|
@@ -44,6 +44,7 @@ void UA_CertificateVerification_AcceptAll(UA_CertificateVerification *cv) {
|
|
|
|
|
|
typedef struct {
|
|
|
mbedtls_x509_crt certificateTrustList;
|
|
|
+ mbedtls_x509_crt certificateIssuerList;
|
|
|
mbedtls_x509_crl certificateRevocationList;
|
|
|
} CertInfo;
|
|
|
|
|
@@ -56,6 +57,10 @@ certificateVerification_verify(void *verificationContext,
|
|
|
|
|
|
/* Parse the certificate */
|
|
|
mbedtls_x509_crt remoteCertificate;
|
|
|
+
|
|
|
+ /* Temporary Object to parse the trustList */
|
|
|
+ mbedtls_x509_crt *tempCert;
|
|
|
+
|
|
|
mbedtls_x509_crt_init(&remoteCertificate);
|
|
|
int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
|
|
|
certificate->length);
|
|
@@ -79,6 +84,29 @@ certificateVerification_verify(void *verificationContext,
|
|
|
&ci->certificateRevocationList,
|
|
|
&crtProfile, NULL, &flags, NULL, NULL);
|
|
|
|
|
|
+ /* Flag to check if the remote certificate is trusted or not */
|
|
|
+ int TRUSTED = 0;
|
|
|
+
|
|
|
+ /* Check if the remoteCertificate is present in the trustList while mbedErr value is not zero */
|
|
|
+ if(mbedErr && !(flags & MBEDTLS_X509_BADCERT_EXPIRED) && !(flags & MBEDTLS_X509_BADCERT_FUTURE)) {
|
|
|
+ for(tempCert = &ci->certificateTrustList; tempCert != NULL; tempCert = tempCert->next) {
|
|
|
+ if(remoteCertificate.raw.len == tempCert->raw.len &&
|
|
|
+ memcmp(remoteCertificate.raw.p, tempCert->raw.p, remoteCertificate.raw.len) == 0) {
|
|
|
+ TRUSTED = 1;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /* If the remote certificate is present in the trustList then check if the issuer certificate
|
|
|
+ * of remoteCertificate is present in issuerList */
|
|
|
+ if(TRUSTED && mbedErr) {
|
|
|
+ mbedErr = mbedtls_x509_crt_verify_with_profile(&remoteCertificate,
|
|
|
+ &ci->certificateIssuerList,
|
|
|
+ &ci->certificateRevocationList,
|
|
|
+ &crtProfile, NULL, &flags, NULL, NULL);
|
|
|
+ }
|
|
|
+
|
|
|
// TODO: Extend verification
|
|
|
|
|
|
/* This condition will check whether the certificate is a User certificate
|
|
@@ -204,6 +232,8 @@ UA_StatusCode
|
|
|
UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
|
|
|
const UA_ByteString *certificateTrustList,
|
|
|
size_t certificateTrustListSize,
|
|
|
+ const UA_ByteString *certificateIssuerList,
|
|
|
+ size_t certificateIssuerListSize,
|
|
|
const UA_ByteString *certificateRevocationList,
|
|
|
size_t certificateRevocationListSize) {
|
|
|
CertInfo *ci = (CertInfo*)UA_malloc(sizeof(CertInfo));
|
|
@@ -211,6 +241,7 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
|
|
|
return UA_STATUSCODE_BADOUTOFMEMORY;
|
|
|
mbedtls_x509_crt_init(&ci->certificateTrustList);
|
|
|
mbedtls_x509_crl_init(&ci->certificateRevocationList);
|
|
|
+ mbedtls_x509_crt_init(&ci->certificateIssuerList);
|
|
|
|
|
|
cv->context = (void*)ci;
|
|
|
if(certificateTrustListSize > 0)
|
|
@@ -228,6 +259,13 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
|
|
|
if(err)
|
|
|
goto error;
|
|
|
}
|
|
|
+ for(size_t i = 0; i < certificateIssuerListSize; i++) {
|
|
|
+ err = mbedtls_x509_crt_parse(&ci->certificateIssuerList,
|
|
|
+ certificateIssuerList[i].data,
|
|
|
+ certificateIssuerList[i].length);
|
|
|
+ if(err)
|
|
|
+ goto error;
|
|
|
+ }
|
|
|
for(size_t i = 0; i < certificateRevocationListSize; i++) {
|
|
|
err = mbedtls_x509_crl_parse(&ci->certificateRevocationList,
|
|
|
certificateRevocationList[i].data,
|