Add APIs to generate minimal CHIP x509 encoded certificates (#6370)

* Add APIs to generate minimal CHIP x509 encoded certificates * fix build errors * address review comments * address some review comments * some more cleanup * Fix test stack usage * remove PutRaw() and add a TODO * add anonymous namespace * Check that serial number is not negative
project-chip · Sep 9, 2021 · 2452953 · 2452953
1 parent 8512279
commit 2452953
Show file tree

Hide file tree

Showing 7 changed files with 858 additions and 6 deletions.
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -25,6 +25,7 @@ static_library("credentials") {
     "CHIPCertToX509.cpp",
     "CHIPOperationalCredentials.cpp",
     "CHIPOperationalCredentials.h",
+    "GenerateChipX509Cert.cpp",
   ]
 
   cflags = [ "-Wconversion" ]

diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
@@ -641,6 +641,88 @@ CHIP_ERROR ConvertX509CertToChipCert(const uint8_t * x509Cert, uint32_t x509Cert
 CHIP_ERROR ConvertChipCertToX509Cert(const uint8_t * chipCert, uint32_t chipCertLen, uint8_t * x509CertBuf,
                                      uint32_t x509CertBufSize, uint32_t & x509CertLen);
 
+/**
+ * @brief Generate a standard X.509 DER encoded certificate using provided CHIP certificate and signing key
+ *
+ * @param chipCert        Buffer containing CHIP certificate.
+ * @param chipCertLen     The length of the CHIP certificate.
+ * @param keypair         The certificate signing key
+ * @param x509CertBuf     Buffer to store signed certificate in X.509 DER format.
+ * @param x509CertBufSize The size of the buffer to store converted certificate.
+ * @param x509CertLen     The length of the converted certificate.
+ *
+ * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+ **/
+CHIP_ERROR GenerateSignedX509CertFromChipCert(const uint8_t * chipCert, uint32_t chipCertLen, Crypto::P256Keypair & keypair,
+                                              uint8_t * x509CertBuf, uint32_t x509CertBufSize, uint32_t & x509CertLen);
+
+// TODO: Add support for Authentication Tag Attribute
+struct X509CertRequestParams
+{
+    int64_t SerialNumber;
+    uint64_t Issuer;
+    uint32_t ValidityStart;
+    uint32_t ValidityEnd;
+    bool HasFabricID;
+    uint64_t FabricID;
+    bool HasNodeID;
+    uint64_t NodeID;
+};
+
+enum CertificateIssuerLevel
+{
+    kIssuerIsRootCA,
+    kIssuerIsIntermediateCA,
+};
+
+/**
+ * @brief Generate a new X.509 DER encoded Root CA certificate
+ *
+ * @param requestParams   Certificate request parameters.
+ * @param issuerKeypair   The certificate signing key
+ * @param x509CertBuf     Buffer to store signed certificate in X.509 DER format.
+ * @param x509CertBufSize The size of the buffer to store converted certificate.
+ * @param x509CertLen     The length of the converted certificate.
+ *
+ * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+ **/
+CHIP_ERROR NewRootX509Cert(const X509CertRequestParams & requestParams, Crypto::P256Keypair & issuerKeypair, uint8_t * x509CertBuf,
+                           uint32_t x509CertBufSize, uint32_t & x509CertLen);
+
+/**
+ * @brief Generate a new X.509 DER encoded Intermediate CA certificate
+ *
+ * @param requestParams   Certificate request parameters.
+ * @param subject         The requested subject ID
+ * @param subjectPubkey   The public key of subject
+ * @param issuerKeypair   The certificate signing key
+ * @param x509CertBuf     Buffer to store signed certificate in X.509 DER format.
+ * @param x509CertBufSize The size of the buffer to store converted certificate.
+ * @param x509CertLen     The length of the converted certificate.
+ *
+ * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+ **/
+CHIP_ERROR NewICAX509Cert(const X509CertRequestParams & requestParams, uint64_t subject,
+                          const Crypto::P256PublicKey & subjectPubkey, Crypto::P256Keypair & issuerKeypair, uint8_t * x509CertBuf,
+                          uint32_t x509CertBufSize, uint32_t & x509CertLen);
+
+/**
+ * @brief Generate a new X.509 DER encoded Node operational certificate
+ *
+ * @param requestParams   Certificate request parameters.
+ * @param issuerLevel     Indicates if the issuer is a root CA or an intermediate CA
+ * @param subjectPubkey   The public key of subject
+ * @param issuerKeypair   The certificate signing key
+ * @param x509CertBuf     Buffer to store signed certificate in X.509 DER format.
+ * @param x509CertBufSize The size of the buffer to store converted certificate.
+ * @param x509CertLen     The length of the converted certificate.
+ *
+ * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+ **/
+CHIP_ERROR NewNodeOperationalX509Cert(const X509CertRequestParams & requestParams, CertificateIssuerLevel issuerLevel,
+                                      const Crypto::P256PublicKey & subjectPubkey, Crypto::P256Keypair & issuerKeypair,
+                                      uint8_t * x509CertBuf, uint32_t x509CertBufSize, uint32_t & x509CertLen);
+
 /**
  * @brief
  *   Convert a certificate date/time (in the form of an ASN.1 universal time structure) into a CHIP Epoch UTC time.