Public Key Interface: handle multiple certificate authorities and certificate revocation lists
Analysis
The current SOPC_PKIProviderStack implementation does not handle validation of certificates against multiple certificate authorities. It also mentions certificate revocation lists but does not use them.
On the PKI side, the only use Create() makes of the serialized CA is to deserialize it, which makes the caller the owner of the serialized certificate.
This is currently visible in the SOPC_Server_Config structure, which stores a pointer to the certificateAuthority only to free it on destruction.
Some issued certificates (that are not certificate authorities) must be trusted without trusting the signing certificate authority (or chain). This kind of validation is not available in mbedtls.
Changes
Manage multiple CertAuth
- mbedtls chains certificates, so SOPC_Certificate is rather a SOPC_CertificateList (this change may be reverted later if the certificate list concept is not easily handled with other cryptographic libraries),
- older functions, such as the serialization functions, expect a single certificate; an API should be added to count the number of certificates in the chain and assert that the copy is only done on a single one (restriction),
- change the SOPC_PKIProviderStack API:
  - use paths instead of serialized certificates: the PKI will own the certificates, which simplifies the task for users of the PKI interface,
  - add _AddTrusted functions to add CAs instead of pre-creating them (either from a path or from a buffer; the buffer variant is used on systems that have no filesystem),
  - all trusted certificates (CA or issued) are placed in bin/trusted.
Manage certificate revocation list
- change the type SOPC_CertificateRevList to SOPC_CRLList, a list of certificate revocation lists,
- load multiple CRLs,
- verify that each trusted CA has a valid CRL,
- all CRLs are placed in bin/revoked.
Miscellaneous
- verify the Key Usage and Extended Key Usage of exchanged certificates, as specified by the OPC UA protocol.
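The combined policy of the three change sections (several trusted CAs, a CRL required for each trusted CA, issued certificates trusted on their own without their CA, and a Key Usage check), as an added illustration that is not S2OPC code: certificates are reduced to the few fields the policy needs and the mbedtls chain handling is abstracted away. The KU_DIGITAL_SIGNATURE requirement, the type and function names and the sample PKI are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed model, not S2OPC code: a certificate is reduced to the fields the
 * policy needs; the real implementation walks mbedtls_x509_crt chains instead. */
#define KU_DIGITAL_SIGNATURE 0x80u /* Key Usage bit treated as mandatory (assumption) */
typedef struct { const char *subject, *issuer; unsigned serial, key_usage; } Cert;
typedef struct { const char *issuer; const unsigned *revoked; size_t n_revoked; } Crl;
typedef struct { Cert ca; const Crl *crl; } TrustedCa; /* CA from bin/trusted, CRL from bin/revoked */
typedef enum { PKI_OK = 0, PKI_BAD_KEY_USAGE, PKI_UNTRUSTED, PKI_NO_CRL, PKI_REVOKED } PkiStatus;
/* Load-time rule: every trusted CA must come with a CRL issued by that CA. */
bool pki_crls_complete(const TrustedCa *cas, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (cas[i].crl == NULL || strcmp(cas[i].crl->issuer, cas[i].ca.subject) != 0)
            return false;
    return true;
}

/* Validation rule: a directly trusted issued certificate passes without its CA;
 * anything else needs a trusted issuing CA and must be absent from that CA's CRL. */
PkiStatus pki_validate(const Cert *leaf, const TrustedCa *cas, size_t n_cas,
                       const Cert *issued, size_t n_issued)
{
    if (!(leaf->key_usage & KU_DIGITAL_SIGNATURE)) return PKI_BAD_KEY_USAGE;
    for (size_t i = 0; i < n_issued; i++)
        if (strcmp(issued[i].subject, leaf->subject) == 0 && issued[i].serial == leaf->serial)
            return PKI_OK;
    for (size_t i = 0; i < n_cas; i++) {
        if (strcmp(cas[i].ca.subject, leaf->issuer) != 0) continue;
        if (cas[i].crl == NULL) return PKI_NO_CRL;
        for (size_t j = 0; j < cas[i].crl->n_revoked; j++)
            if (cas[i].crl->revoked[j] == leaf->serial) return PKI_REVOKED;
        return PKI_OK;
    }
    return PKI_UNTRUSTED;
}
/* Constructed sample PKI: two trusted CAs with CRLs, one issued certificate trusted directly. */
static const unsigned ca1_revoked[] = { 7 };
static const Crl crl_ca1 = { "CA1", ca1_revoked, 1 };
static const Crl crl_ca2 = { "CA2", NULL, 0 };
const TrustedCa sample_cas[] = { { { "CA1", "CA1", 1, 0 }, &crl_ca1 },
                                 { { "CA2", "CA2", 2, 0 }, &crl_ca2 } };
const Cert sample_issued[] = { { "srv-alone", "OtherCA", 99, KU_DIGITAL_SIGNATURE } };
const Cert leaf_ok = { "srv-a", "CA1", 5, KU_DIGITAL_SIGNATURE };
const Cert leaf_revoked = { "srv-b", "CA1", 7, KU_DIGITAL_SIGNATURE };
const Cert leaf_alone = { "srv-alone", "OtherCA", 99, KU_DIGITAL_SIGNATURE };
const Cert leaf_unknown_ca = { "srv-c", "CA3", 3, KU_DIGITAL_SIGNATURE };
const Cert leaf_no_ku = { "srv-d", "CA1", 8, 0 };
```

Note that the directly trusted certificate is accepted only while it sits in the issued list; dropping it from that list makes the same certificate fail with PKI_UNTRUSTED because its CA is not in bin/trusted.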
Edited by Pierre-Antoine BRAMERET