Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2020-2022 Project CHIP Authors
4 : * Copyright (c) 2013-2017 Nest Labs, Inc.
5 : * All rights reserved.
6 : *
7 : * Licensed under the Apache License, Version 2.0 (the "License");
8 : * you may not use this file except in compliance with the License.
9 : * You may obtain a copy of the License at
10 : *
11 : * http://www.apache.org/licenses/LICENSE-2.0
12 : *
13 : * Unless required by applicable law or agreed to in writing, software
14 : * distributed under the License is distributed on an "AS IS" BASIS,
15 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 : * See the License for the specific language governing permissions and
17 : * limitations under the License.
18 : */
19 :
20 : /**
21 : * @file
22 : * This file implements methods for converting a standard X.509
23 : * certificate to a CHIP TLV-encoded certificate.
24 : *
25 : */
26 :
27 : #include <stddef.h>
28 :
29 : #include <credentials/CHIPCert.h>
30 : #include <lib/asn1/ASN1.h>
31 : #include <lib/asn1/ASN1Macros.h>
32 : #include <lib/core/CHIPCore.h>
33 : #include <lib/core/CHIPSafeCasts.h>
34 : #include <lib/core/Optional.h>
35 : #include <lib/core/TLV.h>
36 : #include <lib/support/BytesToHex.h>
37 : #include <lib/support/CodeUtils.h>
38 : #include <lib/support/SafeInt.h>
39 : #include <protocols/Protocols.h>
40 :
41 : namespace chip {
42 : namespace Credentials {
43 :
44 : using namespace chip::ASN1;
45 : using namespace chip::TLV;
46 : using namespace chip::Protocols;
47 : using namespace chip::Crypto;
48 :
49 281 : static CHIP_ERROR ConvertDistinguishedName(ASN1Reader & reader, TLVWriter & writer, Tag tag)
50 : {
51 281 : ChipDN dn;
52 281 : ReturnErrorOnFailure(dn.DecodeFromASN1(reader));
53 274 : return dn.EncodeToTLV(writer, tag);
54 281 : }
55 :
56 144 : static CHIP_ERROR ConvertValidity(ASN1Reader & reader, TLVWriter & writer)
57 : {
58 : CHIP_ERROR err;
59 : ASN1UniversalTime asn1Time;
60 : uint32_t chipEpochTimeNotBefore;
61 : uint32_t chipEpochTimeNotAfter;
62 :
63 144 : ASN1_PARSE_ENTER_SEQUENCE
64 : {
65 144 : ASN1_PARSE_TIME(asn1Time);
66 141 : ReturnErrorOnFailure(ASN1ToChipEpochTime(asn1Time, chipEpochTimeNotBefore));
67 :
68 141 : ASN1_PARSE_TIME(asn1Time);
69 138 : ReturnErrorOnFailure(ASN1ToChipEpochTime(asn1Time, chipEpochTimeNotAfter));
70 :
71 : // Perform this check if NotAfter value is different from Never-Expire value.
72 138 : if (chipEpochTimeNotAfter != kNullCertTime)
73 : {
74 134 : VerifyOrReturnError(chipEpochTimeNotBefore < chipEpochTimeNotAfter, ASN1_ERROR_INVALID_ENCODING);
75 : }
76 :
77 135 : ReturnErrorOnFailure(writer.Put(ContextTag(kTag_NotBefore), chipEpochTimeNotBefore));
78 135 : ReturnErrorOnFailure(writer.Put(ContextTag(kTag_NotAfter), chipEpochTimeNotAfter));
79 : }
80 135 : ASN1_EXIT_SEQUENCE;
81 :
82 141 : exit:
83 141 : return err;
84 : }
85 :
86 129 : static CHIP_ERROR ConvertSubjectPublicKeyInfo(ASN1Reader & reader, TLVWriter & writer)
87 : {
88 : CHIP_ERROR err;
89 : OID pubKeyAlgoOID, pubKeyCurveOID;
90 :
91 : // subjectPublicKeyInfo SubjectPublicKeyInfo,
92 129 : ASN1_PARSE_ENTER_SEQUENCE
93 : {
94 : // algorithm AlgorithmIdentifier,
95 : // AlgorithmIdentifier ::= SEQUENCE
96 129 : ASN1_PARSE_ENTER_SEQUENCE
97 : {
98 : // algorithm OBJECT IDENTIFIER,
99 129 : ASN1_PARSE_OBJECT_ID(pubKeyAlgoOID);
100 :
101 : // Verify that the algorithm type is supported.
102 129 : VerifyOrExit(pubKeyAlgoOID == kOID_PubKeyAlgo_ECPublicKey, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
103 :
104 129 : err = writer.Put(ContextTag(kTag_PublicKeyAlgorithm), GetOIDEnum(pubKeyAlgoOID));
105 129 : SuccessOrExit(err);
106 :
107 : // EcpkParameters ::= CHOICE {
108 : // ecParameters ECParameters,
109 : // namedCurve OBJECT IDENTIFIER,
110 : // implicitlyCA NULL }
111 129 : ASN1_PARSE_ANY;
112 :
113 : // ecParameters and implicitlyCA not supported.
114 129 : if (reader.GetClass() == kASN1TagClass_Universal && reader.GetTag() == kASN1UniversalTag_Sequence)
115 : {
116 0 : ExitNow(err = ASN1_ERROR_UNSUPPORTED_ENCODING);
117 : }
118 129 : if (reader.GetClass() == kASN1TagClass_Universal && reader.GetTag() == kASN1UniversalTag_Null)
119 : {
120 0 : ExitNow(err = ASN1_ERROR_UNSUPPORTED_ENCODING);
121 : }
122 :
123 129 : ASN1_VERIFY_TAG(kASN1TagClass_Universal, kASN1UniversalTag_ObjectId);
124 :
125 129 : ASN1_GET_OBJECT_ID(pubKeyCurveOID);
126 :
127 : // Verify the curve name is recognized.
128 129 : VerifyOrExit(GetOIDCategory(pubKeyCurveOID) == kOIDCategory_EllipticCurve, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
129 :
130 126 : err = writer.Put(ContextTag(kTag_EllipticCurveIdentifier), GetOIDEnum(pubKeyCurveOID));
131 126 : SuccessOrExit(err);
132 : }
133 126 : ASN1_EXIT_SEQUENCE;
134 :
135 : // subjectPublicKey BIT STRING
136 126 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_BitString);
137 :
138 : // Verify public key length.
139 126 : VerifyOrExit(reader.GetValueLen() > 0, err = ASN1_ERROR_INVALID_ENCODING);
140 :
141 : // The first byte is Unused Bit Count value, which should be zero.
142 126 : VerifyOrExit(reader.GetValue()[0] == 0, err = ASN1_ERROR_INVALID_ENCODING);
143 :
144 : // Copy the X9.62 encoded EC point into the CHIP certificate as a byte string.
145 : // Skip the first Unused Bit Count byte.
146 126 : err = writer.PutBytes(ContextTag(kTag_EllipticCurvePublicKey), reader.GetValue() + 1, reader.GetValueLen() - 1);
147 126 : SuccessOrExit(err);
148 : }
149 126 : ASN1_EXIT_SEQUENCE;
150 :
151 129 : exit:
152 129 : return err;
153 : }
154 :
155 513 : static CHIP_ERROR ConvertExtension(ASN1Reader & reader, TLVWriter & writer)
156 : {
157 : CHIP_ERROR err;
158 : TLVType outerContainer;
159 : OID extensionOID;
160 513 : bool critical = false;
161 : const uint8_t * extensionSequence;
162 : uint32_t extensionSequenceLen;
163 :
164 513 : err = reader.GetConstructedType(extensionSequence, extensionSequenceLen);
165 513 : SuccessOrExit(err);
166 :
167 : // Extension ::= SEQUENCE
168 513 : ASN1_ENTER_SEQUENCE
169 : {
170 : // extnID OBJECT IDENTIFIER,
171 513 : ASN1_PARSE_OBJECT_ID(extensionOID);
172 :
173 : // The kOID_Unknown will be interpreted and encoded as future-extension.
174 513 : if (extensionOID != kOID_Unknown)
175 : {
176 505 : VerifyOrExit(GetOIDCategory(extensionOID) == kOIDCategory_Extension, err = ASN1_ERROR_INVALID_ENCODING);
177 : }
178 :
179 : // critical BOOLEAN DEFAULT FALSE,
180 513 : ASN1_PARSE_ANY;
181 513 : if (reader.GetClass() == kASN1TagClass_Universal && reader.GetTag() == kASN1UniversalTag_Boolean)
182 : {
183 281 : ASN1_GET_BOOLEAN(critical);
184 :
185 281 : VerifyOrExit(critical, err = ASN1_ERROR_INVALID_ENCODING);
186 :
187 281 : ASN1_PARSE_ANY;
188 : }
189 :
190 : // extnValue OCTET STRING
191 : // -- contains the DER encoding of an ASN.1 value
192 : // -- corresponding to the extension type identified
193 : // -- by extnID
194 513 : ASN1_ENTER_ENCAPSULATED(kASN1TagClass_Universal, kASN1UniversalTag_OctetString)
195 : {
196 513 : if (extensionOID == kOID_Extension_AuthorityKeyIdentifier)
197 : {
198 : // This extension MUST be marked as non-critical.
199 105 : VerifyOrExit(!critical, err = ASN1_ERROR_INVALID_ENCODING);
200 :
201 : // AuthorityKeyIdentifier ::= SEQUENCE
202 105 : ASN1_PARSE_ENTER_SEQUENCE
203 : {
204 105 : err = reader.Next();
205 105 : SuccessOrExit(err);
206 :
207 : // keyIdentifier [0] IMPLICIT KeyIdentifier,
208 : // KeyIdentifier ::= OCTET STRING
209 105 : VerifyOrExit(reader.GetClass() == kASN1TagClass_ContextSpecific && reader.GetTag() == 0,
210 : err = ASN1_ERROR_INVALID_ENCODING);
211 :
212 105 : VerifyOrExit(reader.IsConstructed() == false, err = ASN1_ERROR_INVALID_ENCODING);
213 105 : VerifyOrExit(reader.GetValueLen() == kKeyIdentifierLength, err = ASN1_ERROR_INVALID_ENCODING);
214 :
215 102 : err = writer.PutBytes(ContextTag(kTag_AuthorityKeyIdentifier), reader.GetValue(), reader.GetValueLen());
216 102 : SuccessOrExit(err);
217 :
218 101 : err = reader.Next();
219 101 : VerifyOrExit(err == ASN1_END, err = ASN1_ERROR_INVALID_ENCODING);
220 : }
221 101 : ASN1_EXIT_SEQUENCE;
222 : }
223 408 : else if (extensionOID == kOID_Extension_SubjectKeyIdentifier)
224 : {
225 : // This extension MUST be marked as non-critical.
226 108 : VerifyOrExit(!critical, err = ASN1_ERROR_INVALID_ENCODING);
227 :
228 : // SubjectKeyIdentifier ::= KeyIdentifier
229 : // KeyIdentifier ::= OCTET STRING
230 108 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_OctetString);
231 :
232 108 : VerifyOrExit(reader.GetValueLen() == kKeyIdentifierLength, err = ASN1_ERROR_INVALID_ENCODING);
233 :
234 105 : err = writer.PutBytes(ContextTag(kTag_SubjectKeyIdentifier), reader.GetValue(), reader.GetValueLen());
235 105 : SuccessOrExit(err);
236 : }
237 300 : else if (extensionOID == kOID_Extension_KeyUsage)
238 : {
239 : // This extension MUST be marked as critical.
240 116 : VerifyOrExit(critical, err = ASN1_ERROR_INVALID_ENCODING);
241 :
242 : // KeyUsage ::= BIT STRING
243 110 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_BitString);
244 :
245 : uint32_t keyUsageBits;
246 110 : err = reader.GetBitString(keyUsageBits);
247 110 : SuccessOrExit(err);
248 110 : VerifyOrExit(CanCastTo<uint16_t>(keyUsageBits), err = ASN1_ERROR_INVALID_ENCODING);
249 :
250 : // Check that only supported flags are set.
251 110 : BitFlags<KeyUsageFlags> keyUsageFlags(static_cast<uint16_t>(keyUsageBits));
252 110 : VerifyOrExit(keyUsageFlags.HasOnly(
253 : KeyUsageFlags::kDigitalSignature, KeyUsageFlags::kNonRepudiation, KeyUsageFlags::kKeyEncipherment,
254 : KeyUsageFlags::kDataEncipherment, KeyUsageFlags::kKeyAgreement, KeyUsageFlags::kKeyCertSign,
255 : KeyUsageFlags::kCRLSign, KeyUsageFlags::kEncipherOnly, KeyUsageFlags::kEncipherOnly),
256 : err = ASN1_ERROR_INVALID_ENCODING);
257 :
258 110 : err = writer.Put(ContextTag(kTag_KeyUsage), keyUsageBits);
259 110 : SuccessOrExit(err);
260 : }
261 184 : else if (extensionOID == kOID_Extension_BasicConstraints)
262 : {
263 : // This extension MUST be marked as critical.
264 126 : VerifyOrExit(critical, err = ASN1_ERROR_INVALID_ENCODING);
265 :
266 : // BasicConstraints ::= SEQUENCE
267 120 : ASN1_PARSE_ENTER_SEQUENCE
268 : {
269 120 : bool isCA = false;
270 120 : int64_t pathLenConstraint = -1;
271 :
272 : // cA BOOLEAN DEFAULT FALSE
273 120 : err = reader.Next();
274 188 : if (err == CHIP_NO_ERROR && reader.GetClass() == kASN1TagClass_Universal &&
275 68 : reader.GetTag() == kASN1UniversalTag_Boolean)
276 : {
277 68 : ASN1_GET_BOOLEAN(isCA);
278 :
279 64 : VerifyOrExit(isCA, err = ASN1_ERROR_INVALID_ENCODING);
280 :
281 64 : err = reader.Next();
282 : }
283 :
284 : // pathLenConstraint INTEGER (0..MAX) OPTIONAL
285 127 : if (err == CHIP_NO_ERROR && reader.GetClass() == kASN1TagClass_Universal &&
286 7 : reader.GetTag() == kASN1UniversalTag_Integer)
287 : {
288 7 : ASN1_GET_INTEGER(pathLenConstraint);
289 :
290 7 : VerifyOrExit(CanCastTo<uint8_t>(pathLenConstraint), err = ASN1_ERROR_INVALID_ENCODING);
291 :
292 : // pathLenConstraint is present only when cA is TRUE
293 7 : VerifyOrExit(isCA, err = ASN1_ERROR_INVALID_ENCODING);
294 : }
295 :
296 116 : err = writer.StartContainer(ContextTag(kTag_BasicConstraints), kTLVType_Structure, outerContainer);
297 116 : SuccessOrExit(err);
298 :
299 : // Set also when cA is FALSE
300 116 : err = writer.PutBoolean(ContextTag(kTag_BasicConstraints_IsCA), isCA);
301 116 : SuccessOrExit(err);
302 :
303 116 : if (pathLenConstraint != -1)
304 : {
305 3 : err = writer.Put(ContextTag(kTag_BasicConstraints_PathLenConstraint),
306 : static_cast<uint8_t>(pathLenConstraint));
307 3 : SuccessOrExit(err);
308 : }
309 :
310 116 : err = writer.EndContainer(outerContainer);
311 116 : SuccessOrExit(err);
312 : }
313 116 : ASN1_EXIT_SEQUENCE;
314 : }
315 58 : else if (extensionOID == kOID_Extension_ExtendedKeyUsage)
316 : {
317 : // This extension MUST be marked as critical.
318 50 : VerifyOrExit(critical, err = ASN1_ERROR_INVALID_ENCODING);
319 :
320 50 : err = writer.StartContainer(ContextTag(kTag_ExtendedKeyUsage), kTLVType_Array, outerContainer);
321 50 : SuccessOrExit(err);
322 :
323 : // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
324 50 : ASN1_PARSE_ENTER_SEQUENCE
325 : {
326 149 : while ((err = reader.Next()) == CHIP_NO_ERROR)
327 : {
328 : // KeyPurposeId ::= OBJECT IDENTIFIER
329 : OID keyPurposeOID;
330 99 : ASN1_GET_OBJECT_ID(keyPurposeOID);
331 :
332 99 : VerifyOrExit(keyPurposeOID != kOID_Unknown, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
333 99 : VerifyOrExit(GetOIDCategory(keyPurposeOID) == kOIDCategory_KeyPurpose, err = ASN1_ERROR_INVALID_ENCODING);
334 :
335 99 : err = writer.Put(AnonymousTag(), GetOIDEnum(keyPurposeOID));
336 99 : SuccessOrExit(err);
337 : }
338 50 : if (err != ASN1_END)
339 : {
340 0 : SuccessOrExit(err);
341 : }
342 : }
343 50 : ASN1_EXIT_SEQUENCE;
344 :
345 50 : err = writer.EndContainer(outerContainer);
346 50 : SuccessOrExit(err);
347 : }
348 : // Any other extension is treated as FutureExtension
349 : else
350 : {
351 8 : err = writer.PutBytes(ContextTag(kTag_FutureExtension), extensionSequence, extensionSequenceLen);
352 8 : SuccessOrExit(err);
353 :
354 8 : ASN1_PARSE_ANY;
355 : }
356 : }
357 490 : ASN1_EXIT_ENCAPSULATED;
358 : }
359 490 : ASN1_EXIT_SEQUENCE;
360 :
361 513 : exit:
362 513 : return err;
363 : }
364 :
365 126 : static CHIP_ERROR ConvertExtensions(ASN1Reader & reader, TLVWriter & writer)
366 : {
367 : CHIP_ERROR err;
368 : TLVType containerType;
369 :
370 126 : err = writer.StartContainer(ContextTag(kTag_Extensions), kTLVType_List, containerType);
371 126 : SuccessOrExit(err);
372 :
373 : // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
374 126 : ASN1_PARSE_ENTER_SEQUENCE
375 : {
376 616 : while ((err = reader.Next()) == CHIP_NO_ERROR)
377 : {
378 513 : err = ConvertExtension(reader, writer);
379 513 : SuccessOrExit(err);
380 : }
381 :
382 103 : if (err != ASN1_END)
383 : {
384 0 : SuccessOrExit(err);
385 : }
386 : }
387 103 : ASN1_EXIT_SEQUENCE;
388 :
389 103 : err = writer.EndContainer(containerType);
390 103 : SuccessOrExit(err);
391 :
392 126 : exit:
393 126 : return err;
394 : }
395 :
396 103 : CHIP_ERROR ConvertECDSASignatureDERToRaw(ASN1Reader & reader, TLVWriter & writer, Tag tag)
397 : {
398 103 : CHIP_ERROR err = CHIP_NO_ERROR;
399 : uint8_t rawSig[kP256_ECDSA_Signature_Length_Raw];
400 :
401 : // Per RFC3279, the ECDSA signature value is encoded in DER encapsulated in the signatureValue BIT STRING.
402 103 : ASN1_ENTER_ENCAPSULATED(kASN1TagClass_Universal, kASN1UniversalTag_BitString)
403 : {
404 : // Ecdsa-Sig-Value ::= SEQUENCE
405 103 : ASN1_PARSE_ENTER_SEQUENCE
406 : {
407 : // r INTEGER
408 103 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_Integer);
409 103 : ReturnErrorOnFailure(
410 : ConvertIntegerDERToRaw(ByteSpan(reader.GetValue(), reader.GetValueLen()), rawSig, kP256_FE_Length));
411 :
412 : // s INTEGER
413 103 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_Integer);
414 103 : ReturnErrorOnFailure(ConvertIntegerDERToRaw(ByteSpan(reader.GetValue(), reader.GetValueLen()), rawSig + kP256_FE_Length,
415 : kP256_FE_Length));
416 : }
417 103 : ASN1_EXIT_SEQUENCE;
418 : }
419 103 : ASN1_EXIT_ENCAPSULATED;
420 :
421 103 : ReturnErrorOnFailure(writer.PutBytes(tag, rawSig, kP256_ECDSA_Signature_Length_Raw));
422 :
423 102 : exit:
424 102 : return err;
425 : }
426 :
427 152 : static CHIP_ERROR ConvertCertificate(ASN1Reader & reader, TLVWriter & writer, Tag tag)
428 : {
429 : CHIP_ERROR err;
430 : int64_t version;
431 : OID sigAlgoOID;
432 : TLVType containerType;
433 :
434 152 : err = writer.StartContainer(tag, kTLVType_Structure, containerType);
435 152 : SuccessOrExit(err);
436 :
437 : // Certificate ::= SEQUENCE
438 152 : ASN1_PARSE_ENTER_SEQUENCE
439 : {
440 : // tbsCertificate TBSCertificate,
441 : // TBSCertificate ::= SEQUENCE
442 152 : ASN1_PARSE_ENTER_SEQUENCE
443 : {
444 : // version [0] EXPLICIT Version DEFAULT v1
445 152 : ASN1_PARSE_ENTER_CONSTRUCTED(kASN1TagClass_ContextSpecific, 0)
446 : {
447 : // Version ::= INTEGER { v1(0), v2(1), v3(2) }
448 152 : ASN1_PARSE_INTEGER(version);
449 :
450 : // Verify that the X.509 certificate version is v3
451 152 : VerifyOrExit(version == 2, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
452 : }
453 149 : ASN1_EXIT_CONSTRUCTED;
454 :
455 : // serialNumber CertificateSerialNumber
456 : // CertificateSerialNumber ::= INTEGER
457 149 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_Integer);
458 149 : err = writer.PutBytes(ContextTag(kTag_SerialNumber), reader.GetValue(), reader.GetValueLen());
459 149 : SuccessOrExit(err);
460 :
461 : // signature AlgorithmIdentifier
462 : // AlgorithmIdentifier ::= SEQUENCE
463 149 : ASN1_PARSE_ENTER_SEQUENCE
464 : {
465 : // algorithm OBJECT IDENTIFIER,
466 149 : ASN1_PARSE_OBJECT_ID(sigAlgoOID);
467 :
468 149 : VerifyOrExit(sigAlgoOID == kOID_SigAlgo_ECDSAWithSHA256, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
469 :
470 146 : err = writer.Put(ContextTag(kTag_SignatureAlgorithm), GetOIDEnum(sigAlgoOID));
471 146 : SuccessOrExit(err);
472 : }
473 146 : ASN1_EXIT_SEQUENCE;
474 :
475 : // issuer Name
476 146 : err = ConvertDistinguishedName(reader, writer, ContextTag(kTag_Issuer));
477 146 : SuccessOrExit(err);
478 :
479 : // validity Validity,
480 144 : err = ConvertValidity(reader, writer);
481 144 : SuccessOrExit(err);
482 :
483 : // subject Name,
484 135 : err = ConvertDistinguishedName(reader, writer, ContextTag(kTag_Subject));
485 135 : SuccessOrExit(err);
486 :
487 129 : err = ConvertSubjectPublicKeyInfo(reader, writer);
488 129 : SuccessOrExit(err);
489 :
490 126 : err = reader.Next();
491 :
492 : // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
493 : // Not supported.
494 126 : if (err == CHIP_NO_ERROR && reader.GetClass() == kASN1TagClass_ContextSpecific && reader.GetTag() == 1)
495 : {
496 0 : ExitNow(err = ASN1_ERROR_UNSUPPORTED_ENCODING);
497 : }
498 :
499 : // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
500 : // Not supported.
501 126 : if (err == CHIP_NO_ERROR && reader.GetClass() == kASN1TagClass_ContextSpecific && reader.GetTag() == 2)
502 : {
503 0 : ExitNow(err = ASN1_ERROR_UNSUPPORTED_ENCODING);
504 : }
505 :
506 : // extensions [3] EXPLICIT Extensions OPTIONAL
507 126 : if (err == CHIP_NO_ERROR && reader.GetClass() == kASN1TagClass_ContextSpecific && reader.GetTag() == 3)
508 : {
509 126 : ASN1_ENTER_CONSTRUCTED(kASN1TagClass_ContextSpecific, 3)
510 : {
511 126 : err = ConvertExtensions(reader, writer);
512 126 : SuccessOrExit(err);
513 : }
514 103 : ASN1_EXIT_CONSTRUCTED;
515 :
516 103 : err = reader.Next();
517 : }
518 :
519 103 : if (err != ASN1_END)
520 : {
521 0 : ExitNow();
522 : }
523 : }
524 103 : ASN1_EXIT_SEQUENCE;
525 :
526 : // signatureAlgorithm AlgorithmIdentifier
527 : // AlgorithmIdentifier ::= SEQUENCE
528 103 : ASN1_PARSE_ENTER_SEQUENCE
529 : {
530 : OID localSigAlgoOID;
531 :
532 : // algorithm OBJECT IDENTIFIER,
533 103 : ASN1_PARSE_OBJECT_ID(localSigAlgoOID);
534 :
535 : // Verify that the signatureAlgorithm is the same as the "signature" field in TBSCertificate.
536 103 : VerifyOrExit(localSigAlgoOID == sigAlgoOID, err = ASN1_ERROR_UNSUPPORTED_ENCODING);
537 : }
538 103 : ASN1_EXIT_SEQUENCE;
539 :
540 : // signatureValue BIT STRING
541 103 : ASN1_PARSE_ELEMENT(kASN1TagClass_Universal, kASN1UniversalTag_BitString);
542 :
543 103 : ReturnErrorOnFailure(ConvertECDSASignatureDERToRaw(reader, writer, ContextTag(kTag_ECDSASignature)));
544 : }
545 102 : ASN1_EXIT_SEQUENCE;
546 :
547 102 : err = writer.EndContainer(containerType);
548 102 : SuccessOrExit(err);
549 :
550 151 : exit:
551 151 : return err;
552 : }
553 :
554 152 : CHIP_ERROR ConvertX509CertToChipCert(const ByteSpan x509Cert, MutableByteSpan & chipCert)
555 : {
556 : ASN1Reader reader;
557 152 : TLVWriter writer;
558 :
559 152 : VerifyOrReturnError(!x509Cert.empty(), CHIP_ERROR_INVALID_ARGUMENT);
560 152 : VerifyOrReturnError(CanCastTo<uint32_t>(x509Cert.size()), CHIP_ERROR_INVALID_ARGUMENT);
561 :
562 152 : reader.Init(x509Cert);
563 :
564 152 : writer.Init(chipCert);
565 :
566 152 : ReturnErrorOnFailure(ConvertCertificate(reader, writer, AnonymousTag()));
567 :
568 102 : ReturnErrorOnFailure(writer.Finalize());
569 :
570 102 : chipCert.reduce_size(writer.GetLengthWritten());
571 :
572 102 : return CHIP_NO_ERROR;
573 : }
574 :
575 : } // namespace Credentials
576 : } // namespace chip
|
