[TASK] Check if a trusted certificate has a CRL file

- If there is no CRL file available for the corresponding parent certificate then return status code UA_STATUSCODE_BADCERTIFICATEREVOCATIONUNKNOWN - This resolves 042.js and 043.js test case in Security Certificate Validation Conformance Unit Change-Id: I9fda40356d7d271b3f6ffeefb31b7cda569ee873 Signed-off-by: Asish Ganesh <asish.g@kalycito.com>
2025-06-03 04:00:21 +00:00 · 2019-07-02 11:49:43 +05:30 · 2019-07-02 11:49:43 +05:30 · 21e32dd997
commit 21e32dd997
parent d31a8126f2
1 changed files with 44 additions and 3 deletions
--- a/plugins/ua_pki_default.c
+++ b/plugins/ua_pki_default.c
@ -81,9 +81,6 @@ certificateVerification_verify(void *verificationContext,
    /* Flag value to identify if the parent certificate found */
    int parentFound = 0;

-    /* Flag value to identify if that there is an intermediate CA present */
-    int dualParent = 0;
-
    mbedtls_x509_crt_init(&remoteCertificate);
    int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
                                         certificate->length);
@ -131,6 +128,9 @@ certificateVerification_verify(void *verificationContext,

        /* Check if the parent certificate has a CRL file available */
        if(!mbedErr) {
+            /* Flag value to identify if that there is an intermediate CA present */
+            int dualParent = 0;
+
            /* Identify the topmost parent certificate for the remoteCertificate */
            for( parentCert = &ci->certificateIssuerList; parentCert != NULL; parentCert = parentCert->next ) {
                if(memcmp(remoteCertificate.issuer_raw.p, parentCert->subject_raw.p, parentCert->subject_raw.len) == 0) {
@ -186,6 +186,47 @@ certificateVerification_verify(void *verificationContext,
            }

        }
+
+    }
+    else if(!mbedErr && !TRUSTED) {
+        /* This else if section is to identify if the parent certificate which is present in trustList
+         * has CRL file corresponding to it */
+
+        /* Identify the parent certificate of the remoteCertificate */
+        for(parentCert = &ci->certificateTrustList; parentCert != NULL; parentCert = parentCert->next) {
+            if(memcmp(remoteCertificate.issuer_raw.p, parentCert->subject_raw.p, parentCert->subject_raw.len) == 0) {
+                parentFound = PARENTFOUND;
+                break;
+            }
+
+        }
+
+        /* If the parent certificate is found traverse the revocationList and identify
+         * if there is any CRL file that corresponds to the parentCertificate */
+        if(parentFound == PARENTFOUND &&
+            memcmp(remoteCertificate.issuer_raw.p, remoteCertificate.subject_raw.p, remoteCertificate.subject_raw.len) != 0) {
+            tempCrl = &ci->certificateRevocationList;
+            while(tempCrl != NULL) {
+                if(tempCrl->version != 0 &&
+                   tempCrl->issuer_raw.len == parentCert->subject_raw.len &&
+                   memcmp(tempCrl->issuer_raw.p,
+                          parentCert->subject_raw.p,
+                          tempCrl->issuer_raw.len) == 0) {
+                    issuerKnown = ISSUERKNOWN;
+                    break;
+                }
+
+                tempCrl = tempCrl->next;
+            }
+
+            /* If the CRL file corresponding to the parent certificate is not present
+             * then return UA_STATUSCODE_BADCERTIFICATEREVOCATIONUNKNOWN */
+            if(!issuerKnown) {
+                return UA_STATUSCODE_BADCERTIFICATEREVOCATIONUNKNOWN;
+            }
+
+        }
+
    }

    // TODO: Extend verification