Added PathLength Constraint Support to chip-cert Tool. (#8802)
-- Added optional path-length support for the Operational Root and ICA certs.
-- Added mandatory path-length constraint for PAA and PAI attestation certs.
-- Updated some test Operational Root and ICA certs to include path-length constraint.
-- Updated test PAA and PAI certs to include path-length constraint.
diff --git a/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.der b/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.der
index 525e312..e9e702c 100644
--- a/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.pem b/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.pem
index 9019cbe..585b9e1 100644
--- a/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAA-FFF1-Cert.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBmTCCAT+gAwIBAgIIaDhPq7kZ/N8wCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBnTCCAUKgAwIBAgIIPkgLCCqFJx8wCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjEwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMB8xHTAbBgNVBAMMFE1hdHRlciBUZXN0IFBBQSBGRkYxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEG5isW7wR3GoXVaBbCsXha6AsRu5vwrvnb/fPbKeq
-Tp/R15jcvvtP6uIl03c8kTSMwm1JMTHjCWMtXp7zHRLek6NjMGEwDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFO8Y4OzUZgQ03w28kR7U
-UhaZZoOfMB8GA1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49
-BAMCA0gAMEUCIQCn+l+nZv/3tf0VjNNPYl1IkSAOBYUO8SX23udWVPmXNgIgI7Ub
-bkJTKCjbCZIDNwUNcPC2tyzNPLeB5nGsIl31Rys=
+Tp/R15jcvvtP6uIl03c8kTSMwm1JMTHjCWMtXp7zHRLek6NmMGQwEgYDVR0TAQH/
+BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFO8Y4OzUZgQ03w28
+kR7UUhaZZoOfMB8GA1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqG
+SM49BAMCA0kAMEYCIQDHQclgaMyReHFBbWrBPNiduu+Y+umYSwdnYoLTA7ksBgIh
+AKnXTWyUsSlCjlMtA1NSh6ay249U8Jy0xzHWv0PLW8pC
-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.der b/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.der
index 0dcfed5..50834d1 100644
--- a/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.pem b/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.pem
index 3d33058..71bf45e 100644
--- a/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAA-FFF2-Cert.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBmDCCAT+gAwIBAgIIabTWq+iZPl0wCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBnTCCAUKgAwIBAgIIA5KnZVo+bHcwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjIwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMB8xHTAbBgNVBAMMFE1hdHRlciBUZXN0IFBBQSBGRkYyMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEdW4YkvnpULAOlQqilfM1sEhLh20i4m+WZZLKweUQ
-1f6Zsx1cmIgWeorWUDd+dRD7dYI8fluYuMAG7F8Gz66FSqNjMGEwDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOfv6sMzXF/Qw+Y0Up8W
-cEbEvKVcMB8GA1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqGSM49
-BAMCA0cAMEQCIGq8jf1kG2hXC38ut2/BhpFh2BeMh8VQcrUzG/E+dDVcAiBysDJW
-TQIA/ursIC1aKt0Tr0daZxQo10z6Z5flgbQKUA==
+1f6Zsx1cmIgWeorWUDd+dRD7dYI8fluYuMAG7F8Gz66FSqNmMGQwEgYDVR0TAQH/
+BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOfv6sMzXF/Qw+Y0
+Up8WcEbEvKVcMB8GA1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqG
+SM49BAMCA0kAMEYCIQCSUQ0dYCFfARvaLqeV/ssklO+QppeHrQr8IGxhjAnMUgIh
+AKA2sK+D40VcCTi5S/9HdRlyuNy+cZyfYbVW7LTqF8xX
-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.der b/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.der
index c4393a0..b20a273 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem b/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem
index 8b6ae5e..0397170 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBvzCCAWagAwIBAgIIfpkqTYmEBRUwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBxDCCAWmgAwIBAgIIBXAmqJAFs6UwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjEwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8
AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4MDAwMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAEynPORkG/CDtKM42gQxoKMjB/ZtFgV0tmEi8lBs9q03Djf2XWNHrn
-l6GXJlBQl200rHtjezvaC1vYQ+2OXV6b8qNjMGEwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIT1Hf+ezNopNZRIUg6F8Skto+3XMB8G
-A1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49BAMCA0cAMEQC
-IFlGfLWq/BpStUOJbdI73kXQgGxTpzec5xLkqAqtZ6taAiA/mv80v+8mVtOb+tF2
-WCRrNllsMubAajV+yukQb3k0dQ==
+l6GXJlBQl200rHtjezvaC1vYQ+2OXV6b8qNmMGQwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIT1Hf+ezNopNZRIUg6F8Skto+3X
+MB8GA1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49BAMCA0kA
+MEYCIQCZOYY4qq/OMNuma0XvCumxHeticRSrWCzbghtPf/+52AIhALMhsOr2dfqj
+LAR0nHmPYGs7IsEmZd/UE/nWxCSo/868
-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.der b/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.der
index 2b8719e..196e8fd 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.pem b/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.pem
index 0fa4d88..d6f1c89 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF1-8001-Cert.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBwDCCAWagAwIBAgIIOfa+AYgJN3gwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBwzCCAWmgAwIBAgIITSplyxPvQE0wCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjEwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8
AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4MDAxMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE63okUnxFcFGPmgZLDvKIBFt0V9AMgpKGYTLXvvkYxovjGrSDfa1n
-hmDdxJaJVVQGBhOz9jKIaxOj1sp+68PMs6NjMGEwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJlJAzbtRDWhtz2JXcPWyRaxdE40MB8G
-A1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49BAMCA0gAMEUC
-IQD1Vgrcf09s7NwDcFje6LOHQVDPrC4VkNSDMVZBJ5H6wQIgVo8JuexQ4KwZc7z9
-8h/g4QHlLBv2T0U++woATn6biTs=
+hmDdxJaJVVQGBhOz9jKIaxOj1sp+68PMs6NmMGQwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJlJAzbtRDWhtz2JXcPWyRaxdE40
+MB8GA1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49BAMCA0gA
+MEUCIQCbz5xONSJDdLLgWIbER5/Zd3thISF9ElaGubVPHSHFtAIgbHoTzwcuFCNS
+Ksb6CjhujsZxa8AdTZlaAbBAcAMMH3M=
-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.der b/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.der
index 63116d4..adeac29 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.pem b/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.pem
index 3a9f6ed..a1f76ef 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF2-8000-Cert.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBvzCCAWagAwIBAgIINH+acwAlToMwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBxDCCAWmgAwIBAgIICDRqlhDWSBAwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjIwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8
AgEMBEZGRjIxFDASBgorBgEEAYKifAICDAQ4MDAwMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE9WxJasCpj9Yqwmqkvju6KOAwD+jC5NeLMbz8aDYbVBTzZdkkabYH
-LcOt8Kgqop8jKMHE/htCZeQfH5lDLl9JIqNjMGEwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFpwXHDpF99K1qV3cHUT/2I5KEm7MB8G
-A1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqGSM49BAMCA0cAMEQC
-IClLpYmn/TUFvGnjZZcSpawyTUptd+wYKtzEZG2880pfAiBci4uQHo2uQcAykAVo
-XqUDF5Fsmkrn8Ah8l+zQaAH39Q==
+LcOt8Kgqop8jKMHE/htCZeQfH5lDLl9JIqNmMGQwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFpwXHDpF99K1qV3cHUT/2I5KEm7
+MB8GA1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqGSM49BAMCA0kA
+MEYCIQCVvpUUWjSa35AwLgbOfz/gNUdvDh71pnRjQCFvyRO9CAIhAOgPn0LXTWkI
+hmOGy9fbpwiqEIKwVtXxnRtobpD58wcP
-----END CERTIFICATE-----
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.der b/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.der
index c423361..419f7d5 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.der
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.der
Binary files differ
diff --git a/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem b/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem
index f911460..603acb9 100644
--- a/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem
+++ b/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBwDCCAWagAwIBAgIIRL5f86dv2S8wCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+MIIBwzCCAWmgAwIBAgIIDaowBF5HxwQwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
TWF0dGVyIFRlc3QgUEFBIEZGRjIwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
MzU5NTlaMEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8
AgEMBEZGRjIxFDASBgorBgEEAYKifAICDAQ4MDAxMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAEzvfsK0V8nY3MrY/1qEyGU86yHAsNrouPx/VKH3v0ilsAmtgFH7Hj
-nKRhfnAC3BhtyZBWF/l7ye1fnudEwnK/06NjMGEwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFO2mD++9Knk8Ml4qbUh43rmpNtBHMB8G
-A1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqGSM49BAMCA0gAMEUC
-IFVt+a9+LTIex49MErhjx21r7Uu9469VVrcClSxR0dTkAiEA2BWdsZzVC8Wcu99e
-fX1FdDs1xrMOwKnZmp4ynWRJPDc=
+nKRhfnAC3BhtyZBWF/l7ye1fnudEwnK/06NmMGQwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFO2mD++9Knk8Ml4qbUh43rmpNtBH
+MB8GA1UdIwQYMBaAFOfv6sMzXF/Qw+Y0Up8WcEbEvKVcMAoGCCqGSM49BAMCA0gA
+MEUCIEqWvBko3L7xtlIz0cuRcMtmXCG/NaXMpdQblzpi2OIxAiEAwOEY8dMGbWmy
+3SJfN7PcNJmCrkjJVIodQk2C0AsqpM0=
-----END CERTIFICATE-----
diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
index f29d790..076a544 100644
--- a/src/credentials/CHIPCert.h
+++ b/src/credentials/CHIPCert.h
@@ -103,7 +103,11 @@
kCertType_Root = 0x01, /**< A CHIP Root certificate. */
kCertType_ICA = 0x02, /**< A CHIP Intermediate CA certificate. */
kCertType_Node = 0x03, /**< A CHIP node certificate. */
- kCertType_FirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. */
+ kCertType_FirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. Note that CHIP doesn't
+ specify how firmware images are signed and implementation of
+ firmware image signing is manufacturer-specific. The CHIP
+ certificate format supports encoding of firmware signing
+ certificates if chosen by the manufacturer to use them. */
};
/** X.509 Certificate Key Purpose Flags
diff --git a/src/credentials/tests/CHIPCert_test_vectors.cpp b/src/credentials/tests/CHIPCert_test_vectors.cpp
index 701e30f..afc8809 100644
--- a/src/credentials/tests/CHIPCert_test_vectors.cpp
+++ b/src/credentials/tests/CHIPCert_test_vectors.cpp
@@ -338,7 +338,7 @@
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 2782606924353714404 (0x269dce413ba538e4)
+ Serial Number: 5356538228357938904 (0x4a563f2377133ed8)
Signature Algorithm: ecdsa-with-SHA256
Issuer: 1.3.6.1.4.1.37244.1.4 = CACACACA00000002, 1.3.6.1.4.1.37244.1.5 = FAB000000000001D
Validity
@@ -358,7 +358,7 @@
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
- CA:TRUE
+ CA:TRUE, pathlen:1
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
@@ -367,23 +367,23 @@
keyid:B2:1B:EA:40:AB:F2:AB:A9:56:F9:82:E1:DA:D2:B6:06:92:06:90:E0
Signature Algorithm: ecdsa-with-SHA256
- 30:46:02:21:00:8d:03:79:ff:1d:68:ab:8e:d7:b3:26:60:90:
- 97:77:50:07:a2:1f:28:49:71:89:a8:d8:7c:85:cd:2f:1a:79:
- 78:02:21:00:c1:eb:69:da:21:f0:0b:23:6c:02:83:43:57:3a:
- a7:98:6f:de:21:4a:77:a4:4d:ea:7a:0f:03:20:f7:5d:b6:80
+ 30:46:02:21:00:86:89:d7:3a:c2:e0:04:b7:0f:a4:05:91:ca:
+ b3:b9:79:47:c4:c6:92:cb:97:6c:53:9c:f3:76:06:53:a5:a4:
+ dd:02:21:00:87:cf:49:39:32:df:cd:49:8c:a0:bc:c4:93:9b:
+ b2:7d:76:ac:3d:de:67:2c:25:cb:34:7a:4f:de:9f:dc:f3:cb
-----BEGIN CERTIFICATE-----
-MIIB4jCCAYegAwIBAgIIJp3OQTulOOQwCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
+MIIB5TCCAYqgAwIBAgIISlY/I3cTPtgwCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
gqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDIxIDAeBgorBgEEAYKifAEFDBBGQUIwMDAw
MDAwMDAwMDFEMB4XDTIwMTAxNTE0MjM0M1oXDTQwMTAxNTE0MjM0MlowRDEgMB4G
CisGAQQBgqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDIxIDAeBgorBgEEAYKifAEFDBBG
QUIwMDAwMDAwMDAwMDFEMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbpYwaJiJ
9gayVE8OACHkvnA2DD930DO+UG28ZGOBD5p6HO/S7eHQBlbuB2OqxQPoskCsdjIM
-dTXIf9zzkdchMqNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-HQYDVR0OBBYEFLIb6kCr8qupVvmC4drStgaSBpDgMB8GA1UdIwQYMBaAFLIb6kCr
-8qupVvmC4drStgaSBpDgMAoGCCqGSM49BAMCA0kAMEYCIQCNA3n/HWirjtezJmCQ
-l3dQB6IfKElxiajYfIXNLxp5eAIhAMHradoh8AsjbAKDQ1c6p5hv3iFKd6RN6noP
-AyD3XbaA
+dTXIf9zzkdchMqNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC
+AQYwHQYDVR0OBBYEFLIb6kCr8qupVvmC4drStgaSBpDgMB8GA1UdIwQYMBaAFLIb
+6kCr8qupVvmC4drStgaSBpDgMAoGCCqGSM49BAMCA0kAMEYCIQCGidc6wuAEtw+k
+BZHKs7l5R8TGksuXbFOc83YGU6Wk3QIhAIfPSTky381JjKC8xJObsn12rD3eZywl
+yzR6T96f3PPL
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
@@ -394,26 +394,27 @@
*/
extern const uint8_t sTestCert_Root02_Chip[] = {
- 0x15, 0x30, 0x01, 0x08, 0x26, 0x9d, 0xce, 0x41, 0x3b, 0xa5, 0x38, 0xe4, 0x24, 0x02, 0x01, 0x37, 0x03, 0x27, 0x14, 0x02, 0x00,
- 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x26, 0x04, 0xef, 0x17,
- 0x1b, 0x27, 0x26, 0x05, 0x6e, 0xb5, 0xb9, 0x4c, 0x37, 0x06, 0x27, 0x14, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27,
- 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0x6e,
- 0x96, 0x30, 0x68, 0x98, 0x89, 0xf6, 0x06, 0xb2, 0x54, 0x4f, 0x0e, 0x00, 0x21, 0xe4, 0xbe, 0x70, 0x36, 0x0c, 0x3f, 0x77, 0xd0,
- 0x33, 0xbe, 0x50, 0x6d, 0xbc, 0x64, 0x63, 0x81, 0x0f, 0x9a, 0x7a, 0x1c, 0xef, 0xd2, 0xed, 0xe1, 0xd0, 0x06, 0x56, 0xee, 0x07,
- 0x63, 0xaa, 0xc5, 0x03, 0xe8, 0xb2, 0x40, 0xac, 0x76, 0x32, 0x0c, 0x75, 0x35, 0xc8, 0x7f, 0xdc, 0xf3, 0x91, 0xd7, 0x21, 0x32,
- 0x37, 0x0a, 0x35, 0x01, 0x29, 0x01, 0x18, 0x24, 0x02, 0x60, 0x30, 0x04, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9,
- 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x30, 0x05, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2,
- 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x18, 0x30, 0x0b, 0x40, 0x8d, 0x03, 0x79,
- 0xff, 0x1d, 0x68, 0xab, 0x8e, 0xd7, 0xb3, 0x26, 0x60, 0x90, 0x97, 0x77, 0x50, 0x07, 0xa2, 0x1f, 0x28, 0x49, 0x71, 0x89, 0xa8,
- 0xd8, 0x7c, 0x85, 0xcd, 0x2f, 0x1a, 0x79, 0x78, 0xc1, 0xeb, 0x69, 0xda, 0x21, 0xf0, 0x0b, 0x23, 0x6c, 0x02, 0x83, 0x43, 0x57,
- 0x3a, 0xa7, 0x98, 0x6f, 0xde, 0x21, 0x4a, 0x77, 0xa4, 0x4d, 0xea, 0x7a, 0x0f, 0x03, 0x20, 0xf7, 0x5d, 0xb6, 0x80, 0x18,
+ 0x15, 0x30, 0x01, 0x08, 0x4a, 0x56, 0x3f, 0x23, 0x77, 0x13, 0x3e, 0xd8, 0x24, 0x02, 0x01, 0x37, 0x03, 0x27, 0x14, 0x02,
+ 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x26, 0x04,
+ 0xef, 0x17, 0x1b, 0x27, 0x26, 0x05, 0x6e, 0xb5, 0xb9, 0x4c, 0x37, 0x06, 0x27, 0x14, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca,
+ 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30,
+ 0x09, 0x41, 0x04, 0x6e, 0x96, 0x30, 0x68, 0x98, 0x89, 0xf6, 0x06, 0xb2, 0x54, 0x4f, 0x0e, 0x00, 0x21, 0xe4, 0xbe, 0x70,
+ 0x36, 0x0c, 0x3f, 0x77, 0xd0, 0x33, 0xbe, 0x50, 0x6d, 0xbc, 0x64, 0x63, 0x81, 0x0f, 0x9a, 0x7a, 0x1c, 0xef, 0xd2, 0xed,
+ 0xe1, 0xd0, 0x06, 0x56, 0xee, 0x07, 0x63, 0xaa, 0xc5, 0x03, 0xe8, 0xb2, 0x40, 0xac, 0x76, 0x32, 0x0c, 0x75, 0x35, 0xc8,
+ 0x7f, 0xdc, 0xf3, 0x91, 0xd7, 0x21, 0x32, 0x37, 0x0a, 0x35, 0x01, 0x29, 0x01, 0x24, 0x02, 0x01, 0x18, 0x24, 0x02, 0x60,
+ 0x30, 0x04, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92,
+ 0x06, 0x90, 0xe0, 0x30, 0x05, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2,
+ 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x18, 0x30, 0x0b, 0x40, 0x86, 0x89, 0xd7, 0x3a, 0xc2, 0xe0, 0x04, 0xb7, 0x0f, 0xa4,
+ 0x05, 0x91, 0xca, 0xb3, 0xb9, 0x79, 0x47, 0xc4, 0xc6, 0x92, 0xcb, 0x97, 0x6c, 0x53, 0x9c, 0xf3, 0x76, 0x06, 0x53, 0xa5,
+ 0xa4, 0xdd, 0x87, 0xcf, 0x49, 0x39, 0x32, 0xdf, 0xcd, 0x49, 0x8c, 0xa0, 0xbc, 0xc4, 0x93, 0x9b, 0xb2, 0x7d, 0x76, 0xac,
+ 0x3d, 0xde, 0x67, 0x2c, 0x25, 0xcb, 0x34, 0x7a, 0x4f, 0xde, 0x9f, 0xdc, 0xf3, 0xcb, 0x18,
};
extern const uint32_t sTestCert_Root02_Chip_Len = sizeof(sTestCert_Root02_Chip);
extern const uint8_t sTestCert_Root02_DER[] = {
- 0x30, 0x82, 0x01, 0xe2, 0x30, 0x82, 0x01, 0x87, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x26, 0x9d, 0xce, 0x41, 0x3b, 0xa5,
- 0x38, 0xe4, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06,
+ 0x30, 0x82, 0x01, 0xe5, 0x30, 0x82, 0x01, 0x8a, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x4a, 0x56, 0x3f, 0x23, 0x77, 0x13,
+ 0x3e, 0xd8, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06,
0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x01, 0x04, 0x0c, 0x10, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41,
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2,
0x7c, 0x01, 0x05, 0x0c, 0x10, 0x46, 0x41, 0x42, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31, 0x44,
@@ -426,16 +427,16 @@
0x42, 0x00, 0x04, 0x6e, 0x96, 0x30, 0x68, 0x98, 0x89, 0xf6, 0x06, 0xb2, 0x54, 0x4f, 0x0e, 0x00, 0x21, 0xe4, 0xbe, 0x70, 0x36,
0x0c, 0x3f, 0x77, 0xd0, 0x33, 0xbe, 0x50, 0x6d, 0xbc, 0x64, 0x63, 0x81, 0x0f, 0x9a, 0x7a, 0x1c, 0xef, 0xd2, 0xed, 0xe1, 0xd0,
0x06, 0x56, 0xee, 0x07, 0x63, 0xaa, 0xc5, 0x03, 0xe8, 0xb2, 0x40, 0xac, 0x76, 0x32, 0x0c, 0x75, 0x35, 0xc8, 0x7f, 0xdc, 0xf3,
- 0x91, 0xd7, 0x21, 0x32, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
- 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30,
- 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82,
- 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
- 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0,
- 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8d,
- 0x03, 0x79, 0xff, 0x1d, 0x68, 0xab, 0x8e, 0xd7, 0xb3, 0x26, 0x60, 0x90, 0x97, 0x77, 0x50, 0x07, 0xa2, 0x1f, 0x28, 0x49, 0x71,
- 0x89, 0xa8, 0xd8, 0x7c, 0x85, 0xcd, 0x2f, 0x1a, 0x79, 0x78, 0x02, 0x21, 0x00, 0xc1, 0xeb, 0x69, 0xda, 0x21, 0xf0, 0x0b, 0x23,
- 0x6c, 0x02, 0x83, 0x43, 0x57, 0x3a, 0xa7, 0x98, 0x6f, 0xde, 0x21, 0x4a, 0x77, 0xa4, 0x4d, 0xea, 0x7a, 0x0f, 0x03, 0x20, 0xf7,
- 0x5d, 0xb6, 0x80,
+ 0x91, 0xd7, 0x21, 0x32, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30,
+ 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02,
+ 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9,
+ 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+ 0x30, 0x16, 0x80, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92,
+ 0x06, 0x90, 0xe0, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02,
+ 0x21, 0x00, 0x86, 0x89, 0xd7, 0x3a, 0xc2, 0xe0, 0x04, 0xb7, 0x0f, 0xa4, 0x05, 0x91, 0xca, 0xb3, 0xb9, 0x79, 0x47, 0xc4, 0xc6,
+ 0x92, 0xcb, 0x97, 0x6c, 0x53, 0x9c, 0xf3, 0x76, 0x06, 0x53, 0xa5, 0xa4, 0xdd, 0x02, 0x21, 0x00, 0x87, 0xcf, 0x49, 0x39, 0x32,
+ 0xdf, 0xcd, 0x49, 0x8c, 0xa0, 0xbc, 0xc4, 0x93, 0x9b, 0xb2, 0x7d, 0x76, 0xac, 0x3d, 0xde, 0x67, 0x2c, 0x25, 0xcb, 0x34, 0x7a,
+ 0x4f, 0xde, 0x9f, 0xdc, 0xf3, 0xcb,
};
extern const uint32_t sTestCert_Root02_DER_Len = sizeof(sTestCert_Root02_DER);
@@ -587,7 +588,7 @@
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 911518014129873355 (0xca65ccdee94a1cb)
+ Serial Number: 4165248444559607814 (0x39cdef6453394806)
Signature Algorithm: ecdsa-with-SHA256
Issuer: 1.3.6.1.4.1.37244.1.4 = CACACACA00000002, 1.3.6.1.4.1.37244.1.5 = FAB000000000001D
Validity
@@ -607,7 +608,7 @@
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
- CA:TRUE
+ CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
@@ -616,23 +617,23 @@
keyid:B2:1B:EA:40:AB:F2:AB:A9:56:F9:82:E1:DA:D2:B6:06:92:06:90:E0
Signature Algorithm: ecdsa-with-SHA256
- 30:45:02:21:00:ca:49:9e:8e:2c:5d:01:12:44:a9:2e:7e:17:
- d4:b0:52:6a:83:85:5c:8f:15:4f:f0:f1:c1:94:72:e1:f1:65:
- 26:02:20:33:87:03:f4:41:10:1e:09:c8:9b:a9:b0:f6:3f:74:
- a2:6e:26:2e:b6:2b:0f:39:5a:c2:03:11:be:d0:9e:e5:e6
+ 30:45:02:20:58:1a:14:96:5d:9b:42:10:53:12:b3:9f:0c:aa:
+ 18:98:d5:63:dc:c1:d6:eb:04:86:c2:f8:89:2b:20:43:3e:61:
+ 02:21:00:b8:4d:cf:33:60:8d:d5:1c:93:e1:27:6c:92:37:ae:
+ 6f:e2:06:01:dc:3e:6e:9e:02:b1:dc:2b:d9:3e:d8:f5:4d
-----BEGIN CERTIFICATE-----
-MIIB4TCCAYegAwIBAgIIDKZcze6UocswCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
+MIIB5DCCAYqgAwIBAgIIOc3vZFM5SAYwCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
gqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDIxIDAeBgorBgEEAYKifAEFDBBGQUIwMDAw
MDAwMDAwMDFEMB4XDTIwMTAxNTE0MjM0M1oXDTQwMTAxNTE0MjM0MlowRDEgMB4G
CisGAQQBgqJ8AQMMEENBQ0FDQUNBMDAwMDAwMDQxIDAeBgorBgEEAYKifAEFDBBG
QUIwMDAwMDAwMDAwMDFEMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/P4aD0l9
+Mf63oJC7rQJ5EhQ7lK84CszHqs+r5AMQgTZ6qMXOObelINFKN6cNT9eWxH7kt3b
-ZHTa9g4f/iH006NjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-HQYDVR0OBBYEFM9CvPjfSAnZJm8jFVoWsH8Euz2EMB8GA1UdIwQYMBaAFLIb6kCr
-8qupVvmC4drStgaSBpDgMAoGCCqGSM49BAMCA0gAMEUCIQDKSZ6OLF0BEkSpLn4X
-1LBSaoOFXI8VT/DxwZRy4fFlJgIgM4cD9EEQHgnIm6mw9j90om4mLrYrDzlawgMR
-vtCe5eY=
+ZHTa9g4f/iH006NmMGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC
+AQYwHQYDVR0OBBYEFM9CvPjfSAnZJm8jFVoWsH8Euz2EMB8GA1UdIwQYMBaAFLIb
+6kCr8qupVvmC4drStgaSBpDgMAoGCCqGSM49BAMCA0gAMEUCIFgaFJZdm0IQUxKz
+nwyqGJjVY9zB1usEhsL4iSsgQz5hAiEAuE3PM2CN1RyT4Sdskjeub+IGAdw+bp4C
+sdwr2T7Y9U0=
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
@@ -643,26 +644,27 @@
*/
extern const uint8_t sTestCert_ICA02_Chip[] = {
- 0x15, 0x30, 0x01, 0x08, 0x0c, 0xa6, 0x5c, 0xcd, 0xee, 0x94, 0xa1, 0xcb, 0x24, 0x02, 0x01, 0x37, 0x03, 0x27, 0x14, 0x02, 0x00,
- 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x26, 0x04, 0xef, 0x17,
- 0x1b, 0x27, 0x26, 0x05, 0x6e, 0xb5, 0xb9, 0x4c, 0x37, 0x06, 0x27, 0x13, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27,
- 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0xfc,
- 0xfe, 0x1a, 0x0f, 0x49, 0x7d, 0xf8, 0xc7, 0xfa, 0xde, 0x82, 0x42, 0xee, 0xb4, 0x09, 0xe4, 0x48, 0x50, 0xee, 0x52, 0xbc, 0xe0,
- 0x2b, 0x33, 0x1e, 0xab, 0x3e, 0xaf, 0x90, 0x0c, 0x42, 0x04, 0xd9, 0xea, 0xa3, 0x17, 0x38, 0xe6, 0xde, 0x94, 0x83, 0x45, 0x28,
- 0xde, 0x9c, 0x35, 0x3f, 0x5e, 0x5b, 0x11, 0xfb, 0x92, 0xdd, 0xdb, 0x64, 0x74, 0xda, 0xf6, 0x0e, 0x1f, 0xfe, 0x21, 0xf4, 0xd3,
- 0x37, 0x0a, 0x35, 0x01, 0x29, 0x01, 0x18, 0x24, 0x02, 0x60, 0x30, 0x04, 0x14, 0xcf, 0x42, 0xbc, 0xf8, 0xdf, 0x48, 0x09, 0xd9,
- 0x26, 0x6f, 0x23, 0x15, 0x5a, 0x16, 0xb0, 0x7f, 0x04, 0xbb, 0x3d, 0x84, 0x30, 0x05, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2,
- 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x18, 0x30, 0x0b, 0x40, 0xca, 0x49, 0x9e,
- 0x8e, 0x2c, 0x5d, 0x01, 0x12, 0x44, 0xa9, 0x2e, 0x7e, 0x17, 0xd4, 0xb0, 0x52, 0x6a, 0x83, 0x85, 0x5c, 0x8f, 0x15, 0x4f, 0xf0,
- 0xf1, 0xc1, 0x94, 0x72, 0xe1, 0xf1, 0x65, 0x26, 0x33, 0x87, 0x03, 0xf4, 0x41, 0x10, 0x1e, 0x09, 0xc8, 0x9b, 0xa9, 0xb0, 0xf6,
- 0x3f, 0x74, 0xa2, 0x6e, 0x26, 0x2e, 0xb6, 0x2b, 0x0f, 0x39, 0x5a, 0xc2, 0x03, 0x11, 0xbe, 0xd0, 0x9e, 0xe5, 0xe6, 0x18,
+ 0x15, 0x30, 0x01, 0x08, 0x39, 0xcd, 0xef, 0x64, 0x53, 0x39, 0x48, 0x06, 0x24, 0x02, 0x01, 0x37, 0x03, 0x27, 0x14, 0x02,
+ 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x26, 0x04,
+ 0xef, 0x17, 0x1b, 0x27, 0x26, 0x05, 0x6e, 0xb5, 0xb9, 0x4c, 0x37, 0x06, 0x27, 0x13, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca,
+ 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30,
+ 0x09, 0x41, 0x04, 0xfc, 0xfe, 0x1a, 0x0f, 0x49, 0x7d, 0xf8, 0xc7, 0xfa, 0xde, 0x82, 0x42, 0xee, 0xb4, 0x09, 0xe4, 0x48,
+ 0x50, 0xee, 0x52, 0xbc, 0xe0, 0x2b, 0x33, 0x1e, 0xab, 0x3e, 0xaf, 0x90, 0x0c, 0x42, 0x04, 0xd9, 0xea, 0xa3, 0x17, 0x38,
+ 0xe6, 0xde, 0x94, 0x83, 0x45, 0x28, 0xde, 0x9c, 0x35, 0x3f, 0x5e, 0x5b, 0x11, 0xfb, 0x92, 0xdd, 0xdb, 0x64, 0x74, 0xda,
+ 0xf6, 0x0e, 0x1f, 0xfe, 0x21, 0xf4, 0xd3, 0x37, 0x0a, 0x35, 0x01, 0x29, 0x01, 0x24, 0x02, 0x00, 0x18, 0x24, 0x02, 0x60,
+ 0x30, 0x04, 0x14, 0xcf, 0x42, 0xbc, 0xf8, 0xdf, 0x48, 0x09, 0xd9, 0x26, 0x6f, 0x23, 0x15, 0x5a, 0x16, 0xb0, 0x7f, 0x04,
+ 0xbb, 0x3d, 0x84, 0x30, 0x05, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2,
+ 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0, 0x18, 0x30, 0x0b, 0x40, 0x58, 0x1a, 0x14, 0x96, 0x5d, 0x9b, 0x42, 0x10, 0x53, 0x12,
+ 0xb3, 0x9f, 0x0c, 0xaa, 0x18, 0x98, 0xd5, 0x63, 0xdc, 0xc1, 0xd6, 0xeb, 0x04, 0x86, 0xc2, 0xf8, 0x89, 0x2b, 0x20, 0x43,
+ 0x3e, 0x61, 0xb8, 0x4d, 0xcf, 0x33, 0x60, 0x8d, 0xd5, 0x1c, 0x93, 0xe1, 0x27, 0x6c, 0x92, 0x37, 0xae, 0x6f, 0xe2, 0x06,
+ 0x01, 0xdc, 0x3e, 0x6e, 0x9e, 0x02, 0xb1, 0xdc, 0x2b, 0xd9, 0x3e, 0xd8, 0xf5, 0x4d, 0x18,
};
extern const uint32_t sTestCert_ICA02_Chip_Len = sizeof(sTestCert_ICA02_Chip);
extern const uint8_t sTestCert_ICA02_DER[] = {
- 0x30, 0x82, 0x01, 0xe1, 0x30, 0x82, 0x01, 0x87, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x0c, 0xa6, 0x5c, 0xcd, 0xee, 0x94,
- 0xa1, 0xcb, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06,
+ 0x30, 0x82, 0x01, 0xe4, 0x30, 0x82, 0x01, 0x8a, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x39, 0xcd, 0xef, 0x64, 0x53, 0x39,
+ 0x48, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06,
0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x01, 0x04, 0x0c, 0x10, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41,
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2,
0x7c, 0x01, 0x05, 0x0c, 0x10, 0x46, 0x41, 0x42, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31, 0x44,
@@ -675,16 +677,16 @@
0x42, 0x00, 0x04, 0xfc, 0xfe, 0x1a, 0x0f, 0x49, 0x7d, 0xf8, 0xc7, 0xfa, 0xde, 0x82, 0x42, 0xee, 0xb4, 0x09, 0xe4, 0x48, 0x50,
0xee, 0x52, 0xbc, 0xe0, 0x2b, 0x33, 0x1e, 0xab, 0x3e, 0xaf, 0x90, 0x0c, 0x42, 0x04, 0xd9, 0xea, 0xa3, 0x17, 0x38, 0xe6, 0xde,
0x94, 0x83, 0x45, 0x28, 0xde, 0x9c, 0x35, 0x3f, 0x5e, 0x5b, 0x11, 0xfb, 0x92, 0xdd, 0xdb, 0x64, 0x74, 0xda, 0xf6, 0x0e, 0x1f,
- 0xfe, 0x21, 0xf4, 0xd3, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
- 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30,
- 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xcf, 0x42, 0xbc, 0xf8, 0xdf, 0x48, 0x09, 0xd9, 0x26, 0x6f, 0x23,
- 0x15, 0x5a, 0x16, 0xb0, 0x7f, 0x04, 0xbb, 0x3d, 0x84, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
- 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92, 0x06, 0x90, 0xe0,
- 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xca,
- 0x49, 0x9e, 0x8e, 0x2c, 0x5d, 0x01, 0x12, 0x44, 0xa9, 0x2e, 0x7e, 0x17, 0xd4, 0xb0, 0x52, 0x6a, 0x83, 0x85, 0x5c, 0x8f, 0x15,
- 0x4f, 0xf0, 0xf1, 0xc1, 0x94, 0x72, 0xe1, 0xf1, 0x65, 0x26, 0x02, 0x20, 0x33, 0x87, 0x03, 0xf4, 0x41, 0x10, 0x1e, 0x09, 0xc8,
- 0x9b, 0xa9, 0xb0, 0xf6, 0x3f, 0x74, 0xa2, 0x6e, 0x26, 0x2e, 0xb6, 0x2b, 0x0f, 0x39, 0x5a, 0xc2, 0x03, 0x11, 0xbe, 0xd0, 0x9e,
- 0xe5, 0xe6,
+ 0xfe, 0x21, 0xf4, 0xd3, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30,
+ 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02,
+ 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xcf, 0x42, 0xbc, 0xf8, 0xdf, 0x48, 0x09, 0xd9,
+ 0x26, 0x6f, 0x23, 0x15, 0x5a, 0x16, 0xb0, 0x7f, 0x04, 0xbb, 0x3d, 0x84, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+ 0x30, 0x16, 0x80, 0x14, 0xb2, 0x1b, 0xea, 0x40, 0xab, 0xf2, 0xab, 0xa9, 0x56, 0xf9, 0x82, 0xe1, 0xda, 0xd2, 0xb6, 0x06, 0x92,
+ 0x06, 0x90, 0xe0, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02,
+ 0x20, 0x58, 0x1a, 0x14, 0x96, 0x5d, 0x9b, 0x42, 0x10, 0x53, 0x12, 0xb3, 0x9f, 0x0c, 0xaa, 0x18, 0x98, 0xd5, 0x63, 0xdc, 0xc1,
+ 0xd6, 0xeb, 0x04, 0x86, 0xc2, 0xf8, 0x89, 0x2b, 0x20, 0x43, 0x3e, 0x61, 0x02, 0x21, 0x00, 0xb8, 0x4d, 0xcf, 0x33, 0x60, 0x8d,
+ 0xd5, 0x1c, 0x93, 0xe1, 0x27, 0x6c, 0x92, 0x37, 0xae, 0x6f, 0xe2, 0x06, 0x01, 0xdc, 0x3e, 0x6e, 0x9e, 0x02, 0xb1, 0xdc, 0x2b,
+ 0xd9, 0x3e, 0xd8, 0xf5, 0x4d,
};
extern const uint32_t sTestCert_ICA02_DER_Len = sizeof(sTestCert_ICA02_DER);
diff --git a/src/tools/chip-cert/CertUtils.cpp b/src/tools/chip-cert/CertUtils.cpp
index 526bac8..511758a 100644
--- a/src/tools/chip-cert/CertUtils.cpp
+++ b/src/tools/chip-cert/CertUtils.cpp
@@ -28,6 +28,8 @@
#include "chip-cert.h"
+#include <string>
+
using namespace chip;
using namespace chip::Credentials;
using namespace chip::ASN1;
@@ -574,7 +576,8 @@
}
bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom,
- uint32_t validDays, const FutureExtension * futureExts, uint8_t futureExtsCount, X509 * newCert, EVP_PKEY * newKey)
+ uint32_t validDays, int pathLen, const FutureExtension * futureExts, uint8_t futureExtsCount, X509 * newCert,
+ EVP_PKEY * newKey)
{
bool res = true;
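Review bot: The new `pathLen` parameter is a plain `int` whose only visible contract is the `kPathLength_NotSpecified` sentinel tested later in the function, and nothing at the signature documents that. A short comment above MakeCert would help callers, for example `// pathLen: Basic Constraints path length to encode, or kPathLength_NotSpecified to omit it.` The function body continues outside this hunk.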
@@ -615,23 +618,42 @@
ReportOpenSSLErrorAndExit("X509_set_issuer_name", res = false);
}
+ // Add basic constraints certificate extensions.
+ {
+ std::string basicConstraintsExt;
+
+ if (certType == kCertType_Node || certType == kCertType_FirmwareSigning)
+ {
+ basicConstraintsExt = "critical,CA:FALSE";
+ }
+ else
+ {
+ basicConstraintsExt = "critical,CA:TRUE";
+ }
+
+ if (pathLen != kPathLength_NotSpecified)
+ {
+ basicConstraintsExt.append(",pathlen:" + std::to_string(pathLen));
+ }
+
+ res = AddExtension(newCert, NID_basic_constraints, basicConstraintsExt.c_str());
+ VerifyTrueOrExit(res);
+ }
+
// Add the appropriate certificate extensions.
if (certType == kCertType_Node)
{
- res = AddExtension(newCert, NID_basic_constraints, "critical,CA:FALSE") &&
- AddExtension(newCert, NID_key_usage, "critical,digitalSignature") &&
+ res = AddExtension(newCert, NID_key_usage, "critical,digitalSignature") &&
AddExtension(newCert, NID_ext_key_usage, "critical,clientAuth,serverAuth");
}
else if (certType == kCertType_FirmwareSigning)
{
- res = AddExtension(newCert, NID_basic_constraints, "critical,CA:FALSE") &&
- AddExtension(newCert, NID_key_usage, "critical,digitalSignature") &&
+ res = AddExtension(newCert, NID_key_usage, "critical,digitalSignature") &&
AddExtension(newCert, NID_ext_key_usage, "critical,codeSigning");
}
else if (certType == kCertType_ICA || certType == kCertType_Root)
{
- res = AddExtension(newCert, NID_basic_constraints, "critical,CA:TRUE") &&
- AddExtension(newCert, NID_key_usage, "critical,keyCertSign,cRLSign");
+ res = AddExtension(newCert, NID_key_usage, "critical,keyCertSign,cRLSign");
}
VerifyTrueOrExit(res);
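Review bot: The new `else` branch in the basic-constraints block emits `critical,CA:TRUE` for every `certType` that is not Node or FirmwareSigning, so a type the key-usage chain below does not recognise would now be issued as a CA certificate, where the old code added no basic constraints for it. The same block appends `pathlen` without checking that the certificate is a CA; MakeCert relies on the caller in Cmd_GenCert.cpp to reject that combination, and RFC 5280 allows pathLenConstraint only when cA is asserted. I would name ICA and Root explicitly and fail on anything else, as in the excerpt below. The hunk at `@@ -775,10 +797,15 @@` has the same shape: its final `else` assumes PAA for any attestation type not matched earlier. MakeCert starts and ends outside this hunk, so earlier validation of `certType` may exist that is not visible here.

```cpp
        if (certType == kCertType_Node || certType == kCertType_FirmwareSigning)
        {
            // pathLenConstraint is only valid on CA certificates.
            res = (pathLen == kPathLength_NotSpecified);
            VerifyTrueOrExit(res);
            basicConstraintsExt = "critical,CA:FALSE";
        }
        else if (certType == kCertType_ICA || certType == kCertType_Root)
        {
            basicConstraintsExt = "critical,CA:TRUE";
        }
        else
        {
            // Unknown certificate type: fail instead of defaulting to a CA certificate.
            ExitNow(res = false);
        }
        // … unchanged: optional pathlen append and AddExtension(NID_basic_constraints) call …
```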
@@ -775,10 +797,15 @@
res = AddExtension(newCert, NID_basic_constraints, "critical,CA:FALSE") &&
AddExtension(newCert, NID_key_usage, "critical,digitalSignature");
}
- // otherwise, it is PAI or PAA
+ else if (attCertType == kAttCertType_PAI)
+ {
+ res = AddExtension(newCert, NID_basic_constraints, "critical,CA:TRUE,pathlen:0") &&
+ AddExtension(newCert, NID_key_usage, "critical,keyCertSign,cRLSign");
+ }
+ // otherwise, it is PAA
else
{
- res = AddExtension(newCert, NID_basic_constraints, "critical,CA:TRUE") &&
+ res = AddExtension(newCert, NID_basic_constraints, "critical,CA:TRUE,pathlen:1") &&
AddExtension(newCert, NID_key_usage, "critical,keyCertSign,cRLSign");
}
VerifyTrueOrExit(res);
diff --git a/src/tools/chip-cert/Cmd_GenCert.cpp b/src/tools/chip-cert/Cmd_GenCert.cpp
index 66ea0f0..4fc61e9 100644
--- a/src/tools/chip-cert/Cmd_GenCert.cpp
+++ b/src/tools/chip-cert/Cmd_GenCert.cpp
@@ -43,21 +43,22 @@
// clang-format off
OptionDef gCmdOptionDefs[] =
{
- { "type", kArgumentRequired, 't' },
- { "subject-chip-id", kArgumentRequired, 'i' },
- { "subject-fab-id", kArgumentRequired, 'f' },
- { "subject-at", kArgumentRequired, 'a' },
- { "subject-cn-u", kArgumentRequired, 'c' },
- { "future-ext-sub", kArgumentRequired, 'x' },
- { "future-ext-info", kArgumentRequired, '2' },
- { "key", kArgumentRequired, 'k' },
- { "ca-cert", kArgumentRequired, 'C' },
- { "ca-key", kArgumentRequired, 'K' },
- { "out", kArgumentRequired, 'o' },
- { "out-key", kArgumentRequired, 'O' },
- { "out-format", kArgumentRequired, 'F' },
- { "valid-from", kArgumentRequired, 'V' },
- { "lifetime", kArgumentRequired, 'l' },
+ { "type", kArgumentRequired, 't' },
+ { "subject-chip-id", kArgumentRequired, 'i' },
+ { "subject-fab-id", kArgumentRequired, 'f' },
+ { "subject-at", kArgumentRequired, 'a' },
+ { "subject-cn-u", kArgumentRequired, 'c' },
+ { "path-len-constraint", kArgumentRequired, 'p' },
+ { "future-ext-sub", kArgumentRequired, 'x' },
+ { "future-ext-info", kArgumentRequired, '2' },
+ { "key", kArgumentRequired, 'k' },
+ { "ca-cert", kArgumentRequired, 'C' },
+ { "ca-key", kArgumentRequired, 'K' },
+ { "out", kArgumentRequired, 'o' },
+ { "out-key", kArgumentRequired, 'O' },
+ { "out-format", kArgumentRequired, 'F' },
+ { "valid-from", kArgumentRequired, 'V' },
+ { "lifetime", kArgumentRequired, 'l' },
{ }
};
@@ -90,6 +91,11 @@
"\n"
" Subject DN Common Name attribute encoded as UTF8String.\n"
"\n"
+ " -p, --path-len-constraint <int>\n"
+ "\n"
+ " Path length constraint to be included in the basic constraint extension.\n"
+ " If not specified, the path length constraint is not included in the extension.\n"
+ "\n"
" -x, --future-ext-sub <string>\n"
"\n"
" NID_subject_alt_name extension to be added to the list of certificate extensions.\n"
@@ -168,6 +174,7 @@
ToolChipDN gSubjectDN;
uint8_t gCertType = kCertType_NotSpecified;
+int gPathLengthConstraint = kPathLength_NotSpecified;
bool gSelfSign = false;
const char * gCACertFileName = nullptr;
const char * gCAKeyFileName = nullptr;
@@ -281,6 +288,13 @@
}
break;
+ case 'p':
+ if (!ParseInt(arg, gPathLengthConstraint))
+ {
+ PrintArgError("%s: Invalid value specified for path length constraint: %s\n", progName, arg);
+ return false;
+ }
+ break;
case 'f':
if (!ParseChip64bitAttr(arg, chip64bitAttr))
{
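Review bot: The `case 'p'` handler accepts any integer that `ParseInt` parses, so a negative value is not rejected: `-p -1` equals `kPathLength_NotSpecified` and is silently treated as if the option were absent, and other negative values would presumably reach the `pathlen:` string built in MakeCert. pathLenConstraint is defined as a non-negative integer, so the check should be `if (!ParseInt(arg, gPathLengthConstraint) || gPathLengthConstraint < 0)`. The enclosing option-handler function starts and ends outside the hunk.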
@@ -459,6 +473,13 @@
ExitNow(res = false);
}
+ if (gPathLengthConstraint != kPathLength_NotSpecified &&
+ (gCertType == kCertType_Node || gCertType == kCertType_FirmwareSigning))
+ {
+ fprintf(stderr, "Path length constraint shouldn't be specified for the leaf certificate.\n");
+ ExitNow(res = false);
+ }
+
if (strcmp(gOutCertFileName, "-") != 0 && access(gOutCertFileName, R_OK) == 0)
{
fprintf(stderr,
@@ -493,8 +514,8 @@
if (gSelfSign)
{
- res = MakeCert(gCertType, &gSubjectDN, newCert.get(), newKey.get(), gValidFrom, gValidDays, gFutureExtensions,
- gFutureExtensionsCount, newCert.get(), newKey.get());
+ res = MakeCert(gCertType, &gSubjectDN, newCert.get(), newKey.get(), gValidFrom, gValidDays, gPathLengthConstraint,
+ gFutureExtensions, gFutureExtensionsCount, newCert.get(), newKey.get());
VerifyTrueOrExit(res);
}
else
@@ -508,8 +529,8 @@
res = ReadKey(gCAKeyFileName, caKey.get());
VerifyTrueOrExit(res);
- res = MakeCert(gCertType, &gSubjectDN, caCert.get(), caKey.get(), gValidFrom, gValidDays, gFutureExtensions,
- gFutureExtensionsCount, newCert.get(), newKey.get());
+ res = MakeCert(gCertType, &gSubjectDN, caCert.get(), caKey.get(), gValidFrom, gValidDays, gPathLengthConstraint,
+ gFutureExtensions, gFutureExtensionsCount, newCert.get(), newKey.get());
VerifyTrueOrExit(res);
}
diff --git a/src/tools/chip-cert/chip-cert.h b/src/tools/chip-cert/chip-cert.h
index 24a3ef8..3e7d148 100644
--- a/src/tools/chip-cert/chip-cert.h
+++ b/src/tools/chip-cert/chip-cert.h
@@ -73,7 +73,8 @@
enum
{
kCertValidDays_Undefined = 0,
- kCertValidDays_NoWellDefinedExpiration = UINT32_MAX
+ kCertValidDays_NoWellDefinedExpiration = UINT32_MAX,
+ kPathLength_NotSpecified = -1,
};
enum CertFormat
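Review bot: `kPathLength_NotSpecified = -1` is added to the unnamed enum that also holds `kCertValidDays_NoWellDefinedExpiration = UINT32_MAX`, so the enum now needs an underlying type wider than 32 bits to hold both values, and the type of the existing valid-days constants changes with it. The constant is also unrelated to certificate lifetime. I would declare it on its own, `enum { kPathLength_NotSpecified = -1 };`, with a comment such as `// Sentinel: no pathLenConstraint in the basic constraints extension.`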
@@ -132,7 +133,7 @@
extern bool WriteCert(const char * fileName, X509 * cert, CertFormat certFmt);
extern bool MakeCert(uint8_t certType, const ToolChipDN * subjectDN, X509 * caCert, EVP_PKEY * caKey, const struct tm & validFrom,
- uint32_t validDays, const FutureExtension * futureExts, uint8_t futureExtsCount, X509 * newCert,
+ uint32_t validDays, int pathLen, const FutureExtension * futureExts, uint8_t futureExtsCount, X509 * newCert,
EVP_PKEY * newKey);
extern bool ResignCert(X509 * cert, X509 * caCert, EVP_PKEY * caKey);