Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement CSR generation from first principles to support commissioners #18631

Merged
merged 4 commits into from
May 20, 2022
Merged

Implement CSR generation from first principles to support commissioners #18631

merged 4 commits into from
May 20, 2022

Commits on May 19, 2022

  1. Implement CSR generation from first principles to support commissioners 

    - When a commissioner is backing their key with OS or hardware support,
  the built-in P256Keypair::NewCertificateSigningRequest will not be
  usable since it relies on internal P256Keypair base class access to
  key state, as opposed to just using Pubkey() and ECDSA_sign_message
  primitives. This is OK on some embedded usecases that make use
  of P256Keypair backend directly, but not for many other usecases.
- On iOS/Darwin and on native Android, backing the P256Keypair *
  by derived classes is bridgeable to platform APIs, but those
  platform APIs do not offer easy/direct CSR generation, and on
  Darwin, there are not ASN.1 APIs anymore.
- If trying to make use of Darwin APIs introduced in project-chip#18519, there
  is no easy way to write code interfacing with an external CA to
  provide a CSR for a natively bridged keypair.

This PR adds a first-principle CSR generator, written and audited
by Google personel, using the ASN1Writer API already used in
CHIPCert.h and used by all Commissioner code making use of SDK
today. This is a straightforward implementation that directly
uses a P256Keypair * (or a derived class thereof!) to generate
a CSR against it, without depending on direct key access like
like the native version P256Keypair::NewCerticateSigningRequest
does.

This PR also fixes constness of operations on P256Keypair.

Issue project-chip#18444

Testing done:
- Added unit tests for the new primitive
- Validated generated CSR with OpenSSL
- Validated equivalence to generated CSR from P256Keypair, on
  both mbedTLS and OpenSSL
- Not used by CHIP-tool but usable by Darwin and Android framework
  users.
    @tcarmelveilleux
    tcarmelveilleux committed May 19, 2022
    Configuration menu
    Copy the full SHA
    5995c2c View commit details
    Browse the repository at this point in the history

  2. Update src/crypto/CHIPCryptoPAL.h 

    Co-authored-by: Boris Zbarsky <[email protected]>
    @tcarmelveilleux @bzbarsky-apple
    tcarmelveilleux and bzbarsky-apple authored May 19, 2022
    Configuration menu
    Copy the full SHA
    7ff899a View commit details
    Browse the repository at this point in the history

  3. Fix CI

    @tcarmelveilleux
    tcarmelveilleux committed May 19, 2022
    Configuration menu
    Copy the full SHA
    9f22ebc View commit details
    Browse the repository at this point in the history

  4. Restyled by clang-format

    @restyled-commits
    restyled-commits committed May 19, 2022
    Configuration menu
    Copy the full SHA
    463ccfc View commit details
    Browse the repository at this point in the history