
[TASK] Pass issuer list separately

 - At present issuer list is passed in trust list
 - Add functionality to pass the issuer list separately
 - Handle the condition where a client connects using
   a (trusted) certificate issued by a CA that is not
   itself trusted but is available
 - This resolves test case number 044.js and 045.js in
   Security Certificate Validation to pass simultaneously
 - usage : ./server_ctt <server-certificate.der> <private-key.der>
           [--trustlist <tl1.ctl> <tl2.ctl> ... ]
           [--issuerlist <il1.der> <il2.der> ... ]
           [--revocationlist <rv1.crl> <rv2.crl> ...]

Change-Id: I4a25af9f4c2b771da9492fafb534f72dcc6fc17d
Signed-off-by: Asish Ganesh <asish.g@kalycito.com>
Asish Ganesh 4 years ago

+ 10 - 1
examples/encryption/server_encryption.c

@@ -1,5 +1,9 @@
 /* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
- * See http://creativecommons.org/publicdomain/zero/1.0/ for more information. */
+ * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
+ *
+ *    Copyright 2019 (c) Kalycito Infotech Private Limited
+ *
+ */
 
 #include <open62541/client_highlevel.h>
 #include <open62541/plugin/log_stdout.h>
@@ -42,6 +46,10 @@ int main(int argc, char* argv[]) {
     for(size_t i = 0; i < trustListSize; i++)
         trustList[i] = loadFile(argv[i+3]);
 
+    /* Loading of a issuer list, not used in this application */
+    size_t issuerListSize = 0;
+    UA_ByteString *issuerList = NULL;
+
     /* Loading of a revocation list currently unsupported */
     UA_ByteString *revocationList = NULL;
     size_t revocationListSize = 0;
@@ -53,6 +61,7 @@ int main(int argc, char* argv[]) {
         UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
                                                        &certificate, &privateKey,
                                                        trustList, trustListSize,
+                                                       issuerList, issuerListSize,
                                                        revocationList, revocationListSize);
     UA_ByteString_clear(&certificate);
     UA_ByteString_clear(&privateKey);

+ 28 - 1
examples/server_ctt.c

@@ -448,6 +448,7 @@ usage(void) {
                    "Usage:\n"
                    "server_ctt <server-certificate.der> <private-key.der>\n"
                    "[--trustlist <tl1.ctl> <tl2.ctl> ... ]\n"
+                   "[--issuerlist <il1.der> <il2.der> ... ]\n"
                    "[--revocationlist <rv1.crl> <rv2.crl> ...]\n");
 }
 
@@ -489,15 +490,22 @@ int main(int argc, char **argv) {
 
         UA_ByteString trustList[100];
         size_t trustListSize = 0;
+        UA_ByteString issuerList[100];
+        size_t issuerListSize = 0;
         UA_ByteString revocationList[100];
         size_t revocationListSize = 0;
-        char filetype = ' '; /* t==trustlist, r==revocationlist */
+        char filetype = ' '; /* t==trustlist, l == issuerList, r==revocationlist */
         for(int i = 3; i < argc; i++) {
             if(strcmp(argv[i], "--trustlist") == 0) {
                 filetype = 't';
                 continue;
             }
 
+            if(strcmp(argv[i], "--issuerlist") == 0) {
+                filetype = 'l';
+                continue;
+            }
+
             if(strcmp(argv[i], "--revocationlist") == 0) {
                 filetype = 'r';
                 continue;
@@ -519,6 +527,22 @@ int main(int argc, char **argv) {
                 continue;
             }
 
+            if(filetype == 'l') {
+                if(issuerListSize >= 100) {
+                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                                 "Too many trust lists");
+                    return EXIT_FAILURE;
+                }
+                issuerList[issuerListSize] = loadFile(argv[i]);
+                if(issuerList[issuerListSize].data == NULL) {
+                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                                 "Unable to load trust list %s", argv[i]);
+                    return EXIT_FAILURE;
+                }
+                issuerListSize++;
+                continue;
+            }
+
             if(filetype == 'r') {
                 if(revocationListSize >= 100) {
                     UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
@@ -542,12 +566,15 @@ int main(int argc, char **argv) {
         UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
                                                        &certificate, &privateKey,
                                                        trustList, trustListSize,
+                                                       issuerList, issuerListSize,
                                                        revocationList, revocationListSize);
 
         UA_ByteString_clear(&certificate);
         UA_ByteString_clear(&privateKey);
         for(size_t i = 0; i < trustListSize; i++)
             UA_ByteString_clear(&trustList[i]);
+        for(size_t i = 0; i < issuerListSize; i++)
+            UA_ByteString_clear(&issuerList[i]);
         for(size_t i = 0; i < revocationListSize; i++)
             UA_ByteString_clear(&revocationList[i]);
     }
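Review bot: The two fatal messages in the new `filetype == 'l'` branch still say "trust list" (`"Too many trust lists"` and `"Unable to load trust list %s"`), so a problem with an issuer-list argument is reported as a trust-list problem to the operator; change them to `"Too many issuer lists"` and `"Unable to load issuer list %s"`. The branch otherwise mirrors the trust-list handling, including the cap of 100 entries and the per-entry `UA_ByteString_clear` added at the end of the section. main starts and continues outside these hunks.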

+ 3 - 0
plugins/include/open62541/plugin/pki_default.h

@@ -2,6 +2,7 @@
  * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
  *
  *    Copyright 2018 (c) Mark Giraud, Fraunhofer IOSB
+ *    Copyright 2019 (c) Kalycito Infotech Private Limited
  */
 
 #ifndef UA_PKI_CERTIFICATE_H_
@@ -23,6 +24,8 @@ UA_EXPORT UA_StatusCode
 UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
                                      const UA_ByteString *certificateTrustList,
                                      size_t certificateTrustListSize,
+                                     const UA_ByteString *certificateIssuerList,
+                                     size_t certificateIssuerListSize,
                                      const UA_ByteString *certificateRevocationList,
                                      size_t certificateRevocationListSize);
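Review bot: The new parameters `certificateIssuerList`/`certificateIssuerListSize` carry no documentation in this public header, and the same holds for `issuerList`/`issuerListSize` in plugins/include/open62541/server_config_default.h. From the prototype alone a caller cannot tell how the issuer list differs from the trust list, which is the security-relevant part: as far as I can read plugins/ua_pki_default.c in this commit, issuer certificates are only consulted to complete the chain of a certificate that is itself present in the trust list, and a certificate whose issuer is only in the issuer list is not accepted on that basis. I would add above the prototype: `/* certificateIssuerList: CA certificates that are not trusted by themselves but may be needed to build the chain of a trusted certificate; pass NULL with size 0 if none. */`. Since this changes the signature, every out-of-tree caller will need updating; that is worth a line in the header or changelog.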
 

+ 3 - 0
plugins/include/open62541/server_config_default.h

@@ -4,6 +4,7 @@
  *    Copyright 2017 (c) Fraunhofer IOSB (Author: Julius Pfrommer)
  *    Copyright 2017 (c) Stefan Profanter, fortiss GmbH
  *    Copyright 2018 (c) Mark Giraud, Fraunhofer IOSB
+ *    Copyright 2019 (c) Kalycito Infotech Private Limited
  */
 
 #ifndef UA_SERVER_CONFIG_DEFAULT_H_
@@ -66,6 +67,8 @@ UA_ServerConfig_setDefaultWithSecurityPolicies(UA_ServerConfig *conf,
                                                const UA_ByteString *privateKey,
                                                const UA_ByteString *trustList,
                                                size_t trustListSize,
+                                               const UA_ByteString *issuerList,
+                                               size_t issuerListSize,
                                                const UA_ByteString *revocationList,
                                                size_t revocationListSize);
 

+ 4 - 0
plugins/ua_config_default.c

@@ -543,6 +543,8 @@ UA_ServerConfig_setDefaultWithSecurityPolicies(UA_ServerConfig *conf,
                                                const UA_ByteString *privateKey,
                                                const UA_ByteString *trustList,
                                                size_t trustListSize,
+                                               const UA_ByteString *issuerList,
+                                               size_t issuerListSize,
                                                const UA_ByteString *revocationList,
                                                size_t revocationListSize) {
     UA_StatusCode retval = setDefaultConfig(conf);
@@ -553,6 +555,7 @@ UA_ServerConfig_setDefaultWithSecurityPolicies(UA_ServerConfig *conf,
 
     retval = UA_CertificateVerification_Trustlist(&conf->certificateVerification,
                                                   trustList, trustListSize,
+                                                  issuerList, issuerListSize,
                                                   revocationList, revocationListSize);
     if (retval != UA_STATUSCODE_GOOD)
         return retval;
@@ -673,6 +676,7 @@ UA_ClientConfig_setDefaultEncryption(UA_ClientConfig *config,
 
     retval = UA_CertificateVerification_Trustlist(&config->certificateVerification,
                                                   trustList, trustListSize,
+                                                  NULL, 0,
                                                   revocationList, revocationListSize);
     if(retval != UA_STATUSCODE_GOOD)
         return retval;
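Review bot: `UA_ClientConfig_setDefaultEncryption` hard-codes `NULL, 0` for the issuer list, so a client has no way to supply one even though the server API now can; if that is intentional, a comment at the call site such as `/* Issuer lists are not yet supported on the client side */` would save the next reader a search through the commit history. On the server path, `issuerList` is forwarded without any relation check against `issuerListSize`, and the parse loop in UA_CertificateVerification_Trustlist indexes it for `issuerListSize` entries, so a NULL pointer with a non-zero size dereferences NULL; this mirrors the existing handling of `trustList`, so it is a pre-existing pattern rather than a regression. Both enclosing functions start and end outside the hunks.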

+ 38 - 0
plugins/ua_pki_default.c

@@ -44,6 +44,7 @@ void UA_CertificateVerification_AcceptAll(UA_CertificateVerification *cv) {
 
 typedef struct {
     mbedtls_x509_crt certificateTrustList;
+    mbedtls_x509_crt certificateIssuerList;
     mbedtls_x509_crl certificateRevocationList;
 } CertInfo;
 
@@ -56,6 +57,10 @@ certificateVerification_verify(void *verificationContext,
 
     /* Parse the certificate */
     mbedtls_x509_crt remoteCertificate;
+
+    /* Temporary Object to parse the trustList */
+    mbedtls_x509_crt *tempCert;
+
     mbedtls_x509_crt_init(&remoteCertificate);
     int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
                                          certificate->length);
@@ -79,6 +84,29 @@ certificateVerification_verify(void *verificationContext,
                                                    &ci->certificateRevocationList,
                                                    &crtProfile, NULL, &flags, NULL, NULL);
 
+    /* Flag to check if the remote certificate is trusted or not */
+    int TRUSTED = 0;
+
+    /* Check if the remoteCertificate is present in the trustList while mbedErr value is not zero */
+    if(mbedErr && !(flags & MBEDTLS_X509_BADCERT_EXPIRED) && !(flags & MBEDTLS_X509_BADCERT_FUTURE)) {
+        for(tempCert = &ci->certificateTrustList; tempCert != NULL; tempCert = tempCert->next) {
+            if(remoteCertificate.raw.len == tempCert->raw.len &&
+               memcmp(remoteCertificate.raw.p, tempCert->raw.p, remoteCertificate.raw.len) == 0) {
+                TRUSTED = 1;
+                break;
+            }
+        }
+    }
+
+    /* If the remote certificate is present in the trustList then check if the issuer certificate
+     * of remoteCertificate is present in issuerList */
+    if(TRUSTED && mbedErr) {
+        mbedErr = mbedtls_x509_crt_verify_with_profile(&remoteCertificate,
+                                                       &ci->certificateIssuerList,
+                                                       &ci->certificateRevocationList,
+                                                       &crtProfile, NULL, &flags, NULL, NULL);
+    }
+
     // TODO: Extend verification
 
     /* This condition will check whether the certificate is a User certificate
@@ -204,6 +232,8 @@ UA_StatusCode
 UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
                                      const UA_ByteString *certificateTrustList,
                                      size_t certificateTrustListSize,
+                                     const UA_ByteString *certificateIssuerList,
+                                     size_t certificateIssuerListSize,
                                      const UA_ByteString *certificateRevocationList,
                                      size_t certificateRevocationListSize) {
     CertInfo *ci = (CertInfo*)UA_malloc(sizeof(CertInfo));
@@ -211,6 +241,7 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
         return UA_STATUSCODE_BADOUTOFMEMORY;
     mbedtls_x509_crt_init(&ci->certificateTrustList);
     mbedtls_x509_crl_init(&ci->certificateRevocationList);
+    mbedtls_x509_crt_init(&ci->certificateIssuerList);
 
     cv->context = (void*)ci;
     if(certificateTrustListSize > 0)
@@ -228,6 +259,13 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
         if(err)
             goto error;
     }
+    for(size_t i = 0; i < certificateIssuerListSize; i++) {
+        err = mbedtls_x509_crt_parse(&ci->certificateIssuerList,
+                                     certificateIssuerList[i].data,
+                                     certificateIssuerList[i].length);
+        if(err)
+            goto error;
+    }
     for(size_t i = 0; i < certificateRevocationListSize; i++) {
         err = mbedtls_x509_crl_parse(&ci->certificateRevocationList,
                                      certificateRevocationList[i].data,
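Review bot: `ci->certificateIssuerList` is initialised and parsed, but none of the 38 added lines in this file frees it; unless the context clear function and the `error:` label (both outside these hunks) were updated elsewhere, every `UA_CertificateVerification_Trustlist` context now leaks the parsed issuer chain, so add `mbedtls_x509_crt_free(&ci->certificateIssuerList);` next to the existing frees of the trust list and CRL. In `certificateVerification_verify` the second `mbedtls_x509_crt_verify_with_profile` call uses the issuer list as the trust-anchor set, which is acceptable only because it is gated on the leaf being byte-identical to a trust-list entry (and the CRL is still passed), and that reasoning should be stated where the code is, e.g. `/* Leaf is explicitly trusted: re-verify against the issuer list only to complete its chain; revocation still applies */`. The local `TRUSTED` reads like a macro; `int trusted = 0;` would match the surrounding naming. Both enclosing functions continue outside the hunks.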

+ 10 - 1
tests/encryption/check_encryption_basic128rsa15.c

@@ -1,6 +1,10 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ *    Copyright 2019 (c) Kalycito Infotech Private Limited
+ *
+ */
 
 #include <open62541/client_config_default.h>
 #include <open62541/plugin/securitypolicy_default.h>
@@ -45,6 +49,10 @@ static void setup(void) {
     size_t trustListSize = 0;
     UA_ByteString *trustList = NULL;
 
+    /* Load the issuerList */
+    size_t issuerListSize = 0;
+    UA_ByteString *issuerList = NULL;
+
     /* TODO test trustList
     if(argc > 3)
         trustListSize = (size_t)argc-3;
@@ -61,6 +69,7 @@ static void setup(void) {
     UA_ServerConfig_setDefaultWithSecurityPolicies(UA_Server_getConfig(server),
                                                    4840, &certificate, &privateKey,
                                                    trustList, trustListSize,
+                                                   issuerList, issuerListSize,
                                                    revocationList, revocationListSize);
 
     for(size_t i = 0; i < trustListSize; i++)
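Review bot: Both new test setups (here and in tests/encryption/check_encryption_basic256sha256.c) pass `issuerList = NULL` with size 0, so the issuer-list path added in plugins/ua_pki_default.c — a trusted leaf whose CA is present only in the issuer list — is not exercised by any unit test; only the CTT cases named in the commit message cover it. The commented-out `TODO test trustList` block above suggests certificate fixtures are not yet wired into these tests, but a test that passes a non-empty issuer list and checks that a leaf absent from the trust list is still rejected would pin the security property this commit relies on. setup continues outside the hunk.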

+ 10 - 1
tests/encryption/check_encryption_basic256sha256.c

@@ -1,6 +1,10 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ *    Copyright 2019 (c) Kalycito Infotech Private Limited
+ *
+ */
 
 #include <open62541/client.h>
 #include <open62541/client_config_default.h>
@@ -48,6 +52,10 @@ static void setup(void) {
     size_t trustListSize = 0;
     UA_ByteString *trustList = NULL;
 
+    /* Load the issuerList */
+    size_t issuerListSize = 0;
+    UA_ByteString *issuerList = NULL;
+
     /* TODO test trustList
     if(argc > 3)
         trustListSize = (size_t)argc-3;
@@ -64,6 +72,7 @@ static void setup(void) {
     UA_ServerConfig_setDefaultWithSecurityPolicies(UA_Server_getConfig(server),
                                                    4840, &certificate, &privateKey,
                                                    trustList, trustListSize,
+                                                   issuerList, issuerListSize,
                                                    revocationList, revocationListSize);
 
     for(size_t i = 0; i < trustListSize; i++)