Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Attestation] Need a certificate linter for NOC chain and Attestation chain #22672

Closed
tcarmelveilleux opened this issue Sep 15, 2022 · 4 comments
Closed

[Attestation] Need a certificate linter for NOC chain and Attestation chain #22672

tcarmelveilleux opened this issue Sep 15, 2022 · 4 comments
Labels
stale Stale issue or PR

Comments

@tcarmelveilleux
Copy link
Contributor

tcarmelveilleux commented Sep 15, 2022
edited
Loading

Feature

Both the NOC cert chain and DAC cert chain have particular non-trivial Matter-specific certificate content rules that apply.

Many participants, even PKI experts, have struggled to make 100% compliant Matter DAC chains (DAC/PAI/PAA) on first try.

Having tools that validate all the SHALLs and that provide human-readable feedback as to this errors are found, would greatly benefit the Matter WG members.

Platform

core (please add to version below)

Platform Version(s)

No response

Type

Manually tested with SDK

(Optional) If manually tested please explain why this is only manually tested

No response

Anything else?

No response
@emargolis
Copy link
Contributor

Operation Certificates { RCAC, ICAC, NOC}:
The chip-cert tool does very detailed certificate chain validation using the following command:
./chip-cert validate-cert ....
This validation is equivalent to what is don't by the SDK during CASE session establishment. This validation step verify 100% certificate structure compliance with the Matter Spec.

In addition to the full chain validation the chip-cert tool can be used to verify that operational certificate can be properly converted from DER to CHIP encoding and vice versa:
./chip-cert convert-cert cert.pem cert.chip --chip
./chip-cert convert-cert cert.chip cert2.pem --x509-pem
These steps also validate that the certificate is properly structured. It then can be validated that the result of PEM-->CHIP-->PEM conversion results in the same certificate:
diff cert.pem cert2.pem

In case of an error these commands will fail but not in all cases they provide detailed human-readable feedback for the exact reason for the failure.

Attestation Certificates { PAA, PAI, DAC}:
Similar to operational certificates the attestation certificates can be validated using:
./chip-cert validate-att-cert ....
This validation is equivalent to how validation is performed by the Default Device Attestation Verifier (src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp).

Currently, neither chip-cert nor Default Device Attestation Verifier do the 100% Spec compliance checks of the attestation certificates.

@emargolis
Copy link
Contributor

Related to this issue:
#22943 added VerifyAttestationCertificateFormat() method to the SDK. chip-cert tool was also updated to verify cert structure on validate-att-cert command

@stale
Copy link

stale bot commented Apr 6, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale Stale issue or PR label Apr 6, 2023
@stale
Copy link

stale bot commented Apr 26, 2023

This stale issue has been automatically closed. Thank you for your contributions.

@stale stale bot closed this as completed Apr 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale Stale issue or PR
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tcarmelveilleux @emargolis