Commit 3b14423a authored by Oleksii Beketov's avatar Oleksii Beketov

[IOT-3276] Multiple CAs allowed

This patch unites reverted #22987 and CTT fix 23279.

PEM/DER casting removed,  allowing mbedtls to manage
certificate conversion by itself. Credresource loads
certificates that could be either PEM or DER encoded
to a linked list instead of pushing them to a buffer.

Change-Id: I6dd0d957721d59feaf70f3dd421bf65d7c02ef1d
Signed-off-by: default avatarOleksii Beketov <ol.beketov@samsung.com>
parent 5a93b8ee
......@@ -45,6 +45,13 @@ typedef struct ByteArray
size_t len; /**< Data size */
} ByteArray_t;
typedef struct ByteArrayLL ByteArrayLL_t;
struct ByteArrayLL
{
ByteArray_t *cert;
ByteArrayLL_t *next;
};
/**@def BYTE_ARRAY_INITIALIZER
*
......@@ -53,6 +60,13 @@ typedef struct ByteArray
#undef BYTE_ARRAY_INITIALIZER
#define BYTE_ARRAY_INITIALIZER {NULL, 0}
/**@def CERT_CHAIN_INITIALIZER
*
* Initializes of existing certificate chain pointer to \a NULL.
*/
#undef CERT_CHAIN_INITIALIZER
#define CERT_CHAIN_INITIALIZER {NULL, NULL}
/**@def INIT_BYTE_ARRAY(array)
*
* Initializes of existing byte array \a array.
......
......@@ -109,6 +109,7 @@ bool CAGetSecureEndpointAttributes(const CAEndpoint_t* peer, uint32_t* allAttrib
*
*/
typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
/**
* Binary structure containing PKIX related info
* own certificate chain, public key, CA's and CRL's
......@@ -119,9 +120,9 @@ typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
*/
typedef struct
{
ByteArray_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArrayLL_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArray_t key; /**< own private key as binary-encoded DER */
ByteArray_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArrayLL_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArray_t crl; /**< trusted CRLs as binary-encoded DER */
} PkiInfo_t;
......@@ -333,4 +334,3 @@ void CAcloseSslConnectionAll(CATransportAdapter_t transportType);
#endif /* CA_SECURITY_INTERFACE_H_ */
......@@ -27,6 +27,9 @@ ca_common_src = [
os.path.join(ca_common_src_path, 'caremotehandler.c')
]
if connectivity_env.get('SECURED') == '1':
ca_common_src.append(os.path.join(ca_common_src_path, 'parsechain.c'))
if connectivity_env['POSIX_SUPPORTED'] or target_os in ['windows']:
ca_common_src.append(os.path.join(ca_common_src_path, 'cathreadpool_pthreads.c'))
......
/* ****************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#ifndef U_PARSECHAIN_H_
#define U_PARSECHAIN_H_
#include <mbedtls/ssl.h>
#include "casecurityinterface.h"
#ifdef __cplusplus
extern "C"
{
#endif
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] certs array of X.509 certificates
* @param[in] errNum number of certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum);
/**
* Free chain of X.509 certificates.
*
* @param[in] certs array of X.509 certificates
*/
void FreeCertChain(ByteArrayLL_t *certs);
#ifdef __cplusplus
}
#endif
#endif /* U_ARRAYLIST_H_ */
/******************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#include "parsechain.h"
#include "utlist.h"
#include "caadapterutils.h"
#include "oic_malloc.h"
#define PARSE_CHAIN_TAG "OIC_PARSE_CHAIN"
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum)
{
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, PARSE_CHAIN_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(certs, PARSE_CHAIN_TAG, "Param certs is NULL", -1);
VERIFY_NON_NULL_RET(errNum, PARSE_CHAIN_TAG, "Param errNum is NULL", -1);
VERIFY_NON_NULL_RET(certs->cert, PARSE_CHAIN_TAG, "certs->cert is NULL", -1);
int count = 0;
int ret = 0;
*errNum = 0;
const ByteArrayLL_t *temp = certs;
LL_FOREACH(certs, temp)
{
ret = mbedtls_x509_crt_parse(crt, temp->cert->data, temp->cert->len);
if (0 == ret)
{
count++;
}
else
{
(*errNum)++;
OIC_LOG_V(ERROR, PARSE_CHAIN_TAG, "mbedtls_x509_crt_parse returned -0x%04x\n", -(ret));
return -1;
}
}
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "%s successfully parsed %d certificates", __func__, count);
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "Out %s", __func__);
return count;
}
void FreeCertChain(ByteArrayLL_t *certs)
{
ByteArrayLL_t *tmp0 = certs, *tmp1 = NULL, *tmp2 = NULL;
LL_FOREACH_SAFE(tmp0, tmp1, tmp2)
{
LL_DELETE(tmp0, tmp1);
if (NULL != tmp1->cert) {
if (NULL != tmp1->cert->data)
{
OICFree(tmp1->cert->data);
}
OICFree(tmp1->cert);
}
tmp1 = NULL;
}
}
......@@ -38,6 +38,8 @@
#include "experimental/byte_array.h"
#include "octhread.h"
#include "octimer.h"
#include "utlist.h"
#include "parsechain.h"
// headers required for mbed TLS
#include "mbedtls/platform.h"
......@@ -647,57 +649,6 @@ static int RecvCallBack(void * tep, unsigned char * data, size_t dataLen)
return (int)retLen;
}
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] buf buffer with X.509 certificates. Certificates must be in a single null-terminated
* string, with each certificate in PEM encoding with headers.
* @param[in] bufLen buffer length
* @param[in] errNum number certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
static int ParseChain(mbedtls_x509_crt * crt, unsigned char * buf, size_t bufLen, int * errNum)
{
int ret;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, NET_SSL_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(buf, NET_SSL_TAG, "Param buf is NULL", -1);
if (NULL != errNum)
{
*errNum = 0;
}
if ((bufLen >= 2) && (buf[0] == 0x30) && (buf[1] == 0x82))
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "DER-encoded certificate passed to ParseChain");
return -1;
}
ret = mbedtls_x509_crt_parse(crt, buf, bufLen);
if (0 > ret)
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse failed: -0x%04x", -(ret));
return -1;
}
if (NULL != errNum)
{
*errNum = ret;
}
ret = 0;
for (const mbedtls_x509_crt *cur = crt; cur != NULL; cur = cur->next)
{
ret++;
}
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return ret;
}
/**
* Deinit Pki Info
*
......@@ -714,9 +665,9 @@ static void DeInitPkixInfo(PkiInfo_t * inf)
return;
}
DEINIT_BYTE_ARRAY(inf->crt);
FreeCertChain(&(inf->crt));
DEINIT_BYTE_ARRAY(inf->key);
DEINIT_BYTE_ARRAY(inf->ca);
FreeCertChain(&(inf->ca));
DEINIT_BYTE_ARRAY(inf->crl);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
......@@ -729,9 +680,9 @@ static int InitPKIX(CATransportAdapter_t adapter)
VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_SSL_TAG, "PKIX info callback is NULL", -1);
// load pk key, cert, trust chain and crl
PkiInfo_t pkiInfo = {
CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER
};
......@@ -739,7 +690,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
{
g_getPkixInfoCallback(&pkiInfo);
}
VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
mbedtls_x509_crt_free(&g_caSslContext->ca);
......@@ -751,7 +701,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
mbedtls_x509_crt_init(&g_caSslContext->crt);
mbedtls_pk_init(&g_caSslContext->pkey);
mbedtls_x509_crl_init(&g_caSslContext->crl);
mbedtls_ssl_config * serverConf = (adapter == CA_ADAPTER_IP ||
adapter == CA_ADAPTER_GATT_BTLE ?
&g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf);
......@@ -761,7 +710,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
// optional
int ret;
int errNum;
int count = ParseChain(&g_caSslContext->crt, pkiInfo.crt.data, pkiInfo.crt.len, &errNum);
int count = ParseChain(&g_caSslContext->crt, &(pkiInfo.crt), &errNum);
if (0 >= count)
{
OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate chain parsing error");
......@@ -810,7 +759,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
}
required:
count = ParseChain(&g_caSslContext->ca, pkiInfo.ca.data, pkiInfo.ca.len, &errNum);
count = ParseChain(&g_caSslContext->ca, &(pkiInfo.ca), &errNum);
if(0 >= count)
{
OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error");
......
......@@ -81,7 +81,7 @@ void adapter_handler(CATransportAdapter_t /*adapter*/,
{
}
void connection_handler(const CAEndpoint_t * /*endpoint*/,
void connection_handler(const CAEndpoint_t * /*endpoint*/,
bool /*connected*/)
{
}
......@@ -199,12 +199,14 @@ void provide_x509_cert_and_key(PkiInfo_t* inf)
{
/* PEM data must end in newline and be null terminated for IoTivity */
inf->crt.data = (uint8_t*) our_cert;
inf->crt.len = strlen(our_cert) + 1;
inf->crt.cert->data = (uint8_t*) our_cert;
inf->crt.cert->len = strlen(our_cert) + 1;
inf->crt.next = NULL;
inf->key.data = (uint8_t*) our_key;
inf->key.len = strlen(our_key) + 1;
inf->ca.data = (uint8_t*) our_ca;
inf->ca.len = strlen(our_ca) + 1;
inf->ca.cert->data = (uint8_t*) our_ca;
inf->ca.cert->len = strlen(our_ca) + 1;
inf->ca.next = NULL;
// CRL not provided
inf->crl.data = NULL;
......@@ -222,11 +224,11 @@ void provide_supported_credential_types(bool* list, const char* /*deviceId*/)
{
list[1] = true;
/*
* Note: there is a default implementation of this in credresource.c, exposed by
* pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource
* has a credential of the required type, it updates list accordingly.
* Note: there is a default implementation of this in credresource.c, exposed by
* pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource
* has a credential of the required type, it updates list accordingly.
*
* In a separate test, we could use the cred resource and APIs (credresource.h).
* In a separate test, we could use the cred resource and APIs (credresource.h).
*/
return;
}
......@@ -365,9 +367,9 @@ TEST_F(CATests, DISABLED_PkiTest)
{
// @todo: this test is disabled for now, it crashes with an invalid write. Cert data
// provided by the provide_x509_cert_and_key is stored as const char, but ParseChain()
// (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to
// (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to
// provide data on the heap, but the CA stack should not be changing data provided to it
// by callbacks.
// by callbacks.
const char* local_addr = "127.0.0.1";
uint16_t local_port = 5503;
......@@ -391,7 +393,7 @@ TEST_F(CATests, DISABLED_PkiTest)
// Register a working callback to provide the keys, expect success.
EXPECT_EQ(CA_STATUS_OK, CAregisterPkixInfoHandler(provide_x509_cert_and_key));
EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr));
EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr));
CADestroyEndpoint(serverAddr);
}
......
......@@ -23,8 +23,9 @@
#if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
#include "mbedtls/pk.h"
#include <mbedtls/pk.h>
#include <time.h>
#include "casecurityinterface.h"
/**
* Internal certificate request function; used by CSR resource handler
......@@ -40,7 +41,7 @@
*
* @return 0 on success, <0 on failure
*/
int OCInternalCSRRequest(const char *subject, mbedtls_pk_context *keyPair,
int OCInternalCSRRequest(const char *subject, mbedtls_pk_context *keyPair,
OicEncodingType_t encoding, OCByteString *csr);
/**
......@@ -65,7 +66,7 @@ int OCInternalGenerateKeyPair(mbedtls_pk_context *keyPair);
* 3. It contains at least one Subject Alternative Name extension that validly encodes a role.
*
* It does NOT validate the cryptographic signature nor check its time validity.
* These checks should be done when the certificate is being used as part of an access control check,
* These checks should be done when the certificate is being used as part of an access control check,
* as that is when the time validity check should be made, and when trusted CAs are known.
*
* @param[in] buf Buffer containing certificate as a PEM string
......@@ -86,7 +87,7 @@ OCStackResult OCInternalIsValidRoleCertificate(const uint8_t *buf, size_t bufLen
/**
* Determine if a buffer contains a valid chain of certificates. This is intended to verify
* one or more intermediate CA certificates are valid.
*
*
* This only checks that they are valid X.509 structures; no verification of the cryptographic
* signature of time-validity is performed. These should be done at point of use.
*
......@@ -110,8 +111,7 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
* parameters.
*
* @param[in] certificateChain OicSecKey_t containing one or more certificates
* @param[in] trustedCaCerts PEM string containing the trusted CAs certificates
* @param[in] trustedCaCertsLength Length of trustedCaCerts (including terminating NULL)
* @param[in] trustedCaCerts Trusted CAs certificates chain container
* @param[out] roles Pointer to receive array of OicSecRole_t objects listing roles
* Caller must call OICFree to release this memory when finished
* @param[out] rolesLength Length of returned roles array
......@@ -121,7 +121,8 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
* OC_STACK_INVALID_PARAM if the certificate is not valid.
* OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during validation.
*/
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain, const uint8_t *trustedCaCerts,
size_t trustedCaCertsLength, OicSecRole_t **roles,
size_t *rolesLength, struct tm *notValidAfter);
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain,
const ByteArrayLL_t *trustedCaCerts,
OicSecRole_t **roles, size_t *rolesLength,
struct tm *notValidAfter);
#endif
......@@ -248,7 +248,7 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid);
* @param[out] crt certificates to be filled.
* @param[in] usage credential usage string.
*/
OCStackResult GetPemCaCert(ByteArray_t * crt, const char * usage);
void GetCaCert(ByteArrayLL_t * crt, const char * usage);
/**
* Get a list of all role certificates. Used when asserting roles.
......@@ -267,7 +267,7 @@ OCStackResult GetAllRoleCerts(RoleCertChain_t** roleCerts);
* @param[out] crt certificate chain to be filled.
* @param[in] usage credential usage string.
*/
void GetPemOwnCert(ByteArray_t * crt, const char * usage);
void GetOwnCert(ByteArrayLL_t * crt, const char * usage);
/**
* Used by mbedTLS to retrieve own private key
*
......
......@@ -29,6 +29,7 @@
#include "cacommon.h"
#include "experimental/ocrandom.h"
#include "cacommonutil.h"
#include "parsechain.h"
#include "ocpayload.h"
#include "experimental/payload_logging.h"
......@@ -440,9 +441,10 @@ static const mbedtls_x509_crt_profile s_certProfile = {
0 /* RSA minimum key length - not used because we only use EC key pairs */
};
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain, const uint8_t *trustedCaCerts,
size_t trustedCaCertsLength, OicSecRole_t **roles,
size_t *rolesLength, struct tm *notValidAfter)
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain,
const ByteArrayLL_t *trustedCaCerts,
OicSecRole_t **roles, size_t *rolesLength,
struct tm *notValidAfter)
{
bool freeData = false;
uint8_t *data = certificateChain->data;
......@@ -502,10 +504,17 @@ OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChai
goto exit;
}
mbedRet = mbedtls_x509_crt_parse(&trustedCas, trustedCaCerts, trustedCaCertsLength);
if (0 > mbedRet)
int errNum;
int count = ParseChain(&trustedCas, trustedCaCerts, &errNum);
if (0 >= count)
{
OIC_LOG(WARNING, TAG, "Could not parse trusted CA certs");
res = OC_STACK_ERROR;
goto exit;
}
if (0 != errNum)
{
OIC_LOG_V(ERROR, TAG, "Could not parse trusted CA certs: %d", mbedRet);
OIC_LOG_V(WARNING, TAG, "Trusted CA certs parsing error: %d certs failed to parse", errNum);
res = OC_STACK_ERROR;
goto exit;
}
......@@ -640,4 +649,4 @@ exit:
OIC_LOG_V(DEBUG, TAG, "OCInternalVerifyRoleCertificate out: %d", res);
return res;
}
\ No newline at end of file
}
This diff is collapsed.
......@@ -36,8 +36,8 @@ void GetPkixInfo(PkiInfo_t * inf)
return;
}
GetPemOwnCert(&inf->crt, PRIMARY_CERT);
if (inf->crt.len == 0)
GetOwnCert(&inf->crt, PRIMARY_CERT);
if (NULL == inf->crt.cert || 0 == inf->crt.cert->len)
{
OIC_LOG_V(WARNING, TAG, "%s: empty certificate", __func__);
}
......@@ -48,8 +48,8 @@ void GetPkixInfo(PkiInfo_t * inf)
OIC_LOG_V(WARNING, TAG, "%s: empty key", __func__);
}
(void)GetPemCaCert(&inf->ca, TRUST_CA);
if (inf->ca.len == 0)
GetCaCert(&inf->ca, TRUST_CA);
if (NULL == inf->ca.cert || 0 == inf->ca.cert->len)
{
OIC_LOG_V(WARNING, TAG, "%s: empty CA cert", __func__);
}
......@@ -67,9 +67,17 @@ void GetManufacturerPkixInfo(PkiInfo_t * inf)
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return;
}
GetPemOwnCert(&inf->crt, MF_PRIMARY_CERT);
GetOwnCert(&inf->crt, MF_PRIMARY_CERT);
if (NULL == inf->crt.cert || 0 == inf->crt.cert->len)
{
OIC_LOG_V(WARNING, TAG, "%s: empty certificate", __func__);
}
GetDerKey(&inf->key, MF_PRIMARY_CERT);
(void)GetPemCaCert(&inf->ca, MF_TRUST_CA);
GetCaCert(&inf->ca, MF_TRUST_CA);
if (NULL == inf->ca.cert || 0 == inf->ca.cert->len)
{
OIC_LOG_V(WARNING, TAG, "%s: empty CA cert", __func__);
}
// CRL not provided
inf->crl.data = NULL;
inf->crl.len = 0;
......
......@@ -49,6 +49,7 @@
#include "ocstackinternal.h"
#include "rolesresource.h"
#include "secureresourcemanager.h"
#include "parsechain.h"
#define TAG "OIC_SRM_ROLES"
......@@ -1159,7 +1160,7 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
RolesEntry_t *targetEntry = NULL;
OicSecRole_t *rolesToReturn = NULL;
size_t rolesToReturnCount = 0;
ByteArray_t trustedCaCerts;
ByteArrayLL_t trustedCaCerts;
memset(&trustedCaCerts, 0, sizeof(trustedCaCerts));
OCStackResult res = GetPeerPublicKeyFromEndpoint(endpoint, &publicKey, &publicKeyLength);
......@@ -1274,8 +1275,8 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
InvalidateRoleCache(targetEntry);
/* Retrieve the current set of trusted CAs from the cred resource. */
res = GetPemCaCert(&trustedCaCerts, TRUST_CA);
if (OC_STACK_OK != res)
GetCaCert(&trustedCaCerts, TRUST_CA);
if (NULL == trustedCaCerts.cert || 0 == trustedCaCerts.cert->len)
{
OIC_LOG_V(ERROR, TAG, "Could not get CA certs: %d", res);
OICFree(publicKey);
......@@ -1291,8 +1292,7 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
struct tm notValidAfter;
memset(&notValidAfter, 0, sizeof(notValidAfter));
res = OCInternalVerifyRoleCertificate(&chain->certificate, trustedCaCerts.data,
trustedCaCerts.len, &currCertRoles,
res = OCInternalVerifyRoleCertificate(&chain->certificate, &trustedCaCerts, &currCertRoles,
&currCertRolesCount, &notValidAfter);
if (OC_STACK_OK != res)
......@@ -1312,7 +1312,7 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
{
OIC_LOG(ERROR, TAG, "No memory reallocating rolesToReturn");
memset(&targetEntry->cacheValidUntil, 0, sizeof(targetEntry->cacheValidUntil));
OICFree(trustedCaCerts.data);
FreeCertChain(&trustedCaCerts);
OICFree(savePtr);
OICFree(currCertRoles);
OICFree(publicKey);
......@@ -1355,14 +1355,14 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
if (NULL == *roles)
{
OICFree(publicKey);
OICFree(trustedCaCerts.data);
FreeCertChain(&trustedCaCerts);
return OC_STACK_NO_MEMORY;
}
memcpy(*roles, targetEntry->cachedRoles, (targetEntry->cachedRolesLength * sizeof(OicSecRole_t)));
*roleCount = targetEntry->cachedRolesLength;
OICFree(publicKey);
OICFree(trustedCaCerts.data);
FreeCertChain(&trustedCaCerts);
return OC_STACK_OK;
}
......
......@@ -61,6 +61,14 @@ typedef enum SubOperationType
BACK = 99
} SubOperationType_t;
typedef struct
{
ByteArray_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArray_t key; /**< own private key as binary-encoded DER */
ByteArray_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArray_t crl; /**< trusted CRLs as binary-encoded DER */
} PkiInfoCrt_t;
void PrintUuid(const OicUuid_t *uuid);
void PrintIntArray(const int *array, size_t length);
void PrintStringArray(const char **array, size_t length);
......
......@@ -528,7 +528,7 @@ void PrintCredList(const OicSecCred_t *creds)
char buf[2048];
mbedtls_x509_crt crt;
mbedtls_x509_crt *tmpCrt = NULL;
PkiInfo_t inf;
PkiInfoCrt_t inf;
int i = 0;
memset(&inf, 0x00, sizeof(PkiInfo_t));
......@@ -553,7 +553,7 @@ void PrintCredList(const OicSecCred_t *creds)
char buf[2048];
mbedtls_x509_crt ca;
mbedtls_x509_crt *tmpCa = NULL;
PkiInfo_t inf;
PkiInfoCrt_t inf;
int i = 0;
memset(&inf, 0x00, sizeof(PkiInfo_t));
......@@ -596,7 +596,7 @@ void PrintCredList(const OicSecCred_t *creds)
char buf[2048];
mbedtls_x509_crt ca;
mbedtls_x509_crt *tmpCa = NULL;
PkiInfo_t inf;
PkiInfoCrt_t inf;
int i = 0;
memset(&inf, 0x00, sizeof(PkiInfo_t));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment