PKI: Add a way to disable revocation check
PKI API, file src/Common/crypto/lib_dep/mbedtls/pki_mbedtls.c
:
As described in part 12 §7.4.10 v1.05, we shall check the signature of the new certificate with the given issuer for the ServerConfiguration.UpdateCertificate method (PUSH model). The mantis issue 0008470 seems to indicate that we should apply the validation process defined in part 4. Since no CRL is provided with the given issuers, then the PKI API shall be updated to make CRLs checking optional during validation. Moreover we should allow to create an instance of the PKI without CRL.
to achieve this:
- Add a flag to
SOPC_PKI_ChainProfile
andSOPC_CheckTrustedAndCRLinChain
in order to indicate if no error is reported if a CA certificate has no revocation list. - Update the declaration of
sopc_validate_certificate
andsopc_verify_every_certificate
to get the new flag as input argument. - Update
check_lists
to not return error if no revocation list is given.
Edited by Robin Barrucand