Introduced Separate Constant for Certificate Decode Buffer Length. (#…
emargolis authored and pull[bot] committed Jul 9, 2021
1 parent 3d9fc15 commit 0d41696
Showing 7 changed files with 19 additions and 24 deletions.
3 changes: 3 additions & 0 deletions src/credentials/CHIPCert.h
@@ -48,6 +48,9 @@ static constexpr uint16_t kX509NoWellDefinedExpirationDateYear = 9999;
static constexpr uint32_t kMaxCHIPCertLength = 400;
static constexpr uint32_t kMaxDERCertLength = 600;

// The decode buffer is used to reconstruct TBS section of X.509 certificate, which doesn't include signature.
static constexpr uint32_t kMaxCHIPCertDecodeBufLength = kMaxDERCertLength - Crypto::kMax_ECDSA_Signature_Length;

/** Data Element Tags for the CHIP Certificate
*/
enum
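Review bot: The new `kMaxCHIPCertDecodeBufLength` is an unsigned subtraction of two constants, and nothing stops it wrapping to a huge value if either constant is retuned later. Because this value now sizes the decode buffer at every `certSet.Init` call touched by the commit, I would pin the relationship next to the definition with `static_assert(kMaxDERCertLength > Crypto::kMax_ECDSA_Signature_Length, "decode buffer length would underflow");`. The comment could also say that the value is a byte count and an upper bound, e.g. `// Upper bound, in bytes, on the TBS portion rebuilt during decode; the signature is not written to this buffer.` The hunk does not show whether the header that declares `Crypto::kMax_ECDSA_Signature_Length` is included by this file, so that is worth confirming.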
18 changes: 9 additions & 9 deletions src/credentials/tests/TestChipCert.cpp
@@ -350,7 +350,7 @@ static void TestChipCert_CertValidation(nlTestSuite * inSuite, void * inContext)
const ValidationTestCase & testCase = sValidationTestCases[i];

// Initialize the certificate set and load the specified test certificates.
certSet.Init(kMaxCertsPerTestCase, kMaxDERCertLength);
certSet.Init(kMaxCertsPerTestCase, kMaxCHIPCertDecodeBufLength);
for (size_t i2 = 0; i2 < kMaxCertsPerTestCase; i2++)
{
if (testCase.InputCerts[i2].Type != TestCert::kNone)
@@ -408,7 +408,7 @@ static void TestChipCert_CertValidTime(nlTestSuite * inSuite, void * inContext)
ChipCertificateSet certSet;
ValidationContext validContext;

certSet.Init(kStandardCertsCount, kMaxDERCertLength);
certSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength);

err = LoadTestCertSet01(certSet);
NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
@@ -568,7 +568,7 @@ static void TestChipCert_CertUsage(nlTestSuite * inSuite, void * inContext)
// clang-format on
size_t sNumUsageTestCases = sizeof(sUsageTestCases) / sizeof(sUsageTestCases[0]);

certSet.Init(kStandardCertsCount, kMaxDERCertLength);
certSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength);

err = LoadTestCertSet01(certSet);
NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
@@ -624,7 +624,7 @@ static void TestChipCert_CertType(nlTestSuite * inSuite, void * inContext)
uint8_t certType;

// Initialize the certificate set and load the test certificate.
certSet.Init(1, kMaxDERCertLength);
certSet.Init(1, kMaxCHIPCertDecodeBufLength);
err = LoadTestCert(certSet, testCase.Cert, sNullLoadFlag, sNullDecodeFlag);
NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);

@@ -671,7 +671,7 @@ static void TestChipCert_CertId(nlTestSuite * inSuite, void * inContext)
uint64_t chipId;

// Initialize the certificate set and load the test certificate.
certSet.Init(1, kMaxDERCertLength);
certSet.Init(1, kMaxCHIPCertDecodeBufLength);
err = LoadTestCert(certSet, testCase.Cert, sNullLoadFlag, sNullDecodeFlag);
NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);

@@ -689,7 +689,7 @@ static void TestChipCert_LoadDuplicateCerts(nlTestSuite * inSuite, void * inCont
ChipCertificateSet certSet;
ValidationContext validContext;

certSet.Init(kStandardCertsCount, kMaxDERCertLength);
certSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength);

// Let's load two distinct certificates, and make sure cert count is 2
err = LoadTestCert(certSet, TestCert::kRoot01, sNullLoadFlag, sTrustAnchorFlag);
@@ -935,7 +935,7 @@ static void TestChipCert_VerifyGeneratedCerts(nlTestSuite * inSuite, void * inCo
sizeof(noc_cert), noc_len) == CHIP_NO_ERROR);

ChipCertificateSet certSet;
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxDERCertLength) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxCHIPCertDecodeBufLength) == CHIP_NO_ERROR);

static uint8_t rootCertBuf[kMaxCHIPCertLength];
static uint8_t icaCertBuf[kMaxCHIPCertLength];
@@ -1023,7 +1023,7 @@ static void TestChipCert_X509ToChipArray(nlTestSuite * inSuite, void * inContext
NL_TEST_ASSERT(inSuite, outCert.size() <= sizeof(outCertBuf));

ChipCertificateSet certSet;
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxDERCertLength) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxCHIPCertDecodeBufLength) == CHIP_NO_ERROR);

NL_TEST_ASSERT(inSuite,
certSet.LoadCerts(outCert.data(), static_cast<uint32_t>(outCert.size()),
@@ -1088,7 +1088,7 @@ static void TestChipCert_X509ToChipArrayNoICA(nlTestSuite * inSuite, void * inCo
NL_TEST_ASSERT(inSuite, outCert.size() <= sizeof(outCertBuf));

ChipCertificateSet certSet;
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxDERCertLength) == CHIP_NO_ERROR);
NL_TEST_ASSERT(inSuite, certSet.Init(3, kMaxCHIPCertDecodeBufLength) == CHIP_NO_ERROR);

NL_TEST_ASSERT(inSuite,
certSet.LoadCerts(outCert.data(), static_cast<uint32_t>(outCert.size()),
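Review bot: Six of the nine updated calls still discard the result of `certSet.Init` (the hunks at 350, 408, 568, 624, 671 and 689), while the calls at 935, 1023 and 1088 assert it. With the decode buffer now smaller than `kMaxDERCertLength`, a failed initialisation should fail the test at the call rather than surface later as a load error, e.g. `NL_TEST_ASSERT(inSuite, certSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength) == CHIP_NO_ERROR);`. The two unchecked `certSet.Init` calls in TestChipOperationalCredentials.cpp have the same gap. A negative case would also help: a certificate whose TBS does not fit the decode buffer should be rejected with an error, and nothing in these hunks exercises that boundary.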
10 changes: 2 additions & 8 deletions src/credentials/tests/TestChipOperationalCredentials.cpp
@@ -34,12 +34,6 @@
using namespace chip;
using namespace chip::TestCerts;

enum
{
kTestCertBufSize = 1024, // Size of buffer needed to hold any of the test certificates
// (in either CHIP or DER form), or to decode the certificates.
};

namespace {
static const BitFlags<CertDecodeFlags> sGenTBSHashFlag(CertDecodeFlags::kGenerateTBSHash);
static const BitFlags<CertDecodeFlags> sTrustAnchorFlag(CertDecodeFlags::kIsTrustAnchor);
@@ -128,7 +122,7 @@ static void TestChipOperationalCredentials_CertValidation(nlTestSuite * inSuite,
const ValidationTestCase & testCase = sValidationTestCases[i];

// Initialize the certificate set and load the specified test certificates.
certSet.Init(kMaxCertsPerTestCase, kTestCertBufSize);
certSet.Init(kMaxCertsPerTestCase, kMaxCHIPCertDecodeBufLength);
for (size_t i2 = 0; i2 < kMaxCertsPerTestCase; i2++)
{
if (testCase.InputCerts[i2].Type != TestCerts::kNone)
@@ -199,7 +193,7 @@ static void TestChipOperationalCredentials_Serialization(nlTestSuite * inSuite,
};

// Initialize the certificate set and load the specified test certificates.
certSet.Init(kMaxCerts, kTestCertBufSize);
certSet.Init(kMaxCerts, kMaxCHIPCertDecodeBufLength);
err = LoadTestCert(certSet, TestCerts::kRoot01, sNullLoadFlag, sTrustAnchorFlag);
NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
err = LoadTestCert(certSet, TestCerts::kICA01, sNullLoadFlag, sGenTBSHashFlag);
2 changes: 1 addition & 1 deletion src/protocols/secure_channel/CASESession.cpp
@@ -1014,7 +1014,7 @@ CHIP_ERROR CASESession::Validate_and_RetrieveResponderID(const uint8_t ** msgIte

ChipCertificateSet certSet;
// Certificate set can contain up to 3 certs (NOC, ICA cert, and Root CA cert)
ReturnErrorOnFailure(certSet.Init(3, kMaxDERCertLength));
ReturnErrorOnFailure(certSet.Init(3, kMaxCHIPCertDecodeBufLength));

responderOpCertLen = chip::Encoding::LittleEndian::Read16(*msgIterator);
*responderOpCert = *msgIterator;
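Review bot: Nothing visible in this hunk bounds `responderOpCertLen`, which is read straight from the peer's message, and this is the one non-test protocol call site that moves to the smaller decode buffer. The safety of the reduced buffer therefore depends on checks further down in `Validate_and_RetrieveResponderID` and inside the certificate loader, both outside the hunk. If no such check exists, reject oversized input before loading, with something like `VerifyOrReturnError(responderOpCertLen <= kMaxCHIPCertLength, CHIP_ERROR_INVALID_ARGUMENT);`, and also compare the length against the bytes remaining in the message. The existing comment explains the `3` but not the second argument; one line saying what `kMaxCHIPCertDecodeBufLength` bounds would help the next reader.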
6 changes: 2 additions & 4 deletions src/protocols/secure_channel/tests/TestCASESession.cpp
@@ -72,8 +72,6 @@ P256Keypair accessoryOpKeys;
enum
{
kStandardCertsCount = 4,
kTestCertBufSize = 1024, // Size of buffer needed to hold any of the test certificates
// (in either CHIP or DER form), or to decode the certificates.
};

class TestCASESecurePairingDelegate : public SessionEstablishmentDelegate
@@ -114,9 +112,9 @@ static CHIP_ERROR InitCredentialSets()

ReturnErrorOnFailure(accessoryOpKeys.Deserialize(accessoryOpKeysSerialized));

ReturnErrorOnFailure(commissionerCertificateSet.Init(kStandardCertsCount, kTestCertBufSize));
ReturnErrorOnFailure(commissionerCertificateSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength));

ReturnErrorOnFailure(accessoryCertificateSet.Init(kStandardCertsCount, kTestCertBufSize));
ReturnErrorOnFailure(accessoryCertificateSet.Init(kStandardCertsCount, kMaxCHIPCertDecodeBufLength));

// Add the trusted root certificate to the certificate set.
ReturnErrorOnFailure(commissionerCertificateSet.LoadCert(sTestCert_Root01_Chip, sTestCert_Root01_Chip_Len,
2 changes: 1 addition & 1 deletion src/tools/chip-cert/Cmd_PrintCert.cpp
@@ -221,7 +221,7 @@ bool PrintCert(const char * fileName, X509 * cert)
res = X509ToChipCert(cert, certBuf.get(), kMaxCHIPCertLength, certLen);
VerifyTrueOrExit(res);

err = certSet.Init(1, 1024);
err = certSet.Init(1, kMaxCHIPCertDecodeBufLength);
if (err != CHIP_NO_ERROR)
{
fprintf(stderr, "Failed to initialize certificate set: %s\n", chip::ErrorStr(err));
2 changes: 1 addition & 1 deletion src/tools/chip-cert/Cmd_ValidateCert.cpp
@@ -159,7 +159,7 @@ bool Cmd_ValidateCert(int argc, char * argv[])
res = ParseArgs(CMD_NAME, argc, argv, gCmdOptionSets, HandleNonOptionArgs);
VerifyTrueOrExit(res);

err = certSet.Init(kMaxCerts, kMaxDERCertLength);
err = certSet.Init(kMaxCerts, kMaxCHIPCertDecodeBufLength);
if (err != CHIP_NO_ERROR)
{
fprintf(stderr, "Failed to initialize certificate set: %s\n", chip::ErrorStr(err));
