blob: 720ef036445fc7d5d74547c535768a065f770ff7 [file] [log] [blame]
/*
*
* Copyright (c) 2021 Project CHIP Authors
* Copyright (c) 2013-2017 Nest Labs, Inc.
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @file
* This file implements the command handler for the 'chip-cert' tool
* that validates a CHIP certificate.
*
*/
#include "chip-cert.h"
#include "vector"
namespace {
using namespace chip;
using namespace chip::ArgParser;
using namespace chip::Credentials;
using namespace chip::ASN1;
#define CMD_NAME "chip-cert validate-cert"
bool HandleOption(const char * progName, OptionSet * optSet, int id, const char * name, const char * arg);
bool HandleNonOptionArgs(const char * progName, int argc, char * argv[]);
// clang-format off
OptionDef gCmdOptionDefs[] =
{
{ "cert", kArgumentRequired, 'c' },
{ "trusted-cert", kArgumentRequired, 't' },
{ }
};
const char * const gCmdOptionHelp =
" -c, --cert <cert-file>\n"
"\n"
" A file containing an untrusted CHIP certificate to be used during\n"
" validation. Usually, it is Intermediate CA certificate.\n"
"\n"
" -t, --trusted-cert <cert-file>\n"
"\n"
" A file containing a trusted CHIP certificate to be used during\n"
" validation. Usually, it is trust anchor root certificate.\n"
"\n"
;
OptionSet gCmdOptions =
{
HandleOption,
gCmdOptionDefs,
"COMMAND OPTIONS",
gCmdOptionHelp
};
HelpOptions gHelpOptions(
CMD_NAME,
"Usage: " CMD_NAME " [ <options...> ] <target-cert-file>\n",
CHIP_VERSION_STRING "\n" COPYRIGHT_STRING,
"Validate a chain of CHIP certificates.\n"
"\n"
"ARGUMENTS\n"
"\n"
" <target-cert-file>\n"
"\n"
" A file containing the certificate to be validated.\n"
"\n"
);
OptionSet * gCmdOptionSets[] =
{
&gCmdOptions,
&gHelpOptions,
nullptr
};
// clang-format on
enum
{
kMaxCerts = 16,
};
const char * gTargetCertFileName = nullptr;
const char * gCACertFileNames[kMaxCerts - 1];
bool gCACertIsTrusted[kMaxCerts - 1];
size_t gNumCertFileNames = 0;
bool HandleOption(const char * progName, OptionSet * optSet, int id, const char * name, const char * arg)
{
switch (id)
{
case 'c':
case 't':
gCACertFileNames[gNumCertFileNames] = arg;
gCACertIsTrusted[gNumCertFileNames++] = (id == 't');
break;
default:
PrintArgError("%s: Unhandled option: %s\n", progName, name);
return false;
}
return true;
}
bool HandleNonOptionArgs(const char * progName, int argc, char * argv[])
{
if (argc == 0)
{
PrintArgError("%s: Please specify the name of the certificate to be validated.\n", progName);
return false;
}
if (argc > 1)
{
PrintArgError("%s: Unexpected argument: %s\n", progName, argv[1]);
return false;
}
gTargetCertFileName = argv[0];
return true;
}
} // namespace
bool Cmd_ValidateCert(int argc, char * argv[])
{
bool res = true;
CHIP_ERROR err = CHIP_NO_ERROR;
ChipCertificateSet certSet;
const ChipCertificateData * certToBeValidated = nullptr;
const ChipCertificateData * validatedCert = nullptr;
ValidationContext context;
uint8_t certsBuf[kMaxCerts * kMaxCHIPCertLength];
MutableByteSpan chipCert[kMaxCerts];
context.Reset();
if (argc == 1)
{
gHelpOptions.PrintBriefUsage(stderr);
ExitNow(res = true);
}
res = ParseArgs(CMD_NAME, argc, argv, gCmdOptionSets, HandleNonOptionArgs);
VerifyTrueOrExit(res);
err = certSet.Init(kMaxCerts);
if (err != CHIP_NO_ERROR)
{
fprintf(stderr, "Failed to initialize certificate set: %s\n", chip::ErrorStr(err));
ExitNow(res = false);
}
for (size_t i = 0; i < gNumCertFileNames; i++)
{
chipCert[i] = MutableByteSpan(&certsBuf[i * kMaxCHIPCertLength], kMaxCHIPCertLength);
res = LoadChipCert(gCACertFileNames[i], gCACertIsTrusted[i], certSet, chipCert[i]);
VerifyTrueOrExit(res);
}
chipCert[gNumCertFileNames] = MutableByteSpan(&certsBuf[gNumCertFileNames * kMaxCHIPCertLength], kMaxCHIPCertLength);
res = LoadChipCert(gTargetCertFileName, false, certSet, chipCert[gNumCertFileNames]);
VerifyTrueOrExit(res);
certToBeValidated = certSet.GetLastCert();
context.Reset();
res = chip::UnixEpochToChipEpochTime(static_cast<uint32_t>(time(nullptr)), context.mEffectiveTime);
VerifyTrueOrExit(res);
err = certSet.FindValidCert(certToBeValidated->mSubjectDN, certToBeValidated->mSubjectKeyId, context, &validatedCert);
if (err != CHIP_NO_ERROR)
{
fprintf(stderr, "Failed certificate chain validation: %s\n", chip::ErrorStr(err));
ExitNow(res = false);
}
exit:
certSet.Release();
return res;
}