1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** Transport Layer Security (TLS) */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24 #include "nx_secure_tls.h"
25 #include "nx_secure_x509.h"
26
27 /**************************************************************************/
28 /* */
29 /* FUNCTION RELEASE */
30 /* */
31 /* _nx_secure_remote_certificate_verify PORTABLE C */
32 /* 6.2.0 */
33 /* AUTHOR */
34 /* */
35 /* Yanwu Cai, Microsoft Corporation */
36 /* */
37 /* DESCRIPTION */
38 /* */
39 /* This function verifies the authenticity of a certificate provided */
40 /* by the remote host by checking its digital signature against the */
41 /* trusted store, checking the certificate's validity period, and */
42 /* optionally checking the Common Name against the Top-Level Domain */
43 /* (TLD) name used to access the remote host. */
44 /* */
45 /* INPUT */
46 /* */
47 /* store Pointer to certificate store */
48 /* certificate Pointer to cert chain */
49 /* current_time Current timestamp */
50 /* */
51 /* OUTPUT */
52 /* */
53 /* status Certificate validity status */
54 /* */
55 /* CALLS */
56 /* */
57 /* _nx_secure_x509_certificate_chain_verify */
58 /* Verify cert against stores */
59 /* */
60 /* CALLED BY */
61 /* */
62 /* _nx_secure_tls_remote_certificate_verify */
63 /* Verify the server certificate */
64 /* */
65 /* RELEASE HISTORY */
66 /* */
67 /* DATE NAME DESCRIPTION */
68 /* */
69 /* 10-31-2022 Yanwu Cai Initial Version 6.2.0 */
70 /* */
71 /**************************************************************************/
UINT _nx_secure_remote_certificate_verify(NX_SECURE_X509_CERTIFICATE_STORE *store,
                                          NX_SECURE_X509_CERT *certificate, ULONG current_time)
{

/* Mapping of X.509-layer error codes onto their TLS-layer equivalents.
   Only the codes listed here are translated; any other non-success value
   from _nx_secure_x509_certificate_chain_verify() is passed through
   unchanged, so callers that only compare against NX_SECURE_TLS_* codes
   must still treat every non-NX_SUCCESS return as a verification failure.
   NX_SECURE_X509_CERTIFICATE_NOT_FOUND is deliberately absent because
   _nx_secure_x509_certificate_chain_verify() does not return it. */
typedef struct NX_REMOTE_CERT_STATUS_MAP_STRUCT
{
    UINT x509_status;   /* value produced by the X.509 chain verifier */
    UINT tls_status;    /* value reported to the TLS layer instead    */
} NX_REMOTE_CERT_STATUS_MAP;

static const NX_REMOTE_CERT_STATUS_MAP status_map[] =
{
    {NX_SECURE_X509_UNSUPPORTED_PUBLIC_CIPHER,     NX_SECURE_TLS_UNSUPPORTED_PUBLIC_CIPHER},
    {NX_SECURE_X509_UNKNOWN_CERT_SIG_ALGORITHM,    NX_SECURE_TLS_UNKNOWN_CERT_SIG_ALGORITHM},
    {NX_SECURE_X509_CERTIFICATE_SIG_CHECK_FAILED,  NX_SECURE_TLS_CERTIFICATE_SIG_CHECK_FAILED},
#ifndef NX_SECURE_ALLOW_SELF_SIGNED_CERTIFICATES
    /* When self-signed leaf certificates are allowed at build time the X.509
       layer is expected not to raise this code, so no translation is kept. */
    {NX_SECURE_X509_INVALID_SELF_SIGNED_CERT,      NX_SECURE_TLS_INVALID_SELF_SIGNED_CERT},
#endif
    {NX_SECURE_X509_ISSUER_CERTIFICATE_NOT_FOUND,  NX_SECURE_TLS_ISSUER_CERTIFICATE_NOT_FOUND},
    {NX_SECURE_X509_MISSING_CRYPTO_ROUTINE,        NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE},
};

UINT x509_status;
UINT map_index;
UINT map_entries;

    /* Walk the remote chain back to an issuer held in the trusted store.
       The X.509 layer returns NX_SUCCESS only when every link (including
       the signature on each certificate) checks out. current_time is handed
       down for the validity-period check; presumably that check lives inside
       _nx_secure_x509_certificate_chain_verify() -- it is not repeated here.
       NOTE(review): nothing in this function compares the certificate's
       Common Name / subject against the host name that was dialled; any such
       check has to be performed by the caller. */
    x509_status = _nx_secure_x509_certificate_chain_verify(store, certificate, current_time);

    /* Successful verification needs no translation. */
    if (x509_status == NX_SUCCESS)
    {
        return(NX_SUCCESS);
    }

    /* Translate the X.509 failure into the TLS code the caller expects,
       if a translation exists for it. */
    map_entries = (UINT)(sizeof(status_map) / sizeof(status_map[0]));
    for (map_index = 0; map_index < map_entries; map_index++)
    {
        if (status_map[map_index].x509_status == x509_status)
        {
            return(status_map[map_index].tls_status);
        }
    }

    /* No TLS equivalent: surface the raw X.509 error so the failure is not
       masked, matching the switch default of the original implementation. */
    return(x509_status);
}
109
110