fix:Fix the failure to obtain the peer certificate during the handshake process &&
fix the issue of duplicate certificates not being ignored when they are loaded - In the certificate verification phase, users need to obtain the peer certificate by calling HITLS_GetPeerCertChain. Currently, the peer certificate is only stored in the finish phase, so this needs to be changed. - When certificates are duplicated, an error should not be reported. Instead, the duplicated certificates should be ignored and success should be returned. Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/1307 Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
This commit is contained in:
committed by
Dongjianwei001
parent
b8d4c91f15
commit
58eab462f0
@@ -335,7 +335,9 @@ typedef enum {
|
||||
/* clear flag */
|
||||
HITLS_X509_STORECTX_CLR_PARAM_FLAGS,
|
||||
HITLS_X509_STORECTX_DEEP_COPY_SET_CA,
|
||||
HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,
|
||||
HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,/**< After a successful shallow copy, the ownership of the certificate
|
||||
pointer is transferred, and it is no longer held. The same certificate
|
||||
pointer cannot be set twice. Otherwise, an error is reported. */
|
||||
HITLS_X509_STORECTX_SET_CRL,
|
||||
HITLS_X509_STORECTX_SET_VFY_SM2_USERID,
|
||||
HITLS_X509_STORECTX_SET_VERIFY_CB,
|
||||
|
||||
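Review bot: The new comment on HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA only documents the same-pointer error, but the X509_SetCA change in the same commit also makes a shallow-copy set of a *different* pointer that compares equal to a stored certificate free that pointer and return HITLS_PKI_SUCCESS, which callers cannot infer from this text. I would extend the comment to `/**< Shallow copy transfers ownership of the pointer. Setting the same pointer twice returns HITLS_X509_ERR_CERT_EXIST; a distinct certificate that compares equal to one already in the store is freed and HITLS_PKI_SUCCESS is returned, so the caller must not use the pointer afterwards. */`. The same wording gap applies to the CERT_STORE_CTRL_ADD_CERT_LIST comment in the next hunk. "it is no longer held" is also ambiguous about who no longer holds it; say "the caller no longer holds it".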
@@ -84,7 +84,10 @@ typedef struct BslList HITLS_CERT_CRLList;
|
||||
*/
|
||||
typedef enum {
|
||||
CERT_STORE_CTRL_SET_VERIFY_DEPTH = 0, /**< Set the certificate verification depth. */
|
||||
CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store */
|
||||
CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store. After a successful shallow copy,
|
||||
the ownership of the certificate pointer is transferred, and it is no
|
||||
longer held. The same certificate pointer cannot be set twice.
|
||||
Otherwise, an error is reported. */
|
||||
CERT_STORE_CTRL_GET_VERIFY_DEPTH, /**< Get the certificate verification depth. */
|
||||
CERT_STORE_CTRL_ADD_CRL_LIST, /**< Add CRL list to verify store */
|
||||
CERT_STORE_CTRL_CLEAR_CRL_LIST, /**< Clear all CRLs from verify store */
|
||||
|
||||
@@ -333,7 +333,7 @@ static int32_t X509_SetPurpose(HITLS_X509_StoreCtx *storeCtx, int32_t *val, uint
|
||||
return HITLS_PKI_SUCCESS;
|
||||
}
|
||||
|
||||
static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert)
|
||||
static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert, HITLS_X509_Cert **findCert)
|
||||
{
|
||||
if (!HITLS_X509_CertIsCA(cert)) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_CA);
|
||||
@@ -342,7 +342,7 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
|
||||
HITLS_X509_List *certStore = storeCtx->store;
|
||||
HITLS_X509_Cert *tmp = BSL_LIST_SearchDataConst(certStore, cert, (BSL_LIST_PFUNC_CMP)HITLS_X509_CertCmp, NULL);
|
||||
if (tmp != NULL) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
|
||||
*findCert = tmp;
|
||||
return HITLS_X509_ERR_CERT_EXIST;
|
||||
}
|
||||
|
||||
@@ -351,7 +351,18 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
|
||||
|
||||
static int32_t X509_SetCA(HITLS_X509_StoreCtx *storeCtx, void *val, bool isCopy)
|
||||
{
|
||||
int32_t ret = X509_CheckCert(storeCtx, val);
|
||||
HITLS_X509_Cert *findCert = NULL;
|
||||
int32_t ret = X509_CheckCert(storeCtx, val, &findCert);
|
||||
if (ret == HITLS_X509_ERR_CERT_EXIST) {
|
||||
if (findCert == val) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
|
||||
return HITLS_X509_ERR_CERT_EXIST;
|
||||
}
|
||||
if (!isCopy) {
|
||||
HITLS_X509_CertFree(val);
|
||||
}
|
||||
return HITLS_PKI_SUCCESS;
|
||||
}
|
||||
if (ret != HITLS_PKI_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
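Review bot: In the `ret == HITLS_X509_ERR_CERT_EXIST` branch, `HITLS_X509_CertFree(val)` followed by `return HITLS_PKI_SUCCESS` hands the caller a success code for a pointer it no longer owns, which is a use-after-free / double-free trap for any caller that keeps using `val` after a "successful" shallow-copy set; the function has no comment stating this. Add a header comment such as `/* Duplicate by content (findCert != val): the new cert is dropped; with a shallow copy it is freed here, so val is invalid to the caller on HITLS_PKI_SUCCESS. Same pointer set twice is an error. */`. What counts as a duplicate is whatever HITLS_X509_CertCmp treats as equal (previous hunk); if that compares less than the full encoding, a different certificate would be silently discarded, so the comment should state the comparison basis once it has been confirmed. Note also that X509_CheckCert (previous two hunks) now writes `*findCert` unconditionally, so its new out-parameter must never be NULL; a one-line comment on its signature would make that contract visible. X509_SetCA continues past the end of the hunk.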
@@ -377,7 +377,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
|
||||
ASSERT_EQ(cert->references.count, 2);
|
||||
ASSERT_EQ(BSL_LIST_COUNT(store->store), 1);
|
||||
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_DEEP_COPY_SET_CA, cert, sizeof(HITLS_X509_Cert));
|
||||
ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
|
||||
ASSERT_EQ(ret, HITLS_X509_ERR_CERT_EXIST);
|
||||
HITLS_X509_Crl *crl = NULL;
|
||||
ret = HITLS_X509_CrlParseFile(BSL_FORMAT_ASN1, "../testdata/cert/asn1/ca-empty-rsa-sha256-v2.der", &crl);
|
||||
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
|
||||
@@ -386,6 +386,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
|
||||
ASSERT_EQ(BSL_LIST_COUNT(store->crl), 1);
|
||||
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
|
||||
ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
|
||||
ASSERT_TRUE(TestIsErrStackNotEmpty());
|
||||
|
||||
EXIT:
|
||||
HITLS_X509_StoreCtxFree(store);
|
||||
|
||||
@@ -1523,7 +1523,7 @@ EXIT:
|
||||
* 2. Transfer valid parameters with idx=-1 before handshake. Expected result 2.
|
||||
* 3. Transfer valid parameters with idx=0 with NULL pointers before handshake. Expected result 3.
|
||||
* @expect 1. Returns 0
|
||||
* 2. Returns 0
|
||||
* 2. Returns 0
|
||||
* 3. Returns 0
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
@@ -1707,7 +1707,7 @@ void UT_TLS_CM_GET_SHARED_SIGALGS_FUNC_TC002(int version)
|
||||
ASSERT_EQ(ret, 0);
|
||||
|
||||
ASSERT_TRUE(TestIsErrStackEmpty());
|
||||
|
||||
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(config);
|
||||
HITLS_Free(ctx);
|
||||
@@ -2384,6 +2384,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
|
||||
HITLS_CERT_X509 *server_PeerChainCert = NULL;
|
||||
HITLS_CERT_X509 *server_ChainCert = NULL;
|
||||
HITLS_CERT_X509 *client_PeerEECert = NULL;
|
||||
HITLS_CERT_X509 *server_PeerEECert = NULL;
|
||||
HITLS_CERT_X509 *client_PeerChainCert = NULL;
|
||||
|
||||
if (!isClientPeerCertNull) {
|
||||
@@ -2393,7 +2394,8 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
|
||||
}
|
||||
if (!isServerPeerCertNull) {
|
||||
client_ChainCert = (HITLS_CERT_X509*)client_Chain->first->data; // client chain cert
|
||||
server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client chain cert
|
||||
server_PeerEECert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client ee cert
|
||||
server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->last->data; // client chain cert
|
||||
}
|
||||
|
||||
int client_result = 0;
|
||||
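Review bot: `server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->last->data;` assumes the peer chain has at least two entries; with a single-entry chain `last` is the leaf, so `server_PeerChainCert` equals `server_PeerEECert` and the comparison in the next hunk fails for the wrong reason rather than reporting a missing chain cert. Consider guarding with `ASSERT_TRUE(server_PeerChain->first != server_PeerChain->last);` before the assignment, or comparing against the chain length explicitly. The client branch at the top of the hunk appears to keep only `client_PeerChainCert` and gets no EE-cert counterpart, which looks asymmetric now that the leaf is stored at the head of both chains, but that branch is cut off above the hunk.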
@@ -2417,7 +2419,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
|
||||
server_result = 1;
|
||||
} else {
|
||||
ASSERT_TRUE(server_PeerCert != NULL);
|
||||
if (X509_CertCmp(server_PeerCert, client_Cert) == 0 &&
|
||||
if (X509_CertCmp(server_PeerCert, client_Cert) == 0 && X509_CertCmp(server_PeerEECert, client_Cert) == 0 &&
|
||||
X509_CertCmp(server_PeerChainCert, client_ChainCert) == 0) {
|
||||
server_result = 1;
|
||||
} else {
|
||||
@@ -3000,7 +3002,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC006(void)
|
||||
verifyStore = SAL_CERT_StoreNew(s_config->certMgrCtx);
|
||||
ASSERT_TRUE(verifyStore != NULL);
|
||||
SAL_CERT_StoreCtrl(s_config, verifyStore, CERT_STORE_CTRL_ADD_CERT_LIST, caCert, NULL);
|
||||
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_SetVerifyStore(&client->ssl->config.tlsConfig, verifyStore, false), HITLS_SUCCESS);
|
||||
ASSERT_EQ(HITLS_CFG_SetVerifyStore(&server->ssl->config.tlsConfig, verifyStore, true), HITLS_SUCCESS);
|
||||
|
||||
@@ -3293,7 +3295,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC009(void)
|
||||
ASSERT_EQ(Compare_Certificates(client, server, false, true), HITLS_SUCCESS);
|
||||
|
||||
ASSERT_TRUE(TestIsErrStackNotEmpty());
|
||||
|
||||
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(c_config);
|
||||
HITLS_CFG_FreeConfig(s_config);
|
||||
@@ -3932,7 +3934,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC014(void)
|
||||
ASSERT_EQ(Compare_ResumeCertificates(client, server), HITLS_SUCCESS);
|
||||
|
||||
ASSERT_TRUE(TestIsErrStackNotEmpty());
|
||||
|
||||
|
||||
EXIT:
|
||||
HITLS_SESS_Free(Session);
|
||||
HITLS_CFG_FreeConfig(c_config);
|
||||
@@ -4291,4 +4293,55 @@ EXIT:
|
||||
FRAME_FreeLink(client);
|
||||
FRAME_FreeLink(server);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* @
|
||||
* @test SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001
|
||||
* @spec -
|
||||
* @title The test obtains the peer certificate chain during the handshake process, and it is expected to succeed.
|
||||
* @precon nan
|
||||
* @brief
|
||||
* 1. Initialize the TLS12 client and server.
|
||||
* 2. Establish a link. Stop the handshake state at the TRY_RECV_SERVER_KEY_EXCHANGE state, the HITLS_GetPeerCertificate
|
||||
* and HITLS_GetPeerCertChain interfaces are invoked to check the peer certificate cached at both ends.
|
||||
* @expect
|
||||
* 1. Initialization succeeded.
|
||||
* 2. The link is successfully established. The certificate cached on the client is the same as the certificate sent by the
|
||||
* server.The peer certificate cached on the server is NULL.
|
||||
* @prior Level 1
|
||||
* @auto TRUE
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001(void)
|
||||
{
|
||||
FRAME_Init();
|
||||
FRAME_LinkObj *client = NULL;
|
||||
FRAME_LinkObj *server = NULL;
|
||||
HITLS_CERT_X509 *client_PeerCert = NULL;
|
||||
|
||||
HITLS_Config *c_config = HITLS_CFG_NewTLS12Config();
|
||||
ASSERT_TRUE(c_config != NULL);
|
||||
HITLS_Config *s_config = HITLS_CFG_NewTLS12Config();
|
||||
ASSERT_TRUE(s_config != NULL);
|
||||
|
||||
client = FRAME_CreateLink(c_config, BSL_UIO_TCP);
|
||||
ASSERT_TRUE(client != NULL);
|
||||
server = FRAME_CreateLink(s_config, BSL_UIO_TCP);
|
||||
ASSERT_TRUE(server != NULL);
|
||||
ASSERT_EQ(FRAME_CreateConnection(client, server, true, TRY_RECV_SERVER_KEY_EXCHANGE), HITLS_SUCCESS);
|
||||
|
||||
ASSERT_TRUE(client->ssl->hsCtx->peerCert != NULL);
|
||||
client_PeerCert = HITLS_GetPeerCertificate(client->ssl);
|
||||
ASSERT_TRUE(client->ssl->hsCtx->peerCert->cert == client_PeerCert);
|
||||
ASSERT_TRUE(client->ssl->hsCtx->peerCert->chain == HITLS_GetPeerCertChain(client->ssl));
|
||||
|
||||
ASSERT_TRUE(TestIsErrStackEmpty());
|
||||
|
||||
EXIT:
|
||||
HITLS_CFG_FreeCert(c_config, client_PeerCert);
|
||||
HITLS_CFG_FreeConfig(c_config);
|
||||
HITLS_CFG_FreeConfig(s_config);
|
||||
FRAME_FreeLink(client);
|
||||
FRAME_FreeLink(server);
|
||||
}
|
||||
/* END_CASE */
|
||||
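Review bot: The @expect text says the peer certificate cached on the server is NULL at TRY_RECV_SERVER_KEY_EXCHANGE, but nothing in the body asserts it; add `ASSERT_TRUE(server->ssl->hsCtx->peerCert == NULL);` after the client checks (if `server->ssl->hsCtx` can be NULL at that state, guard it first). The test frees `client_PeerCert` with HITLS_CFG_FreeCert while asserting it is pointer-equal to `client->ssl->hsCtx->peerCert->cert`, which is only safe if HITLS_GetPeerCertificate takes its own reference; that is not visible here, so a comment like `/* HITLS_GetPeerCertificate returns a referenced cert; the chain getter returns the internal pointer and must not be freed */` would make the asymmetry with the unfreed HITLS_GetPeerCertChain result explicit. Minor: "server.The" in the @expect comment is missing a space.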
@@ -242,4 +242,4 @@ UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001
|
||||
UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001:
|
||||
|
||||
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001
|
||||
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
|
||||
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
|
||||
|
||||
@@ -526,7 +526,7 @@ void UT_TLS_CFG_SET_CIPHERSUITES_FUNC_TC001(int tlsVersion)
|
||||
ASSERT_TRUE(server != NULL);
|
||||
|
||||
ASSERT_EQ(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
|
||||
|
||||
|
||||
ASSERT_TRUE(TestIsErrStackEmpty());
|
||||
|
||||
EXIT:
|
||||
@@ -1992,7 +1992,7 @@ EXIT:
|
||||
* 5. Call HITLS_CFG_BuildCertChain to verify the client certificate.
|
||||
* @expect
|
||||
* 1. The interface returns success.
|
||||
* 2. The client certificate verification fails.
|
||||
* 2. The client certificate verification success.
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
|
||||
@@ -2005,7 +2005,7 @@ void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
|
||||
int32_t ret = HITLS_CFG_UseCertificateChainFile(config, path);
|
||||
ASSERT_EQ(ret, HITLS_SUCCESS);
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_X509_ERR_CERT_EXIST);
|
||||
ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_SUCCESS);
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(config);
|
||||
}
|
||||
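Review bot: The assertion now only checks that HITLS_CFG_BuildCertChain returns HITLS_SUCCESS for a chain file containing a duplicate certificate, so a regression that keeps the duplicate in the chain (instead of ignoring it) would still pass. Add an assertion on the number of certificates in the built chain so the "ignored" part of the new behaviour is actually tested. The @expect line in the preceding hunk should also read "verification succeeds" rather than "verification success".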
@@ -3896,3 +3896,43 @@ void SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001(void)
|
||||
#endif
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* @
|
||||
* @test SDV_CONFIG_SET_SAME_CERT_TC001
|
||||
* @spec -
|
||||
* @title When setting the same certificate in the test, verify whether the certificate can be successfully set.
|
||||
* @precon nan
|
||||
* @brief
|
||||
* 1. Create one TLS1.2 config. Expected result 1.
|
||||
* 2. Parse a certificate twice, and then set it to the store through deep copy and shallow copy respectively.
|
||||
* Expected result 2.
|
||||
* 3. Set the same certificate pointer twice. Expected result 2.
|
||||
* @expect
|
||||
* 1. Shared TLS1.2 config connections complete concurrent I/O successfully.
|
||||
* 2. Setup successful.
|
||||
* @prior Level 1
|
||||
* @auto TRUE
|
||||
@ */
|
||||
/* BEGIN_CASE */
|
||||
void SDV_CONFIG_SET_SAME_CERT_TC001(void)
|
||||
{
|
||||
HitlsInit();
|
||||
HITLS_Config *tlsConfig = NULL;
|
||||
tlsConfig = HITLS_CFG_NewTLS12Config();
|
||||
ASSERT_TRUE(tlsConfig != NULL);
|
||||
const char *path1 = "../testdata/tls/certificate/pem/rsa_sha256/ca.pem";
|
||||
HITLS_CERT_X509 *caCert = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
|
||||
TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
|
||||
ASSERT_TRUE(caCert != NULL);
|
||||
HITLS_CERT_X509 *caCert2 = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
|
||||
TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
|
||||
ASSERT_TRUE(caCert2 != NULL);
|
||||
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, true), HITLS_X509_ERR_CERT_EXIST);
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_X509_ERR_CERT_EXIST);
|
||||
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert2, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
|
||||
EXIT:
|
||||
HITLS_CFG_FreeConfig(tlsConfig);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
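Review bot: The @expect entry "1. Shared TLS1.2 config connections complete concurrent I/O successfully." is copied from the concurrent-I/O test above and does not describe step 1 of this case; it should read `* 1. The config is created successfully.`. The @brief says the parsed certificate is set "through deep copy and shallow copy respectively", but `caCert2` is only ever added with the final argument `false`, so either the text or the calls should be aligned. If any ASSERT between the two HITLS_CFG_ParseCert calls and the last HITLS_CFG_AddCertToStore fails, control jumps to EXIT with `caCert`/`caCert2` still owned by the test and never freed; test code, but worth a `HITLS_CFG_FreeCert` on the EXIT path for whichever pointer was not consumed.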
@@ -266,3 +266,6 @@ SDV_CONFIG_CONCURRENT_READ_WRITE_TLCP_TC001:
|
||||
|
||||
SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001
|
||||
SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001:
|
||||
|
||||
SDV_CONFIG_SET_SAME_CERT_TC001
|
||||
SDV_CONFIG_SET_SAME_CERT_TC001:
|
||||
|
||||
@@ -760,7 +760,7 @@ void UT_TLS_CERT_GET_CALIST_FUNC_TC001(int version)
|
||||
ret = BSL_LIST_AddElement((BslList *)certChain, cert3, BSL_LIST_POS_END);
|
||||
ASSERT_TRUE(ret == 0);
|
||||
|
||||
ret = SESS_SetPeerCert(session, peerCert, false);
|
||||
ret = SESS_SetPeerCert(session, peerCert);
|
||||
ASSERT_TRUE(ret == HITLS_SUCCESS);
|
||||
|
||||
|
||||
|
||||
@@ -464,7 +464,8 @@ static bool TlcpCheckEncCertKeyUsage(HITLS_Ctx *ctx, HITLS_CERT_X509 *encCert)
|
||||
}
|
||||
#endif
|
||||
|
||||
int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert)
|
||||
int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert,
|
||||
HITLS_CERT_X509 *signCert)
|
||||
{
|
||||
if (ctx == NULL || chain == NULL) {
|
||||
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
|
||||
@@ -476,6 +477,11 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
|
||||
if (newChain == NULL) {
|
||||
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15049, "ChainNew fail");
|
||||
}
|
||||
HITLS_CERT_X509 *tempCert = SAL_CERT_X509Ref(config->certMgrCtx, signCert);
|
||||
if (SAL_CERT_ChainAppend(newChain, tempCert) != HITLS_SUCCESS) {
|
||||
DestoryParseChain(NULL, tempCert, newChain);
|
||||
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15054, "Append signCert fail");
|
||||
}
|
||||
|
||||
CERT_Item *listNode = item;
|
||||
while (listNode != NULL) {
|
||||
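Review bot: `HITLS_CERT_X509 *tempCert = SAL_CERT_X509Ref(config->certMgrCtx, signCert);` is passed straight to SAL_CERT_ChainAppend without a NULL check, so if taking the reference can fail the chain either gets a NULL entry or the error path calls DestoryParseChain on a NULL cert; I would add `if (tempCert == NULL) { DestoryParseChain(NULL, NULL, newChain); return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, <new BINLOG id>, "Ref signCert fail"); }` before the append. Placing `signCert` at the head of `newChain` (and, after the TLCP change two hunks down, the enc cert too) changes what the stored peer chain contains for both client and server, which is a public-API-visible change for HITLS_GetPeerCertChain; the ParseChain comment and the public header should state that the chain now starts with the leaf certificate. `config` is used here but declared above the hunk, and ParseChain continues below it.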
@@ -496,9 +502,7 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
|
||||
#ifdef HITLS_TLS_PROTO_TLCP11
|
||||
if ((encCert != NULL) && (TlcpCheckEncCertKeyUsage(ctx, cert) == true)) {
|
||||
SAL_CERT_X509Free(encCertLocal);
|
||||
encCertLocal = cert;
|
||||
listNode = listNode->next;
|
||||
continue;
|
||||
encCertLocal = SAL_CERT_X509Ref(config->certMgrCtx, cert);
|
||||
}
|
||||
#endif
|
||||
/* Add a certificate to the certificate chain. */
|
||||
@@ -552,7 +556,7 @@ int32_t SAL_CERT_ParseCertChain(HITLS_Ctx *ctx, CERT_Item *item, CERT_Pair **cer
|
||||
/* Parse other certificates in the certificate chain. */
|
||||
HITLS_CERT_Chain *chain = NULL;
|
||||
HITLS_CERT_X509 **inParseEnc = ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11 ? &encCert : NULL;
|
||||
int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc);
|
||||
int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc, cert);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
SAL_CERT_X509Free(cert);
|
||||
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16330, "ParseChain fail");
|
||||
@@ -607,7 +611,15 @@ int32_t SAL_CERT_VerifyCertChain(HITLS_Ctx *ctx, CERT_Pair *certPair, bool isTlc
|
||||
certPair->cert;
|
||||
for (BslListNode *chainNode = BSL_LIST_FirstNode(chain); chainNode != NULL;
|
||||
chainNode = BSL_LIST_GetNextNode(chain, chainNode)) {
|
||||
certList[i++] = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
|
||||
HITLS_CERT_X509 *cert = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
|
||||
if (certPair->cert == cert
|
||||
#ifdef HITLS_TLS_PROTO_TLCP11
|
||||
|| certPair->encCert == cert
|
||||
#endif
|
||||
) {
|
||||
continue;
|
||||
}
|
||||
certList[i++] = cert;
|
||||
}
|
||||
|
||||
/* Verify the certificate chain. */
|
||||
|
||||
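Review bot: The new skip in the loop compares chain entries to `certPair->cert`/`certPair->encCert` by pointer identity, which is correct only because ParseChain appends the very object returned by SAL_CERT_X509Ref; if that helper ever returned a copy, the leaf would appear in `certList` twice with no diagnostic. A comment would protect the invariant: `/* ParseChain stores the leaf (and TLCP enc) cert at the chain head as the same object held in certPair; certList already holds them, so skip by identity. */`. The enclosing function starts and ends outside the hunk.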
@@ -38,6 +38,7 @@
|
||||
#include "conn_init.h"
|
||||
#include "crypt.h"
|
||||
#include "cipher_suite.h"
|
||||
#include "hs_ctx.h"
|
||||
|
||||
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
|
||||
static int32_t PeerInfoInit(HITLS_Ctx *ctx)
|
||||
@@ -743,6 +744,10 @@ HITLS_CERT_Chain *HITLS_GetPeerCertChain(const HITLS_Ctx *ctx)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
|
||||
return SAL_CERT_PAIR_GET_CHAIN(ctx->hsCtx->peerCert);
|
||||
}
|
||||
|
||||
int32_t ret = SESS_GetPeerCert(ctx->session, &certPair);
|
||||
if (ret != HITLS_SUCCESS || certPair == NULL) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16478, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
|
||||
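Review bot: Returning `SAL_CERT_PAIR_GET_CHAIN(ctx->hsCtx->peerCert)` while a handshake is in progress hands the caller a chain that, at the point a verify callback typically runs, has not yet been validated, and the pointer is owned by `hsCtx`, whose lifetime presumably ends with the handshake; neither is stated in the API comment. I would document it on the public declaration: `/* During a handshake this returns the chain received from the peer, before verification completes; the pointer is owned by the handshake context and must not be freed or retained past the handshake. */`. Because the hsCtx branch is taken first, an in-flight (re)negotiation shadows the session's previously verified peer certificate for the duration; if that is intended, say so. The same precedence and unverified-state caveat applies to the HITLS_GetPeerCertificate change in the hunk below (`peerCert = ctx->hsCtx->peerCert;`), where the getter goes through SAL_CERT_PAIR_GET_X509_EX, so a reference is presumably taken — confirm and document the ownership difference between the two getters.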
+10
-6
@@ -24,6 +24,7 @@
|
||||
#endif
|
||||
#include "cert_method.h"
|
||||
#include "record.h"
|
||||
#include "hs_ctx.h"
|
||||
|
||||
#ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
|
||||
int32_t HITLS_GetNegotiatedVersion(const HITLS_Ctx *ctx, uint16_t *version)
|
||||
@@ -181,12 +182,15 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx)
|
||||
}
|
||||
|
||||
CERT_Pair *peerCert = NULL;
|
||||
|
||||
int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"GetPeerCert fail", 0, 0, 0, 0);
|
||||
return NULL;
|
||||
if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
|
||||
peerCert = ctx->hsCtx->peerCert;
|
||||
} else {
|
||||
int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
|
||||
"GetPeerCert fail", 0, 0, 0, 0);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
HITLS_CERT_X509 *cert = SAL_CERT_PAIR_GET_X509_EX(peerCert);
|
||||
|
||||
@@ -406,7 +406,7 @@ int32_t HITLS_SESS_GetProtocolVersion(const HITLS_Session *sess, uint16_t *versi
|
||||
}
|
||||
|
||||
#ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
|
||||
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient)
|
||||
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert)
|
||||
{
|
||||
int32_t ret = HITLS_SUCCESS;
|
||||
if (sess == NULL) {
|
||||
@@ -417,34 +417,7 @@ int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient
|
||||
|
||||
BSL_SAL_ThreadWriteLock(sess->lock);
|
||||
sess->peerCert = peerCert;
|
||||
/* The peer_cert_chain of the client stores the device certificate of the server */
|
||||
if (isClient && peerCert != NULL) {
|
||||
/* Obtain the cert */
|
||||
HITLS_CERT_X509 *tmpCert = SAL_CERT_PAIR_GET_X509(peerCert);
|
||||
if (tmpCert == NULL) {
|
||||
/* If cert in CERT_Pair is empty, the unlocking is returned */
|
||||
goto EXIT;
|
||||
}
|
||||
/* Obtain the chain */
|
||||
HITLS_CERT_Chain *tmpChain = SAL_CERT_PAIR_GET_CHAIN(peerCert);
|
||||
if (tmpChain == NULL) {
|
||||
/* If the chain in CERT_Pair is empty, the unlocking is returned */
|
||||
goto EXIT;
|
||||
}
|
||||
|
||||
/* Make a copy of the cert */
|
||||
HITLS_CERT_X509 *newSubjectCert = SAL_CERT_X509Dup(sess->certMgrCtx, tmpCert);
|
||||
if (newSubjectCert == NULL) {
|
||||
ret = HITLS_CERT_ERR_X509_DUP;
|
||||
goto EXIT;
|
||||
}
|
||||
|
||||
ret = (int32_t)BSL_LIST_AddElement(tmpChain, newSubjectCert, BSL_LIST_POS_BEGIN);
|
||||
if (ret != 0) {
|
||||
SAL_CERT_X509Free(newSubjectCert);
|
||||
}
|
||||
}
|
||||
EXIT:
|
||||
BSL_SAL_ThreadUnlock(sess->lock);
|
||||
return ret;
|
||||
}
|
||||
|
||||
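Review bot: With the client-only branch removed, `EXIT:` is now reached only by fall-through; unless a `goto EXIT` remains above the hunk (the function's start is outside it), the label is unused and will warn under `-Wunused-label`, so the tail can collapse to `sess->peerCert = peerCert; BSL_SAL_ThreadUnlock(sess->lock); return ret;`. The removed code was the only place the leaf certificate was prepended to the stored chain; the new behaviour depends on ParseChain now placing the leaf at the chain head for both roles, and a one-line comment here (`/* peerCert->chain already starts with the leaf; see ParseChain */`) would keep that coupling visible. `sess->peerCert = peerCert;` still overwrites any previous pair without releasing it, which predates this change but is now the whole body of the locked section and worth a note on ownership.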
@@ -147,7 +147,7 @@ static int32_t SessionConfig(TLS_Ctx *ctx)
|
||||
}
|
||||
#if defined(HITLS_TLS_CONNECTION_INFO_NEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION)
|
||||
if (ctx->config.tlsConfig.isKeepPeerCert) {
|
||||
ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert, ctx->isClient);
|
||||
ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert);
|
||||
if (ret != HITLS_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
@@ -169,7 +169,7 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx)
|
||||
if ((mode & HITLS_SESS_DISABLE_AUTO_CLEANUP) == 0) {
|
||||
SESSMGR_ClearTimeout(ctx->globalConfig, (uint64_t)BSL_SAL_CurrentSysTimeGet());
|
||||
}
|
||||
|
||||
|
||||
/* This parameter is not required for session multiplexing */
|
||||
if (ctx->negotiatedInfo.isResume == true) {
|
||||
return HITLS_SUCCESS;
|
||||
|
||||
@@ -39,7 +39,7 @@ HITLS_Session *SESS_Copy(HITLS_Session *src);
|
||||
void SESS_Disable(HITLS_Session *sess);
|
||||
|
||||
/* set peerCert */
|
||||
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient);
|
||||
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert);
|
||||
|
||||
/* get peerCert */
|
||||
int32_t SESS_GetPeerCert(HITLS_Session *sess, CERT_Pair **peerCert);
|
||||
|
||||
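Review bot: The prototype comment `/* set peerCert */` says nothing about ownership, and the implementation stores the `CERT_Pair` pointer as-is without copying or taking a reference, so a caller that later frees the pair leaves the session holding a dangling pointer. Replace it with `/* Store the peer CERT_Pair pointer as-is (no copy, no reference taken); it must stay valid for the session's lifetime — confirm the hand-off from hsCtx->peerCert in HsSetSessionInfo. */`. The matching `/* get peerCert */` should likewise say whether the returned pointer is borrowed.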