Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CHIP credential serialization #6400

Merged
merged 13 commits into from
Jun 3, 2021
Merged

CHIP credential serialization #6400

merged 13 commits into from
Jun 3, 2021

Conversation

jpk233
Copy link
Contributor

@jpk233 jpk233 commented Apr 30, 2021
edited
Loading

Problem

We're lacking support to adequately parse elements from CHIP and non-CHIP certificates.

Change overview

  • Added method to retrieve CHIP certificate value from certificate.

  • Enhanced OperationalCredentialSet class with Serialize/Deserialize methods. User can now serialize/deserialize a specific Trusted Root ID

Testing

  • Unit tests were added for GetCertChipId and for OperationalCredentialSet serialization
  • This was manually tested using Android controller (chip-tool) and x86/arm64 linux device (lighting-app)

@todo
Copy link

todo bot commented Apr 30, 2021

change constants

connectedhomeip/src/credentials/CHIPOperationalCredentials.cpp

Lines 314 to 324 in 19e2599

// TODO change constants
SuccessOrExit(err = certificateSet.Init(3, 1024));
err = certificateSet.LoadCert(serializable.mRootCertificate, serializable.mRootCertificateLen,
BitFlags<CertDecodeFlags>(CertDecodeFlags::kIsTrustAnchor));
SuccessOrExit(err);
trustedRootId.mId = certificateSet.GetLastCert()->mAuthKeyId.mId;
trustedRootId.mLen = certificateSet.GetLastCert()->mAuthKeyId.mLen;
err = certificateSet.LoadCert(serializable.mCACertificate, serializable.mCACertificateLen,

This comment was generated by todo based on a TODO comment in 19e2599 in #6400. cc @jpk233.

@todo
Copy link

todo bot commented Apr 30, 2021

Serialize the CASESession to the given serializable data structure for secure pairing

connectedhomeip/src/credentials/CHIPOperationalCredentials.h

Lines 238 to 248 in 19e2599

* @brief TODO Serialize the CASESession to the given serializable data structure for secure pairing
**/
CHIP_ERROR ToSerializable(const CertificateKeyId & trustedRootId, OperationalCredentialSerializable & output);
/** @brief TODO Reconstruct secure pairing class from the serializable data structure.
*
* @return TODO Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
**/
CHIP_ERROR FromSerializable(const OperationalCredentialSerializable & output);
P256Keypair & GetDevOpCredKeypair(const CertificateKeyId & trustedRootId) { return *GetNodeKeypairAt(trustedRootId); }

This comment was generated by todo based on a TODO comment in 19e2599 in #6400. cc @jpk233.

@todo
Copy link

todo bot commented Apr 30, 2021

Reconstruct secure pairing class from the serializable data structure.

connectedhomeip/src/credentials/CHIPOperationalCredentials.h

Lines 242 to 250 in 19e2599

/** @brief TODO Reconstruct secure pairing class from the serializable data structure.
*
* @return TODO Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
**/
CHIP_ERROR FromSerializable(const OperationalCredentialSerializable & output);
P256Keypair & GetDevOpCredKeypair(const CertificateKeyId & trustedRootId) { return *GetNodeKeypairAt(trustedRootId); }
CHIP_ERROR SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair);

This comment was generated by todo based on a TODO comment in 19e2599 in #6400. cc @jpk233.

@todo
Copy link

todo bot commented Apr 30, 2021

Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise

connectedhomeip/src/credentials/CHIPOperationalCredentials.h

Lines 244 to 250 in 19e2599

* @return TODO Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
**/
CHIP_ERROR FromSerializable(const OperationalCredentialSerializable & output);
P256Keypair & GetDevOpCredKeypair(const CertificateKeyId & trustedRootId) { return *GetNodeKeypairAt(trustedRootId); }
CHIP_ERROR SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair);

This comment was generated by todo based on a TODO comment in 19e2599 in #6400. cc @jpk233.

@jpk233 jpk233 changed the title CHIP certificate value changes CHIP credential serialization Apr 30, 2021
@woody-apple
Copy link
Contributor

@pan-apple ?

bitkis
bitkis suggested changes Apr 30, 2021
View reviewed changes
src/credentials/CHIPCert.cpp Outdated
@@ -177,6 +178,9 @@ CHIP_ERROR ChipCertificateSet::LoadCert(TLVReader & reader, BitFlags<CertDecodeF

cert = new (&mCerts[mCertCount]) ChipCertificateData();

cert->mCertificateBegin = chipCert;
cert->mCertificateLen = static_cast<uint16_t>(chipCertLen);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better idea would be getting sizes of chipCertLen and mCertificateLen in sync to avoid the cast

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modified as per your comments, thanks

src/credentials/CHIPCert.cpp Outdated Show resolved Hide resolved
src/credentials/CHIPCert.cpp Show resolved Hide resolved
src/credentials/CHIPOperationalCredentials.cpp Show resolved Hide resolved
@pan-apple
Copy link
Contributor

@jpk233 , maybe we can just use the DER formatted cert, and store it as is. If the KVS doesn't support storage of binary data, we can convert it to base64 string and store that instead.

@pan-apple
Copy link
Contributor

For extracting Pubkey, how about converting X509 cert to CHIPCert, and get the value from there? CHIPCert is TLV formatted, and you can use kTag_EllipticCurvePublicKey to get the pubkey.

@pan-apple pan-apple requested a review from emargolis May 3, 2021 19:41
emargolis
emargolis reviewed May 4, 2021
View reviewed changes
src/credentials/CHIPOperationalCredentials.h Outdated Show resolved Hide resolved
src/credentials/CHIPCert.cpp Outdated Show resolved Hide resolved
src/credentials/CHIPCert.cpp Outdated
@@ -765,6 +772,32 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const
return err;
}

CHIP_ERROR ChipDN::GetCertChipVal(uint64_t & chipVal) const
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CHIP_ERROR ChipDN::GetCertChipVal(uint64_t & chipVal) const
CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const

src/credentials/CHIPCertFromX509.cpp Outdated Show resolved Hide resolved
src/credentials/CHIPOperationalCredentials.h Show resolved Hide resolved
src/credentials/CHIPCertFromX509.cpp Outdated
@@ -693,5 +857,19 @@ DLL_EXPORT CHIP_ERROR ConvertX509CertToChipCert(const uint8_t * x509Cert, uint32
return err;
}

DLL_EXPORT CHIP_ERROR ExtractPubkeyFromX509Cert(const uint8_t * x509Cert, uint32_t x509CertLen, Crypto::P256PublicKey & pubkey)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wanted to understand the usecase here? Specifically, why there is a need to extract public key from X509 certificate but there is no need to extract public key from the CHIP certificate format?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been removed as it's more appropriate for a separate PR. But for the usecase: during Device Attestation, we need to extract a public key from a X509 Certificate in order to validate the nonce.

@pullapprove

This comment has been minimized.

Sign in to view
@woody-apple woody-apple self-requested a review May 18, 2021 01:38
@jpk233
Copy link
Contributor Author

jpk233 commented May 20, 2021

@jpk233 , maybe we can just use the DER formatted cert, and store it as is. If the KVS doesn't support storage of binary data, we can convert it to base64 string and store that instead.

It's being serialized as base64 currently

For extracting Pubkey, how about converting X509 cert to CHIPCert, and get the value from there? CHIPCert is TLV formatted, and you can use kTag_EllipticCurvePublicKey to get the pubkey.

This change is meant to be applicable to both CHIP and non-CHIP certs, which is why it's not converted to CHIPCert format.

@jpk233
Copy link
Contributor Author

jpk233 commented May 24, 2021

Oh, and please document the lifetime assumptions involved....

Updated CHIPOperationalCredentials.h to document assumptions for the new methods.

bzbarsky-apple
bzbarsky-apple reviewed May 24, 2021
View reviewed changes
src/credentials/CHIPCert.h Outdated Show resolved Hide resolved
src/credentials/CHIPOperationalCredentials.h Outdated Show resolved Hide resolved
src/credentials/CHIPOperationalCredentials.h Outdated Show resolved Hide resolved
@jpk233 jpk233 requested a review from woody-apple May 25, 2021 19:32
@github-actions
Copy link

github-actions bot commented Jun 2, 2021

Size increase report for "nrfconnect-example-build" from 5d54fac

File Section File VM
chip-lock.elf bss 0 512
chip-lock.elf text 392 392
chip-lock.elf device_handles -8 -8
chip-shell.elf text 100 100
chip-shell.elf device_handles -4 -4
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-lock.elf and ./pull_artifact/chip-lock.elf:

sections,vmsize,filesize
.debug_info,0,2916238
.debug_str,0,86365
.debug_line,0,20689
.debug_abbrev,0,20529
.debug_loc,0,2219
bss,512,0
text,392,392
.debug_ranges,0,216
.debug_frame,0,200
.strtab,0,72
.symtab,0,64
.debug_aranges,0,32
device_handles,-8,-8

Comparing ./master_artifact/chip-shell.elf and ./pull_artifact/chip-shell.elf:

sections,vmsize,filesize
.debug_info,0,393718
.debug_str,0,92482
.debug_line,0,3526
.debug_abbrev,0,3436
.debug_loc,0,234
text,100,100
.debug_frame,0,36
.debug_aranges,0,8
device_handles,-4,-4

@github-actions
Copy link

github-actions bot commented Jun 2, 2021

Size increase report for "esp32-example-build" from 5d54fac

File Section File VM
chip-all-clusters-app.elf .dram0.bss 0 512
chip-all-clusters-app.elf .flash.text 384 384
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-all-clusters-app.elf and ./pull_artifact/chip-all-clusters-app.elf:

sections,vmsize,filesize
.debug_info,0,37365
.debug_line,0,3412
.debug_loc,0,2341
.debug_str,0,1136
.dram0.bss,512,0
.debug_ranges,0,416
.flash.text,384,384
.debug_frame,0,96
.strtab,0,72
.debug_aranges,0,32
.symtab,0,16
.debug_abbrev,0,-738

Comparing ./master_artifact/chip-pigweed-app.elf and ./pull_artifact/chip-pigweed-app.elf:

sections,vmsize,filesize

@github-actions
Copy link

github-actions bot commented Jun 2, 2021

Size increase report for "gn_qpg6100-example-build" from 5d54fac

File Section File VM
chip-qpg6100-lighting-example.out .text 416 416
chip-qpg6100-lighting-example.out .bss 0 128
chip-qpg6100-lighting-example.out .heap 0 -128
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-qpg6100-lighting-example.out.map and ./pull_artifact/chip-qpg6100-lighting-example.out.map:

BLOAT EXECUTION FAILED WITH CODE 1:
bloaty: unknown file type for file './pull_artifact/chip-qpg6100-lighting-example.out.map'

Comparing ./master_artifact/chip-qpg6100-lighting-example.out and ./pull_artifact/chip-qpg6100-lighting-example.out:

sections,vmsize,filesize
.debug_info,0,29514
.debug_loc,0,2338
.debug_abbrev,0,2129
.debug_line,0,1619
.debug_str,0,1164
.text,416,416
.debug_ranges,0,256
.debug_frame,0,224
.bss,128,0
.strtab,0,72
.symtab,0,64
.debug_aranges,0,32
.heap,-128,0
[Unmapped],0,-416

@woody-apple
Copy link
Contributor

/rebase

@woody-apple woody-apple mentioned this pull request Jun 3, 2021
Closed
@woody-apple woody-apple merged commit da45bb3 into project-chip:master Jun 3, 2021
@jpk233 jpk233 deleted the credentials branch June 3, 2021 16:40
nikita-s-wrk pushed a commit to nikita-s-wrk/connectedhomeip that referenced this pull request Sep 23, 2021
@jpk233 @bitkis
CHIP credential serialization (project-chip#6400)
a8c21b7 
* CHIP certificate value changes

* Addressed review comments, removed TODOs and ExtractPubKey method

* Added 2 new tests: - Test OperationalCredentialSet Serialization - Test new method for retrieving Certificate CHIP ID

* Fix CI builds

* Update with bzbarsky-apple's suggestions, document lifetime assumption

* Additional documentation, moved serializable objects to .data in order to avoid stack limitations

* Cleanup old code remnants, size check for optional CA certificate

* Sync with master, CHIPCert updates

Co-authored-by: Boris Itkis <boris.itkis@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emargolis emargolis emargolis approved these changes

@bzbarsky-apple bzbarsky-apple bzbarsky-apple left review comments

@bitkis bitkis bitkis approved these changes

@woody-apple woody-apple woody-apple approved these changes

@chrisdecenzo chrisdecenzo chrisdecenzo approved these changes

@jelderton jelderton jelderton approved these changes

@jmartinez-silabs jmartinez-silabs jmartinez-silabs approved these changes

@LuDuda LuDuda Awaiting requested review from LuDuda

@mspang mspang Awaiting requested review from mspang

@saurabhst saurabhst Awaiting requested review from saurabhst

Assignees
No one assigned
Labels
restyled-ignore review - changed requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@jpk233 @woody-apple @pan-apple @bzbarsky-apple @emargolis @bitkis @chrisdecenzo @jelderton @jmartinez-silabs