Added IDevID and LDevID certificate validation

Border Router (authenticator) now forces nodes i.e. clients to use
IDevID/LDevID (top) certificates defined by Wi-SUN.

Client certificate must contain SubjectAlternativeName extension (SANE)
with OtherName of type id-on-hardwareModuleName containing hwType and
hwSerialNum. HW type and serial are traced by TLS library interface
module. Certificate must also contain ExtendedKeyUsage with
id-kp-wisun-fan-device object identifier.

Clients verify now that if either id-on-hardwareModuleName or ExtendedKeyUsage
is present with Wi-SUN fields in Server certificate, both of them shall
be present and valid.

Added also check for all certificates that certificates are signed
with SHA256withECDSA to certification validation callback.

Author: Mika Leppänen

source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c

@@ -49,6 +49,7 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/ssl_ciphersuites.h"
 #include "mbedtls/debug.h"
+#include "mbedtls/oid.h"
 
 #include "mbedtls/ssl_internal.h"
 
@@ -57,7 +58,10 @@
 #define TLS_HANDSHAKE_TIMEOUT_MIN 25000
 #define TLS_HANDSHAKE_TIMEOUT_MAX 201000
 
-//#define TLS_SEC_PROT_LIB_TLS_DEBUG   // Enable mbed TLS debug traces
+//#define TLS_SEC_PROT_LIB_TLS_DEBUG       // Enable mbed TLS debug traces
+#define TLS_SEC_PROT_LIB_CERT_VALID_SKIP   // Skip certificate validation
+
+typedef int tls_sec_prot_lib_crt_verify_cb(mbedtls_x509_crt *crt, uint32_t *flags);
 
 struct tls_security_s {
     mbedtls_ssl_config             conf;                 /**< mbed TLS SSL configuration */
@@ -71,6 +75,7 @@ struct tls_security_s {
     mbedtls_x509_crt               owncert;              /**< Own certificate(s) */
     mbedtls_pk_context             pkey;                 /**< Private key for own certificate */
     void                           *handle;              /**< Handle provided in callbacks (defined by library user) */
+    tls_sec_prot_lib_crt_verify_cb *crt_verify;          /**< Verify function for top certificate */
     tls_sec_prot_lib_send          *send;                /**< Send callback */
     tls_sec_prot_lib_receive       *receive;             /**< Receive callback */
     tls_sec_prot_lib_export_keys   *export_keys;         /**< Export keys callback */
@@ -88,15 +93,23 @@ static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char
                                             size_t ivlen, const unsigned char client_random[32],
                                             const unsigned char server_random[32],
                                             mbedtls_tls_prf_types tls_prf_type);
+
+static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags);
+static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt);
+static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt);
+#ifdef HAVE_PAE_AUTH
+static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(mbedtls_x509_crt *crt, uint32_t *flags);
+#endif
+#ifdef HAVE_PAE_SUPP
+static int tls_sec_prot_lib_x509_crt_server_verify(mbedtls_x509_crt *crt, uint32_t *flags);
+#endif
 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string);
 #endif
-
 #ifdef MBEDTLS_PLATFORM_MEMORY
 // Disable for now
 //#define TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
 #endif
-
 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
 static void *tls_sec_prot_lib_mem_calloc(size_t count, size_t size);
 static void tls_sec_prot_lib_mem_free(void *ptr);
@@ -272,18 +285,37 @@ static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const se
     return 0;
 }
 
+#if defined(HAVE_PAE_AUTH) && defined(HAVE_PAE_SUPP)
+#define is_server_is_set (is_server == true)
+#define is_server_is_not_set (is_server == false)
+#elif defined(HAVE_PAE_AUTH)
+#define is_server_is_set true
+#define is_server_is_not_set false
+#elif defined(HAVE_PAE_SUPP)
+#define is_server_is_set false
+#define is_server_is_not_set true
+#endif
+
 int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_prot_certs_t *certs)
 {
     if (!sec) {
         return -1;
     }
 
-    int endpoint = MBEDTLS_SSL_IS_CLIENT;
-    if (is_server) {
-        endpoint = MBEDTLS_SSL_IS_SERVER;
+#ifdef HAVE_PAE_SUPP
+    if (is_server_is_not_set) {
+        sec->crt_verify = tls_sec_prot_lib_x509_crt_server_verify;
+    }
+#endif
+#ifdef HAVE_PAE_AUTH
+    if (is_server_is_set) {
+        sec->crt_verify = tls_sec_prot_lib_x509_crt_idevid_ldevid_verify;
     }
+#endif
 
-    if ((mbedtls_ssl_config_defaults(&sec->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {
+    if ((mbedtls_ssl_config_defaults(&sec->conf,
+                                     is_server_is_set ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
+                                     MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {
         tr_error("config defaults fail");
         return -1;
     }
@@ -331,8 +363,11 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
     mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
     mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
 
+    // Set certificate verify callback
+    mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec);
+
 #ifdef MBEDTLS_ECP_RESTARTABLE
-    if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+    if (is_server_is_set) {
         // Temporary to enable non blocking ECC */
         sec->ssl.handshake->ecrs_enabled = 1;
     }
@@ -433,6 +468,109 @@ static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char
     return 0;
 }
 
+static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+{
+    /* MD/PK forced also by configuration flags and dynamic settings but still verified
+       here to prevent invalid configurations/certificates */
+    if (crt->sig_md != MBEDTLS_MD_SHA256) {
+        tr_error("Invalid signature md algorithm");
+        *flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+        return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+    }
+    if (crt->sig_pk != MBEDTLS_PK_ECDSA) {
+        tr_error("Invalid signature pk algorithm");
+        *flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+        return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+    }
+
+    // Verify top certificate of the chain
+    if (certificate_depth == 0) {
+        tls_security_t *sec = (tls_security_t *)ctx;
+        return sec->crt_verify(crt, flags);
+    }
+
+    // No further checks for intermediate and root certificates at the moment
+    return 0;
+}
+
+static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt)
+{
+    mbedtls_asn1_sequence *seq = &crt->subject_alt_names;
+    int8_t result = -1;
+    while (seq) {
+        mbedtls_x509_subject_alternative_name san;
+        int ret_value = mbedtls_x509_parse_subject_alt_name((mbedtls_x509_buf *)&seq->buf, &san);
+        if (ret_value == 0 && san.type == MBEDTLS_X509_SAN_OTHER_NAME) {
+            // id-on-hardwareModuleName must be present (1.3.6.1.5.5.7.8.4)
+            if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &san.san.other_name.value.hardware_module_name.oid)) {
+                // Traces hardwareModuleName (1.3.6.1.4.1.<enteprise number>.<model,version,etc.>)
+                char buffer[30];
+                ret_value = mbedtls_oid_get_numeric_string(buffer, sizeof(buffer), &san.san.other_name.value.hardware_module_name.oid);
+                if (ret_value != MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
+                    tr_info("id-on-hardwareModuleName %s", buffer);
+                }
+                // Traces serial number as hex string
+                mbedtls_x509_buf *val = &san.san.other_name.value.hardware_module_name.val;
+                if (val->p) {
+                    tr_info("id-on-hardwareModuleName hwSerialNum %s", trace_array(val->p, val->len));
+                }
+                result = 0;
+            }
+        } else {
+            tr_debug("Ignored subject alt name: %i", san.type);
+        }
+        seq = seq->next;
+    }
+    return result;
+}
+
+static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt)
+{
+    // Extended key usage must be present
+    if (mbedtls_x509_crt_check_extended_key_usage(crt, MBEDTLS_OID_WISUN_FAN, sizeof(MBEDTLS_OID_WISUN_FAN) - 1) != 0) {
+        return -1; // FAIL
+    }
+    return 0;
+}
+
+#ifdef HAVE_PAE_AUTH
+static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(mbedtls_x509_crt *crt, uint32_t *flags)
+{
+    // For both IDevID and LDevId both subject alternative name or extended key usage must be valid
+    if (tls_sec_prot_lib_subject_alternative_name_validate(crt) < 0 ||
+            tls_sec_prot_lib_extended_key_usage_validate(crt) < 0) {
+        tr_error("invalid cert");
+#ifndef TLS_SEC_PROT_LIB_CERT_VALID_SKIP
+        *flags |= MBEDTLS_X509_BADCERT_OTHER;
+        return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+#endif
+    }
+    return 0;
+}
+#endif
+
+#ifdef HAVE_PAE_SUPP
+static int tls_sec_prot_lib_x509_crt_server_verify(mbedtls_x509_crt *crt, uint32_t *flags)
+{
+    int8_t sane_res = tls_sec_prot_lib_subject_alternative_name_validate(crt);
+    int8_t ext_key_res = tls_sec_prot_lib_extended_key_usage_validate(crt);
+
+    // If either subject alternative name or extended key usage is present
+    if (sane_res >= 0 || ext_key_res >= 0) {
+        // Then both subject alternative name and extended key usage must be valid
+        if (sane_res < 0 || ext_key_res < 0) {
+            tr_error("invalid cert");
+#ifndef TLS_SEC_PROT_LIB_CERT_VALID_SKIP
+            *flags |= MBEDTLS_X509_BADCERT_OTHER;
+            return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+#endif
+        }
+    }
+
+    return 0;
+}
+#endif
+
 static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len, size_t *olen)
 {
     (void)ctx;