Commit 3b14423a authored by Oleksii Beketov's avatar Oleksii Beketov

[IOT-3276] Multiple CAs allowed

This patch unites reverted #22987 and CTT fix 23279.

PEM/DER casting removed,  allowing mbedtls to manage
certificate conversion by itself. Credresource loads
certificates that could be either PEM or DER encoded
to a linked list instead of pushing them to a buffer.

Change-Id: I6dd0d957721d59feaf70f3dd421bf65d7c02ef1d
Signed-off-by: default avatarOleksii Beketov <ol.beketov@samsung.com>
parent 5a93b8ee
...@@ -45,6 +45,13 @@ typedef struct ByteArray ...@@ -45,6 +45,13 @@ typedef struct ByteArray
size_t len; /**< Data size */ size_t len; /**< Data size */
} ByteArray_t; } ByteArray_t;
typedef struct ByteArrayLL ByteArrayLL_t;
struct ByteArrayLL
{
ByteArray_t *cert;
ByteArrayLL_t *next;
};
/**@def BYTE_ARRAY_INITIALIZER /**@def BYTE_ARRAY_INITIALIZER
* *
...@@ -53,6 +60,13 @@ typedef struct ByteArray ...@@ -53,6 +60,13 @@ typedef struct ByteArray
#undef BYTE_ARRAY_INITIALIZER #undef BYTE_ARRAY_INITIALIZER
#define BYTE_ARRAY_INITIALIZER {NULL, 0} #define BYTE_ARRAY_INITIALIZER {NULL, 0}
/**@def CERT_CHAIN_INITIALIZER
*
* Initializes of existing certificate chain pointer to \a NULL.
*/
#undef CERT_CHAIN_INITIALIZER
#define CERT_CHAIN_INITIALIZER {NULL, NULL}
/**@def INIT_BYTE_ARRAY(array) /**@def INIT_BYTE_ARRAY(array)
* *
* Initializes of existing byte array \a array. * Initializes of existing byte array \a array.
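Review bot: `struct ByteArrayLL` and `CERT_CHAIN_INITIALIZER` are added without any statement of ownership, which matters because FreeCertChain() in this same commit calls OICFree() on every node's `cert->data` and `cert` but never on the node itself, so the head is expected to be embedded (it is a plain `ByteArrayLL_t` member of PkiInfo_t) while `cert` and `cert->data` must be heap-allocated. I'd put that contract on the struct: `/** Node of a certificate list; cert (PEM with trailing NUL, or DER) and cert->data are heap-owned and released by FreeCertChain(); the head node is embedded in PkiInfo_t and is not freed. */`. The `CERT_CHAIN_INITIALIZER` comment says it initializes a "certificate chain pointer to NULL", but it initializes the embedded head node (`{NULL, NULL}`), not a pointer; `* Initializes an embedded certificate list head to empty.` is accurate. Whether the non-head nodes are heap-allocated by the cred resource is not visible in this diff, so please confirm before documenting that part.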
...@@ -109,6 +109,7 @@ bool CAGetSecureEndpointAttributes(const CAEndpoint_t* peer, uint32_t* allAttrib ...@@ -109,6 +109,7 @@ bool CAGetSecureEndpointAttributes(const CAEndpoint_t* peer, uint32_t* allAttrib
* *
*/ */
typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId); typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
/** /**
* Binary structure containing PKIX related info * Binary structure containing PKIX related info
* own certificate chain, public key, CA's and CRL's * own certificate chain, public key, CA's and CRL's
...@@ -119,9 +120,9 @@ typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId); ...@@ -119,9 +120,9 @@ typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
*/ */
typedef struct typedef struct
{ {
ByteArray_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */ ByteArrayLL_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArray_t key; /**< own private key as binary-encoded DER */ ByteArray_t key; /**< own private key as binary-encoded DER */
ByteArray_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */ ByteArrayLL_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArray_t crl; /**< trusted CRLs as binary-encoded DER */ ByteArray_t crl; /**< trusted CRLs as binary-encoded DER */
} PkiInfo_t; } PkiInfo_t;
...@@ -333,4 +334,3 @@ void CAcloseSslConnectionAll(CATransportAdapter_t transportType); ...@@ -333,4 +334,3 @@ void CAcloseSslConnectionAll(CATransportAdapter_t transportType);
#endif /* CA_SECURITY_INTERFACE_H_ */ #endif /* CA_SECURITY_INTERFACE_H_ */
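Review bot: The field comments on `crt` and `ca` in PkiInfo_t still read "as a null-terminated PEM string of certificates" although both fields are now `ByteArrayLL_t` lists whose entries, per the commit message, may be PEM or DER. I'd change them to `ByteArrayLL_t crt; /**< own certificate chain: list head; each entry PEM (NUL-terminated, len includes the NUL) or DER */` and `ByteArrayLL_t ca; /**< trusted CAs: list head; each entry PEM (NUL-terminated, len includes the NUL) or DER */`. The NUL requirement is worth keeping because the removed ParseChain() doc and the unit-test comment ("PEM data must end in newline and be null terminated") both relied on it, and mbedtls is now the only thing deciding PEM versus DER. It is also worth saying that these are embedded head nodes, not pointers, so callers must initialize them with CERT_CHAIN_INITIALIZER before invoking the PKIX callback and release them with FreeCertChain().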
...@@ -27,6 +27,9 @@ ca_common_src = [ ...@@ -27,6 +27,9 @@ ca_common_src = [
os.path.join(ca_common_src_path, 'caremotehandler.c') os.path.join(ca_common_src_path, 'caremotehandler.c')
] ]
if connectivity_env.get('SECURED') == '1':
ca_common_src.append(os.path.join(ca_common_src_path, 'parsechain.c'))
if connectivity_env['POSIX_SUPPORTED'] or target_os in ['windows']: if connectivity_env['POSIX_SUPPORTED'] or target_os in ['windows']:
ca_common_src.append(os.path.join(ca_common_src_path, 'cathreadpool_pthreads.c')) ca_common_src.append(os.path.join(ca_common_src_path, 'cathreadpool_pthreads.c'))
/* ****************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#ifndef U_PARSECHAIN_H_
#define U_PARSECHAIN_H_
#include <mbedtls/ssl.h>
#include "casecurityinterface.h"
#ifdef __cplusplus
extern "C"
{
#endif
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] certs array of X.509 certificates
* @param[in] errNum number of certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum);
/**
* Free chain of X.509 certificates.
*
* @param[in] certs array of X.509 certificates
*/
void FreeCertChain(ByteArrayLL_t *certs);
#ifdef __cplusplus
}
#endif
#endif /* U_ARRAYLIST_H_ */
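Review bot: The `@param[in] errNum` tag on ParseChain() is wrong — the implementation writes through it (`*errNum = 0`, `(*errNum)++`), so it is `@param[out]`, and the return doc overstates what is counted: the loop in parsechain.c increments `count` once per list node accepted by mbedtls_x509_crt_parse(), so a PEM node holding several certificates counts as one, and the function returns -1 on the first failing node rather than continuing. I'd write `@param[out] errNum set to 0, then to 1 for the entry that failed to parse` and `@return number of list entries parsed, or -1 if any entry fails or a parameter is NULL`. The closing guard comment reads `#endif /* U_ARRAYLIST_H_ */` while the guard is `U_PARSECHAIN_H_`. Finally `<mbedtls/ssl.h>` is included only for `mbedtls_x509_crt`; `<mbedtls/x509_crt.h>` is the narrower header.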
/******************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#include "parsechain.h"
#include "utlist.h"
#include "caadapterutils.h"
#include "oic_malloc.h"
#define PARSE_CHAIN_TAG "OIC_PARSE_CHAIN"
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum)
{
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, PARSE_CHAIN_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(certs, PARSE_CHAIN_TAG, "Param certs is NULL", -1);
VERIFY_NON_NULL_RET(errNum, PARSE_CHAIN_TAG, "Param errNum is NULL", -1);
VERIFY_NON_NULL_RET(certs->cert, PARSE_CHAIN_TAG, "certs->cert is NULL", -1);
int count = 0;
int ret = 0;
*errNum = 0;
const ByteArrayLL_t *temp = certs;
LL_FOREACH(certs, temp)
{
ret = mbedtls_x509_crt_parse(crt, temp->cert->data, temp->cert->len);
if (0 == ret)
{
count++;
}
else
{
(*errNum)++;
OIC_LOG_V(ERROR, PARSE_CHAIN_TAG, "mbedtls_x509_crt_parse returned -0x%04x\n", -(ret));
return -1;
}
}
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "%s successfully parsed %d certificates", __func__, count);
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "Out %s", __func__);
return count;
}
void FreeCertChain(ByteArrayLL_t *certs)
{
ByteArrayLL_t *tmp0 = certs, *tmp1 = NULL, *tmp2 = NULL;
LL_FOREACH_SAFE(tmp0, tmp1, tmp2)
{
LL_DELETE(tmp0, tmp1);
if (NULL != tmp1->cert) {
if (NULL != tmp1->cert->data)
{
OICFree(tmp1->cert->data);
}
OICFree(tmp1->cert);
}
tmp1 = NULL;
}
}
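Review bot: ParseChain() NULL-checks only the head's `certs->cert` but dereferences `temp->cert->data` for every node inside LL_FOREACH, so a list whose later node has `cert == NULL` crashes instead of returning -1; a per-node guard is needed. FreeCertChain() has the mirror problem: it frees `cert->data` and `cert` but leaves the pointers in the (embedded) head node dangling, so a second call on the same PkiInfo_t is a double free, and it never frees non-head nodes, which leak if GetOwnCert()/GetCaCert() allocate them on the heap — their implementation is not in this diff, so please confirm before adding that free. Also worth a comment: because the loop returns on the first error, `*errNum` can only be 0 or 1, unlike the removed implementation which counted every failed certificate in a bundle. Proposed changes below.
```c
    LL_FOREACH(certs, temp)
    {
        if (NULL == temp->cert || NULL == temp->cert->data)
        {
            (*errNum)++;
            OIC_LOG(ERROR, PARSE_CHAIN_TAG, "Empty certificate entry in chain");
            return -1;
        }
        ret = mbedtls_x509_crt_parse(crt, temp->cert->data, temp->cert->len);
        /* … unchanged: count / error handling … */
    }

void FreeCertChain(ByteArrayLL_t *certs)
{
    ByteArrayLL_t *tmp0 = certs, *tmp1 = NULL, *tmp2 = NULL;
    LL_FOREACH_SAFE(tmp0, tmp1, tmp2)
    {
        LL_DELETE(tmp0, tmp1);
        if (NULL != tmp1->cert)
        {
            if (NULL != tmp1->cert->data)
            {
                OICFree(tmp1->cert->data);
            }
            OICFree(tmp1->cert);
            tmp1->cert = NULL;   /* the head is embedded in PkiInfo_t; leave no dangling pointer */
        }
        tmp1->next = NULL;
        /* TODO(review): OICFree(tmp1) when tmp1 != certs, once the producers are confirmed to heap-allocate nodes */
    }
}
```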
...@@ -38,6 +38,8 @@ ...@@ -38,6 +38,8 @@
#include "experimental/byte_array.h" #include "experimental/byte_array.h"
#include "octhread.h" #include "octhread.h"
#include "octimer.h" #include "octimer.h"
#include "utlist.h"
#include "parsechain.h"
// headers required for mbed TLS // headers required for mbed TLS
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
...@@ -647,57 +649,6 @@ static int RecvCallBack(void * tep, unsigned char * data, size_t dataLen) ...@@ -647,57 +649,6 @@ static int RecvCallBack(void * tep, unsigned char * data, size_t dataLen)
return (int)retLen; return (int)retLen;
} }
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] buf buffer with X.509 certificates. Certificates must be in a single null-terminated
* string, with each certificate in PEM encoding with headers.
* @param[in] bufLen buffer length
* @param[in] errNum number certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
static int ParseChain(mbedtls_x509_crt * crt, unsigned char * buf, size_t bufLen, int * errNum)
{
int ret;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, NET_SSL_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(buf, NET_SSL_TAG, "Param buf is NULL", -1);
if (NULL != errNum)
{
*errNum = 0;
}
if ((bufLen >= 2) && (buf[0] == 0x30) && (buf[1] == 0x82))
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "DER-encoded certificate passed to ParseChain");
return -1;
}
ret = mbedtls_x509_crt_parse(crt, buf, bufLen);
if (0 > ret)
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse failed: -0x%04x", -(ret));
return -1;
}
if (NULL != errNum)
{
*errNum = ret;
}
ret = 0;
for (const mbedtls_x509_crt *cur = crt; cur != NULL; cur = cur->next)
{
ret++;
}
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return ret;
}
/** /**
* Deinit Pki Info * Deinit Pki Info
* *
...@@ -714,9 +665,9 @@ static void DeInitPkixInfo(PkiInfo_t * inf) ...@@ -714,9 +665,9 @@ static void DeInitPkixInfo(PkiInfo_t * inf)
return; return;
} }
DEINIT_BYTE_ARRAY(inf->crt); FreeCertChain(&(inf->crt));
DEINIT_BYTE_ARRAY(inf->key); DEINIT_BYTE_ARRAY(inf->key);
DEINIT_BYTE_ARRAY(inf->ca); FreeCertChain(&(inf->ca));
DEINIT_BYTE_ARRAY(inf->crl); DEINIT_BYTE_ARRAY(inf->crl);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
...@@ -729,9 +680,9 @@ static int InitPKIX(CATransportAdapter_t adapter) ...@@ -729,9 +680,9 @@ static int InitPKIX(CATransportAdapter_t adapter)
VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_SSL_TAG, "PKIX info callback is NULL", -1); VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_SSL_TAG, "PKIX info callback is NULL", -1);
// load pk key, cert, trust chain and crl // load pk key, cert, trust chain and crl
PkiInfo_t pkiInfo = { PkiInfo_t pkiInfo = {
CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER, BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER, CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER BYTE_ARRAY_INITIALIZER
}; };
...@@ -739,7 +690,6 @@ static int InitPKIX(CATransportAdapter_t adapter) ...@@ -739,7 +690,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
{ {
g_getPkixInfoCallback(&pkiInfo); g_getPkixInfoCallback(&pkiInfo);
} }
VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1); VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
mbedtls_x509_crt_free(&g_caSslContext->ca); mbedtls_x509_crt_free(&g_caSslContext->ca);
...@@ -751,7 +701,6 @@ static int InitPKIX(CATransportAdapter_t adapter) ...@@ -751,7 +701,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
mbedtls_x509_crt_init(&g_caSslContext->crt); mbedtls_x509_crt_init(&g_caSslContext->crt);
mbedtls_pk_init(&g_caSslContext->pkey); mbedtls_pk_init(&g_caSslContext->pkey);
mbedtls_x509_crl_init(&g_caSslContext->crl); mbedtls_x509_crl_init(&g_caSslContext->crl);
mbedtls_ssl_config * serverConf = (adapter == CA_ADAPTER_IP || mbedtls_ssl_config * serverConf = (adapter == CA_ADAPTER_IP ||
adapter == CA_ADAPTER_GATT_BTLE ? adapter == CA_ADAPTER_GATT_BTLE ?
&g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf); &g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf);
...@@ -761,7 +710,7 @@ static int InitPKIX(CATransportAdapter_t adapter) ...@@ -761,7 +710,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
// optional // optional
int ret; int ret;
int errNum; int errNum;
int count = ParseChain(&g_caSslContext->crt, pkiInfo.crt.data, pkiInfo.crt.len, &errNum); int count = ParseChain(&g_caSslContext->crt, &(pkiInfo.crt), &errNum);
if (0 >= count) if (0 >= count)
{ {
OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate chain parsing error"); OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate chain parsing error");
...@@ -810,7 +759,7 @@ static int InitPKIX(CATransportAdapter_t adapter) ...@@ -810,7 +759,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
} }
required: required:
count = ParseChain(&g_caSslContext->ca, pkiInfo.ca.data, pkiInfo.ca.len, &errNum); count = ParseChain(&g_caSslContext->ca, &(pkiInfo.ca), &errNum);
if(0 >= count) if(0 >= count)
{ {
OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error"); OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error");
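Review bot: The `required:` CA load at `count = ParseChain(&g_caSslContext->ca, &(pkiInfo.ca), &errNum);` now fails on the first list entry mbedtls rejects, because the new ParseChain() returns -1 instead of continuing, whereas the removed implementation returned the number of certificates parsed and reported failures through `errNum` — so one corrupt or unsupported CA entry in the cred resource now aborts InitPKIX() and every secure session, where previously the trust store merely shrank. Failing closed on trust anchors is defensible, but it is a silent behavior change; I'd at least say so in the log, `OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error: no CA loaded because an entry failed to parse");`, and re-check whatever consumes `errNum` after the own-cert ParseChain() (outside this hunk), since it can now only be 0 or 1. The removed function also spelled out the input contract and rejected DER; with DER now accepted through mbedtls auto-detection, the comment `// load pk key, cert, trust chain and crl` could become `// load pk key, cert, trust chain and crl; certificates may be PEM (len must include the terminating NUL) or DER`. InitPKIX() continues past the end of this hunk.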
...@@ -81,7 +81,7 @@ void adapter_handler(CATransportAdapter_t /*adapter*/, ...@@ -81,7 +81,7 @@ void adapter_handler(CATransportAdapter_t /*adapter*/,
{ {
} }
void connection_handler(const CAEndpoint_t * /*endpoint*/, void connection_handler(const CAEndpoint_t * /*endpoint*/,
bool /*connected*/) bool /*connected*/)
{ {
} }
...@@ -199,12 +199,14 @@ void provide_x509_cert_and_key(PkiInfo_t* inf) ...@@ -199,12 +199,14 @@ void provide_x509_cert_and_key(PkiInfo_t* inf)
{ {
/* PEM data must end in newline and be null terminated for IoTivity */ /* PEM data must end in newline and be null terminated for IoTivity */
inf->crt.data = (uint8_t*) our_cert; inf->crt.cert->data = (uint8_t*) our_cert;
inf->crt.len = strlen(our_cert) + 1; inf->crt.cert->len = strlen(our_cert) + 1;
inf->crt.next = NULL;
inf->key.data = (uint8_t*) our_key; inf->key.data = (uint8_t*) our_key;
inf->key.len = strlen(our_key) + 1; inf->key.len = strlen(our_key) + 1;
inf->ca.data = (uint8_t*) our_ca; inf->ca.cert->data = (uint8_t*) our_ca;
inf->ca.len = strlen(our_ca) + 1; inf->ca.cert->len = strlen(our_ca) + 1;
inf->ca.next = NULL;
// CRL not provided // CRL not provided
inf->crl.data = NULL; inf->crl.data = NULL;
...@@ -222,11 +224,11 @@ void provide_supported_credential_types(bool* list, const char* /*deviceId*/) ...@@ -222,11 +224,11 @@ void provide_supported_credential_types(bool* list, const char* /*deviceId*/)
{ {
list[1] = true; list[1] = true;
/* /*
* Note: there is a default implementation of this in credresource.c, exposed by * Note: there is a default implementation of this in credresource.c, exposed by
* pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource * pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource
* has a credential of the required type, it updates list accordingly. * has a credential of the required type, it updates list accordingly.
* *
* In a separate test, we could use the cred resource and APIs (credresource.h). * In a separate test, we could use the cred resource and APIs (credresource.h).
*/ */
return; return;
} }
...@@ -365,9 +367,9 @@ TEST_F(CATests, DISABLED_PkiTest) ...@@ -365,9 +367,9 @@ TEST_F(CATests, DISABLED_PkiTest)
{ {
// @todo: this test is disabled for now, it crashes with an invalid write. Cert data // @todo: this test is disabled for now, it crashes with an invalid write. Cert data
// provided by the provide_x509_cert_and_key is stored as const char, but ParseChain() // provided by the provide_x509_cert_and_key is stored as const char, but ParseChain()
// (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to // (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to
// provide data on the heap, but the CA stack should not be changing data provided to it // provide data on the heap, but the CA stack should not be changing data provided to it
// by callbacks. // by callbacks.
const char* local_addr = "127.0.0.1"; const char* local_addr = "127.0.0.1";
uint16_t local_port = 5503; uint16_t local_port = 5503;
...@@ -391,7 +393,7 @@ TEST_F(CATests, DISABLED_PkiTest) ...@@ -391,7 +393,7 @@ TEST_F(CATests, DISABLED_PkiTest)
// Register a working callback to provide the keys, expect success. // Register a working callback to provide the keys, expect success.
EXPECT_EQ(CA_STATUS_OK, CAregisterPkixInfoHandler(provide_x509_cert_and_key)); EXPECT_EQ(CA_STATUS_OK, CAregisterPkixInfoHandler(provide_x509_cert_and_key));
EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr)); EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr));
CADestroyEndpoint(serverAddr); CADestroyEndpoint(serverAddr);
} }
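Review bot: `inf->crt.cert->data = (uint8_t*) our_cert;` in provide_x509_cert_and_key() dereferences `inf->crt.cert`, but the PkiInfo_t passed to the callback is built with CERT_CHAIN_INITIALIZER (`{NULL, NULL}`) in InitPKIX(), so this is a NULL dereference before any parsing happens; `inf->ca.cert->data` has the same problem. The callback must allocate the `ByteArray_t` payload, and because FreeCertChain() (reached via DeInitPkixInfo) calls OICFree() on both `cert->data` and `cert`, pointing `data` at the static `our_cert`/`our_ca` strings would then be freed incorrectly — heap copies are required. The @todo comment on DISABLED_PkiTest still blames a static ParseChain() in ca_adapter_net_ssl.c that this commit removes, so it should be updated (or the test re-enabled) once the callback is fixed. Rewritten callback body below, assuming oic_malloc.h is available to the test.
```cpp
void provide_x509_cert_and_key(PkiInfo_t* inf)
{
    /* PEM data must end in newline and be null terminated for IoTivity.
     * FreeCertChain() will OICFree() each node's cert and cert->data,
     * so hand over heap copies, never the static string literals. */
    inf->crt.cert = (ByteArray_t*) OICCalloc(1, sizeof(ByteArray_t));
    ASSERT_NE(nullptr, inf->crt.cert);
    inf->crt.cert->len = strlen(our_cert) + 1;
    inf->crt.cert->data = (uint8_t*) OICMalloc(inf->crt.cert->len);
    ASSERT_NE(nullptr, inf->crt.cert->data);
    memcpy(inf->crt.cert->data, our_cert, inf->crt.cert->len);
    inf->crt.next = NULL;

    // … unchanged: key …

    inf->ca.cert = (ByteArray_t*) OICCalloc(1, sizeof(ByteArray_t));
    ASSERT_NE(nullptr, inf->ca.cert);
    inf->ca.cert->len = strlen(our_ca) + 1;
    inf->ca.cert->data = (uint8_t*) OICMalloc(inf->ca.cert->len);
    ASSERT_NE(nullptr, inf->ca.cert->data);
    memcpy(inf->ca.cert->data, our_ca, inf->ca.cert->len);
    inf->ca.next = NULL;

    // … unchanged: CRL not provided …
}
```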
...@@ -23,8 +23,9 @@ ...@@ -23,8 +23,9 @@
#if defined(__WITH_TLS__) || defined(__WITH_DTLS__) #if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
#include "mbedtls/pk.h" #include <mbedtls/pk.h>
#include <time.h> #include <time.h>
#include "casecurityinterface.h"
/** /**
* Internal certificate request function; used by CSR resource handler * Internal certificate request function; used by CSR resource handler
...@@ -40,7 +41,7 @@ ...@@ -40,7 +41,7 @@
* *
* @return 0 on success, <0 on failure * @return 0 on success, <0 on failure
*/ */
int OCInternalCSRRequest(const char *subject, mbedtls_pk_context *keyPair, int OCInternalCSRRequest(const char *subject, mbedtls_pk_context *keyPair,
OicEncodingType_t encoding, OCByteString *csr); OicEncodingType_t encoding, OCByteString *csr);
/** /**
...@@ -65,7 +66,7 @@ int OCInternalGenerateKeyPair(mbedtls_pk_context *keyPair); ...@@ -65,7 +66,7 @@ int OCInternalGenerateKeyPair(mbedtls_pk_context *keyPair);
* 3. It contains at least one Subject Alternative Name extension that validly encodes a role. * 3. It contains at least one Subject Alternative Name extension that validly encodes a role.
* *
* It does NOT validate the cryptographic signature nor check its time validity. * It does NOT validate the cryptographic signature nor check its time validity.
* These checks should be done when the certificate is being used as part of an access control check, * These checks should be done when the certificate is being used as part of an access control check,
* as that is when the time validity check should be made, and when trusted CAs are known. * as that is when the time validity check should be made, and when trusted CAs are known.
* *
* @param[in] buf Buffer containing certificate as a PEM string * @param[in] buf Buffer containing certificate as a PEM string
...@@ -86,7 +87,7 @@ OCStackResult OCInternalIsValidRoleCertificate(const uint8_t *buf, size_t bufLen ...@@ -86,7 +87,7 @@ OCStackResult OCInternalIsValidRoleCertificate(const uint8_t *buf, size_t bufLen
/** /**
* Determine if a buffer contains a valid chain of certificates. This is intended to verify * Determine if a buffer contains a valid chain of certificates. This is intended to verify
* one or more intermediate CA certificates are valid. * one or more intermediate CA certificates are valid.
* *
* This only checks that they are valid X.509 structures; no verification of the cryptographic * This only checks that they are valid X.509 structures; no verification of the cryptographic
* signature of time-validity is performed. These should be done at point of use. * signature of time-validity is performed. These should be done at point of use.
* *
...@@ -110,8 +111,7 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen); ...@@ -110,8 +111,7 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
* parameters. * parameters.
* *
* @param[in] certificateChain OicSecKey_t containing one or more certificates * @param[in] certificateChain OicSecKey_t containing one or more certificates
* @param[in] trustedCaCerts PEM string containing the trusted CAs certificates * @param[in] trustedCaCerts Trusted CAs certificates chain container
* @param[in] trustedCaCertsLength Length of trustedCaCerts (including terminating NULL)
* @param[out] roles Pointer to receive array of OicSecRole_t objects listing roles * @param[out] roles Pointer to receive array of OicSecRole_t objects listing roles
* Caller must call OICFree to release this memory when finished * Caller must call OICFree to release this memory when finished
* @param[out] rolesLength Length of returned roles array * @param[out] rolesLength Length of returned roles array
...@@ -121,7 +121,8 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen); ...@@ -121,7 +121,8 @@ OCStackResult OCInternalIsValidCertChain(const uint8_t *buf, size_t bufLen);
* OC_STACK_INVALID_PARAM if the certificate is not valid. * OC_STACK_INVALID_PARAM if the certificate is not valid.
* OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during validation. * OC_STACK_NO_MEMORY or OC_STACK_ERROR if some other error arose during validation.
*/ */
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain, const uint8_t *trustedCaCerts, OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain,
size_t trustedCaCertsLength, OicSecRole_t **roles, const ByteArrayLL_t *trustedCaCerts,
size_t *rolesLength, struct tm *notValidAfter); OicSecRole_t **roles, size_t *rolesLength,
struct tm *notValidAfter);
#endif #endif
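Review bot: The new `@param[in] trustedCaCerts Trusted CAs certificates chain container` does not tell callers what the ParseChain() added in this commit demands of it: the list must be non-NULL and its head node must carry a certificate (`certs->cert != NULL`), otherwise ParseChain() returns -1 and the verification presumably fails — the tail of OCInternalVerifyRoleCertificate() is outside this diff. I'd write `@param[in] trustedCaCerts Linked list of trusted CA certificates (each node PEM with terminating NUL, or DER); must be non-NULL and hold at least one certificate`. Separately, `casecurityinterface.h` is included here only for `ByteArrayLL_t`, which is declared in `experimental/byte_array.h`; including the narrower header avoids making the certificate helpers depend on the whole CA security interface.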
...@@ -248,7 +248,7 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid); ...@@ -248,7 +248,7 @@ OCStackResult GetCredRownerId(OicUuid_t *rowneruuid);
* @param[out] crt certificates to be filled. * @param[out] crt certificates to be filled.
* @param[in] usage credential usage string. * @param[in] usage credential usage string.
*/ */
OCStackResult GetPemCaCert(ByteArray_t * crt, const char * usage); void GetCaCert(ByteArrayLL_t * crt, const char * usage);
/** /**
* Get a list of all role certificates. Used when asserting roles. * Get a list of all role certificates. Used when asserting roles.
...@@ -267,7 +267,7 @@ OCStackResult GetAllRoleCerts(RoleCertChain_t** roleCerts); ...@@ -267,7 +267,7 @@ OCStackResult GetAllRoleCerts(RoleCertChain_t** roleCerts);
* @param[out] crt certificate chain to be filled. * @param[out] crt certificate chain to be filled.
* @param[in] usage credential usage string. * @param[in] usage credential usage string.
*/ */
void GetPemOwnCert(ByteArray_t * crt, const char * usage); void GetOwnCert(ByteArrayLL_t * crt, const char * usage);
/** /**
* Used by mbedTLS to retrieve own private key * Used by mbedTLS to retrieve own private key
* *
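Review bot: `GetPemCaCert()` returned an `OCStackResult`, while its replacement `GetCaCert(ByteArrayLL_t * crt, const char * usage)` returns void, so the trust-store loader can no longer tell "no CA credentials present" from "allocation failed while building the list"; presumably both now surface only later as ParseChain() returning -1 on an empty head node. Unless the implementation (not in this diff) genuinely cannot fail, I'd keep the status: `OCStackResult GetCaCert(ByteArrayLL_t * crt, const char * usage);`. The doc above both accessors (`@param[out] crt certificates to be filled`) should also state that the caller passes an initialized head node (CERT_CHAIN_INITIALIZER) and releases the result with FreeCertChain(), since that is the ownership model the new list type implies.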
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
#include "cacommon.h" #include "cacommon.h"
#include "experimental/ocrandom.h" #include "experimental/ocrandom.h"
#include "cacommonutil.h" #include "cacommonutil.h"
#include "parsechain.h"
#include "ocpayload.h" #include "ocpayload.h"
#include "experimental/payload_logging.h" #include "experimental/payload_logging.h"
...@@ -440,9 +441,10 @@ static const mbedtls_x509_crt_profile s_certProfile = { ...@@ -440,9 +441,10 @@ static const mbedtls_x509_crt_profile s_certProfile = {
0 /* RSA minimum key length - not used because we only use EC key pairs */ 0 /* RSA minimum key length - not used because we only use EC key pairs */
}; };
OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain, const uint8_t *trustedCaCerts, OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChain,
size_t trustedCaCertsLength, OicSecRole_t **roles, const ByteArrayLL_t *trustedCaCerts,
size_t *rolesLength, struct tm *notValidAfter) OicSecRole_t **roles, size_t *rolesLength,
struct tm *notValidAfter)
{ {
bool freeData = false; bool freeData = false;
uint8_t *data = certificateChain->data; uint8_t *data = certificateChain->data;
...@@ -502,10 +504,17 @@ OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChai ...@@ -502,10 +504,17 @@ OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChai
goto exit; goto exit;
} }
mbedRet = mbedtls_x509_crt_parse(&trustedCas, trustedCaCerts, trustedCaCertsLength); int errNum;
if (0 > mbedRet) int count = ParseChain(&trustedCas, trustedCaCerts, &errNum);