diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der
new file mode 100644
index 00000000000000..880b441bd42cc6
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem
new file mode 100644
index 00000000000000..e9568978ab1aea
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUDCCAfagAwIBAgIISW372zteskMwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFQx
+JjAkBgNVBAMMHU1hdHRlciBUZXN0IERBQyAwMDAwIFR3byBDRFBzMRQwEgYKKwYB
+BAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAARKrV70IfqHoglq9IBcx7bK3w/30LA1NNMRJ5LYnAHfE7cV
+AfLEBWiSm/ibuygPsGeTDUwoQvlzUhJXOY+2MpLco4G9MIG6MAwGA1UdEwEB/wQC
+MAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRF3Pw1yhkocaPuFrIVi2gb4+mK
+jDAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDAsBgNVHR8EJTAjMCGg
+H6AdhhtodHRwczovL2V4YW1wbGUuY29tL2NybC5wZW0wLAYDVR0fBCUwIzAhoB+g
+HYYbaHR0cDovL2V4YW1wbGUuY29tL2NybDIucGVtMAoGCCqGSM49BAMCA0gAMEUC
+ICo4AL07AB1JwKlxGLhw/UsJVGsGYQev7ZWa7wxbASuPAiEA4YlR6OPubKM9Z7Jg
+jBq99l+UvHneNRsmIWpB3JKzESI=
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der
new file mode 100644
index 00000000000000..6db711ca7bde9c
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem
new file mode 100644
index 00000000000000..39a7c256c79722
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJj6QtgPRpxFxnBqp0m+IYABttjI2ijEbkXYSlxoqN9+oAoGCCqGSM49
+AwEHoUQDQgAESq1e9CH6h6IJavSAXMe2yt8P99CwNTTTESeS2JwB3xO3FQHyxAVo
+kpv4m7soD7Bnkw1MKEL5c1ISVzmPtjKS3A==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der
new file mode 100644
index 00000000000000..3e725cc85cd818
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem
new file mode 100644
index 00000000000000..966c5025d8811f
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSjCCAfCgAwIBAgIIXzwUpXaaVS0wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFox
+LDAqBgNVBAMMI01hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoVHdvIFVSSXMpMRQw
+EgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAATaRkJ2yopbD59Iy6YH/+2S9qgTFGdh+Hu5AO9s
+Q2voAeanxcjpYgnLEQRq76+OKwOZtin1IANCtIw0epGZh+NXo4GxMIGuMAwGA1Ud
+EwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTMrHgJmsR/rXoOuQEs
+yPQiiAmrYTAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDBOBgNVHR8E
+RzBFMCCgHqAchhpodHRwOi8vZXhhbXBsZS5jb20vY3JsLnBlbTAhoB+gHYYbaHR0
+cDovL2V4YW1wbGUuY29tL2NybDIucGVtMAoGCCqGSM49BAMCA0gAMEUCIGoUNMNM
+07VMHKebxQhC593V7bd4xaKF6a5UYf8ddjl/AiEA7U3iA9Ja1dNx+7NNXJz3vqkS
+1ohFXkrf4C9/CWQ/iLw=
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.der
new file mode 100644
index 00000000000000..db0b5753f9dd5c
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem
new file mode 100644
index 00000000000000..63ce1fe337d991
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIL3FzD2bhQ0UC24d6vXSt8tj/HH2TmyomvM0uZhDfm3HoAoGCCqGSM49
+AwEHoUQDQgAE2kZCdsqKWw+fSMumB//tkvaoExRnYfh7uQDvbENr6AHmp8XI6WIJ
+yxEEau+vjisDmbYp9SADQrSMNHqRmYfjVw==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.der
new file mode 100644
index 00000000000000..5733c1377e82ce
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem
new file mode 100644
index 00000000000000..c4fb6b4f2ffcf2
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIzCCAcmgAwIBAgIIcWVtG3ouFqQwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFYx
+KDAmBgNVBAMMH01hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoSFRUUCkxFDASBgor
+BgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGConwCAgwEODAwMDBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABOMBHt6fUVqz6bqTJf7yO5bNcVw66jjOgR6I/G3nrDAm
+I/unBos+CdP+VJsRzF8OWWxO284+e6InH7jQmvQhnj2jgY4wgYswDAYDVR0TAQH/
+BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFGhDyDOjOZ+YQhU+sazPL5VY
+XxpQMB8GA1UdIwQYMBaAFK9CtwlN69UV7G7PM7gRFSJfMlKIMCsGA1UdHwQkMCIw
+IKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9jcmwucGVtMAoGCCqGSM49BAMCA0gA
+MEUCIGVKTBM7ydpNFHg1q/wk1Szso6CPovTm6sKuYEEfNvWkAiEAqhyhkx+8mv/W
+RzKr8x6o9hPBZx8PIqQxZ+KOnayTHhg=
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.der
new file mode 100644
index 00000000000000..4022bc555b6494
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem
new file mode 100644
index 00000000000000..1cc3bfe2334852
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJTCCAcugAwIBAgIINKhBW30/Kx4wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMFcx
+KTAnBgNVBAMMIE1hdHRlciBUZXN0IERBQyAwMDAwIENEUCAoSFRUUFMpMRQwEgYK
+KwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATZKyTeUWuOzT5oYt6H/Dv3fnARcccLWYz/XwJ/Argg
+5/oHutTk2L4mHAj7MZXVqDSCOijMRwO3xRV+FJ5eqngFo4GPMIGMMAwGA1UdEwEB
+/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSjAjP4b0DRGsVfgKXAqSpQ
+b+qfMTAfBgNVHSMEGDAWgBSvQrcJTevVFexuzzO4ERUiXzJSiDAsBgNVHR8EJTAj
+MCGgH6AdhhtodHRwczovL2V4YW1wbGUuY29tL2NybC5wZW0wCgYIKoZIzj0EAwID
+SAAwRQIgU+zq2jxdS7dQy+f40QlZEtTI5fsf7zAkH8+VgylA0JoCIQC1V168pxuE
+fnfV1dFBBruHvzedkqSd6o0QoOGLSBAuHw==
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.der
new file mode 100644
index 00000000000000..1c41899873d8c2
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem
new file mode 100644
index 00000000000000..ccd6216112c5e8
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIASkFQOGOdFOYpJvRhpiVdejCwvcrGqYzfiLFnAqcp87oAoGCCqGSM49
+AwEHoUQDQgAE2Ssk3lFrjs0+aGLeh/w7935wEXHHC1mM/18CfwK4IOf6B7rU5Ni+
+JhwI+zGV1ag0gjoozEcDt8UVfhSeXqp4BQ==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der
new file mode 100644
index 00000000000000..7d63f00c9bcfa4
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem
new file mode 100644
index 00000000000000..48fe09ad29812d
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAZZ8hZ3GOkPEiO670Qo8bDOxHK1X7sH6ofXOYmc9zFqoAoGCCqGSM49
+AwEHoUQDQgAE4wEe3p9RWrPpupMl/vI7ls1xXDrqOM6BHoj8beesMCYj+6cGiz4J
+0/5UmxHMXw5ZbE7bzj57oicfuNCa9CGePQ==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der
new file mode 100644
index 00000000000000..1ece300335a5fe
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem
new file mode 100644
index 00000000000000..4cadfd7818c829
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUzCCAfmgAwIBAgIIHW5tUEGGAAcwCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMDsx
+DTALBgNVBAMMBExvbmcxFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC
+onwCAgwEODAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEMo+7hxQow14iSz
+f56AZANfssxy+PFxGFNGwyDhqIW15AkJXuyFX31Sr5eh0G92cWyHNn4ZiM6hGdbX
+9CUrxy+jgdkwgdYwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0O
+BBYEFPZMe/GotuC6EI6960/h9nd8ySwpMB8GA1UdIwQYMBaAFK9CtwlN69UV7G7P
+M7gRFSJfMlKIMHYGA1UdHwRvMG0wa6BpoGeGZWh0dHBzOi8vZXhhbXBsZS5jb20v
+dGhpcy1pcy1hbi1leGFtcGxlLW9mLWNybC1kaXN0cmlidXRpb24tcG9pbnQtZXh0
+ZW5zaW9uLXdoaWNoLWlzLTEwMS1jaGFycy9jcmwucGVtMAoGCCqGSM49BAMCA0gA
+MEUCIENDYnRVRbgQ6zM9WS0/RoI8U/VhGfCGROJ5TLpK2rexAiEAr1GXakRNQ566
+F7ihY3WBUwmT9hjCdBiH0+beR5GkyaQ=
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.der
new file mode 100644
index 00000000000000..5282d103be84bb
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem
new file mode 100644
index 00000000000000..d868b79ee31833
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINFUmafW3jhThp3mpGxLUtE7c1kW1Kq9UCaqrR5yeWbroAoGCCqGSM49
+AwEHoUQDQgAEQyj7uHFCjDXiJLN/noBkA1+yzHL48XEYU0bDIOGohbXkCQle7IVf
+fVKvl6HQb3ZxbIc2fhmIzqEZ1tf0JSvHLw==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der
new file mode 100644
index 00000000000000..2ad2f7c7190a4d
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem
new file mode 100644
index 00000000000000..c53dbb8fbd6498
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBTCCAaugAwIBAgIIcAYIqqHXrW0wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMDsx
+DTALBgNVBAMMBExvbmcxFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC
+onwCAgwEODAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPzNyCm6Yjd8xsez
+bqfBr3bNFcMovEtujQd4ull/u/MK5xK2V9L58rkV+CNMh+KjO/XnWXbgTmrQPYUL
+0WQ588+jgYswgYgwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0O
+BBYEFAcwHO+LnkQm0uRuxvo607dEHe+9MB8GA1UdIwQYMBaAFK9CtwlN69UV7G7P
+M7gRFSJfMlKIMCgGA1UdHwQhMB8wHaAboBmGF3d3dy5leGFtcGxlLmNvbS9jcmwu
+cGVtMAoGCCqGSM49BAMCA0gAMEUCIQDmuIge7Q6mcILAYH5G9sqEBDGr4JHWF12B
+DDih5PBFdwIgOQZfvvn9pBs3r8ux9t8JDhpEO6xuZSw72sED9NOsTnY=
+-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.der b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.der
new file mode 100644
index 00000000000000..ab268e2e51f69e
Binary files /dev/null and b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.der differ
diff --git a/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem
new file mode 100644
index 00000000000000..f9c33a94072281
--- /dev/null
+++ b/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKUdzfzZVduHJDVshxIakL0TGFN4p6mMcfRwRKKm2+vboAoGCCqGSM49
+AwEHoUQDQgAE/M3IKbpiN3zGx7Nup8Gvds0Vwyi8S26NB3i6WX+78wrnErZX0vny
+uRX4I0yH4qM79edZduBOatA9hQvRZDnzzw==
+-----END EC PRIVATE KEY-----
diff --git a/credentials/test/gen-test-attestation-certs.sh b/credentials/test/gen-test-attestation-certs.sh
index 83bc7668a62bb2..04d0ba6130dac8 100755
--- a/credentials/test/gen-test-attestation-certs.sh
+++ b/credentials/test/gen-test-attestation-certs.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2021-2022 Project CHIP Authors
+# Copyright (c) 2021-2023 Project CHIP Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -340,6 +340,59 @@ cert_lifetime=4294967295
 "$chip_cert_tool" gen-att-cert --type i --subject-cn "Matter Test PAI" --subject-vid "$vid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --ca-key "$paa_key_file".pem --ca-cert "$paa_cert_file".pem --key "$pai_key_file".pem --out "$pai_cert_file".pem
 }
+# Set #8:
+# - Generate DACs with CRL Distribution Point (CDP) Extensions (Valid and Invalid cases)
+{
+ vid=FFF1
+ pid=8000
+ dac=0000
+
+ pai_key_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Key"
+ pai_cert_file="$dest_dir/Chip-Test-PAI-$vid-$pid-Cert"
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Cert"
+
+ cdp_example="URI:http://example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTP)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-HTTPS-Cert"
+
+ cdp_example="URI:https://example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (HTTPS)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-2CDPs-Cert"
+
+ cdp_example2="URI:http://example.com/crl2.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac Two CDPs" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext 
"$cdp_example" --cpd-ext "$cdp_example2" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-2URIs-Cert"
+
+ cdp_example2in1="URI:http://example.com/crl.pem,URI:http://example.com/crl2.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Matter Test DAC $dac CDP (Two URIs)" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example2in1" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Long-Cert"
+
+ cdp_example="URI:https://example.com/this-is-an-example-of-crl-distribution-point-extension-which-is-101-chars/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+
+ dac_key_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Key"
+ dac_cert_file="$dest_dir/Chip-Test-DAC-$vid-$pid-$dac-CDP-Wrong-Prefix-Cert"
+
+ cdp_example="URI:www.example.com/crl.pem"
+
+ "$chip_cert_tool" gen-att-cert --type d --subject-cn "Long" --subject-vid "$vid" --subject-pid "$pid" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --cpd-ext "$cdp_example" --ca-key "$pai_key_file".pem --ca-cert "$pai_cert_file".pem --out-key "$dac_key_file".pem --out "$dac_cert_file".pem
+}
+
 # In addition to PEM format also create certificates in DER form.
 for cert_file_pem in "$dest_dir"/*Cert.pem; do
 cert_file_der="${cert_file_pem/.pem/.der}"
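Review bot: The final gen-att-cert call in the Set #8 block, the Wrong-Prefix DAC, passes `--subject-cn "Long"`, carried over from the preceding Long-CDP call, so the committed Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem names a scenario it does not test, while every other case in the block encodes its own scenario in the CN. I would use `--subject-cn "Matter Test DAC $dac CDP (Wrong Prefix)"` there and `--subject-cn "Matter Test DAC $dac CDP (Long)"` for the Long case, then regenerate the affected PEM/DER files and the byte arrays in CHIPAttCert_test_vectors.cpp that this commit also adds. The header comment promises "Valid and Invalid cases" but nothing says which vectors a CDP validator is expected to reject; a one-line comment above the Long and Wrong-Prefix calls, e.g. `# Expected to be rejected: 101-char URI` and `# Expected to be rejected: URI without an http(s) scheme`, would make each vector's intent auditable — I am inferring that intent from the file names and URI contents, so confirm it against the validator's rules. The `{ ... }` group is opened and closed within this hunk.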
@@ -357,7 +410,7 @@ if [ ! -z "$output_cstyle_file" ]; then copyright_note='/* * - * Copyright (c) 2021-2022 Project CHIP Authors + * Copyright (c) 2021-2023 Project CHIP Authors * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -380,6 +433,8 @@ if [ ! -z "$output_cstyle_file" ]; then ' header_includes=' #pragma once + +#include ' namespaces_open=' diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.cpp b/src/credentials/tests/CHIPAttCert_test_vectors.cpp index 82cda1285d8980..7318d5b925a4e5 100644 --- a/src/credentials/tests/CHIPAttCert_test_vectors.cpp +++ b/src/credentials/tests/CHIPAttCert_test_vectors.cpp @@ -1,6 +1,6 @@ /* * - * Copyright (c) 2021-2022 Project CHIP Authors + * Copyright (c) 2021-2023 Project CHIP Authors * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); 
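Review bot: The line added to the header_includes template in the second hunk reads `+#include ` with no header name in this rendering, which would leave a bare `#include` directive in every generated C-style vector file; most likely the angle-bracketed argument was dropped when the page was extracted, but it is worth confirming in the commit itself. If the intent is to declare `uint8_t` for the generated `constexpr uint8_t ..._Array[]` definitions, `#include <cstdint>` is the header that supplies it. The enclosing `if [ ! -z "$output_cstyle_file" ]; then` block begins and ends outside this hunk.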
@@ -22,6 +22,368 @@ namespace chip { namespace TestCerts { +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x50, 0x30, 0x82, 0x01, 0xf6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x49, 0x6d, 0xfb, 0xdb, 0x3b, 0x5e, + 0xb2, 0x43, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x54, 0x31, 0x26, 0x30, 0x24, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1d, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x54, 0x77, 0x6f, 0x20, 0x43, 0x44, 0x50, 0x73, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, + 0x00, 0x04, 0x4a, 0xad, 0x5e, 0xf4, 0x21, 0xfa, 0x87, 0xa2, 0x09, 0x6a, 0xf4, 0x80, 0x5c, 0xc7, 0xb6, 0xca, 0xdf, 0x0f, 0xf7, + 0xd0, 0xb0, 0x35, 0x34, 0xd3, 0x11, 0x27, 0x92, 0xd8, 0x9c, 0x01, 0xdf, 0x13, 0xb7, 0x15, 0x01, 0xf2, 0xc4, 
0x05, 0x68, 0x92, + 0x9b, 0xf8, 0x9b, 0xbb, 0x28, 0x0f, 0xb0, 0x67, 0x93, 0x0d, 0x4c, 0x28, 0x42, 0xf9, 0x73, 0x52, 0x12, 0x57, 0x39, 0x8f, 0xb6, + 0x32, 0x92, 0xdc, 0xa3, 0x81, 0xbd, 0x30, 0x81, 0xba, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, + 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x45, 0xdc, 0xfc, 0x35, 0xca, 0x19, 0x28, 0x71, 0xa3, 0xee, 0x16, 0xb2, 0x15, + 0x8b, 0x68, 0x1b, 0xe3, 0xe9, 0x8a, 0x8c, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, + 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x2c, + 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, 0x74, 0x74, 0x70, + 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, + 0x65, 0x6d, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, + 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, + 0x6c, 0x32, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, + 0x30, 0x45, 0x02, 0x20, 0x2a, 0x38, 0x00, 0xbd, 0x3b, 0x00, 0x1d, 0x49, 0xc0, 0xa9, 0x71, 0x18, 0xb8, 0x70, 0xfd, 0x4b, 0x09, + 0x54, 0x6b, 0x06, 0x61, 0x07, 0xaf, 0xed, 0x95, 0x9a, 0xef, 0x0c, 0x5b, 0x01, 0x2b, 0x8f, 0x02, 0x21, 0x00, 0xe1, 0x89, 0x51, + 0xe8, 0xe3, 0xee, 0x6c, 0xa3, 0x3d, 0x67, 0xb2, 0x60, 0x8c, 0x1a, 0xbd, 0xf6, 0x5f, 0x94, 0xbc, 0x79, 0xde, 0x35, 0x1b, 0x26, + 0x21, 0x6a, 0x41, 0xdc, 0x92, 0xb3, 0x11, 0x22, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert_Array); + 
+constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID_Array[] = { + 0x45, 0xDC, 0xFC, 0x35, 0xCA, 0x19, 0x28, 0x71, 0xA3, 0xEE, 0x16, 0xB2, 0x15, 0x8B, 0x68, 0x1B, 0xE3, 0xE9, 0x8A, 0x8C, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-2CDPs-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey_Array[] = { + 0x04, 0x4a, 0xad, 0x5e, 0xf4, 0x21, 0xfa, 0x87, 0xa2, 0x09, 0x6a, 0xf4, 0x80, 0x5c, 0xc7, 0xb6, 0xca, + 0xdf, 0x0f, 0xf7, 0xd0, 0xb0, 0x35, 0x34, 0xd3, 0x11, 0x27, 0x92, 0xd8, 0x9c, 0x01, 0xdf, 0x13, 0xb7, + 0x15, 0x01, 0xf2, 0xc4, 0x05, 0x68, 0x92, 0x9b, 0xf8, 0x9b, 0xbb, 0x28, 0x0f, 0xb0, 0x67, 0x93, 0x0d, + 0x4c, 0x28, 0x42, 0xf9, 0x73, 0x52, 0x12, 0x57, 0x39, 0x8f, 0xb6, 0x32, 0x92, 0xdc, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey_Array[] = { + 0x98, 0xfa, 0x42, 0xd8, 0x0f, 0x46, 0x9c, 0x45, 0xc6, 0x70, 0x6a, 0xa7, 0x49, 0xbe, 0x21, 0x80, + 0x01, 0xb6, 0xd8, 0xc8, 0xda, 0x28, 0xc4, 0x6e, 0x45, 0xd8, 0x4a, 0x5c, 0x68, 0xa8, 0xdf, 0x7e, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x4a, 0x30, 0x82, 0x01, 0xf0, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5f, 0x3c, 0x14, 0xa5, 0x76, 0x9a, + 0x55, 0x2d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 
0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x5a, 0x31, 0x2c, 0x30, 0x2a, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x23, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x54, 0x77, 0x6f, 0x20, 0x55, 0x52, 0x49, 0x73, 0x29, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xda, 0x46, 0x42, 0x76, 0xca, 0x8a, 0x5b, 0x0f, 0x9f, 0x48, 0xcb, 0xa6, 0x07, + 0xff, 0xed, 0x92, 0xf6, 0xa8, 0x13, 0x14, 0x67, 0x61, 0xf8, 0x7b, 0xb9, 0x00, 0xef, 0x6c, 0x43, 0x6b, 0xe8, 0x01, 0xe6, 0xa7, + 0xc5, 0xc8, 0xe9, 0x62, 0x09, 0xcb, 0x11, 0x04, 0x6a, 0xef, 0xaf, 0x8e, 0x2b, 0x03, 0x99, 0xb6, 0x29, 0xf5, 0x20, 0x03, 0x42, + 0xb4, 0x8c, 0x34, 0x7a, 0x91, 0x99, 0x87, 0xe3, 0x57, 0xa3, 0x81, 0xb1, 0x30, 0x81, 0xae, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, + 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, + 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xcc, 0xac, 0x78, 0x09, 0x9a, 0xc4, 0x7f, + 0xad, 0x7a, 0x0e, 0xb9, 0x01, 0x2c, 0xc8, 0xf4, 0x22, 0x88, 0x09, 0xab, 0x61, 
0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, + 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, + 0x5f, 0x32, 0x52, 0x88, 0x30, 0x4e, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x47, 0x30, 0x45, 0x30, 0x20, 0xa0, 0x1e, 0xa0, 0x1c, + 0x86, 0x1a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, + 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x32, 0x2e, 0x70, 0x65, 0x6d, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x6a, 0x14, + 0x34, 0xc3, 0x4c, 0xd3, 0xb5, 0x4c, 0x1c, 0xa7, 0x9b, 0xc5, 0x08, 0x42, 0xe7, 0xdd, 0xd5, 0xed, 0xb7, 0x78, 0xc5, 0xa2, 0x85, + 0xe9, 0xae, 0x54, 0x61, 0xff, 0x1d, 0x76, 0x39, 0x7f, 0x02, 0x21, 0x00, 0xed, 0x4d, 0xe2, 0x03, 0xd2, 0x5a, 0xd5, 0xd3, 0x71, + 0xfb, 0xb3, 0x4d, 0x5c, 0x9c, 0xf7, 0xbe, 0xa9, 0x12, 0xd6, 0x88, 0x45, 0x5e, 0x4a, 0xdf, 0xe0, 0x2f, 0x7f, 0x09, 0x64, 0x3f, + 0x88, 0xbc, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID_Array[] = { + 0xCC, 0xAC, 0x78, 0x09, 0x9A, 0xC4, 0x7F, 0xAD, 0x7A, 0x0E, 0xB9, 0x01, 0x2C, 0xC8, 0xF4, 0x22, 0x88, 0x09, 0xAB, 0x61, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-2URIs-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey_Array[] = { + 0x04, 0xda, 0x46, 0x42, 0x76, 0xca, 0x8a, 0x5b, 0x0f, 0x9f, 0x48, 0xcb, 0xa6, 0x07, 0xff, 0xed, 0x92, + 0xf6, 0xa8, 0x13, 0x14, 0x67, 
0x61, 0xf8, 0x7b, 0xb9, 0x00, 0xef, 0x6c, 0x43, 0x6b, 0xe8, 0x01, 0xe6, + 0xa7, 0xc5, 0xc8, 0xe9, 0x62, 0x09, 0xcb, 0x11, 0x04, 0x6a, 0xef, 0xaf, 0x8e, 0x2b, 0x03, 0x99, 0xb6, + 0x29, 0xf5, 0x20, 0x03, 0x42, 0xb4, 0x8c, 0x34, 0x7a, 0x91, 0x99, 0x87, 0xe3, 0x57, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey_Array[] = { + 0xbd, 0xc5, 0xcc, 0x3d, 0x9b, 0x85, 0x0d, 0x14, 0x0b, 0x6e, 0x1d, 0xea, 0xf5, 0xd2, 0xb7, 0xcb, + 0x63, 0xfc, 0x71, 0xf6, 0x4e, 0x6c, 0xa8, 0x9a, 0xf3, 0x34, 0xb9, 0x98, 0x43, 0x7e, 0x6d, 0xc7, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x23, 0x30, 0x82, 0x01, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x71, 0x65, 0x6d, 0x1b, 0x7a, 0x2e, + 0x16, 0xa4, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x56, 0x31, 0x28, 0x30, 0x26, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 
0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x48, 0x54, 0x54, 0x50, 0x29, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, + 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, + 0x03, 0x42, 0x00, 0x04, 0xe3, 0x01, 0x1e, 0xde, 0x9f, 0x51, 0x5a, 0xb3, 0xe9, 0xba, 0x93, 0x25, 0xfe, 0xf2, 0x3b, 0x96, 0xcd, + 0x71, 0x5c, 0x3a, 0xea, 0x38, 0xce, 0x81, 0x1e, 0x88, 0xfc, 0x6d, 0xe7, 0xac, 0x30, 0x26, 0x23, 0xfb, 0xa7, 0x06, 0x8b, 0x3e, + 0x09, 0xd3, 0xfe, 0x54, 0x9b, 0x11, 0xcc, 0x5f, 0x0e, 0x59, 0x6c, 0x4e, 0xdb, 0xce, 0x3e, 0x7b, 0xa2, 0x27, 0x1f, 0xb8, 0xd0, + 0x9a, 0xf4, 0x21, 0x9e, 0x3d, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x68, 0x43, 0xc8, 0x33, 0xa3, 0x39, 0x9f, 0x98, 0x42, 0x15, 0x3e, + 0xb1, 0xac, 0xcf, 0x2f, 0x95, 0x58, 0x5f, 0x1a, 0x50, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, + 0x30, 0x2b, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x24, 0x30, 0x22, 0x30, 0x20, 0xa0, 0x1e, 0xa0, 0x1c, 0x86, 0x1a, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, + 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, + 0x20, 0x65, 0x4a, 0x4c, 0x13, 0x3b, 0xc9, 0xda, 0x4d, 
0x14, 0x78, 0x35, 0xab, 0xfc, 0x24, 0xd5, 0x2c, 0xec, 0xa3, 0xa0, 0x8f, + 0xa2, 0xf4, 0xe6, 0xea, 0xc2, 0xae, 0x60, 0x41, 0x1f, 0x36, 0xf5, 0xa4, 0x02, 0x21, 0x00, 0xaa, 0x1c, 0xa1, 0x93, 0x1f, 0xbc, + 0x9a, 0xff, 0xd6, 0x47, 0x32, 0xab, 0xf3, 0x1e, 0xa8, 0xf6, 0x13, 0xc1, 0x67, 0x1f, 0x0f, 0x22, 0xa4, 0x31, 0x67, 0xe2, 0x8e, + 0x9d, 0xac, 0x93, 0x1e, 0x18, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_SKID_Array[] = { + 0x68, 0x43, 0xC8, 0x33, 0xA3, 0x39, 0x9F, 0x98, 0x42, 0x15, 0x3E, 0xB1, 0xAC, 0xCF, 0x2F, 0x95, 0x58, 0x5F, 0x1A, 0x50, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey_Array[] = { + 0x04, 0xe3, 0x01, 0x1e, 0xde, 0x9f, 0x51, 0x5a, 0xb3, 0xe9, 0xba, 0x93, 0x25, 0xfe, 0xf2, 0x3b, 0x96, + 0xcd, 0x71, 0x5c, 0x3a, 0xea, 0x38, 0xce, 0x81, 0x1e, 0x88, 0xfc, 0x6d, 0xe7, 0xac, 0x30, 0x26, 0x23, + 0xfb, 0xa7, 0x06, 0x8b, 0x3e, 0x09, 0xd3, 0xfe, 0x54, 0x9b, 0x11, 0xcc, 0x5f, 0x0e, 0x59, 0x6c, 0x4e, + 0xdb, 0xce, 0x3e, 0x7b, 0xa2, 0x27, 0x1f, 0xb8, 0xd0, 0x9a, 0xf4, 0x21, 0x9e, 0x3d, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey_Array[] = { + 0x06, 0x59, 0xf2, 0x16, 0x77, 0x18, 0xe9, 0x0f, 0x12, 0x23, 0xba, 0xef, 0x44, 0x28, 0xf1, 0xb0, + 0xce, 0xc4, 0x72, 0xb5, 0x5f, 0xbb, 0x07, 0xea, 0x87, 0xd7, 0x39, 0x89, 0x9c, 0xf7, 0x31, 0x6a, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey_Array); + +// 
${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x25, 0x30, 0x82, 0x01, 0xcb, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x34, 0xa8, 0x41, 0x5b, 0x7d, 0x3f, + 0x2b, 0x1e, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x57, 0x31, 0x29, 0x30, 0x27, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, + 0x43, 0x20, 0x30, 0x30, 0x30, 0x30, 0x20, 0x43, 0x44, 0x50, 0x20, 0x28, 0x48, 0x54, 0x54, 0x50, 0x53, 0x29, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0xd9, 0x2b, 0x24, 0xde, 0x51, 0x6b, 0x8e, 0xcd, 0x3e, 0x68, 0x62, 0xde, 0x87, 0xfc, 0x3b, 0xf7, + 0x7e, 0x70, 0x11, 0x71, 0xc7, 0x0b, 0x59, 0x8c, 0xff, 0x5f, 0x02, 0x7f, 0x02, 0xb8, 0x20, 0xe7, 0xfa, 0x07, 0xba, 0xd4, 0xe4, + 0xd8, 0xbe, 0x26, 0x1c, 0x08, 0xfb, 
0x31, 0x95, 0xd5, 0xa8, 0x34, 0x82, 0x3a, 0x28, 0xcc, 0x47, 0x03, 0xb7, 0xc5, 0x15, 0x7e, + 0x14, 0x9e, 0x5e, 0xaa, 0x78, 0x05, 0xa3, 0x81, 0x8f, 0x30, 0x81, 0x8c, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa3, 0x02, 0x33, 0xf8, 0x6f, 0x40, 0xd1, 0x1a, 0xc5, 0x5f, + 0x80, 0xa5, 0xc0, 0xa9, 0x2a, 0x50, 0x6f, 0xea, 0x9f, 0x31, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, + 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, + 0x88, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0xa0, 0x1f, 0xa0, 0x1d, 0x86, 0x1b, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, + 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x53, 0xec, 0xea, 0xda, 0x3c, 0x5d, 0x4b, 0xb7, 0x50, 0xcb, 0xe7, 0xf8, 0xd1, 0x09, 0x59, 0x12, 0xd4, 0xc8, + 0xe5, 0xfb, 0x1f, 0xef, 0x30, 0x24, 0x1f, 0xcf, 0x95, 0x83, 0x29, 0x40, 0xd0, 0x9a, 0x02, 0x21, 0x00, 0xb5, 0x57, 0x5e, 0xbc, + 0xa7, 0x1b, 0x84, 0x7e, 0x77, 0xd5, 0xd5, 0xd1, 0x41, 0x06, 0xbb, 0x87, 0xbf, 0x37, 0x9d, 0x92, 0xa4, 0x9d, 0xea, 0x8d, 0x10, + 0xa0, 0xe1, 0x8b, 0x48, 0x10, 0x2e, 0x1f, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID_Array[] = { + 0xA3, 0x02, 0x33, 0xF8, 0x6F, 0x40, 0xD1, 0x1A, 0xC5, 0x5F, 0x80, 0xA5, 0xC0, 0xA9, 0x2A, 0x50, 0x6F, 0xEA, 0x9F, 0x31, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID = 
ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-HTTPS-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey_Array[] = { + 0x04, 0xd9, 0x2b, 0x24, 0xde, 0x51, 0x6b, 0x8e, 0xcd, 0x3e, 0x68, 0x62, 0xde, 0x87, 0xfc, 0x3b, 0xf7, + 0x7e, 0x70, 0x11, 0x71, 0xc7, 0x0b, 0x59, 0x8c, 0xff, 0x5f, 0x02, 0x7f, 0x02, 0xb8, 0x20, 0xe7, 0xfa, + 0x07, 0xba, 0xd4, 0xe4, 0xd8, 0xbe, 0x26, 0x1c, 0x08, 0xfb, 0x31, 0x95, 0xd5, 0xa8, 0x34, 0x82, 0x3a, + 0x28, 0xcc, 0x47, 0x03, 0xb7, 0xc5, 0x15, 0x7e, 0x14, 0x9e, 0x5e, 0xaa, 0x78, 0x05, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey_Array[] = { + 0x04, 0xa4, 0x15, 0x03, 0x86, 0x39, 0xd1, 0x4e, 0x62, 0x92, 0x6f, 0x46, 0x1a, 0x62, 0x55, 0xd7, + 0xa3, 0x0b, 0x0b, 0xdc, 0xac, 0x6a, 0x98, 0xcd, 0xf8, 0x8b, 0x16, 0x70, 0x2a, 0x72, 0x9f, 0x3b, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x1d, 0x6e, 0x6d, 0x50, 0x41, 0x86, + 0x00, 0x07, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 
0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x0d, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x4c, 0x6f, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x43, 0x28, + 0xfb, 0xb8, 0x71, 0x42, 0x8c, 0x35, 0xe2, 0x24, 0xb3, 0x7f, 0x9e, 0x80, 0x64, 0x03, 0x5f, 0xb2, 0xcc, 0x72, 0xf8, 0xf1, 0x71, + 0x18, 0x53, 0x46, 0xc3, 0x20, 0xe1, 0xa8, 0x85, 0xb5, 0xe4, 0x09, 0x09, 0x5e, 0xec, 0x85, 0x5f, 0x7d, 0x52, 0xaf, 0x97, 0xa1, + 0xd0, 0x6f, 0x76, 0x71, 0x6c, 0x87, 0x36, 0x7e, 0x19, 0x88, 0xce, 0xa1, 0x19, 0xd6, 0xd7, 0xf4, 0x25, 0x2b, 0xc7, 0x2f, 0xa3, + 0x81, 0xd9, 0x30, 0x81, 0xd6, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, + 0x04, 0x16, 0x04, 0x14, 0xf6, 0x4c, 0x7b, 0xf1, 0xa8, 0xb6, 0xe0, 0xba, 0x10, 0x8e, 0xbd, 0xeb, 0x4f, 0xe1, 0xf6, 0x77, 0x7c, + 0xc9, 0x2c, 0x29, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, + 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x76, 0x06, 0x03, 0x55, 0x1d, + 0x1f, 0x04, 0x6f, 0x30, 0x6d, 0x30, 0x6b, 0xa0, 0x69, 0xa0, 0x67, 0x86, 0x65, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, + 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 
0x6f, 0x6d, 0x2f, 0x74, 0x68, 0x69, 0x73, 0x2d, 0x69, 0x73, 0x2d, 0x61, + 0x6e, 0x2d, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2d, 0x6f, 0x66, 0x2d, 0x63, 0x72, 0x6c, 0x2d, 0x64, 0x69, 0x73, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x2d, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, + 0x69, 0x6f, 0x6e, 0x2d, 0x77, 0x68, 0x69, 0x63, 0x68, 0x2d, 0x69, 0x73, 0x2d, 0x31, 0x30, 0x31, 0x2d, 0x63, 0x68, 0x61, 0x72, + 0x73, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, + 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x43, 0x43, 0x62, 0x74, 0x55, 0x45, 0xb8, 0x10, 0xeb, 0x33, 0x3d, 0x59, 0x2d, 0x3f, + 0x46, 0x82, 0x3c, 0x53, 0xf5, 0x61, 0x19, 0xf0, 0x86, 0x44, 0xe2, 0x79, 0x4c, 0xba, 0x4a, 0xda, 0xb7, 0xb1, 0x02, 0x21, 0x00, + 0xaf, 0x51, 0x97, 0x6a, 0x44, 0x4d, 0x43, 0x9e, 0xba, 0x17, 0xb8, 0xa1, 0x63, 0x75, 0x81, 0x53, 0x09, 0x93, 0xf6, 0x18, 0xc2, + 0x74, 0x18, 0x87, 0xd3, 0xe6, 0xde, 0x47, 0x91, 0xa4, 0xc9, 0xa4, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID_Array[] = { + 0xF6, 0x4C, 0x7B, 0xF1, 0xA8, 0xB6, 0xE0, 0xBA, 0x10, 0x8E, 0xBD, 0xEB, 0x4F, 0xE1, 0xF6, 0x77, 0x7C, 0xC9, 0x2C, 0x29, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID = ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Long-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey_Array[] = { + 0x04, 0x43, 0x28, 0xfb, 0xb8, 0x71, 0x42, 0x8c, 0x35, 0xe2, 0x24, 0xb3, 0x7f, 0x9e, 0x80, 0x64, 0x03, + 0x5f, 0xb2, 0xcc, 0x72, 0xf8, 0xf1, 0x71, 0x18, 0x53, 0x46, 0xc3, 0x20, 0xe1, 0xa8, 0x85, 0xb5, 0xe4, + 0x09, 0x09, 0x5e, 0xec, 0x85, 0x5f, 0x7d, 0x52, 0xaf, 0x97, 0xa1, 0xd0, 0x6f, 0x76, 0x71, 0x6c, 0x87, + 0x36, 
0x7e, 0x19, 0x88, 0xce, 0xa1, 0x19, 0xd6, 0xd7, 0xf4, 0x25, 0x2b, 0xc7, 0x2f, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey_Array[] = { + 0xd1, 0x54, 0x99, 0xa7, 0xd6, 0xde, 0x38, 0x53, 0x86, 0x9d, 0xe6, 0xa4, 0x6c, 0x4b, 0x52, 0xd1, + 0x3b, 0x73, 0x59, 0x16, 0xd4, 0xaa, 0xbd, 0x50, 0x26, 0xaa, 0xad, 0x1e, 0x72, 0x79, 0x66, 0xeb, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Cert.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert_Array[] = { + 0x30, 0x82, 0x02, 0x05, 0x30, 0x82, 0x01, 0xab, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x70, 0x06, 0x08, 0xaa, 0xa1, 0xd7, + 0xad, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, + 0x30, 0x30, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, + 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x0d, 0x30, 0x0b, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x4c, 0x6f, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 
0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xfc, 0xcd, + 0xc8, 0x29, 0xba, 0x62, 0x37, 0x7c, 0xc6, 0xc7, 0xb3, 0x6e, 0xa7, 0xc1, 0xaf, 0x76, 0xcd, 0x15, 0xc3, 0x28, 0xbc, 0x4b, 0x6e, + 0x8d, 0x07, 0x78, 0xba, 0x59, 0x7f, 0xbb, 0xf3, 0x0a, 0xe7, 0x12, 0xb6, 0x57, 0xd2, 0xf9, 0xf2, 0xb9, 0x15, 0xf8, 0x23, 0x4c, + 0x87, 0xe2, 0xa3, 0x3b, 0xf5, 0xe7, 0x59, 0x76, 0xe0, 0x4e, 0x6a, 0xd0, 0x3d, 0x85, 0x0b, 0xd1, 0x64, 0x39, 0xf3, 0xcf, 0xa3, + 0x81, 0x8b, 0x30, 0x81, 0x88, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, + 0x04, 0x16, 0x04, 0x14, 0x07, 0x30, 0x1c, 0xef, 0x8b, 0x9e, 0x44, 0x26, 0xd2, 0xe4, 0x6e, 0xc6, 0xfa, 0x3a, 0xd3, 0xb7, 0x44, + 0x1d, 0xef, 0xbd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xaf, 0x42, 0xb7, 0x09, 0x4d, + 0xeb, 0xd5, 0x15, 0xec, 0x6e, 0xcf, 0x33, 0xb8, 0x11, 0x15, 0x22, 0x5f, 0x32, 0x52, 0x88, 0x30, 0x28, 0x06, 0x03, 0x55, 0x1d, + 0x1f, 0x04, 0x21, 0x30, 0x1f, 0x30, 0x1d, 0xa0, 0x1b, 0xa0, 0x19, 0x86, 0x17, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x78, 0x61, 0x6d, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x70, 0x65, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xe6, 0xb8, 0x88, 0x1e, 0xed, 0x0e, 0xa6, + 0x70, 0x82, 0xc0, 0x60, 0x7e, 0x46, 0xf6, 0xca, 0x84, 0x04, 0x31, 0xab, 0xe0, 0x91, 0xd6, 0x17, 0x5d, 0x81, 0x0c, 0x38, 0xa1, + 0xe4, 0xf0, 0x45, 0x77, 0x02, 0x20, 0x39, 0x06, 0x5f, 0xbe, 0xf9, 0xfd, 0xa4, 0x1b, 0x37, 0xaf, 0xcb, 0xb1, 0xf6, 0xdf, 0x09, + 0x0e, 0x1a, 0x44, 0x3b, 0xac, 0x6e, 0x65, 0x2c, 0x3b, 0xda, 0xc1, 0x03, 0xf4, 0xd3, 
0xac, 0x4e, 0x76, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID_Array[] = { + 0x07, 0x30, 0x1C, 0xEF, 0x8B, 0x9E, 0x44, 0x26, 0xD2, 0xE4, 0x6E, 0xC6, 0xFA, 0x3A, 0xD3, 0xB7, 0x44, 0x1D, 0xEF, 0xBD, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID_Array); + +// ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-CDP-Wrong-Prefix-Key.pem + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey_Array[] = { + 0x04, 0xfc, 0xcd, 0xc8, 0x29, 0xba, 0x62, 0x37, 0x7c, 0xc6, 0xc7, 0xb3, 0x6e, 0xa7, 0xc1, 0xaf, 0x76, + 0xcd, 0x15, 0xc3, 0x28, 0xbc, 0x4b, 0x6e, 0x8d, 0x07, 0x78, 0xba, 0x59, 0x7f, 0xbb, 0xf3, 0x0a, 0xe7, + 0x12, 0xb6, 0x57, 0xd2, 0xf9, 0xf2, 0xb9, 0x15, 0xf8, 0x23, 0x4c, 0x87, 0xe2, 0xa3, 0x3b, 0xf5, 0xe7, + 0x59, 0x76, 0xe0, 0x4e, 0x6a, 0xd0, 0x3d, 0x85, 0x0b, 0xd1, 0x64, 0x39, 0xf3, 0xcf, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey_Array); + +constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey_Array[] = { + 0xa5, 0x1d, 0xcd, 0xfc, 0xd9, 0x55, 0xdb, 0x87, 0x24, 0x35, 0x6c, 0x87, 0x12, 0x1a, 0x90, 0xbd, + 0x13, 0x18, 0x53, 0x78, 0xa7, 0xa9, 0x8c, 0x71, 0xf4, 0x70, 0x44, 0xa2, 0xa6, 0xdb, 0xeb, 0xdb, +}; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey = + ByteSpan(sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey_Array); + // ${chip_root}/credentials/test/attestation/Chip-Test-DAC-FFF1-8000-0000-Cert.pem constexpr uint8_t sTestCert_DAC_FFF1_8000_0000_Cert_Array[] = { 
diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.h b/src/credentials/tests/CHIPAttCert_test_vectors.h index 2419c6bfd578c3..1e59b5321cf19d 100644 --- a/src/credentials/tests/CHIPAttCert_test_vectors.h +++ b/src/credentials/tests/CHIPAttCert_test_vectors.h @@ -1,6 +1,6 @@ /* * - * Copyright (c) 2021-2022 Project CHIP Authors + * Copyright (c) 2021-2023 Project CHIP Authors * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -23,6 +23,36 @@ namespace chip { namespace TestCerts { +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PrivateKey; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_PrivateKey; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_PrivateKey; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_PrivateKey; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Long_PrivateKey; + +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_SKID; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PublicKey; +extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_PrivateKey; + extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_Cert; extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_SKID; extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_PublicKey; 
diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index a5e2c080f012a6..1ad60b4c68d61a 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h @@ -52,6 +52,10 @@ constexpr size_t kSubjectKeyIdentifierLength = kSHA1_Hash_Length; constexpr size_t kAuthorityKeyIdentifierLength = kSHA1_Hash_Length; constexpr size_t kMaxCertificateSerialNumberLength = 20; constexpr size_t kMaxCertificateDistinguishedNameLength = 200; +constexpr size_t kMaxCRLDistributionPointURLLength = 100; + +constexpr const char * kValidCDPURIHttpPrefix = "http://"; +constexpr const char * kValidCDPURIHttpsPrefix = "https://"; constexpr size_t CHIP_CRYPTO_GROUP_SIZE_BYTES = kP256_FE_Length; constexpr size_t CHIP_CRYPTO_PUBLIC_KEY_SIZE_BYTES = kP256_Point_Length; @@ -1568,6 +1572,16 @@ CHIP_ERROR ExtractSKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan **/ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan & akid); +/** + * @brief Extracts the CRL Distribution Point (CDP) extension from an X509 ASN.1 Encoded Certificate. + * The returned value only covers the URI of the CDP. Only a single URI distribution point + * GeneralName is supported, and only those that start with "http://" and "https://". + * + * @returns CHIP_ERROR_NOT_FOUND if not found or wrong format. + * CHIP_NO_ERROR otherwise. + **/ +CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl); + /** * @brief Extracts Serial Number from X509 Certificate. **/ diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp index e181190a109bb6..741603e0829d5f 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.cpp +++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp 
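Review bot: The doc comment on ExtractCRLDistributionPointURIFromX509Cert understates the contract: the backends added in this PR also return CHIP_ERROR_INVALID_ARGUMENT for an empty certificate, a backend-specific code when the DER fails to parse, and whatever CopyCharSpanToMutableCharSpan reports (presumably CHIP_ERROR_BUFFER_TOO_SMALL) when `cdpurl` is shorter than the URI, and nothing ties the new kMaxCRLDistributionPointURLLength constant to the buffer the caller must supply. I would extend the `@returns` block with `CHIP_ERROR_INVALID_ARGUMENT if certificate is empty.` and `CHIP_ERROR_BUFFER_TOO_SMALL if cdpurl cannot hold the URI; size it to at least kMaxCRLDistributionPointURLLength.`, and add `@note The URI is copied verbatim from the (device-supplied, untrusted) certificate and is not NUL-terminated; callers that fetch it must validate it as untrusted input.` The two prefix constants would read better as `inline constexpr char kValidCDPURIHttpPrefix[] = "http://";` (same for https), which avoids a per-TU pointer object and lets the backends use `sizeof(kValidCDPURIHttpPrefix) - 1` instead of a runtime strlen.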
@@ -1971,6 +1971,87 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan return ExtractKIDFromX509Cert(false, certificate, akid); } +CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl) +{ + CHIP_ERROR err = CHIP_NO_ERROR; + X509 * x509certificate = nullptr; + const unsigned char * pCertificate = certificate.data(); + const unsigned char ** ppCertificate = &pCertificate; + STACK_OF(DIST_POINT) * crldp = nullptr; + DIST_POINT * dp = nullptr; + GENERAL_NAMES * gens = nullptr; + GENERAL_NAME * gen = nullptr; + ASN1_STRING * uri = nullptr; + const char * urlptr = nullptr; + size_t len = 0; + + VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT); + + x509certificate = d2i_X509(nullptr, ppCertificate, static_cast(certificate.size())); + VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY); + + // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint: + // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + // + // This implementation only supports a single DistributionPoint (sequence of size 1) + crldp = + reinterpret_cast(X509_get_ext_d2i(x509certificate, NID_crl_distribution_points, nullptr, nullptr)); + VerifyOrExit(crldp != nullptr, err = CHIP_ERROR_NOT_FOUND); + VerifyOrExit(sk_DIST_POINT_num(crldp) == 1, err = CHIP_ERROR_NOT_FOUND); + + dp = sk_DIST_POINT_value(crldp, 0); + VerifyOrExit(dp != nullptr, err = CHIP_ERROR_NOT_FOUND); + VerifyOrExit(dp->distpoint != nullptr && dp->distpoint->type == 0, err = CHIP_ERROR_NOT_FOUND); + + // The DistributionPoint is a sequence of three optional elements: + // DistributionPoint ::= SEQUENCE { + // distributionPoint [0] DistributionPointName OPTIONAL, + // reasons [1] ReasonFlags OPTIONAL, + // cRLIssuer [2] GeneralNames OPTIONAL } + // + // where the DistributionPointName is a CHOICE of: + // DistributionPointName ::= CHOICE { 
+ // fullName [0] GeneralNames, + // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + // + // The URI should be encoded in the fullName element. + // This implementation only supports a single GeneralName in the fullName sequence: + // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + gens = dp->distpoint->name.fullname; + VerifyOrExit(sk_GENERAL_NAME_num(gens) == 1, err = CHIP_ERROR_NOT_FOUND); + + // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName: + // GeneralName ::= CHOICE { + // otherName [0] OtherName, + // rfc822Name [1] IA5String, + // dNSName [2] IA5String, + // x400Address [3] ORAddress, + // directoryName [4] Name, + // ediPartyName [5] EDIPartyName, + // uniformResourceIdentifier [6] IA5String, + // iPAddress [7] OCTET STRING, + // registeredID [8] OBJECT IDENTIFIER } + gen = sk_GENERAL_NAME_value(gens, 0); + VerifyOrExit(gen->type == GEN_URI, err = CHIP_ERROR_NOT_FOUND); + + uri = reinterpret_cast(GENERAL_NAME_get0_value(gen, nullptr)); + urlptr = reinterpret_cast(ASN1_STRING_get0_data(uri)); + VerifyOrExit(CanCastTo(ASN1_STRING_length(uri)), err = CHIP_ERROR_NOT_FOUND); + len = static_cast(ASN1_STRING_length(uri)); + VerifyOrExit( + (len > strlen(kValidCDPURIHttpPrefix) && strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) || + (len > strlen(kValidCDPURIHttpsPrefix) && + strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0), + err = CHIP_ERROR_NOT_FOUND); + err = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl); + +exit: + sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); + X509_free(x509certificate); + + return err; +} + CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber) { CHIP_ERROR err = CHIP_NO_ERROR; diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index e8d4b75c9221b1..d1afbf1dbb05e3 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp 
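Review bot: `VerifyOrExit(x509certificate != nullptr, err = CHIP_ERROR_NO_MEMORY);` after d2i_X509 reports a certificate that fails DER parsing as an out-of-memory condition, while the PSA/mbedTLS backends in this same PR return CHIP_ERROR_INTERNAL for the equivalent mbedtls_x509_crt_parse failure; a malformed DAC is bad input, not resource exhaustion, so use the code the sibling Extract*FromX509Cert functions in this file use for d2i_X509 failures and keep the backends consistent. The `reasons` and `CRLissuer` members of the DistributionPoint are never examined, so a certificate whose CRL is issued by a different entity (indirect CRL, RFC 5280 §4.2.1.13) is accepted and the returned URI silently points at a CRL that presumably cannot be validated against the DAC's issuer; if only plain full-CRL pointers are meant to be supported, add `VerifyOrExit(dp->reasons == nullptr && dp->CRLissuer == nullptr, err = CHIP_ERROR_NOT_FOUND);` next to the `distpoint->type == 0` check and mirror it in the mbedTLS backends. The scheme comparison is case-sensitive, so `HTTPS://` is rejected although schemes are case-insensitive per RFC 3986 — acceptable if the Matter spec mandates lowercase, but worth a comment on the strncmp lines. The comment typo `secuense` (sequence) appears here and in the mbedTLS copies.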
+++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -1218,6 +1218,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 } constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F }; constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; +constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F }; /** * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid). 
@@ -1684,6 +1685,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan return ExtractKIDFromX509Cert(false, certificate, akid); } +CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl) +{ +#if defined(MBEDTLS_X509_CRT_PARSE_C) + CHIP_ERROR error = CHIP_ERROR_NOT_FOUND; + mbedtls_x509_crt mbed_cert; + unsigned char * p = nullptr; + const unsigned char * end = nullptr; + size_t len = 0; + size_t cdpExtCount = 0; + + VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT); + + mbedtls_x509_crt_init(&mbed_cert); + + int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size()); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); + + p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p); + end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) + + mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len); + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); + + while (p < end) + { + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID); + VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); + + mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p }; + bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID); + p += len; + + int is_critical = 0; + result = mbedtls_asn1_get_bool(&p, end, &is_critical); + VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE); + + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + 
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE); + + unsigned char * end_of_ext = p + len; + + if (isCurrentExtCDP) + { + // Only one CRL Distribution Point Extension is allowed. + cdpExtCount++; + VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND); + + // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint: + // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + // + // This implementation only supports a single DistributionPoint (sequence of size 1), + // which is verified by comparing (p + len == end_of_ext) + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND); + VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND); + + // The DistributionPoint is a sequence of three optional elements: + // DistributionPoint ::= SEQUENCE { + // distributionPoint [0] DistributionPointName OPTIONAL, + // reasons [1] ReasonFlags OPTIONAL, + // cRLIssuer [2] GeneralNames OPTIONAL } + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND); + VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND); + + // The DistributionPointName is: + // DistributionPointName ::= CHOICE { + // fullName [0] GeneralNames, + // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + // + // The URI should be encoded in the fullName element. 
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0); + VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND); + + // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED); + VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND); + + // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName: + // GeneralName ::= CHOICE { + // otherName [0] OtherName, + // rfc822Name [1] IA5String, + // dNSName [2] IA5String, + // x400Address [3] ORAddress, + // directoryName [4] Name, + // ediPartyName [5] EDIPartyName, + // uniformResourceIdentifier [6] IA5String, + // iPAddress [7] OCTET STRING, + // registeredID [8] OBJECT IDENTIFIER } + result = + mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER); + VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND); + + const char * urlptr = reinterpret_cast(p); + VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) && + strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) || + (len > strlen(kValidCDPURIHttpsPrefix) && + strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0), + error = CHIP_ERROR_NOT_FOUND); + error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl); + SuccessOrExit(error); + } + p = end_of_ext; + } + + VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND); + +exit: + logMbedTLSError(result); + mbedtls_x509_crt_free(&mbed_cert); + +#else + (void) certificate; + (void) cdpurl; + CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED; +#endif // defined(MBEDTLS_X509_CRT_PARSE_C) + + return error; +} + CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber) { #if defined(MBEDTLS_X509_CRT_PARSE_C) 
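Review bot: The fullName parsing accepts more than one GeneralName: after the `MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER` tag is read there is no check that the URI ends the extension, so a certificate carrying two URIs in one DistributionPoint (presumably what the new CDP_2URIs test vector encodes) has its first URI returned here while the OpenSSL backend's `sk_GENERAL_NAME_num(gens) == 1` check returns CHIP_ERROR_NOT_FOUND, and a trailing `reasons`/`cRLIssuer` element after `distributionPoint [0]` is likewise ignored. The three nested mbedtls_asn1_get_tag calls are also bounded by `end` (the end of all extensions) rather than `end_of_ext`, so a crafted length can make the copied URI span bytes of the following extension. I would bound the nested parsing to `end_of_ext` and require `p + len == end_of_ext` after each nested tag, as is already done for the two outer SEQUENCEs; CHIPCryptoPALmbedTLS.cpp appears to be a verbatim copy of this function and needs the same change. This is also what the `@brief` in CHIPCryptoPAL.h promises ("Only a single URI distribution point GeneralName is supported").
```cpp
            // … unchanged: CRLDistributionPoints / DistributionPoint SEQUENCE parsing …
            result = mbedtls_asn1_get_tag(&p, end_of_ext, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
            // distributionPoint must be the last element: rejects trailing reasons / cRLIssuer.
            VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);

            result = mbedtls_asn1_get_tag(&p, end_of_ext, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
            VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);

            result = mbedtls_asn1_get_tag(&p, end_of_ext, &len,
                                          MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
            VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
            // Exactly one GeneralName: the URI must end the extension (matches the OpenSSL backend).
            VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
            // … unchanged: scheme prefix check and CopyCharSpanToMutableCharSpan …
```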
diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 92ec3048fe8de6..195bd56cf745a2 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1309,6 +1309,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 } constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F }; constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E }; constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 }; +constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F }; /** * Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid). 
@@ -1776,6 +1777,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
return ExtractKIDFromX509Cert(false, certificate, akid);
}
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
{
#if defined(MBEDTLS_X509_CRT_PARSE_C)
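Review bot: The `[6]` uniformResourceIdentifier element near the end of the hunk is the one inner element whose length is never reconciled with the extension boundary: `mbedtls_asn1_get_tag` bounds `len` only by `end`, the end of the whole v3 extension list, so a certificate whose inner lengths disagree with the enclosing OCTET STRING lets `CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl)` copy bytes that belong to the next extension, and because the loop then jumps to `p = end_of_ext`, any further GeneralName after the first URI in the same fullName is skipped rather than rejected (whether the `CDP_2URIs` test cert uses that layout or two DistributionPoints is not visible here). Adding `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);` right after the `VerifyOrExit(result == 0, ...)` that follows the `MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER` tag closes both gaps, and the same line after the two `[0]` tags carries the invariant the outer sequences already enforce all the way down. The IA5String bytes are copied unvalidated, so rejecting anything outside printable ASCII (in particular an embedded NUL, which would truncate `cdpurl` at any later C-string consumer) would be a cheap extra guard. This 120-line body is pasted verbatim into four platform PAL files in the same change, so whatever lands here has to be replicated in each of them.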
diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp
index 5f377841935725..9eb01b6723dabb 100644
--- a/src/crypto/tests/CHIPCryptoPALTest.cpp
+++ b/src/crypto/tests/CHIPCryptoPALTest.cpp
@@ -2106,6 +2106,54 @@ static void TestAKID_x509Extraction(nlTestSuite * inSuite, void * inContext)
}
}
+static void TestCDPExtension_x509Extraction(nlTestSuite * inSuite, void * inContext)
+{
+ using namespace TestCerts;
+
+ HeapChecker heapChecker(inSuite);
+ CHIP_ERROR err = CHIP_NO_ERROR;
+
+ struct CDPTestCase
+ {
+ ByteSpan Cert;
+ CHIP_ERROR mExpectedError;
+ CharSpan mExpectedResult;
+ };
+
+ constexpr const char * exampleHttpURI = "http://example.com/crl.pem";
+ constexpr const char * exampleHttpsURI = "https://example.com/crl.pem";
+
+ // clang-format off
+ static CDPTestCase sCDPTestCases[] = {
+ // Cert Expected Error Expected Output
+ // ===============================================================================================
+ { ByteSpan(), CHIP_ERROR_INVALID_ARGUMENT, CharSpan() },
+ { sTestCert_PAA_FFF1_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_PAI_FFF2_8001_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF2_8003_0019_FB_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Cert, CHIP_NO_ERROR, CharSpan::fromCharString(exampleHttpURI) },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_HTTPS_Cert, CHIP_NO_ERROR, CharSpan::fromCharString(exampleHttpsURI) },
+ { sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_2URIs_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Wrong_Prefix_Cert, CHIP_ERROR_NOT_FOUND, CharSpan() },
+ { sTestCert_DAC_FFF1_8000_0000_CDP_Long_Cert, CHIP_ERROR_BUFFER_TOO_SMALL, CharSpan() },
+ };
+ // clang-format on
+
+ for (auto & testCase : sCDPTestCases)
+ {
+ char cdpBuf[kMaxCRLDistributionPointURLLength] = { '\0' };
+ MutableCharSpan cdp(cdpBuf);
+ err = ExtractCRLDistributionPointURIFromX509Cert(testCase.Cert, cdp);
+ NL_TEST_ASSERT(inSuite, err == testCase.mExpectedError);
+ if (err == CHIP_NO_ERROR)
+ {
+ NL_TEST_ASSERT(inSuite, cdp.size() == testCase.mExpectedResult.size());
+
NL_TEST_ASSERT(inSuite, cdp.data_equal(testCase.mExpectedResult));
+ }
+ }
+}
+
static void TestSerialNumber_x509Extraction(nlTestSuite * inSuite, void * inContext)
{
using namespace TestCerts;
@@ -2703,6 +2751,7 @@ static const nlTest sTests[] = {
NL_TEST_DEF("Test x509 Certificate Timestamp Validation", TestX509_IssuingTimestampValidation),
NL_TEST_DEF("Test Subject Key Id Extraction from x509 Certificate", TestSKID_x509Extraction),
NL_TEST_DEF("Test Authority Key Id Extraction from x509 Certificate", TestAKID_x509Extraction),
+ NL_TEST_DEF("Test CRL Distribution Point Extension Extraction from x509 Certificate", TestCDPExtension_x509Extraction),
NL_TEST_DEF("Test Serial Number Extraction from x509 Certificate", TestSerialNumber_x509Extraction),
NL_TEST_DEF("Test Subject Extraction from x509 Certificate", TestSubject_x509Extraction),
NL_TEST_DEF("Test Issuer Extraction from x509 Certificate", TestIssuer_x509Extraction),
diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
index e5fedf2d7f994d..96973dcf12046d 100644
--- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
+++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp
@@ -1150,6 +1150,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
/**
* Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
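Review bot: The table in `TestCDPExtension_x509Extraction` leaves untested the branches the parser handles explicitly: a `fullName` whose first GeneralName is not a URI (a dNSName, say), a DistributionPoint that carries `reasons` or `cRLIssuer` next to `distributionPoint`, and a CDP extension flagged critical (the `mbedtls_asn1_get_bool` path); each should be pinned to a fixed error so a later refactor cannot silently widen what is accepted. The error rows also say nothing about `cdp` afterwards, so an assertion that a failed call leaves the span at its initial size would pin that part of the contract too (assuming `CopyCharSpanToMutableCharSpan` returns before touching its output, which is not visible here). On style, `CDPTestCase` mixes `Cert` with `mExpectedError`/`mExpectedResult`; `ByteSpan mCert;` and `testCase.mCert` in the loop keep the member prefix consistent.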
@@ -1612,6 +1613,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
return ExtractKIDFromX509Cert(false, certificate, akid);
}
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
{
#if defined(MBEDTLS_X509_CRT_PARSE_C)
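Review bot: This NXP copy of `ExtractCRLDistributionPointURIFromX509Cert` carries the same gap as the body in `CHIPCryptoPALmbedTLS.cpp`: after the `MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER` tag, `len` is bounded only by `end` (the end of all v3 extensions) and never by `end_of_ext`, so `CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl)` can read into the following extension when the inner lengths are inconsistent, and any GeneralName after the first URI is skipped by `p = end_of_ext` instead of being rejected. One line after that tag's `VerifyOrExit(result == 0, ...)` fixes it: `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);`. Since every copy in this change sits on the same `mbedtls_x509_crt` / `mbedtls_asn1_get_tag` API, the parser belongs in one shared mbedTLS helper rather than five files that must be patched in lock-step.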
diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
index 93c286c0edaa9f..b7d49c4fdb2e66 100644
--- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
+++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp
@@ -1120,6 +1120,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
/**
* Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1581,6 +1582,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
return ExtractKIDFromX509Cert(false, certificate, akid);
}
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
{
#if defined(MBEDTLS_X509_CRT_PARSE_C)
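Review bot: The K32W0 copy repeats the unchecked URI length: once the `MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER` tag is accepted, nothing compares `p + len` against `end_of_ext`, so the subsequent `CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl)` is bounded only by the end of the whole extension list and a trailing GeneralName in the same fullName is silently dropped by `p = end_of_ext`. Insert `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);` after the tag's `VerifyOrExit(result == 0, ...)`, mirroring the two checks already applied to the outer SEQUENCEs. A fix made in one of the five identical bodies in this change and missed in another leaves this platform parsing attestation certificates differently from the others, which is a strong argument for a single shared implementation.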
diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
index 321aaac5363d19..1bcfbdc59edaa5 100644
--- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
+++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
@@ -1151,6 +1151,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
/**
* Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1612,6 +1613,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
return ExtractKIDFromX509Cert(false, certificate, akid);
}
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
{
#if defined(MBEDTLS_X509_CRT_PARSE_C)
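Review bot: The SiWx917 copy has the same unbounded URI element as the other four bodies: after the `[6]` tag is accepted, `len` is only constrained by `end` (the end of every v3 extension), so the `CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl)` that follows can pull bytes from the next extension when a certificate's inner lengths are inconsistent, and a second GeneralName in the same fullName is skipped rather than refused. The fix is the one line the outer SEQUENCEs already use, `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);`, placed after the tag's `VerifyOrExit(result == 0, ...)`. Please also consider hoisting this parser into a single mbedTLS-based helper; five identical copies of an attestation-path ASN.1 walker will drift the first time one of them is patched.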
diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
index 63a7a17308ab13..e0b5906c1a816b 100644
--- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
+++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp
@@ -1457,6 +1457,7 @@ constexpr uint8_t sOID_Extension_BasicConstraints[] = { 0x55, 0x1D, 0x13 }
constexpr uint8_t sOID_Extension_KeyUsage[] = { 0x55, 0x1D, 0x0F };
constexpr uint8_t sOID_Extension_SubjectKeyIdentifier[] = { 0x55, 0x1D, 0x0E };
constexpr uint8_t sOID_Extension_AuthorityKeyIdentifier[] = { 0x55, 0x1D, 0x23 };
+constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F };
/**
* Compares an mbedtls_asn1_buf structure (oidBuf) to a reference OID represented as uint8_t array (oid).
@@ -1973,6 +1974,128 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
return ExtractKIDFromX509Cert(false, certificate, akid);
}
+CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
+{
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
+ mbedtls_x509_crt mbed_cert;
+ unsigned char * p = nullptr;
+ const unsigned char * end = nullptr;
+ size_t len = 0;
+ size_t cdpExtCount = 0;
+
+ VerifyOrReturnError(!certificate.empty() && CanCastTo(certificate.size()), CHIP_ERROR_INVALID_ARGUMENT);
+
+ mbedtls_x509_crt_init(&mbed_cert);
+
+ int result = mbedtls_x509_crt_parse(&mbed_cert, Uint8::to_const_uchar(certificate.data()), certificate.size());
+ VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+
+ p = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p);
+ end = mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(p) +
+ mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(v3_ext).CHIP_CRYPTO_PAL_PRIVATE_X509(len);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ while (p < end)
+ {
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ mbedtls_x509_buf extOID = { MBEDTLS_ASN1_OID, len, p };
+ bool isCurrentExtCDP = OID_CMP(sOID_Extension_CRLDistributionPoint, extOID);
+ p += len;
+
+ int is_critical = 0;
+ result = mbedtls_asn1_get_bool(&p, end, &is_critical);
+ VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+
VerifyOrExit(result == 0, error = CHIP_ERROR_WRONG_CERT_TYPE);
+
+ unsigned char * end_of_ext = p + len;
+
+ if (isCurrentExtCDP)
+ {
+ // Only one CRL Distribution Point Extension is allowed.
+ cdpExtCount++;
+ VerifyOrExit(cdpExtCount <= 1, error = CHIP_ERROR_NOT_FOUND);
+
+ // CRL Distribution Point Extension is encoded as a secuense of DistributionPoint:
+ // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ //
+ // This implementation only supports a single DistributionPoint (sequence of size 1),
+ // which is verified by comparing (p + len == end_of_ext)
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPoint is a sequence of three optional elements:
+ // DistributionPoint ::= SEQUENCE {
+ // distributionPoint [0] DistributionPointName OPTIONAL,
+ // reasons [1] ReasonFlags OPTIONAL,
+ // cRLIssuer [2] GeneralNames OPTIONAL }
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+ VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);
+
+ // The DistributionPointName is:
+ // DistributionPointName ::= CHOICE {
+ // fullName [0] GeneralNames,
+ // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+ //
+ // The URI should be encoded in the fullName element.
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ result = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ // The CDP URI is encoded as a uniformResourceIdentifier field of the GeneralName:
+ // GeneralName ::= CHOICE {
+ // otherName [0] OtherName,
+ // rfc822Name [1] IA5String,
+ // dNSName [2] IA5String,
+ // x400Address [3] ORAddress,
+ // directoryName [4] Name,
+ // ediPartyName [5] EDIPartyName,
+ // uniformResourceIdentifier [6] IA5String,
+ // iPAddress [7] OCTET STRING,
+ // registeredID [8] OBJECT IDENTIFIER }
+ result =
+ mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER);
+ VerifyOrExit(result == 0, error = CHIP_ERROR_NOT_FOUND);
+
+ const char * urlptr = reinterpret_cast(p);
+ VerifyOrExit((len > strlen(kValidCDPURIHttpPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpPrefix, strlen(kValidCDPURIHttpPrefix)) == 0) ||
+ (len > strlen(kValidCDPURIHttpsPrefix) &&
+ strncmp(urlptr, kValidCDPURIHttpsPrefix, strlen(kValidCDPURIHttpsPrefix)) == 0),
+ error = CHIP_ERROR_NOT_FOUND);
+ error = CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl);
+ SuccessOrExit(error);
+ }
+ p = end_of_ext;
+ }
+
+ VerifyOrExit(cdpExtCount == 1, error = CHIP_ERROR_NOT_FOUND);
+
+exit:
+ _log_mbedTLS_error(result);
+ mbedtls_x509_crt_free(&mbed_cert);
+
+#else
+ (void) certificate;
+ (void) cdpurl;
+ CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
+#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+
+ return error;
+}
+
CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
{
#if defined(MBEDTLS_X509_CRT_PARSE_C)
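Review bot: The EFR32 copy leaves the `[6]` URI element unbounded against the extension it sits in, exactly like the other bodies in this change: `mbedtls_asn1_get_tag` checks `len` only against `end`, so `CopyCharSpanToMutableCharSpan(CharSpan(urlptr, len), cdpurl)` may copy bytes past the CDP OCTET STRING into the following extension on a certificate with inconsistent inner lengths, and any GeneralName after the first URI is discarded by `p = end_of_ext` instead of making the certificate fail. Add `VerifyOrExit(p + len == end_of_ext, error = CHIP_ERROR_NOT_FOUND);` after the tag's `VerifyOrExit(result == 0, ...)`, the same check the two outer SEQUENCEs already get. Given that this file, the SiWx917, K32W0 and NXP-common PALs and the generic mbedTLS PAL all walk the same `mbedtls_x509_crt`, one shared helper would make this the last time the same defect has to be fixed five times.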
diff --git a/src/tools/chip-cert/CertUtils.cpp b/src/tools/chip-cert/CertUtils.cpp
index 2fece459ac4495..3fcf474e9abba8 100644
--- a/src/tools/chip-cert/CertUtils.cpp
+++ b/src/tools/chip-cert/CertUtils.cpp
@@ -1,6 +1,6 @@
/*
*
- * Copyright (c) 2021-2022 Project CHIP Authors
+ * Copyright (c) 2021-2023 Project CHIP Authors
* Copyright (c) 2013-2017 Nest Labs, Inc.
* All rights reserved.
*
@@ -1284,7 +1284,8 @@ bool ResignCert(X509 * cert, X509 * caCert, EVP_PKEY * caKey)
bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subjectVID, uint16_t subjectPID, bool encodeVIDandPIDasCN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays,
- X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig)
+ X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig, const FutureExtensionWithNID * exts,
+ uint8_t extsCount)
{
bool res = true;
uint16_t vid = certConfig.IsSubjectVIDMismatch() ? static_cast(subjectVID + 1) : subjectVID;
@@ -1468,6 +1469,12 @@ bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subje
VerifyTrueOrExit(res);
}
+ for (uint8_t i = 0; i < extsCount; i++)
+ {
+ res = AddExtension(newCert, exts[i].nid, exts[i].info);
+ VerifyTrueOrExit(res);
+ }
+
// Sign the new certificate.
if (!X509_sign(newCert, caKey, certConfig.GetSignatureAlgorithmDER()))
{
diff --git a/src/tools/chip-cert/Cmd_GenAttCert.cpp b/src/tools/chip-cert/Cmd_GenAttCert.cpp
index 270e42cfcbd1d6..7f57e1df20542d 100644
--- a/src/tools/chip-cert/Cmd_GenAttCert.cpp
+++ b/src/tools/chip-cert/Cmd_GenAttCert.cpp
@@ -1,6 +1,6 @@
/*
*
- * Copyright (c) 2021-2022 Project CHIP Authors
+ * Copyright (c) 2021-2023 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
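Review bot: The new loop in the `@@ -1468` hunk indexes `exts[i]` with no guard on `exts` being null while `extsCount` is non-zero, and the two parameters added to `MakeAttCert` in the `@@ -1284` hunk carry no documentation; `MakeAttCert` begins and ends outside both hunks. A one-liner before the loop in the idiom the hunk already uses, `res = (extsCount == 0 || exts != nullptr); VerifyTrueOrExit(res);`, turns a caller mistake into a clean failure instead of a crash in the certificate-generation tool. The signature would also benefit from a comment such as `// exts/extsCount: optional extra extensions (NID + OpenSSL conf value), appended after the profile's standard ones, e.g. NID_crl_distribution_points`, since `FutureExtensionWithNID` is only hinted at by the `chip-cert.h` diff below.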
@@ -57,6 +57,7 @@ OptionDef gCmdOptionDefs[] =
 { "out-key", kArgumentRequired, 'O' },
 { "valid-from", kArgumentRequired, 'f' },
 { "lifetime", kArgumentRequired, 'l' },
+ { "cpd-ext", kArgumentRequired, 'x' },
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 { "ignore-error", kNoArgument, 'I' },
 { "error-type", kArgumentRequired, 'E' },
@@ -125,6 +126,11 @@ const char * const gCmdOptionHelp =
 " 4294967295 to indicate that certificate doesn't have well defined\n"
 " expiration date\n"
 "\n"
+ " -x, --cpd-ext \n"
+ "\n"
+ " CRL Distribution Points (CDP) extension (NID_crl_distribution_points) extension to be added to the list\n"
+ " of certificate extensions.\n"
+ "\n"
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 " -I, --ignore-error\n"
 "\n"
@@ -201,17 +207,19 @@ OptionSet *gCmdOptionSets[] =
 };
 // clang-format on
-AttCertType gAttCertType = kAttCertType_NotSpecified;
-const char * gSubjectCN = nullptr;
-uint16_t gSubjectVID = VendorId::NotSpecified;
-uint16_t gSubjectPID = 0;
-bool gEncodeVIDandPIDasCN = false;
-const char * gCACertFileNameOrStr = nullptr;
-const char * gCAKeyFileNameOrStr = nullptr;
-const char * gInKeyFileNameOrStr = nullptr;
-const char * gOutCertFileName = nullptr;
-const char * gOutKeyFileName = nullptr;
-uint32_t gValidDays = kCertValidDays_Undefined;
+AttCertType gAttCertType = kAttCertType_NotSpecified;
+const char * gSubjectCN = nullptr;
+uint16_t gSubjectVID = VendorId::NotSpecified;
+uint16_t gSubjectPID = 0;
+bool gEncodeVIDandPIDasCN = false;
+const char * gCACertFileNameOrStr = nullptr;
+const char * gCAKeyFileNameOrStr = nullptr;
+const char * gInKeyFileNameOrStr = nullptr;
+const char * gOutCertFileName = nullptr;
+const char * gOutKeyFileName = nullptr;
+uint32_t gValidDays = kCertValidDays_Undefined;
+FutureExtensionWithNID gCPDExtensions[3] = { { 0, nullptr } };
+uint8_t gCPDExtensionsCount = 0;
 struct tm gValidFrom;
 CertStructConfig gCertConfig;
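Review bot: The help text added in the -125 hunk repeats the word "extension" (`... (NID_crl_distribution_points) extension to be added ...`) and does not tell the user that the option is repeatable or how many times, although the three-element `gCPDExtensions` array in the -201 hunk caps it at three; suggested wording: `CRL Distribution Points (CDP) extension (NID_crl_distribution_points) to be added to the certificate. May be specified up to three times.`. The option and the globals spell the abbreviation `cpd`/`CPD` while the help text, the extension's own name and the mbedTLS-side parser on the previous line use `CDP`; aligning them (`--cdp-ext`, `gCDPExtensions`) in this hunk and in the -57 and -201 hunks, plus the `case 'x'` hunk on the next line, would avoid a confusing flag name. The new globals in the -201 hunk would also benefit from a one-line comment stating that `gCPDExtensions[i].info` only borrows the argv string handed to HandleOption.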
@@ -291,6 +299,11 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char
 return false;
 }
 break;
+ case 'x':
+ gCPDExtensions[gCPDExtensionsCount].nid = NID_crl_distribution_points;
+ gCPDExtensions[gCPDExtensionsCount].info = arg;
+ gCPDExtensionsCount++;
+ break;
 #if CHIP_CONFIG_INTERNAL_FLAG_GENERATE_DA_TEST_CASES
 case 'I':
 gCertConfig.EnableErrorTestCase();
@@ -555,7 +568,7 @@ bool Cmd_GenAttCert(int argc, char * argv[])
 if (gAttCertType == kAttCertType_PAA)
 {
 res = MakeAttCert(gAttCertType, gSubjectCN, gSubjectVID, gSubjectPID, gEncodeVIDandPIDasCN, newCert.get(), newKey.get(),
- gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig);
+ gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig, gCPDExtensions, gCPDExtensionsCount);
 VerifyTrueOrExit(res);
 }
 else
@@ -570,7 +583,7 @@ bool Cmd_GenAttCert(int argc, char * argv[])
 VerifyTrueOrExit(res);
 res = MakeAttCert(gAttCertType, gSubjectCN, gSubjectVID, gSubjectPID, gEncodeVIDandPIDasCN, caCert.get(), caKey.get(),
- gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig);
+ gValidFrom, gValidDays, newCert.get(), newKey.get(), gCertConfig, gCPDExtensions, gCPDExtensionsCount);
 VerifyTrueOrExit(res);
 }
diff --git a/src/tools/chip-cert/chip-cert.h b/src/tools/chip-cert/chip-cert.h
index 1c0e4a2b1d90d9..2f203193e38e44 100644
--- a/src/tools/chip-cert/chip-cert.h
+++ b/src/tools/chip-cert/chip-cert.h
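Review bot: The new `case 'x'` branch in HandleOption writes `gCPDExtensions[gCPDExtensionsCount]` and increments the counter without comparing it to the array's size, so a fourth `--cpd-ext` on the command line writes past the three-element `gCPDExtensions` array declared on the previous line (-201 hunk). Guard the write and reject the option the way the neighbouring cases do (report, then `return false`): `if (gCPDExtensionsCount >= ArraySize(gCPDExtensions)) { PrintArgError("%s: Too many --cpd-ext options specified\n", progName); return false; }` placed before the two assignments. Storing `arg` as a bare pointer is only sound if the argv string outlives the command, which appears to be the case for this parser but is worth a comment next to the assignment. The two MakeAttCert call-site hunks below merely forward the array and count and need no change once the bound is enforced here; HandleOption's body starts and ends outside the hunk.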
@@ -437,7 +437,8 @@ extern bool ResignCert(X509 * cert, X509 * caCert, EVP_PKEY * caKey);
 extern bool MakeAttCert(AttCertType attCertType, const char * subjectCN, uint16_t subjectVID, uint16_t subjectPID,
 bool encodeVIDandPIDasCN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays,
- X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig);
+ X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig, const FutureExtensionWithNID * exts,
+ uint8_t extsCount);
 extern bool GenerateKeyPair(EVP_PKEY * key);
 extern bool GenerateKeyPair_Secp256k1(EVP_PKEY * key);
 extern bool ReadKey(const char * fileNameOrStr, std::unique_ptr & key,