da_revocation: align the revocation set generation algorithm with spec changes #36225
base: master
Review changes with SemanticDiff. Analyzed 1 of 1 files. Overall, the semantic diff is 19% smaller than the GitHub diff.
PR #36225: Size comparison from 75d7e6b to 7b138c4 Full report (44 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, nrfconnect, psoc6, qpg, stm32, telink, tizen)
PR #36225: Size comparison from 75d7e6b to c4a854b Full report (68 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
PR #36225: Size comparison from 75d7e6b to 1bb607c Increases above 0.2%:
Full report (68 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
logging.warning("VID in CRL Signer Certificate does not match with VID in revocation point, continue...") | ||
return False | ||
else: | ||
if crl_signer_vid is None or revocation_point["vid"] != crl_signer_vid: |
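Review bot: The condition on the last line, `crl_signer_vid is None or revocation_point["vid"] != crl_signer_vid`, folds "the certificate carries no VID" and "the VID differs" into one failure path, and the warning above it names neither value. Log the revocation point VID and the certificate VID (or that it is absent) so a rejected revocation point can be triaged from the log alone. The message also ends in "continue..." while the next line is `return False`; wording such as "skipping this revocation point" would match what the code does.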
If the CRL signer is a delegate then it is not required to have the vid or pid (see [11.23.9.6. CRLSignerCertificate]). So in the case of a delegated CRL signer this will incorrectly return False. Instead, check for a CRLSignerDelegator, and then it is that certificate that contains the matching vid and pid (if present).
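The false rejection described in the comment above, as an added example that is not code from this PR or from the project. It assumes VID/PID have already been extracted from each certificate and that chain validation between delegator and signer happens elsewhere; `CertIds`, the function names, the `pid` key and the sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertIds:
    """VID/PID already extracted from a certificate subject (None = absent)."""
    vid: Optional[int] = None
    pid: Optional[int] = None


def signer_only_check(point: dict, signer: CertIds) -> bool:
    """Mirrors the condition in the diff: the signer itself must carry the VID."""
    return signer.vid is not None and point["vid"] == signer.vid


def ids_match(point: dict, cert: CertIds) -> bool:
    """VID is required and must match the revocation point."""
    if cert.vid is None or cert.vid != point["vid"]:
        return False
    # Assumption: PID is compared only when the certificate carries one.
    return cert.pid is None or cert.pid == point.get("pid")


def delegator_aware_check(point: dict, signer: CertIds,
                          delegator: Optional[CertIds]) -> bool:
    """With a delegator present, the delegator is the cert that must match."""
    return ids_match(point, delegator if delegator is not None else signer)


# Constructed sample data, not taken from DCL.
POINT = {"vid": 0xFFF1, "pid": 0x8000}
DELEGATED_SIGNER = CertIds()                 # delegate without VID/PID
DELEGATOR = CertIds(vid=0xFFF1, pid=0x8000)  # cert that delegated CRL signing
OTHER_VENDOR = CertIds(vid=0xFFF2)

if __name__ == "__main__":
    # The signer-only check rejects a valid delegated signer.
    print("signer-only:", signer_only_check(POINT, DELEGATED_SIGNER))
    print("delegator-aware:",
          delegator_aware_check(POINT, DELEGATED_SIGNER, DELEGATOR))
    # A delegator from another vendor is still rejected.
    print("wrong vendor:",
          delegator_aware_check(POINT, DELEGATED_SIGNER, OTHER_VENDOR))
```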
@@ -172,30 +271,51 @@ def get_revocation_points(self) -> list[dict]: | |||
|
|||
return response["PkiRevocationDistributionPoint"] | |||
|
|||
def get_paa_cert_for_crl_issuer(self, crl_signer_issuer_name_b64, crl_signer_authority_key_id) -> str: |
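Review bot: The new signature on the last line annotates the return (`-> str`) but neither `crl_signer_issuer_name_b64` nor `crl_signer_authority_key_id`, and only the issuer name's encoding can be read off its `_b64` suffix. Annotate both parameters and state in a docstring what form the authority key id is expected in, since a format mismatch in a key-id comparison fails silently as "not found". If the lookup can come back empty, the return type should be `Optional[str]` so callers have to handle the miss.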
Doesn't this get the issuer of the CRL signer and not necessarily the PAA certificate?
There have been some updates to the revocation set generation algorithm in https://github.com/CHIP-Specifications/connectedhomeip-spec/issues/10308.
Add some helper functions to interact with certificates.
Tests
Locally tested