CHIP credential serialization (#6400)

* CHIP certificate value changes * Addressed review comments, removed TODOs and ExtractPubKey method * Added 2 new tests: - Test OperationalCredentialSet Serialization - Test new method for retrieving Certificate CHIP ID * Fix CI builds * Update with bzbarsky-apple's suggestions, document lifetime assumption * Additional documentation, moved serializable objects to .data in order to avoid stack limitations * Cleanup old code remnants, size check for optional CA certificate * Sync with master, CHIPCert updates Co-authored-by: Boris Itkis <[email protected]>
project-chip · Aug 5, 2021 · 2305896 · 2305896
1 parent 232c81e
commit 2305896
Show file tree

Hide file tree

Showing 6 changed files with 270 additions and 4 deletions.
diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -156,13 +156,13 @@ CHIP_ERROR ChipCertificateSet::LoadCert(const uint8_t * chipCert, uint32_t chipC
     err = reader.Next(kTLVType_Structure, ProfileTag(Protocols::OpCredentials::Id.ToTLVProfileId(), kTag_ChipCertificate));
     SuccessOrExit(err);
 
-    err = LoadCert(reader, decodeFlags);
+    err = LoadCert(reader, decodeFlags, ByteSpan(chipCert, chipCertLen));
 
 exit:
     return err;
 }
 
-CHIP_ERROR ChipCertificateSet::LoadCert(TLVReader & reader, BitFlags<CertDecodeFlags> decodeFlags)
+CHIP_ERROR ChipCertificateSet::LoadCert(TLVReader & reader, BitFlags<CertDecodeFlags> decodeFlags, ByteSpan chipCert)
 {
     ASN1Writer writer; // ASN1Writer is used to encode TBS portion of the certificate for the purpose of signature
                        // validation, which should be performed on the TBS data encoded in ASN.1 DER form.
@@ -172,6 +172,8 @@ CHIP_ERROR ChipCertificateSet::LoadCert(TLVReader & reader, BitFlags<CertDecodeF
     // Must be positioned on the structure element representing the certificate.
     VerifyOrReturnError(reader.GetType() == kTLVType_Structure, CHIP_ERROR_INVALID_ARGUMENT);
 
+    cert.mCertificate = chipCert;
+
     {
         TLVType containerType;
 
@@ -776,6 +778,32 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const
     return err;
 }
 
+CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const
+{
+    uint8_t rdnCount = RDNCount();
+
+    chipId = 0;
+
+    for (uint8_t i = 0; i < rdnCount; i++)
+    {
+        switch (rdn[i].mAttrOID)
+        {
+        case kOID_AttributeType_ChipRootId:
+        case kOID_AttributeType_ChipICAId:
+        case kOID_AttributeType_ChipNodeId:
+        case kOID_AttributeType_ChipFirmwareSigningId:
+            VerifyOrReturnError(chipId == 0, CHIP_ERROR_WRONG_CERT_TYPE);
+
+            chipId = rdn[i].mAttrValue.mChipVal;
+            break;
+        default:
+            break;
+        }
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 bool ChipDN::IsEqual(const ChipDN & other) const
 {
     bool res         = true;

diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
@@ -251,6 +251,15 @@ class ChipDN
      **/
     CHIP_ERROR GetCertType(uint8_t & certType) const;
 
+    /**
+     * @brief Retrieve the ID of a CHIP certificate.
+     *
+     * @param certId  A reference to the certificate ID value.
+     *
+     * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+     **/
+    CHIP_ERROR GetCertChipId(uint64_t & chipId) const;
+
     bool IsEqual(const ChipDN & other) const;
 
     /**
@@ -301,6 +310,7 @@ struct ChipCertificateData
     void Clear();
     bool IsEqual(const ChipCertificateData & other) const;
 
+    ByteSpan mCertificate;                      /**< Original raw buffer data. */
     ChipDN mSubjectDN;                          /**< Certificate Subject DN. */
     ChipDN mIssuerDN;                           /**< Certificate Issuer DN. */
     CertificateKeyId mSubjectKeyId;             /**< Certificate Subject public key identifier. */
@@ -433,10 +443,12 @@ class DLL_EXPORT ChipCertificateSet
      *
      * @param reader       A TLVReader positioned at the CHIP certificate TLV structure.
      * @param decodeFlags  Certificate decoding option flags.
+     * @param chipCert     Buffer containing certificate encoded on CHIP format. It is required that this CHIP certificate
+     *                     in chipCert ByteSpan stays valid while the certificate data in the set is used.
      *
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR LoadCert(chip::TLV::TLVReader & reader, BitFlags<CertDecodeFlags> decodeFlags);
+    CHIP_ERROR LoadCert(chip::TLV::TLVReader & reader, BitFlags<CertDecodeFlags> decodeFlags, ByteSpan chipCert = ByteSpan());
 
     /**
      * @brief Load CHIP certificates into set.

diff --git a/src/credentials/CHIPOperationalCredentials.cpp b/src/credentials/CHIPOperationalCredentials.cpp
@@ -30,10 +30,14 @@
 #include <credentials/CHIPOperationalCredentials.h>
 #include <support/CHIPMem.h>
 #include <support/CodeUtils.h>
+#include <support/SafeInt.h>
 
 namespace chip {
 namespace Credentials {
 
+static constexpr size_t kOperationalCertificatesMax          = 3;
+static constexpr size_t kOperationalCertificateDecodeBufSize = 1024;
+
 using namespace chip::Crypto;
 
 CHIP_ERROR OperationalCredentialSet::Init(uint8_t maxCertsArraySize)
@@ -266,6 +270,83 @@ CHIP_ERROR OperationalCredentialSet::SetDevOpCredKeypair(const CertificateKeyId
     return CHIP_NO_ERROR;
 }
 
+CHIP_ERROR OperationalCredentialSet::ToSerializable(const CertificateKeyId & trustedRootId,
+                                                    OperationalCredentialSerializable & serializable)
+{
+    const NodeCredential * nodeCredential = GetNodeCredentialAt(trustedRootId);
+    P256Keypair * keypair                 = GetNodeKeypairAt(trustedRootId);
+    P256SerializedKeypair serializedKeypair;
+    ChipCertificateSet * certificateSet  = FindCertSet(trustedRootId);
+    const ChipCertificateData * dataSet  = nullptr;
+    uint8_t * ptrSerializableCerts[]     = { serializable.mRootCertificate, serializable.mCACertificate };
+    uint16_t * ptrSerializableCertsLen[] = { &serializable.mRootCertificateLen, &serializable.mCACertificateLen };
+
+    VerifyOrReturnError(certificateSet != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
+    ReturnErrorOnFailure(keypair->Serialize(serializedKeypair));
+    VerifyOrReturnError(serializedKeypair.Length() <= sizeof(serializable.mNodeKeypair), CHIP_ERROR_INVALID_ARGUMENT);
+
+    dataSet = certificateSet->GetCertSet();
+    VerifyOrReturnError(dataSet != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
+
+    memset(&serializable, 0, sizeof(serializable));
+    serializable.mNodeCredentialLen = nodeCredential->mLen;
+
+    memcpy(serializable.mNodeCredential, nodeCredential->mCredential, nodeCredential->mLen);
+    memcpy(serializable.mNodeKeypair, serializedKeypair, serializedKeypair.Length());
+    serializable.mNodeKeypairLen = static_cast<uint16_t>(serializedKeypair.Length());
+
+    for (uint8_t i = 0; i < certificateSet->GetCertCount(); ++i)
+    {
+        VerifyOrReturnError(CanCastTo<uint16_t>(dataSet[i].mCertificate.size()), CHIP_ERROR_INTERNAL);
+        memcpy(ptrSerializableCerts[i], dataSet[i].mCertificate.data(), dataSet[i].mCertificate.size());
+        *ptrSerializableCertsLen[i] = static_cast<uint16_t>(dataSet[i].mCertificate.size());
+    }
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR OperationalCredentialSet::FromSerializable(const OperationalCredentialSerializable & serializable)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+
+    P256Keypair keypair;
+    P256SerializedKeypair serializedKeypair;
+    ChipCertificateSet certificateSet;
+    CertificateKeyId trustedRootId;
+
+    SuccessOrExit(err = certificateSet.Init(kOperationalCertificatesMax, kOperationalCertificateDecodeBufSize));
+
+    err = certificateSet.LoadCert(serializable.mRootCertificate, serializable.mRootCertificateLen,
+                                  BitFlags<CertDecodeFlags>(CertDecodeFlags::kIsTrustAnchor));
+    SuccessOrExit(err);
+
+    trustedRootId.mId  = certificateSet.GetLastCert()->mAuthKeyId.mId;
+    trustedRootId.mLen = certificateSet.GetLastCert()->mAuthKeyId.mLen;
+
+    if (serializable.mCACertificateLen != 0)
+    {
+        err = certificateSet.LoadCert(serializable.mCACertificate, serializable.mCACertificateLen,
+                                      BitFlags<CertDecodeFlags>(CertDecodeFlags::kGenerateTBSHash));
+        SuccessOrExit(err);
+    }
+
+    LoadCertSet(&certificateSet);
+
+    memcpy(serializedKeypair, serializable.mNodeKeypair, serializable.mNodeKeypairLen);
+    SuccessOrExit(err = serializedKeypair.SetLength(serializable.mNodeKeypairLen));
+
+    SuccessOrExit(err = keypair.Deserialize(serializedKeypair));
+
+    SuccessOrExit(err = SetDevOpCredKeypair(trustedRootId, &keypair));
+
+    SuccessOrExit(err = SetDevOpCred(trustedRootId, serializable.mNodeCredential, serializable.mNodeCredentialLen));
+
+exit:
+    certificateSet.Release();
+
+    return err;
+}
+
 const NodeCredential * OperationalCredentialSet::GetNodeCredentialAt(const CertificateKeyId & trustedRootId) const
 {
     for (size_t i = 0; i < kOperationalCredentialsMax && mChipDeviceCredentials[i].nodeCredential.mCredential != nullptr; ++i)

diff --git a/src/credentials/CHIPOperationalCredentials.h b/src/credentials/CHIPOperationalCredentials.h
@@ -35,7 +35,8 @@
 namespace chip {
 namespace Credentials {
 
-static constexpr size_t kOperationalCredentialsMax = 5;
+static constexpr size_t kOperationalCredentialsMax     = 5;
+static constexpr size_t kOperationalCertificateMaxSize = 400;
 
 using namespace Crypto;
 
@@ -45,6 +46,18 @@ struct NodeCredential
     uint16_t mLen         = 0;
 };
 
+struct OperationalCredentialSerializable
+{
+    uint16_t mNodeCredentialLen;
+    uint8_t mNodeCredential[kOperationalCertificateMaxSize];
+    uint16_t mNodeKeypairLen;
+    uint8_t mNodeKeypair[kP256_PublicKey_Length + kP256_PrivateKey_Length];
+    uint16_t mRootCertificateLen;
+    uint8_t mRootCertificate[kOperationalCertificateMaxSize];
+    uint16_t mCACertificateLen;
+    uint8_t mCACertificate[kOperationalCertificateMaxSize];
+};
+
 struct NodeCredentialMap
 {
     CertificateKeyId trustedRootId;
@@ -219,6 +232,23 @@ class DLL_EXPORT OperationalCredentialSet
     CHIP_ERROR SetDevOpCred(const CertificateKeyId & trustedRootId, const uint8_t * chipDeviceCredentials,
                             uint16_t chipDeviceCredentialsLen);
 
+    /**
+     *  @brief
+     *    Serialize the OperationalCredentialSet indexed by a TrustedRootID to the given serializable data structure
+     *
+     *    This method must be called while the OperationalCredentialSet class is valid (After Init and before Release)
+     */
+    CHIP_ERROR ToSerializable(const CertificateKeyId & trustedRootId, OperationalCredentialSerializable & output);
+
+    /**
+     *  @brief
+     *    Reconstruct OperationalCredentialSet class from the serializable data structure.
+     *
+     *    This method must be called after initializing the OperationalCredentialSet class with internal allocation.
+     *    No references/pointers to the input parameter are made. The input parameter can be freed after calling this method.
+     */
+    CHIP_ERROR FromSerializable(const OperationalCredentialSerializable & input);
+
     P256Keypair & GetDevOpCredKeypair(const CertificateKeyId & trustedRootId) { return *GetNodeKeypairAt(trustedRootId); }
 
     CHIP_ERROR SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair);

diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp
@@ -639,6 +639,52 @@ static void TestChipCert_CertType(nlTestSuite * inSuite, void * inContext)
     }
 }
 
+static void TestChipCert_CertId(nlTestSuite * inSuite, void * inContext)
+{
+    CHIP_ERROR err;
+    ChipCertificateSet certSet;
+
+    struct TestCase
+    {
+        uint8_t Cert;
+        uint64_t ExpectedCertId;
+    };
+
+    // clang-format off
+    static TestCase sTestCases[] = {
+        // Cert                        ExpectedCertId
+        // =============================================================
+        {  TestCert::kRoot01,          0xCACACACA00000001 },
+        {  TestCert::kRoot02,          0xCACACACA00000002 },
+        {  TestCert::kICA01,           0xCACACACA00000003 },
+        {  TestCert::kICA02,           0xCACACACA00000004 },
+        {  TestCert::kICA01_1,         0xCACACACA00000005 },
+        {  TestCert::kFWSign01,        0xFFFFFFFF00000001 },
+        {  TestCert::kNode01_01,       0xDEDEDEDE00010001 },
+        {  TestCert::kNode01_02,       0xDEDEDEDE00010002 },
+        {  TestCert::kNode02_01,       0xDEDEDEDE00020001 },
+        {  TestCert::kNode02_02,       0xDEDEDEDE00020002 },
+    };
+    // clang-format on
+    static const size_t sNumTestCases = sizeof(sTestCases) / sizeof(sTestCases[0]);
+
+    for (unsigned i = 0; i < sNumTestCases; i++)
+    {
+        const TestCase & testCase = sTestCases[i];
+        uint64_t chipId;
+
+        // Initialize the certificate set and load the test certificate.
+        certSet.Init(1, kTestCertBufSize);
+        err = LoadTestCert(certSet, testCase.Cert, sNullLoadFlag, sNullDecodeFlag);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        err = certSet.GetCertSet()->mSubjectDN.GetCertChipId(chipId);
+        NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+        NL_TEST_ASSERT(inSuite, chipId == testCase.ExpectedCertId);
+    }
+}
+
 static void TestChipCert_LoadDuplicateCerts(nlTestSuite * inSuite, void * inContext)
 {
     CHIP_ERROR err;
@@ -963,6 +1009,7 @@ static const nlTest sTests[] = {
     NL_TEST_DEF("Test CHIP Certificate Validation time", TestChipCert_CertValidTime),
     NL_TEST_DEF("Test CHIP Certificate Usage", TestChipCert_CertUsage),
     NL_TEST_DEF("Test CHIP Certificate Type", TestChipCert_CertType),
+    NL_TEST_DEF("Test CHIP Certificate ID", TestChipCert_CertId),
     NL_TEST_DEF("Test Loading Duplicate Certificates", TestChipCert_LoadDuplicateCerts),
     NL_TEST_DEF("Test CHIP Generate Root Certificate", TestChipCert_GenerateRootCert),
     NL_TEST_DEF("Test CHIP Generate Root Certificate with Fabric", TestChipCert_GenerateRootFabCert),