Make AddAttribute() APIs More Error Prone for Consumers (#17190)
* Added separate AddAttribute_***() method for each attribute type.
 * some minor updates to the Matter attribute names
emargolis authored and pull[bot] committed Nov 6, 2023
1 parent a93d533 commit 3077881
Showing 10 changed files with 205 additions and 183 deletions.
8 changes: 4 additions & 4 deletions src/controller/ExampleOperationalCredentialsIssuer.cpp
@@ -131,7 +131,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
// If root certificate not found in the storage, generate new root certificate.
else
{
ReturnErrorOnFailure(rcac_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipRootId, mIssuerId));
ReturnErrorOnFailure(rcac_dn.AddAttribute_MatterRCACId(mIssuerId));

ChipLogProgress(Controller, "Generating RCAC");
X509CertRequestParams rcac_request = { 0, mNow, mNow + mValidity, rcac_dn, rcac_dn };
@@ -155,7 +155,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
// If intermediate certificate not found in the storage, generate new intermediate certificate.
else
{
ReturnErrorOnFailure(icac_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipICAId, mIntermediateIssuerId));
ReturnErrorOnFailure(icac_dn.AddAttribute_MatterICACId(mIntermediateIssuerId));

ChipLogProgress(Controller, "Generating ICAC");
X509CertRequestParams icac_request = { 0, mNow, mNow + mValidity, icac_dn, rcac_dn };
@@ -167,8 +167,8 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
}

ChipDN noc_dn;
ReturnErrorOnFailure(noc_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipFabricId, fabricId));
ReturnErrorOnFailure(noc_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipNodeId, nodeId));
ReturnErrorOnFailure(noc_dn.AddAttribute_MatterFabricId(fabricId));
ReturnErrorOnFailure(noc_dn.AddAttribute_MatterNodeId(nodeId));
ReturnErrorOnFailure(noc_dn.AddCATs(cats));

ChipLogProgress(Controller, "Generating NOC");
6 changes: 3 additions & 3 deletions src/controller/java/AndroidOperationalCredentialsIssuer.cpp
@@ -97,7 +97,7 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
// If root certificate not found in the storage, generate new root certificate.
else
{
ReturnErrorOnFailure(rcac_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipRootId, mIssuerId));
ReturnErrorOnFailure(rcac_dn.AddAttribute_MatterRCACId(mIssuerId));

ChipLogProgress(Controller, "Generating RCAC");
chip::Credentials::X509CertRequestParams rcac_request = { 0, mNow, mNow + mValidity, rcac_dn, rcac_dn };
@@ -111,8 +111,8 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
icac.reduce_size(0);

ChipDN noc_dn;
ReturnErrorOnFailure(noc_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipFabricId, fabricId));
ReturnErrorOnFailure(noc_dn.AddAttribute(chip::ASN1::kOID_AttributeType_ChipNodeId, nodeId));
ReturnErrorOnFailure(noc_dn.AddAttribute_MatterFabricId(fabricId));
ReturnErrorOnFailure(noc_dn.AddAttribute_MatterNodeId(nodeId));
ReturnErrorOnFailure(noc_dn.AddCATs(cats));

ChipLogProgress(Controller, "Generating NOC");
40 changes: 20 additions & 20 deletions src/credentials/CHIPCert.cpp
@@ -582,7 +582,7 @@ CHIP_ERROR ChipDN::AddCATs(const chip::CATValues & cats)
{
if (cat != kUndefinedCAT)
{
ReturnErrorOnFailure(AddAttribute(chip::ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag, cat));
ReturnErrorOnFailure(AddAttribute_MatterCASEAuthTag(cat));
}
}

@@ -615,31 +615,31 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const

for (uint8_t i = 0; i < rdnCount; i++)
{
if (rdn[i].mAttrOID == kOID_AttributeType_ChipRootId)
if (rdn[i].mAttrOID == kOID_AttributeType_MatterRCACId)
{
VerifyOrExit(lCertType == kCertType_NotSpecified, err = CHIP_ERROR_WRONG_CERT_DN);

lCertType = kCertType_Root;
}
else if (rdn[i].mAttrOID == kOID_AttributeType_ChipICAId)
else if (rdn[i].mAttrOID == kOID_AttributeType_MatterICACId)
{
VerifyOrExit(lCertType == kCertType_NotSpecified, err = CHIP_ERROR_WRONG_CERT_DN);

lCertType = kCertType_ICA;
}
else if (rdn[i].mAttrOID == kOID_AttributeType_ChipNodeId)
else if (rdn[i].mAttrOID == kOID_AttributeType_MatterNodeId)
{
VerifyOrExit(lCertType == kCertType_NotSpecified, err = CHIP_ERROR_WRONG_CERT_DN);
VerifyOrReturnError(IsOperationalNodeId(rdn[i].mChipVal), CHIP_ERROR_WRONG_CERT_DN);
lCertType = kCertType_Node;
}
else if (rdn[i].mAttrOID == kOID_AttributeType_ChipFirmwareSigningId)
else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFirmwareSigningId)
{
VerifyOrExit(lCertType == kCertType_NotSpecified, err = CHIP_ERROR_WRONG_CERT_DN);

lCertType = kCertType_FirmwareSigning;
}
else if (rdn[i].mAttrOID == kOID_AttributeType_ChipFabricId)
else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFabricId)
{
// Only one fabricId attribute is allowed per DN.
VerifyOrExit(!fabricIdPresent, err = CHIP_ERROR_WRONG_CERT_DN);
@@ -669,10 +669,10 @@ CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const
{
switch (rdn[i].mAttrOID)
{
case kOID_AttributeType_ChipRootId:
case kOID_AttributeType_ChipICAId:
case kOID_AttributeType_ChipNodeId:
case kOID_AttributeType_ChipFirmwareSigningId:
case kOID_AttributeType_MatterRCACId:
case kOID_AttributeType_MatterICACId:
case kOID_AttributeType_MatterNodeId:
case kOID_AttributeType_MatterFirmwareSigningId:
VerifyOrReturnError(chipId == 0, CHIP_ERROR_WRONG_CERT_DN);

chipId = rdn[i].mChipVal;
@@ -695,7 +695,7 @@ CHIP_ERROR ChipDN::GetCertFabricId(uint64_t & fabricId) const
{
switch (rdn[i].mAttrOID)
{
case kOID_AttributeType_ChipFabricId:
case kOID_AttributeType_MatterFabricId:
// Ensure only one FabricID RDN present, since start value is kUndefinedFabricId, which is reserved and never seen.
VerifyOrReturnError(fabricId == kUndefinedFabricId, CHIP_ERROR_WRONG_CERT_DN);
VerifyOrReturnError(IsValidFabricId(rdn[i].mChipVal), CHIP_ERROR_WRONG_CERT_DN);
@@ -782,11 +782,11 @@ CHIP_ERROR ChipDN::DecodeFromTLV(TLVReader & reader)
uint64_t chipAttr;
VerifyOrReturnError(attrIsPrintableString == false, CHIP_ERROR_INVALID_TLV_TAG);
ReturnErrorOnFailure(reader.Get(chipAttr));
if (attrOID == chip::ASN1::kOID_AttributeType_ChipNodeId)
if (attrOID == chip::ASN1::kOID_AttributeType_MatterNodeId)
{
VerifyOrReturnError(IsOperationalNodeId(attrOID), CHIP_ERROR_INVALID_ARGUMENT);
}
else if (attrOID == chip::ASN1::kOID_AttributeType_ChipFabricId)
else if (attrOID == chip::ASN1::kOID_AttributeType_MatterFabricId)
{
VerifyOrReturnError(IsValidFabricId(attrOID), CHIP_ERROR_INVALID_ARGUMENT);
}
@@ -798,7 +798,7 @@ CHIP_ERROR ChipDN::DecodeFromTLV(TLVReader & reader)
uint32_t chipAttr;
VerifyOrReturnError(attrIsPrintableString == false, CHIP_ERROR_INVALID_TLV_TAG);
ReturnErrorOnFailure(reader.Get(chipAttr));
if (attrOID == chip::ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag)
if (attrOID == chip::ASN1::kOID_AttributeType_MatterCASEAuthTag)
{
VerifyOrReturnError(IsValidCASEAuthTag(chipAttr), CHIP_ERROR_INVALID_ARGUMENT);
}
@@ -937,11 +937,11 @@ CHIP_ERROR ChipDN::DecodeFromASN1(ASN1Reader & reader)
chipAttr) == sizeof(uint64_t),
ASN1_ERROR_INVALID_ENCODING);

if (attrOID == chip::ASN1::kOID_AttributeType_ChipNodeId)
if (attrOID == chip::ASN1::kOID_AttributeType_MatterNodeId)
{
VerifyOrReturnError(IsOperationalNodeId(chipAttr), CHIP_ERROR_WRONG_CERT_DN);
}
else if (attrOID == chip::ASN1::kOID_AttributeType_ChipFabricId)
else if (attrOID == chip::ASN1::kOID_AttributeType_MatterFabricId)
{
VerifyOrReturnError(IsValidFabricId(chipAttr), CHIP_ERROR_WRONG_CERT_DN);
}
@@ -1135,12 +1135,12 @@ CHIP_ERROR ExtractNodeIdFabricIdFromOpCert(const ChipCertificateData & opcert, N
for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i)
{
const auto & rdn = subjectDN.rdn[i];
if (rdn.mAttrOID == ASN1::kOID_AttributeType_ChipNodeId)
if (rdn.mAttrOID == ASN1::kOID_AttributeType_MatterNodeId)
{
nodeId = rdn.mChipVal;
foundNodeId = true;
}
else if (rdn.mAttrOID == ASN1::kOID_AttributeType_ChipFabricId)
else if (rdn.mAttrOID == ASN1::kOID_AttributeType_MatterFabricId)
{
fabricId = rdn.mChipVal;
foundFabricId = true;
@@ -1182,7 +1182,7 @@ CHIP_ERROR ExtractFabricIdFromCert(const ChipCertificateData & cert, FabricId *
for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i)
{
const auto & rdn = subjectDN.rdn[i];
if (rdn.mAttrOID == ASN1::kOID_AttributeType_ChipFabricId)
if (rdn.mAttrOID == ASN1::kOID_AttributeType_MatterFabricId)
{
*fabricId = rdn.mChipVal;
return CHIP_NO_ERROR;
@@ -1216,7 +1216,7 @@ CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, CATValues &
for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i)
{
const auto & rdn = subjectDN.rdn[i];
if (rdn.mAttrOID == ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag)
if (rdn.mAttrOID == ASN1::kOID_AttributeType_MatterCASEAuthTag)
{
// This error should never happen in practice because valid NOC cannot have more
// than kMaxSubjectCATAttributeCount CATs in its subject. The check that it is
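Review bot: In the `ChipDN::DecodeFromTLV` hunk the 64-bit branch validates the wrong variable: right after `reader.Get(chipAttr)` it calls `IsOperationalNodeId(attrOID)` and `IsValidFabricId(attrOID)`, so the decoded node ID and fabric ID are never checked on this path and the outcome depends only on the numeric value of the OID constant. `DecodeFromASN1` in this same file passes `chipAttr` to both helpers, and the 32-bit branch here already uses `IsValidCASEAuthTag(chipAttr)`. The rename leaves those two lines as they were; they should read `VerifyOrReturnError(IsOperationalNodeId(chipAttr), CHIP_ERROR_INVALID_ARGUMENT);` and `VerifyOrReturnError(IsValidFabricId(chipAttr), CHIP_ERROR_INVALID_ARGUMENT);`. The function starts and ends outside the hunk, so whether a later step re-validates the stored value cannot be seen from here; a decode test feeding a TLV-encoded DN with a non-operational node ID would pin the intended behaviour.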
88 changes: 84 additions & 4 deletions src/credentials/CHIPCert.h
@@ -251,6 +251,86 @@ class ChipDN
**/
CHIP_ERROR AddAttribute(chip::ASN1::OID oid, CharSpan val, bool isPrintableString);

inline CHIP_ERROR AddAttribute_CommonName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_CommonName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_Surname(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_Surname, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_SerialNumber(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_SerialNumber, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_CountryName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_CountryName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_LocalityName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_LocalityName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_StateOrProvinceName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_StateOrProvinceName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_OrganizationName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_OrganizationName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_OrganizationalUnitName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_OrganizationalUnitName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_Title(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_Title, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_Name(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_Name, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_GivenName(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_GivenName, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_Initials(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_Initials, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_GenerationQualifier(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_GenerationQualifier, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_DNQualifier(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_DNQualifier, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_Pseudonym(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_Pseudonym, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_DomainComponent(CharSpan val, bool isPrintableString)
{
return AddAttribute(ASN1::kOID_AttributeType_DomainComponent, val, isPrintableString);
}
inline CHIP_ERROR AddAttribute_MatterNodeId(uint64_t val) { return AddAttribute(ASN1::kOID_AttributeType_MatterNodeId, val); }
inline CHIP_ERROR AddAttribute_MatterFirmwareSigningId(uint64_t val)
{
return AddAttribute(ASN1::kOID_AttributeType_MatterFirmwareSigningId, val);
}
inline CHIP_ERROR AddAttribute_MatterICACId(uint64_t val) { return AddAttribute(ASN1::kOID_AttributeType_MatterICACId, val); }
inline CHIP_ERROR AddAttribute_MatterRCACId(uint64_t val) { return AddAttribute(ASN1::kOID_AttributeType_MatterRCACId, val); }
inline CHIP_ERROR AddAttribute_MatterFabricId(uint64_t val)
{
return AddAttribute(ASN1::kOID_AttributeType_MatterFabricId, val);
}
inline CHIP_ERROR AddAttribute_MatterCASEAuthTag(CASEAuthTag val)
{
return AddAttribute(ASN1::kOID_AttributeType_MatterCASEAuthTag, val);
}

/**
* @brief Determine type of a CHIP certificate.
* This method performs an assessment of a certificate's type based on the structure
@@ -729,17 +809,17 @@ CHIP_ERROR ChipEpochToASN1Time(uint32_t epochTime, chip::ASN1::ASN1UniversalTime
**/
inline bool IsChip64bitDNAttr(chip::ASN1::OID oid)
{
return (oid == chip::ASN1::kOID_AttributeType_ChipNodeId || oid == chip::ASN1::kOID_AttributeType_ChipFirmwareSigningId ||
oid == chip::ASN1::kOID_AttributeType_ChipICAId || oid == chip::ASN1::kOID_AttributeType_ChipRootId ||
oid == chip::ASN1::kOID_AttributeType_ChipFabricId);
return (oid == chip::ASN1::kOID_AttributeType_MatterNodeId || oid == chip::ASN1::kOID_AttributeType_MatterFirmwareSigningId ||
oid == chip::ASN1::kOID_AttributeType_MatterICACId || oid == chip::ASN1::kOID_AttributeType_MatterRCACId ||
oid == chip::ASN1::kOID_AttributeType_MatterFabricId);
}

/**
* @return True if the OID represents a CHIP-defined 32-bit distinguished named attribute.
**/
inline bool IsChip32bitDNAttr(chip::ASN1::OID oid)
{
return (oid == chip::ASN1::kOID_AttributeType_ChipCASEAuthenticatedTag);
return (oid == chip::ASN1::kOID_AttributeType_MatterCASEAuthTag);
}

/**
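Review bot: The new typed wrappers forward straight to the generic `AddAttribute(oid, val)` overloads, which as far as this hunk shows stay declared next to them, so a caller can still pair an OID with the wrong value type; if preventing that is the goal, consider moving the generic overloads to a private section once every caller uses the wrappers. `AddAttribute_MatterNodeId` and `AddAttribute_MatterFabricId` also accept any `uint64_t`, while the decode paths in CHIPCert.cpp reject values that fail `IsOperationalNodeId` / `IsValidFabricId`. Unless the generic overload already checks this (not visible here), the wrappers are the natural place for it, e.g. `VerifyOrReturnError(IsValidFabricId(val), CHIP_ERROR_INVALID_ARGUMENT);` before the forward, assuming the helper is visible from this header. None of the wrappers has a doc comment; one line each on the expected value and on what `isPrintableString` selects would match the `/** ... **/` style of the surrounding declarations. The class body starts and ends outside the hunk.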