Protocol adapters should allow devices to send certificate chains for authenticating
The protocol adapters currently use the issuer DN from the device's end-entity certificate to look up the tenant that the device belongs to. Let's assume a chain of trust as follows:
A <- B <- C
where x <- y indicates that certificate x has been signed using the private key belonging to certificate y, and thus issuer(x) = subject(y).
Let's assume that device D belongs to tenant T. Based on the current implementation of the protocol adapters, authentication only works if B has been registered as trust anchor for T and D presents a certificate chain consisting of just [A] during the TLS handshake.
In order to put fewer restrictions and constraints on the client (device), the adapters should also be able to successfully authenticate the device if
- B or C has been registered as trust anchor for T and
- D presents either [A,B] or [A,B,C]
I am no longer sure if it is a good idea to support this as it would allow Tenant 1 to have C configured as its trust anchor and Tenant 2 to have B configured as its trust anchor. When a device now presents a chain [A,B], it would no longer be clear to which tenant the device belongs because we would have two matches:
- Tenant 1 because A's issuer DN matches B's subject DN and
- Tenant 2 because B's issuer DN matches C's subject DN.
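The issuer-DN lookup described in the issue, extended over a chain as proposed, together with the tenant ambiguity raised in the comment, as an added Python example (this is not the protocol adapters' own code; certificates are reduced to constructed subject/issuer DN pairs, and no signature verification is performed):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the DNs matter here."""
    subject: str
    issuer: str


# Constructed chain of trust A <- B <- C (C is a self-signed root).
A = Cert(subject="CN=device-D", issuer="CN=B")
B = Cert(subject="CN=B", issuer="CN=C")
C = Cert(subject="CN=C", issuer="CN=C")

# Constructed trust-anchor registrations: tenant id -> subject DNs of its anchors.
AMBIGUOUS_ANCHORS = {"tenant-1": {"CN=C"}, "tenant-2": {"CN=B"}}


def chain_is_linked(chain):
    """Each certificate must have been issued by the next one in the chain."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))


def tenants_for_chain(chain, trust_anchors):
    """Proposed lookup: every tenant that registered the issuer of ANY chain element."""
    if not chain or not chain_is_linked(chain):
        return set()
    return {tenant for cert in chain
            for tenant, anchors in trust_anchors.items() if cert.issuer in anchors}


def current_lookup(chain, trust_anchors):
    """Current behaviour: only the end-entity certificate's issuer DN is considered."""
    return tenants_for_chain(chain[:1], trust_anchors)


def resolve_tenant(chain, trust_anchors):
    """Accept the chain only if it maps to exactly one tenant; refuse on 0 or >1 matches."""
    matches = tenants_for_chain(chain, trust_anchors)
    return next(iter(matches)) if len(matches) == 1 else None


if __name__ == "__main__":
    print("current lookup [A,B]:", current_lookup([A, B], AMBIGUOUS_ANCHORS))
    print("chain lookup   [A,B]:", tenants_for_chain([A, B], AMBIGUOUS_ANCHORS))
    print("resolved tenant     :", resolve_tenant([A, B], AMBIGUOUS_ANCHORS))
```

With two tenants anchored at different levels of the same chain, `resolve_tenant` refuses rather than picking one, which is the safe outcome for the situation the comment describes.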