project-chip · andy31415 · Nov 12, 2021 · Nov 11, 2021
diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -883,6 +883,32 @@ CHIP_ERROR ExtractFabricIdFromCert(const ChipCertificateData & cert, FabricId *
     return CHIP_ERROR_INVALID_ARGUMENT;
 }
 
+CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, uint32_t * cats, uint8_t catsSize)
+{
+    uint8_t catCount = 0;
+    uint8_t certType;
+
+    ReturnErrorOnFailure(opcert.mSubjectDN.GetCertType(certType));
+    VerifyOrReturnError(certType == kCertType_Node, CHIP_ERROR_INVALID_ARGUMENT);
+
+    const ChipDN & subjectDN = opcert.mSubjectDN;
+    for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i)
+    {
+        const auto & rdn = subjectDN.rdn[i];
+        if (rdn.mAttrOID == ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag)
+        {
+            ReturnErrorCodeIf(catCount == catsSize, CHIP_ERROR_BUFFER_TOO_SMALL);
+            cats[catCount++] = static_cast<uint32_t>(rdn.mChipVal);
+        }
+    }
+    for (uint8_t i = catCount; i < catsSize; ++i)
+    {
+        cats[i] = 0;
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 CHIP_ERROR ExtractNodeIdFabricIdFromOpCert(const ByteSpan & opcert, NodeId * nodeId, FabricId * fabricId)
 {
     ChipCertificateSet certSet;

diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
@@ -54,6 +54,9 @@ static constexpr uint32_t kMaxDERCertLength  = 600;
 // The decode buffer is used to reconstruct TBS section of X.509 certificate, which doesn't include signature.
 static constexpr uint32_t kMaxCHIPCertDecodeBufLength = kMaxDERCertLength - Crypto::kMax_ECDSA_Signature_Length_Der;
 
+// Muximum number of CASE Authenticated Tags (CAT) in the CHIP certificate subject.
+static constexpr size_t kMaxSubjectCATAttributeCount = CHIP_CONFIG_CERT_MAX_RDN_ATTRIBUTES - 2;
+
 /** Data Element Tags for the CHIP Certificate
  */
 enum
@@ -715,7 +718,7 @@ inline bool IsChip64bitDNAttr(chip::ASN1::OID oid)
  **/
 inline bool IsChip32bitDNAttr(chip::ASN1::OID oid)
 {
-    return (oid == chip::ASN1::kOID_AttributeType_ChipAuthTag1 || oid == chip::ASN1::kOID_AttributeType_ChipAuthTag2);
+    return (oid == chip::ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag);
 }
 
 /**
@@ -796,6 +799,17 @@ CHIP_ERROR ExtractFabricIdFromCert(const ChipCertificateData & cert, FabricId *
  */
 CHIP_ERROR ExtractNodeIdFabricIdFromOpCert(const ChipCertificateData & opcert, NodeId * nodeId, FabricId * fabricId);
 
+/**
+ * Extract CASE Authenticated Tags from an operational certificate that has already been
+ * parsed.
+ *
+ * All values in the 'cats' array will be set either to a valid CAT value or zero (undefined) value.
+ *
+ * @return CHIP_ERROR_INVALID_ARGUMENT if the passed-in cert is not NOC.
+ * @return CHIP_ERROR_BUFFER_TOO_SMALL if the passed-in CATs array is too small.
+ */
+CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, uint32_t * cats, uint8_t catsSize);
+
 /**
  * Extract Node ID and Fabric ID from an operational certificate in ByteSpan TLV-encoded
  * form.  This does not perform any sort of validation on the certificate

diff --git a/src/credentials/tests/CHIPCert_test_vectors.cpp b/src/credentials/tests/CHIPCert_test_vectors.cpp
diff --git a/src/credentials/tests/CHIPCert_test_vectors.h b/src/credentials/tests/CHIPCert_test_vectors.h
diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp
@@ -1039,6 +1039,7 @@ static void TestChipCert_ExtractPeerId(nlTestSuite * inSuite, void * inContext)
         {  TestCert::kNode02_05, TestCert::kICA02, 0xDEDEDEDE00020005, 0xFAB000000000001D },
         {  TestCert::kNode02_06, TestCert::kICA02, 0xDEDEDEDE00020006, 0xFAB000000000001D },
         {  TestCert::kNode02_07, TestCert::kICA02, 0xDEDEDEDE00020007, 0xFAB000000000001D },
+        {  TestCert::kNode02_08, TestCert::kICA02, 0xDEDEDEDE00020008, 0xFAB000000000001D },
     };
     // clang-format on
 
@@ -1107,6 +1108,80 @@ static void TestChipCert_ExtractPeerId(nlTestSuite * inSuite, void * inContext)
     }
 }
 
+static void TestChipCert_ExtractCATsFromOpCert(nlTestSuite * inSuite, void * inContext)
+{
+    struct TestCase
+    {
+        uint8_t Cert;
+        uint32_t ExpectedCAT[kMaxSubjectCATAttributeCount];
+    };
+
+    // clang-format off
+    static constexpr TestCase sTestCases[] = {
+        // Cert                  CATs
+        // =============================================================
+        {  TestCert::kNode01_01, {          0,          0,          0 } },
+        {  TestCert::kNode01_02, {          0,          0,          0 } },
+        {  TestCert::kNode02_01, {          0,          0,          0 } },
+        {  TestCert::kNode02_02, {          0,          0,          0 } },
+        {  TestCert::kNode02_03, { 0xABCD0001,          0,          0 } },
+        {  TestCert::kNode02_04, { 0xABCE1002, 0xABCD0003,          0 } },
+        {  TestCert::kNode02_05, { 0xABCD0010, 0xABCE1008,          0 } },
+        {  TestCert::kNode02_06, {          0,          0,          0 } },
+        {  TestCert::kNode02_07, {          0,          0,          0 } },
+        {  TestCert::kNode02_08, { 0xABCF00A0, 0xABCD0020, 0xABCE0100 } },
+    };
+    // clang-format on
+
+    // Test extraction from the raw ByteSpan form.
+    ChipCertificateSet certSet;
+    for (auto & testCase : sTestCases)
+    {
+        CHIP_ERROR err = certSet.Init(1);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        err = LoadTestCert(certSet, testCase.Cert, sNullLoadFlag, sNullDecodeFlag);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        uint32_t cats[kMaxSubjectCATAttributeCount];
+        err = ExtractCATsFromOpCert(certSet.GetCertSet()[0], cats, ArraySize(cats));
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, memcmp(cats, testCase.ExpectedCAT, sizeof(cats)) == 0);
+
+        certSet.Release();
+    }
+
+    // Error case: trying to extract CAT from Root Cert.
+    {
+        CHIP_ERROR err = certSet.Init(1);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        err = LoadTestCert(certSet, TestCert::kRoot01, sNullLoadFlag, sNullDecodeFlag);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        uint32_t cats[kMaxSubjectCATAttributeCount];
+        err = ExtractCATsFromOpCert(certSet.GetCertSet()[0], cats, ArraySize(cats));
+        NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_INVALID_ARGUMENT);
+
+        certSet.Release();
+    }
+
+    // Error case: CAT array is too small.
+    {
+        CHIP_ERROR err = certSet.Init(1);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        err = LoadTestCert(certSet, TestCert::kNode02_08, sNullLoadFlag, sNullDecodeFlag);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        uint32_t cats[kMaxSubjectCATAttributeCount - 1];
+        err = ExtractCATsFromOpCert(certSet.GetCertSet()[0], cats, ArraySize(cats));
+        NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_BUFFER_TOO_SMALL);
+
+        certSet.Release();
+    }
+}
+
 static void TestChipCert_ExtractPublicKeyAndSKID(nlTestSuite * inSuite, void * inContext)
 {
     struct TestCase
@@ -1134,6 +1209,7 @@ static void TestChipCert_ExtractPublicKeyAndSKID(nlTestSuite * inSuite, void * i
         {  TestCert::kNode02_05, sTestCert_Node02_05_PublicKey, sTestCert_Node02_05_SubjectKeyId },
         {  TestCert::kNode02_06, sTestCert_Node02_06_PublicKey, sTestCert_Node02_06_SubjectKeyId },
         {  TestCert::kNode02_07, sTestCert_Node02_07_PublicKey, sTestCert_Node02_07_SubjectKeyId },
+        {  TestCert::kNode02_08, sTestCert_Node02_08_PublicKey, sTestCert_Node02_08_SubjectKeyId },
     };
     // clang-format on
 
@@ -1200,6 +1276,7 @@ static const nlTest sTests[] = {
     NL_TEST_DEF("Test CHIP Verify Generated Cert Chain", TestChipCert_VerifyGeneratedCerts),
     NL_TEST_DEF("Test CHIP Verify Generated Cert Chain No ICA", TestChipCert_VerifyGeneratedCertsNoICA),
     NL_TEST_DEF("Test extracting PeerId from node certificate", TestChipCert_ExtractPeerId),
+    NL_TEST_DEF("Test extracting CAST Authenticated Tags from node certificate", TestChipCert_ExtractCATsFromOpCert),
     NL_TEST_DEF("Test extracting PublicKey and SKID from chip certificate", TestChipCert_ExtractPublicKeyAndSKID),
     NL_TEST_SENTINEL()
 };

diff --git a/src/lib/asn1/gen_asn1oid.py b/src/lib/asn1/gen_asn1oid.py
@@ -144,10 +144,8 @@ def identity(n):
         3), dod(6), internet(1), private(4), enterprise(1), zigbee(37244), chip(1), 4]),
     ("AttributeType",  "ChipFabricId",            21,      [iso(1), organization(
         3), dod(6), internet(1), private(4), enterprise(1), zigbee(37244), chip(1), 5]),
-    ("AttributeType",  "ChipAuthTag1",            22,      [iso(1), organization(
+    ("AttributeType",  "ChipCASEAuthenticatedTag", 22,      [iso(1), organization(
         3), dod(6), internet(1), private(4), enterprise(1), zigbee(37244), chip(1), 6]),
-    ("AttributeType",  "ChipAuthTag2",            23,      [iso(1), organization(
-        3), dod(6), internet(1), private(4), enterprise(1), zigbee(37244), chip(1), 7]),
 
     # Elliptic Curves
     ("EllipticCurve",  "prime256v1",              1,       [

diff --git a/src/tools/chip-cert/CertUtils.cpp b/src/tools/chip-cert/CertUtils.cpp
@@ -62,11 +62,8 @@ bool ToolChipDN::SetCertSubjectDN(X509 * cert) const
         case kOID_AttributeType_ChipFabricId:
             attrNID = gNIDChipFabricId;
             break;
-        case kOID_AttributeType_ChipAuthTag1:
-            attrNID = gNIDChipAuthTag1;
-            break;
-        case kOID_AttributeType_ChipAuthTag2:
-            attrNID = gNIDChipAuthTag2;
+        case kOID_AttributeType_ChipCASEAuthenticatedTag:
+            attrNID = gNIDChipCASEAuthenticatedTag;
             break;
         default:
             ExitNow(res = false);

diff --git a/src/tools/chip-cert/Cmd_GenCert.cpp b/src/tools/chip-cert/Cmd_GenCert.cpp
@@ -46,7 +46,7 @@ OptionDef gCmdOptionDefs[] =
     { "type",                kArgumentRequired, 't' },
     { "subject-chip-id",     kArgumentRequired, 'i' },
     { "subject-fab-id",      kArgumentRequired, 'f' },
-    { "subject-at",          kArgumentRequired, 'a' },
+    { "subject-cat",         kArgumentRequired, 'a' },
     { "subject-cn-u",        kArgumentRequired, 'c' },
     { "path-len-constraint", kArgumentRequired, 'p' },
     { "future-ext-sub",      kArgumentRequired, 'x' },
@@ -83,9 +83,9 @@ const char * const gCmdOptionHelp =
     "\n"
     "       Subject DN Fabric Id attribute (in hex).\n"
     "\n"
-    "   -a, --subject-at <hex-digits>\n"
+    "   -a, --subject-cat <hex-digits>\n"
     "\n"
-    "       Subject DN CHIP Authentication Tag (in hex).\n"
+    "       Subject DN CHIP CASE Authentication Tag (in hex).\n"
     "\n"
     "   -c, --subject-cn-u <string>\n"
     "\n"
@@ -266,20 +266,7 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char
             PrintArgError("%s: Invalid value specified for the subject authentication tag attribute: %s\n", progName, arg);
             return false;
         }
-
-        if (!gSubjectDN.HasAttr(kOID_AttributeType_ChipAuthTag1))
-        {
-            attrOID = kOID_AttributeType_ChipAuthTag1;
-        }
-        else if (!gSubjectDN.HasAttr(kOID_AttributeType_ChipAuthTag2))
-        {
-            attrOID = kOID_AttributeType_ChipAuthTag2;
-        }
-        else
-        {
-            PrintArgError("%s: Too many authentication tag attributes are specified: %s\n", progName, arg);
-            return false;
-        }
+        attrOID = kOID_AttributeType_ChipCASEAuthenticatedTag;
 
         err = gSubjectDN.AddAttribute(attrOID, chip32bitAttr);
         if (err != CHIP_NO_ERROR)

diff --git a/src/tools/chip-cert/GeneralUtils.cpp b/src/tools/chip-cert/GeneralUtils.cpp
@@ -38,8 +38,7 @@ int gNIDChipFirmwareSigningId;
 int gNIDChipICAId;
 int gNIDChipRootId;
 int gNIDChipFabricId;
-int gNIDChipAuthTag1;
-int gNIDChipAuthTag2;
+int gNIDChipCASEAuthenticatedTag;
 int gNIDChipAttAttrVID;
 int gNIDChipAttAttrPID;
 int gNIDChipCurveP256 = EC_curve_nist2nid("P-256");
@@ -83,14 +82,8 @@ bool InitOpenSSL()
         ReportOpenSSLErrorAndExit("OBJ_create", res = false);
     }
 
-    gNIDChipAuthTag1 = OBJ_create("1.3.6.1.4.1.37244.1.6", "ChipAuthTag1", "ChipAuthTag1");
-    if (gNIDChipAuthTag1 == 0)
-    {
-        ReportOpenSSLErrorAndExit("OBJ_create", res = false);
-    }
-
-    gNIDChipAuthTag2 = OBJ_create("1.3.6.1.4.1.37244.1.7", "ChipAuthTag2", "ChipAuthTag2");
-    if (gNIDChipAuthTag2 == 0)
+    gNIDChipCASEAuthenticatedTag = OBJ_create("1.3.6.1.4.1.37244.1.6", "ChipCASEAuthenticatedTag", "ChipCASEAuthenticatedTag");
+    if (gNIDChipCASEAuthenticatedTag == 0)
     {
         ReportOpenSSLErrorAndExit("OBJ_create", res = false);
     }
@@ -112,8 +105,7 @@ bool InitOpenSSL()
     ASN1_STRING_TABLE_add(gNIDChipICAId, 16, 16, B_ASN1_UTF8STRING, 0);
     ASN1_STRING_TABLE_add(gNIDChipRootId, 16, 16, B_ASN1_UTF8STRING, 0);
     ASN1_STRING_TABLE_add(gNIDChipFabricId, 16, 16, B_ASN1_UTF8STRING, 0);
-    ASN1_STRING_TABLE_add(gNIDChipAuthTag1, 8, 8, B_ASN1_UTF8STRING, 0);
-    ASN1_STRING_TABLE_add(gNIDChipAuthTag2, 8, 8, B_ASN1_UTF8STRING, 0);
+    ASN1_STRING_TABLE_add(gNIDChipCASEAuthenticatedTag, 8, 8, B_ASN1_UTF8STRING, 0);
     ASN1_STRING_TABLE_add(gNIDChipAttAttrVID, 4, 4, B_ASN1_UTF8STRING, 0);
     ASN1_STRING_TABLE_add(gNIDChipAttAttrPID, 4, 4, B_ASN1_UTF8STRING, 0);
 

diff --git a/src/tools/chip-cert/chip-cert.h b/src/tools/chip-cert/chip-cert.h
@@ -164,8 +164,7 @@ extern int gNIDChipFirmwareSigningId;
 extern int gNIDChipICAId;
 extern int gNIDChipRootId;
 extern int gNIDChipFabricId;
-extern int gNIDChipAuthTag1;
-extern int gNIDChipAuthTag2;
+extern int gNIDChipCASEAuthenticatedTag;
 extern int gNIDChipCurveP256;
 extern int gNIDChipAttAttrVID;
 extern int gNIDChipAttAttrPID;