Skip to content

Commit

Permalink
Implemented ExtractCRLDistributionPointURIFromX509Cert() Helper Funct…
Browse files Browse the repository at this point in the history
…ion (#26913)

* Implemented ExtractCRLDistributionPointURIFromX509Cert() Helper Function

  - Extracts the CRL Distribution Point (CDP) extension from an X509 ASN.1 Encoded Certificate
  - The returned value only covers the URI of the CDP
  - Only a single URI distribution point GeneralName is supported
  - The valid URL should start with "http://" or "https://"
  - Added OpenSSL, mbedTLS, and TinyCrypt implementations
  - Added CDP extension support to the chip-cert tool
  - Added new test vectors

* Update OpenSSL Impelementation to Address Review Comments.

Added documentation to clarify each step of the implementation.

* Added documentation to the mbedTLS-based implementations

* Restyled by clang-format

---------

Co-authored-by: Restyled.io <[email protected]>
  • Loading branch information
2 people authored and pull[bot] committed Jul 25, 2023
1 parent b1c1556 commit 2272792
Show file tree
Hide file tree
Showing 39 changed files with 1,487 additions and 21 deletions.
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICUDCCAfagAwIBAgIISW372zteskMwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFQx
JjAkBgNVBAMMHU1hdHRlciBUZXN0IERBQyAwMDAwIFR3byBDRFBzMRQwEgYKKwYB
BAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAARKrV70IfqHoglq9IBcx7bK3w/30LA1NNMRJ5LYnAHfE7cV
AfLEBWiSm/ibuygPsGeTDUwoQvlzUhJXOY+2MpLco4G9MIG6MAwGA1UdEwEB/wQC
MAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRF3Pw1yhkocaPuFrIVi2gb4+mK
jDAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDAsBgNVHR8EJTAjMCGg
H6AdhhtodHRwczovL2V4YW1wbGUuY29tL2NybC5wZW0wLAYDVR0fBCUwIzAhoB+g
HYYbaHR0cDovL2V4YW1wbGUuY29tL2NybDIucGVtMAoGCCqGSM49BAMCA0gAMEUC
ICo4AL07AB1JwKlxGLhw/UsJVGsGYQev7ZWa7wxbASuPAiEA4YlR6OPubKM9Z7Jg
jBq99l+UvHneNRsmIWpB3JKzESI=
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJj6QtgPRpxFxnBqp0m+IYABttjI2ijEbkXYSlxoqN9+oAoGCCqGSM49
AwEHoUQDQgAESq1e9CH6h6IJavSAXMe2yt8P99CwNTTTESeS2JwB3xO3FQHyxAVo
kpv4m7soD7Bnkw1MKEL5c1ISVzmPtjKS3A==
-----END EC PRIVATE KEY-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICSjCCAfCgAwIBAgIIXzwUpXaaVS0wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFox
LDAqBgNVBAMMI01hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoVHdvIFVSSXMpMRQw
EgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAATaRkJ2yopbD59Iy6YH/+2S9qgTFGdh+Hu5AO9s
Q2voAeanxcjpYgnLEQRq76+OKwOZtin1IANCtIw0epGZh+NXo4GxMIGuMAwGA1Ud
EwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTMrHgJmsR/rXoOuQEs
yPQiiAmrYTAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDBOBgNVHR8E
RzBFMCCgHqAchhpodHRwOi8vZXhhbXBsZS5jb20vY3JsLnBlbTAhoB+gHYYbaHR0
cDovL2V4YW1wbGUuY29tL2NybDIucGVtMAoGCCqGSM49BAMCA0gAMEUCIGoUNMNM
07VMHKebxQhC593V7bd4xaKF6a5UYf8ddjl/AiEA7U3iA9Ja1dNx+7NNXJz3vqkS
1ohFXkrf4C9/CWQ/iLw=
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIL3FzD2bhQ0UC24d6vXSt8tj/HH2TmyomvM0uZhDfm3HoAoGCCqGSM49
AwEHoUQDQgAE2kZCdsqKWw+fSMumB//tkvaoExRnYfh7uQDvbENr6AHmp8XI6WIJ
yxEEau+vjisDmbYp9SADQrSMNHqRmYfjVw==
-----END EC PRIVATE KEY-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICIzCCAcmgAwIBAgIIcWVtG3ouFqQwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFYx
KDAmBgNVBAMMH01hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoSFRUUCkxFDASBgor
BgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGConwCAgwEODAwMDBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABOMBHt6fUVqz6bqTJf7yO5bNcVw66jjOgR6I/G3nrDAm
I/unBos+CdP+VJsRzF8OWWxO284+e6InH7jQmvQhnj2jgY4wgYswDAYDVR0TAQH/
BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFGhDyDOjOZ+YQhU+sazPL5VY
XxpQMB8GA1UdIwQYMBaAFK9CtwlN69UV7G7PM7gRFSJfMlKIMCsGA1UdHwQkMCIw
IKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9jcmwucGVtMAoGCCqGSM49BAMCA0gA
MEUCIGVKTBM7ydpNFHg1q/wk1Szso6CPovTm6sKuYEEfNvWkAiEAqhyhkx+8mv/W
RzKr8x6o9hPBZx8PIqQxZ+KOnayTHhg=
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICJTCCAcugAwIBAgIINKhBW30/Kx4wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFcx
KTAnBgNVBAMMIE1hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoSFRUUFMpMRQwEgYK
KwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAATZKyTeUWuOzT5oYt6H/Dv3fnARcccLWYz/XwJ/Argg
5/oHutTk2L4mHAj7MZXVqDSCOijMRwO3xRV+FJ5eqngFo4GPMIGMMAwGA1UdEwEB
/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSjAjP4b0DRGsVfgKXAqSpQ
b+qfMTAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDAsBgNVHR8EJTAj
MCGgH6AdhhtodHRwczovL2V4YW1wbGUuY29tL2NybC5wZW0wCgYIKoZIzj0EAwID
SAAwRQIgU+zq2jxdS7dQy+f40QlZEtTI5fsf7zAkH8+VgylA0JoCIQC1V168pxuE
fnfV1dFBBruHvzedkqSd6o0QoOGLSBAuHw==
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIASkFQOGOdFOYpJvRhpiVdejCwvcrGqYzfiLFnAqcp87oAoGCCqGSM49
AwEHoUQDQgAE2Ssk3lFrjs0+aGLeh/w7935wEXHHC1mM/18CfwK4IOf6B7rU5Ni+
JhwI+zGV1ag0gjoozEcDt8UVfhSeXqp4BQ==
-----END EC PRIVATE KEY-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAZZ8hZ3GOkPEiO670Qo8bDOxHK1X7sH6ofXOYmc9zFqoAoGCCqGSM49
AwEHoUQDQgAE4wEe3p9RWrPpupMl/vI7ls1xXDrqOM6BHoj8beesMCYj+6cGiz4J
0/5UmxHMXw5ZbE7bzj57oicfuNCa9CGePQ==
-----END EC PRIVATE KEY-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICUzCCAfmgAwIBAgIIHW5tUEGGAAcwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMDsx
DTALBgNVBAMMBExvbmcxFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC
onwCAgwEODAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEMo+7hxQow14iSz
f56AZANfssxy+PFxGFNGwyDhqIW15AkJXuyFX31Sr5eh0G92cWyHNn4ZiM6hGdbX
9CUrxy+jgdkwgdYwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0O
BBYEFPZMe/GotuC6EI6960/h9nd8ySwpMB8GA1UdIwQYMBaAFK9CtwlN69UV7G7P
M7gRFSJfMlKIMHYGA1UdHwRvMG0wa6BpoGeGZWh0dHBzOi8vZXhhbXBsZS5jb20v
dGhpcy1pcy1hbi1leGFtcGxlLW9mLWNybC1kaXN0cmlidXRpb24tcG9pbnQtZXh0
ZW5zaW9uLXdoaWNoLWlzLTEwMS1jaGFycy9jcmwucGVtMAoGCCqGSM49BAMCA0gA
MEUCIENDYnRVRbgQ6zM9WS0/RoI8U/VhGfCGROJ5TLpK2rexAiEAr1GXakRNQ566
F7ihY3WBUwmT9hjCdBiH0+beR5GkyaQ=
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEINFUmafW3jhThp3mpGxLUtE7c1kW1Kq9UCaqrR5yeWbroAoGCCqGSM49
AwEHoUQDQgAEQyj7uHFCjDXiJLN/noBkA1+yzHL48XEYU0bDIOGohbXkCQle7IVf
fVKvl6HQb3ZxbIc2fhmIzqEZ1tf0JSvHLw==
-----END EC PRIVATE KEY-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIICBTCCAaugAwIBAgIIcAYIqqHXrW0wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMDsx
DTALBgNVBAMMBExvbmcxFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC
onwCAgwEODAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPzNyCm6Yjd8xsez
bqfBr3bNFcMovEtujQd4ull/u/MK5xK2V9L58rkV+CNMh+KjO/XnWXbgTmrQPYUL
0WQ588+jgYswgYgwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0O
BBYEFAcwHO+LnkQm0uRuxvo607dEHe+9MB8GA1UdIwQYMBaAFK9CtwlN69UV7G7P
M7gRFSJfMlKIMCgGA1UdHwQhMB8wHaAboBmGF3d3dy5leGFtcGxlLmNvbS9jcmwu
cGVtMAoGCCqGSM49BAMCA0gAMEUCIQDmuIge7Q6mcILAYH5G9sqEBDGr4JHWF12B
DDih5PBFdwIgOQZfvvn9pBs3r8ux9t8JDhpEO6xuZSw72sED9NOsTnY=
-----END CERTIFICATE-----
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKUdzfzZVduHJDVshxIakL0TGFN4p6mMcfRwRKKm2+vboAoGCCqGSM49
AwEHoUQDQgAE/M3IKbpiN3zGx7Nup8Gvds0Vwyi8S26NB3i6WX+78wrnErZX0vny
uRX4I0yH4qM79edZduBOatA9hQvRZDnzzw==
-----END EC PRIVATE KEY-----
59 changes: 57 additions & 2 deletions credentials/test/gen-test-attestation-certs.sh
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/usr/bin/env bash

#
# Copyright (c) 2021-2022 Project CHIP Authors
# Copyright (c) 2021-2023 Project CHIP Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -340,6 +340,59 @@ cert_lifetime=4294967295
"$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
}

# Set #8:
# - Generate DACs with CRL Distribution Point (CDP) Extensions (Valid and Invalid cases)
{
vid=FFF1
pid=8000
dac=0000

pai_key_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Key"
pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Cert"

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Cert"

cdp_example="URI:http://example.com/crl.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTP)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Cert"

cdp_example="URI:https://example.com/crl.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTPS)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Cert"

cdp_example2="URI:http://example.com/crl2.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac Two CDPs" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --cpd-ext "$cdp_example2" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Cert"

cdp_example2in1="URI:http://example.com/crl.pem,URI:http://example.com/crl2.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (Two URIs)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example2in1" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Cert"

cdp_example="URI:https://example.com/this-is-an-example-of-crl-distribution-point-extension-which-is-101-chars/crl.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem

dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Key"
dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Cert"

cdp_example="URI:www.example.com/crl.pem"

"$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
}

# In addition to PEM format also create certificates in DER form.
for cert_file_pem in "$dest_dir"/*Cert.pem; do
cert_file_der="${cert_file_pem/.pem/.der}"
Expand All @@ -357,7 +410,7 @@ if [ ! -z "$output_cstyle_file" ]; then

copyright_note='/*
*
* Copyright (c) 2021-2022 Project CHIP Authors
* Copyright (c) 2021-2023 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
Expand All @@ -380,6 +433,8 @@ if [ ! -z "$output_cstyle_file" ]; then
'
header_includes='
#pragma once
#include <lib/support/Span.h>
'

namespaces_open='
Expand Down
Loading

0 comments on commit 2272792

Please sign in to comment.