Merge pull request open62541#6732 from jpfr/merge_13_14_17

Merge 1.3 to 1.4

plugins/ua_config_default.c

@@ -439,7 +439,12 @@ setDefaultConfig(UA_ServerConfig *conf, UA_UInt16 portNumber) {
 
     /* Certificate Verification that accepts every certificate. Can be
      * overwritten when the policy is specialized. */
+    if(conf->secureChannelPKI.clear)
+        conf->secureChannelPKI.clear(&conf->secureChannelPKI);
     UA_CertificateVerification_AcceptAll(&conf->secureChannelPKI);
+
+    if(conf->sessionPKI.clear)
+        conf->sessionPKI.clear(&conf->sessionPKI);
     UA_CertificateVerification_AcceptAll(&conf->sessionPKI);
 
     /* * Global Node Lifecycle * */
@@ -987,6 +992,8 @@ UA_ServerConfig_setDefaultWithSecurityPolicies(UA_ServerConfig *conf,
         return retval;
     }
 
+    if(conf->sessionPKI.clear)
+        conf->sessionPKI.clear(&conf->sessionPKI);
     retval = UA_CertificateVerification_Trustlist(&conf->sessionPKI,
                                                   trustList, trustListSize,
                                                   issuerList, issuerListSize,
@@ -1185,6 +1192,8 @@ UA_ClientConfig_setDefaultEncryption(UA_ClientConfig *config,
     if(retval != UA_STATUSCODE_GOOD)
         return retval;
 
+    if(config->certificateVerification.clear)
+        config->certificateVerification.clear(&config->certificateVerification);
     retval = UA_CertificateVerification_Trustlist(&config->certificateVerification,
                                                   trustList, trustListSize,
                                                   NULL, 0,

src/ua_securechannel.c

@@ -73,6 +73,7 @@ hideErrors(UA_TcpErrorMessage *const error) {
     switch(error->error) {
     case UA_STATUSCODE_BADCERTIFICATEUNTRUSTED:
     case UA_STATUSCODE_BADCERTIFICATEREVOKED:
+    case UA_STATUSCODE_BADCERTIFICATEISSUERREVOKED:
         error->error = UA_STATUSCODE_BADSECURITYCHECKSFAILED;
         error->reason = UA_STRING_NULL;
         break;

tests/encryption/check_save_rejected_cert.c

@@ -466,7 +466,7 @@ START_TEST(encryption_connect_reject_cert) {
 #ifdef __linux__
     /* Secure client connect */
     retval = UA_Client_connect(client, "opc.tcp://localhost:4840");
-    ck_assert_uint_eq(retval, UA_STATUSCODE_BADSECURITYCHECKSFAILED);
+    ck_assert_uint_eq(retval, UA_STATUSCODE_BADCERTIFICATETIMEINVALID);
 
     char rejectedFileName [256] = {0};
     strcat(rejectedFileName, "./");

tests/pubsub/check_pubsub_sks_client.c

@@ -11,6 +11,7 @@
 #include <open62541/plugin/securitypolicy_default.h>
 #include <open62541/server_config_default.h>
 #include <open62541/server_pubsub.h>
+#include <open62541/plugin/pki_default.h>
 
 #include "ua_pubsub.h"
 #include "ua_pubsub_keystorage.h"
@@ -148,10 +149,23 @@ skssetup(void) {
     privateKey.length = KEY_DER_LENGTH;
     privateKey.data = KEY_DER_DATA;
 
-    size_t trustListSize = 0;
-    UA_ByteString *trustList = NULL;
-    size_t issuerListSize = 0;
-    UA_ByteString *issuerList = NULL;
+    UA_ByteString rootCa = {ROOT_CERT_DER_LENGTH, ROOT_CERT_DER_DATA};
+    UA_ByteString rootCaCrl = {ROOT_CRL_PEM_LENGTH, ROOT_CRL_PEM_DATA};
+    UA_ByteString intermediateCa = {INTERMEDIATE_CERT_DER_LENGTH, INTERMEDIATE_CERT_DER_DATA};
+    UA_ByteString intermediateCaCrl = {INTERMEDIATE_EMPTY_CRL_PEM_LENGTH, INTERMEDIATE_EMPTY_CRL_PEM_DATA};
+
+    /* Load the trustlist */
+    size_t trustListSize = 2;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    trustList[0] = intermediateCa;
+    trustList[1] = rootCa;
+
+    /* Load the issuerList */
+    size_t issuerListSize = 2;
+    UA_STACKARRAY(UA_ByteString, issuerList, issuerListSize);
+    issuerList[0] = rootCa;
+    issuerList[1] = intermediateCa;
+
     UA_ByteString *revocationList = NULL;
     size_t revocationListSize = 0;
 
@@ -456,12 +470,12 @@ newEncryptedClientConfig(const char *username, const char *password) {
 
     /* Load certificate and private key */
     UA_ByteString certificate;
-    certificate.length = CERT_DER_LENGTH;
-    certificate.data = CERT_DER_DATA;
+    certificate.length = APPLICATION_CERT_DER_LENGTH;
+    certificate.data = APPLICATION_CERT_DER_DATA;
 
     UA_ByteString privateKey;
-    privateKey.length = KEY_DER_LENGTH;
-    privateKey.data = KEY_DER_DATA;
+    privateKey.length = APPLICATION_KEY_DER_LENGTH;
+    privateKey.data = APPLICATION_KEY_DER_DATA;
 
     /* Secure client initialization */
 
@@ -474,6 +488,8 @@ newEncryptedClientConfig(const char *username, const char *password) {
     cc->securityPolicyUri =
         UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
 
+    UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
+
     UA_UserNameIdentityToken* identityToken = UA_UserNameIdentityToken_new();
     identityToken->userName = UA_STRING_ALLOC(username);
     identityToken->password = UA_STRING_ALLOC(password);

tests/pubsub/check_pubsub_sks_pull.c

@@ -11,6 +11,7 @@
 #include <open62541/plugin/securitypolicy_default.h>
 #include <open62541/server_config_default.h>
 #include <open62541/server_pubsub.h>
+#include <open62541/plugin/pki_default.h>
 
 #include "ua_pubsub.h"
 #include "ua_pubsub_keystorage.h"
@@ -113,12 +114,27 @@ setup(void) {
     privateKey.length = KEY_DER_LENGTH;
     privateKey.data = KEY_DER_DATA;
 
-    size_t trustListSize = 0;
-    UA_ByteString *trustList = NULL;
-    size_t issuerListSize = 0;
-    UA_ByteString *issuerList = NULL;
+    UA_ByteString rootCa = {ROOT_CERT_DER_LENGTH, ROOT_CERT_DER_DATA};
+    UA_ByteString rootCaCrl = {ROOT_CRL_PEM_LENGTH, ROOT_CRL_PEM_DATA};
+    UA_ByteString intermediateCa = {INTERMEDIATE_CERT_DER_LENGTH, INTERMEDIATE_CERT_DER_DATA};
+    UA_ByteString intermediateCaCrl = {INTERMEDIATE_EMPTY_CRL_PEM_LENGTH, INTERMEDIATE_EMPTY_CRL_PEM_DATA};
+
+    /* Load the trustlist */
+    size_t trustListSize = 2;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    trustList[0] = intermediateCa;
+    trustList[1] = rootCa;
+
+    /* Load the issuerList */
+    size_t issuerListSize = 2;
+    UA_STACKARRAY(UA_ByteString, issuerList, issuerListSize);
+    issuerList[0] = rootCa;
+    issuerList[1] = intermediateCa;
+
     UA_ByteString *revocationList = NULL;
     size_t revocationListSize = 0;
+
+
     UA_StatusCode retVal = UA_STATUSCODE_GOOD;
     sksServer = UA_Server_new();
     UA_ServerConfig *config = UA_Server_getConfig(sksServer);
@@ -192,13 +208,12 @@ encyrptedclientconnect(UA_Client *client) {
 
     /* Load certificate and private key */
     UA_ByteString certificate;
-    certificate.length = CERT_DER_LENGTH;
-    certificate.data = CERT_DER_DATA;
-    ck_assert_uint_ne(certificate.length, 0);
+    certificate.length = APPLICATION_CERT_DER_LENGTH;
+    certificate.data = APPLICATION_CERT_DER_DATA;
 
     UA_ByteString privateKey;
-    privateKey.length = KEY_DER_LENGTH;
-    privateKey.data = KEY_DER_DATA;
+    privateKey.length = APPLICATION_KEY_DER_LENGTH;
+    privateKey.data = APPLICATION_KEY_DER_DATA;
     ck_assert_uint_ne(privateKey.length, 0);
 
     /* Secure client initialization */
@@ -212,6 +227,8 @@ encyrptedclientconnect(UA_Client *client) {
         UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
     ck_assert(client != NULL);
 
+    UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
+
     return UA_STATUSCODE_GOOD;
 }
 

tests/pubsub/check_pubsub_sks_push.c

@@ -12,6 +12,7 @@
 #include <open62541/client.h>
 #include <open62541/client_config_default.h>
 #include <open62541/client_highlevel.h>
+#include <open62541/plugin/pki_default.h>
 
 #include "../encryption/certificates.h"
 #include "ua_pubsub.h"
@@ -74,14 +75,12 @@ encyrptedclientconnect(UA_Client *client) {
 
     /* Load certificate and private key */
     UA_ByteString certificate;
-    certificate.length = CERT_DER_LENGTH;
-    certificate.data = CERT_DER_DATA;
-    ck_assert_uint_ne(certificate.length, 0);
+    certificate.length = APPLICATION_CERT_DER_LENGTH;
+    certificate.data = APPLICATION_CERT_DER_DATA;
 
     UA_ByteString privateKey;
-    privateKey.length = KEY_DER_LENGTH;
-    privateKey.data = KEY_DER_DATA;
-    ck_assert_uint_ne(privateKey.length, 0);
+    privateKey.length = APPLICATION_KEY_DER_LENGTH;
+    privateKey.data = APPLICATION_KEY_DER_DATA;
 
     /* Secure client initialization */
     UA_ClientConfig *cc = UA_Client_getConfig(client);
@@ -94,6 +93,8 @@ encyrptedclientconnect(UA_Client *client) {
         UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
     ck_assert(client != NULL);
 
+    UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
+
     /* Secure client connect */
     return UA_Client_connect(client, "opc.tcp://localhost:4840");
 }
@@ -195,10 +196,23 @@ setup(void) {
     privateKey.length = KEY_DER_LENGTH;
     privateKey.data = KEY_DER_DATA;
 
-    size_t trustListSize = 0;
-    UA_ByteString *trustList = NULL;
-    size_t issuerListSize = 0;
-    UA_ByteString *issuerList = NULL;
+    UA_ByteString rootCa = {ROOT_CERT_DER_LENGTH, ROOT_CERT_DER_DATA};
+    UA_ByteString rootCaCrl = {ROOT_CRL_PEM_LENGTH, ROOT_CRL_PEM_DATA};
+    UA_ByteString intermediateCa = {INTERMEDIATE_CERT_DER_LENGTH, INTERMEDIATE_CERT_DER_DATA};
+    UA_ByteString intermediateCaCrl = {INTERMEDIATE_EMPTY_CRL_PEM_LENGTH, INTERMEDIATE_EMPTY_CRL_PEM_DATA};
+
+    /* Load the trustlist */
+    size_t trustListSize = 2;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    trustList[0] = intermediateCa;
+    trustList[1] = rootCa;
+
+    /* Load the issuerList */
+    size_t issuerListSize = 2;
+    UA_STACKARRAY(UA_ByteString, issuerList, issuerListSize);
+    issuerList[0] = rootCa;
+    issuerList[1] = intermediateCa;
+
     UA_ByteString *revocationList = NULL;
     size_t revocationListSize = 0;