[nrf toup][crypto] Add define to enable x509 usage

config/nrfconnect/chip-module/CMakeLists.txt

@@ -161,6 +161,7 @@ matter_add_gn_arg_bool  ("chip_enable_read_client"                CONFIG_CHIP_EN
 matter_add_gn_arg_bool  ("chip_mdns_minimal"                      CONFIG_WIFI_NRF70)
 matter_add_gn_arg_bool  ("chip_mdns_platform"                     CONFIG_OPENTHREAD)
 matter_add_gn_arg_bool  ("enable_im_pretty_print"                 CONFIG_CHIP_IM_PRETTY_PRINT)
+matter_add_gn_arg_bool  ("chip_crypto_use_x509"                   CONFIG_CHIP_CRYPTO_USE_X509)
 
 matter_add_gn_arg_bool  ("chip_system_config_use_sockets"                   NOT CONFIG_CHIP_USE_OPENTHREAD_ENDPOINT)
 matter_add_gn_arg_bool  ("chip_system_config_use_openthread_inet_endpoints" CONFIG_CHIP_USE_OPENTHREAD_ENDPOINT)

config/nrfconnect/chip-module/Kconfig

@@ -493,4 +493,11 @@ config CHIP_IM_PRETTY_PRINT
 	  Request). This option helps in debugging and development of message exchanges within the Matter
 	  protocol.
 
+config CHIP_CRYPTO_USE_X509
+	bool "X.509 certificate support"
+	default n if CHIP_CRYPTO_PSA
+	default y if MBEDTLS_X509_LIBRARY # We still need it to be enabled if we use mbedTLS as the crypto backend
+	help
+	  Enables X.509 certificate support for Matter.
+
 endif # CHIP

src/crypto/BUILD.gn

@@ -75,6 +75,7 @@ buildconfig_header("crypto_buildconfig") {
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
     "CHIP_CRYPTO_TRUSTY_OS=${chip_with_trusty_os}",
+    "CHIP_CRYPTO_USE_X509=${chip_crypto_use_x509}",
   ]
 }
 

src/crypto/CHIPCryptoPALmbedTLS.cpp

@@ -784,7 +784,7 @@ P256Keypair::~P256Keypair()
 
 CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
 {
-#if defined(MBEDTLS_X509_CSR_WRITE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     int result       = 0;
     size_t out_length;
@@ -835,7 +835,7 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t &
 #else
     ChipLogError(Crypto, "MBEDTLS_X509_CSR_WRITE_C is not enabled. CSR cannot be created");
     return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
-#endif
+#endif // CHIP_CRYPTO_USE_X509
 }
 
 typedef struct Spake2p_Context

src/crypto/CHIPCryptoPALmbedTLSCert.cpp

@@ -33,16 +33,16 @@
 #include <mbedtls/x509.h>
 #include <mbedtls/x509_csr.h>
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 #include <mbedtls/x509_crt.h>
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
 namespace chip {
 namespace Crypto {
 
 CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_length, P256PublicKey & pubkey)
 {
-#if defined(MBEDTLS_X509_CSR_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     ReturnErrorOnFailure(VerifyCertificateSigningRequestFormat(csr_buf, csr_length));
 
     // TODO: For some embedded targets, mbedTLS library doesn't have mbedtls_x509_csr_parse_der, and mbedtls_x509_csr_parse_free.
@@ -103,7 +103,7 @@ CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_l
 
 namespace {
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 bool IsTimeGreaterThanEqual(const mbedtls_x509_time * const timeA, const mbedtls_x509_time * const timeB)
 {
 
@@ -181,13 +181,13 @@ constexpr uint8_t sOID_Extension_CRLDistributionPoint[]   = { 0x55, 0x1D, 0x1F }
      (sizeof(oid) == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) &&                                                                \
      (memcmp((oid), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(p), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) == 0))
 
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
 } // anonymous namespace
 
 CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, AttestationCertType certType)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     int result       = 0;
     mbedtls_x509_crt mbed_cert;
@@ -349,7 +349,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation
     (void) cert;
     (void) certType;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
@@ -358,7 +358,7 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
                                     size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen,
                                     CertificateChainValidationResult & result)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     mbedtls_x509_crt certChain;
     mbedtls_x509_crt rootCert;
@@ -425,14 +425,14 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
     (void) leafCertificateLen;
     (void) result;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & candidateCertificate, const ByteSpan & issuerCertificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     mbedtls_x509_crt mbedCandidateCertificate;
     mbedtls_x509_crt mbedIssuerCertificate;
@@ -463,14 +463,14 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & candidateCertificate, c
     (void) candidateCertificate;
     (void) issuerCertificate;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR IsCertificateValidAtCurrentTime(const ByteSpan & certificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     mbedtls_x509_crt mbedCertificate;
     int result;
@@ -497,14 +497,14 @@ CHIP_ERROR IsCertificateValidAtCurrentTime(const ByteSpan & certificate)
 #else
     (void) certificate;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256PublicKey & pubkey)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     mbedtls_x509_crt mbed_cert;
     mbedtls_ecp_keypair * keypair = nullptr;
@@ -536,7 +536,7 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
     (void) certificate;
     (void) pubkey;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
@@ -545,7 +545,7 @@ namespace {
 
 CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate, MutableByteSpan & kid)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
     mbedtls_x509_crt mbed_cert;
     unsigned char * p         = nullptr;
@@ -622,7 +622,7 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate
     (void) certificate;
     (void) kid;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
@@ -641,7 +641,7 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 
 CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
     mbedtls_x509_crt mbed_cert;
     unsigned char * p         = nullptr;
@@ -761,14 +761,14 @@ CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certifica
     (void) certificate;
     (void) cdpurl;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR ExtractCDPExtensionCRLIssuerFromX509Cert(const ByteSpan & certificate, MutableByteSpan & crlIssuer)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
     mbedtls_x509_crt mbed_cert;
     unsigned char * p         = nullptr;
@@ -877,14 +877,14 @@ CHIP_ERROR ExtractCDPExtensionCRLIssuerFromX509Cert(const ByteSpan & certificate
     (void) certificate;
     (void) crlIssuer;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     int result       = 0;
     uint8_t * p      = nullptr;
@@ -911,14 +911,14 @@ CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, Mutable
     (void) certificate;
     (void) serialNumber;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCertVidPid & vidpid)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     mbedtls_x509_crt mbed_cert;
     mbedtls_asn1_named_data * dnIterator = nullptr;
@@ -967,15 +967,15 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe
     (void) certificate;
     (void) vidpid;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
 
 namespace {
 CHIP_ERROR ExtractRawDNFromX509Cert(bool extractSubject, const ByteSpan & certificate, MutableByteSpan & dn)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     CHIP_ERROR error = CHIP_NO_ERROR;
     int result       = 0;
     uint8_t * p      = nullptr;
@@ -1011,7 +1011,7 @@ CHIP_ERROR ExtractRawDNFromX509Cert(bool extractSubject, const ByteSpan & certif
     (void) certificate;
     (void) dn;
     CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 
     return error;
 }
@@ -1030,7 +1030,7 @@ CHIP_ERROR ExtractIssuerFromX509Cert(const ByteSpan & certificate, MutableByteSp
 CHIP_ERROR ReplaceCertIfResignedCertFound(const ByteSpan & referenceCertificate, const ByteSpan * candidateCertificates,
                                           size_t candidateCertificatesCount, ByteSpan & outCertificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
     uint8_t referenceSubjectBuf[kMaxCertificateDistinguishedNameLength];
     uint8_t referenceSKIDBuf[kSubjectKeyIdentifierLength];
     MutableByteSpan referenceSubject(referenceSubjectBuf);
@@ -1068,7 +1068,7 @@ CHIP_ERROR ReplaceCertIfResignedCertFound(const ByteSpan & referenceCertificate,
     (void) candidateCertificatesCount;
     (void) outCertificate;
     return CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 }
 
 } // namespace Crypto

src/crypto/crypto.gni

@@ -35,6 +35,11 @@ declare_args() {
   # Trusty TEE, please refer the website listed below:
   # https://source.android.com/docs/security/features/trusty
   chip_with_trusty_os = false
+
+  # Enable support for x509 certificates.
+  # Disable this argument to reduce the code footprint if your device does not
+  # need to manage the x509 certificates.
+  chip_crypto_use_x509 = true
 }
 
 assert(

src/test_driver/nrfconnect/prj.conf

@@ -94,3 +94,6 @@ CONFIG_CHIP_FACTORY_RESET_ERASE_SETTINGS=n
 # Use default ICD poll intervals to keep compatibility with tests
 CONFIG_CHIP_ICD_SLOW_POLL_INTERVAL=5000
 CONFIG_CHIP_ICD_FAST_POLLING_INTERVAL=200
+
+# Enable X.509 certificate support
+CONFIG_CHIP_CRYPTO_USE_X509=y