From 6dd5c585f63d352850298eb1aa99bd62702628e0 Mon Sep 17 00:00:00 2001
From: Oleksii Beketov
Date: Thu, 18 Aug 2016 14:04:36 +0300
Subject: [PATCH] Modify TLS adapter implementation to store subjectAltName
CAdecryptTls() in ca_adapter_net_tls.c is modified to check the certificate
for the optional subject alternative name (SAN) field. Its value will be
stored as userId.
Change-Id: I5a018f1030873f031966d785658db8c9b36f2839
Signed-off-by: Oleksii Beketov
Reviewed-on: https://gerrit.iotivity.org/gerrit/10613
Tested-by: jenkins-iotivity
Reviewed-by: Dmitriy Zhuravlev
Reviewed-by: Randeep Singh
---
.../src/adapter_util/ca_adapter_net_tls.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_tls.c b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_tls.c
index f4a568c..faade61 100644
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_tls.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_tls.c
@@ -65,6 +65,11 @@
* @brief uuid prefix in certificate subject field
*/
#define UUID_PREFIX "uuid:"
+/**
+ * @def USERID_PREFIX
+ * @brief userid prefix in certificate alternative subject name field
+ */
+#define USERID_PREFIX "userid:"
/**
* @def NET_TLS_TAG
@@ -1274,6 +1279,7 @@ CAResult_t CAdecryptTls(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d
{
char uuid[UUID_LENGTH * 2 + 5] = {0};
void * uuidPos = NULL;
+ void * userIdPos = NULL;
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
ret = (NULL == peerCert ? -1 : 0);
TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to retrieve subject",
@@ -1292,6 +1298,20 @@ CAResult_t CAdecryptTls(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d
ret = ConvertStrToUuid(uuid, &peer->sep.identity);
TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to convert subject",
1, CA_STATUS_FAILED);
+
+ userIdPos = memmem((void *) peerCert->subject_raw.p, peerCert->subject_raw.len,
+ (void *) USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
+ if (NULL != userIdPos)
+ {
+ memcpy(uuid, userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
+ ret = ConvertStrToUuid(uuid, &peer->sep.userId);
+ TLS_CHECK_HANDSHAKE_FAIL(peer, ret,
+ "Failed to convert subject alternative name", 1, CA_STATUS_FAILED);
+ }
+ else
+ {
+ OIC_LOG(DEBUG, NET_TLS_TAG, "Subject alternative name not found");
+ }
}
}
ca_mutex_unlock(g_tlsContextMutex);
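Review bot: The new `memcpy(uuid, userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4)` reads 36 bytes after the matched prefix without checking that they lie inside `peerCert->subject_raw`; memmem() only guarantees that the seven prefix bytes are in range, so a peer certificate whose `userid:` marker sits near the end of the subject makes the handshake read past the field and hand whatever follows in memory to ConvertStrToUuid. The remaining length should be derived from the match offset and compared against the UUID text length before the copy, failing the handshake through TLS_CHECK_HANDSHAKE_FAIL the way the existing subject-parsing path does. Two smaller points on the same lines: `userIdPos + sizeof(USERID_PREFIX) - 1` is arithmetic on a `void *`, a GNU extension, so cast to `const unsigned char *` first; and the search runs over `subject_raw` (the subject DN) while the log message and commit title speak of the subject alternative name — if the SAN extension is meant, mbed TLS parses it into `peerCert->subject_alt_names`, so the intended field is worth confirming in a comment. CAdecryptTls begins and ends outside the hunk.
```c
    userIdPos = memmem((void *) peerCert->subject_raw.p, peerCert->subject_raw.len,
                       (void *) USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
    if (NULL != userIdPos)
    {
        /* memmem only proves the prefix is in range; the UUID text after it must be too. */
        const unsigned char *idStart = (const unsigned char *) userIdPos + sizeof(USERID_PREFIX) - 1;
        size_t remaining = peerCert->subject_raw.len
                           - (size_t) (idStart - peerCert->subject_raw.p);
        ret = (remaining < UUID_LENGTH * 2 + 4) ? -1 : 0;
        TLS_CHECK_HANDSHAKE_FAIL(peer, ret,
                         "Subject alternative name too short", 1, CA_STATUS_FAILED);
        memcpy(uuid, idStart, UUID_LENGTH * 2 + 4);
        ret = ConvertStrToUuid(uuid, &peer->sep.userId);
        // … unchanged: TLS_CHECK_HANDSHAKE_FAIL on the conversion result …
    }
    // … unchanged: else branch logging that the name was not found …
```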
--
2.7.4