Commit
Fixed ValidateCertificateChain() Implementation for mbedTLS. (project…
…-chip#16727)

In the mbedTLS implementation the root certificate shouldn't be included
in the certificate chain. It is sufficient that it is included in the
trusted certificates list.
emargolis authored and rochaferraz committed Mar 31, 2022
1 parent 5831e14 commit 2667d61
Showing 1 changed file with 0 additions and 4 deletions.
4 changes: 0 additions & 4 deletions src/crypto/CHIPCryptoPALmbedTLS.cpp
Expand Up @@ -1302,10 +1302,6 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(caCertificate), caCertificateLen);
VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kICAFormatInvalid, error = CHIP_ERROR_INTERNAL));

/* Add the root to the chain */
mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));

/* Parse the root cert */
mbedResult = mbedtls_x509_crt_parse(&rootCert, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));
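
Review bot: Nothing at the remaining "/* Parse the root cert */" step records why rootCertificate is no longer parsed into certChain, so a later edit could reintroduce the removed "Add the root to the chain" block. Suggest expanding that comment to say the root is deliberately kept out of certChain and supplied only through the trusted certificates list, as the commit message states. The change is also deletions only, in one file, with no accompanying test; a case that validates a leaf and ICA against a root present only as the trust anchor would pin this behaviour for the mbedTLS backend.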