-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce fail-safe compliant Operational Cert storage #19643
Merged
andy31415
merged 3 commits into
project-chip:master
from
tcarmelveilleux:add-cert-trust-store
Jun 16, 2022
Merged
Introduce fail-safe compliant Operational Cert storage #19643
andy31415
merged 3 commits into
project-chip:master
from
tcarmelveilleux:add-cert-trust-store
Jun 16, 2022
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- This PR is an intermediate fully unit-tested step towards replacing all NOC/ICAC/RCAC storage from Fabric-Table to allow spec-compliant fail-safe implementation - Right now, we have hacky code in opcreds cluster server and in FabricTable to attempt to affect fail-safe properly. It doesn't actually work and prevents the TrustedRootCertificates, NOCs and Fabrics attributes from being implemented properly, and prevents UpdateNOC from being implemented to spec Issue project-chip#18633 Issue project-chip#17208 Issue project-chip#15585 This PR implements an operational cert storage interface and provides an implementation based on exact storage from existing FabricTable for backwards compatibility. Its usage in FabricTable and via opcreds cluster is a follow-up. Testing done: - Added large-scale new code unit test - Unit tests pass - Not hooked-up to device software yet, so just the unit tests need to pass
pullapprove
bot
requested review from
andy31415,
anush-apple,
arkq,
Byungjoo-Lee,
bzbarsky-apple,
carol-apple,
chrisdecenzo,
chshu,
chulspro,
Damian-Nordic,
dhrishi,
electrocucaracha,
emargolis,
franck-apple,
gjc13,
harimau-qirex,
hawk248,
harsha-rajendran,
isiu-apple,
jelderton,
jepenven-silabs,
jmartinez-silabs,
jtung-apple,
kghost,
kpschoedel,
lazarkov,
LuDuda and
mlepage-google
June 15, 2022 21:03
pullapprove
bot
requested review from
msandstedt,
rgoliver,
sagar-apple,
saurabhst,
selissia,
tecimovic,
tehampson,
turon,
vijs,
vivien-apple,
wbschiller,
woody-apple,
xylophone21 and
yunhanw-google
June 15, 2022 21:03
PR #19643: Size comparison from be878d3 to d8c92de Increases (1 build for telink)
Decreases (1 build for telink)
Full report (41 builds for cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
|
PR #19643: Size comparison from be878d3 to 386392a Increases (1 build for telink)
Decreases (2 builds for esp32, telink)
Full report (41 builds for cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
|
woody-apple
approved these changes
Jun 16, 2022
andy31415
approved these changes
Jun 16, 2022
* return CHIP_ERROR_INCORRECT_STATE since it is illegal in this implementation to store an | ||
* NOC chain without associated root. | ||
* | ||
* NOTE: The Matter spec allows AddNOC without AddTrustedRootCertificate if the NOC |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm.. Our AddNOC impl right now definitely does not handle this right. Is there an issue tracking that?
tcarmelveilleux
added a commit
to tcarmelveilleux/connectedhomeip
that referenced
this pull request
Jun 21, 2022
- After PR project-chip#19643 was merge, @bzbarsky-apple had several minor editorial comments. - This PR applies the comments from project-chip#19643 (review) Testing: - Unit tests still pass - No integration yet, so unit tests passing is enough
woody-apple
pushed a commit
that referenced
this pull request
Jun 22, 2022
* Follow-up minor changes to OpCertStore - After PR #19643 was merge, @bzbarsky-apple had several minor editorial comments. - This PR applies the comments from #19643 (review) Testing: - Unit tests still pass - No integration yet, so unit tests passing is enough * Restyled by clang-format * Fix grammar Co-authored-by: Restyled.io <commits@restyled.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
all NOC/ICAC/RCAC storage from Fabric-Table to allow spec-compliant
fail-safe implementation
to attempt to affect fail-safe properly. It doesn't actually work and
prevents the TrustedRootCertificates, NOCs and Fabrics attributes from
being implemented properly, and prevents UpdateNOC from being implemented
to spec
Issue #18633
Issue #17208
Issue #15585
Change overview
This PR implements an operational cert storage interface and provides
an implementation based on exact storage from existing FabricTable
for backwards compatibility. Its usage in FabricTable and via
opcreds cluster is a follow-up.
Testing
Testing done: