From 441aad71c95d4331ac0871db6c45e32447811b12 Mon Sep 17 00:00:00 2001 From: Karsten Sperling <113487422+ksperling-apple@users.noreply.github.com> Date: Sat, 19 Aug 2023 02:33:09 +1200 Subject: [PATCH] Make CertType an enum class instead of an anonymous enum / uint8_t (#28743) --- src/app/server/Server.h | 4 +- src/credentials/CHIPCert.cpp | 40 ++++++++++---------- src/credentials/CHIPCert.h | 22 +++++------ src/credentials/CHIPCertificateSet.h | 2 +- src/credentials/GenerateChipX509Cert.cpp | 20 +++++----- src/credentials/tests/TestChipCert.cpp | 48 +++++++++++------------- src/tools/chip-cert/CertUtils.cpp | 29 +++++++------- src/tools/chip-cert/Cmd_GenCert.cpp | 28 +++++++------- src/tools/chip-cert/chip-cert.h | 16 ++++---- 9 files changed, 103 insertions(+), 106 deletions(-) diff --git a/src/app/server/Server.h b/src/app/server/Server.h index e5b5585be19f44..e2bcbe83d363a8 100644 --- a/src/app/server/Server.h +++ b/src/app/server/Server.h @@ -542,9 +542,9 @@ class Server case Credentials::CertificateValidityResult::kExpired: case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime: case Credentials::CertificateValidityResult::kTimeUnknown: { - uint8_t certType; + Credentials::CertType certType; ReturnErrorOnFailure(cert->mSubjectDN.GetCertType(certType)); - if (certType == Credentials::kCertType_Root) + if (certType == Credentials::CertType::kRoot) { return CHIP_NO_ERROR; } diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp index 0c5b58d2ca1c84..1c0e9d7b281f0b 100644 --- a/src/credentials/CHIPCert.cpp +++ b/src/credentials/CHIPCert.cpp @@ -309,7 +309,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va { CHIP_ERROR err = CHIP_NO_ERROR; const ChipCertificateData * caCert = nullptr; - uint8_t certType; + CertType certType; err = cert->mSubjectDN.GetCertType(certType); SuccessOrExit(err); @@ -328,7 +328,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va err = CHIP_ERROR_CERT_USAGE_NOT_ALLOWED); // Verify that the certificate type is set to Root or ICA. - VerifyOrExit(certType == kCertType_ICA || certType == kCertType_Root, err = CHIP_ERROR_WRONG_CERT_TYPE); + VerifyOrExit(certType == CertType::kICA || certType == CertType::kRoot, err = CHIP_ERROR_WRONG_CERT_TYPE); // If a path length constraint was included, verify the cert depth vs. the specified constraint. // @@ -365,7 +365,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va } // If a required certificate type has been specified, verify it against the current certificate's type. - if (context.mRequiredCertType != kCertType_NotSpecified) + if (context.mRequiredCertType != CertType::kNotSpecified) { VerifyOrExit(certType == context.mRequiredCertType, err = CHIP_ERROR_WRONG_CERT_TYPE); } @@ -569,7 +569,7 @@ void ValidationContext::Reset() mValidityPolicy = nullptr; mRequiredKeyUsages.ClearAll(); mRequiredKeyPurposes.ClearAll(); - mRequiredCertType = kCertType_NotSpecified; + mRequiredCertType = CertType::kNotSpecified; } bool ChipRDN::IsEqual(const ChipRDN & other) const @@ -667,40 +667,40 @@ CHIP_ERROR ChipDN::AddAttribute(chip::ASN1::OID oid, CharSpan val, bool isPrinta return CHIP_NO_ERROR; } -CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const +CHIP_ERROR ChipDN::GetCertType(CertType & certType) const { - uint8_t lCertType = kCertType_NotSpecified; + CertType lCertType = CertType::kNotSpecified; bool fabricIdPresent = false; bool catsPresent = false; uint8_t rdnCount = RDNCount(); - certType = kCertType_NotSpecified; + certType = CertType::kNotSpecified; for (uint8_t i = 0; i < rdnCount; i++) { if (rdn[i].mAttrOID == kOID_AttributeType_MatterRCACId) { - VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN); + VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN); - lCertType = kCertType_Root; + lCertType = CertType::kRoot; } else if (rdn[i].mAttrOID == kOID_AttributeType_MatterICACId) { - VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN); + VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN); - lCertType = kCertType_ICA; + lCertType = CertType::kICA; } else if (rdn[i].mAttrOID == kOID_AttributeType_MatterNodeId) { - VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN); + VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN); VerifyOrReturnError(IsOperationalNodeId(rdn[i].mChipVal), CHIP_ERROR_WRONG_NODE_ID); - lCertType = kCertType_Node; + lCertType = CertType::kNode; } else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFirmwareSigningId) { - VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN); + VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN); - lCertType = kCertType_FirmwareSigning; + lCertType = CertType::kFirmwareSigning; } else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFabricId) { @@ -717,7 +717,7 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const } } - if (lCertType == kCertType_Node) + if (lCertType == CertType::kNode) { VerifyOrReturnError(fabricIdPresent, CHIP_ERROR_WRONG_CERT_DN); } @@ -1151,7 +1151,7 @@ CHIP_ERROR ValidateChipRCAC(const ByteSpan & rcac) ChipCertificateSet certSet; ChipCertificateData certData; ValidationContext validContext; - uint8_t certType; + CertType certType; // Note that this function doesn't check RCAC NotBefore / NotAfter time validity. // It is assumed that RCAC should be valid at the time of installation by definition. @@ -1161,7 +1161,7 @@ CHIP_ERROR ValidateChipRCAC(const ByteSpan & rcac) ReturnErrorOnFailure(certSet.LoadCert(rcac, CertDecodeFlags::kGenerateTBSHash)); ReturnErrorOnFailure(certData.mSubjectDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_WRONG_CERT_TYPE); + VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_WRONG_CERT_TYPE); VerifyOrReturnError(certData.mSubjectDN.IsEqual(certData.mIssuerDN), CHIP_ERROR_WRONG_CERT_TYPE); @@ -1337,10 +1337,10 @@ CHIP_ERROR ExtractCATsFromOpCert(const ByteSpan & opcert, CATValues & cats) CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, CATValues & cats) { uint8_t catCount = 0; - uint8_t certType; + CertType certType; ReturnErrorOnFailure(opcert.mSubjectDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_Node, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kNode, CHIP_ERROR_INVALID_ARGUMENT); const ChipDN & subjectDN = opcert.mSubjectDN; for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i) diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h index 7ceac66222ab36..f0b78df9ea2ec7 100644 --- a/src/credentials/CHIPCert.h +++ b/src/credentials/CHIPCert.h @@ -101,17 +101,17 @@ enum * * @note Cert type is an API data type only; it should never be sent over-the-wire. */ -enum +enum class CertType : uint8_t { - kCertType_NotSpecified = 0x00, /**< The certificate's type has not been specified. */ - kCertType_Root = 0x01, /**< A CHIP Root certificate. */ - kCertType_ICA = 0x02, /**< A CHIP Intermediate CA certificate. */ - kCertType_Node = 0x03, /**< A CHIP node certificate. */ - kCertType_FirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. Note that CHIP doesn't - specify how firmware images are signed and implementation of - firmware image signing is manufacturer-specific. The CHIP - certificate format supports encoding of firmware signing - certificates if chosen by the manufacturer to use them. */ + kNotSpecified = 0x00, /**< The certificate's type has not been specified. */ + kRoot = 0x01, /**< A CHIP Root certificate. */ + kICA = 0x02, /**< A CHIP Intermediate CA certificate. */ + kNode = 0x03, /**< A CHIP node certificate. */ + kFirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. Note that CHIP doesn't + specify how firmware images are signed and implementation of + firmware image signing is manufacturer-specific. The CHIP + certificate format supports encoding of firmware signing + certificates if chosen by the manufacturer to use them. */ }; /** X.509 Certificate Key Purpose Flags @@ -334,7 +334,7 @@ class ChipDN * * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise **/ - CHIP_ERROR GetCertType(uint8_t & certType) const; + CHIP_ERROR GetCertType(CertType & certType) const; /** * @brief Retrieve the ID of a CHIP certificate. diff --git a/src/credentials/CHIPCertificateSet.h b/src/credentials/CHIPCertificateSet.h index d3694467c74fbc..3c119a6c2ae718 100644 --- a/src/credentials/CHIPCertificateSet.h +++ b/src/credentials/CHIPCertificateSet.h @@ -70,7 +70,7 @@ struct ValidationContext validated certificate. */ BitFlags mRequiredKeyPurposes; /**< Extended Key usage extensions that should be present in the validated certificate. */ - uint8_t mRequiredCertType; /**< Required certificate type. */ + CertType mRequiredCertType; /**< Required certificate type. */ CertificateValidityPolicy * mValidityPolicy = nullptr; /**< Optional application policy to apply for certificate validity period evaluation. */ diff --git a/src/credentials/GenerateChipX509Cert.cpp b/src/credentials/GenerateChipX509Cert.cpp index 12aacab9bf87fb..7eb0a158f5c49d 100644 --- a/src/credentials/GenerateChipX509Cert.cpp +++ b/src/credentials/GenerateChipX509Cert.cpp @@ -326,7 +326,7 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, const Cryp const Crypto::P256PublicKey & issuerPubkey, ASN1Writer & writer) { CHIP_ERROR err = CHIP_NO_ERROR; - uint8_t certType; + CertType certType; bool isCA; VerifyOrReturnError(requestParams.SerialNumber >= 0, CHIP_ERROR_INVALID_ARGUMENT); @@ -334,7 +334,7 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, const Cryp CHIP_ERROR_INVALID_ARGUMENT); ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType)); - isCA = (certType == kCertType_ICA || certType == kCertType_Root); + isCA = (certType == CertType::kICA || certType == CertType::kRoot); ASN1_START_SEQUENCE { @@ -405,10 +405,10 @@ CHIP_ERROR NewChipX509Cert(const X509CertRequestParams & requestParams, const Cr DLL_EXPORT CHIP_ERROR NewRootX509Cert(const X509CertRequestParams & requestParams, Crypto::P256Keypair & issuerKeypair, MutableByteSpan & x509Cert) { - uint8_t certType; + CertType certType; ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(requestParams.SubjectDN.IsEqual(requestParams.IssuerDN), CHIP_ERROR_INVALID_ARGUMENT); return NewChipX509Cert(requestParams, issuerKeypair.Pubkey(), issuerKeypair, x509Cert); @@ -417,13 +417,13 @@ DLL_EXPORT CHIP_ERROR NewRootX509Cert(const X509CertRequestParams & requestParam DLL_EXPORT CHIP_ERROR NewICAX509Cert(const X509CertRequestParams & requestParams, const Crypto::P256PublicKey & subjectPubkey, Crypto::P256Keypair & issuerKeypair, MutableByteSpan & x509Cert) { - uint8_t certType; + CertType certType; ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_ICA, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kICA, CHIP_ERROR_INVALID_ARGUMENT); ReturnErrorOnFailure(requestParams.IssuerDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT); return NewChipX509Cert(requestParams, subjectPubkey, issuerKeypair, x509Cert); } @@ -432,13 +432,13 @@ DLL_EXPORT CHIP_ERROR NewNodeOperationalX509Cert(const X509CertRequestParams & r const Crypto::P256PublicKey & subjectPubkey, Crypto::P256Keypair & issuerKeypair, MutableByteSpan & x509Cert) { - uint8_t certType; + CertType certType; ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_Node, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kNode, CHIP_ERROR_INVALID_ARGUMENT); ReturnErrorOnFailure(requestParams.IssuerDN.GetCertType(certType)); - VerifyOrReturnError(certType == kCertType_ICA || certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(certType == CertType::kICA || certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT); return NewChipX509Cert(requestParams, subjectPubkey, issuerKeypair, x509Cert); } diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp index a29f357d274c77..e17de88eee1817 100644 --- a/src/credentials/tests/TestChipCert.cpp +++ b/src/credentials/tests/TestChipCert.cpp @@ -244,13 +244,13 @@ static void TestChipCert_GetCertType_ErrorCases(nlTestSuite * inSuite, void * in for (auto chipCert : gTestCert_GetCertType_ErrorCases) { - uint8_t certType; + CertType certType; err = certSet.LoadCert(chipCert, sNullDecodeFlag); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); err = certSet.GetCertSet()->mSubjectDN.GetCertType(certType); - NL_TEST_ASSERT(inSuite, err != CHIP_NO_ERROR || certType == kCertType_NotSpecified); + NL_TEST_ASSERT(inSuite, err != CHIP_NO_ERROR || certType == CertType::kNotSpecified); certSet.Clear(); } @@ -302,13 +302,13 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext) const static CATValues noc_cats = { { 0xABCD0001, chip::kUndefinedCAT, chip::kUndefinedCAT } }; ChipDN chip_dn; - uint8_t certType = kCertType_FirmwareSigning; // Start with non-default value + CertType certType = CertType::kFirmwareSigning; // Start with non-default value NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty()); NL_TEST_ASSERT(inSuite, chip_dn.RDNCount() == 0); NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR); NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty() == true); - NL_TEST_ASSERT(inSuite, certType == kCertType_NotSpecified); + NL_TEST_ASSERT(inSuite, certType == CertType::kNotSpecified); NL_TEST_ASSERT(inSuite, chip_dn.AddAttribute_CommonName(CharSpan(noc_rdn, strlen(noc_rdn)), false) == CHIP_NO_ERROR); NL_TEST_ASSERT(inSuite, chip_dn.AddAttribute_MatterNodeId(0xAAAABBBBCCCCDDDD) == CHIP_NO_ERROR); @@ -321,7 +321,7 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext) NL_TEST_ASSERT(inSuite, chip_dn.RDNCount() == 5); NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR); - NL_TEST_ASSERT(inSuite, certType == kCertType_Node); + NL_TEST_ASSERT(inSuite, certType == CertType::kNode); uint64_t certId; NL_TEST_ASSERT(inSuite, chip_dn.GetCertChipId(certId) == CHIP_NO_ERROR); @@ -334,7 +334,7 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext) chip_dn.Clear(); NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR); NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty() == true); - NL_TEST_ASSERT(inSuite, certType == kCertType_NotSpecified); + NL_TEST_ASSERT(inSuite, certType == CertType::kNotSpecified); CATValues noc_cats2; chip::CATValues::Serialized serializedCATs; @@ -362,7 +362,7 @@ static void TestChipCert_CertValidation(nlTestSuite * inSuite, void * inContext) { int mSubjectCertIndex; uint8_t mValidateFlags; - uint8_t mRequiredCertType; + CertType mRequiredCertType; CHIP_ERROR mExpectedResult; int mExpectedCertIndex; int mExpectedTrustAnchorIndex; @@ -375,13 +375,9 @@ static void TestChipCert_CertValidation(nlTestSuite * inSuite, void * inContext) }; // Short-hand names to make the test cases table more concise. - enum - { - CTNS = kCertType_NotSpecified, - CTCA = kCertType_ICA, - CTNode = kCertType_Node, - CTFS = kCertType_FirmwareSigning, - }; + const auto CTNS = CertType::kNotSpecified; + const auto CTCA = CertType::kICA; + const auto CTNode = CertType::kNode; // clang-format off static const ValidationTestCase sValidationTestCases[] = { @@ -1196,28 +1192,28 @@ static void TestChipCert_CertType(nlTestSuite * inSuite, void * inContext) struct TestCase { uint8_t Cert; - uint8_t ExpectedCertType; + CertType ExpectedCertType; }; // clang-format off static TestCase sTestCases[] = { // Cert ExpectedCertType // ============================================================= - { TestCert::kRoot01, kCertType_Root }, - { TestCert::kRoot02, kCertType_Root }, - { TestCert::kICA01, kCertType_ICA }, - { TestCert::kICA02, kCertType_ICA }, - { TestCert::kICA01_1, kCertType_ICA }, - { TestCert::kFWSign01, kCertType_FirmwareSigning }, - { TestCert::kNode01_01, kCertType_Node }, - { TestCert::kNode01_02, kCertType_Node }, - { TestCert::kNode02_01, kCertType_Node }, - { TestCert::kNode02_02, kCertType_Node }, + { TestCert::kRoot01, CertType::kRoot }, + { TestCert::kRoot02, CertType::kRoot }, + { TestCert::kICA01, CertType::kICA }, + { TestCert::kICA02, CertType::kICA }, + { TestCert::kICA01_1, CertType::kICA }, + { TestCert::kFWSign01, CertType::kFirmwareSigning }, + { TestCert::kNode01_01, CertType::kNode }, + { TestCert::kNode01_02, CertType::kNode }, + { TestCert::kNode02_01, CertType::kNode }, + { TestCert::kNode02_02, CertType::kNode }, }; // clang-format on for (const auto & testCase : sTestCases) { - uint8_t certType; + CertType certType; err = certSet.Init(1); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); diff --git a/src/tools/chip-cert/CertUtils.cpp b/src/tools/chip-cert/CertUtils.cpp index db880f75f3c5dc..7ef3e6b109d3e5 100644 --- a/src/tools/chip-cert/CertUtils.cpp +++ b/src/tools/chip-cert/CertUtils.cpp @@ -837,12 +837,12 @@ bool WriteChipCert(const char * fileName, const ByteSpan & chipCert, CertFormat return WriteDataIntoFile(fileName, chipCert.data(), static_cast(chipCert.size()), dataFormat); } -bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, +bool MakeCert(CertType certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, uint8_t futureExtsCount, X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig) { bool res = true; - bool isCA = (certType != kCertType_Node); + bool isCA = (certType != CertType::kNode); VerifyOrExit(subjectDN != nullptr, res = false); VerifyOrExit(caCert != nullptr, res = false); @@ -867,7 +867,7 @@ bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP // the new cert's subject name. if (certConfig.IsIssuerPresent()) { - if (certType == kCertType_Root) + if (certType == CertType::kRoot) { res = subjectDN->SetCertIssuerDN(newCert); VerifyTrueOrExit(res); @@ -920,12 +920,12 @@ bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP // Add extended key usage certificate extensions. if (!certConfig.IsExtensionExtendedKeyUsageMissing()) { - if (certType == kCertType_Node) + if (certType == CertType::kNode) { res = AddExtension(newCert, NID_ext_key_usage, "critical,clientAuth,serverAuth"); VerifyTrueOrExit(res); } - else if (certType == kCertType_FirmwareSigning) + else if (certType == CertType::kFirmwareSigning) { res = AddExtension(newCert, NID_ext_key_usage, "critical,codeSigning"); VerifyTrueOrExit(res); @@ -943,7 +943,7 @@ bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP // be the same as new cert's subject key id extension. if (certConfig.IsExtensionAKIDPresent()) { - if ((certType == kCertType_Root) && !certConfig.IsExtensionSKIDPresent()) + if ((certType == CertType::kRoot) && !certConfig.IsExtensionSKIDPresent()) { res = AddSubjectKeyId(newCert, certConfig.IsExtensionSKIDLengthValid()); VerifyTrueOrExit(res); @@ -990,9 +990,10 @@ bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP return res; } -CHIP_ERROR MakeCertTLV(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, - uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, uint8_t futureExtsCount, - X509 * x509Cert, EVP_PKEY * newKey, CertStructConfig & certConfig, MutableByteSpan & chipCert) +CHIP_ERROR MakeCertTLV(CertType certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, + const struct tm & validFrom, uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, + uint8_t futureExtsCount, X509 * x509Cert, EVP_PKEY * newKey, CertStructConfig & certConfig, + MutableByteSpan & chipCert) { TLVWriter writer; TLVType containerType; @@ -1009,7 +1010,7 @@ CHIP_ERROR MakeCertTLV(uint8_t certType, const ToolChipDN * subjectDN, X509 * ca VerifyOrReturnError(x509Cert != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(newKey != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - isCA = (certType == kCertType_ICA || certType == kCertType_Root); + isCA = (certType == CertType::kICA || certType == CertType::kRoot); uint8_t * p = subjectPubkey; VerifyOrReturnError(i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(newKey), &p) == chip::Crypto::CHIP_CRYPTO_PUBLIC_KEY_SIZE_BYTES, @@ -1040,7 +1041,7 @@ CHIP_ERROR MakeCertTLV(uint8_t certType, const ToolChipDN * subjectDN, X509 * ca // issuer Name if (certConfig.IsIssuerPresent()) { - if (certType == kCertType_Root) + if (certType == CertType::kRoot) { ReturnErrorOnFailure(subjectDN->EncodeToTLV(writer, ContextTag(kTag_Issuer))); } @@ -1186,15 +1187,15 @@ CHIP_ERROR MakeCertTLV(uint8_t certType, const ToolChipDN * subjectDN, X509 * ca } // extended key usage - if (!certConfig.IsExtensionExtendedKeyUsageMissing() && (certType == kCertType_Node)) + if (!certConfig.IsExtensionExtendedKeyUsageMissing() && (certType == CertType::kNode)) { ReturnErrorOnFailure(writer.StartContainer(ContextTag(kTag_ExtendedKeyUsage), kTLVType_Array, containerType3)); - if (certType == kCertType_Node) + if (certType == CertType::kNode) { ReturnErrorOnFailure(writer.Put(AnonymousTag(), GetOIDEnum(kOID_KeyPurpose_ClientAuth))); ReturnErrorOnFailure(writer.Put(AnonymousTag(), GetOIDEnum(kOID_KeyPurpose_ServerAuth))); } - else if (certType == kCertType_FirmwareSigning) + else if (certType == CertType::kFirmwareSigning) { ReturnErrorOnFailure(writer.Put(AnonymousTag(), GetOIDEnum(kOID_KeyPurpose_CodeSigning))); } diff --git a/src/tools/chip-cert/Cmd_GenCert.cpp b/src/tools/chip-cert/Cmd_GenCert.cpp index 5313b866e0d6dd..7d8767e8c9d7ef 100644 --- a/src/tools/chip-cert/Cmd_GenCert.cpp +++ b/src/tools/chip-cert/Cmd_GenCert.cpp @@ -297,7 +297,7 @@ OptionSet *gCmdOptionSets[] = // clang-format on ToolChipDN gSubjectDN; -uint8_t gCertType = kCertType_NotSpecified; +CertType gCertType = CertType::kNotSpecified; int gPathLengthConstraint = kPathLength_NotSpecified; bool gSelfSign = false; const char * gCACertFileNameOrStr = nullptr; @@ -326,24 +326,24 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char { if (*arg == 'n') { - gCertType = kCertType_Node; + gCertType = CertType::kNode; } else if (*arg == 'f') { - gCertType = kCertType_FirmwareSigning; + gCertType = CertType::kFirmwareSigning; } else if (*arg == 'c') { - gCertType = kCertType_ICA; + gCertType = CertType::kICA; } else if (*arg == 'r') { - gCertType = kCertType_Root; + gCertType = CertType::kRoot; gSelfSign = true; } } - if (gCertType == kCertType_NotSpecified) + if (gCertType == CertType::kNotSpecified) { PrintArgError("%s: Invalid value specified for the certificate type: %s\n", progName, arg); return false; @@ -359,7 +359,7 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char switch (gCertType) { - case kCertType_Node: + case CertType::kNode: if (gCertConfig.IsSubjectNodeIdValid() && !chip::IsOperationalNodeId(chip64bitAttr)) { PrintArgError("%s: Invalid value specified for chip node-id attribute: %s\n", progName, arg); @@ -381,10 +381,10 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char } } break; - case kCertType_FirmwareSigning: + case CertType::kFirmwareSigning: err = gSubjectDN.AddAttribute_MatterFirmwareSigningId(chip64bitAttr); break; - case kCertType_ICA: + case CertType::kICA: if (gCertConfig.IsSubjectMatterIdPresent()) { err = gSubjectDN.AddAttribute_MatterICACId(chip64bitAttr); @@ -394,7 +394,7 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char } } break; - case kCertType_Root: + case CertType::kRoot: if (gCertConfig.IsSubjectMatterIdPresent()) { err = gSubjectDN.AddAttribute_MatterRCACId(chip64bitAttr); @@ -987,9 +987,9 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char bool Cmd_GenCert(int argc, char * argv[]) { - CHIP_ERROR err = CHIP_NO_ERROR; - bool res = true; - uint8_t certType = kCertType_NotSpecified; + CHIP_ERROR err = CHIP_NO_ERROR; + bool res = true; + CertType certType = CertType::kNotSpecified; std::unique_ptr newCert(X509_new(), &X509_free); std::unique_ptr newKey(EVP_PKEY_new(), &EVP_PKEY_free); std::unique_ptr caCert(nullptr, &X509_free); @@ -1109,7 +1109,7 @@ bool Cmd_GenCert(int argc, char * argv[]) } if (gPathLengthConstraint != kPathLength_NotSpecified && - (gCertType == kCertType_Node || gCertType == kCertType_FirmwareSigning)) + (gCertType == CertType::kNode || gCertType == CertType::kFirmwareSigning)) { fprintf(stderr, "Path length constraint shouldn't be specified for the leaf certificate.\n"); ExitNow(res = false); diff --git a/src/tools/chip-cert/chip-cert.h b/src/tools/chip-cert/chip-cert.h index 82d4d8e4c8190b..884e648a87b0d1 100644 --- a/src/tools/chip-cert/chip-cert.h +++ b/src/tools/chip-cert/chip-cert.h @@ -274,7 +274,7 @@ class CertStructConfig (mFlags.Has(CertErrorFlags::kExtBasicPathLenWrong) || mFlags.Has(CertErrorFlags::kExtBasicPathLen0) || mFlags.Has(CertErrorFlags::kExtBasicPathLen1) || mFlags.Has(CertErrorFlags::kExtBasicPathLen2))); } - int GetExtensionBasicPathLenValue(uint8_t & certType) + int GetExtensionBasicPathLenValue(chip::Credentials::CertType certType) { if (mFlags.Has(CertErrorFlags::kExtBasicPathLen0)) { @@ -290,15 +290,15 @@ class CertStructConfig } if (mFlags.Has(CertErrorFlags::kExtBasicPathLenWrong)) { - if (certType == chip::Credentials::kCertType_Node) + if (certType == chip::Credentials::CertType::kNode) { return 2; } - if (certType == chip::Credentials::kCertType_ICA) + if (certType == chip::Credentials::CertType::kICA) { return 1; } - if (certType == chip::Credentials::kCertType_Root) + if (certType == chip::Credentials::CertType::kRoot) { return 0; } @@ -438,10 +438,10 @@ extern bool LoadChipCert(const char * fileNameOrStr, bool isTrused, chip::Creden extern bool WriteCert(const char * fileName, X509 * cert, CertFormat certFmt); extern bool WriteChipCert(const char * fileName, const chip::ByteSpan & cert, CertFormat certFmt); -extern bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, - uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, uint8_t futureExtsCount, - X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig); -extern CHIP_ERROR MakeCertTLV(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, +extern bool MakeCert(chip::Credentials::CertType certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, + const struct tm & validFrom, uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, + uint8_t futureExtsCount, X509 * newCert, EVP_PKEY * newKey, CertStructConfig & certConfig); +extern CHIP_ERROR MakeCertTLV(chip::Credentials::CertType certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom, uint32_t validDays, int pathLen, const FutureExtensionWithNID * futureExts, uint8_t futureExtsCount, X509 * x509Cert, EVP_PKEY * newKey, CertStructConfig & certConfig, chip::MutableByteSpan & chipCert);