1 /**************************************************************************/
2 /* */
3 /* Copyright (c) Microsoft Corporation. All rights reserved. */
4 /* */
5 /* This software is licensed under the Microsoft Software License */
6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */
7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
8 /* and in the root directory of this software. */
9 /* */
10 /**************************************************************************/
11
12
13 /**************************************************************************/
14 /**************************************************************************/
15 /** */
16 /** NetX Secure Component */
17 /** */
18 /** Transport Layer Security (TLS) */
19 /** */
20 /**************************************************************************/
21 /**************************************************************************/
22
23 #define NX_SECURE_SOURCE_CODE
24
25 #include "nx_secure_tls.h"
26 #include "nx_secure_x509.h"
27
28 /**************************************************************************/
29 /* */
30 /* FUNCTION RELEASE */
31 /* */
32 /* _nx_secure_remote_certificate_verify PORTABLE C */
33 /* 6.2.0 */
34 /* AUTHOR */
35 /* */
36 /* Yanwu Cai, Microsoft Corporation */
37 /* */
38 /* DESCRIPTION */
39 /* */
/* This function verifies a certificate (chain) presented by the remote  */
/* host by asking _nx_secure_x509_certificate_chain_verify() to link it  */
/* to an issuer in the trusted store (current_time is passed through,    */
/* presumably for the X.509 layer's validity-period check), and then     */
/* translates selected X.509 status codes into their TLS equivalents.    */
/* Common Name / hostname matching is NOT performed by this function;    */
/* callers must not treat NX_SUCCESS here as proof of server identity.   */
45 /* */
46 /* INPUT */
47 /* */
48 /* store Pointer to certificate store */
49 /* certificate Pointer to cert chain */
50 /* current_time Current timestamp */
51 /* */
52 /* OUTPUT */
53 /* */
54 /* status Certificate validity status */
55 /* */
56 /* CALLS */
57 /* */
58 /* _nx_secure_x509_certificate_chain_verify */
59 /* Verify cert against stores */
60 /* */
61 /* CALLED BY */
62 /* */
63 /* _nx_secure_tls_remote_certificate_verify */
64 /* Verify the server certificate */
65 /* */
66 /* RELEASE HISTORY */
67 /* */
68 /* DATE NAME DESCRIPTION */
69 /* */
70 /* 10-31-2022 Yanwu Cai Initial Version 6.2.0 */
71 /* */
72 /**************************************************************************/
UINT _nx_secure_remote_certificate_verify(NX_SECURE_X509_CERTIFICATE_STORE *store,
                                          NX_SECURE_X509_CERT *certificate, ULONG current_time)
{
UINT x509_status;

    /* Hand the remote chain to the X.509 layer, which tries to link it to an
       issuer held in the trusted store. current_time is passed straight through
       (presumably for the X.509 layer's validity-period check; it is not
       inspected here). NX_SUCCESS means a trusted issuer was found; any other
       value is an X.509 failure code. */
    x509_status = _nx_secure_x509_certificate_chain_verify(store, certificate, current_time);

    /* Map the X.509 outcome into the TLS status space. Only the codes listed
       below have a TLS counterpart; every other value is returned unchanged,
       so a failing X.509 result can never be rewritten into NX_SUCCESS by this
       translation. No hostname / Common Name matching happens in this function. */
    switch (x509_status)
    {
    case NX_SUCCESS:
        return(NX_SUCCESS);

    case NX_SECURE_X509_UNSUPPORTED_PUBLIC_CIPHER:
        return(NX_SECURE_TLS_UNSUPPORTED_PUBLIC_CIPHER);

    case NX_SECURE_X509_UNKNOWN_CERT_SIG_ALGORITHM:
        return(NX_SECURE_TLS_UNKNOWN_CERT_SIG_ALGORITHM);

    case NX_SECURE_X509_CERTIFICATE_SIG_CHECK_FAILED:
        return(NX_SECURE_TLS_CERTIFICATE_SIG_CHECK_FAILED);

    /* When NX_SECURE_ALLOW_SELF_SIGNED_CERTIFICATES is defined at build time the
       self-signed mapping below is compiled out. Should the X.509 layer still
       report NX_SECURE_X509_INVALID_SELF_SIGNED_CERT in that configuration, it
       reaches the caller untranslated via the default branch — still a
       non-success value, so it is not silently accepted. */
#ifndef NX_SECURE_ALLOW_SELF_SIGNED_CERTIFICATES
    case NX_SECURE_X509_INVALID_SELF_SIGNED_CERT:
        return(NX_SECURE_TLS_INVALID_SELF_SIGNED_CERT);
#endif

    case NX_SECURE_X509_ISSUER_CERTIFICATE_NOT_FOUND:
        return(NX_SECURE_TLS_ISSUER_CERTIFICATE_NOT_FOUND);

    case NX_SECURE_X509_MISSING_CRYPTO_ROUTINE:
        return(NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE);

    default:
        /* NX_SECURE_X509_CERTIFICATE_NOT_FOUND deliberately has no entry above:
           the chain verify routine does not produce it. Anything unmapped is
           passed through as the raw X.509 status. */
        return(x509_status);
    }
}
110
111