[crypto] Added Method That Finds and Replaces Resigned Version of a C…

…ertificate (project-chip#24212)

* [crypto] Added Method That Finds and Replaces Resigned Version of a Certificate.

This method checks for resigned version of the reference certificate in the list and returns it.

The following conditions SHOULD be satisfied for the certificate to qualify as
a resigned version of a reference certificate:
  - SKID of the candidate and the reference certificate should match.
  - SubjectDN of the candidate and the reference certificate should match.

There is no specific use case for this method in Matter. However, specific ecosystem
implementations may find this method useful.

Some of the potential use cases could be finding resigned version of a PAI or DAC certificate.

Also, this method can be useful when Matter introduces attestation certificate revocation mechanism.

* Updated function description.

credentials/test/attestation/Chip-Test-PAA-NoVID-ToResignPAIs-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVagAwIBAgIIfQAKFyO+3wYwCgYIKoZIzj0EAwIwKTEnMCUGA1UEAwwe
+TWF0dGVyIFRlc3QgUEFBIFRvIFJlc2lnbiBQQUlzMCAXDTIxMDYyODE0MjM0M1oY
+Dzk5OTkxMjMxMjM1OTU5WjApMScwJQYDVQQDDB5NYXR0ZXIgVGVzdCBQQUEgVG8g
+UmVzaWduIFBBSXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQQ7wKoGoe2gSH7
+qNMZePgHoxflCqioKERoKJFLkz3o7dSlw5yf9xpM42R/1/YmU7fSSV/LpMD0f4do
+gAOeByBKo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAd
+BgNVHQ4EFgQUeFznBbhrj05vx5OqYMtD6mlogtUwHwYDVR0jBBgwFoAUeFznBbhr
+j05vx5OqYMtD6mlogtUwCgYIKoZIzj0EAwIDSAAwRQIge2P1stiHl9JjsD+th707
+jIa88A+Zb6hz6P0vgGDCHW8CIQCS4Uyz9pfBj4yFTR9wVL5vGqvOzPPVngzSwnIM
+svDIdg==
+-----END CERTIFICATE-----

credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Resigned-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBzTCCAXOgAwIBAgIIYnLHqgoTIJ0wCgYIKoZIzj0EAwIwKTEnMCUGA1UEAwwe
+TWF0dGVyIFRlc3QgUEFBIFRvIFJlc2lnbiBQQUlzMCAXDTIxMDYyODE0MjM0M1oY
+Dzk5OTkxMjMxMjM1OTU5WjBGMRgwFgYDVQQDDA9NYXR0ZXIgVGVzdCBQQUkxFDAS
+BgorBgEEAYKifAIBDARGRkYyMRQwEgYKKwYBBAGConwCAgwEODAwMTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABCwGPCCLt88/idiccLJo3sLwrYkZLwIvlUetzHIq
+BoBpynI1YIO3JHcbIXZMskxXEbU+/of+T+C0cxQbzKEEso2jZjBkMBIGA1UdEwEB
+/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTQWptncaGjepvB
+nZXotduPQwC2OjAfBgNVHSMEGDAWgBR4XOcFuGuPTm/Hk6pgy0PqaWiC1TAKBggq
+hkjOPQQDAgNIADBFAiEAnw1UN+kJn4U4ylMO6J0qs2QkXOkrIcnKvseb1U0Y5hwC
+IHbQ5x/16FDq3QfUgx51RtF51uK22OHGF6xWpeyhVAI4
+-----END CERTIFICATE-----

credentials/test/attestation/Chip-Test-PAI-FFF2-8001-ResignedSKIDDiff-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBzDCCAXOgAwIBAgIITzzC3bEdxMswCgYIKoZIzj0EAwIwKTEnMCUGA1UEAwwe
+TWF0dGVyIFRlc3QgUEFBIFRvIFJlc2lnbiBQQUlzMCAXDTIxMDYyODE0MjM0M1oY
+Dzk5OTkxMjMxMjM1OTU5WjBGMRgwFgYDVQQDDA9NYXR0ZXIgVGVzdCBQQUkxFDAS
+BgorBgEEAYKifAIBDARGRkYyMRQwEgYKKwYBBAGConwCAgwEODAwMTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABKH6SCo8kvOkZmOc4zVxOLakyd1EdhaOx+xcRQgr
+3BvAbZuU00x53wXfxAsnEIBEC3qItDY4rEye5DnHQZwU3fqjZjBkMBIGA1UdEwEB
+/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTbd9JbY20EOKGS
+HEFSED7q4sQ7BzAfBgNVHSMEGDAWgBR4XOcFuGuPTm/Hk6pgy0PqaWiC1TAKBggq
+hkjOPQQDAgNHADBEAiAFHzA0Vv3rAf/95Hmf+7Q9bdFIZTSK1j+SusvKYMgcKQIg
+ERLDCvsqkvYALhR4OSA7Rdu4JVFhsP0M0F4MpMRwyPE=
+-----END CERTIFICATE-----

credentials/test/attestation/Chip-Test-PAI-FFF2-8001-ResignedSKIDDiff-Key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINGuYvtNswX+o4yj6UR0TRvAv/mUqHTcxfV6F/i1GFE1oAoGCCqGSM49
+AwEHoUQDQgAEofpIKjyS86RmY5zjNXE4tqTJ3UR2Fo7H7FxFCCvcG8Btm5TTTHnf
+Bd/ECycQgEQLeoi0NjisTJ7kOcdBnBTd+g==
+-----END EC PRIVATE KEY-----

credentials/test/attestation/Chip-Test-PAI-FFF2-8001-ResignedSubjectDiff-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAXygAwIBAgIIR+1jaCGXaTEwCgYIKoZIzj0EAwIwKTEnMCUGA1UEAwwe
+TWF0dGVyIFRlc3QgUEFBIFRvIFJlc2lnbiBQQUlzMCAXDTIxMDYyODE0MjM0M1oY
+Dzk5OTkxMjMxMjM1OTU5WjBPMSEwHwYDVQQDDBhNYXR0ZXIgVGVzdCBQQUkgUmVz
+aWduZWQxFDASBgorBgEEAYKifAIBDARGRkYyMRQwEgYKKwYBBAGConwCAgwEODAw
+MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCwGPCCLt88/idiccLJo3sLwrYkZ
+LwIvlUetzHIqBoBpynI1YIO3JHcbIXZMskxXEbU+/of+T+C0cxQbzKEEso2jZjBk
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTQ
+WptncaGjepvBnZXotduPQwC2OjAfBgNVHSMEGDAWgBR4XOcFuGuPTm/Hk6pgy0Pq
+aWiC1TAKBggqhkjOPQQDAgNIADBFAiEA6LLGEXBKVAZ5DMXIhzg4iQOcGO3yPV7i
+VRUOD/R178kCIH8NlJHm5pHAVcugsEpykHaiWC+zueMKFb7D0FzpES/8
+-----END CERTIFICATE-----

credentials/test/attestation/Chip-Test-PAI-FFF2-NoPID-Resigned-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtzCCAV2gAwIBAgIIXQpZwBdLO2UwCgYIKoZIzj0EAwIwKTEnMCUGA1UEAwwe
+TWF0dGVyIFRlc3QgUEFBIFRvIFJlc2lnbiBQQUlzMCAXDTIxMDYyODE0MjM0M1oY
+Dzk5OTkxMjMxMjM1OTU5WjAwMRgwFgYDVQQDDA9NYXR0ZXIgVGVzdCBQQUkxFDAS
+BgorBgEEAYKifAIBDARGRkYyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2L+T
+R5LPjq7awk/8lmyRdiD7ly+6uY7G1RMUoHrpjhoD+0GR0m4tEny5UnYhw26XOhhs
+VtDK2ZmwQcJwqbHLP6NmMGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAQYwHQYDVR0OBBYEFGE90Ic1XvCLrgHkxpqPxz2sjH39MB8GA1UdIwQYMBaA
+FHhc5wW4a49Ob8eTqmDLQ+ppaILVMAoGCCqGSM49BAMCA0gAMEUCIH5fn1//Bus5
+/xNPWu1/P5ZhP+Lxf097v1EkPipzU3D4AiEA7FR9eHPbRYDx6NjpLsrsJF2ICogX
+/NgcZ6j65JWO2oI=
+-----END CERTIFICATE-----

credentials/test/gen-test-attestation-certs.sh

@@ -309,6 +309,37 @@ cert_lifetime=4294967295
     "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from_1sec_before_in_future" --lifetime "$cert_lifetime_1year" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
 }
 
+# Set #7:
+#   - Generate new PAA to resign already generated PAIs
+{
+    vid=FFF2
+    pid=8001
+
+    paa_key_file="$dest_dir/Chip-Test-PAA-NoVID-Key"
+    paa_cert_file="$dest_dir/Chip-Test-PAA-NoVID-ToResignPAIs-Cert"
+
+    "$chip_cert_tool" gen-att-cert --type a --subject-cn "Matter Test PAA To Resign PAIs" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --key "$paa_key_file".pem --out "$paa_cert_file".pem
+
+    pai_key_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Key"
+    pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Resigned-Cert"
+
+    "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
+
+    pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-ResignedSubjectDiff-Cert"
+
+    "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI Resigned" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
+
+    pai_key_file="$dest_dir/Chip-Test-PAI-$vid-$pid-ResignedSKIDDiff-Key"
+    pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-ResignedSKIDDiff-Cert"
+
+    "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --out-key "$pai_key_file".pem --out "$pai_cert_file".pem
+
+    pai_key_file="$dest_dir/Chip-Test-PAI-$vid-NoPID-Key"
+    pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-NoPID-Resigned-Cert"
+
+    "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
+}
+
 # In addition to PEM format also create certificates in DER form.
 for cert_file_pem in "$dest_dir"/*Cert.pem; do
     cert_file_der="${cert_file_pem/.pem/.der}"
@@ -366,7 +397,7 @@ namespace TestCerts {
     printf "$header_includes" >>"$output_cstyle_file".h
     printf "$namespaces_open\n" >>"$output_cstyle_file".cpp
     printf "$namespaces_open\n" >>"$output_cstyle_file".h
-    for cert_file_pem in credentials/test/attestation/*Cert.pem; do
+    for cert_file_pem in "$dest_dir"/*Cert.pem; do
         params_prefix="${cert_file_pem/*Chip-Test/sTestCert}"
         params_prefix="${params_prefix//-/_}"
         params_prefix="${params_prefix/_Cert.pem/}"
@@ -387,24 +418,31 @@ namespace TestCerts {
             printf "};\n\n"
             printf "extern const ByteSpan ${params_prefix}_SKID = ByteSpan(${params_prefix}_SKID_Array);\n\n"
 
-            printf "// \${chip_root}/$key_file_pem\n\n"
+            # Print key data if present
+            if test -f "$key_file_pem"; then
+                printf "// \${chip_root}/$key_file_pem\n\n"
 
-            printf "constexpr uint8_t ${params_prefix}_PublicKey_Array[] = {\n"
-            openssl ec -text -noout -in "$key_file_pem" | sed '0,/pub:$/d' | sed '/ASN1 OID:/,$d' | sed 's/:/ /g' | sed 's/\</0x/g' | sed 's/\>/,/g' | sed "s/^[ \t]*/    /" | sed 's/ *$//'
-            printf "};\n\n"
-            printf "extern const ByteSpan ${params_prefix}_PublicKey = ByteSpan(${params_prefix}_PublicKey_Array);\n\n"
+                printf "constexpr uint8_t ${params_prefix}_PublicKey_Array[] = {\n"
+                openssl ec -text -noout -in "$key_file_pem" | sed '0,/pub:$/d' | sed '/ASN1 OID:/,$d' | sed 's/:/ /g' | sed 's/\</0x/g' | sed 's/\>/,/g' | sed "s/^[ \t]*/    /" | sed 's/ *$//'
+                printf "};\n\n"
+                printf "extern const ByteSpan ${params_prefix}_PublicKey = ByteSpan(${params_prefix}_PublicKey_Array);\n\n"
 
-            printf "constexpr uint8_t ${params_prefix}_PrivateKey_Array[] = {\n"
-            openssl ec -text -noout -in "$key_file_pem" | sed '0,/priv:$/d' | sed '/pub:/,$d' | sed 's/:/ /g' | sed 's/\</0x/g' | sed 's/\>/,/g' | sed "s/^[ \t]*/    /" | sed 's/ *$//'
-            printf "};\n\n"
-            printf "extern const ByteSpan ${params_prefix}_PrivateKey = ByteSpan(${params_prefix}_PrivateKey_Array);\n\n"
+                printf "constexpr uint8_t ${params_prefix}_PrivateKey_Array[] = {\n"
+                openssl ec -text -noout -in "$key_file_pem" | sed '0,/priv:$/d' | sed '/pub:/,$d' | sed 's/:/ /g' | sed 's/\</0x/g' | sed 's/\>/,/g' | sed "s/^[ \t]*/    /" | sed 's/ *$//'
+                printf "};\n\n"
+                printf "extern const ByteSpan ${params_prefix}_PrivateKey = ByteSpan(${params_prefix}_PrivateKey_Array);\n\n"
+            fi
         } >>"$output_cstyle_file".cpp
 
         {
             printf "extern const ByteSpan ${params_prefix}_Cert;\n"
             printf "extern const ByteSpan ${params_prefix}_SKID;\n"
-            printf "extern const ByteSpan ${params_prefix}_PublicKey;\n"
-            printf "extern const ByteSpan ${params_prefix}_PrivateKey;\n\n"
+            # Print key data if present
+            if test -f "$key_file_pem"; then
+                printf "extern const ByteSpan ${params_prefix}_PublicKey;\n"
+                printf "extern const ByteSpan ${params_prefix}_PrivateKey;\n"
+            fi
+            printf "\n"
         } >>"$output_cstyle_file".h
 
     done