[IOT-2729] Update role resource and certhelpers 57/22557/2
authorAlex Kelley <alexke@microsoft.com>
Tue, 19 Sep 2017 19:30:36 +0000 (12:30 -0700)
committerRandeep Singh <randeep.s@samsung.com>
Mon, 25 Sep 2017 12:06:18 +0000 (12:06 +0000)
1. Update OCInternalVerifyRoleCertificate to add the issuer as the
   authority if the role certificate IoTivity received does not
   contain an authority in the subject alternative name.
2. Update GetEndpointRoles to check for OC_STACK_NO_RESOURCE and
   OC_STACK_INVALID_PARAM so it can fall back to symmetric key role
   handling when the connection is not secured with a certificate.

Change-Id: Ieba2bfbbf5edfb32d74c24b5f668a8ee9d530354
Signed-off-by: Alex Kelley <alexke@microsoft.com>
resource/csdk/security/src/certhelpers.c
resource/csdk/security/src/rolesresource.c

index c9f4175..f3f7496 100644 (file)
@@ -515,6 +515,7 @@ OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChai
             if (MBEDTLS_X509_GENERALNAME_DIRECTORYNAME == nameCur->general_name.name_type)
             {
                 bool advanceCount = false;
+                bool addAuthority = true;
                 for (const mbedtls_x509_name *dirName = nameCur->general_name.directory_name;
                      NULL != dirName;
                      dirName = dirName->next)
@@ -537,12 +538,32 @@ OCStackResult OCInternalVerifyRoleCertificate(const OicSecKey_t *certificateChai
                     {
                         assert(dirName->val.len < ROLEID_LENGTH);
                         memcpy(rolesTmp[rolesTmpCount].authority, dirName->val.p, dirName->val.len);
+                        addAuthority = false;
                     }
-
                 }
 
                 if (advanceCount)
                 {
+                    /* If the authority was absent in the subject alternative name we know that the certificate
+                     * issuer defined the role. We add the issuer as the authority here so that access checks
+                     * function properly when invoked.
+                     */
+                    if (addAuthority)
+                    {
+                        for (const mbedtls_x509_name *issuerName = &certChain.issuer;
+                             NULL != issuerName;
+                             issuerName = issuerName->next)
+                        {
+                            if ((MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN) == issuerName->oid.len) &&
+                                (0 == memcmp(MBEDTLS_OID_AT_CN, issuerName->oid.p, MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN))))
+                            {
+                                assert(issuerName->val.len < ROLEID_LENGTH);
+                                memcpy(rolesTmp[rolesTmpCount].authority, issuerName->val.p, issuerName->val.len);
+                                OIC_LOG_V(DEBUG, TAG, "Adding authority %s to role", rolesTmp[rolesTmpCount].authority);
+                            }
+                        }
+                    }
+
                     rolesTmpCount++;
                 }
             }
index c85c4de..4566071 100644 (file)
@@ -1131,11 +1131,11 @@ OCStackResult GetEndpointRoles(const CAEndpoint_t *endpoint, OicSecRole_t **role
     memset(&trustedCaCerts, 0, sizeof(trustedCaCerts));
 
     OCStackResult res = GetPeerPublicKeyFromEndpoint(endpoint, &publicKey, &publicKeyLength);
-    if (OC_STACK_INVALID_PARAM == res)
+    if ((OC_STACK_INVALID_PARAM == res) || (OC_STACK_NO_RESOURCE == res))
     {
         /*
-         * OC_STACK_INVALID_PARAM means the endpoint didn't authenticate with a certificate.
-         * Look for a symmetric key-based role and return that if present.
+         * OC_STACK_INVALID_PARAM or OC_STACK_NO_RESOURCE indicate the endpoint didn't authenticate
+         * with a certificate. Look for a symmetric key-based role and return that if present.
          */
         CASecureEndpoint_t sep;
         CAResult_t caRes = GetCASecureEndpointData(endpoint, &sep);