.10"
 # dependencies.
 ccm = { version = "0.5.0", default-features = false }
 aes = { version = "0.8.4", default-features = false }
-cbor-macro = "0.1.0"
-cboritem = "0.1.2"
 
 [features]
 #! Cargo features

src/lib/coapcore/src/scope.rs

@@ -85,7 +85,7 @@ const AIF_SCOPE_MAX_LEN: usize = 64;
 ///
 /// This completely disregards proper URI splitting; this works for very simple URI references in
 /// the AIF. This could be mitigated by switching to a CRI based model.
-#[derive(Debug, defmt::Format)]
+#[derive(Debug, defmt::Format, Clone)]
 pub struct AifValue([u8; AIF_SCOPE_MAX_LEN]);
 
 impl TryFrom<&[u8]> for AifValue {
@@ -209,7 +209,7 @@ impl<S: Scope + From<AifValue>> ScopeGenerator for ParsingAif<S> {
 /// This is useful when combining multiple authentication methods, eg. allowing ACE tokens (that
 /// need an [`AifValue`] to express their arbitrary scopes) as well as a configured admin key (that
 /// has "all" permission, which are not expressible in an [`AifValue`].
-#[derive(Debug, defmt::Format)]
+#[derive(Debug, defmt::Format, Clone)]
 pub enum UnionScope {
     AifValue(AifValue),
     AllowAll,