Implement CSR generation from first principles to support commissioners (#18631)

* Implement CSR generation from first principles to support commissioners

- When a commissioner is backing their key with OS or hardware support,
  the built-in P256Keypair::NewCertificateSigningRequest will not be
  usable since it relies on internal P256Keypair base class access to
  key state, as opposed to just using Pubkey() and ECDSA_sign_message
  primitives. This is OK on some embedded usecases that make use
  of P256Keypair backend directly, but not for many other usecases.
- On iOS/Darwin and on native Android, backing the P256Keypair *
  by derived classes is bridgeable to platform APIs, but those
  platform APIs do not offer easy/direct CSR generation, and on
  Darwin, there are not ASN.1 APIs anymore.
- If trying to make use of Darwin APIs introduced in #18519, there
  is no easy way to write code interfacing with an external CA to
  provide a CSR for a natively bridged keypair.

This PR adds a first-principle CSR generator, written and audited
by Google personel, using the ASN1Writer API already used in
CHIPCert.h and used by all Commissioner code making use of SDK
today. This is a straightforward implementation that directly
uses a P256Keypair * (or a derived class thereof!) to generate
a CSR against it, without depending on direct key access like
like the native version P256Keypair::NewCerticateSigningRequest
does.

This PR also fixes constness of operations on P256Keypair.

Issue #18444

Testing done:
- Added unit tests for the new primitive
- Validated generated CSR with OpenSSL
- Validated equivalence to generated CSR from P256Keypair, on
  both mbedTLS and OpenSSL
- Not used by CHIP-tool but usable by Darwin and Android framework
  users.

* Update src/crypto/CHIPCryptoPAL.h

Co-authored-by: Boris Zbarsky <[email protected]>

* Fix CI

* Restyled by clang-format

Co-authored-by: Boris Zbarsky <[email protected]>
Co-authored-by: Restyled.io <[email protected]>

Author: 3 people

src/crypto/BUILD.gn

@@ -70,6 +70,7 @@ static_library("crypto") {
 
   public_deps = [
     ":crypto_buildconfig",
+    "${chip_root}/src/lib/asn1",
     "${chip_root}/src/lib/core",
     "${nlassert_root}:nlassert",
   ]

src/crypto/CHIPCryptoPAL.cpp

@@ -21,6 +21,8 @@
  */
 
 #include "CHIPCryptoPAL.h"
+#include <lib/asn1/ASN1.h>
+#include <lib/asn1/ASN1Macros.h>
 #include <lib/core/CHIPEncoding.h>
 #include <lib/support/BufferReader.h>
 #include <lib/support/BufferWriter.h>
@@ -34,6 +36,8 @@ using chip::MutableByteSpan;
 using chip::Encoding::BufferWriter;
 using chip::Encoding::LittleEndian::Reader;
 
+using namespace chip::ASN1;
+
 namespace {
 
 constexpr uint8_t kIntegerTag         = 0x02u;
@@ -869,5 +873,186 @@ CHIP_ERROR ExtractVIDPIDFromAttributeString(DNAttrType attrType, const ByteSpan
     return CHIP_NO_ERROR;
 }
 
+// Generates the to-be-signed portion of a PKCS#10 CSR (`CertificationRequestInformation`)
+// that contains the
+static CHIP_ERROR GenerateCertificationRequestInformation(ASN1Writer & writer, const Crypto::P256PublicKey & pubkey)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    /**
+     *
+     *  CertificationRequestInfo ::=
+     *     SEQUENCE {
+     *        version       INTEGER { v1(0) } (v1,...),
+     *        subject       Name,
+     *        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+     *        attributes    [0] Attributes{{ CRIAttributes }}
+     * }
+     */
+    ASN1_START_SEQUENCE
+    {
+        ASN1_ENCODE_INTEGER(0); // version INTEGER { v1(0) }
+
+        // subject Name
+        ASN1_START_SEQUENCE
+        {
+            ASN1_START_SET
+            {
+                ASN1_START_SEQUENCE
+                {
+                    // Any subject, placeholder is good, since this
+                    // is going to usually be ignored
+                    ASN1_ENCODE_OBJECT_ID(kOID_AttributeType_OrganizationalUnitName);
+                    ASN1_ENCODE_STRING(kASN1UniversalTag_UTF8String, "CSA", static_cast<uint16_t>(strlen("CSA")));
+                }
+                ASN1_END_SEQUENCE;
+            }
+            ASN1_END_SET;
+        }
+        ASN1_END_SEQUENCE;
+
+        // subjectPKInfo
+        ASN1_START_SEQUENCE
+        {
+            ASN1_START_SEQUENCE
+            {
+                ASN1_ENCODE_OBJECT_ID(kOID_PubKeyAlgo_ECPublicKey);
+                ASN1_ENCODE_OBJECT_ID(kOID_EllipticCurve_prime256v1);
+            }
+            ASN1_END_SEQUENCE;
+            ReturnErrorOnFailure(writer.PutBitString(0, pubkey, static_cast<uint8_t>(pubkey.Length())));
+        }
+        ASN1_END_SEQUENCE;
+
+        // attributes [0]
+        ASN1_START_CONSTRUCTED(kASN1TagClass_ContextSpecific, 0)
+        {
+            // Using a plain empty attributes request
+            ASN1_START_SEQUENCE
+            {
+                ASN1_ENCODE_OBJECT_ID(kOID_Extension_CSRRequest);
+                ASN1_START_SET
+                {
+                    ASN1_START_SEQUENCE {}
+                    ASN1_END_SEQUENCE;
+                }
+                ASN1_END_SET;
+            }
+            ASN1_END_SEQUENCE;
+        }
+        ASN1_END_CONSTRUCTED;
+    }
+    ASN1_END_SEQUENCE;
+exit:
+    return err;
+}
+
+CHIP_ERROR GenerateCertificateSigningRequest(const P256Keypair * keypair, MutableByteSpan & csr_span)
+{
+    VerifyOrReturnError(keypair != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(csr_span.size() >= kMAX_CSR_Length, CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    // First pass: Generate the CertificatioRequestInformation inner
+    // encoding one time, to sign it, before re-generating it within the
+    // full ASN1 writer later, since it's easier than trying to
+    // figure-out the span we need to sign of the overall object.
+    P256ECDSASignature signature;
+
+    {
+        // The first pass will just generate a signature, so we can use the
+        // output buffer as scratch to avoid needing more stack space. There
+        // are no secrets here and the contents is not reused since all we
+        // need is the signature which is already separately stored.
+        ASN1Writer toBeSignedWriter;
+        toBeSignedWriter.Init(csr_span);
+        CHIP_ERROR err = GenerateCertificationRequestInformation(toBeSignedWriter, keypair->Pubkey());
+        ReturnErrorOnFailure(err);
+
+        size_t encodedLen = (uint16_t) toBeSignedWriter.GetLengthWritten();
+        // This should not/will not happen
+        if (encodedLen > csr_span.size())
+        {
+            return CHIP_ERROR_INTERNAL;
+        }
+
+        err = keypair->ECDSA_sign_msg(csr_span.data(), encodedLen, signature);
+        ReturnErrorOnFailure(err);
+    }
+
+    // Second pass: Generate the entire CSR body, restarting a new write
+    // of the CertificationRequestInformation (cheap) and adding the
+    // signature.
+    //
+    // See RFC2986 for ASN.1 module, repeated here in snippets
+    CHIP_ERROR err = CHIP_NO_ERROR;
+
+    ASN1Writer writer;
+    writer.Init(csr_span);
+
+    ASN1_START_SEQUENCE
+    {
+
+        /*  CertificationRequestInfo ::=
+         *     SEQUENCE {
+         *        version       INTEGER { v1(0) } (v1,...),
+         *        subject       Name,
+         *        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+         *        attributes    [0] Attributes{{ CRIAttributes }}
+         *     }
+         */
+        GenerateCertificationRequestInformation(writer, keypair->Pubkey());
+
+        // algorithm  AlgorithmIdentifier
+        ASN1_START_SEQUENCE
+        {
+            // See RFC5480 sec 2.1
+            ASN1_ENCODE_OBJECT_ID(kOID_SigAlgo_ECDSAWithSHA256);
+        }
+        ASN1_END_SEQUENCE;
+
+        // signature  BIT STRING --> ECDSA-with-SHA256 signature with P256 key with R,S integers format
+        // (see RFC3279 sec 2.2.3 ECDSA Signature Algorithm)
+        ASN1_START_BIT_STRING_ENCAPSULATED
+        {
+            // Convert raw signature to embedded signature
+            FixedByteSpan<Crypto::kP256_ECDSA_Signature_Length_Raw> rawSig(signature.Bytes());
+
+            uint8_t derInt[kP256_FE_Length + kEmitDerIntegerWithoutTagOverhead];
+
+            // Ecdsa-Sig-Value ::= SEQUENCE
+            ASN1_START_SEQUENCE
+            {
+                using P256IntegerSpan = FixedByteSpan<Crypto::kP256_FE_Length>;
+                // r INTEGER
+                {
+                    MutableByteSpan derIntSpan(derInt, sizeof(derInt));
+                    ReturnErrorOnFailure(ConvertIntegerRawToDerWithoutTag(P256IntegerSpan(rawSig.data()), derIntSpan));
+                    ReturnErrorOnFailure(writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false,
+                                                         derIntSpan.data(), static_cast<uint16_t>(derIntSpan.size())));
+                }
+
+                // s INTEGER
+                {
+                    MutableByteSpan derIntSpan(derInt, sizeof(derInt));
+                    ReturnErrorOnFailure(
+                        ConvertIntegerRawToDerWithoutTag(P256IntegerSpan(rawSig.data() + kP256_FE_Length), derIntSpan));
+                    ReturnErrorOnFailure(writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false,
+                                                         derIntSpan.data(), static_cast<uint16_t>(derIntSpan.size())));
+                }
+            }
+            ASN1_END_SEQUENCE;
+        }
+        ASN1_END_ENCAPSULATED;
+    }
+    ASN1_END_SEQUENCE;
+
+exit:
+    // Update size of output buffer on success
+    if (err == CHIP_NO_ERROR)
+    {
+        csr_span.reduce_size(writer.GetLengthWritten());
+    }
+    return err;
+}
+
 } // namespace Crypto
 } // namespace chip

src/crypto/CHIPCryptoPAL.h

@@ -322,7 +322,7 @@ class ECPKeypair
      *CSR.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    virtual CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) = 0;
+    virtual CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const = 0;
 
     /**
      * @brief A function to sign a msg using ECDSA
@@ -332,7 +332,7 @@ class ECPKeypair
      * in raw <r,s> point form (see SEC1).
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    virtual CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, Sig & out_signature) = 0;
+    virtual CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, Sig & out_signature) const = 0;
 
     /**
      * @brief A function to sign a hash using ECDSA
@@ -342,7 +342,7 @@ class ECPKeypair
      * in raw <r,s> point form (see SEC1).
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    virtual CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, Sig & out_signature) = 0;
+    virtual CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, Sig & out_signature) const = 0;
 
     /** @brief A function to derive a shared secret using ECDH
      * @param remote_public_key Public key of remote peer with which we are trying to establish secure channel. remote_public_key is
@@ -416,7 +416,7 @@ class P256Keypair : public P256KeypairBase
      *CSR.
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) override;
+    CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const override;
 
     /**
      * @brief A function to sign a msg using ECDSA
@@ -426,7 +426,7 @@ class P256Keypair : public P256KeypairBase
      * in raw <r,s> point form (see SEC1).
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) override;
+    CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) const override;
 
     /**
      * @brief A function to sign a hash using ECDSA
@@ -436,7 +436,7 @@ class P256Keypair : public P256KeypairBase
      * in raw <r,s> point form (see SEC1).
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) override;
+    CHIP_ERROR ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) const override;
 
     /**
      * @brief A function to derive a shared secret using ECDH
@@ -462,7 +462,7 @@ class P256Keypair : public P256KeypairBase
 
 private:
     P256PublicKey mPublicKey;
-    P256KeypairContext mKeypair;
+    mutable P256KeypairContext mKeypair;
     bool mInitialized = false;
 };
 
@@ -616,6 +616,27 @@ CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length,
                            const uint8_t * tag, size_t tag_length, const uint8_t * key, size_t key_length, const uint8_t * nonce,
                            size_t nonce_length, uint8_t * plaintext);
 
+/**
+ * @brief Generate a PKCS#10 CSR, usable for Matter, from a P256Keypair.
+ *
+ * This uses first principles ASN.1 encoding to avoid relying on the CHIPCryptoPAL backend
+ * itself, other than to provide an implementation of a P256Keypair * that supports
+ * at least `::Pubkey()` and `::ECDSA_sign_msg`. This allows using it with
+ * OS/Platform-bridged private key handling, without requiring a specific
+ * implementation of other bits like ASN.1.
+ *
+ * The CSR will have subject OU set to `CSA`. This is needed since omiting
+ * subject altogether often trips CSR parsing code. The profile at the CA can
+ * be configured to ignore CSR requested subject.
+ *
+ * @param keypair The key pair for which a CSR should be generated. Must not be null.
+ * @param csr_span Span to hold the resulting CSR. Must be at least kMAX_CSR_Length.  Otherwise returns CHIP_ERROR_BUFFER_TOO_SMALL.
+ *                 It will get resized to actual size needed on success.
+
+ * @return Returns a CHIP_ERROR from P256Keypair or ASN.1 backend on error, CHIP_NO_ERROR otherwise
+ **/
+CHIP_ERROR GenerateCertificateSigningRequest(const P256Keypair * keypair, MutableByteSpan & csr_span);
+
 /**
  * @brief Verify the Certificate Signing Request (CSR). If successfully verified, it outputs the public key from the CSR.
  * @param csr CSR in DER format

src/crypto/CHIPCryptoPALOpenSSL.cpp

@@ -609,7 +609,7 @@ static inline const EC_KEY * to_const_EC_KEY(const P256KeypairContext * context)
     return *SafePointerCast<const EC_KEY * const *>(context);
 }
 
-CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature) const
 {
     VerifyOrReturnError((msg != nullptr) && (msg_length > 0), CHIP_ERROR_INVALID_ARGUMENT);
 
@@ -620,7 +620,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
     return ECDSA_sign_hash(&digest[0], sizeof(digest), out_signature);
 }
 
-CHIP_ERROR P256Keypair::ECDSA_sign_hash(const uint8_t * hash, const size_t hash_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256Keypair::ECDSA_sign_hash(const uint8_t * hash, const size_t hash_length, P256ECDSASignature & out_signature) const
 {
     ERR_clear_error();
 
@@ -1110,7 +1110,7 @@ P256Keypair::~P256Keypair()
     Clear();
 }
 
-CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length)
+CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
 {
     ERR_clear_error();
     CHIP_ERROR error     = CHIP_NO_ERROR;

src/crypto/CHIPCryptoPALmbedTLS.cpp

@@ -503,7 +503,7 @@ static inline const mbedtls_ecp_keypair * to_const_keypair(const P256KeypairCont
     return SafePointerCast<const mbedtls_ecp_keypair *>(context);
 }
 
-CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature) const
 {
 #if defined(MBEDTLS_ECDSA_C)
     VerifyOrReturnError(mInitialized, CHIP_ERROR_INCORRECT_STATE);
@@ -519,7 +519,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
 #endif
 }
 
-CHIP_ERROR P256Keypair::ECDSA_sign_hash(const uint8_t * hash, const size_t hash_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256Keypair::ECDSA_sign_hash(const uint8_t * hash, const size_t hash_length, P256ECDSASignature & out_signature) const
 {
 #if defined(MBEDTLS_ECDSA_C)
     VerifyOrReturnError(mInitialized, CHIP_ERROR_INCORRECT_STATE);
@@ -812,7 +812,7 @@ P256Keypair::~P256Keypair()
     Clear();
 }
 
-CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length)
+CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
 {
     CHIP_ERROR error = CHIP_NO_ERROR;
 

src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp

@@ -121,7 +121,7 @@ CHIP_ERROR P256KeypairHSM::Initialize()
     return CHIP_NO_ERROR;
 }
 
-CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) const
 {
     CHIP_ERROR error                  = CHIP_ERROR_INTERNAL;
     sss_digest_t digest_ctx           = { 0 };
@@ -205,7 +205,7 @@ CHIP_ERROR P256KeypairHSM::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length
     return error;
 }
 
-CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature)
+CHIP_ERROR P256KeypairHSM::ECDSA_sign_hash(const uint8_t * hash, size_t hash_length, P256ECDSASignature & out_signature) const
 {
     CHIP_ERROR error                                         = CHIP_ERROR_INTERNAL;
     sss_asymmetric_t asymm_ctx                               = { 0 };
@@ -574,7 +574,7 @@ static void add_tlv(uint8_t * buf, size_t buf_index, uint8_t tag, size_t len, ui
  *
  */
 
-CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length)
+CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const
 {
     CHIP_ERROR error           = CHIP_ERROR_INTERNAL;
     sss_status_t status        = kStatus_SSS_Success;