[nrf fromtree] net: lib: tls_credentials: Rename TLS_CREDENTIAL_SERVER_CERTIFICATE

rlubos · krish2718 · commit cca7995d9272 · 2025-04-10T01:55:09.000+05:30
TLS_CREDENTIAL_SERVER_CERTIFICATE credential type is misleading, as in fact it just represents a public certificate, it does not matter if the certificate belongs to a server or a client. And actually, it was already used in-tree for clients as well, for example in LwM2M. Therefore rename the credential type to a more generic TLS_CREDENTIAL_PUBLIC_CERTIFICATE and deprecate the old one. Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no> (cherry picked from commit a61287e)
diff --git a/doc/connectivity/networking/api/sockets.rst b/doc/connectivity/networking/api/sockets.rst
@@ -93,7 +93,7 @@ socket options.
 The following TLS credential types can be registered in the system:
 
 - ``TLS_CREDENTIAL_CA_CERTIFICATE``
-- ``TLS_CREDENTIAL_SERVER_CERTIFICATE``
+- ``TLS_CREDENTIAL_PUBLIC_CERTIFICATE``
 - ``TLS_CREDENTIAL_PRIVATE_KEY``
 - ``TLS_CREDENTIAL_PSK``
 - ``TLS_CREDENTIAL_PSK_ID``
diff --git a/doc/releases/migration-guide-4.2.rst b/doc/releases/migration-guide-4.2.rst
@@ -72,6 +72,10 @@ Networking
   (because the addr is not a pointer) and must be changed to ``if (lladdr->len == 0)``
   if the code wants to check that the link address is not set.
 
+* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed to
+  more generic :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` to better
+  reflect the purpose of this credential type.
+
 SPI
 ===
 
diff --git a/doc/releases/release-notes-4.2.rst b/doc/releases/release-notes-4.2.rst
@@ -57,6 +57,9 @@ Deprecated APIs and options
   renamed and deprecated. Use :kconfig:option:`CONFIG_SCHED_SIMPLE` and
   :kconfig:option:`CONFIG_WAITQ_SIMPLE` instead.
 
+* TLS credential type ``TLS_CREDENTIAL_SERVER_CERTIFICATE`` was renamed and
+  deprecated, use :c:enumerator:`TLS_CREDENTIAL_PUBLIC_CERTIFICATE` instead.
+
 ===========================
 
 New APIs and options
diff --git a/drivers/wifi/eswifi/eswifi_socket_offload.c b/drivers/wifi/eswifi/eswifi_socket_offload.c
@@ -191,7 +191,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
 			case TLS_CREDENTIAL_CA_CERTIFICATE:
 				id = 0;
 				break;
-			case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+			case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 				id = 1;
 				break;
 			case TLS_CREDENTIAL_PRIVATE_KEY:
diff --git a/drivers/wifi/simplelink/simplelink_sockets.c b/drivers/wifi/simplelink/simplelink_sockets.c
@@ -674,7 +674,7 @@ static int map_credentials(int sd, const void *optval, socklen_t optlen)
 			case TLS_CREDENTIAL_CA_CERTIFICATE:
 				opt = SL_SO_SECURE_FILES_CA_FILE_NAME;
 				break;
-			case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+			case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 				opt = SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME;
 				break;
 			case TLS_CREDENTIAL_PRIVATE_KEY:
diff --git a/include/zephyr/net/tls_credentials.h b/include/zephyr/net/tls_credentials.h
@@ -36,11 +36,15 @@ enum tls_credential_type {
 	 */
 	TLS_CREDENTIAL_CA_CERTIFICATE,
 
-	/** A public server certificate. Use this to register your own server
+	/** A public client or server certificate. Use this to register your own
 	 *  certificate. Should be registered together with a corresponding
 	 *  private key. Used with certificate-based ciphersuites.
 	 */
-	TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
+
+	/** @deprecated Use TLS_CREDENTIAL_PUBLIC_CERTIFICATE instead.
+	 */
+	TLS_CREDENTIAL_SERVER_CERTIFICATE = TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 
 	/** Private key. Should be registered together with a corresponding
 	 *  public certificate. Used with certificate-based ciphersuites.
@@ -64,7 +68,7 @@ enum tls_credential_type {
  * in the system.
  *
  * @note Some TLS credentials come in pairs:
- *    - TLS_CREDENTIAL_SERVER_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
+ *    - TLS_CREDENTIAL_PUBLIC_CERTIFICATE with TLS_CREDENTIAL_PRIVATE_KEY,
  *    - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID.
  *    Such pairs of credentials must be assigned the same secure tag to be
  *    correctly handled in the system.
diff --git a/modules/thrift/src/thrift/transport/TSSLSocket.cpp b/modules/thrift/src/thrift/transport/TSSLSocket.cpp
@@ -450,7 +450,7 @@ void TSSLSocketFactory::loadCertificateFromBuffer(const char *aCertificate, cons
 
 	if (strcmp(format, "PEM") == 0) {
 		const int status = tls_credential_add(Thrift_TLS_SERVER_CERT_TAG,
-						      TLS_CREDENTIAL_SERVER_CERTIFICATE,
+						      TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 						      aCertificate, strlen(aCertificate) + 1);
 
 		if (status != 0) {
diff --git a/samples/net/prometheus/src/main.c b/samples/net/prometheus/src/main.c
@@ -120,7 +120,7 @@ static void setup_tls(void)
 	}
 #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
 
-	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate, sizeof(server_certificate));
 	if (err < 0) {
 		LOG_ERR("Failed to register public certificate: %d", err);
diff --git a/samples/net/sockets/dumb_http_server_mt/src/main.c b/samples/net/sockets/dumb_http_server_mt/src/main.c
@@ -413,7 +413,7 @@ int main(void)
 {
 #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
 	int err = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				     TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				     TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				     server_certificate,
 				     sizeof(server_certificate));
 	if (err < 0) {
diff --git a/samples/net/sockets/echo_server/src/echo-server.c b/samples/net/sockets/echo_server/src/echo-server.c
@@ -153,7 +153,7 @@ static void init_app(void)
 #endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */
 
 	err = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate,
 				 sizeof(server_certificate));
 	if (err < 0) {
diff --git a/samples/net/sockets/http_server/src/main.c b/samples/net/sockets/http_server/src/main.c
@@ -312,7 +312,7 @@ static void setup_tls(void)
 	int err;
 
 	err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG,
-				 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 server_certificate,
 				 sizeof(server_certificate));
 	if (err < 0) {
diff --git a/samples/subsys/mgmt/updatehub/src/main.c b/samples/subsys/mgmt/updatehub/src/main.c
@@ -89,7 +89,7 @@ int main(void)
 
 #if defined(CONFIG_UPDATEHUB_DTLS)
 	if (tls_credential_add(CA_CERTIFICATE_TAG,
-			       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+			       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 			       server_certificate,
 			       sizeof(server_certificate)) < 0) {
 		LOG_ERR("Failed to register server certificate");
diff --git a/subsys/net/lib/lwm2m/lwm2m_engine.c b/subsys/net/lib/lwm2m/lwm2m_engine.c
@@ -922,7 +922,7 @@ static void delete_tls_credentials(sec_tag_t tag)
 {
 	tls_credential_delete(tag, TLS_CREDENTIAL_PSK_ID);
 	tls_credential_delete(tag, TLS_CREDENTIAL_PSK);
-	tls_credential_delete(tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	tls_credential_delete(tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	tls_credential_delete(tag, TLS_CREDENTIAL_PRIVATE_KEY);
 	tls_credential_delete(tag, TLS_CREDENTIAL_CA_CERTIFICATE);
 }
@@ -1003,7 +1003,7 @@ static int lwm2m_load_x509_credentials(struct lwm2m_ctx *ctx)
 
 	delete_tls_credentials(ctx->tls_tag);
 
-	ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	if (ret < 0) {
 		return ret;
 	}
diff --git a/subsys/net/lib/sockets/sockets_tls.c b/subsys/net/lib/sockets/sockets_tls.c
@@ -1078,7 +1078,7 @@ static int tls_set_credential(struct tls_context *tls,
 	case TLS_CREDENTIAL_CA_CERTIFICATE:
 		return tls_add_ca_certificate(tls, cred);
 
-	case TLS_CREDENTIAL_SERVER_CERTIFICATE:
+	case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:
 		return tls_add_own_cert(tls, cred);
 
 	case TLS_CREDENTIAL_PRIVATE_KEY:
@@ -1133,7 +1133,7 @@ static int tls_mbedtls_set_credentials(struct tls_context *tls)
 
 			if (cred->type == TLS_CREDENTIAL_CA_CERTIFICATE) {
 				ca_cert_present = true;
-			} else if (cred->type == TLS_CREDENTIAL_SERVER_CERTIFICATE) {
+			} else if (cred->type == TLS_CREDENTIAL_PUBLIC_CERTIFICATE) {
 				own_cert_present = true;
 			}
 		}
diff --git a/subsys/net/lib/tls_credentials/tls_credentials_shell.c b/subsys/net/lib/tls_credentials/tls_credentials_shell.c
@@ -40,12 +40,12 @@ static const struct cred_type_string type_strings[] = {
 	{"CA_CERT",		TLS_CREDENTIAL_CA_CERTIFICATE},
 	{"CA",			TLS_CREDENTIAL_CA_CERTIFICATE},
 
-	{"SERVER_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"CLIENT_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SELF_CERT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SELF",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"CLIENT",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
-	{"SERV",		TLS_CREDENTIAL_SERVER_CERTIFICATE},
+	{"SERVER_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"CLIENT_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SELF_CERT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SELF",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"CLIENT",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
+	{"SERV",		TLS_CREDENTIAL_PUBLIC_CERTIFICATE},
 
 	{"PRIVATE_KEY",		TLS_CREDENTIAL_PRIVATE_KEY},
 	{"PK",			TLS_CREDENTIAL_PRIVATE_KEY},
diff --git a/tests/net/lib/http_server/tls/src/main.c b/tests/net/lib/http_server/tls/src/main.c
@@ -239,7 +239,7 @@ static void *setup(void)
 		zassert_equal(ret, 0, "failed to add CA Certificate (%d)", ret);
 
 		ret = tls_credential_add(SERVER_CERTIFICATE_TAG,
-					 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+					 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 					 server, sizeof(server));
 		zassert_equal(ret, 0, "failed to add Server Certificate (%d)", ret);
 
@@ -249,7 +249,7 @@ static void *setup(void)
 		zassert_equal(ret, 0, "failed to add Server Private Key (%d)", ret);
 
 		ret = tls_credential_add(CLIENT_CERTIFICATE_TAG,
-					 TLS_CREDENTIAL_SERVER_CERTIFICATE,
+					 TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 					 client, sizeof(client));
 		zassert_equal(ret, 0, "failed to add Client Certificate (%d)", ret);
 
diff --git a/tests/net/lib/lwm2m/lwm2m_engine/src/main.c b/tests/net/lib/lwm2m/lwm2m_engine/src/main.c
@@ -467,7 +467,7 @@ ZTEST(lwm2m_engine, test_security)
 	zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[1], TLS_PEER_VERIFY);
 	zassert_equal(z_impl_zsock_setsockopt_fake.arg2_history[2], TLS_CIPHERSUITE_LIST);
 	zassert_true(tls_credential_add_fake.call_count == 3);
-	zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_SERVER_CERTIFICATE);
+	zassert_equal(tls_credential_add_fake.arg1_history[0], TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 	zassert_equal(tls_credential_add_fake.arg1_history[1], TLS_CREDENTIAL_PRIVATE_KEY);
 	zassert_equal(tls_credential_add_fake.arg1_history[2], TLS_CREDENTIAL_CA_CERTIFICATE);
 	zassert_equal(lwm2m_engine_stop(&ctx), 0);
diff --git a/tests/net/lib/tls_credentials/src/main.c b/tests/net/lib/tls_credentials/src/main.c
@@ -34,10 +34,10 @@ static void test_credential_add(void)
 	/* Function should allow to add credentials of different types
 	 * with the same tag
 	 */
-	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 test_server_cert, sizeof(test_server_cert));
 	zassert_equal(ret, 0, "Failed to add credential %d %d",
-		      common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);
+		      common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);
 
 	ret = tls_credential_add(common_tag, TLS_CREDENTIAL_PRIVATE_KEY,
 				 test_server_key, sizeof(test_server_key));
@@ -87,7 +87,7 @@ static void test_credential_get(void)
 
 	/* Try to read with too small buffer */
 	credlen = sizeof(test_server_cert) - 1;
-	ret = tls_credential_get(common_tag, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	ret = tls_credential_get(common_tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				 cred, &credlen);
 	zassert_equal(ret, -EFBIG, "Should have failed with EFBIG");
 }
@@ -121,7 +121,7 @@ static void test_credential_internal_iterate(void)
 		cert = temp;
 	}
 
-	zassert_equal(cert->type, TLS_CREDENTIAL_SERVER_CERTIFICATE,
+	zassert_equal(cert->type, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 		      "Invalid type for cert");
 	zassert_equal(cert->tag, common_tag, "Invalid tag for cert");
 	zassert_equal(cert->len, sizeof(test_server_cert),
diff --git a/tests/net/socket/tls_ext/src/main.c b/tests/net/socket/tls_ext/src/main.c
@@ -447,7 +447,7 @@ static void *setup(void)
 		zassert_equal(r, 0, "failed to add CA Certificate (%d)", r);
 
 		r = tls_credential_add(SERVER_CERTIFICATE_TAG,
-				       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				       server, sizeof(server));
 		zassert_equal(r, 0, "failed to add Server Certificate (%d)", r);
 
@@ -457,7 +457,7 @@ static void *setup(void)
 		zassert_equal(r, 0, "failed to add Server Private Key (%d)", r);
 
 		r = tls_credential_add(CLIENT_CERTIFICATE_TAG,
-				       TLS_CREDENTIAL_SERVER_CERTIFICATE,
+				       TLS_CREDENTIAL_PUBLIC_CERTIFICATE,
 				       client, sizeof(client));
 		zassert_equal(r, 0, "failed to add Client Certificate (%d)", r);
 

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ static void setup_tls(void)`
`120`	`120`	`}`
`121`	`121`	`#endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */`
`122`	`122`
`123`		`- err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE,`
	`123`	`+ err = tls_credential_add(HTTP_SERVER_CERTIFICATE_TAG, TLS_CREDENTIAL_PUBLIC_CERTIFICATE,`
`124`	`124`	`server_certificate, sizeof(server_certificate));`
`125`	`125`	`if (err < 0) {`
`126`	`126`	`LOG_ERR("Failed to register public certificate: %d", err);`
Original file line number	Diff line number	Diff line change
`@@ -413,7 +413,7 @@ int main(void)`
`413`	`413`	`{`
`414`	`414`	`#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)`
`415`	`415`	`int err = tls_credential_add(SERVER_CERTIFICATE_TAG,`
`416`		`- TLS_CREDENTIAL_SERVER_CERTIFICATE,`
	`416`	`+ TLS_CREDENTIAL_PUBLIC_CERTIFICATE,`
`417`	`417`	`server_certificate,`
`418`	`418`	`sizeof(server_certificate));`
`419`	`419`	`if (err < 0) {`
Original file line number	Diff line number	Diff line change
`@@ -922,7 +922,7 @@ static void delete_tls_credentials(sec_tag_t tag)`
`922`	`922`	`{`
`923`	`923`	`tls_credential_delete(tag, TLS_CREDENTIAL_PSK_ID);`
`924`	`924`	`tls_credential_delete(tag, TLS_CREDENTIAL_PSK);`
`925`		`- tls_credential_delete(tag, TLS_CREDENTIAL_SERVER_CERTIFICATE);`
	`925`	`+ tls_credential_delete(tag, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);`
`926`	`926`	`tls_credential_delete(tag, TLS_CREDENTIAL_PRIVATE_KEY);`
`927`	`927`	`tls_credential_delete(tag, TLS_CREDENTIAL_CA_CERTIFICATE);`
`928`	`928`	`}`
`@@ -1003,7 +1003,7 @@ static int lwm2m_load_x509_credentials(struct lwm2m_ctx *ctx)`
`1003`	`1003`
`1004`	`1004`	`delete_tls_credentials(ctx->tls_tag);`
`1005`	`1005`
`1006`		`- ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_SERVER_CERTIFICATE);`
	`1006`	`+ ret = load_tls_type(ctx, 3, TLS_CREDENTIAL_PUBLIC_CERTIFICATE);`
`1007`	`1007`	`if (ret < 0) {`
`1008`	`1008`	`return ret;`
`1009`	`1009`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1078,7 +1078,7 @@ static int tls_set_credential(struct tls_context *tls,`
`1078`	`1078`	`case TLS_CREDENTIAL_CA_CERTIFICATE:`
`1079`	`1079`	`return tls_add_ca_certificate(tls, cred);`
`1080`	`1080`
`1081`		`- case TLS_CREDENTIAL_SERVER_CERTIFICATE:`
	`1081`	`+ case TLS_CREDENTIAL_PUBLIC_CERTIFICATE:`
`1082`	`1082`	`return tls_add_own_cert(tls, cred);`
`1083`	`1083`
`1084`	`1084`	`case TLS_CREDENTIAL_PRIVATE_KEY:`
`@@ -1133,7 +1133,7 @@ static int tls_mbedtls_set_credentials(struct tls_context *tls)`
`1133`	`1133`
`1134`	`1134`	`if (cred->type == TLS_CREDENTIAL_CA_CERTIFICATE) {`
`1135`	`1135`	`ca_cert_present = true;`
`1136`		`- } else if (cred->type == TLS_CREDENTIAL_SERVER_CERTIFICATE) {`
	`1136`	`+ } else if (cred->type == TLS_CREDENTIAL_PUBLIC_CERTIFICATE) {`
`1137`	`1137`	`own_cert_present = true;`
`1138`	`1138`	`}`
`1139`	`1139`	`}`