diff --git a/src/app/tests/suites/credentials/TestHarnessDACProvider.cpp b/src/app/tests/suites/credentials/TestHarnessDACProvider.cpp index ebec0ec010ec7f..56b1b0edf8ef06 100644 --- a/src/app/tests/suites/credentials/TestHarnessDACProvider.cpp +++ b/src/app/tests/suites/credentials/TestHarnessDACProvider.cpp @@ -112,10 +112,7 @@ bool ReadValue(Json::Value jsonValue) { return true; } - else - { - return false; - } + return false; } // TODO: This should be moved to a method of P256Keypair diff --git a/src/credentials/tests/TestCommissionerDUTVectors.cpp b/src/credentials/tests/TestCommissionerDUTVectors.cpp index d841151a9b4bc8..99a586d1b5b5b8 100644 --- a/src/credentials/tests/TestCommissionerDUTVectors.cpp +++ b/src/credentials/tests/TestCommissionerDUTVectors.cpp @@ -157,11 +157,6 @@ static void TestCommissionerDUTVectors(nlTestSuite * inSuite, void * inContext) isSuccessCase = true; } - if (!isSuccessCase && (attestationResult == AttestationVerificationResult::kSuccess)) - { - fprintf(stderr, "DEBUG PRINT 02: %s\n", jsonFilePath.c_str()); - } - if (isSuccessCase) { NL_TEST_ASSERT(inSuite, attestationResult == AttestationVerificationResult::kSuccess); diff --git a/src/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/crypto/CHIPCryptoPALTinyCrypt.cpp index 2697985182360d..3af44e91c933bc 100644 --- a/src/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -1155,7 +1155,7 @@ CHIP_ERROR IsCertificateValidAtIssuance(const mbedtls_x509_crt * candidateCertif return CHIP_NO_ERROR; } -static int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, int depth, uint32_t * flags) +int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, int depth, uint32_t * flags) { mbedtls_x509_crt * leafCert = reinterpret_cast(data); mbedtls_x509_crt * issuerCert = crt; 
@@ -1172,6 +1172,24 @@ static int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, i return 0; } + +constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; +constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; +constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; +constexpr uint8_t sOID_SigAlgo_ECDSAWithSHA256[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02 }; +constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }; +constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F }; +constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; +constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; + +/** + * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid). + */ +#define OID_CMP(oid, oidBuf) \ + ((MBEDTLS_ASN1_OID == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(tag)) && \ + (sizeof(oid) == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) && \ + (memcmp((oid), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(p), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) == 0)) + #endif // defined(MBEDTLS_X509_CRT_PARSE_C) } // anonymous namespace 
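Review bot: `OID_CMP` is a function-like macro that evaluates `oidBuf` three times and silently accepts a pointer for `oid` (`sizeof` would then be the pointer size), so a small template taking an array reference gives the same tag-then-length-then-memcmp semantics with type checking; the fence below shows the replacement, and call sites keep the same argument order. The length check ahead of `memcmp` is what keeps this safe against short buffers, and since none of the reference arrays is empty a DN entry or extension with `len == 0` never reaches `memcmp` — that property is worth stating in the comment, as it is what the `ExtractVIDPIDFromX509Cert` hunk relies on after dropping its null-pointer guard. The same eight `sOID_*` constants and the macro are added verbatim again in the mbedTLS (-1313) and EFR32 (-1299) hunks; a shared internal header would keep the three copies from drifting apart.
```cpp
/**
 * Compares a parsed ASN.1 OID (oidBuf) against a reference OID given as a byte array.
 * oidBuf.p is only read when the tag is OID and len equals the reference length, so a
 * zero-length or unparsed buffer is never dereferenced.
 */
template <size_t N>
bool OidEquals(const uint8_t (&oid)[N], const mbedtls_x509_buf & oidBuf)
{
    return (MBEDTLS_ASN1_OID == oidBuf.CHIP_CRYPTO_PAL_PRIVATE_X509(tag)) &&
        (N == oidBuf.CHIP_CRYPTO_PAL_PRIVATE_X509(len)) && (memcmp(oid, oidBuf.CHIP_CRYPTO_PAL_PRIVATE_X509(p), N) == 0);
}
```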
@@ -1198,10 +1216,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation // "version" value is 1 higher than the actual encoded value. VerifyOrExit(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(version) - 1 == 2, error = CHIP_ERROR_INTERNAL); - // Verify signature algorithms is ECDSA_WITH_SHA256. - p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - len = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - VerifyOrExit((strlen(MBEDTLS_OID_ECDSA_SHA256) == len) && (memcmp(MBEDTLS_OID_ECDSA_SHA256, p, len) == 0), + // Verify signature algorithms is ECDSA with SHA256. + VerifyOrExit(OID_CMP(sOID_SigAlgo_ECDSAWithSHA256, mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid)), error = CHIP_ERROR_INTERNAL); // Verify public key presence and format. @@ -1219,7 +1235,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { mbedtls_x509_buf extOID = { 0, 0, nullptr }; int extCritical = 0; - int extType = 0; result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); @@ -1241,8 +1256,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); - mbedtls_oid_get_x509_ext_type(&extOID, &extType); - if (extType == MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) + if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { int isCA = 0; int pathLen = -1; @@ -1278,7 +1292,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } - else if (extType == MBEDTLS_X509_EXT_KEY_USAGE) + else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) { mbedtls_x509_bitstring bs = { 0, 0, nullptr }; unsigned int keyUsage = 0; 
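Review bot: The new `OID_CMP(sOID_Extension_BasicConstraints, extOID)` and `OID_CMP(sOID_Extension_KeyUsage, extOID)` tests in the -1241 and -1278 hunks only match when `extOID.tag == MBEDTLS_ASN1_OID`, but `extOID` is initialised to `{ 0, 0, nullptr }` in the -1219 hunk and the lines that fill it from the parsed extension are outside the visible hunks; if that code sets only `len` and `p` (all the removed `mbedtls_oid_get_x509_ext_type` path needed), both branches become dead and the CA/pathLen and key-usage checks silently stop running. Please confirm the tag is assigned where the extension OID is read, e.g. `extOID.CHIP_CRYPTO_PAL_PRIVATE_X509(tag) = MBEDTLS_ASN1_OID;`, or build the buffer explicitly as the -1558 hunk does. The mbedTLS (-1339/-1382/-1419) and EFR32 (-1321/-1364/-1401) copies of VerifyAttestationCertificateFormat make the identical change. A test certificate with BasicConstraints absent or marked non-CA would catch a silent mismatch here. VerifyAttestationCertificateFormat begins and ends outside these hunks.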
@@ -1528,14 +1542,11 @@ namespace { CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate, MutableByteSpan & kid) { #if defined(MBEDTLS_X509_CRT_PARSE_C) - CHIP_ERROR error = CHIP_NO_ERROR; + CHIP_ERROR error = CHIP_ERROR_NOT_FOUND; mbedtls_x509_crt mbed_cert; - unsigned char * p; - const unsigned char * end; - size_t len; - - constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; - constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; + unsigned char * p = nullptr; + const unsigned char * end = nullptr; + size_t len = 0; mbedtls_x509_crt_init(&mbed_cert); @@ -1558,10 +1569,9 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); - bool extractCurrentExtSKID = extractSKID && (sizeof(sOID_Extension_SubjectKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_SubjectKeyIdentifier, len) == 0); - bool extractCurrentExtAKID = !extractSKID && (sizeof(sOID_Extension_AuthorityKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_AuthorityKeyIdentifier, len) == 0); + mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p }; + bool extractCurrentExtSKID = extractSKID && OID_CMP(sOID_Extension_SubjectKeyIdentifier, extOID); + bool extractCurrentExtAKID = !extractSKID && OID_CMP(sOID_Extension_AuthorityKeyIdentifier, extOID); p += len; int is_critical = 0; 
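Review bot: Initialising `error` to `CHIP_ERROR_NOT_FOUND` in the -1528 hunk changes the contract of ExtractKIDFromX509Cert: a certificate carrying no SKID/AKID extension now fails instead of returning CHIP_NO_ERROR with `kid` left untouched, presumably because `error` is cleared only on the matching branch, which is outside the hunk. That is the right hardening — a caller can no longer mistake an empty key identifier for a verified one — but it is undocumented; I would add above the function `// Returns CHIP_ERROR_NOT_FOUND when the certificate has no Subject/Authority Key Identifier extension.` and mirror it on the public AKID/SKID wrappers. The EFR32 copy makes the identical change in its -1709 hunk; the mbedTLS copy's -1679 hunk starts below the initialiser, so I cannot tell whether it agrees. In the -1558 hunk, `mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };` makes the macro's tag check trivially true, which is fine but deserves a one-line comment. The function body continues outside both hunks.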
@@ -1627,10 +1637,6 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCertVidPid & vidpid) { #if defined(MBEDTLS_X509_CRT_PARSE_C) - constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; - constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; - constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; - CHIP_ERROR error = CHIP_NO_ERROR; mbedtls_x509_crt mbed_cert; mbedtls_asn1_named_data * dnIterator = nullptr; 
@@ -1644,32 +1650,24 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe for (dnIterator = &mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(subject); dnIterator != nullptr; dnIterator = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(next)) { - size_t oid_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * oid_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - - if (oid_p != nullptr && val_p != nullptr) + DNAttrType attrType = DNAttrType::kUnspecified; + if (OID_CMP(sOID_AttributeType_CommonName, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) { - DNAttrType attrType = DNAttrType::kUnspecified; - if ((oid_len == sizeof(sOID_AttributeType_CommonName)) && (memcmp(sOID_AttributeType_CommonName, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kCommonName; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterVendorId)) && - (memcmp(sOID_AttributeType_MatterVendorId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterVID; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterProductId)) && - (memcmp(sOID_AttributeType_MatterProductId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterPID; - } - - error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); - SuccessOrExit(error); + attrType = DNAttrType::kCommonName; } + else if (OID_CMP(sOID_AttributeType_MatterVendorId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterVID; + } + else if (OID_CMP(sOID_AttributeType_MatterProductId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterPID; + } + + size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); + 
uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); + error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); + SuccessOrExit(error); } // If Matter Attributes were not found use values extracted from the CN Attribute, diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index a50ba75c22e55b..d1b3d2940a1564 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1296,7 +1296,7 @@ CHIP_ERROR IsCertificateValidAtIssuance(const mbedtls_x509_crt * candidateCertif return CHIP_NO_ERROR; } -static int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, int depth, uint32_t * flags) +int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, int depth, uint32_t * flags) { mbedtls_x509_crt * leafCert = reinterpret_cast(data); mbedtls_x509_crt * issuerCert = crt; 
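Review bot: The -1644 hunk drops the `if (oid_p != nullptr && val_p != nullptr)` guard, so every subject DN entry — including one classified as kUnspecified — now reaches `ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN)`. That is safe only because `OID_CMP` compares `len` against the non-empty reference arrays before calling `memcmp`, so a null `oid.p` on an empty entry is never dereferenced, and because the callee must treat kUnspecified with a possibly empty span as a successful no-op; neither is visible in the hunk, so please confirm the latter and record the former with a comment at the top of the loop body, e.g. `// OID_CMP only reads oid.p once len matches a non-empty reference OID, so an empty DN entry is simply left kUnspecified.` The mbedTLS (-1790) and EFR32 (-1825) hunks make the same change. ExtractVIDPIDFromX509Cert begins and ends outside this hunk.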
@@ -1313,6 +1313,24 @@ static int CallbackForCustomValidityCheck(void * data, mbedtls_x509_crt * crt, i return 0; } + +constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; +constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; +constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; +constexpr uint8_t sOID_SigAlgo_ECDSAWithSHA256[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02 }; +constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }; +constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F }; +constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; +constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; + +/** + * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid). + */ +#define OID_CMP(oid, oidBuf) \ + ((MBEDTLS_ASN1_OID == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(tag)) && \ + (sizeof(oid) == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) && \ + (memcmp((oid), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(p), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) == 0)) + #endif // defined(MBEDTLS_X509_CRT_PARSE_C) } // anonymous namespace 
@@ -1339,10 +1357,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation // "version" value is 1 higher than the actual encoded value. VerifyOrExit(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(version) - 1 == 2, error = CHIP_ERROR_INTERNAL); - // Verify signature algorithms is ECDSA_WITH_SHA256. - p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - len = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - VerifyOrExit((strlen(MBEDTLS_OID_ECDSA_SHA256) == len) && (memcmp(MBEDTLS_OID_ECDSA_SHA256, p, len) == 0), + // Verify signature algorithms is ECDSA with SHA256. + VerifyOrExit(OID_CMP(sOID_SigAlgo_ECDSAWithSHA256, mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid)), error = CHIP_ERROR_INTERNAL); // Verify public key presence and format. @@ -1360,7 +1376,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { mbedtls_x509_buf extOID = { 0, 0, nullptr }; int extCritical = 0; - int extType = 0; result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); @@ -1382,8 +1397,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); - mbedtls_oid_get_x509_ext_type(&extOID, &extType); - if (extType == MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) + if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { int isCA = 0; int pathLen = -1; @@ -1419,7 +1433,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } - else if (extType == MBEDTLS_X509_EXT_KEY_USAGE) + else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) { mbedtls_x509_bitstring bs = { 0, 0, nullptr }; unsigned int keyUsage = 0; 
@@ -1679,9 +1693,6 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate const unsigned char * end = nullptr; size_t len = 0; - constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; - constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; - mbedtls_x509_crt_init(&mbed_cert); int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size()); @@ -1703,10 +1714,9 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); - bool extractCurrentExtSKID = extractSKID && (sizeof(sOID_Extension_SubjectKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_SubjectKeyIdentifier, len) == 0); - bool extractCurrentExtAKID = !extractSKID && (sizeof(sOID_Extension_AuthorityKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_AuthorityKeyIdentifier, len) == 0); + mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p }; + bool extractCurrentExtSKID = extractSKID && OID_CMP(sOID_Extension_SubjectKeyIdentifier, extOID); + bool extractCurrentExtAKID = !extractSKID && OID_CMP(sOID_Extension_AuthorityKeyIdentifier, extOID); p += len; int is_critical = 0; 
@@ -1773,10 +1783,6 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCertVidPid & vidpid) { #if defined(MBEDTLS_X509_CRT_PARSE_C) - constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; - constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; - constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; - CHIP_ERROR error = CHIP_NO_ERROR; mbedtls_x509_crt mbed_cert; mbedtls_asn1_named_data * dnIterator = nullptr; 
@@ -1790,32 +1796,24 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe for (dnIterator = &mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(subject); dnIterator != nullptr; dnIterator = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(next)) { - size_t oid_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * oid_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - - if (oid_p != nullptr && val_p != nullptr) + DNAttrType attrType = DNAttrType::kUnspecified; + if (OID_CMP(sOID_AttributeType_CommonName, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) { - DNAttrType attrType = DNAttrType::kUnspecified; - if ((oid_len == sizeof(sOID_AttributeType_CommonName)) && (memcmp(sOID_AttributeType_CommonName, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kCommonName; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterVendorId)) && - (memcmp(sOID_AttributeType_MatterVendorId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterVID; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterProductId)) && - (memcmp(sOID_AttributeType_MatterProductId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterPID; - } - - error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); - SuccessOrExit(error); + attrType = DNAttrType::kCommonName; + } + else if (OID_CMP(sOID_AttributeType_MatterVendorId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterVID; + } + else if (OID_CMP(sOID_AttributeType_MatterProductId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterPID; } + + size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); + 
uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); + error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); + SuccessOrExit(error); } // If Matter Attributes were not found use values extracted from the CN Attribute, diff --git a/src/platform/EFR32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/EFR32/CHIPCryptoPALPsaEfr32.cpp index a2fa544d4cf73a..478ee5ba603d33 100644 --- a/src/platform/EFR32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/EFR32/CHIPCryptoPALPsaEfr32.cpp @@ -1299,6 +1299,23 @@ CHIP_ERROR Spake2p_P256_SHA256_HKDF_HMAC::PointIsValid(void * R) return CHIP_NO_ERROR; } +constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; +constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; +constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; +constexpr uint8_t sOID_SigAlgo_ECDSAWithSHA256[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02 }; +constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }; +constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F }; +constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; +constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; + +/** + * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid). + */ +#define OID_CMP(oid, oidBuf) \ + ((MBEDTLS_ASN1_OID == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(tag)) && \ + (sizeof(oid) == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) && \ + (memcmp((oid), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(p), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) == 0)) + CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, AttestationCertType certType) { #if defined(MBEDTLS_X509_CRT_PARSE_C) 
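Review bot: The eight `sOID_*` constants and `OID_CMP` in the -1299 hunk are added at namespace scope ahead of `VerifyAttestationCertificateFormat` but outside its `#if defined(MBEDTLS_X509_CRT_PARSE_C)` block, unlike the TinyCrypt and mbedTLS hunks (-1172, -1313) where they sit inside that guard. In a configuration without MBEDTLS_X509_CRT_PARSE_C every one of the constants is unused, which clang reports under -Wunused-const-variable and which would break a -Werror build. Wrapping the block in `#if defined(MBEDTLS_X509_CRT_PARSE_C)` … `#endif // defined(MBEDTLS_X509_CRT_PARSE_C)` matches the other two files and keeps the three copies consistent.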
@@ -1321,10 +1338,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation // "version" value is 1 higher than the actual encoded value. VerifyOrExit(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(version) - 1 == 2, error = CHIP_ERROR_INTERNAL); - // Verify signature algorithms is ECDSA_WITH_SHA256. - p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - len = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - VerifyOrExit((strlen(MBEDTLS_OID_ECDSA_SHA256) == len) && (memcmp(MBEDTLS_OID_ECDSA_SHA256, p, len) == 0), + // Verify signature algorithms is ECDSA with SHA256. + VerifyOrExit(OID_CMP(sOID_SigAlgo_ECDSAWithSHA256, mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(sig_oid)), error = CHIP_ERROR_INTERNAL); // Verify public key presence and format. @@ -1342,7 +1357,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { mbedtls_x509_buf extOID = { 0, 0, nullptr }; int extCritical = 0; - int extType = 0; result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); @@ -1364,8 +1378,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); - mbedtls_oid_get_x509_ext_type(&extOID, &extType); - if (extType == MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) + if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { int isCA = 0; int pathLen = -1; @@ -1401,7 +1414,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } - else if (extType == MBEDTLS_X509_EXT_KEY_USAGE) + else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) { mbedtls_x509_bitstring bs = { 0, 0, nullptr }; unsigned int keyUsage = 0; 
@@ -1709,14 +1722,11 @@ namespace { CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate, MutableByteSpan & kid) { #if defined(MBEDTLS_X509_CRT_PARSE_C) - CHIP_ERROR error = CHIP_NO_ERROR; + CHIP_ERROR error = CHIP_ERROR_NOT_FOUND; mbedtls_x509_crt mbed_cert; - unsigned char * p; - const unsigned char * end; - size_t len; - - constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; - constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; + unsigned char * p = nullptr; + const unsigned char * end = nullptr; + size_t len = 0; mbedtls_x509_crt_init(&mbed_cert); @@ -1739,10 +1749,9 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); - bool extractCurrentExtSKID = extractSKID && (sizeof(sOID_Extension_SubjectKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_SubjectKeyIdentifier, len) == 0); - bool extractCurrentExtAKID = !extractSKID && (sizeof(sOID_Extension_AuthorityKeyIdentifier) == len) && - (memcmp(p, sOID_Extension_AuthorityKeyIdentifier, len) == 0); + mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p }; + bool extractCurrentExtSKID = extractSKID && OID_CMP(sOID_Extension_SubjectKeyIdentifier, extOID); + bool extractCurrentExtAKID = !extractSKID && OID_CMP(sOID_Extension_AuthorityKeyIdentifier, extOID); p += len; int is_critical = 0; 
@@ -1808,10 +1817,6 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCertVidPid & vidpid) { #if defined(MBEDTLS_X509_CRT_PARSE_C) - constexpr uint8_t sOID_AttributeType_CommonName[] = { 0x55, 0x04, 0x03 }; - constexpr uint8_t sOID_AttributeType_MatterVendorId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01 }; - constexpr uint8_t sOID_AttributeType_MatterProductId[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02 }; - CHIP_ERROR error = CHIP_NO_ERROR; mbedtls_x509_crt mbed_cert; mbedtls_asn1_named_data * dnIterator = nullptr; 
@@ -1825,32 +1830,24 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe for (dnIterator = &mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(subject); dnIterator != nullptr; dnIterator = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(next)) { - size_t oid_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * oid_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); - uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); - - if (oid_p != nullptr && val_p != nullptr) + DNAttrType attrType = DNAttrType::kUnspecified; + if (OID_CMP(sOID_AttributeType_CommonName, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) { - DNAttrType attrType = DNAttrType::kUnspecified; - if ((oid_len == sizeof(sOID_AttributeType_CommonName)) && (memcmp(sOID_AttributeType_CommonName, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kCommonName; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterVendorId)) && - (memcmp(sOID_AttributeType_MatterVendorId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterVID; - } - else if ((oid_len == sizeof(sOID_AttributeType_MatterProductId)) && - (memcmp(sOID_AttributeType_MatterProductId, oid_p, oid_len) == 0)) - { - attrType = DNAttrType::kMatterPID; - } - - error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); - SuccessOrExit(error); + attrType = DNAttrType::kCommonName; } + else if (OID_CMP(sOID_AttributeType_MatterVendorId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterVID; + } + else if (OID_CMP(sOID_AttributeType_MatterProductId, dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(oid))) + { + attrType = DNAttrType::kMatterPID; + } + + size_t val_len = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(len); + 
uint8_t * val_p = dnIterator->CHIP_CRYPTO_PAL_PRIVATE_X509(val).CHIP_CRYPTO_PAL_PRIVATE_X509(p); + error = ExtractVIDPIDFromAttributeString(attrType, ByteSpan(val_p, val_len), vidpid, vidpidFromCN); + SuccessOrExit(error); } // If Matter Attributes were not found use values extracted from the CN Attribute,