From d95ce24f7c57b421db6ce68fa0cdf576ca876be2 Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 27 May 2024 08:01:51 +0530
Subject: [PATCH 1/5] dac revocation: Fallback method to parse VID/PID from crl signer
---
 credentials/generate-revocation-set.py | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/credentials/generate-revocation-set.py b/credentials/generate-revocation-set.py
index bfc5ce560c1f80..9e1f844a8b1678 100644
--- a/credentials/generate-revocation-set.py
+++ b/credentials/generate-revocation-set.py
@@ -64,6 +64,26 @@ def extract_single_integer_attribute(subject, oid):
     return None
 
 
+def parse_vid_pid_from_distinguished_name(distinguished_name):
+    # VID/PID encoded using Matter specific RDNs
+    vid = extract_single_integer_attribute(distinguished_name, OID_VENDOR_ID)
+    pid = extract_single_integer_attribute(distinguished_name, OID_PRODUCT_ID)
+
+    # Fallback method to get the VID/PID, encoded in CN as "Mvid:FFFF Mpid:1234"
+    if vid is None and pid is None:
+        cn = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier("2.5.4.3"))[0].value
+
+        vid_start = cn.find('Mvid:')
+        if vid_start != -1:
+            vid = int(cn[vid_start + 5:vid_start + 9], 16)
+
+        pid_start = cn.find('Mpid:')
+        if pid_start != -1:
+            pid = int(cn[pid_start + 5:pid_start + 9], 16)
+
+    return vid, pid
+
+
 class DCLDClient:
     '''
     A client for interacting with DCLD using either the REST API or command line interface (CLI).
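Review bot: `get_attributes_for_oid(x509.ObjectIdentifier("2.5.4.3"))[0]` raises IndexError when the CRL signer subject carries no CN, and `int(cn[vid_start + 5:vid_start + 9], 16)` raises ValueError when the characters after the tag are not hex, so a single malformed DCL entry aborts the whole revocation-set build instead of being skipped with the warning-and-continue the caller applies to other mismatches. The same unguarded `[0]` survives in every later parse hunk of this series (patches 2–5), and the non-hex case survives patch 3's length check. I would bind the attribute list first, `cn_attrs = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier("2.5.4.3"))`, return `vid, pid` unchanged when it is empty, and catch ValueError around each conversion so an unparseable tag reads as None. The fallback also runs only when both Matter RDNs are absent, so a subject with one RDN and the other value in the CN keeps that second value None; whether mixed encoding is legal is a question for spec 6.2.2.2, and a docstring stating the precedence chosen here would make it reviewable.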
@@ -248,14 +268,11 @@ def main(use_main_net_dcld: str, use_test_net_dcld: str, use_main_net_http: bool
         is_paa = revocation_point["isPAA"]
 
         # 3. && 4. Validate VID/PID
-        # TODO: Need to support alternate representation of VID/PID (see spec "6.2.2.2. Encoding of Vendor ID and Product ID in subject and issuer fields")
-        crl_vid = extract_single_integer_attribute(crl_signer_certificate.subject, OID_VENDOR_ID)
-        crl_pid = extract_single_integer_attribute(crl_signer_certificate.subject, OID_PRODUCT_ID)
+        crl_vid, crl_pid = parse_vid_pid_from_distinguished_name(crl_signer_certificate.subject)
 
         if is_paa:
             if crl_vid is not None:
                 if vid != crl_vid:
-                    # TODO: Need to log all situations where a continue is called
                     logging.warning("VID is not CRL VID, continue...")
                     continue
         else:
From 414692c4015700c8d490f4e62dc8e4805e20dca1 Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 27 May 2024 18:18:55 +0530
Subject: [PATCH 2/5] extract the redundant code into method
---
 credentials/generate-revocation-set.py | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/credentials/generate-revocation-set.py b/credentials/generate-revocation-set.py
index 9e1f844a8b1678..27211fade69ce9 100644
--- a/credentials/generate-revocation-set.py
+++ b/credentials/generate-revocation-set.py
@@ -64,6 +64,17 @@ def extract_single_integer_attribute(subject, oid):
     return None
 
 
+def extract_single_attribute_from_cn(cn, marker):
+    val_len = 4
+    start_idx = cn.find(marker)
+
+    if start_idx != -1:
+        val_start_idx = start_idx + len(marker)
+        return int(cn[val_start_idx:val_start_idx + val_len], 16)
+
+    return None
+
+
 def parse_vid_pid_from_distinguished_name(distinguished_name):
     # VID/PID encoded using Matter specific RDNs
     vid = extract_single_integer_attribute(distinguished_name, OID_VENDOR_ID)
@@ -72,14 +83,8 @@ def parse_vid_pid_from_distinguished_name(distinguished_name):
     # Fallback method to get the VID/PID, encoded in CN as "Mvid:FFFF Mpid:1234"
     if vid is None and pid is None:
         cn = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier("2.5.4.3"))[0].value
-
-        vid_start = cn.find('Mvid:')
-        if vid_start != -1:
-            vid = int(cn[vid_start + 5:vid_start + 9], 16)
-
-        pid_start = cn.find('Mpid:')
-        if pid_start != -1:
-            pid = int(cn[pid_start + 5:pid_start + 9], 16)
+        vid = extract_single_attribute_from_cn(cn, 'Mvid:')
+        pid = extract_single_attribute_from_cn(cn, 'Mpid:')
 
     return vid, pid
 
From 63e3d9d72e916ed0efccee76f6c28d4ffe48a283 Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 27 May 2024 18:58:36 +0530
Subject: [PATCH 3/5] address review comments
---
 credentials/generate-revocation-set.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/credentials/generate-revocation-set.py b/credentials/generate-revocation-set.py
index 27211fade69ce9..0b10ec9fb7149d 100644
--- a/credentials/generate-revocation-set.py
+++ b/credentials/generate-revocation-set.py
@@ -32,6 +32,7 @@ from click_option_group import RequiredMutuallyExclusiveOptionGroup, optgroup
 from cryptography import x509
 from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.x509.oid import NameOID
 
 # Supported log levels, mapping string values required for argument
 # parsing into logging constants
@@ -64,13 +65,14 @@ def extract_single_integer_attribute(subject, oid):
     return None
 
 
-def extract_single_attribute_from_cn(cn, marker):
+def extract_fallback_tag_from_common_name(cn, marker):
     val_len = 4
     start_idx = cn.find(marker)
 
     if start_idx != -1:
         val_start_idx = start_idx + len(marker)
-        return int(cn[val_start_idx:val_start_idx + val_len], 16)
+        val = cn[val_start_idx:val_start_idx + val_len]
+        return int(val, 16) if len(val) == 4 else None
 
     return None
 
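Review bot: `return int(val, 16) if len(val) == 4 else None` in extract_fallback_tag_from_common_name re-states the literal that `val_len = 4` two lines earlier already names; comparing against the variable, `return int(val, 16) if len(val) == val_len else None`, keeps the slice width and the accepted width from drifting apart. `cn.find(marker)` also matches the tag anywhere in the CN rather than at a token boundary, so a constructed CN such as `XMvid:1234` would parse, and the first occurrence wins if the tag appears twice; whether either is acceptable depends on the exact grammar in spec 6.2.2.2. A short docstring on the helper stating the accepted form — the tag immediately followed by exactly four hex digits, None for anything else — would make that intent reviewable.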
@@ -82,9 +84,9 @@ def parse_vid_pid_from_distinguished_name(distinguished_name):
 
     # Fallback method to get the VID/PID, encoded in CN as "Mvid:FFFF Mpid:1234"
     if vid is None and pid is None:
-        cn = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier("2.5.4.3"))[0].value
-        vid = extract_single_attribute_from_cn(cn, 'Mvid:')
-        pid = extract_single_attribute_from_cn(cn, 'Mpid:')
+        cn = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier(NameOID.COMMON_NAME))[0].value
+        vid = extract_fallback_tag_from_common_name(cn, 'Mvid:')
+        pid = extract_fallback_tag_from_common_name(cn, 'Mpid:')
 
     return vid, pid
 
From 942142b8c9aeae8f467a5929724ea9b805dccc8a Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 27 May 2024 19:03:22 +0530
Subject: [PATCH 4/5] fix the usage of common name oid
---
 credentials/generate-revocation-set.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/credentials/generate-revocation-set.py b/credentials/generate-revocation-set.py
index 0b10ec9fb7149d..c4d9aff3d791d0 100644
--- a/credentials/generate-revocation-set.py
+++ b/credentials/generate-revocation-set.py
@@ -84,7 +84,7 @@ def parse_vid_pid_from_distinguished_name(distinguished_name):
 
     # Fallback method to get the VID/PID, encoded in CN as "Mvid:FFFF Mpid:1234"
     if vid is None and pid is None:
-        cn = distinguished_name.get_attributes_for_oid(x509.ObjectIdentifier(NameOID.COMMON_NAME))[0].value
+        cn = distinguished_name.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value
         vid = extract_fallback_tag_from_common_name(cn, 'Mvid:')
         pid = extract_fallback_tag_from_common_name(cn, 'Mpid:')
 
From 9d7c59d7d8094c16c1d7190296e4c3ed38b7736a Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 27 May 2024 19:06:35 +0530
Subject: [PATCH 5/5] fix the lint error
---
 credentials/generate-revocation-set.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/credentials/generate-revocation-set.py b/credentials/generate-revocation-set.py
index c4d9aff3d791d0..e0d0cb611fa072 100644
--- a/credentials/generate-revocation-set.py
+++ b/credentials/generate-revocation-set.py
@@ -84,7 +84,7 @@ def parse_vid_pid_from_distinguished_name(distinguished_name):
 
     # Fallback method to get the VID/PID, encoded in CN as "Mvid:FFFF Mpid:1234"
     if vid is None and pid is None:
-        cn = distinguished_name.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value
+        cn = distinguished_name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
         vid = extract_fallback_tag_from_common_name(cn, 'Mvid:')
         pid = extract_fallback_tag_from_common_name(cn, 'Mpid:')