fix(plugin): fix hashing of certificate chains with Mbed tls

[MikeGranby]

Include only first certificate of a chain in SHA1 thumbprint hash.

Closes #6232

[jpfr]

Thanks for this.

We recently added something very similar:

open62541/src/ua_util.c

Line 502 in 5e76d25

getLeafCertificate(UA_ByteString chain) {

I'd like to see the following:

• Use the existing getLeafCertificate internally. So we only pass the leaf certificate into the plugin. There is only a small number of places where we call the thumbprint method callback. That solves the problem for OpenSSL at the same time.
• Do the change for the 1.4 branch. From this it gets merged to master.

Keep up the good work!

[MikeGranby]

A couple of observations:

• The OpenSSL path uses x509_digest which I believe already handles the DER decoding to ensure it gets the right data size, although I don't have an openssl build running here so I'm not 100% sure. We could certainly handle trimming the cert list earlier in the process, but I did it in mbed since that seemed to be where the problem is; and

• The getLeafCertificate implementation assumes a two byte length encoding of the certificate, which is probably reasonable in canonical form when considering the likely size of such an object, but in theory, the length could be an arbitrary number of bytes.

I'll rework this per your suggestions, but I will also improve getLeafCertificate to handle arbitrary lengths.

[jpfr]

Sounds great!

[MikeGranby]

Oh, and can you email me at mikeg@mikeg.net? Want to discuss any plans to add this library to Alpine as a package.