Public Key Interface: handle certificates issued by untrusted issuers
Analysis
The OPC UA specification also requires the notion of "untrusted certificate authorities". In the usual PKI approach, a certificate issued by a Certificate Authority (CA) is trusted when the CA is trusted, as is the CA that issued that CA's certificate, and so on along the chain until the self-signed root CA is reached.
The OPC UA specification adds the possibility to mark a certificate (either issued or self-signed) as trusted. In this case, however, the CA chain that issued the certificate must still be verified. Certificates of this chain are called "untrusted CAs", since one cannot add them to the trusted certificates: that would lead to accepting all certificates issued by these CAs instead of the single trusted certificate. Also, if the certification chain of a trusted certificate is invalid, or the trusted certificate is on the CRL of its issuer, it should be discarded.
The following image summarizes the different cases:
Changes
The configuration should be able to differentiate issuer certificates, trusted certificates, and untrusted certificates.
The PKIProvider should be able to:
- keep a list of trusted issuer CAs
- keep a list of untrusted CAs
- keep a list of trusted certificates
- upon certificate validation, recognize whether the certificate is issued by a trusted issuer or is itself a trusted certificate
- validate an issued certificate against the trusted issuers
- validate a trusted certificate against the untrusted CA chain
- remove the `static int verify_cert(...)` callback which was used to accept trusted certificates
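The three-list rule set above, as an added illustrative Python model (not code from the project this note describes): `Cert` is a constructed, simplified certificate record with no signature or validity-date checks, and the sample PKI and CRL in `demo()` are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Simplified certificate: issuer == subject means self-signed; no signature check here.
Cert = namedtuple("Cert", "subject issuer serial")

@dataclass
class PKIProvider:
    trusted_issuers: dict = field(default_factory=dict)  # subject -> trusted CA cert
    untrusted_cas: dict = field(default_factory=dict)    # subject -> untrusted CA cert
    trusted_certs: set = field(default_factory=set)      # {(subject, serial)}
    crls: dict = field(default_factory=dict)             # issuer subject -> {revoked serials}
    def _revoked(self, cert):
        return cert.serial in self.crls.get(cert.issuer, set())
    def _chain_ok(self, cert, cas, max_depth=16):
        """Walk the issuer chain inside `cas` up to a self-signed root; fail on a missing issuer, a revoked link, or an overlong chain."""
        for _ in range(max_depth):
            if cert.issuer == cert.subject:
                return not self._revoked(cert)
            if cert.issuer not in cas or self._revoked(cert):
                return False
            cert = cas[cert.issuer]
        return False
    def validate(self, cert):
        # Issued certificate: chain in trusted issuers. Trusted certificate: chain in untrusted CAs (or self-signed). Else reject.
        if cert.issuer in self.trusted_issuers:
            return self._chain_ok(cert, self.trusted_issuers)
        if (cert.subject, cert.serial) in self.trusted_certs:
            return cert.issuer == cert.subject or self._chain_ok(cert, self.untrusted_cas)
        return False

def demo():
    # Constructed sample PKI: one trusted hierarchy, one untrusted hierarchy.
    root, sub = Cert("RootCA", "RootCA", 1), Cert("SubCA", "RootCA", 2)
    oroot, osub = Cert("OtherRoot", "OtherRoot", 10), Cert("OtherSub", "OtherRoot", 11)
    pki = PKIProvider(
        trusted_issuers={c.subject: c for c in (root, sub)},
        untrusted_cas={c.subject: c for c in (oroot, osub)},
        trusted_certs={("DeviceA", 100), ("DeviceB", 200), ("Standalone", 300)},
        crls={"OtherSub": {200}},  # DeviceB was revoked by its (untrusted) issuer
    )
    return {
        "issued_by_trusted_issuer": pki.validate(Cert("Server1", "SubCA", 50)),
        "trusted_cert_under_untrusted_ca": pki.validate(Cert("DeviceA", "OtherSub", 100)),
        "trusted_cert_revoked": pki.validate(Cert("DeviceB", "OtherSub", 200)),
        "sibling_under_untrusted_ca": pki.validate(Cert("Server2", "OtherSub", 51)),
        "trusted_self_signed": pki.validate(Cert("Standalone", "Standalone", 300)),
        "trusted_cert_broken_chain": pki.validate(Cert("DeviceA", "Nobody", 100)),
    }
```

The `sibling_under_untrusted_ca` case is the one that distinguishes an untrusted CA from a trusted issuer: another certificate signed by the same CA is rejected even though the CA chain itself verifies.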