From 1244007426dd810a7ea082e03af31003eabbf2fb Mon Sep 17 00:00:00 2001 
From: Evgeny Margolis Date: Tue, 11 Jul 2023 08:16:48 -1000 Subject: [PATCH] Implemented ExtractCRLDistributionPointURIFromX509Cert() Helper Function (#26913) * Implemented ExtractCRLDistributionPointURIFromX509Cert() Helper Function - Extracts the CRL Distribution Point (CDP) extension from an X509 ASN.1 Encoded Certificate - The returned value only covers the URI of the CDP - Only a single URI distribution point GeneralName is supported - The valid URL should start with "http://" or "https://" - Added OpenSSL, mbedTLS, and TinyCrypt implementations - Added CDP extension support to the chip-cert tool - Added new test vectors * Update OpenSSL Implementation to Address Review Comments. Added documentation to clarify each step of the implementation. * Added documentation to the mbedTLS-based implementations * Restyled by clang-format --------- Co-authored-by: Restyled.io --- ...hip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der | Bin 0 -> 596 bytes ...hip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem | 15 + ...Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der | Bin 0 -> 121 bytes ...Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem | 5 + ...Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der | Bin 0 -> 590 bytes ...Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem | 15 + ...-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.der | Bin 0 -> 121 bytes ...-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem | 5 + .../Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.der | Bin 0 -> 551 bytes .../Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem | 14 + ...Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.der | Bin 0 -> 553 bytes ...Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem | 14 + ...-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.der | Bin 0 -> 121 bytes ...-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem | 5 + .../Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der | Bin 0 -> 121 bytes .../Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem | 5 + ...-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der | Bin 0 -> 599 bytes ...-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem | 15 + 
...p-Test-DAC-FFF1-8000-0000-CDP-Long-Key.der | Bin 0 -> 121 bytes ...p-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem | 5 + ...C-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der | Bin 0 -> 521 bytes ...C-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem | 13 + ...AC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.der | Bin 0 -> 121 bytes ...AC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem | 5 + .../test/gen-test-attestation-certs.sh | 59 ++- .../tests/CHIPAttCert_test_vectors.cpp | 364 +++++++++++++++++- .../tests/CHIPAttCert_test_vectors.h | 32 +- src/crypto/CHIPCryptoPAL.h | 14 + src/crypto/CHIPCryptoPALOpenSSL.cpp | 81 ++++ src/crypto/CHIPCryptoPALPSA.cpp | 123 ++++++ src/crypto/CHIPCryptoPALmbedTLS.cpp | 123 ++++++ src/crypto/tests/CHIPCryptoPALTest.cpp | 49 +++ .../common/crypto/CHIPCryptoPALTinyCrypt.cpp | 123 ++++++ .../crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 123 ++++++ .../silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 123 ++++++ .../silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 123 ++++++ src/tools/chip-cert/CertUtils.cpp | 11 +- src/tools/chip-cert/Cmd_GenAttCert.cpp | 41 +- src/tools/chip-cert/chip-cert.h | 3 +- 39 files changed, 1487 insertions(+), 21 deletions(-) create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.der create mode 
100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.der create mode 100644 credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem 
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der new file mode 100644 index 0000000000000000000000000000000000000000..880b441bd42cc6ca50f5790b0ad817706dc771c6 GIT binary patch literal 596 zcmXqLVhS*5V*Iv%nTe5!iNiDZ_igLAP0j{fY#dr`9_MUXn3)XR3?&T2*qB3En0fep z6H7``ixfgqi%S#&96b$1420OYwAmP07@HQ=FfsD5xVgC*qKPu`uvi!Xfr2=%k)eT^ zk%gg&k+F$!lmx#e5EvR61Cgnvsb!Qwh@qN+3dAN^WSd+ZofW_)gp}tiIJ*QCquGGp z-be#sHg>RYm>8knVrFD#c4A=hS{wI8@mKpI&a5vDF~_%^y3hap!Uj{5%Yy2YZp>l4 zFT7op@zW93j7hV9%-*fRzaf1xuaAb)&*C7VaLfK}Mw9L=Zrp3oxXXYC=ww-8M#ldv zOa=@Fd>|e_hzATj_67r45TB1lj77xt&L7iLk{X4J--&G!?aq*X{IaXZKprHm%mNJJ z29fnn+c|w-Ulo0mciwo1pr}&3QBa404oHDKi>iULf#L%B1+s0@86_nJ#a8RAVYO0;@)fW@Zlt16L*mEenRd)(o?ru_%^8x- zmdL*T?bKQCd7>G$`FGBv2FUMgdVBA-{Pn2sk~<@t)`gecxTdPK_vjX CE38QX literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem new file mode 100644 index 00000000000000..e9568978ab1aea --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUDCCAfagAwIBAgIISW372zteskMwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP +TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB +gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFQx +JjAkBgNVBAMMHU1hdHRlciBUZXN0IERBQyAwMDAwIFR3byBDRFBzMRQwEgYKKwYB +BAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjOPQIB +BggqhkjOPQMBBwNCAARKrV70IfqHoglq9IBcx7bK3w/30LA1NNMRJ5LYnAHfE7cV +AfLEBWiSm/ibuygPsGeTDUwoQvlzUhJXOY+2MpLco4G9MIG6MAwGA1UdEwEB/wQC +MAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRF3Pw1yhkocaPuFrIVi2gb4+mK +jDAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDAsBgNVHR8EJTAjMCGg +H6AdhhtodHRwczovL2V4YW1wbGUuY29tL2NybC5wZW0wLAYDVR0fBCUwIzAhoB+g +HYYbaHR0cDovL2V4YW1wbGUuY29tL2NybDIucGVtMAoGCCqGSM49BAMCA0gAMEUC +ICo4AL07AB1JwKlxGLhw/UsJVGsGYQev7ZWa7wxbASuPAiEA4YlR6OPubKM9Z7Jg +jBq99l+UvHneNRsmIWpB3JKzESI= +-----END CERTIFICATE----- diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der new file mode 100644 index 0000000000000000000000000000000000000000..6db711ca7bde9c17d06f721587d41036be8165c0 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R$9DLf8*RoJGcPYNtuQA%Fq4*vQ%_#BN2{N?d5D-+rJ91_&yK zNX|V20SBQ(13~}A^L}+32O9!T*tP`-w*fDur)N(5hs$^oB`hxw-o{M#06-Q boA{f%C=ak_lMPHLLiux25?48owlb335lu9W literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem new file mode 100644 index 00000000000000..39a7c256c79722 --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIJj6QtgPRpxFxnBqp0m+IYABttjI2ijEbkXYSlxoqN9+oAoGCCqGSM49 +AwEHoUQDQgAESq1e9CH6h6IJavSAXMe2yt8P99CwNTTTESeS2JwB3xO3FQHyxAVo +kpv4m7soD7Bnkw1MKEL5c1ISVzmPtjKS3A== +-----END EC PRIVATE KEY----- 
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der new file mode 100644 index 0000000000000000000000000000000000000000..3e725cc85cd818fade063a80fae48781c44d7d53 GIT binary patch literal 590 zcmXqLV)8O*V*IdxnTe5!i6h=dWNF!~P+bEqHV&;ek8`#x%uEJuh7ty1Y|No7%sl+Q zi6teeMG7IQ#U%;>j-G}h210CH+H8z0j7^Jbm>79j+}zv@(L|YeSS$>HKtY_>$k4#d z$imRX$k@aykfymU-)H2E-%23BZ3u2QpvP~|I&I(`?oLvGGG(yVr6+(kN zi#5^g!Ebw{fiN38*iTH1P|q=%sBmLEOwGKurFAWPQ!^?lmRGq-7eRbY17(qmFJac2AD@WqWA4I0-O@Bkey zE6m9FpM}YQ!GI6M;|KA8LCD@BLE0aQ&h{<7}%UgY9 zmd`%Q;q?6O)wkO#jxK6_xh^E}zigRhJ(D8CTi-{_m!hs-F8saOH)hWFeJh2ob-2cP O-G888&zWN1u?GN$I(=BLHT>0$}X b5d>=QuZ}ANnYJnQAOk|Qj5K5FE8;4e#$2nUTW+nqSLkR;hHs(+kW*&au z#FCQKB88CD;u3`bM^8f$10gmpZ8k<0#->FzOpH7%Zf>nmZsK=NY*_oXfSROOV-J2g6wfW_)$*TW8Sx-A#7-RLy;#{L#$DiEi zYYfzse=le2w&T3~FJ!jhnRvd)9KYM=?5Y>3%kQ`_>x<$%+r^E2294bYJU~aw3NteP zXJIm6FyI66_(42i@Ub@-$b$HMEMhDo8O|q+7hBGs;UsFeam{)CsS)u~0S59QX=N5* zAUBAtciPVB`}(Tro4oVJI|N0Q;*Ekj475QCLPcF*QD@e^njyYxz1_M_ng;XyeVe6B(d_^iuSN~DDs`F;?g8oHcp1nG> wF2PaW?CTOHMTS)}3n$C(nf3pgyV2^;ax1FzOpH7%ZfQ%L+>t&1p^Ws)jur6-wH)!lJ-~qZ?R+y3T zKMRuqg8?6i#}DEG!;iheKo-R3V-aH!Sa#t9KC|nT;#Z8_Fyn@Wl{)!^XisOtoQbS)6aig^EYdTz*#iYovH9T(5a_N@3@~c-bIa{mDQ*;f;uS7M+3LT6@C<+UaEKnvjQ;2 literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem new file mode 100644 index 00000000000000..ccd6216112c5e8 --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIASkFQOGOdFOYpJvRhpiVdejCwvcrGqYzfiLFnAqcp87oAoGCCqGSM49 +AwEHoUQDQgAE2Ssk3lFrjs0+aGLeh/w7935wEXHHC1mM/18CfwK4IOf6B7rU5Ni+ +JhwI+zGV1ag0gjoozEcDt8UVfhSeXqp4BQ== +-----END EC PRIVATE KEY----- 
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der new file mode 100644 index 0000000000000000000000000000000000000000..7d63f00c9bcfa480b6624c9304cdffeee1be57f2 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1Rw@k@)ma(=?@Yky6;3N@vzRsa0U+1_&yK zNX|V20SBQ(13~}<;{hJtpHW(~>AI68{_;DP&2d~h>Nw7U9*F#H=d3U$Bm1WYi#`d{ b{#2V0%wG;!Y);$GK6|1kAGpw(^dX)-&PX)- literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem new file mode 100644 index 00000000000000..48fe09ad29812d --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIAZZ8hZ3GOkPEiO670Qo8bDOxHK1X7sH6ofXOYmc9zFqoAoGCCqGSM49 +AwEHoUQDQgAE4wEe3p9RWrPpupMl/vI7ls1xXDrqOM6BHoj8beesMCYj+6cGiz4J +0/5UmxHMXw5ZbE7bzj57oicfuNCa9CGePQ== +-----END EC PRIVATE KEY----- diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der new file mode 100644 index 0000000000000000000000000000000000000000..1ece300335a5fe455a5ab9cc6c3805be3d67b412 GIT binary patch literal 599 zcmXqLVhT2BV*I&)nTe5!i9H#av!G*KoV77GI)P!Q)eGBhwV zvM@9;GBz=elHj)l0z)HXATqTywTv>bHsm$nhS740wPplNDxU{LjKBg$nEDr|Bja<>;nl7MB!dCY6?C=I7}a*(QqeneSr*i)y-+5qtsZiDX6v8|1_&yK zNX|V20SBQ(13~}bx&~J8eY=<^}8HmoI8P?bIB`e1-3>-Cd literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem new file mode 100644 index 00000000000000..d868b79ee31833 --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem 
@@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEINFUmafW3jhThp3mpGxLUtE7c1kW1Kq9UCaqrR5yeWbroAoGCCqGSM49 +AwEHoUQDQgAEQyj7uHFCjDXiJLN/noBkA1+yzHL48XEYU0bDIOGohbXkCQle7IVf +fVKvl6HQb3ZxbIc2fhmIzqEZ1tf0JSvHLw== +-----END EC PRIVATE KEY----- diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der new file mode 100644 index 0000000000000000000000000000000000000000..2ad2f7c7190a4dec4d7f1a22d134ac6d24ce157d GIT binary patch literal 521 zcmXqLVq!IDVqCp|nTe5!iKBpxW7WdzYjX{_*f_M>JkHs&Ff$pr8A=$4u`!3TF!S*H zCYF?>7Ab_J7MCalIC>h27znX(X|pl1Fg7i!VPfQAadUGsL=$D=VX-g(0tIniBSQl- zBMUe~a zVfJ7!aAi_tc($WM?k(T4f~Errb#C8IwXhhjelYQxcx)q&#lj~aT+5jhEZO4s{rtN` e+I;=#jo)W6T1_&yK zNX|V20SBQ(13~}<{LRQIx?(qc#>ca6r@^mw%@xBayi0D42Y9+!f4lPv=MuJ8()sea b75F1ehvK6<_2*f3;7)4LJ%tO=WI6NCdHOjc literal 0 HcmV?d00001 diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem new file mode 100644 index 00000000000000..f9c33a94072281 --- /dev/null +++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKUdzfzZVduHJDVshxIakL0TGFN4p6mMcfRwRKKm2+vboAoGCCqGSM49 +AwEHoUQDQgAE/M3IKbpiN3zGx7Nup8Gvds0Vwyi8S26NB3i6WX+78wrnErZX0vny +uRX4I0yH4qM79edZduBOatA9hQvRZDnzzw== +-----END EC PRIVATE KEY----- diff --git a/credentials/test/gen-test-attestation-certs.sh b/credentials/test/gen-test-attestation-certs.sh index 83bc7668a62bb2..04d0ba6130dac8 100755 --- a/credentials/test/gen-test-attestation-certs.sh +++ b/credentials/test/gen-test-attestation-certs.sh 
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2021-2022 Project CHIP Authors
+# Copyright (c) 2021-2023 Project CHIP Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -340,6 +340,59 @@ cert_lifetime=4294967295
 "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
 }
 
+# Set #8:
+# - Generate DACs with CRL Distribution Point (CDP) Extensions (Valid and Invalid cases)
+{
+ vid=FFF1
+ pid=8000
+ dac=0000
+
+ pai_key_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Key"
+ pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Cert"
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Cert"
+
+ cdp_example="URI:http://example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTP)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Cert"
+
+ cdp_example="URI:https://example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTPS)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Cert"
+
+ cdp_example2="URI:http://example.com/crl2.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac Two CDPs" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --cpd-ext "$cdp_example2" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Cert"
+
+ cdp_example2in1="URI:http://example.com/crl.pem,URI:http://example.com/crl2.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (Two URIs)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example2in1" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Cert"
+
+ cdp_example="URI:https://example.com/this-is-an-example-of-crl-distribution-point-extension-which-is-101-chars/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Cert"
+
+ cdp_example="URI:www.example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+}
+
 # In addition to PEM format also create certificates in DER form.
 for cert_file_pem in "$dest_dir"/*Cert.pem; do
 cert_file_der="${cert_file_pem/.pem/.der}"
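Review bot: The last gen-att-cert invocation in the Set #8 block (the Wrong-Prefix DAC) still passes `--subject-cn "Long"`, copied from the preceding Long case, so its subject CN no longer describes the test case the way the HTTP, HTTPS, Two CDPs and Two URIs entries do; I would change it to `--subject-cn "Matter Test DAC $dac CDP (Wrong Prefix)"` (and give the Long case a descriptive CN too unless the short name is deliberate), which means regenerating the committed Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix cert and key vectors since the subject is part of the signed certificate. The block also deserves a comment stating which entries are negative vectors, since nothing here says so: `# Negative cases: a 101-character URI (Long) and a URI without an http:// or https:// scheme (Wrong-Prefix)`. A smaller naming point: the option is spelled `--cpd-ext` while the extension, the comment and every variable and file name in the block say CDP; its definition in chip-cert.h is outside this chunk, so if the name is still open to change, `--cdp-ext` would avoid the transposition.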
@@ -357,7 +410,7 @@ if [ ! -z "$output_cstyle_file" ]; then copyright_note='/* * - * Copyright (c) 2021-2022 Project CHIP Authors + * Copyright (c) 2021-2023 Project CHIP Authors * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -380,6 +433,8 @@ if [ ! -z "$output_cstyle_file" ]; then ' header_includes=' #pragma once + +#include ' namespaces_open=' diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.cpp b/src/credentials/tests/CHIPAttCert_test_vectors.cpp index 82cda1285d8980..7318d5b925a4e5 100644 --- a/src/credentials/tests/CHIPAttCert_test_vectors.cpp +++ b/src/credentials/tests/CHIPAttCert_test_vectors.cpp @@ -1,6 +1,6 @@ /* * - * Copyright (c) 2021-2022 Project CHIP Authors + * Copyright (c) 2021-2023 Project CHIP Authors * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -22,6 +22,368 @@ namespace chip { namespace TestCerts { +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x50, 0x30, 0x82, 0x01, 0xf6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x49, 0x6d, 0xfb, 0xdb, 0x3b, 0x5e, + 0xb2, 0x43, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x54, 0x31, 0x26, 0x30, 0x24, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1d, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x54, 0x77, 0x6f, 0x20, 0x43, 0x44, 0x50, 0x73, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, + 0x00, 0x04, 0x4a, 0xad, 0x5e, 0xf4, 0x21, 0xfa, 0x87, 0xa2, 0x09, 0x6a, 0xf4, 0x80, 0x5c, 0xc7, 0xb6, 0xca, 0xdf, 0x0f, 0xf7, + 0xd0, 0xb0, 0x35, 0x34, 0xd3, 0x11, 0x27, 0x92, 0xd8, 0x9c, 0x01, 0xdf, 0x13, 0xb7, 0x15, 0x01, 0xf2, 0xc4, 
0x05, 0x68, 0x92, + 0x9b, 0xf8, 0x9b, 0xbb, 0x28, 0x0f, 0xb0, 0x67, 0x93, 0x0d, 0x4c, 0x28, 0x42, 0xf9, 0x73, 0x52, 0x12, 0x57, 0x39, 0x8f, 0xb6, + 0x32, 0x92, 0xdc, 0xa3, 0x81, 0xbd, 0x30, 0x81, 0xba, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, + 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x45, 0xdc, 0xfc, 0x35, 0xca, 0x19, 0x28, 0x71, 0xa3, 0xee, 0x16, 0xb2, 0x15, + 0x8b, 0x68, 0x1b, 0xe3, 0xe9, 0x8a, 0x8c, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, + 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x2c, + 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, 0x74, 0x74, 0x70, + 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, + 0x65, 0x6d, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, + 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, + 0x6c, 0x32, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, + 0x30, 0x45, 0x02, 0x20, 0x2a, 0x38, 0x00, 0xbd, 0x3b, 0x00, 0x1d, 0x49, 0xc0, 0xa9, 0x71, 0x18, 0xb8, 0x70, 0xfd, 0x4b, 0x09, + 0x54, 0x6b, 0x06, 0x61, 0x07, 0xaf, 0xed, 0x95, 0x9a, 0xef, 0x0c, 0x5b, 0x01, 0x2b, 0x8f, 0x02, 0x21, 0x00, 0xe1, 0x89, 0x51, + 0xe8, 0xe3, 0xee, 0x6c, 0xa3, 0x3d, 0x67, 0xb2, 0x60, 0x8c, 0x1a, 0xbd, 0xf6, 0x5f, 0x94, 0xbc, 0x79, 0xde, 0x35, 0x1b, 0x26, + 0x21, 0x6a, 0x41, 0xdc, 0x92, 0xb3, 0x11, 0x22, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert_Array); + 
+constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID_Array[] = { + 0x45, 0xDC, 0xFC, 0x35, 0xCA, 0x19, 0x28, 0x71, 0xA3, 0xEE, 0x16, 0xB2, 0x15, 0x8B, 0x68, 0x1B, 0xE3, 0xE9, 0x8A, 0x8C, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey_Array[] = { + 0x04, 0x4a, 0xad, 0x5e, 0xf4, 0x21, 0xfa, 0x87, 0xa2, 0x09, 0x6a, 0xf4, 0x80, 0x5c, 0xc7, 0xb6, 0xca, + 0xdf, 0x0f, 0xf7, 0xd0, 0xb0, 0x35, 0x34, 0xd3, 0x11, 0x27, 0x92, 0xd8, 0x9c, 0x01, 0xdf, 0x13, 0xb7, + 0x15, 0x01, 0xf2, 0xc4, 0x05, 0x68, 0x92, 0x9b, 0xf8, 0x9b, 0xbb, 0x28, 0x0f, 0xb0, 0x67, 0x93, 0x0d, + 0x4c, 0x28, 0x42, 0xf9, 0x73, 0x52, 0x12, 0x57, 0x39, 0x8f, 0xb6, 0x32, 0x92, 0xdc, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey_Array[] = { + 0x98, 0xfa, 0x42, 0xd8, 0x0f, 0x46, 0x9c, 0x45, 0xc6, 0x70, 0x6a, 0xa7, 0x49, 0xbe, 0x21, 0x80, + 0x01, 0xb6, 0xd8, 0xc8, 0xda, 0x28, 0xc4, 0x6e, 0x45, 0xd8, 0x4a, 0x5c, 0x68, 0xa8, 0xdf, 0x7e, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x4a, 0x30, 0x82, 0x01, 0xf0, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5f, 0x3c, 0x14, 0xa5, 0x76, 0x9a, + 0x55, 0x2d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 
0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x5a, 0x31, 0x2c, 0x30, 0x2a, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x23, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x54, 0x77, 0x6f, 0x20, 0x55, 0x52, 0x49, 0x73, 0x29, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xda, 0x46, 0x42, 0x76, 0xca, 0x8a, 0x5b, 0x0f, 0x9f, 0x48, 0xcb, 0xa6, 0x07, + 0xff, 0xed, 0x92, 0xf6, 0xa8, 0x13, 0x14, 0x67, 0x61, 0xf8, 0x7b, 0xb9, 0x00, 0xef, 0x6c, 0x43, 0x6b, 0xe8, 0x01, 0xe6, 0xa7, + 0xc5, 0xc8, 0xe9, 0x62, 0x09, 0xcb, 0x11, 0x04, 0x6a, 0xef, 0xaf, 0x8e, 0x2b, 0x03, 0x99, 0xb6, 0x29, 0xf5, 0x20, 0x03, 0x42, + 0xb4, 0x8c, 0x34, 0x7a, 0x91, 0x99, 0x87, 0xe3, 0x57, 0xa3, 0x81, 0xb1, 0x30, 0x81, 0xae, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, + 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, + 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xcc, 0xac, 0x78, 0x09, 0x9a, 0xc4, 0x7f, + 0xad, 0x7a, 0x0e, 0xb9, 0x01, 0x2c, 0xc8, 0xf4, 0x22, 0x88, 0x09, 0xab, 0x61, 
0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, + 0x5f, 0x32, 0x52, 0x88, 0x30, 0x4e, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x47, 0x30, 0x45, 0x30, 0x20, 0xa0, 0x1e, 0xa0, 0x1c, + 0x86, 0x1a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, + 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x32, 0x2e, 0x70, 0x65, 0x6d, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x6a, 0x14, + 0x34, 0xc3, 0x4c, 0xd3, 0xb5, 0x4c, 0x1c, 0xa7, 0x9b, 0xc5, 0x08, 0x42, 0xe7, 0xdd, 0xd5, 0xed, 0xb7, 0x78, 0xc5, 0xa2, 0x85, + 0xe9, 0xae, 0x54, 0x61, 0xff, 0x1d, 0x76, 0x39, 0x7f, 0x02, 0x21, 0x00, 0xed, 0x4d, 0xe2, 0x03, 0xd2, 0x5a, 0xd5, 0xd3, 0x71, + 0xfb, 0xb3, 0x4d, 0x5c, 0x9c, 0xf7, 0xbe, 0xa9, 0x12, 0xd6, 0x88, 0x45, 0x5e, 0x4a, 0xdf, 0xe0, 0x2f, 0x7f, 0x09, 0x64, 0x3f, + 0x88, 0xbc, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID_Array[] = { + 0xCC, 0xAC, 0x78, 0x09, 0x9A, 0xC4, 0x7F, 0xAD, 0x7A, 0x0E, 0xB9, 0x01, 0x2C, 0xC8, 0xF4, 0x22, 0x88, 0x09, 0xAB, 0x61, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey_Array[] = { + 0x04, 0xda, 0x46, 0x42, 0x76, 0xca, 0x8a, 0x5b, 0x0f, 0x9f, 0x48, 0xcb, 0xa6, 0x07, 0xff, 0xed, 0x92, + 0xf6, 0xa8, 0x13, 0x14, 0x67, 
0x61, 0xf8, 0x7b, 0xb9, 0x00, 0xef, 0x6c, 0x43, 0x6b, 0xe8, 0x01, 0xe6, + 0xa7, 0xc5, 0xc8, 0xe9, 0x62, 0x09, 0xcb, 0x11, 0x04, 0x6a, 0xef, 0xaf, 0x8e, 0x2b, 0x03, 0x99, 0xb6, + 0x29, 0xf5, 0x20, 0x03, 0x42, 0xb4, 0x8c, 0x34, 0x7a, 0x91, 0x99, 0x87, 0xe3, 0x57, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey_Array[] = { + 0xbd, 0xc5, 0xcc, 0x3d, 0x9b, 0x85, 0x0d, 0x14, 0x0b, 0x6e, 0x1d, 0xea, 0xf5, 0xd2, 0xb7, 0xcb, + 0x63, 0xfc, 0x71, 0xf6, 0x4e, 0x6c, 0xa8, 0x9a, 0xf3, 0x34, 0xb9, 0x98, 0x43, 0x7e, 0x6d, 0xc7, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x23, 0x30, 0x82, 0x01, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x71, 0x65, 0x6d, 0x1b, 0x7a, 0x2e, + 0x16, 0xa4, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x56, 0x31, 0x28, 0x30, 0x26, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 
0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x48, 0x54, 0x54, 0x50, 0x29, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, + 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, + 0x03, 0x42, 0x00, 0x04, 0xe3, 0x01, 0x1e, 0xde, 0x9f, 0x51, 0x5a, 0xb3, 0xe9, 0xba, 0x93, 0x25, 0xfe, 0xf2, 0x3b, 0x96, 0xcd, + 0x71, 0x5c, 0x3a, 0xea, 0x38, 0xce, 0x81, 0x1e, 0x88, 0xfc, 0x6d, 0xe7, 0xac, 0x30, 0x26, 0x23, 0xfb, 0xa7, 0x06, 0x8b, 0x3e, + 0x09, 0xd3, 0xfe, 0x54, 0x9b, 0x11, 0xcc, 0x5f, 0x0e, 0x59, 0x6c, 0x4e, 0xdb, 0xce, 0x3e, 0x7b, 0xa2, 0x27, 0x1f, 0xb8, 0xd0, + 0x9a, 0xf4, 0x21, 0x9e, 0x3d, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x68, 0x43, 0xc8, 0x33, 0xa3, 0x39, 0x9f, 0x98, 0x42, 0x15, 0x3e, + 0xb1, 0xac, 0xcf, 0x2f, 0x95, 0x58, 0x5f, 0x1a, 0x50, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, + 0x30, 0x2b, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x24, 0x30, 0x22, 0x30, 0x20, 0xa0, 0x1e, 0xa0, 0x1c, 0x86, 0x1a, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, + 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, + 0x20, 0x65, 0x4a, 0x4c, 0x13, 0x3b, 0xc9, 0xda, 0x4d, 
0x14, 0x78, 0x35, 0xab, 0xfc, 0x24, 0xd5, 0x2c, 0xec, 0xa3, 0xa0, 0x8f, + 0xa2, 0xf4, 0xe6, 0xea, 0xc2, 0xae, 0x60, 0x41, 0x1f, 0x36, 0xf5, 0xa4, 0x02, 0x21, 0x00, 0xaa, 0x1c, 0xa1, 0x93, 0x1f, 0xbc, + 0x9a, 0xff, 0xd6, 0x47, 0x32, 0xab, 0xf3, 0x1e, 0xa8, 0xf6, 0x13, 0xc1, 0x67, 0x1f, 0x0f, 0x22, 0xa4, 0x31, 0x67, 0xe2, 0x8e, + 0x9d, 0xac, 0x93, 0x1e, 0x18, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_SKID_Array[] = { + 0x68, 0x43, 0xC8, 0x33, 0xA3, 0x39, 0x9F, 0x98, 0x42, 0x15, 0x3E, 0xB1, 0xAC, 0xCF, 0x2F, 0x95, 0x58, 0x5F, 0x1A, 0x50, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey_Array[] = { + 0x04, 0xe3, 0x01, 0x1e, 0xde, 0x9f, 0x51, 0x5a, 0xb3, 0xe9, 0xba, 0x93, 0x25, 0xfe, 0xf2, 0x3b, 0x96, + 0xcd, 0x71, 0x5c, 0x3a, 0xea, 0x38, 0xce, 0x81, 0x1e, 0x88, 0xfc, 0x6d, 0xe7, 0xac, 0x30, 0x26, 0x23, + 0xfb, 0xa7, 0x06, 0x8b, 0x3e, 0x09, 0xd3, 0xfe, 0x54, 0x9b, 0x11, 0xcc, 0x5f, 0x0e, 0x59, 0x6c, 0x4e, + 0xdb, 0xce, 0x3e, 0x7b, 0xa2, 0x27, 0x1f, 0xb8, 0xd0, 0x9a, 0xf4, 0x21, 0x9e, 0x3d, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey_Array[] = { + 0x06, 0x59, 0xf2, 0x16, 0x77, 0x18, 0xe9, 0x0f, 0x12, 0x23, 0xba, 0xef, 0x44, 0x28, 0xf1, 0xb0, + 0xce, 0xc4, 0x72, 0xb5, 0x5f, 0xbb, 0x07, 0xea, 0x87, 0xd7, 0x39, 0x89, 0x9c, 0xf7, 0x31, 0x6a, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey_Array); + +// 
${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x25, 0x30, 0x82, 0x01, 0xcb, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x34, 0xa8, 0x41, 0x5b, 0x7d, 0x3f, + 0x2b, 0x1e, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x57, 0x31, 0x29, 0x30, 0x27, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x48, 0x54, 0x54, 0x50, 0x53, 0x29, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0xd9, 0x2b, 0x24, 0xde, 0x51, 0x6b, 0x8e, 0xcd, 0x3e, 0x68, 0x62, 0xde, 0x87, 0xfc, 0x3b, 0xf7, + 0x7e, 0x70, 0x11, 0x71, 0xc7, 0x0b, 0x59, 0x8c, 0xff, 0x5f, 0x02, 0x7f, 0x02, 0xb8, 0x20, 0xe7, 0xfa, 0x07, 0xba, 0xd4, 0xe4, + 0xd8, 0xbe, 0x26, 0x1c, 0x08, 0xfb, 
0x31, 0x95, 0xd5, 0xa8, 0x34, 0x82, 0x3a, 0x28, 0xcc, 0x47, 0x03, 0xb7, 0xc5, 0x15, 0x7e, + 0x14, 0x9e, 0x5e, 0xaa, 0x78, 0x05, 0xa3, 0x81, 0x8f, 0x30, 0x81, 0x8c, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa3, 0x02, 0x33, 0xf8, 0x6f, 0x40, 0xd1, 0x1a, 0xc5, 0x5f, + 0x80, 0xa5, 0xc0, 0xa9, 0x2a, 0x50, 0x6f, 0xea, 0x9f, 0x31, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, + 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, + 0x88, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, + 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x53, 0xec, 0xea, 0xda, 0x3c, 0x5d, 0x4b, 0xb7, 0x50, 0xcb, 0xe7, 0xf8, 0xd1, 0x09, 0x59, 0x12, 0xd4, 0xc8, + 0xe5, 0xfb, 0x1f, 0xef, 0x30, 0x24, 0x1f, 0xcf, 0x95, 0x83, 0x29, 0x40, 0xd0, 0x9a, 0x02, 0x21, 0x00, 0xb5, 0x57, 0x5e, 0xbc, + 0xa7, 0x1b, 0x84, 0x7e, 0x77, 0xd5, 0xd5, 0xd1, 0x41, 0x06, 0xbb, 0x87, 0xbf, 0x37, 0x9d, 0x92, 0xa4, 0x9d, 0xea, 0x8d, 0x10, + 0xa0, 0xe1, 0x8b, 0x48, 0x10, 0x2e, 0x1f, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID_Array[] = { + 0xA3, 0x02, 0x33, 0xF8, 0x6F, 0x40, 0xD1, 0x1A, 0xC5, 0x5F, 0x80, 0xA5, 0xC0, 0xA9, 0x2A, 0x50, 0x6F, 0xEA, 0x9F, 0x31, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID = 
ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey_Array[] = { + 0x04, 0xd9, 0x2b, 0x24, 0xde, 0x51, 0x6b, 0x8e, 0xcd, 0x3e, 0x68, 0x62, 0xde, 0x87, 0xfc, 0x3b, 0xf7, + 0x7e, 0x70, 0x11, 0x71, 0xc7, 0x0b, 0x59, 0x8c, 0xff, 0x5f, 0x02, 0x7f, 0x02, 0xb8, 0x20, 0xe7, 0xfa, + 0x07, 0xba, 0xd4, 0xe4, 0xd8, 0xbe, 0x26, 0x1c, 0x08, 0xfb, 0x31, 0x95, 0xd5, 0xa8, 0x34, 0x82, 0x3a, + 0x28, 0xcc, 0x47, 0x03, 0xb7, 0xc5, 0x15, 0x7e, 0x14, 0x9e, 0x5e, 0xaa, 0x78, 0x05, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey_Array[] = { + 0x04, 0xa4, 0x15, 0x03, 0x86, 0x39, 0xd1, 0x4e, 0x62, 0x92, 0x6f, 0x46, 0x1a, 0x62, 0x55, 0xd7, + 0xa3, 0x0b, 0x0b, 0xdc, 0xac, 0x6a, 0x98, 0xcd, 0xf8, 0x8b, 0x16, 0x70, 0x2a, 0x72, 0x9f, 0x3b, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x1d, 0x6e, 0x6d, 0x50, 0x41, 0x86, + 0x00, 0x07, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 
0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x0d, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x4c, 0x6f, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x43, 0x28, + 0xfb, 0xb8, 0x71, 0x42, 0x8c, 0x35, 0xe2, 0x24, 0xb3, 0x7f, 0x9e, 0x80, 0x64, 0x03, 0x5f, 0xb2, 0xcc, 0x72, 0xf8, 0xf1, 0x71, + 0x18, 0x53, 0x46, 0xc3, 0x20, 0xe1, 0xa8, 0x85, 0xb5, 0xe4, 0x09, 0x09, 0x5e, 0xec, 0x85, 0x5f, 0x7d, 0x52, 0xaf, 0x97, 0xa1, + 0xd0, 0x6f, 0x76, 0x71, 0x6c, 0x87, 0x36, 0x7e, 0x19, 0x88, 0xce, 0xa1, 0x19, 0xd6, 0xd7, 0xf4, 0x25, 0x2b, 0xc7, 0x2f, 0xa3, + 0x81, 0xd9, 0x30, 0x81, 0xd6, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, + 0x04, 0x16, 0x04, 0x14, 0xf6, 0x4c, 0x7b, 0xf1, 0xa8, 0xb6, 0xe0, 0xba, 0x10, 0x8e, 0xbd, 0xeb, 0x4f, 0xe1, 0xf6, 0x77, 0x7c, + 0xc9, 0x2c, 0x29, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, + 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x76, 0x06, 0x03, 0x55, 0x1d, + 0x1f, 0x04, 0x6f, 0x30, 0x6d, 0x30, 0x6b, 0xa0, 0x69, 0xa0, 0x67, 0x86, 0x65, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, + 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 
0x6f, 0x6d, 0x2f, 0x74, 0x68, 0x69, 0x73, 0x2d, 0x69, 0x73, 0x2d, 0x61, + 0x6e, 0x2d, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2d, 0x6f, 0x66, 0x2d, 0x63, 0x72, 0x6c, 0x2d, 0x64, 0x69, 0x73, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x2d, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, + 0x69, 0x6f, 0x6e, 0x2d, 0x77, 0x68, 0x69, 0x63, 0x68, 0x2d, 0x69, 0x73, 0x2d, 0x31, 0x30, 0x31, 0x2d, 0x63, 0x68, 0x61, 0x72, + 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, + 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x43, 0x43, 0x62, 0x74, 0x55, 0x45, 0xb8, 0x10, 0xeb, 0x33, 0x3d, 0x59, 0x2d, 0x3f, + 0x46, 0x82, 0x3c, 0x53, 0xf5, 0x61, 0x19, 0xf0, 0x86, 0x44, 0xe2, 0x79, 0x4c, 0xba, 0x4a, 0xda, 0xb7, 0xb1, 0x02, 0x21, 0x00, + 0xaf, 0x51, 0x97, 0x6a, 0x44, 0x4d, 0x43, 0x9e, 0xba, 0x17, 0xb8, 0xa1, 0x63, 0x75, 0x81, 0x53, 0x09, 0x93, 0xf6, 0x18, 0xc2, + 0x74, 0x18, 0x87, 0xd3, 0xe6, 0xde, 0x47, 0x91, 0xa4, 0xc9, 0xa4, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID_Array[] = { + 0xF6, 0x4C, 0x7B, 0xF1, 0xA8, 0xB6, 0xE0, 0xBA, 0x10, 0x8E, 0xBD, 0xEB, 0x4F, 0xE1, 0xF6, 0x77, 0x7C, 0xC9, 0x2C, 0x29, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey_Array[] = { + 0x04, 0x43, 0x28, 0xfb, 0xb8, 0x71, 0x42, 0x8c, 0x35, 0xe2, 0x24, 0xb3, 0x7f, 0x9e, 0x80, 0x64, 0x03, + 0x5f, 0xb2, 0xcc, 0x72, 0xf8, 0xf1, 0x71, 0x18, 0x53, 0x46, 0xc3, 0x20, 0xe1, 0xa8, 0x85, 0xb5, 0xe4, + 0x09, 0x09, 0x5e, 0xec, 0x85, 0x5f, 0x7d, 0x52, 0xaf, 0x97, 0xa1, 0xd0, 0x6f, 0x76, 0x71, 0x6c, 0x87, + 0x36, 
0x7e, 0x19, 0x88, 0xce, 0xa1, 0x19, 0xd6, 0xd7, 0xf4, 0x25, 0x2b, 0xc7, 0x2f, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey_Array[] = { + 0xd1, 0x54, 0x99, 0xa7, 0xd6, 0xde, 0x38, 0x53, 0x86, 0x9d, 0xe6, 0xa4, 0x6c, 0x4b, 0x52, 0xd1, + 0x3b, 0x73, 0x59, 0x16, 0xd4, 0xaa, 0xbd, 0x50, 0x26, 0xaa, 0xad, 0x1e, 0x72, 0x79, 0x66, 0xeb, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x05, 0x30, 0x82, 0x01, 0xab, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x70, 0x06, 0x08, 0xaa, 0xa1, 0xd7, + 0xad, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x0d, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x4c, 0x6f, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 
0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xfc, 0xcd, + 0xc8, 0x29, 0xba, 0x62, 0x37, 0x7c, 0xc6, 0xc7, 0xb3, 0x6e, 0xa7, 0xc1, 0xaf, 0x76, 0xcd, 0x15, 0xc3, 0x28, 0xbc, 0x4b, 0x6e, + 0x8d, 0x07, 0x78, 0xba, 0x59, 0x7f, 0xbb, 0xf3, 0x0a, 0xe7, 0x12, 0xb6, 0x57, 0xd2, 0xf9, 0xf2, 0xb9, 0x15, 0xf8, 0x23, 0x4c, + 0x87, 0xe2, 0xa3, 0x3b, 0xf5, 0xe7, 0x59, 0x76, 0xe0, 0x4e, 0x6a, 0xd0, 0x3d, 0x85, 0x0b, 0xd1, 0x64, 0x39, 0xf3, 0xcf, 0xa3, + 0x81, 0x8b, 0x30, 0x81, 0x88, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, + 0x04, 0x16, 0x04, 0x14, 0x07, 0x30, 0x1c, 0xef, 0x8b, 0x9e, 0x44, 0x26, 0xd2, 0xe4, 0x6e, 0xc6, 0xfa, 0x3a, 0xd3, 0xb7, 0x44, + 0x1d, 0xef, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, + 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x28, 0x06, 0x03, 0x55, 0x1d, + 0x1f, 0x04, 0x21, 0x30, 0x1f, 0x30, 0x1d, 0xa0, 0x1b, 0xa0, 0x19, 0x86, 0x17, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x78, 0x61, 0x6d, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xe6, 0xb8, 0x88, 0x1e, 0xed, 0x0e, 0xa6, + 0x70, 0x82, 0xc0, 0x60, 0x7e, 0x46, 0xf6, 0xca, 0x84, 0x04, 0x31, 0xab, 0xe0, 0x91, 0xd6, 0x17, 0x5d, 0x81, 0x0c, 0x38, 0xa1, + 0xe4, 0xf0, 0x45, 0x77, 0x02, 0x20, 0x39, 0x06, 0x5f, 0xbe, 0xf9, 0xfd, 0xa4, 0x1b, 0x37, 0xaf, 0xcb, 0xb1, 0xf6, 0xdf, 0x09, + 0x0e, 0x1a, 0x44, 0x3b, 0xac, 0x6e, 0x65, 0x2c, 0x3b, 0xda, 0xc1, 0x03, 0xf4, 0xd3, 
0xac, 0x4e, 0x76, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID_Array[] = { + 0x07, 0x30, 0x1C, 0xEF, 0x8B, 0x9E, 0x44, 0x26, 0xD2, 0xE4, 0x6E, 0xC6, 0xFA, 0x3A, 0xD3, 0xB7, 0x44, 0x1D, 0xEF, 0xBD, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey_Array[] = { + 0x04, 0xfc, 0xcd, 0xc8, 0x29, 0xba, 0x62, 0x37, 0x7c, 0xc6, 0xc7, 0xb3, 0x6e, 0xa7, 0xc1, 0xaf, 0x76, + 0xcd, 0x15, 0xc3, 0x28, 0xbc, 0x4b, 0x6e, 0x8d, 0x07, 0x78, 0xba, 0x59, 0x7f, 0xbb, 0xf3, 0x0a, 0xe7, + 0x12, 0xb6, 0x57, 0xd2, 0xf9, 0xf2, 0xb9, 0x15, 0xf8, 0x23, 0x4c, 0x87, 0xe2, 0xa3, 0x3b, 0xf5, 0xe7, + 0x59, 0x76, 0xe0, 0x4e, 0x6a, 0xd0, 0x3d, 0x85, 0x0b, 0xd1, 0x64, 0x39, 0xf3, 0xcf, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey_Array[] = { + 0xa5, 0x1d, 0xcd, 0xfc, 0xd9, 0x55, 0xdb, 0x87, 0x24, 0x35, 0x6c, 0x87, 0x12, 0x1a, 0x90, 0xbd, + 0x13, 0x18, 0x53, 0x78, 0xa7, 0xa9, 0x8c, 0x71, 0xf4, 0x70, 0x44, 0xa2, 0xa6, 0xdb, 0xeb, 0xdb, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey_Array); + // ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-Cert.pem constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_Cert_Array[] = { 
diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.h b/src/credentials/tests/CHIPAttCert_test_vectors.h
index 2419c6bfd578c3..1e59b5321cf19d 100644
--- a/src/credentials/tests/CHIPAttCert_test_vectors.h
+++ b/src/credentials/tests/CHIPAttCert_test_vectors.h
@@ -1,6 +1,6 @@
 /*
  *
- * Copyright (c) 2021-2022 Project CHIP Authors
+ * Copyright (c) 2021-2023 Project CHIP Authors
  * All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,6 +23,36 @@
 namespace chip {
 namespace TestCerts {
 
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey;
+
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey;
+
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey;
+
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey;
+
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey;
+
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey;
+extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey;
+
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_Cert;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_SKID;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_PublicKey;
diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h
index a5e2c080f012a6..1ad60b4c68d61a 100644
--- a/src/crypto/CHIPCryptoPAL.h
+++ b/src/crypto/CHIPCryptoPAL.h
@@ -52,6 +52,10 @@ constexpr size_t kSubjectKeyIdentifierLength = kSHA1_Hash_Length;
 constexpr size_t kAuthorityKeyIdentifierLength = kSHA1_Hash_Length;
 constexpr size_t kMaxCertificateSerialNumberLength = 20;
 constexpr size_t kMaxCertificateDistinguishedNameLength = 200;
+constexpr size_t kMaxCRLDistributionPointURLLength = 100;
+
+constexpr const char * kValidCDPURIHttpPrefix = "http://";
+constexpr const char * kValidCDPURIHttpsPrefix = "https://";
 
 constexpr size_t CHIP_CRYPTO_GROUP_SIZE_BYTES = kP256_FE_Length;
 constexpr size_t CHIP_CRYPTO_PUBLIC_KEY_SIZE_BYTES = kP256_Point_Length;
@@ -1568,6 +1572,16 @@ CHIP_ERROR ExtractSKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
  **/
 CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan & akid);
 
+/**
+ * @brief Extracts the CRL Distribution Point (CDP) extension from an X509 ASN.1 Encoded Certificate.
+ *        The returned value only covers the URI of the CDP. Only a single URI distribution point
+ *        GeneralName is supported, and only those that start with "http://" and "https://".
+ *
+ * @returns CHIP_ERROR_NOT_FOUND if not found or wrong format.
+ *          CHIP_NO_ERROR otherwise.
+ **/
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl);
+
 /**
  * @brief Extracts Serial Number from X509 Certificate.
  **/
diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp
index e181190a109bb6..741603e0829d5f 100644
--- a/src/crypto/CHIPCryptoPALOpenSSL.cpp
+++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp
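Review bot: The `@returns` list on the new `ExtractCRLDistributionPointURIFromX509Cert` declaration is narrower than what the implementations in this commit return: both the OpenSSL and the mbedTLS bodies return `CHIP_ERROR_INVALID_ARGUMENT` for an empty certificate, the mbedTLS one maps parse failures to `CHIP_ERROR_INTERNAL` / `CHIP_ERROR_WRONG_CERT_TYPE`, and all of them propagate whatever `CopyCharSpanToMutableCharSpan` returns when `cdpurl` is smaller than the URI. Nothing in the visible hunks reads `kMaxCRLDistributionPointURLLength`, so the constant appears to document the expected buffer size rather than a limit the function enforces; the doc comment should make that explicit for callers, e.g. `@param cdpurl Output buffer; should hold at least kMaxCRLDistributionPointURLLength characters or the copy fails with the error returned by CopyCharSpanToMutableCharSpan.`, plus a `@returns CHIP_ERROR_INVALID_ARGUMENT if the certificate is empty.` line.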
@@ -1971,6 +1971,87 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
     return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    X509 * x509certificate = nullptr;
+    const unsigned char * pCertificate = certificate.data();
+    const unsigned char ** ppCertificate = &pCertificate;
+    STACK_OF(DIST_POINT) * crldp = nullptr;
+    DIST_POINT * dp = nullptr;
+    GENERAL_NAMES * gens = nullptr;
+    GENERAL_NAME * gen = nullptr;
+    ASN1_STRING * uri = nullptr;
+    const char * urlptr = nullptr;
+    size_t len = 0;
+
+    VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+    x509certificate = d2i_X509(nullptr, ppCertificate, static_cast(certificate.size()));
+    VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+    // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+    //
+    // This implementation only supports a single DistributionPoint (sequence of size 1)
+    crldp =
+        reinterpret_cast(X509_get_ext_d2i(x509certificate, NID_crl_distribution_points, nullptr, nullptr));
+    VerifyOrExit(crldp != nullptr, err = CHIP_ERROR_NOT_FOUND);
+    VerifyOrExit(sk_DIST_POINT_num(crldp) == 1, err = CHIP_ERROR_NOT_FOUND);
+
+    dp = sk_DIST_POINT_value(crldp, 0);
+    VerifyOrExit(dp != nullptr, err = CHIP_ERROR_NOT_FOUND);
+    VerifyOrExit(dp->distpoint != nullptr && dp->distpoint->type == 0, err = CHIP_ERROR_NOT_FOUND);
+
+    // The DistributionPoint is a sequence of three optional elements:
+    // DistributionPoint ::= SEQUENCE {
+    // distributionPoint [0] DistributionPointName OPTIONAL,
+    // reasons [1] ReasonFlags OPTIONAL,
+    // cRLIssuer [2] GeneralNames OPTIONAL }
+    //
+    // where the DistributionPointName is a CHOICE of:
+    // DistributionPointName ::= CHOICE {
+    // fullName [0] GeneralNames,
+    // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+    //
+    // The URI should be encoded in the fullName element.
+    // This implementation only supports a single GeneralName in the fullName sequence:
+    // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+    gens = dp->distpoint->name.fullname;
+    VerifyOrExit(sk_GENERAL_NAME_num(gens) == 1, err = CHIP_ERROR_NOT_FOUND);
+
+    // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+    // GeneralName ::= CHOICE {
+    // otherName [0] OtherName,
+    // rfc822Name [1] IA5String,
+    // dNSName [2] IA5String,
+    // x400Address [3] ORAddress,
+    // directoryName [4] Name,
+    // ediPartyName [5] EDIPartyName,
+    // uniformResourceIdentifier [6] IA5String,
+    // iPAddress [7] OCTET STRING,
+    // registeredID [8] OBJECT IDENTIFIER }
+    gen = sk_GENERAL_NAME_value(gens, 0);
+    VerifyOrExit(gen->type == GEN_URI, err = CHIP_ERROR_NOT_FOUND);
+
+    uri = reinterpret_cast(GENERAL_NAME_get0_value(gen, nullptr));
+    urlptr = reinterpret_cast(ASN1_STRING_get0_data(uri));
+    VerifyOrExit(CanCastTo(ASN1_STRING_length(uri)), err = CHIP_ERROR_NOT_FOUND);
+    len = static_cast(ASN1_STRING_length(uri));
+    VerifyOrExit(
+        (len > strlen(kValidCDPURIHttpPrefix) && strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+            (len > strlen(kValidCDPURIHttpsPrefix) &&
+             strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+        err = CHIP_ERROR_NOT_FOUND);
+    err = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+
+exit:
+    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
+    X509_free(x509certificate);
+
+    return err;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
     CHIP_ERROR err = CHIP_NO_ERROR;
diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp
index e8d4b75c9221b1..d1afbf1dbb05e3 100644
--- a/src/crypto/CHIPCryptoPALPSA.cpp
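Review bot: The only validation applied to the URI before it is copied out is the `http://` / `https://` prefix test; the IA5String bytes returned by `ASN1_STRING_get0_data` are not guaranteed NUL-free, so a URI containing an embedded NUL passes the check and a caller that later reads `cdpurl.data()` as a C string sees a truncated URL. Rejecting such values before the copy is one line: `VerifyOrExit(memchr(urlptr, '\0', len) == nullptr, err = CHIP_ERROR_NOT_FOUND);`. The DistributionPoint's `reasons` and `CRLissuer` members are not examined either, so a point that names a different CRL issuer is reported like a plain one; if that is intended, a comment next to the `dp->distpoint->type == 0` check should say so. The comment on the first block also has a typo, `secuense` → `sequence`, which is repeated in the mbedTLS and PSA copies of this function.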
+++ b/src/crypto/CHIPCryptoPALPSA.cpp
@@ -1218,6 +1218,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
  * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1684,6 +1685,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
     return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+    mbedtls_x509_crt mbed_cert;
+    unsigned char * p = nullptr;
+    const unsigned char * end = nullptr;
+    size_t len = 0;
+    size_t cdpExtCount = 0;
+
+    VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+    mbedtls_x509_crt_init(&mbed_cert);
+
+    int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+    VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+    p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+    end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+        mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+    result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+    VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    while (p < end)
+    {
+        result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+        VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+        result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+        VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+        mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+        bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+        p += len;
+
+        int is_critical = 0;
+        result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+        VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+        result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+        VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+        unsigned char * end_of_ext = p + len;
+
+        if (isCurrentExtCDP)
+        {
+            // Only one CRL Distribution Point Extension is allowed.
+            cdpExtCount++;
+            VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+            // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+            // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+            //
+            // This implementation only supports a single DistributionPoint (sequence of size 1),
+            // which is verified by comparing (p + len == end_of_ext)
+            result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+            VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+            // The DistributionPoint is a sequence of three optional elements:
+            // DistributionPoint ::= SEQUENCE {
+            // distributionPoint [0] DistributionPointName OPTIONAL,
+            // reasons [1] ReasonFlags OPTIONAL,
+            // cRLIssuer [2] GeneralNames OPTIONAL }
+            result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+            VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+            // The DistributionPointName is:
+            // DistributionPointName ::= CHOICE {
+            // fullName [0] GeneralNames,
+            // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+            //
+            // The URI should be encoded in the fullName element.
+            result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+            // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+            result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+            // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+            // GeneralName ::= CHOICE {
+            // otherName [0] OtherName,
+            // rfc822Name [1] IA5String,
+            // dNSName [2] IA5String,
+            // x400Address [3] ORAddress,
+            // directoryName [4] Name,
+            // ediPartyName [5] EDIPartyName,
+            // uniformResourceIdentifier [6] IA5String,
+            // iPAddress [7] OCTET STRING,
+            // registeredID [8] OBJECT IDENTIFIER }
+            result =
+                mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+            const char * urlptr = reinterpret_cast(p);
+            VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+                          strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+                             (len > strlen(kValidCDPURIHttpsPrefix) &&
+                              strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+                         error = CHIP_ERROR_NOT_FOUND);
+            error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+            SuccessOrExit(error);
+        }
+        p = end_of_ext;
+    }
+
+    VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+    logMbedTLSError(result);
+    mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+    (void) certificate;
+    (void) cdpurl;
+    CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+    return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
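Review bot: The mbedTLS-based parser enforces the single-DistributionPoint rule with `p + len == end_of_ext`, but drops that check for the three nested tags that follow: after the `[0]` distributionPoint tag, the `[0]` fullName tag and the `[6]` URI tag it only verifies `result == 0`, and the loop then jumps to `p = end_of_ext`, so any bytes after the first URI (a second GeneralName in `GeneralNames`, or a trailing `reasons` / `cRLIssuer` element) are silently skipped. That makes this backend accept certificates the OpenSSL implementation rejects through `sk_GENERAL_NAME_num(gens) == 1`, contrary to the single-URI contract stated in the header. Adding `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);` after each of those three `VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);` lines closes the gap; the identical function in the CHIPCryptoPALmbedTLS.cpp hunk below (cut off in this view) needs the same three checks. The comment `// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName` sits above a read of a `[0]`-tagged element, so a short note that fullName is IMPLICIT-tagged and its `[0]` replaces the SEQUENCE tag would explain why no SEQUENCE is read there.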
diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp
index 92ec3048fe8de6..195bd56cf745a2 100644
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp
+++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp
@@ -1309,6 +1309,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
  * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1776,6 +1777,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
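Review bot: After the `[6]` uniformResourceIdentifier tag is parsed, `len` is used only for the prefix check and the copy; there is no `p + len == end_of_ext` check like the ones after the two SEQUENCE tags, so a fullName GeneralNames that carries a second GeneralName after the URI is accepted and its first URI is returned with `CHIP_NO_ERROR`. As far as the visible lines show, that contradicts the single-GeneralName rule in the commit description and the `sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert` case in CHIPCryptoPALTest.cpp, which expects `CHIP_ERROR_NOT_FOUND`, unless that vector places the second URI in a separate DistributionPoint. `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);` directly after the `[6]` tag's `VerifyOrExit(result == 0, ...)` closes this gap; the same line after the `[0]` fullName tag would additionally reject a DistributionPoint carrying `reasons` or `cRLIssuer`, if that is the intent. Separately, only the scheme prefix of the copied bytes is validated, so a URI containing control characters or an embedded NUL reaches the caller unchanged; a printable-ASCII check on `urlptr[0..len)` before `CopyCharSpanToMutableCharSpan` would tighten what downstream code is handed. This function is duplicated byte-for-byte in src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp, src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp, src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp and src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp below (and in the hunk tail above this file), all of which need the same change and share the `secuense` typo in the comment, so a single shared mbedTLS helper would keep the copies from drifting.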
diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp
index 5f377841935725..9eb01b6723dabb 100644
--- a/src/crypto/tests/CHIPCryptoPALTest.cpp
+++ b/src/crypto/tests/CHIPCryptoPALTest.cpp
@@ -2106,6 +2106,54 @@ static void TestAKID_x509Extraction(nlTestSuite * inSuite, void * inContext)
 }
 }
 
+static void TestCDPExtension_x509Extraction(nlTestSuite * inSuite, void * inContext)
+{
+ using namespace TestCerts;
+
+ HeapChecker heapChecker(inSuite);
+ CHIP_ERROR err = CHIP_NO_ERROR;
+
+ struct CDPTestCase
+ {
+ ByteSpan Cert;
+ CHIP_ERROR mExpectedError;
+ CharSpan mExpectedResult;
+ };
+
+ constexpr const char * exampleHttpURI = "http://example.com/crl.pem";
+ constexpr const char * exampleHttpsURI = "https://example.com/crl.pem";
+
+ // clang-format off
+ static CDPTestCase sCDPTestCases[] = {
+ // Cert Expected Error Expected Output
+ // ===============================================================================================
+ { ByteSpan(), CHIP_ERROR_INVALID_ARGUMENT, CharSpan() },
+ { sTestCert_PAA_FFF1_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_PAI_FFF2_8001_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF2_8003_0019_FB_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Cert, CHIP_NO_ERROR, CharSpan::fromCharString(exampleHttpURI) },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert, CHIP_NO_ERROR, CharSpan::fromCharString(exampleHttpsURI) },
+ { sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert, CHIP_ERROR_BUFFER_TOO_SMALL, CharSpan() },
+ };
+ // clang-format on
+
+ for (auto & testCase : sCDPTestCases)
+ {
+ char cdpBuf[kMaxCRLDistributionPointURLLength] = { '\0' };
+ MutableCharSpan cdp(cdpBuf);
+ err = ExtractCRLDistributionPointURIFromX509Cert(testCase.Cert, cdp);
+ NL_TEST_ASSERT(inSuite, err == testCase.mExpectedError);
+ if (err == CHIP_NO_ERROR)
+ {
+ NL_TEST_ASSERT(inSuite, cdp.size() == testCase.mExpectedResult.size());
+ NL_TEST_ASSERT(inSuite, cdp.data_equal(testCase.mExpectedResult));
+ }
+ }
+}
+
 static void TestSerialNumber_x509Extraction(nlTestSuite * inSuite, void * inContext)
 {
 using namespace TestCerts;
@@ -2703,6 +2751,7 @@ static const nlTest sTests[] = {
 NL_TEST_DEF("Test x509 Certificate Timestamp Validation", TestX509_IssuingTimestampValidation),
 NL_TEST_DEF("Test Subject Key Id Extraction from x509 Certificate", TestSKID_x509Extraction),
 NL_TEST_DEF("Test Authority Key Id Extraction from x509 Certificate", TestAKID_x509Extraction),
+ NL_TEST_DEF("Test CRL Distribution Point Extension Extraction from x509 Certificate", TestCDPExtension_x509Extraction),
 NL_TEST_DEF("Test Serial Number Extraction from x509 Certificate", TestSerialNumber_x509Extraction),
 NL_TEST_DEF("Test Subject Extraction from x509 Certificate", TestSubject_x509Extraction),
 NL_TEST_DEF("Test Issuer Extraction from x509 Certificate", TestIssuer_x509Extraction),
diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
index e5fedf2d7f994d..96973dcf12046d 100644
--- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
+++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
@@ -1150,6 +1150,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
 * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
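Review bot: `CDPTestCase` mixes two member naming styles in one struct, `Cert` beside `mExpectedError` and `mExpectedResult`; pick one (`mCert`, or drop the `m` prefix on the other two, whichever the file's other test tables use) so the table reads uniformly. `sCDPTestCases` is never modified, so `static const CDPTestCase sCDPTestCases[] = {` together with `for (const auto & testCase : sCDPTestCases)` states that and keeps the vectors out of writable data.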
@@ -1612,6 +1613,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
index 93c286c0edaa9f..b7d49c4fdb2e66 100644
--- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
+++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
@@ -1120,6 +1120,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
 * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1581,6 +1582,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
index 321aaac5363d19..1bcfbdc59edaa5 100644
--- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
+++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
@@ -1151,6 +1151,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
 * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1612,6 +1613,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
index 63a7a17308ab13..e0b5906c1a816b 100644
--- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
+++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
@@ -1457,6 +1457,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
 constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
 constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
 constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
 
 /**
 * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1973,6 +1974,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 return ExtractKIDFromX509Cert(false, certificate, akid);
 }
 
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/src/tools/chip-cert/CertUtils.cpp b/src/tools/chip-cert/CertUtils.cpp
index 2fece459ac4495..3fcf474e9abba8 100644
--- a/src/tools/chip-cert/CertUtils.cpp
+++ b/src/tools/chip-cert/CertUtils.cpp
@@ -1,6 +1,6 @@
 /*
 *
- * Copyright (c) 2021-2022 Project CHIP Authors
+ * Copyright (c) 2021-2023 Project CHIP Authors
 * Copyright (c) 2013-2017 Nest Labs, Inc.
 * All rights reserved.
 *
@@ -1284,7 +1284,8 @@ bool ResignCert(X509 * cert, X509 * caCert, EVP_PKEY * caKey)
 
 bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subjectVID, uint16_t subjectPID,
 bool encodeVIDandPIDasCN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays,
- X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig)
+ X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig, const FutureExtensionWithNID * exts,
+ uint8_t extsCount)
 {
 bool res = true;
 uint16_t vid = certConfig.IsSubjectVIDMismatch() ? static_cast(subjectVID + 1) : subjectVID;
@@ -1468,6 +1469,12 @@ bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subje
 VerifyTrueOrExit(res);
 }
 
+ for (uint8_t i = 0; i < extsCount; i++)
+ {
+ res = AddExtension(newCert, exts[i].nid, exts[i].info);
+ VerifyTrueOrExit(res);
+ }
+
 // Sign the new certificate.
 if (!X509_sign(newCert, caKey, certConfig.GetSignatureAlgorithmDER()))
 {
diff --git a/src/tools/chip-cert/Cmd_GenAttCert.cpp b/src/tools/chip-cert/Cmd_GenAttCert.cpp
index 270e42cfcbd1d6..7f57e1df20542d 100644
--- a/src/tools/chip-cert/Cmd_GenAttCert.cpp
+++ b/src/tools/chip-cert/Cmd_GenAttCert.cpp
@@ -1,6 +1,6 @@
 /*
 *
- * Copyright (c) 2021-2022 Project CHIP Authors
+ * Copyright (c) 2021-2023 Project CHIP Authors
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
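Review bot: `exts` is indexed in the new loop without a null check, so a caller passing `nullptr` together with a non-zero `extsCount` dereferences it; `res = (exts != nullptr || extsCount == 0); VerifyTrueOrExit(res);` before the `for` makes the precondition explicit in the style the surrounding code already uses for `AddExtension`. `MakeAttCert`'s body begins and ends outside this hunk. The signature hunk earlier on this line adds the two parameters without documenting them; a comment at the declaration such as `// exts: optional extra extensions handed to AddExtension after the standard ones; extsCount: number of entries in exts (0 allows exts == nullptr)` would state the contract for callers.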
@@ -57,6 +57,7 @@ OptionDef gCmdOptionDefs[] =
 { "out-key", kArgumentRequired, 'O' },
 { "valid-from", kArgumentRequired, 'f' },
 { "lifetime", kArgumentRequired, 'l' },
+ { "cpd-ext", kArgumentRequired, 'x' },
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 { "ignore-error", kNoArgument, 'I' },
 { "error-type", kArgumentRequired, 'E' },
@@ -125,6 +126,11 @@ const char * const gCmdOptionHelp =
 " 4294967295 to indicate that certificate doesn't have well defined\n"
 " expiration date\n"
 "\n"
+ " -x, --cpd-ext \n"
+ "\n"
+ " CRL Distribution Points (CDP) extension (NID_crl_distribution_points) extension to be added to the list\n"
+ " of certificate extensions.\n"
+ "\n"
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 " -I, --ignore-error\n"
 "\n"
@@ -201,17 +207,19 @@ OptionSet *gCmdOptionSets[] =
 };
 // clang-format on
-AttCertType gAttCertType = kAttCertType_NotSpecified;
-const char * gSubjectCN = nullptr;
-uint16_t gSubjectVID = VendorId::NotSpecified;
-uint16_t gSubjectPID = 0;
-bool gEncodeVIDandPIDasCN = false;
-const char * gCACertFileNameOrStr = nullptr;
-const char * gCAKeyFileNameOrStr = nullptr;
-const char * gInKeyFileNameOrStr = nullptr;
-const char * gOutCertFileName = nullptr;
-const char * gOutKeyFileName = nullptr;
-uint32_t gValidDays = kCertValidDays_Undefined;
+AttCertType gAttCertType = kAttCertType_NotSpecified;
+const char * gSubjectCN = nullptr;
+uint16_t gSubjectVID = VendorId::NotSpecified;
+uint16_t gSubjectPID = 0;
+bool gEncodeVIDandPIDasCN = false;
+const char * gCACertFileNameOrStr = nullptr;
+const char * gCAKeyFileNameOrStr = nullptr;
+const char * gInKeyFileNameOrStr = nullptr;
+const char * gOutCertFileName = nullptr;
+const char * gOutKeyFileName = nullptr;
+uint32_t gValidDays = kCertValidDays_Undefined;
+FutureExtensionWithNID gCPDExtensions[3] = { { 0, nullptr } };
+uint8_t gCPDExtensionsCount = 0;
 struct tm gValidFrom;
 CertStructConfig gCertConfig;
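Review bot: The new option in the @@ -57 hunk is spelled `"cpd-ext"` (and `--cpd-ext` in the help text of the @@ -125 hunk, with the globals in the @@ -201 hunk named `gCPDExtensions`/`gCPDExtensionsCount`), while the extension it adds is the CRL Distribution Points (CDP) extension, as that same help text says; the long option name is user-visible and renaming it later breaks scripts, so settling on `"cdp-ext"` / `--cdp-ext` / `gCDPExtensions` now is cheaper. The help text also says "extension" twice in `" CRL Distribution Points (CDP) extension (NID_crl_distribution_points) extension to be added to the list\n"`; dropping the second occurrence reads correctly. In the globals hunk the capacity of `gCPDExtensions[3]` is a bare literal that nothing else refers to; a named constant such as `constexpr uint8_t kMaxCDPExtensions = 3;` with a one-line comment on why three entries are enough would let the option handler check against it by name.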
@@ -291,6 +299,11 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char
 return false;
 }
 break;
+ case 'x':
+ gCPDExtensions[gCPDExtensionsCount].nid = NID_crl_distribution_points;
+ gCPDExtensions[gCPDExtensionsCount].info = arg;
+ gCPDExtensionsCount++;
+ break;
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 case 'I':
 gCertConfig.EnableErrorTestCase();
@@ -555,7 +568,7 @@ bool Cmd_GenAttCert(int argc, char * argv[])
 if (gAttCertType == kAttCertType_PAA)
 {
 res = MakeAttCert(gAttCertType, gSubjectCN, gSubjectVID, gSubjectPID, gEncodeVIDandPIDasCN, newCert.get(), newKey.get(),
- gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig);
+ gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig, gCPDExtensions, gCPDExtensionsCount);
 VerifyTrueOrExit(res);
 }
 else
@@ -570,7 +583,7 @@ bool Cmd_GenAttCert(int argc, char * argv[])
 VerifyTrueOrExit(res);
 res = MakeAttCert(gAttCertType, gSubjectCN, gSubjectVID, gSubjectPID, gEncodeVIDandPIDasCN, caCert.get(), caKey.get(),
- gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig);
+ gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig, gCPDExtensions, gCPDExtensionsCount);
 VerifyTrueOrExit(res);
 }
diff --git a/src/tools/chip-cert/chip-cert.h b/src/tools/chip-cert/chip-cert.h
index 1c0e4a2b1d90d9..2f203193e38e44 100644
--- a/src/tools/chip-cert/chip-cert.h
+++ b/src/tools/chip-cert/chip-cert.h
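Review bot: `case 'x'` in the @@ -291 hunk writes `gCPDExtensions[gCPDExtensionsCount]` and increments the count without comparing it to the array's capacity, which the globals hunk declares as `gCPDExtensions[3]`, so passing `-x` a fourth time writes past the end of the array. Reject the surplus option instead, with `if (gCPDExtensionsCount >= sizeof(gCPDExtensions) / sizeof(gCPDExtensions[0])) { /* report the error the way the preceding cases do */ return false; }` placed before the two assignments. The value `arg` is stored as-is; since the mbedTLS extractor visible earlier on this page accepts only a URI starting with `http://` or `https://`, a comment here such as `// Stored unvalidated on purpose: test vectors with malformed CDP values are generated with this tool` (if that is the intent) would save the next reader from "fixing" it. HandleOption's body continues outside the hunk.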
@@ -437,7 +437,8 @@ extern bool ResignCert(X509 * cert, X509 * caCert, EVP_PKEY * caKey);
 extern bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subjectVID, uint16_t subjectPID,
 bool encodeVIDandPIDasCN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays,
- X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig);
+ X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig, const FutureExtensionWithNID * exts,
+ uint8_t extsCount);
 extern bool GenerateKeyPair(EVP_PKEY * key);
 extern bool GenerateKeyPair_Secp256k1(EVP_PKEY * key);
 extern bool ReadKey(const char * fileNameOrStr, std::unique_ptr & key,