Add basic support for recognizing and validating Network Identity cer…

…ts (#30114)

* Make BitFlags more constexpr friendly

* Add basic support for recognizing and validating Network Identity certs

This involves changing some Extract*FromCert methods from using
ChipCertificateSet to load the certificate to just using
DecodeChipCert, since ChipCertificateSet makes additional assumptions.

Also remove unused ChipCertificateData.mCertificate member

* Address review comments

src/credentials/CHIPCert.cpp

@@ -31,7 +31,7 @@
 
 #include <stddef.h>
 
-#include <credentials/CHIPCert.h>
+#include <credentials/CHIPCert_Internal.h>
 #include <credentials/CHIPCertificateSet.h>
 #include <lib/asn1/ASN1.h>
 #include <lib/asn1/ASN1Macros.h>
@@ -468,6 +468,7 @@ ChipCertificateData::~ChipCertificateData() {}
 
 void ChipCertificateData::Clear()
 {
+    mSerialNumber = ByteSpan();
     mSubjectDN.Clear();
     mIssuerDN.Clear();
     mSubjectKeyId      = CertificateKeyId();
@@ -612,6 +613,13 @@ CHIP_ERROR ChipDN::GetCertType(CertType & certType) const
     bool catsPresent     = false;
     uint8_t rdnCount     = RDNCount();
 
+    if (rdnCount == 1 && rdn[0].mAttrOID == kOID_AttributeType_CommonName && !rdn[0].mAttrIsPrintableString &&
+        rdn[0].mString.data_equal(kNetworkIdentityCN))
+    {
+        certType = CertType::kNetworkIdentity;
+        return CHIP_NO_ERROR;
+    }
+
     certType = CertType::kNotSpecified;
 
     for (uint8_t i = 0; i < rdnCount; i++)
@@ -672,6 +680,7 @@ CHIP_ERROR ChipDN::GetCertType(CertType & certType) const
 CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const
 {
     uint8_t rdnCount = RDNCount();
+    bool foundId     = false;
 
     chipId = 0;
 
@@ -683,15 +692,17 @@ CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const
         case kOID_AttributeType_MatterICACId:
         case kOID_AttributeType_MatterNodeId:
         case kOID_AttributeType_MatterFirmwareSigningId:
-            VerifyOrReturnError(chipId == 0, CHIP_ERROR_WRONG_CERT_DN);
+            VerifyOrReturnError(!foundId, CHIP_ERROR_WRONG_CERT_DN);
 
-            chipId = rdn[i].mChipVal;
+            chipId  = rdn[i].mChipVal;
+            foundId = true;
             break;
         default:
             break;
         }
     }
 
+    VerifyOrReturnError(foundId, CHIP_ERROR_WRONG_CERT_DN);
     return CHIP_NO_ERROR;
 }
 
@@ -1304,78 +1315,48 @@ CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, CATValues &
 
 CHIP_ERROR ExtractFabricIdFromCert(const ByteSpan & opcert, FabricId * fabricId)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-    ReturnErrorOnFailure(certSet.LoadCert(opcert, BitFlags<CertDecodeFlags>()));
+    ReturnErrorOnFailure(DecodeChipCert(opcert, certData));
     return ExtractFabricIdFromCert(certData, fabricId);
 }
 
 CHIP_ERROR ExtractNodeIdFabricIdFromOpCert(const ByteSpan & opcert, NodeId * nodeId, FabricId * fabricId)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-
-    ReturnErrorOnFailure(certSet.LoadCert(opcert, BitFlags<CertDecodeFlags>()));
-
+    ReturnErrorOnFailure(DecodeChipCert(opcert, certData));
     return ExtractNodeIdFabricIdFromOpCert(certData, nodeId, fabricId);
 }
 
 CHIP_ERROR ExtractPublicKeyFromChipCert(const ByteSpan & chipCert, P256PublicKeySpan & publicKey)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-
-    ReturnErrorOnFailure(certSet.LoadCert(chipCert, BitFlags<CertDecodeFlags>()));
-
+    ReturnErrorOnFailure(DecodeChipCert(chipCert, certData));
     publicKey = certData.mPublicKey;
-
     return CHIP_NO_ERROR;
 }
 
 CHIP_ERROR ExtractNotBeforeFromChipCert(const ByteSpan & chipCert, chip::System::Clock::Seconds32 & notBeforeChipEpochTime)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-
-    ReturnErrorOnFailure(certSet.LoadCert(chipCert, BitFlags<CertDecodeFlags>()));
-
+    ReturnErrorOnFailure(DecodeChipCert(chipCert, certData));
     notBeforeChipEpochTime = chip::System::Clock::Seconds32(certData.mNotBeforeTime);
-
     return CHIP_NO_ERROR;
 }
 
 CHIP_ERROR ExtractSKIDFromChipCert(const ByteSpan & chipCert, CertificateKeyId & skid)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-
-    ReturnErrorOnFailure(certSet.LoadCert(chipCert, BitFlags<CertDecodeFlags>()));
-
+    ReturnErrorOnFailure(DecodeChipCert(chipCert, certData));
+    VerifyOrReturnError(certData.mCertFlags.Has(CertFlags::kExtPresent_AuthKeyId), CHIP_ERROR_NOT_FOUND);
     skid = certData.mSubjectKeyId;
-
     return CHIP_NO_ERROR;
 }
 
 CHIP_ERROR ExtractSubjectDNFromChipCert(const ByteSpan & chipCert, ChipDN & dn)
 {
-    ChipCertificateSet certSet;
     ChipCertificateData certData;
-
-    ReturnErrorOnFailure(certSet.Init(&certData, 1));
-
-    ReturnErrorOnFailure(certSet.LoadCert(chipCert, BitFlags<CertDecodeFlags>()));
-
+    ReturnErrorOnFailure(DecodeChipCert(chipCert, certData));
     dn = certData.mSubjectDN;
-
     return CHIP_NO_ERROR;
 }
 
@@ -1446,5 +1427,33 @@ CHIP_ERROR CertificateValidityPolicy::ApplyDefaultPolicy(const ChipCertificateDa
     }
 }
 
+CHIP_ERROR ValidateChipNetworkIdentity(const ByteSpan & cert)
+{
+    ChipCertificateData certData;
+    ReturnErrorOnFailure(DecodeChipCert(cert, certData, CertDecodeFlags::kGenerateTBSHash));
+
+    CertType certType;
+    ReturnErrorOnFailure(certData.mSubjectDN.GetCertType(certType));
+    VerifyOrReturnError(certType == CertType::kNetworkIdentity, CHIP_ERROR_WRONG_CERT_TYPE);
+
+    VerifyOrReturnError(certData.mSerialNumber.data_equal(kNetworkIdentitySerialNumber), CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certData.mNotBeforeTime == kNetworkIdentityNotBeforeTime, CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certData.mNotAfterTime == kNetworkIdentityNotAfterTime, CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certData.mIssuerDN.IsEqual(certData.mSubjectDN), CHIP_ERROR_WRONG_CERT_TYPE);
+
+    VerifyOrReturnError(certData.mCertFlags.Has(CertFlags::kExtPresent_BasicConstraints) &&
+                            !certData.mCertFlags.Has(CertFlags::kIsCA),
+                        CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certData.mCertFlags.Has(CertFlags::kExtPresent_KeyUsage) &&
+                            certData.mKeyUsageFlags == kNetworkIdentityKeyUsage,
+                        CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certData.mCertFlags.Has(CertFlags::kExtPresent_ExtendedKeyUsage) &&
+                            certData.mKeyPurposeFlags == kNetworkIdentityKeyPurpose,
+                        CHIP_ERROR_WRONG_CERT_TYPE);
+
+    ReturnErrorOnFailure(VerifyCertSignature(certData, certData));
+    return CHIP_NO_ERROR;
+}
+
 } // namespace Credentials
 } // namespace chip

src/credentials/CHIPCert.h

@@ -112,6 +112,7 @@ enum class CertType : uint8_t
                                   firmware image signing is manufacturer-specific. The CHIP
                                   certificate format supports encoding of firmware signing
                                   certificates if chosen by the manufacturer to use them. */
+    kNetworkIdentity = 0x05, /**< A CHIP Network (Client) Identity. */
 };
 
 /** X.509 Certificate Key Purpose Flags
@@ -428,7 +429,7 @@ struct ChipCertificateData
     void Clear();
     bool IsEqual(const ChipCertificateData & other) const;
 
-    ByteSpan mCertificate;                      /**< Original raw buffer data. */
+    ByteSpan mSerialNumber;                     /**< Certificate Serial Number. */
     ChipDN mSubjectDN;                          /**< Certificate Subject DN. */
     ChipDN mIssuerDN;                           /**< Certificate Issuer DN. */
     CertificateKeyId mSubjectKeyId;             /**< Certificate Subject public key identifier. */
@@ -529,6 +530,20 @@ CHIP_ERROR VerifyCertSignature(const ChipCertificateData & cert, const ChipCerti
  */
 CHIP_ERROR ValidateChipRCAC(const ByteSpan & rcac);
 
+/**
+ * Validates a Network (Client) Identity in TLV-encoded form.
+ *
+ * This function parses the certificate, ensures the rigid fields have the values mandated by the
+ * specification, and validates the certificate signature.
+ *
+ * @return CHIP_NO_ERROR on success, CHIP_ERROR_WRONG_CERT_TYPE if the certificate does
+ *         not conform to the requirements for a Network Identity, CHIP_ERROR_INVALID_SIGNATURE
+ *         if the certificate has an invalid signature, or another CHIP_ERROR.
+ *
+ * @see section 11.24 (Wi-Fi Authentication with Per-Device Credentials) of the Matter spec
+ */
+CHIP_ERROR ValidateChipNetworkIdentity(const ByteSpan & cert);
+
 struct FutureExtension
 {
     ByteSpan OID;

src/credentials/CHIPCertToX509.cpp

@@ -511,11 +511,12 @@ static CHIP_ERROR DecodeConvertTBSCert(TLVReader & reader, ASN1Writer & writer,
         }
         ASN1_END_CONSTRUCTED;
 
-        ReturnErrorOnFailure(reader.Next(kTLVType_ByteString, ContextTag(kTag_SerialNumber)));
-
         // serialNumber CertificateSerialNumber
         // CertificateSerialNumber ::= INTEGER
-        ReturnErrorOnFailure(writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false, reader));
+        ReturnErrorOnFailure(reader.Next(kTLVType_ByteString, ContextTag(kTag_SerialNumber)));
+        ReturnErrorOnFailure(reader.Get(certData.mSerialNumber));
+        ReturnErrorOnFailure(writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false,
+                                             certData.mSerialNumber.data(), static_cast<uint16_t>(certData.mSerialNumber.size())));
 
         // signature AlgorithmIdentifier
         // AlgorithmIdentifier ::= SEQUENCE

src/credentials/CHIPCert_Internal.h

@@ -0,0 +1,39 @@
+/*
+ *
+ *    Copyright (c) 2023 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#pragma once
+
+#include <credentials/CHIPCert.h>
+
+namespace chip {
+namespace Credentials {
+
+// Constants for Network (Client) Identities as per section 11.24 (Wi-Fi
+// Authentication with Per-Device Credentials) of the Matter spec.
+inline constexpr CharSpan kNetworkIdentityCN           = "*"_span;
+inline constexpr ByteSpan kNetworkIdentitySerialNumber = ByteSpan((uint8_t[1]){ 1 });
+
+inline constexpr uint32_t kNetworkIdentityNotBeforeTime = 1;
+inline constexpr uint32_t kNetworkIdentityNotAfterTime  = kNullCertTime;
+
+inline constexpr auto kNetworkIdentityKeyUsage = BitFlags<KeyUsageFlags>(KeyUsageFlags::kDigitalSignature);
+inline constexpr auto kNetworkIdentityKeyPurpose =
+    BitFlags<KeyPurposeFlags>(KeyPurposeFlags::kClientAuth, KeyPurposeFlags::kServerAuth);
+
+} // namespace Credentials
+} // namespace chip