ua_pki_default.c 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246
  1. /* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
  2. * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
  3. *
  4. * Copyright 2018 (c) Mark Giraud, Fraunhofer IOSB
  5. * Copyright 2019 (c) Kalycito Infotech Private Limited
  6. */
  7. #include <open62541/plugin/pki_default.h>
  8. #ifdef UA_ENABLE_ENCRYPTION
  9. #include <mbedtls/x509.h>
  10. #include <mbedtls/x509_crt.h>
  11. #endif
  12. /************/
  13. /* AllowAll */
  14. /************/
  15. static UA_StatusCode
  16. verifyCertificateAllowAll(void *verificationContext,
  17. const UA_ByteString *certificate) {
  18. return UA_STATUSCODE_GOOD;
  19. }
  20. static UA_StatusCode
  21. verifyApplicationURIAllowAll(void *verificationContext,
  22. const UA_ByteString *certificate,
  23. const UA_String *applicationURI) {
  24. return UA_STATUSCODE_GOOD;
  25. }
  26. static void
  27. deleteVerifyAllowAll(UA_CertificateVerification *cv) {
  28. }
  29. void UA_CertificateVerification_AcceptAll(UA_CertificateVerification *cv) {
  30. cv->verifyCertificate = verifyCertificateAllowAll;
  31. cv->verifyApplicationURI = verifyApplicationURIAllowAll;
  32. cv->deleteMembers = deleteVerifyAllowAll;
  33. }
  34. #ifdef UA_ENABLE_ENCRYPTION
  35. typedef struct {
  36. mbedtls_x509_crt certificateTrustList;
  37. mbedtls_x509_crl certificateRevocationList;
  38. } CertInfo;
  39. static UA_StatusCode
  40. certificateVerification_verify(void *verificationContext,
  41. const UA_ByteString *certificate) {
  42. CertInfo *ci = (CertInfo*)verificationContext;
  43. if(!ci)
  44. return UA_STATUSCODE_BADINTERNALERROR;
  45. /* Parse the certificate */
  46. mbedtls_x509_crt remoteCertificate;
  47. mbedtls_x509_crt_init(&remoteCertificate);
  48. int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
  49. certificate->length);
  50. if(mbedErr) {
  51. /* char errBuff[300]; */
  52. /* mbedtls_strerror(mbedErr, errBuff, 300); */
  53. /* UA_LOG_WARNING(data->policyContext->securityPolicy->logger, UA_LOGCATEGORY_SECURITYPOLICY, */
  54. /* "Could not parse the remote certificate with error: %s", errBuff); */
  55. return UA_STATUSCODE_BADSECURITYCHECKSFAILED;
  56. }
  57. /* Verify */
  58. mbedtls_x509_crt_profile crtProfile = {
  59. MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256),
  60. 0xFFFFFF, 0x000000, 128 * 8 // in bits
  61. }; // TODO: remove magic numbers
  62. uint32_t flags = 0;
  63. mbedErr = mbedtls_x509_crt_verify_with_profile(&remoteCertificate,
  64. &ci->certificateTrustList,
  65. &ci->certificateRevocationList,
  66. &crtProfile, NULL, &flags, NULL, NULL);
  67. // TODO: Extend verification
  68. /* This condition will check whether the certificate is a User certificate
  69. * or a CA certificate. If the MBEDTLS_X509_KU_KEY_CERT_SIGN and
  70. * MBEDTLS_X509_KU_CRL_SIGN of key_usage are set, then the certificate
  71. * shall be condidered as CA Certificate and cannot be used to establish a
  72. * connection. Refer the test case CTT/Security/Security Certificate Validation/029.js
  73. * for more details */
  74. if((remoteCertificate.key_usage & MBEDTLS_X509_KU_KEY_CERT_SIGN) &&
  75. (remoteCertificate.key_usage & MBEDTLS_X509_KU_CRL_SIGN)) {
  76. return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
  77. }
  78. UA_StatusCode retval = UA_STATUSCODE_GOOD;
  79. if(mbedErr) {
  80. /* char buff[100]; */
  81. /* mbedtls_x509_crt_verify_info(buff, 100, "", flags); */
  82. /* UA_LOG_ERROR(channelContextData->policyContext->securityPolicy->logger, */
  83. /* UA_LOGCATEGORY_SECURITYPOLICY, */
  84. /* "Verifying the certificate failed with error: %s", buff); */
  85. if(flags & (uint32_t)MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
  86. retval = UA_STATUSCODE_BADCERTIFICATEUNTRUSTED;
  87. } else if(flags & (uint32_t)MBEDTLS_X509_BADCERT_FUTURE ||
  88. flags & (uint32_t)MBEDTLS_X509_BADCERT_EXPIRED) {
  89. retval = UA_STATUSCODE_BADCERTIFICATETIMEINVALID;
  90. } else if(flags & (uint32_t)MBEDTLS_X509_BADCERT_REVOKED ||
  91. flags & (uint32_t)MBEDTLS_X509_BADCRL_EXPIRED) {
  92. retval = UA_STATUSCODE_BADCERTIFICATEREVOKED;
  93. } else {
  94. retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED;
  95. }
  96. }
  97. mbedtls_x509_crt_free(&remoteCertificate);
  98. return retval;
  99. }
  100. /* Find binary substring. Taken and adjusted from
  101. * http://tungchingkai.blogspot.com/2011/07/binary-strstr.html */
  102. static const unsigned char *
  103. bstrchr(const unsigned char *s, const unsigned char ch, size_t l) {
  104. /* find first occurrence of c in char s[] for length l*/
  105. /* handle special case */
  106. if(l == 0)
  107. return (NULL);
  108. for(; *s != ch; ++s, --l)
  109. if(l == 0)
  110. return (NULL);
  111. return s;
  112. }
  113. static const unsigned char *
  114. bstrstr(const unsigned char *s1, size_t l1, const unsigned char *s2, size_t l2) {
  115. /* find first occurrence of s2[] in s1[] for length l1*/
  116. const unsigned char *ss1 = s1;
  117. const unsigned char *ss2 = s2;
  118. /* handle special case */
  119. if(l1 == 0)
  120. return (NULL);
  121. if(l2 == 0)
  122. return s1;
  123. /* match prefix */
  124. for (; (s1 = bstrchr(s1, *s2, (uintptr_t)ss1-(uintptr_t)s1+(uintptr_t)l1)) != NULL &&
  125. (uintptr_t)ss1-(uintptr_t)s1+(uintptr_t)l1 != 0; ++s1) {
  126. /* match rest of prefix */
  127. const unsigned char *sc1, *sc2;
  128. for (sc1 = s1, sc2 = s2; ;)
  129. if (++sc2 >= ss2+l2)
  130. return s1;
  131. else if (*++sc1 != *sc2)
  132. break;
  133. }
  134. return NULL;
  135. }
  136. static UA_StatusCode
  137. certificateVerification_verifyApplicationURI(void *verificationContext,
  138. const UA_ByteString *certificate,
  139. const UA_String *applicationURI) {
  140. CertInfo *ci = (CertInfo*)verificationContext;
  141. if(!ci)
  142. return UA_STATUSCODE_BADINTERNALERROR;
  143. /* Parse the certificate */
  144. mbedtls_x509_crt remoteCertificate;
  145. mbedtls_x509_crt_init(&remoteCertificate);
  146. int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
  147. certificate->length);
  148. if(mbedErr)
  149. return UA_STATUSCODE_BADSECURITYCHECKSFAILED;
  150. /* Poor man's ApplicationUri verification. mbedTLS does not parse all fields
  151. * of the Alternative Subject Name. Instead test whether the URI-string is
  152. * present in the v3_ext field in general.
  153. *
  154. * TODO: Improve parsing of the Alternative Subject Name */
  155. UA_StatusCode retval = UA_STATUSCODE_GOOD;
  156. if(bstrstr(remoteCertificate.v3_ext.p, remoteCertificate.v3_ext.len,
  157. applicationURI->data, applicationURI->length) == NULL)
  158. retval = UA_STATUSCODE_BADCERTIFICATEURIINVALID;
  159. mbedtls_x509_crt_free(&remoteCertificate);
  160. return retval;
  161. }
  162. static void
  163. certificateVerification_deleteMembers(UA_CertificateVerification *cv) {
  164. CertInfo *ci = (CertInfo*)cv->context;
  165. if(!ci)
  166. return;
  167. mbedtls_x509_crt_free(&ci->certificateTrustList);
  168. mbedtls_x509_crl_free(&ci->certificateRevocationList);
  169. UA_free(ci);
  170. cv->context = NULL;
  171. }
  172. UA_StatusCode
  173. UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
  174. const UA_ByteString *certificateTrustList,
  175. size_t certificateTrustListSize,
  176. const UA_ByteString *certificateRevocationList,
  177. size_t certificateRevocationListSize) {
  178. CertInfo *ci = (CertInfo*)UA_malloc(sizeof(CertInfo));
  179. if(!ci)
  180. return UA_STATUSCODE_BADOUTOFMEMORY;
  181. mbedtls_x509_crt_init(&ci->certificateTrustList);
  182. mbedtls_x509_crl_init(&ci->certificateRevocationList);
  183. cv->context = (void*)ci;
  184. if(certificateTrustListSize > 0)
  185. cv->verifyCertificate = certificateVerification_verify;
  186. else
  187. cv->verifyCertificate = verifyCertificateAllowAll;
  188. cv->deleteMembers = certificateVerification_deleteMembers;
  189. cv->verifyApplicationURI = certificateVerification_verifyApplicationURI;
  190. int err = 0;
  191. for(size_t i = 0; i < certificateTrustListSize; i++) {
  192. err = mbedtls_x509_crt_parse(&ci->certificateTrustList,
  193. certificateTrustList[i].data,
  194. certificateTrustList[i].length);
  195. if(err)
  196. goto error;
  197. }
  198. for(size_t i = 0; i < certificateRevocationListSize; i++) {
  199. err = mbedtls_x509_crl_parse(&ci->certificateRevocationList,
  200. certificateRevocationList[i].data,
  201. certificateRevocationList[i].length);
  202. if(err)
  203. goto error;
  204. }
  205. return UA_STATUSCODE_GOOD;
  206. error:
  207. certificateVerification_deleteMembers(cv);
  208. return UA_STATUSCODE_BADINTERNALERROR;
  209. }
  210. #endif