Add APIs to work with PKCS7 data

src/crypto/CHIPCryptoPAL.h

@@ -36,6 +36,8 @@
 namespace chip {
 namespace Crypto {
 
+const size_t kMax_x509_Certificate_Length = 1024;
+
 const size_t kP256_FE_Length     = 32;
 const size_t kP256_Point_Length  = (2 * kP256_FE_Length + 1);
 const size_t kSHA256_Hash_Length = 32;
@@ -898,6 +900,17 @@ class Spake2p_P256_SHA256_HKDF_HMAC : public Spake2p
  **/
 void ClearSecretData(uint8_t * buf, uint32_t len);
 
+typedef CapacityBoundBuffer<kMax_x509_Certificate_Length> X509DerCertificate;
+
+CHIP_ERROR LoadCertsFromPKCS7(const uint8_t * pkcs7, X509DerCertificate * x509list, uint32_t * max_certs);
+
+CHIP_ERROR LoadCertFromPKCS7(const uint8_t * pkcs7, X509DerCertificate * x509list, uint32_t n_cert);
+
+CHIP_ERROR GetNumberOfCertsFromPKCS7(const uint8_t * pkcs7, uint32_t * n_certs);
+
+CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t rootCertificateLen, const uint8_t * caCertificate,
+                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen);
+
 } // namespace Crypto
 } // namespace chip
 

src/crypto/CHIPCryptoPALOpenSSL.cpp

@@ -52,6 +52,8 @@ namespace Crypto {
 
 #define kKeyLengthInBits 256
 
+typedef struct stack_st_X509 X509_LIST;
+
 enum class DigestType
 {
     SHA256
@@ -1560,5 +1562,208 @@ CHIP_ERROR Spake2p_P256_SHA256_HKDF_HMAC::PointIsValid(void * R)
     return error;
 }
 
+static void security_free_cert_list(X509_LIST * certs)
+{
+    if (certs)
+    {
+        sk_X509_pop_free(certs, X509_free);
+    }
+}
+
+CHIP_ERROR LoadCertsFromPKCS7(const uint8_t * pkcs7, X509DerCertificate * x509list, uint32_t * max_certs)
+{
+    CHIP_ERROR err    = CHIP_NO_ERROR;
+    X509_LIST * certs = NULL;
+    BIO * bio_cert    = NULL;
+    PKCS7 * p7        = NULL;
+    int p7_type       = 0;
+
+    VerifyOrExit(x509list != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrExit(max_certs != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT);
+
+    bio_cert = BIO_new_mem_buf(pkcs7, -1);
+
+    p7 = PEM_read_bio_PKCS7(bio_cert, NULL, NULL, NULL);
+    // TODO -> error value
+    VerifyOrExit(p7 != nullptr, err = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    p7_type = OBJ_obj2nid(p7->type);
+    if (p7_type == NID_pkcs7_signed)
+    {
+        certs = p7->d.sign->cert;
+    }
+    else if (p7_type == NID_pkcs7_signedAndEnveloped)
+    {
+        certs = p7->d.signed_and_enveloped->cert;
+    }
+
+    // TODO -> error value
+    VerifyOrExit(certs != NULL, err = CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrExit(static_cast<uint32_t>(sk_X509_num(certs)) <= *max_certs, err = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    *max_certs = static_cast<uint32_t>(sk_X509_num(certs));
+
+    certs = X509_chain_up_ref(certs);
+
+    for (uint32_t i = 0; i < *max_certs; ++i)
+    {
+        size_t bytes_written          = 0;
+        unsigned char * pX509ListEnd  = x509list[i];
+        unsigned char ** pX509ListAux = &pX509ListEnd;
+
+        bytes_written = static_cast<size_t>(i2d_X509(sk_X509_value(certs, static_cast<int>(i)), pX509ListAux));
+
+        VerifyOrExit(bytes_written <= x509list[i].Capacity(), err = CHIP_ERROR_NO_MEMORY);
+
+        x509list[i].SetLength(bytes_written);
+    }
+
+exit:
+    BIO_free_all(bio_cert);
+    PKCS7_free(p7);
+    security_free_cert_list(certs);
+
+    return err;
+}
+
+CHIP_ERROR LoadCertFromPKCS7(const uint8_t * pkcs7, X509DerCertificate * x509list, uint32_t n_cert)
+{
+    CHIP_ERROR err    = CHIP_NO_ERROR;
+    X509_LIST * certs = NULL;
+    BIO * bio_cert    = NULL;
+    PKCS7 * p7        = NULL;
+    int p7_type       = 0;
+
+    VerifyOrExit(x509list != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT);
+
+    bio_cert = BIO_new_mem_buf(pkcs7, -1);
+
+    p7 = PEM_read_bio_PKCS7(bio_cert, NULL, NULL, NULL);
+    // TODO -> error value
+    VerifyOrExit(p7 != nullptr, err = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    p7_type = OBJ_obj2nid(p7->type);
+    if (p7_type == NID_pkcs7_signed)
+    {
+        certs = p7->d.sign->cert;
+    }
+    else if (p7_type == NID_pkcs7_signedAndEnveloped)
+    {
+        certs = p7->d.signed_and_enveloped->cert;
+    }
+
+    // TODO -> error value
+    VerifyOrExit(certs != NULL, err = CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrExit(n_cert < static_cast<uint32_t>(sk_X509_num(certs)), err = CHIP_ERROR_INVALID_ARGUMENT);
+
+    certs = X509_chain_up_ref(certs);
+
+    {
+        size_t bytes_written          = 0;
+        unsigned char * pX509ListEnd  = reinterpret_cast<unsigned char *>(x509list);
+        unsigned char ** pX509ListAux = &pX509ListEnd;
+
+        bytes_written = static_cast<size_t>(i2d_X509(sk_X509_value(certs, static_cast<int>(n_cert)), pX509ListAux));
+
+        VerifyOrExit(bytes_written <= x509list->Capacity(), err = CHIP_ERROR_NO_MEMORY);
+
+        x509list->SetLength(bytes_written);
+    }
+
+exit:
+    BIO_free_all(bio_cert);
+    PKCS7_free(p7);
+    security_free_cert_list(certs);
+
+    return err;
+}
+
+CHIP_ERROR GetNumberOfCertsFromPKCS7(const uint8_t * pkcs7, uint32_t * n_certs)
+{
+    CHIP_ERROR err    = CHIP_NO_ERROR;
+    X509_LIST * certs = NULL;
+    BIO * bio_cert    = NULL;
+    PKCS7 * p7        = NULL;
+    int p7_type       = 0;
+
+    VerifyOrExit(n_certs != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT);
+
+    bio_cert = BIO_new_mem_buf(pkcs7, -1);
+
+    p7 = PEM_read_bio_PKCS7(bio_cert, NULL, NULL, NULL);
+    // TODO -> error value
+    VerifyOrExit(p7 != nullptr, err = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    p7_type = OBJ_obj2nid(p7->type);
+    if (p7_type == NID_pkcs7_signed)
+    {
+        certs = p7->d.sign->cert;
+    }
+    else if (p7_type == NID_pkcs7_signedAndEnveloped)
+    {
+        certs = p7->d.signed_and_enveloped->cert;
+    }
+
+    // TODO -> error value
+    VerifyOrExit(certs != NULL, err = CHIP_ERROR_WRONG_CERT_TYPE);
+
+    *n_certs = static_cast<uint32_t>(sk_X509_num(certs));
+
+exit:
+    BIO_free_all(bio_cert);
+    PKCS7_free(p7);
+
+    return err;
+}
+
+CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t rootCertificateLen, const uint8_t * caCertificate,
+                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen)
+{
+    CHIP_ERROR err             = CHIP_NO_ERROR;
+    X509_STORE_CTX * verifyCtx = nullptr;
+    X509_STORE * store         = nullptr;
+    X509 * x509RootCertificate = nullptr;
+    X509 * x509CACertificate   = nullptr;
+    X509 * x509LeafCertificate = nullptr;
+
+    store = X509_STORE_new();
+    VerifyOrExit(store != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    verifyCtx = X509_STORE_CTX_new();
+    VerifyOrExit(verifyCtx != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    x509RootCertificate = d2i_X509(NULL, &rootCertificate, static_cast<long>(rootCertificateLen));
+    VerifyOrExit(x509RootCertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    err = X509_STORE_add_cert(store, x509RootCertificate);
+    VerifyOrExit(err == 1, err = CHIP_ERROR_INTERNAL);
+
+    x509CACertificate = d2i_X509(NULL, &caCertificate, static_cast<long>(caCertificateLen));
+    VerifyOrExit(x509CACertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    err = X509_STORE_add_cert(store, x509CACertificate);
+    VerifyOrExit(err == 1, err = CHIP_ERROR_INTERNAL);
+
+    x509LeafCertificate = d2i_X509(NULL, &leafCertificate, static_cast<long>(leafCertificateLen));
+    VerifyOrExit(x509LeafCertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+
+    err = X509_STORE_CTX_init(verifyCtx, store, x509LeafCertificate, NULL);
+    VerifyOrExit(err == 1, err = CHIP_ERROR_INTERNAL);
+
+    err = X509_verify_cert(verifyCtx);
+    VerifyOrExit(err == 1, err = CHIP_ERROR_CERT_NOT_TRUSTED);
+
+    err = CHIP_NO_ERROR;
+
+exit:
+    X509_free(x509LeafCertificate);
+    X509_free(x509CACertificate);
+    X509_free(x509RootCertificate);
+    X509_STORE_CTX_free(verifyCtx);
+    X509_STORE_free(store);
+
+    return err;
+}
+
 } // namespace Crypto
 } // namespace chip

src/crypto/tests/CHIPCryptoPALTest.cpp

@@ -32,6 +32,7 @@
 #include "SPAKE2P_POINT_RW_test_vectors.h"
 #include "SPAKE2P_POINT_VALID_test_vectors.h"
 #include "SPAKE2P_RFC_test_vectors.h"
+#include "X509_PKCS7Extraction_test_vectors.h"
 
 #include <crypto/CHIPCryptoPAL.h>
 #if CHIP_CRYPTO_HSM
@@ -1428,6 +1429,25 @@ static void TestSPAKE2P_RFC(nlTestSuite * inSuite, void * inContext)
     NL_TEST_ASSERT(inSuite, numOfTestsRan == numOfTestVectors);
 }
 
+static void TestX509_PKCS7Extraction(nlTestSuite * inSuite, void * inContext)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    X509DerCertificate x509list[3];
+    uint32_t max_certs = sizeof(x509list) / sizeof(X509DerCertificate);
+
+    err = LoadCertsFromPKCS7(reinterpret_cast<const uint8_t *>(pem_pkcs7_blob), x509list, &max_certs);
+    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+    err = memcmp(certificate_blob_leaf, x509list[0], x509list[0].Length());
+    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+    err = memcmp(certificate_blob_intermediate, x509list[1], x509list[1].Length());
+    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+
+    err = memcmp(certificate_blob_root, x509list[2], x509list[2].Length());
+    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+}
+
 /**
  *   Test Suite. It lists all the test functions.
  */
@@ -1482,6 +1502,7 @@ static const nlTest sTests[] = {
     NL_TEST_DEF("Test Spake2p_spake2p PointLoad/PointWrite", TestSPAKE2P_spake2p_PointLoadWrite),
     NL_TEST_DEF("Test Spake2p_spake2p PointIsValid", TestSPAKE2P_spake2p_PointIsValid),
     NL_TEST_DEF("Test Spake2+ against RFC test vectors", TestSPAKE2P_RFC),
+    NL_TEST_DEF("Test x509 Certificate Extraction from PKCS7", TestX509_PKCS7Extraction),
     NL_TEST_SENTINEL()
 };