-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CHIP credential serialization #6400
Conversation
change constantsconnectedhomeip/src/credentials/CHIPOperationalCredentials.cpp Lines 314 to 324 in 19e2599
This comment was generated by todo based on a
|
Serialize the CASESession to the given serializable data structure for secure pairingconnectedhomeip/src/credentials/CHIPOperationalCredentials.h Lines 238 to 248 in 19e2599
This comment was generated by todo based on a
|
Reconstruct secure pairing class from the serializable data structure.connectedhomeip/src/credentials/CHIPOperationalCredentials.h Lines 242 to 250 in 19e2599
This comment was generated by todo based on a
|
Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwiseconnectedhomeip/src/credentials/CHIPOperationalCredentials.h Lines 244 to 250 in 19e2599
This comment was generated by todo based on a
|
src/credentials/CHIPCert.cpp
Outdated
@@ -177,6 +178,9 @@ CHIP_ERROR ChipCertificateSet::LoadCert(TLVReader & reader, BitFlags<CertDecodeF | |||
|
|||
cert = new (&mCerts[mCertCount]) ChipCertificateData(); | |||
|
|||
cert->mCertificateBegin = chipCert; | |||
cert->mCertificateLen = static_cast<uint16_t>(chipCertLen); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better idea would be getting sizes of chipCertLen
and mCertificateLen
in sync to avoid the cast
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modified as per your comments, thanks
@jpk233 , maybe we can just use the DER formatted cert, and store it as is. If the KVS doesn't support storage of binary data, we can convert it to base64 string and store that instead. |
For extracting Pubkey, how about converting X509 cert to CHIPCert, and get the value from there? CHIPCert is TLV formatted, and you can use |
src/credentials/CHIPCert.cpp
Outdated
@@ -765,6 +772,32 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const | |||
return err; | |||
} | |||
|
|||
CHIP_ERROR ChipDN::GetCertChipVal(uint64_t & chipVal) const |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CHIP_ERROR ChipDN::GetCertChipVal(uint64_t & chipVal) const | |
CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const |
src/credentials/CHIPCertFromX509.cpp
Outdated
@@ -693,5 +857,19 @@ DLL_EXPORT CHIP_ERROR ConvertX509CertToChipCert(const uint8_t * x509Cert, uint32 | |||
return err; | |||
} | |||
|
|||
DLL_EXPORT CHIP_ERROR ExtractPubkeyFromX509Cert(const uint8_t * x509Cert, uint32_t x509CertLen, Crypto::P256PublicKey & pubkey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanted to understand the usecase here? Specifically, why there is a need to extract public key from X509 certificate but there is no need to extract public key from the CHIP certificate format?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been removed as it's more appropriate for a separate PR. But for the usecase: during Device Attestation, we need to extract a public key from a X509 Certificate in order to validate the nonce.
This comment has been minimized.
This comment has been minimized.
It's being serialized as base64 currently
This change is meant to be applicable to both CHIP and non-CHIP certs, which is why it's not converted to CHIPCert format. |
…st new method for retrieving Certificate CHIP ID
Updated CHIPOperationalCredentials.h to document assumptions for the new methods. |
…r to avoid stack limitations
Size increase report for "nrfconnect-example-build" from 5d54fac
Full report output
|
Size increase report for "esp32-example-build" from 5d54fac
Full report output
|
Size increase report for "gn_qpg6100-example-build" from 5d54fac
Full report output
|
/rebase |
* CHIP certificate value changes * Addressed review comments, removed TODOs and ExtractPubKey method * Added 2 new tests: - Test OperationalCredentialSet Serialization - Test new method for retrieving Certificate CHIP ID * Fix CI builds * Update with bzbarsky-apple's suggestions, document lifetime assumption * Additional documentation, moved serializable objects to .data in order to avoid stack limitations * Cleanup old code remnants, size check for optional CA certificate * Sync with master, CHIPCert updates Co-authored-by: Boris Itkis <boris.itkis@gmail.com>
Problem
We're lacking support to adequately parse elements from CHIP and non-CHIP certificates.
Change overview
Added method to retrieve CHIP certificate value from certificate.
Enhanced OperationalCredentialSet class with Serialize/Deserialize methods. User can now serialize/deserialize a specific Trusted Root ID
Testing