[IOT-2752] Update invalid cert chain handling 79/22579/3
authorAlex Kelley <alexke@microsoft.com>
Fri, 22 Sep 2017 00:05:54 +0000 (17:05 -0700)
committerNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 27 Sep 2017 23:15:28 +0000 (23:15 +0000)
Update the handling of an invalid cert chain so that we move to the
next chain before cleaning up the invalid chain.

Change-Id: I95e4e410a9bca81a698f2c074cfca18b203e5133
Signed-off-by: Alex Kelley <alexke@microsoft.com>
resource/csdk/security/src/rolesresource.c

index 0bebc9e..a60a5fc 100644 (file)
@@ -1261,8 +1261,10 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
         return res;
     }
 
-    for (RoleCertChain_t *chain = targetEntry->chains; NULL != chain; chain = chain->next)
+    RoleCertChain_t *chain = targetEntry->chains;
+    while (NULL != chain)
     {
+        RoleCertChain_t *chainToRemove = NULL;
         OicSecRole_t *currCertRoles = NULL;
         size_t currCertRolesCount = 0;
         struct tm notValidAfter;
@@ -1277,7 +1279,7 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
             OIC_LOG_V(ERROR, TAG, "Failed to verify a role certificate: %d", res);
             /* Remove the invalid cert chain, but don't exit; try all certificates presented. */
             LL_DELETE(targetEntry->chains, chain);
-            FreeRoleCertChain(chain);
+            chainToRemove = chain;
         }
         else
         {
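Review bot: The comment above `LL_DELETE` still reads as if the invalid chain is disposed of at this point, but with this change the node is only unlinked here and stays live through `chain` and `chainToRemove` until the bottom of the iteration. I would reword it to `/* Unlink the invalid cert chain but defer the free until chain has advanced; try all certificates presented. */` so that a later edit does not put a free back here and reintroduce the read of freed memory in the loop advance. The loop body starts and ends outside this hunk.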
@@ -1315,6 +1317,13 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
         {
             memcpy(&targetEntry->cacheValidUntil, &notValidAfter, sizeof(targetEntry->cacheValidUntil));
         }
+
+        /*
+         * If the cert chain was invalid it has already been removed from the list.
+         * We clean it up here so that we can continue checking all of the certificates.
+         */
+        chain = chain->next;
+        FreeRoleCertChain(chainToRemove);
     }
 
     targetEntry->cachedRoles = rolesToReturn;
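Review bot: The advance `chain = chain->next;` and the deferred `FreeRoleCertChain(chainToRemove);` sit at the very bottom of the loop body, so they only run on paths that fall through to the end. The part of the body between the verification branch and this hunk is not visible here; any `continue` or early exit in it would either revisit the same node or leave the unlinked chain unfreed. Reading `chain->next` after `LL_DELETE` also depends on the macro leaving the removed node's `next` field untouched. Capturing the successor at the top of the iteration with `RoleCertChain_t *next = chain->next;` and ending with `chain = next;` removes both dependencies. `FreeRoleCertChain` is now called with NULL for every valid chain, so it should be confirmed NULL-safe or guarded with `if (NULL != chainToRemove)`.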