S2OPC OPCUA Toolkit
Defines the minimal PKI implementation provided by the stack.
Functions
SOPC_ReturnStatus SOPC_PKIProviderStack_Create (SOPC_SerializedCertificate *pCertAuth, SOPC_CRLList *pRevocationList, SOPC_PKIProvider **ppPKI)
Creates the minimal validation implementation provided by the stack, which fulfills the SOPC_PKIProvider interface.
SOPC_ReturnStatus SOPC_PKIProviderStack_SetUserCert (SOPC_PKIProvider *pPKI, bool bIsUserPki)
Define whether the PKI is used for user or application certificates. The extensions verification for users:
SOPC_ReturnStatus SOPC_PKIProviderStack_CreateFromPaths (char **lPathTrustedIssuerRoots, char **lPathTrustedIssuerLinks, char **lPathUntrustedIssuerRoots, char **lPathUntrustedIssuerLinks, char **lPathIssuedCerts, char **lPathCRL, SOPC_PKIProvider **ppPKI)
Creates a SOPC_PKIProviderStack using lists of paths.
Defines the minimal PKI implementation provided by the stack.
The stack will not provide a full-blown configurable PKI. The stack provides only a minimal, always safe validating PKI.
SOPC_ReturnStatus SOPC_PKIProviderStack_Create (SOPC_SerializedCertificate *pCertAuth, SOPC_CRLList *pRevocationList, SOPC_PKIProvider **ppPKI)
Creates the minimal validation implementation provided by the stack, which fulfills the SOPC_PKIProvider interface.
This verifies the certificate in the safest manner (whole certificate chain, with date validation), with a single certificate authority, and its revocation list. Certificate authority requirements depend on the chosen OPC UA security policy. The CRL must be the CRL of the certificate authority.
pCertAuth | A valid pointer to the serialized certificate of the certification authority. This object is internally copied, and only the internal copy is freed by SOPC_PKIProvider_Free. |
pRevocationList | A certificate chain containing the revocation list of the certificate authority. This object is borrowed and is freed by SOPC_PKIProvider_Free. |
ppPKI | A valid pointer to the newly created SOPC_PKIProvider. You should free such provider with SOPC_PKIProvider_Free(). |
SOPC_ReturnStatus SOPC_PKIProviderStack_SetUserCert (SOPC_PKIProvider *pPKI, bool bIsUserPki)
Define whether the PKI is used for user or application certificates. The extensions verification for users:
pPKI | A valid pointer to the SOPC_PKIProvider. |
bIsUserPki | Define whether the PKI is used for user or application certificates. |
pPKI is NULL.
SOPC_ReturnStatus SOPC_PKIProviderStack_CreateFromPaths (char **lPathTrustedIssuerRoots, char **lPathTrustedIssuerLinks, char **lPathUntrustedIssuerRoots, char **lPathUntrustedIssuerLinks, char **lPathIssuedCerts, char **lPathCRL, SOPC_PKIProvider **ppPKI)
Creates a SOPC_PKIProviderStack using lists of paths.
This verifies the certificate in the safest manner (whole certificate chain, with date validation, mandatory certificate revocation lists). Certificate Authority (CA) requirements (such as the hash algorithm used for the signature) depend on the chosen OPC UA security policy.
There are 3 types of certificates to provide to the PKI:
In addition, there are two more concepts:
The list of Certificate Revocation Lists (CRLs) must contain exactly one CRL for each of the provided CAs, whether link or root, trusted or untrusted.
Issued certificates should not have CRLs, as they cannot be used to trust any other certificate. When an issued certificate is used to protect a Secure Channel, its signing chain will be verified. For instance, if the certificate is not self-signed and appears on the CRL of its signing CA, the connection will fail as the certificate is in fact invalid.
lPathTrustedIssuerRoots | A pointer to an array of paths to root trusted issuers of the validation chains. The array must contain a NULL pointer to indicate its end. Each path is a zero-terminated relative path to the certificate from the current working directory. |
lPathTrustedIssuerLinks | A pointer to an array of paths to intermediate certificate authorities. This list contains only the trusted intermediate issuers. This list must be ordered so that a certificate signed by a parent is present in the list before its signing parent. Each issued certificate must have its signing certificate chain in this list. |
lPathUntrustedIssuerRoots | A pointer to an array of paths to root untrusted issuers of the validation chains. The array must contain a NULL pointer to indicate its end. Each path is a zero-terminated relative path to the certificate from the current working directory. |
lPathUntrustedIssuerLinks | A pointer to an array of paths to intermediate certificate authorities. This list contains only the untrusted intermediate issuers. This list must be ordered so that a certificate signed by a parent is present in the list before its signing parent. Each issued certificate must have its signing certificate chain in this list. |
lPathIssuedCerts | A pointer to an array of paths to issued certificates. The array must contain a NULL pointer to indicate its end. Each path is a zero-terminated relative path to the certificate from the current working directory. |
lPathCRL | A pointer to an array of paths to each certificate revocation list to use. Each CA of the trusted issuers list and the untrusted issuers list must have a CRL in the list. The array must contain a NULL pointer to indicate its end. Each path is a zero-terminated relative path to the CRL from the current working directory. |
ppPKI | A valid pointer to the newly created PKIProvider. You should free such provider with SOPC_PKIProvider_Free(). |
lPathTrustedIssuerLinks and lPathUntrustedIssuerLinks must be sorted: certificates must be provided in the child -> parent order. In other words, there may be several chains provided in the list, but a signed certificate must always be provided before the certificate that signed it.
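A pre-flight check for the two list constraints described above (child -> parent ordering of the link lists, and exactly one CRL per CA), as an added example that is not part of S2OPC. The `pki_entry` type, both function names and the sample names are hypothetical; in practice the subject and issuer names would be read from the certificate and CRL files before the path arrays are passed to SOPC_PKIProviderStack_CreateFromPaths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical summary of one CA certificate or CRL: only the names matter. */
typedef struct {
    const char* subject; /* certificate subject; NULL (unused) for a CRL */
    const char* issuer;  /* signer of the certificate, or CA that issued the CRL */
} pki_entry;

/* Link lists must be child -> parent: if the signer of entry i is also in
 * the list, it must not appear at an earlier index than i. */
bool links_are_child_first(const pki_entry* links, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < i; j++) {
            if (strcmp(links[j].subject, links[i].issuer) == 0) {
                return false; /* parent listed before the certificate it signed */
            }
        }
    }
    return true;
}

/* Every CA (root or link, trusted or untrusted) must have exactly one CRL. */
bool each_ca_has_one_crl(const pki_entry* cas, size_t nCa, const pki_entry* crls, size_t nCrl)
{
    for (size_t i = 0; i < nCa; i++) {
        size_t hits = 0;
        for (size_t k = 0; k < nCrl; k++) {
            if (strcmp(crls[k].issuer, cas[i].subject) == 0) hits++;
        }
        if (hits != 1) return false; /* missing or duplicated CRL for this CA */
    }
    return true;
}

/* Constructed sample chain: Root CA -> Sub CA 1 -> Sub CA 2 */
static const pki_entry good_links[] = {{"Sub CA 2", "Sub CA 1"}, {"Sub CA 1", "Root CA"}};
static const pki_entry bad_links[] = {{"Sub CA 1", "Root CA"}, {"Sub CA 2", "Sub CA 1"}};
static const pki_entry all_cas[] = {{"Root CA", "Root CA"}, {"Sub CA 1", "Root CA"}, {"Sub CA 2", "Sub CA 1"}};
static const pki_entry sample_crls[] = {{NULL, "Root CA"}, {NULL, "Sub CA 1"}, {NULL, "Sub CA 2"}};

int main(void)
{
    bool ok = links_are_child_first(good_links, 2) && !links_are_child_first(bad_links, 2) &&
              each_ca_has_one_crl(all_cas, 3, sample_crls, 3);
    return ok ? 0 : 1;
}
```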