Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

da_revocation: sample revoked DACs and PAI certs for VID:0xFFF1 PID:0x8001 #36838

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

da_revocation: sample revoked DACs and PAI certs for VID:0xFFF1 PID:0x8001 #36838

wants to merge 2 commits into from
+105 −0

Conversation

shubhamdp
Copy link
Contributor

Related to #26582

Generated the certificates with the help of chip-cert (please check the commands used below).
Generated and updated CRL using openssl ca functionality.

Next update time is set to 99 years.

chip-cert commands used for generating DACs 
cd credentials/development/attestation

chip-cert gen-att-cert -t d -c "Matter Dev DAC Revoked 01" -V 0xFFF1 -P 0x8001 --lifetime 4294967295 \
	-C Matter-Development-PAI-FFF1-noPID-Cert.pem -K Matter-Development-PAI-FFF1-noPID-Key.pem \
	-o Matter-Development-DAC-FFF1-8001-Revoked-01-Cert.pem -O Matter-Development-DAC-FFF1-8001-Revoked-01-Key.pem

chip-cert gen-att-cert -t d -c "Matter Dev DAC Revoked 02" -V 0xFFF1 -P 0x8001 --lifetime 4294967295 \
	-C Matter-Development-PAI-FFF1-noPID-Cert.pem -K Matter-Development-PAI-FFF1-noPID-Key.pem \
	-o Matter-Development-DAC-FFF1-8001-Revoked-02-Cert.pem -O Matter-Development-DAC-FFF1-8001-Revoked-02-Key.pem

chip-cert gen-att-cert -t d -c "Matter Dev DAC Revoked 03" -V 0xFFF1 -P 0x8001 --lifetime 4294967295 \
	-C Matter-Development-PAI-FFF1-noPID-Cert.pem -K Matter-Development-PAI-FFF1-noPID-Key.pem \
	-o Matter-Development-DAC-FFF1-8001-Revoked-03-Cert.pem -O Matter-Development-DAC-FFF1-8001-Revoked-03-Key.pem
chip-cert commands used for generating PAI and DAC 
cd credentials/test/attestation

chip-cert gen-att-cert -t i -c "Matter Test PAI 0xFFF1 no PID Revoked" -V 0xFFF1 --lifetime 4294967295 \
	-C Chip-Test-PAA-FFF1-Cert.pem -K Chip-Test-PAA-FFF1-Key.pem \
	-o Chip-Test-PAI-FFF1-noPID-Revoked-Cert.pem -O Chip-Test-PAI-FFF1-noPID-Revoked-Key.pem

chip-cert gen-att-cert -t d -c "Matter Test DAC" -V 0xFFF1 -P 0x8001 --lifetime 4294967295 \
	-C Chip-Test-PAI-FFF1-noPID-Revoked-Cert.pem -K Chip-Test-PAI-FFF1-noPID-Revoked-Key.pem \
	-o Chip-Test-DAC-FFF1-8001-Singed-By-Revoked-PAI-Cert.pem -O Chip-Test-DAC-FFF1-8001-Singed-By-Revoked-PAI-Key.pem

@shubhamdp
credentials: sample revoked PAI certificate, key, and CRL for VID 0xFFF1
f596064 
created the PAI using chip-cert by using
credentials/test/attestation/Chip-Test-PAA-FFF1-{Cert,Key}.pem as
the signing CA.

created the DAC (vid: 0xFFF1, pid: 0x8001) using the generated PAI

Revoked the PAI and created the CRL for the same.
@shubhamdp
credentials: sample revoked DAC certificates, keys, and CRL for VID
c24a766 
0xFFF1 and PID 0x8001

created the DAC using chip-cert by using
credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem
as the signing CA.

Revoked the DAC and created CRL for the same.
@semanticdiff-com SemanticDiff.com
Copy link

Review changes with  SemanticDiff

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 13, 2024
edited
Loading

PR #36838: Size comparison from 9e203e2 to c24a766

Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
platform target config section 9e203e2 c24a766 change % change
bl602 lighting-app bl602+mfd+littlefs+rpc FLASH 1353340 1353340 0 0.0
RAM 104112 104112 0 0.0
bl702 lighting-app bl702+eth FLASH 651826 651826 0 0.0
RAM 25353 25353 0 0.0
bl702+wifi FLASH 829154 829154 0 0.0
RAM 14093 14093 0 0.0
bl706+mfd+rpc+littlefs FLASH 1057626 1057626 0 0.0
RAM 23933 23933 0 0.0
bl702l lighting-app bl702l+mfd+littlefs FLASH 979000 979000 0 0.0
RAM 16596 16596 0 0.0
cc13x4_26x4 lighting-app LP_EM_CC1354P10_6 FLASH 839760 839760 0 0.0
RAM 123664 123664 0 0.0
lock-ftd LP_EM_CC1354P10_6 FLASH 825308 825308 0 0.0
RAM 125552 125552 0 0.0
pump-app LP_EM_CC1354P10_6 FLASH 772096 772096 0 0.0
RAM 114020 114020 0 0.0
pump-controller-app LP_EM_CC1354P10_6 FLASH 756284 756284 0 0.0
RAM 114228 114228 0 0.0
cc32xx air-purifier CC3235SF_LAUNCHXL FLASH 631050 631050 0 0.0
RAM 205824 205824 0 0.0
lock CC3235SF_LAUNCHXL FLASH 669646 669646 0 0.0
RAM 205968 205968 0 0.0
cyw30739 light CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 681505 681505 0 0.0
RAM 78724 78724 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 701349 701349 0 0.0
RAM 81364 81364 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 701349 701349 0 0.0
RAM 81364 81364 0 0.0
CYW930739M2EVB-02 unknown 2040 2040 0 0.0
FLASH 658293 658293 0 0.0
RAM 73792 73792 0 0.0
light-switch CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 618065 618065 0 0.0
RAM 71708 71708 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 637693 637693 0 0.0
RAM 74252 74252 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 637693 637693 0 0.0
RAM 74252 74252 0 0.0
lock CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 637465 637465 0 0.0
RAM 74724 74724 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 657173 657173 0 0.0
RAM 77268 77268 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 657173 657173 0 0.0
RAM 77268 77268 0 0.0
thermostat CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 613925 613925 0 0.0
RAM 68812 68812 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 633777 633777 0 0.0
RAM 71444 71444 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 633777 633777 0 0.0
RAM 71444 71444 0 0.0
efr32 lock-app BRD4187C FLASH 932340 932340 0 0.0
RAM 160192 160192 0 0.0
BRD4338a FLASH 746144 746136 -8 -0.0
RAM 233320 233320 0 0.0
window-app BRD4187C FLASH 1024784 1024784 0 0.0
RAM 128296 128296 0 0.0
esp32 all-clusters-app c3devkit DRAM 95360 95360 0 0.0
FLASH 1543082 1543082 0 0.0
IRAM 82542 82542 0 0.0
m5stack DRAM 116312 116312 0 0.0
FLASH 1549682 1549682 0 0.0
IRAM 117039 117039 0 0.0
linux air-purifier-app debug unknown 4720 4720 0 0.0
FLASH 2715063 2715063 0 0.0
RAM 129800 129800 0 0.0
all-clusters-app debug unknown 5560 5560 0 0.0
FLASH 6007064 6007064 0 0.0
RAM 523544 523544 0 0.0
all-clusters-minimal-app debug unknown 5456 5456 0 0.0
FLASH 5344804 5344804 0 0.0
RAM 242600 242600 0 0.0
bridge-app debug unknown 5440 5440 0 0.0
FLASH 4684372 4684372 0 0.0
RAM 218416 218416 0 0.0
chip-tool debug unknown 5992 5992 0 0.0
FLASH 12848744 12848744 0 0.0
RAM 582506 582506 0 0.0
chip-tool-ipv6only arm64 unknown 21352 21352 0 0.0
FLASH 10983232 10983232 0 0.0
RAM 633424 633424 0 0.0
fabric-admin debug unknown 5816 5816 0 0.0
FLASH 11255293 11255293 0 0.0
RAM 582850 582850 0 0.0
fabric-bridge-app debug unknown 4696 4696 0 0.0
FLASH 4509948 4509948 0 0.0
RAM 205600 205600 0 0.0
fabric-sync debug unknown 4936 4936 0 0.0
FLASH 5610053 5610053 0 0.0
RAM 472584 472584 0 0.0
lighting-app debug+rpc+ui unknown 6104 6104 0 0.0
FLASH 5621073 5621073 0 0.0
RAM 228792 228792 0 0.0
lock-app debug unknown 5376 5376 0 0.0
FLASH 4733612 4733612 0 0.0
RAM 204776 204776 0 0.0
ota-provider-app debug unknown 4752 4752 0 0.0
FLASH 4359350 4359350 0 0.0
RAM 198448 198448 0 0.0
ota-requestor-app debug unknown 4688 4688 0 0.0
FLASH 4498342 4498342 0 0.0
RAM 203032 203032 0 0.0
shell debug unknown 4248 4248 0 0.0
FLASH 3030077 3030077 0 0.0
RAM 160424 160424 0 0.0
thermostat-no-ble arm64 unknown 9536 9536 0 0.0
FLASH 4103472 4103472 0 0.0
RAM 243040 243040 0 0.0
tv-app debug unknown 5704 5704 0 0.0
FLASH 5958901 5958901 0 0.0
RAM 596016 596016 0 0.0
tv-casting-app debug unknown 5288 5288 0 0.0
FLASH 11054589 11054589 0 0.0
RAM 692184 692184 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 FLASH 917616 917616 0 0.0
RAM 143292 143292 0 0.0
nrf7002dk_nrf5340_cpuapp FLASH 890104 890104 0 0.0
RAM 141487 141487 0 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 FLASH 851760 851760 0 0.0
RAM 142200 142200 0 0.0
nxp contact k32w0+release FLASH 585440 585440 0 0.0
RAM 71080 71080 0 0.0
mcxw71+release FLASH 600048 600048 0 0.0
RAM 63176 63176 0 0.0
light k32w0+release FLASH 612396 612396 0 0.0
RAM 70472 70472 0 0.0
k32w1+release FLASH 686576 686576 0 0.0
RAM 48808 48808 0 0.0
lock mcxw71+release FLASH 762928 762928 0 0.0
RAM 70844 70844 0 0.0
psoc6 all-clusters cy8ckit_062s2_43012 FLASH 1646364 1646364 0 0.0
RAM 212104 212104 0 0.0
all-clusters-minimal cy8ckit_062s2_43012 FLASH 1554108 1554108 0 0.0
RAM 208904 208904 0 0.0
light cy8ckit_062s2_43012 FLASH 1469436 1469436 0 0.0
RAM 200880 200880 0 0.0
lock cy8ckit_062s2_43012 FLASH 1467164 1467164 0 0.0
RAM 225240 225240 0 0.0
qpg lighting-app qpg6105+debug FLASH 664008 664008 0 0.0
RAM 105424 105424 0 0.0
lock-app qpg6105+debug FLASH 621796 621796 0 0.0
RAM 99868 99868 0 0.0
stm32 light STM32WB5MM-DK FLASH 484720 484720 0 0.0
RAM 144880 144880 0 0.0
telink bridge-app tlsr9258a FLASH 682920 682920 0 0.0
RAM 91208 91208 0 0.0
contact-sensor-app tlsr9528a_retention FLASH 623350 623350 0 0.0
RAM 31440 31440 0 0.0
light-app-ota-compress-lzma-shell-factory-data tl3218x FLASH 772180 772180 0 0.0
RAM 49300 49300 0 0.0
light-switch-app-ota-compress-lzma-shell-factory-data tlsr9528a FLASH 710774 710774 0 0.0
RAM 73504 73504 0 0.0
lighting-app-ota-factory-data tlsr9118bdk40d FLASH 627794 627794 0 0.0
RAM 142140 142140 0 0.0
lighting-app-ota-rpc-factory-data-4mb tlsr9518adk80d FLASH 813808 813808 0 0.0
RAM 99684 99684 0 0.0
tizen all-clusters-app arm unknown 4988 4988 0 0.0
FLASH 1732528 1732528 0 0.0
RAM 90744 90744 0 0.0
chip-tool-ubsan arm unknown 10804 10804 0 0.0
FLASH 17972150 17972150 0 0.0
RAM 7841864 7841864 0 0.0

tcarmelveilleux
tcarmelveilleux reviewed Dec 13, 2024
View reviewed changes
credentials/test/attestation/Chip-Test-DAC-FFF1-8001-Singed-By-Revoked-PAI-Cert.pem
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Please rename Singed to Signed everywhere.

tcarmelveilleux
tcarmelveilleux reviewed Dec 13, 2024
View reviewed changes
credentials/development/attestation/Matter-Development-DAC-FFF1-8001-Revoked-01-Cert.pem
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please wait for a review by @bh3000 befire merging.

bh3000
bh3000 reviewed Dec 13, 2024
View reviewed changes
Copy link

@bh3000 bh3000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a set of CRLs and certs for the indirect CRL signing use case as well?

For complete test/example coverage there needs to be versions that includes the CRL entry extension Certificate Issuer as well. Note that there are two approaches here that should be included, the case where each entry has the Certificate Issuer, and the case where the entry's are grouped by Certificate Issuer (multiple entries with the same Certificate Issuer where only the first in the group contain the extension). See section 6.2.4.1. Step 10.a. and RFC 5280 section 5.3.3 for detail.

Can you add those?

credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-CRL.pem Show resolved Hide resolved
tcarmelveilleux
tcarmelveilleux reviewed Dec 13, 2024
View reviewed changes
credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-CRL.pem
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CRLs have to be regenerated with the Authority Key Identifier extension matching the CRLSignerCertificates Subject Key Identifier.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To add this you can update the ca.conf you use to include:

[ crl_ext ]
authorityKeyIdentifier=keyid:always

and within the [ ca ], or where the default_ca points to add:
crl_extensions = crl_ext

@bh3000
Copy link

bh3000 commented Dec 13, 2024

Could you add a set of CRLs and certs for the indirect CRL signing use case as well?

For complete test/example coverage there needs to be versions that includes the CRL entry extension Certificate Issuer as well. Note that there are two approaches here that should be included, the case where each entry has the Certificate Issuer, and the case where the entry's are grouped by Certificate Issuer (multiple entries with the same Certificate Issuer where only the first in the group contain the extension). See section 6.2.4.1. Step 10.a. and RFC 5280 section 5.3.3 for detail.

Can you add those?

This can be done in a separate PR. No need to do here.

andy31415
andy31415 reviewed Dec 13, 2024
View reviewed changes
Copy link
Contributor

@andy31415 andy31415 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shubhamdp please add a Testing entry in the summary of this PR and explain how this change was tested.

Since I see no unit test changes, I assume this will be "manually tested via..." and in that case we would like to intentionally set the bar higher on manual tests (to avoid all PRs setting manual because it is easier) so please spend time to add details on how this was tested as well as a justification why it is impossible for this PR to be tested in an automated fashion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bh3000 bh3000 bh3000 left review comments

@andy31415 andy31415 andy31415 left review comments

@tcarmelveilleux tcarmelveilleux tcarmelveilleux approved these changes

Assignees
No one assigned
Labels
review - pending
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shubhamdp @bh3000 @tcarmelveilleux @andy31415