diff --git a/include/certifier/xpki_client.h b/include/certifier/xpki_client.h index 6f53e58..6a5ac49 100644 --- a/include/certifier/xpki_client.h +++ b/include/certifier/xpki_client.h @@ -28,9 +28,6 @@ extern "C" { #endif -#define CERTIFIER_STATIC_URL "https://certifier-p01.xpki.io/v1/certifier" -#define DEFAULT_CERTIFIER_URL "https://certifier.xpki.io/v1/certifier" - typedef enum { XPKI_CLIENT_SUCCESS = 0, diff --git a/libcertifier.cfg.sample b/libcertifier.cfg.sample index 570ab17..2923877 100644 --- a/libcertifier.cfg.sample +++ b/libcertifier.cfg.sample @@ -1,5 +1,5 @@ { - "libcertifier.certifier.url": "https://certifier.xpki.io/v1/certifier", + "libcertifier.certifier.url": "https://certifier-p01.xpki.io/v1/certifier", "libcertifier.profile.name": "XFN_Matter_OP_Class_3_ICA", "libcertifier.validity.days": 365, "libcertifier.auth.type": "X509", diff --git a/src/certifier.c b/src/certifier.c index 93b0f3f..6a9e2d2 100644 --- a/src/certifier.c +++ b/src/certifier.c @@ -951,6 +951,19 @@ Certifier * certifier_new(void) { /* This will reconfigure() automatically. */ error_code = certifier_load_cfg_file(certifier); + if (error_code != 0) + { + goto exit; + } + + /* certifier_url must be specified */ + const char * url = certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); + if (url == NULL || XSTRLEN(url) == 0) + { + log_error("certifier_url must be set in config (libcertifier.certifier.url)"); + error_code = CERTIFIER_ERR_INIT_CERTIFIER; + goto exit; + } } else { diff --git a/src/mbedtls.c b/src/mbedtls.c index 3589d37..d176af7 100644 --- a/src/mbedtls.c +++ b/src/mbedtls.c @@ -889,6 +889,12 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf * params, mbedtls_as return (0); } +/* + * This function is a derivative of mbedtls_pkcs5_pbes2() from the + * official Mbed TLS library. + * Source: https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/library/pkcs5.c + * License: Apache 2.0 (re-licensed by ARM from the original PolarSSL GPLv2) + */ static int test_pkcs5_pbes2(const mbedtls_asn1_buf * pbe_params, int mode, const unsigned char * pwd, size_t pwdlen, const unsigned char * data, size_t datalen, unsigned char * output) { @@ -1699,38 +1705,15 @@ typedef struct IndefiniteItems int depth; } IndefiniteItems; -/* ASN Tags */ -enum ASN_Tags -{ - ASN_EOC = 0x00, - ASN_BOOLEAN = 0x01, - ASN_INTEGER = 0x02, - ASN_BIT_STRING = 0x03, - ASN_OCTET_STRING = 0x04, - ASN_TAG_NULL = 0x05, - ASN_OBJECT_ID = 0x06, - ASN_ENUMERATED = 0x0a, - ASN_UTF8STRING = 0x0c, - ASN_SEQUENCE = 0x10, - ASN_SET = 0x11, - ASN_PRINTABLE_STRING = 0x13, - ASN_UTC_TIME = 0x17, - ASN_OTHER_TYPE = 0x00, - ASN_RFC822_TYPE = 0x01, - ASN_DNS_TYPE = 0x02, - ASN_DIR_TYPE = 0x04, - ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */ - ASN_GENERALIZED_TIME = 0x18, - CRL_EXTENSIONS = 0xa0, - ASN_EXTENSIONS = 0xa3, - ASN_LONG_LENGTH = 0x80, - ASN_INDEF_LENGTH = 0x80, - - /* ASN_Flags - Bitmask */ - ASN_CONSTRUCTED = 0x20, - ASN_APPLICATION = 0x40, - ASN_CONTEXT_SPECIFIC = 0x80, -}; +/* ASN Tags + * Derived from ITU-T X.690 and https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/include/mbedtls/asn1.h + * License: Apache 2.0 (re-licensed by ARM from the original PolarSSL GPLv2) + */ +#define ASN_EOC 0x00 +#define ASN_SEQUENCE 0x10 +#define ASN_SET 0x11 +#define ASN_CONSTRUCTED 0x20 +#define ASN_LONG_LENGTH 0x80 enum { diff --git a/src/property.c b/src/property.c index 8413ed6..d5ba5b2 100644 --- a/src/property.c +++ b/src/property.c @@ -45,7 +45,6 @@ #define DEFAULT_USER_CA_PATH "/usr/local/etc/certfier" #define DEFAULT_GLOBAL_CA_PATH "/etc/certifier" #define DEFAULT_CURDIR_CA_PATH "." -#define DEFAULT_CERTIFIER_URL "https://certifier.xpki.io/v1/certifier" #define DEFAULT_PROFILE_NAME "XFN_Matter_OP_Class_3_ICA" #define DEFAULT_CERT_MIN_TIME_LEFT_S 90 * 24 * 60 * 60; #define DEFAULT_OPT_SOURCE "unset-libcertifier-c-native" @@ -818,16 +817,6 @@ int property_set_defaults(CertifierPropMap * prop_map) } } - if (prop_map->certifier_url == NULL) - { - return_code = property_set(prop_map, CERTIFIER_OPT_CERTIFIER_URL, DEFAULT_CERTIFIER_URL); - if (return_code != 0) - { - log_error("Failed to set default property name: CERTIFIER_OPT_CERTIFIER_URL with error code: %i", return_code); - return return_code; - } - } - if (prop_map->profile_name == NULL) { return_code = property_set(prop_map, CERTIFIER_OPT_PROFILE_NAME, DEFAULT_PROFILE_NAME); diff --git a/src/xpki_client.c b/src/xpki_client.c index ac233e5..b7c99f8 100644 --- a/src/xpki_client.c +++ b/src/xpki_client.c @@ -403,20 +403,10 @@ XPKI_CLIENT_ERROR_CODE xc_get_cert(get_cert_param_t * params) } else { ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CRT, params->crt)); } - if (params->static_certifier == true) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, CERTIFIER_STATIC_URL)); - } - else - { - /* Use DEFAULT_CERTIFIER_URL if the certifier.url is not present in the config file. */ - const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); - if ((NULL == certifier_url) || (0 == XSTRLEN(certifier_url))) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, DEFAULT_CERTIFIER_URL)); - } - } + /* certifier.url must be present in the config file. */ + const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); + VerifyOrReturnError(certifier_url != NULL, XPKI_CLIENT_INVALID_ARGUMENT); if (certifier_get_property(certifier, CERTIFIER_OPT_OUTPUT_P12_PATH) != NULL) { @@ -472,22 +462,12 @@ XPKI_CLIENT_ERROR_CODE xc_renew_cert(renew_cert_param_t * params) } ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PATH, params->p12_path)); ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, params->p12_password)); - if (params->static_certifier == true) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, CERTIFIER_STATIC_URL)); - } - else - { - /** - * Use DEFAULT_CERTIFIER_URL if the certifier.url is not present in the config file. - */ - const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); + /** + * certifier.url must be present in the config file. + */ + const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); + VerifyOrReturnError(certifier_url != NULL, XPKI_CLIENT_INVALID_ARGUMENT); - if ((NULL == certifier_url) || (0 == XSTRLEN(certifier_url))) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, DEFAULT_CERTIFIER_URL)); - } - } ReturnErrorOnFailure(xc_set_source_id(params->source_id)); ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_AUTH_TYPE, xpki_auth_type_to_string(params->auth_type))); @@ -624,20 +604,9 @@ XPKI_CLIENT_ERROR_CODE xc_get_cert_status(get_cert_status_param_t * params, XPKI ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_INPUT_P12_PASSWORD, params->p12_password)); ReturnErrorOnFailure(xc_set_source_id(params->source_id)); - if (params->static_certifier == true) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, CERTIFIER_STATIC_URL)); - } - else - { - /* Use DEFAULT_CERTIFIER_URL if the certifier.url is not present in the config file. */ - const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); - - if ((NULL == certifier_url) || (0 == XSTRLEN(certifier_url))) - { - ReturnErrorOnFailure(certifier_set_property(certifier, CERTIFIER_OPT_CERTIFIER_URL, DEFAULT_CERTIFIER_URL)); - } - } + /* certifier.url must be present in the config file */ + const char * certifier_url = (char *) certifier_get_property(certifier, CERTIFIER_OPT_CERTIFIER_URL); + VerifyOrReturnError(certifier_url != NULL, XPKI_CLIENT_INVALID_ARGUMENT); return _xc_get_cert_status(status); }