Greetings All,
Per the manufacturing cert profile requirements that have been established for
Bangkok, I am in the process of writing a cert profile validation util that
will receive a cert and cert type (CA/INT/EE), and return whether or not the
cert meets OCF profile requirements.
Starting with a focus on the server side, my intent is to apply the cert
profile checks during the DTLS handshake to both own cert, and peer cert I
wanted to share my current thinking RE where to apply these checks, to see if I
am on the right track.
Server checks own certs:
During DTLS handshake in
resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c:: InitPKIX(),
the servers cert info is retrieved like so
if (g_getPkixInfoCallback)
{
g_getPkixInfoCallback(&pkiInfo);
}
// pkiInfo contains own server mfgcert chain, and mfgtrustca cert
// I propose adding Bangkok profile check for both of them here, seem OK?
Server checks peer (client) certs:
During DTLS handshake in
resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c::
CAdecryptSsl(), the following code for checking peer cert:
if (MBEDTLS_SSL_CERTIFICATE_VERIFY == peer->ssl.state)
{
mbedtls_x509_crt *peerCert = peer->ssl.session_negotiate->peer_cert;
if (NULL != peerCert)
{
ret = PeerCertExtractCN(peerCert);
if (CA_STATUS_OK != ret)
{
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(ERROR, NET_SSL_TAG, "ProcessPeerCert failed with
%d", ret);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_FAILED;
}
// I propose adding Bangkok profile check here against peer cert here, seem OK?
}
}
Let me know your thoughts on the items in red.
Kind Regards
Steve
_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
