/* ALPN for http2? */
#ifdef USE_NGHTTP2
# undef HAS_ALPN
# ifdef MBEDTLS_SSL_ALPN
# define HAS_ALPN
# endif
#endif
/*
* profile
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr =
{
/* Hashes from SHA-1 and above */
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
1024, /* RSA min key len */
};
/* See https://tls.mbed.org/discussions/generic/
howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
*/
#define RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
#define ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_ECP_MAX_BYTES)
static UA_StatusCode
certificateVerification_verify(void *verificationContext,
const UA_ByteString *certificate) {
CertInfo *ci = (CertInfo*)verificationContext;
if(!ci)
return UA_STATUSCODE_BADINTERNALERROR;
/* Parse the certificate */
mbedtls_x509_crt remoteCertificate;
mbedtls_x509_crt_init(&remoteCertificate);
int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
certificate->length);
if(mbedErr) {
/* char errBuff[300]; */
/* mbedtls_strerror(mbedErr, errBuff, 300); */
/* UA_LOG_WARNING(data->policyContext->securityPolicy->logger, UA_LOGCATEGORY_SECURITYPOLICY, */
/* "Could not parse the remote certificate with error: %s", errBuff); */
return UA_STATUSCODE_BADSECURITYCHECKSFAILED;
}
/* Verify */
mbedtls_x509_crt_profile crtProfile = {
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256),
0xFFFFFF, 0x000000, 128 * 8 // in bits
}; // TODO: remove magic numbers
uint32_t flags = 0;
mbedErr = mbedtls_x509_crt_verify_with_profile(&remoteCertificate,
&ci->certificateTrustList,
&ci->certificateRevocationList,
&crtProfile, NULL, &flags, NULL, NULL);
// TODO: Extend verification
/* This condition will check whether the certificate is a User certificate
* or a CA certificate. If the MBEDTLS_X509_KU_KEY_CERT_SIGN and
* MBEDTLS_X509_KU_CRL_SIGN of key_usage are set, then the certificate
* shall be condidered as CA Certificate and cannot be used to establish a
* connection. Refer the test case CTT/Security/Security Certificate Validation/029.js
* for more details */
if((remoteCertificate.key_usage & MBEDTLS_X509_KU_KEY_CERT_SIGN) &&
(remoteCertificate.key_usage & MBEDTLS_X509_KU_CRL_SIGN)) {
return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
}
UA_StatusCode retval = UA_STATUSCODE_GOOD;
if(mbedErr) {
/* char buff[100]; */
/* mbedtls_x509_crt_verify_info(buff, 100, "", flags); */
/* UA_LOG_ERROR(channelContextData->policyContext->securityPolicy->logger, */
/* UA_LOGCATEGORY_SECURITYPOLICY, */
/* "Verifying the certificate failed with error: %s", buff); */
if(flags & (uint32_t)MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
retval = UA_STATUSCODE_BADCERTIFICATEUNTRUSTED;
} else if(flags & (uint32_t)MBEDTLS_X509_BADCERT_FUTURE ||
flags & (uint32_t)MBEDTLS_X509_BADCERT_EXPIRED) {
retval = UA_STATUSCODE_BADCERTIFICATETIMEINVALID;
} else if(flags & (uint32_t)MBEDTLS_X509_BADCERT_REVOKED ||
flags & (uint32_t)MBEDTLS_X509_BADCRL_EXPIRED) {
retval = UA_STATUSCODE_BADCERTIFICATEREVOKED;
} else {
retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED;
}
}
mbedtls_x509_crt_free(&remoteCertificate);
return retval;
}
