-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
da_revocation: align the revocation set generation algorithm with spec changes #36225
base: master
Are you sure you want to change the base?
da_revocation: align the revocation set generation algorithm with spec changes #36225
Conversation
Review changes with SemanticDiff. Analyzed 1 of 1 files. Overall, the semantic diff is 18% smaller than the GitHub diff.
|
PR #36225: Size comparison from 75d7e6b to 7b138c4 Full report (44 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, nrfconnect, psoc6, qpg, stm32, telink, tizen)
|
PR #36225: Size comparison from 75d7e6b to c4a854b Full report (68 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
@@ -91,6 +91,101 @@ def parse_vid_pid_from_distinguished_name(distinguished_name): | |||
return vid, pid | |||
|
|||
|
|||
def get_akid(cert: x509.Certificate) -> bytes: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you are catching the exception, the bytes
output should be optional here.
# No point in creating an entry which has no revoked serial numbers | ||
if len(serialnumber_list) == 0: | ||
continue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's generate 1 set for each, even if empty.
# will raise an exception if signature is invalid | ||
try: | ||
root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)) | ||
except Exception: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is too wide of an exception. Please catch the exception that the verification fails with.
@@ -91,6 +91,101 @@ def parse_vid_pid_from_distinguished_name(distinguished_name): | |||
return vid, pid | |||
|
|||
|
|||
def get_akid(cert: x509.Certificate) -> bytes: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
->
Optional[bytes]`
Requires from typing import Optional
try: | ||
return cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_KEY_IDENTIFIER).value.key_identifier | ||
except Exception: | ||
return None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please log in all exceptions what happened to help assist debugging.
return None | ||
|
||
|
||
def get_skid(cert: x509.Certificate) -> bytes: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, missing optional.
There has been some updates to the revocation set generation algorithm in https://github.com/CHIP-Specifications/connectedhomeip-spec/issues/10308.
Add some helper function to interact with certificates.
Tests
Locally tested