From c92e5851c759ef8de64f291d67c030835973cc79 Mon Sep 17 00:00:00 2001 From: "tennessee.carmelveilleux@gmail.com" Date: Mon, 12 Jun 2023 17:00:39 -0400 Subject: [PATCH 1/6] Fix PAA pathlen check Problem: - Since Matter 1.1, PAAs are allowed to omit the pathlen optional field to basic constraints extension. The code did not do that - Fixes #27194 Changes in this PR: - Update all CryptoPAL backends to fix the path length checks - Added unit tests covering valid and invalid basic constraints around path lengths. Testing done: - Unit tests pass on both mbedTLS and BoringSSL/OpenSSL CryptoPAL --- src/crypto/CHIPCryptoPALOpenSSL.cpp | 3 +- src/crypto/CHIPCryptoPALPSA.cpp | 5 +- src/crypto/CHIPCryptoPALmbedTLS.cpp | 5 +- src/crypto/tests/BUILD.gn | 1 + src/crypto/tests/CHIPCryptoPALTest.cpp | 12 + .../tests/DacValidationExplicitVectors.h | 205 ++++++++++++++++++ .../common/crypto/CHIPCryptoPALTinyCrypt.cpp | 5 +- .../crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 5 +- .../silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 5 +- .../silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 5 +- 10 files changed, 238 insertions(+), 13 deletions(-) create mode 100644 src/crypto/tests/DacValidationExplicitVectors.h diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp index a3321aaf9e2828..e181190a109bb6 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.cpp +++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp @@ -1653,7 +1653,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), err = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), err = CHIP_ERROR_INTERNAL); } } break; diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index 2d01e3229b4918..8d5d643c004e27 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp 
@@ -1311,8 +1311,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } @@ -1326,7 +1326,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 26a00156725791..8529a6ddfffbdd 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1402,8 +1402,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } @@ -1417,7 +1417,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) diff --git a/src/crypto/tests/BUILD.gn b/src/crypto/tests/BUILD.gn index ea3ee0dc124f5d..0f2fde50996481 100644 --- a/src/crypto/tests/BUILD.gn +++ b/src/crypto/tests/BUILD.gn 
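Review bot: Dropping `VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);` after `mbedtls_asn1_get_int` makes every parse failure of the pathLen field indistinguishable from an absent field, so a PAA whose basicConstraints carries malformed bytes after the cA boolean now satisfies `pathLen == -1` in the following hunk and passes format validation. The read is only attempted when `p != seqStart + len`, so the absent case belongs in that bounds comparison rather than in an ignored return code; how `seqStart` and `len` are set is outside the hunk, so confirm the comparison really marks the end of the SEQUENCE. If it cannot be tightened here, keep a narrowed check such as `VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_OUT_OF_DATA, error = CHIP_ERROR_INTERNAL);` (assuming out-of-data is what an absent field yields at this point). The new comment also depends on mbedTLS leaving `pathLen` untouched on error, which is worth stating as a library assumption. The same removal appears in CHIPCryptoPALmbedTLS.cpp, both CHIPCryptoPALTinyCrypt.cpp copies, CHIPCryptoPALNXPUltrafastP256.cpp and CHIPCryptoPALPsaEfr32.cpp.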
@@ -25,6 +25,7 @@ chip_test_suite("tests") { sources = [ "AES_CCM_128_test_vectors.h", "CHIPCryptoPALTest.cpp", + "DacValidationExplicitVectors.h", "DerSigConversion_test_vectors.h", "ECDH_P256_test_vectors.h", "HKDF_SHA256_test_vectors.h", diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp index fae25912c2fe44..4b8d0bff4ac2f8 100644 --- a/src/crypto/tests/CHIPCryptoPALTest.cpp +++ b/src/crypto/tests/CHIPCryptoPALTest.cpp @@ -156,6 +156,8 @@ class HeapChecker }; #endif +#include "DacValidationExplicitVectors.h" + } // namespace static uint32_t gs_test_entropy_source_called = 0; @@ -1956,14 +1958,24 @@ static void TestX509_VerifyAttestationCertificateFormat(nlTestSuite * inSuite, v { ByteSpan(), Crypto::AttestationCertType::kDAC, CHIP_ERROR_INVALID_ARGUMENT }, { sTestCert_PAI_FFF2_NoPID_FB_Cert, Crypto::AttestationCertType::kDAC, CHIP_ERROR_INTERNAL }, { sTestCert_DAC_FFF2_8006_0025_ValInFuture_Cert, Crypto::AttestationCertType::kPAA, CHIP_ERROR_INTERNAL }, + { ByteSpan{kPaaWithNoPathlen}, Crypto::AttestationCertType::kPAA, CHIP_NO_ERROR }, + { ByteSpan{kPaiPathLenMissing}, Crypto::AttestationCertType::kPAI, CHIP_ERROR_INTERNAL }, + { ByteSpan{kPaiPathLen1}, Crypto::AttestationCertType::kPAI, CHIP_ERROR_INTERNAL }, + { ByteSpan{kPaaPathLen2}, Crypto::AttestationCertType::kPAA, CHIP_ERROR_INTERNAL }, }; // clang-format on + int case_idx = 0; for (auto & testCase : sValidationTestCases) { ByteSpan cert = testCase.cert; CHIP_ERROR err = VerifyAttestationCertificateFormat(cert, testCase.type); + if (err != testCase.expectedError) + { + ChipLogError(Crypto, "Failed TestX509_VerifyAttestationCertificateFormat sub-case %d, err: %" CHIP_ERROR_FORMAT, case_idx, err.Format()); + } NL_TEST_ASSERT(inSuite, err == testCase.expectedError); + ++case_idx; } } diff --git a/src/crypto/tests/DacValidationExplicitVectors.h b/src/crypto/tests/DacValidationExplicitVectors.h new file mode 100644 index 00000000000000..1e6daeaddd682c --- /dev/null 
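Review bot: `#include "DacValidationExplicitVectors.h"` is added just before `} // namespace`, so the header is expanded inside the anonymous namespace, and that header has its own `#include` line (target not legible on this page). Any standard header first seen through it would have its declarations placed inside the namespace. Move the include to the file's top include block; the arrays are `const` at namespace scope and so already have internal linkage in C++.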
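Review bot: The rows added to `sValidationTestCases` do not cover the two behaviours this commit changes on the rejection side. One is a PAA with pathLen 0, which the updated condition no longer accepts. The other is a basicConstraints whose pathLen field is present but malformed, which the mbedTLS-based backends now treat as absent. Add a pathLen-0 PAA vector expecting `CHIP_ERROR_INTERNAL` and a malformed-pathLen vector to pin both, and to show whether the OpenSSL and mbedTLS backends agree on the second case. The test function starts outside the hunk.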
+++ b/src/crypto/tests/DacValidationExplicitVectors.h 
@@ -0,0 +1,205 @@ +/* + * + * Copyright (c) 2023 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// This file contains test certificate bodies with particular situations that +// were not auto-generated, but rather constructed. + +#pragma once + +#include + +/* +-----BEGIN CERTIFICATE----- +MIIByjCCAXCgAwIBAgIRALmDRJO1vv31wcqYjJYpxZQwCgYIKoZIzj0EAwIwMzEb +MBkGA1UEAwwSUWlhbnlhbiBNYXR0ZXIgUEFBMRQwEgYKKwYBBAGConwCAQwEMTM4 +NzAgFw0yMzAzMTQwODIyNDRaGA85OTk5MTIzMTIzNTk1OVowMzEbMBkGA1UEAwwS +UWlhbnlhbiBNYXR0ZXIgUEFBMRQwEgYKKwYBBAGConwCAQwEMTM4NzBZMBMGByqG +SM49AgEGCCqGSM49AwEHA0IABAV999uorscml0N9OlulWuvb+6d06vsjmpwKPQd5 +mpaayy4f6ODdbycnNhHUZqxP4jQL8CLk509zlJCyTvX4f16jYzBhMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFDCn/GzW+lrLgn93bjJiB2u4EeQpMA4GA1UdDwEB +/wQEAwIBhjAfBgNVHSMEGDAWgBQwp/xs1vpay4J/d24yYgdruBHkKTAKBggqhkjO +PQQDAgNIADBFAiBo6kBk1wcJjH4XYaR6cPOrCOXmbTPk20EzfoaLrXXtrgIhANmh +IEohtRvlb6URoKv1v3jwfzATeqLNY2eLKBmQjUN8 +-----END CERTIFICATE----- +*/ + +const uint8_t kPaaWithNoPathlen[462] = { + 0x30, 0x82, 0x01, 0xca, 0x30, 0x82, 0x01, 0x70, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00, + 0xb9, 0x83, 0x44, 0x93, 0xb5, 0xbe, 0xfd, 0xf5, 0xc1, 0xca, 0x98, 0x8c, 0x96, 0x29, 0xc5, 0x94, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x33, 0x31, 0x1b, + 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x51, 0x69, 0x61, 0x6e, 0x79, 0x61, 0x6e, + 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, 
0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, + 0x37, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x33, 0x31, 0x34, 0x30, 0x38, 0x32, 0x32, 0x34, + 0x34, 0x5a, 0x18, 0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, + 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, + 0x51, 0x69, 0x61, 0x6e, 0x79, 0x61, 0x6e, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, + 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, + 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, 0x37, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00, 0x04, 0x05, 0x7d, 0xf7, 0xdb, 0xa8, 0xae, 0xc7, 0x26, 0x97, 0x43, 0x7d, 0x3a, 0x5b, + 0xa5, 0x5a, 0xeb, 0xdb, 0xfb, 0xa7, 0x74, 0xea, 0xfb, 0x23, 0x9a, 0x9c, 0x0a, 0x3d, 0x07, 0x79, + 0x9a, 0x96, 0x9a, 0xcb, 0x2e, 0x1f, 0xe8, 0xe0, 0xdd, 0x6f, 0x27, 0x27, 0x36, 0x11, 0xd4, 0x66, + 0xac, 0x4f, 0xe2, 0x34, 0x0b, 0xf0, 0x22, 0xe4, 0xe7, 0x4f, 0x73, 0x94, 0x90, 0xb2, 0x4e, 0xf5, + 0xf8, 0x7f, 0x5e, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, + 0x16, 0x04, 0x14, 0x30, 0xa7, 0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, 0x82, 0x7f, 0x77, 0x6e, 0x32, + 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, + 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x30, 0xa7, 0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, 0x82, 0x7f, 0x77, 0x6e, + 0x32, 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x68, 0xea, 0x40, 0x64, 
0xd7, + 0x07, 0x09, 0x8c, 0x7e, 0x17, 0x61, 0xa4, 0x7a, 0x70, 0xf3, 0xab, 0x08, 0xe5, 0xe6, 0x6d, 0x33, + 0xe4, 0xdb, 0x41, 0x33, 0x7e, 0x86, 0x8b, 0xad, 0x75, 0xed, 0xae, 0x02, 0x21, 0x00, 0xd9, 0xa1, + 0x20, 0x4a, 0x21, 0xb5, 0x1b, 0xe5, 0x6f, 0xa5, 0x11, 0xa0, 0xab, 0xf5, 0xbf, 0x78, 0xf0, 0x7f, + 0x30, 0x13, 0x7a, 0xa2, 0xcd, 0x63, 0x67, 0x8b, 0x28, 0x19, 0x90, 0x8d, 0x43, 0x7c, +}; + +/* +-----BEGIN CERTIFICATE----- +MIIBuDCCAV+gAwIBAgIIEl3k+yzkQuowCgYIKoZIzj0EAwIwGjEYMBYGA1UEAwwP +TWF0dGVyIFRlc3QgUEFBMB4XDTIxMDYyODE0MjM0M1oXDTMzMDYyODE0MjM0Mlow +RjEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZG +MjEUMBIGCisGAQQBgqJ8AgIMBDgwMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQso3JRSRbamUuVk4C2aycB9M84CPOT9xaxI4nC+VqK8vSTJiploKPr+BvganEH +MqCqoC/1KO+Vi/0gMmMvvYhfo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB +/wQEAwIBBjAdBgNVHQ4EFgQU2tRnb1BtRUPblHbWGGkcZ0lyjQgwHwYDVR0jBBgw +FoAUeFznBbhrj05vx5OqYMtD6mlogtUwCgYIKoZIzj0EAwIDRwAwRAIgYreXc1Ny ++5HZRSxqT4gPVP5z5ZkhZXUSYW7GHaqs8VACID/8iIGshdedcjAbI6sQO+AtevcO +qLypxnhGVlL2gQnf +-----END CERTIFICATE----- +*/ +const uint8_t kPaiPathLenMissing[444] = { + 0x30, 0x82, 0x01, 0xb8, 0x30, 0x82, 0x01, 0x5f, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, + 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, + 0x17, 0x0d, 0x33, 0x33, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, + 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, + 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 
0x32, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, + 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, + 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, + 0x27, 0x01, 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, + 0x8a, 0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, + 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, 0x32, 0x63, 0x2f, 0xbd, + 0x88, 0x5f, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, + 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0xda, 0xd4, 0x67, 0x6f, 0x50, 0x6d, 0x45, 0x43, 0xdb, 0x94, 0x76, 0xd6, 0x18, 0x69, + 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, 0x93, 0xaa, 0x60, + 0xcb, 0x43, 0xea, 0x69, 0x68, 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x62, 0xb7, 0x97, 0x73, 0x53, 0x72, + 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, 0xe5, 0x99, 0x21, 0x65, + 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, 0xfc, 0x88, 0x81, + 0xac, 0x85, 0xd7, 0x9d, 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, 0x7a, 0xf7, 0x0e, + 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, 0x56, 0x52, 0xf6, 0x81, 0x09, 0xdf, +}; + +/* +-----BEGIN CERTIFICATE----- +MIIBuzCCAWKgAwIBAgIIEl3k+yzkQuowCgYIKoZIzj0EAwIwGjEYMBYGA1UEAwwP 
+TWF0dGVyIFRlc3QgUEFBMB4XDTIxMDYyODE0MjM0M1oXDTMzMDYyODE0MjM0Mlow +RjEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZG +MjEUMBIGCisGAQQBgqJ8AgIMBDgwMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQso3JRSRbamUuVk4C2aycB9M84CPOT9xaxI4nC+VqK8vSTJiploKPr+BvganEH +MqCqoC/1KO+Vi/0gMmMvvYhfo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud +DwEB/wQEAwIBBjAdBgNVHQ4EFgQU2tRnb1BtRUPblHbWGGkcZ0lyjQgwHwYDVR0j +BBgwFoAUeFznBbhrj05vx5OqYMtD6mlogtUwCgYIKoZIzj0EAwIDRwAwRAIgYreX +c1Ny+5HZRSxqT4gPVP5z5ZkhZXUSYW7GHaqs8VACID/8iIGshdedcjAbI6sQO+At +evcOqLypxnhGVlL2gQnf +-----END CERTIFICATE----- +*/ +const uint8_t kPaiPathLen1[447] = { + 0x30, 0x82, 0x01, 0xbb, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, + 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, + 0x17, 0x0d, 0x33, 0x33, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, + 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, + 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, + 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x32, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, + 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, + 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, + 0x27, 0x01, 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, + 0x8a, 
0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, + 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, 0x32, 0x63, 0x2f, 0xbd, + 0x88, 0x5f, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0xda, 0xd4, 0x67, 0x6f, 0x50, 0x6d, 0x45, 0x43, 0xdb, 0x94, 0x76, + 0xd6, 0x18, 0x69, 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, + 0x93, 0xaa, 0x60, 0xcb, 0x43, 0xea, 0x69, 0x68, 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x62, 0xb7, 0x97, + 0x73, 0x53, 0x72, 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, 0xe5, + 0x99, 0x21, 0x65, 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, + 0xfc, 0x88, 0x81, 0xac, 0x85, 0xd7, 0x9d, 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, + 0x7a, 0xf7, 0x0e, 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, 0x56, 0x52, 0xf6, 0x81, 0x09, 0xdf, +}; + +/* +-----BEGIN CERTIFICATE----- +MIIBvDCCAWKgAwIBAgIIUU31T4F/bycwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwP +TWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMjAeFw0yMzA1Mjgx +NDIzNDNaFw0zMjA2MjcxNDIzNDJaMDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBB +QTEUMBIGCisGAQQBgqJ8AgEMBEZGRjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQjYtkTW7E7w26mNn1LTLN/93IZp/xgOrAGP9ye/8bPC166EyCmbvTjSBvKu+HM +UlUmt2r79bkb9Swzhg3GXxA5o2YwZDASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1Ud +DwEB/wQEAwIBBjAdBgNVHQ4EFgQUfx2q8kSYuYZoDqCPwYkh6EhInRcwHwYDVR0j +BBgwFoAUfx2q8kSYuYZoDqCPwYkh6EhInRcwCgYIKoZIzj0EAwIDSAAwRQIgbBOM +5XDzrA1cWOTHigR4go96aos4+W1pA8Irlj2LxRcCIQDje3+2Gvz7UW9rRkf8p/SG 
+NbKsuLiNm8I5idctQg3eaw== +-----END CERTIFICATE----- +*/ +const uint8_t kPaaPathLen2[448] = { + 0x30, 0x82, 0x01, 0xbc, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x51, + 0x4d, 0xf5, 0x4f, 0x81, 0x7f, 0x6f, 0x27, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x04, 0x03, 0x02, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, + 0x04, 0x46, 0x46, 0x46, 0x32, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x35, 0x32, 0x38, 0x31, + 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x32, 0x30, 0x36, 0x32, 0x37, 0x31, 0x34, + 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, + 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, + 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, + 0x00, 0x04, 0x23, 0x62, 0xd9, 0x13, 0x5b, 0xb1, 0x3b, 0xc3, 0x6e, 0xa6, 0x36, 0x7d, 0x4b, 0x4c, + 0xb3, 0x7f, 0xf7, 0x72, 0x19, 0xa7, 0xfc, 0x60, 0x3a, 0xb0, 0x06, 0x3f, 0xdc, 0x9e, 0xff, 0xc6, + 0xcf, 0x0b, 0x5e, 0xba, 0x13, 0x20, 0xa6, 0x6e, 0xf4, 0xe3, 0x48, 0x1b, 0xca, 0xbb, 0xe1, 0xcc, + 0x52, 0x55, 0x26, 0xb7, 0x6a, 0xfb, 0xf5, 0xb9, 0x1b, 0xf5, 0x2c, 0x33, 0x86, 0x0d, 0xc6, 0x5f, + 0x10, 0x39, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x02, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7f, 0x1d, 
0xaa, 0xf2, 0x44, 0x98, 0xb9, 0x86, 0x68, 0x0e, 0xa0, + 0x8f, 0xc1, 0x89, 0x21, 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x7f, 0x1d, 0xaa, 0xf2, 0x44, 0x98, 0xb9, 0x86, 0x68, 0x0e, + 0xa0, 0x8f, 0xc1, 0x89, 0x21, 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x6c, 0x13, 0x8c, + 0xe5, 0x70, 0xf3, 0xac, 0x0d, 0x5c, 0x58, 0xe4, 0xc7, 0x8a, 0x04, 0x78, 0x82, 0x8f, 0x7a, 0x6a, + 0x8b, 0x38, 0xf9, 0x6d, 0x69, 0x03, 0xc2, 0x2b, 0x96, 0x3d, 0x8b, 0xc5, 0x17, 0x02, 0x21, 0x00, + 0xe3, 0x7b, 0x7f, 0xb6, 0x1a, 0xfc, 0xfb, 0x51, 0x6f, 0x6b, 0x46, 0x47, 0xfc, 0xa7, 0xf4, 0x86, + 0x35, 0xb2, 0xac, 0xb8, 0xb8, 0x8d, 0x9b, 0xc2, 0x39, 0x89, 0xd7, 0x2d, 0x42, 0x0d, 0xde, 0x6b, +}; diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index 4ad79d22463f5a..5d019d15372eb7 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -1243,8 +1243,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } @@ -1258,7 +1258,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) 
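Review bot: Each vector is documented only by its PEM, so a reader has to decode the DER to see what it exercises. Add a one-line comment above each array stating the basicConstraints content and the expected verdict, e.g. `// PAA, cA=TRUE, no pathLenConstraint: must be accepted` for `kPaaWithNoPathlen`. The file comment says the certificates were constructed rather than auto-generated but not how (tool, signing key), which leaves no way to regenerate or extend them.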
diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index 771e2638a8a176..12607da09f53e5 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp @@ -1213,8 +1213,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } @@ -1228,7 +1228,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index 192f691b497cfe..ad59ab915c1ef4 100644 --- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -1244,8 +1244,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } 
@@ -1259,7 +1259,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index 300348ef311e5a..92ace3115962c8 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp @@ -1546,8 +1546,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (p != seqStart + len) { + // Failure to read will leave pathLen == -1 result = mbedtls_asn1_get_int(&p, end, &pathLen); - VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } @@ -1561,7 +1561,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation } else { - VerifyOrExit(isCA && (pathLen == -1 || pathLen == 0 || pathLen == 1), error = CHIP_ERROR_INTERNAL); + // For PAA, pathlen must be absent or equal to 1 (see Matter 1.1 spec 6.2.2.5) + VerifyOrExit(isCA && (pathLen == -1 || pathLen == 1), error = CHIP_ERROR_INTERNAL); } } else if (OID_CMP(sOID_Extension_KeyUsage, extOID)) From 9b30bf6482c0538f27351394c9789ccdc1d698f5 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Tue, 13 Jun 2023 02:25:31 +0000 Subject: [PATCH 2/6] Restyled by clang-format --- src/crypto/tests/CHIPCryptoPALTest.cpp | 3 +- .../tests/DacValidationExplicitVectors.h | 201 ++++++++---------- 2 files changed, 90 insertions(+), 114 deletions(-) diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp index 4b8d0bff4ac2f8..3ceda243d2347d 100644 --- a/src/crypto/tests/CHIPCryptoPALTest.cpp 
+++ b/src/crypto/tests/CHIPCryptoPALTest.cpp @@ -1972,7 +1972,8 @@ static void TestX509_VerifyAttestationCertificateFormat(nlTestSuite * inSuite, v CHIP_ERROR err = VerifyAttestationCertificateFormat(cert, testCase.type); if (err != testCase.expectedError) { - ChipLogError(Crypto, "Failed TestX509_VerifyAttestationCertificateFormat sub-case %d, err: %" CHIP_ERROR_FORMAT, case_idx, err.Format()); + ChipLogError(Crypto, "Failed TestX509_VerifyAttestationCertificateFormat sub-case %d, err: %" CHIP_ERROR_FORMAT, + case_idx, err.Format()); } NL_TEST_ASSERT(inSuite, err == testCase.expectedError); ++case_idx; diff --git a/src/crypto/tests/DacValidationExplicitVectors.h b/src/crypto/tests/DacValidationExplicitVectors.h index 1e6daeaddd682c..ea1dc6d0584520 100644 --- a/src/crypto/tests/DacValidationExplicitVectors.h +++ b/src/crypto/tests/DacValidationExplicitVectors.h 
@@ -38,35 +38,28 @@ IEohtRvlb6URoKv1v3jwfzATeqLNY2eLKBmQjUN8 */ const uint8_t kPaaWithNoPathlen[462] = { - 0x30, 0x82, 0x01, 0xca, 0x30, 0x82, 0x01, 0x70, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00, - 0xb9, 0x83, 0x44, 0x93, 0xb5, 0xbe, 0xfd, 0xf5, 0xc1, 0xca, 0x98, 0x8c, 0x96, 0x29, 0xc5, 0x94, - 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x33, 0x31, 0x1b, - 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x51, 0x69, 0x61, 0x6e, 0x79, 0x61, 0x6e, - 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, - 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, - 0x37, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x33, 0x31, 0x34, 0x30, 0x38, 0x32, 0x32, 0x34, - 0x34, 0x5a, 0x18, 0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, - 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, - 0x51, 0x69, 0x61, 0x6e, 0x79, 0x61, 0x6e, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, - 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, - 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, 0x37, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, - 0x42, 0x00, 0x04, 0x05, 0x7d, 0xf7, 0xdb, 0xa8, 0xae, 0xc7, 0x26, 0x97, 0x43, 0x7d, 0x3a, 0x5b, - 0xa5, 0x5a, 0xeb, 0xdb, 0xfb, 0xa7, 0x74, 0xea, 0xfb, 0x23, 0x9a, 0x9c, 0x0a, 0x3d, 0x07, 0x79, - 0x9a, 0x96, 0x9a, 0xcb, 0x2e, 0x1f, 0xe8, 0xe0, 0xdd, 0x6f, 0x27, 0x27, 0x36, 0x11, 0xd4, 0x66, - 0xac, 0x4f, 0xe2, 0x34, 0x0b, 0xf0, 0x22, 0xe4, 0xe7, 0x4f, 0x73, 0x94, 0x90, 0xb2, 0x4e, 0xf5, - 0xf8, 0x7f, 0x5e, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, - 0x16, 0x04, 0x14, 0x30, 0xa7, 
0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, 0x82, 0x7f, 0x77, 0x6e, 0x32, - 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, - 0x30, 0x16, 0x80, 0x14, 0x30, 0xa7, 0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, 0x82, 0x7f, 0x77, 0x6e, - 0x32, 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, - 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x68, 0xea, 0x40, 0x64, 0xd7, - 0x07, 0x09, 0x8c, 0x7e, 0x17, 0x61, 0xa4, 0x7a, 0x70, 0xf3, 0xab, 0x08, 0xe5, 0xe6, 0x6d, 0x33, - 0xe4, 0xdb, 0x41, 0x33, 0x7e, 0x86, 0x8b, 0xad, 0x75, 0xed, 0xae, 0x02, 0x21, 0x00, 0xd9, 0xa1, - 0x20, 0x4a, 0x21, 0xb5, 0x1b, 0xe5, 0x6f, 0xa5, 0x11, 0xa0, 0xab, 0xf5, 0xbf, 0x78, 0xf0, 0x7f, - 0x30, 0x13, 0x7a, 0xa2, 0xcd, 0x63, 0x67, 0x8b, 0x28, 0x19, 0x90, 0x8d, 0x43, 0x7c, + 0x30, 0x82, 0x01, 0xca, 0x30, 0x82, 0x01, 0x70, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00, 0xb9, 0x83, 0x44, 0x93, 0xb5, + 0xbe, 0xfd, 0xf5, 0xc1, 0xca, 0x98, 0x8c, 0x96, 0x29, 0xc5, 0x94, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, + 0x03, 0x02, 0x30, 0x33, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x51, 0x69, 0x61, 0x6e, 0x79, 0x61, + 0x6e, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, 0x37, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x33, + 0x31, 0x34, 0x30, 0x38, 0x32, 0x32, 0x34, 0x34, 0x5a, 0x18, 0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, + 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x51, 0x69, 0x61, + 0x6e, 0x79, 0x61, 0x6e, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x50, 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 
0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x31, 0x33, 0x38, 0x37, 0x30, 0x59, 0x30, 0x13, 0x06, + 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0x05, 0x7d, 0xf7, 0xdb, 0xa8, 0xae, 0xc7, 0x26, 0x97, 0x43, 0x7d, 0x3a, 0x5b, 0xa5, 0x5a, 0xeb, 0xdb, 0xfb, 0xa7, 0x74, + 0xea, 0xfb, 0x23, 0x9a, 0x9c, 0x0a, 0x3d, 0x07, 0x79, 0x9a, 0x96, 0x9a, 0xcb, 0x2e, 0x1f, 0xe8, 0xe0, 0xdd, 0x6f, 0x27, 0x27, + 0x36, 0x11, 0xd4, 0x66, 0xac, 0x4f, 0xe2, 0x34, 0x0b, 0xf0, 0x22, 0xe4, 0xe7, 0x4f, 0x73, 0x94, 0x90, 0xb2, 0x4e, 0xf5, 0xf8, + 0x7f, 0x5e, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x30, 0xa7, 0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, + 0x82, 0x7f, 0x77, 0x6e, 0x32, 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, + 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x30, + 0xa7, 0xfc, 0x6c, 0xd6, 0xfa, 0x5a, 0xcb, 0x82, 0x7f, 0x77, 0x6e, 0x32, 0x62, 0x07, 0x6b, 0xb8, 0x11, 0xe4, 0x29, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x68, 0xea, 0x40, 0x64, + 0xd7, 0x07, 0x09, 0x8c, 0x7e, 0x17, 0x61, 0xa4, 0x7a, 0x70, 0xf3, 0xab, 0x08, 0xe5, 0xe6, 0x6d, 0x33, 0xe4, 0xdb, 0x41, 0x33, + 0x7e, 0x86, 0x8b, 0xad, 0x75, 0xed, 0xae, 0x02, 0x21, 0x00, 0xd9, 0xa1, 0x20, 0x4a, 0x21, 0xb5, 0x1b, 0xe5, 0x6f, 0xa5, 0x11, + 0xa0, 0xab, 0xf5, 0xbf, 0x78, 0xf0, 0x7f, 0x30, 0x13, 0x7a, 0xa2, 0xcd, 0x63, 0x67, 0x8b, 0x28, 0x19, 0x90, 0x8d, 0x43, 0x7c, }; /* 
@@ -84,34 +77,28 @@ qLypxnhGVlL2gQnf -----END CERTIFICATE----- */ const uint8_t kPaiPathLenMissing[444] = { - 0x30, 0x82, 0x01, 0xb8, 0x30, 0x82, 0x01, 0x5f, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, - 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, - 0x17, 0x0d, 0x33, 0x33, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, - 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, - 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, - 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, - 0x32, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, - 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, - 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, - 0x27, 0x01, 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, - 0x8a, 0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, - 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, 0x32, 0x63, 0x2f, 0xbd, - 0x88, 0x5f, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0xda, 0xd4, 
0x67, 0x6f, 0x50, 0x6d, 0x45, 0x43, 0xdb, 0x94, 0x76, 0xd6, 0x18, 0x69, - 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, - 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, 0x93, 0xaa, 0x60, - 0xcb, 0x43, 0xea, 0x69, 0x68, 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x62, 0xb7, 0x97, 0x73, 0x53, 0x72, - 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, 0xe5, 0x99, 0x21, 0x65, - 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, 0xfc, 0x88, 0x81, - 0xac, 0x85, 0xd7, 0x9d, 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, 0x7a, 0xf7, 0x0e, - 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, 0x56, 0x52, 0xf6, 0x81, 0x09, 0xdf, + 0x30, 0x82, 0x01, 0xb8, 0x30, 0x82, 0x01, 0x5f, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, + 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, + 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x33, + 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x32, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, + 0x07, 0x03, 
0x42, 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, 0x27, 0x01, + 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, 0x8a, 0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, + 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, + 0x32, 0x63, 0x2f, 0xbd, 0x88, 0x5f, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, + 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xda, 0xd4, 0x67, 0x6f, 0x50, 0x6d, 0x45, 0x43, 0xdb, + 0x94, 0x76, 0xd6, 0x18, 0x69, 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, 0x93, 0xaa, 0x60, 0xcb, 0x43, 0xea, 0x69, 0x68, + 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, + 0x62, 0xb7, 0x97, 0x73, 0x53, 0x72, 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, 0xe5, 0x99, 0x21, + 0x65, 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, 0xfc, 0x88, 0x81, 0xac, 0x85, 0xd7, 0x9d, + 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, 0x7a, 0xf7, 0x0e, 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, 0x56, 0x52, 0xf6, + 0x81, 0x09, 0xdf, }; /* 
@@ -129,34 +116,28 @@ evcOqLypxnhGVlL2gQnf -----END CERTIFICATE----- */ const uint8_t kPaiPathLen1[447] = { - 0x30, 0x82, 0x01, 0xbb, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, - 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, - 0x17, 0x0d, 0x33, 0x33, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, - 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, - 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, - 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, - 0x32, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, - 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, - 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, - 0x27, 0x01, 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, - 0x8a, 0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, - 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, 0x32, 0x63, 0x2f, 0xbd, - 0x88, 0x5f, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 
0x14, 0xda, 0xd4, 0x67, 0x6f, 0x50, 0x6d, 0x45, 0x43, 0xdb, 0x94, 0x76, - 0xd6, 0x18, 0x69, 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, - 0x93, 0xaa, 0x60, 0xcb, 0x43, 0xea, 0x69, 0x68, 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x62, 0xb7, 0x97, - 0x73, 0x53, 0x72, 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, 0xe5, - 0x99, 0x21, 0x65, 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, - 0xfc, 0x88, 0x81, 0xac, 0x85, 0xd7, 0x9d, 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, - 0x7a, 0xf7, 0x0e, 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, 0x56, 0x52, 0xf6, 0x81, 0x09, 0xdf, + 0x30, 0x82, 0x01, 0xbb, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x12, 0x5d, 0xe4, 0xfb, 0x2c, 0xe4, + 0x42, 0xea, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, + 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x33, + 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x32, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x02, 0x0c, 0x04, 0x38, 0x30, 0x30, 0x35, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 
0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0x2c, 0xa3, 0x72, 0x51, 0x49, 0x16, 0xda, 0x99, 0x4b, 0x95, 0x93, 0x80, 0xb6, 0x6b, 0x27, 0x01, + 0xf4, 0xcf, 0x38, 0x08, 0xf3, 0x93, 0xf7, 0x16, 0xb1, 0x23, 0x89, 0xc2, 0xf9, 0x5a, 0x8a, 0xf2, 0xf4, 0x93, 0x26, 0x2a, 0x65, + 0xa0, 0xa3, 0xeb, 0xf8, 0x1b, 0xe0, 0x6a, 0x71, 0x07, 0x32, 0xa0, 0xaa, 0xa0, 0x2f, 0xf5, 0x28, 0xef, 0x95, 0x8b, 0xfd, 0x20, + 0x32, 0x63, 0x2f, 0xbd, 0x88, 0x5f, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, + 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, + 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xda, 0xd4, 0x67, 0x6f, 0x50, 0x6d, + 0x45, 0x43, 0xdb, 0x94, 0x76, 0xd6, 0x18, 0x69, 0x1c, 0x67, 0x49, 0x72, 0x8d, 0x08, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x78, 0x5c, 0xe7, 0x05, 0xb8, 0x6b, 0x8f, 0x4e, 0x6f, 0xc7, 0x93, 0xaa, 0x60, 0xcb, 0x43, + 0xea, 0x69, 0x68, 0x82, 0xd5, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, + 0x44, 0x02, 0x20, 0x62, 0xb7, 0x97, 0x73, 0x53, 0x72, 0xfb, 0x91, 0xd9, 0x45, 0x2c, 0x6a, 0x4f, 0x88, 0x0f, 0x54, 0xfe, 0x73, + 0xe5, 0x99, 0x21, 0x65, 0x75, 0x12, 0x61, 0x6e, 0xc6, 0x1d, 0xaa, 0xac, 0xf1, 0x50, 0x02, 0x20, 0x3f, 0xfc, 0x88, 0x81, 0xac, + 0x85, 0xd7, 0x9d, 0x72, 0x30, 0x1b, 0x23, 0xab, 0x10, 0x3b, 0xe0, 0x2d, 0x7a, 0xf7, 0x0e, 0xa8, 0xbc, 0xa9, 0xc6, 0x78, 0x46, + 0x56, 0x52, 0xf6, 0x81, 0x09, 0xdf, }; /* 
@@ -174,32 +155,26 @@ NbKsuLiNm8I5idctQg3eaw== -----END CERTIFICATE----- */ const uint8_t kPaaPathLen2[448] = { - 0x30, 0x82, 0x01, 0xbc, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x51, - 0x4d, 0xf5, 0x4f, 0x81, 0x7f, 0x6f, 0x27, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x04, 0x03, 0x02, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x31, - 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, - 0x04, 0x46, 0x46, 0x46, 0x32, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x35, 0x32, 0x38, 0x31, - 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x32, 0x30, 0x36, 0x32, 0x37, 0x31, 0x34, - 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, - 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, - 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, - 0x00, 0x04, 0x23, 0x62, 0xd9, 0x13, 0x5b, 0xb1, 0x3b, 0xc3, 0x6e, 0xa6, 0x36, 0x7d, 0x4b, 0x4c, - 0xb3, 0x7f, 0xf7, 0x72, 0x19, 0xa7, 0xfc, 0x60, 0x3a, 0xb0, 0x06, 0x3f, 0xdc, 0x9e, 0xff, 0xc6, - 0xcf, 0x0b, 0x5e, 0xba, 0x13, 0x20, 0xa6, 0x6e, 0xf4, 0xe3, 0x48, 0x1b, 0xca, 0xbb, 0xe1, 0xcc, - 0x52, 0x55, 0x26, 0xb7, 0x6a, 0xfb, 0xf5, 0xb9, 0x1b, 0xf5, 0x2c, 0x33, 0x86, 0x0d, 0xc6, 0x5f, - 0x10, 0x39, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x02, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 
0x14, 0x7f, 0x1d, 0xaa, 0xf2, 0x44, 0x98, 0xb9, 0x86, 0x68, 0x0e, 0xa0, - 0x8f, 0xc1, 0x89, 0x21, 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x7f, 0x1d, 0xaa, 0xf2, 0x44, 0x98, 0xb9, 0x86, 0x68, 0x0e, - 0xa0, 0x8f, 0xc1, 0x89, 0x21, 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x6c, 0x13, 0x8c, - 0xe5, 0x70, 0xf3, 0xac, 0x0d, 0x5c, 0x58, 0xe4, 0xc7, 0x8a, 0x04, 0x78, 0x82, 0x8f, 0x7a, 0x6a, - 0x8b, 0x38, 0xf9, 0x6d, 0x69, 0x03, 0xc2, 0x2b, 0x96, 0x3d, 0x8b, 0xc5, 0x17, 0x02, 0x21, 0x00, - 0xe3, 0x7b, 0x7f, 0xb6, 0x1a, 0xfc, 0xfb, 0x51, 0x6f, 0x6b, 0x46, 0x47, 0xfc, 0xa7, 0xf4, 0x86, - 0x35, 0xb2, 0xac, 0xb8, 0xb8, 0x8d, 0x9b, 0xc2, 0x39, 0x89, 0xd7, 0x2d, 0x42, 0x0d, 0xde, 0x6b, + 0x30, 0x82, 0x01, 0xbc, 0x30, 0x82, 0x01, 0x62, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x51, 0x4d, 0xf5, 0x4f, 0x81, 0x7f, + 0x6f, 0x27, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, + 0x32, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x35, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x33, + 0x32, 0x30, 0x36, 0x32, 0x37, 0x31, 0x34, 0x32, 0x33, 0x34, 0x32, 0x5a, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x32, 0x30, + 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 
0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0x23, 0x62, 0xd9, 0x13, 0x5b, 0xb1, 0x3b, 0xc3, 0x6e, 0xa6, 0x36, 0x7d, 0x4b, 0x4c, 0xb3, 0x7f, + 0xf7, 0x72, 0x19, 0xa7, 0xfc, 0x60, 0x3a, 0xb0, 0x06, 0x3f, 0xdc, 0x9e, 0xff, 0xc6, 0xcf, 0x0b, 0x5e, 0xba, 0x13, 0x20, 0xa6, + 0x6e, 0xf4, 0xe3, 0x48, 0x1b, 0xca, 0xbb, 0xe1, 0xcc, 0x52, 0x55, 0x26, 0xb7, 0x6a, 0xfb, 0xf5, 0xb9, 0x1b, 0xf5, 0x2c, 0x33, + 0x86, 0x0d, 0xc6, 0x5f, 0x10, 0x39, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, + 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x02, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, + 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7f, 0x1d, 0xaa, 0xf2, 0x44, 0x98, + 0xb9, 0x86, 0x68, 0x0e, 0xa0, 0x8f, 0xc1, 0x89, 0x21, 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x7f, 0x1d, 0xaa, 0xf2, 0x44, 0x98, 0xb9, 0x86, 0x68, 0x0e, 0xa0, 0x8f, 0xc1, 0x89, 0x21, + 0xe8, 0x48, 0x48, 0x9d, 0x17, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x6c, 0x13, 0x8c, 0xe5, 0x70, 0xf3, 0xac, 0x0d, 0x5c, 0x58, 0xe4, 0xc7, 0x8a, 0x04, 0x78, 0x82, 0x8f, 0x7a, + 0x6a, 0x8b, 0x38, 0xf9, 0x6d, 0x69, 0x03, 0xc2, 0x2b, 0x96, 0x3d, 0x8b, 0xc5, 0x17, 0x02, 0x21, 0x00, 0xe3, 0x7b, 0x7f, 0xb6, + 0x1a, 0xfc, 0xfb, 0x51, 0x6f, 0x6b, 0x46, 0x47, 0xfc, 0xa7, 0xf4, 0x86, 0x35, 0xb2, 0xac, 0xb8, 0xb8, 0x8d, 0x9b, 0xc2, 0x39, + 0x89, 0xd7, 0x2d, 0x42, 0x0d, 0xde, 0x6b, }; From c34d4e716217823b3b120677eea135bd8b3c3eab Mon Sep 17 00:00:00 2001 
From: "tennessee.carmelveilleux@gmail.com" Date: Tue, 13 Jun 2023 11:09:38 -0400 Subject: [PATCH 3/6] Address review comments --- src/crypto/CHIPCryptoPALPSA.cpp | 7 +++++-- src/crypto/CHIPCryptoPALmbedTLS.cpp | 7 +++++-- src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp | 7 +++++-- .../k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 7 +++++-- src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 7 +++++-- src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 7 +++++-- 6 files changed, 30 insertions(+), 12 deletions(-) diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index 8d5d643c004e27..99e5ddc4a45cc1 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -1309,10 +1309,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 8529a6ddfffbdd..591d013a29748e 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp 
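Review bot: `seqStart + len` in the new `hasPathLen` test does not appear to be the end of the BasicConstraints SEQUENCE at this commit: the PATCH 5/6 hunks further down this page show `seqStart` still declared next to `int pathLen = -1;`, before the read that fills `len`. If that read consumes the SEQUENCE header (it sits outside the hunk, so this is inferred), `hasPathLen` is true even when pathLen is absent, and the restored `VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);` then rejects the PAA form this series is meant to accept. The `p <= (seqStart + len)` variant in PATCH 4/6 keeps the same dependency on the header size instead of removing it. Capturing the pointer after the header is consumed, `unsigned char * seqStart = p;` as the first statement inside `if (len > 0)`, makes the `!=` test exact; the same applies to the mbedTLS, NXP TinyCrypt, K32W0, SiWx917 and EFR32 copies of this hunk. The body of VerifyAttestationCertificateFormat starts and ends outside the hunk.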
@@ -1400,10 +1400,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index 5d019d15372eb7..e2e71cac863494 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -1241,10 +1241,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index 12607da09f53e5..201ff84dd85b37 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp 
@@ -1211,10 +1211,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index ad59ab915c1ef4..b1328381af8989 100644 --- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -1242,10 +1242,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index 92ace3115962c8..dfc6e23dd006ec 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp 
@@ -1544,10 +1544,13 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - if (p != seqStart + len) + // Missing pathLen optional tag will leave pathLen == -1. + bool hasPathLen = (p != (seqStart + len)); + if (hasPathLen) { - // Failure to read will leave pathLen == -1 + // Extract pathLen value, making sure it's a valid format. result = mbedtls_asn1_get_int(&p, end, &pathLen); + VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); } } From 173e349beaf6b529d8a49b4a021ff37ba8dded47 Mon Sep 17 00:00:00 2001 From: "tennessee.carmelveilleux@gmail.com" Date: Tue, 13 Jun 2023 15:52:41 -0400 Subject: [PATCH 4/6] Address review comments --- src/crypto/CHIPCryptoPALPSA.cpp | 2 +- src/crypto/CHIPCryptoPALmbedTLS.cpp | 2 +- src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp | 2 +- .../nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 2 +- src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 2 +- src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index 99e5ddc4a45cc1..bdd123c0a8eea8 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -1310,7 +1310,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 591d013a29748e..9a846319383869 100644 
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1401,7 +1401,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index e2e71cac863494..5061eb7cde44fa 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -1242,7 +1242,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index 201ff84dd85b37..9346f2c4ac5931 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp 
@@ -1212,7 +1212,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index b1328381af8989..557be6b0497061 100644 --- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -1243,7 +1243,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index dfc6e23dd006ec..501ba07563abf7 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp @@ -1545,7 +1545,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p != (seqStart + len)); + bool hasPathLen = (p <= (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. From 325ff8cdeb72fea15a35922932910ab945823121 Mon Sep 17 00:00:00 2001 
From: "tennessee.carmelveilleux@gmail.com" Date: Wed, 14 Jun 2023 11:54:47 -0400 Subject: [PATCH 5/6] Improve logic with help from @bzbarsky-apple --- src/crypto/CHIPCryptoPALPSA.cpp | 8 +++++--- src/crypto/CHIPCryptoPALmbedTLS.cpp | 8 +++++--- src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp | 8 +++++--- .../k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 8 +++++--- src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 8 +++++--- src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 8 +++++--- 6 files changed, 30 insertions(+), 18 deletions(-) diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index bdd123c0a8eea8..e368800e06684a 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -1297,7 +1297,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1306,11 +1305,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 9a846319383869..865876729a6631 100644 
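Review bot: The BasicConstraints parse is not confined to its SEQUENCE: `mbedtls_asn1_get_bool(&p, end, &isCA)` is bounded by `end`, as is the `mbedtls_asn1_get_int` call just below the hunk (visible in PATCH 3/6), and nothing shown checks that the cursor finishes at `seqStart + len`. If `end` marks the end of the extension value or of the certificate (it is defined outside the hunk), a SEQUENCE carrying extra bytes after pathLen would still pass this format check. Using `seqStart + len` as the bound for both reads and adding `VerifyOrExit(p == seqStart + len, error = CHIP_ERROR_INTERNAL);` after the pathLen read would make the check strict. The added comment also has a doubled word across its first two lines ("the end of" / "of the internal SEQUENCE"). The same points apply to the mbedTLS, NXP TinyCrypt, K32W0, SiWx917 and EFR32 copies, and the enclosing block continues past the hunk's last line.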
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1388,7 +1388,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1397,11 +1396,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index 5061eb7cde44fa..42bf923cd267a4 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -1229,7 +1229,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; 
@@ -1238,11 +1237,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index 9346f2c4ac5931..9a177b30fae20c 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp @@ -1199,7 +1199,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; 
@@ -1208,11 +1207,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index 557be6b0497061..8d0b987143f641 100644 --- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -1230,7 +1230,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; 
@@ -1239,11 +1238,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index 501ba07563abf7..13c29a4b671dde 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp @@ -1532,7 +1532,6 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation { int isCA = 0; int pathLen = -1; - unsigned char * seqStart = p; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; 
@@ -1541,11 +1540,14 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL); if (len > 0) { + unsigned char * seqStart = p; result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); - // Missing pathLen optional tag will leave pathLen == -1. - bool hasPathLen = (p <= (seqStart + len)); + // Check if pathLen is there by validating if the cursor didn't get to the end of + // of the internal SEQUENCE for the basic constraints encapsulation. + // Missing pathLen optional tag will leave pathLen == -1 for following checks. + bool hasPathLen = (p != (seqStart + len)); if (hasPathLen) { // Extract pathLen value, making sure it's a valid format. From 06858113b5d8b175a18851bcd57a9ce9f6ed6195 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Wed, 14 Jun 2023 15:56:07 +0000 Subject: [PATCH 6/6] Restyled by clang-format --- src/crypto/CHIPCryptoPALPSA.cpp | 6 +++--- src/crypto/CHIPCryptoPALmbedTLS.cpp | 6 +++--- src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp | 6 +++--- .../nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp | 6 +++--- src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 6 +++--- src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp | 6 +++--- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index e368800e06684a..e8d4b75c9221b1 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -1295,8 +1295,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; 
@@ -1306,7 +1306,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index 865876729a6631..92ec3048fe8de6 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -1386,8 +1386,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1397,7 +1397,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index 42bf923cd267a4..e5fedf2d7f994d 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp 
@@ -1227,8 +1227,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1238,7 +1238,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index 9a177b30fae20c..93c286c0edaa9f 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp @@ -1197,8 +1197,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1208,7 +1208,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index 8d0b987143f641..321aaac5363d19 100644 
--- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -1228,8 +1228,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1239,7 +1239,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index 13c29a4b671dde..63a7a17308ab13 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp @@ -1530,8 +1530,8 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (OID_CMP(sOID_Extension_BasicConstraints, extOID)) { - int isCA = 0; - int pathLen = -1; + int isCA = 0; + int pathLen = -1; VerifyOrExit(extCritical, error = CHIP_ERROR_INTERNAL); extBasicPresent = true; @@ -1541,7 +1541,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation if (len > 0) { unsigned char * seqStart = p; - result = mbedtls_asn1_get_bool(&p, end, &isCA); + result = mbedtls_asn1_get_bool(&p, end, &isCA); VerifyOrExit(result == 0 || result == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG, error = CHIP_ERROR_INTERNAL); // Check if pathLen is there by validating if the cursor didn't get to the end of