[tcat][tcat_ble_client] Add TCAT Commissioner / Device certs for Thread certification testing #10211
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… with Thread cert testing; added scripts for example certificate generation; README files updated. [tcat_ble_client] remove hostname use in BBTC - use of hostnames is not specified for TCAT. [src/tcat] fixes in Thread-specific X509v3 extension parsing; unit test extended for this.
|
FYI @canisLupus1313 with this PR, I can run TCAT in simulation using the Thread certs as defined by the test plan. |
Size Report of OpenThread
|
tools/tcat_ble_client/auth-generate/create-cert-tcat-commissioner.sh
Outdated
Show resolved
Hide resolved
|
@EskoDijk Overall looks good. |
abtink
approved these changes
May 10, 2024
|
@abtink @canisLupus1313 Thanks! I've updated with your suggestions and applied |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…disconnect TLV upon exit of commissioner per spec.
| ) | ||
| logger.info(f"Certificates and key loaded from '{args.cert_path}'") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
| for cert in cc: | ||
| logger.info(f' cert info:\n{cert.get_info()}') | ||
| peer_cert_der_hex = utils.base64_string(cert.public_bytes(_ssl.ENCODING_DER)) | ||
| logger.info(f' base64: (paste in https://lapo.it/asn1js/ to decode)\n{peer_cert_der_hex}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
| logger.info(f' cert info:\n{cert.get_info()}') | ||
| peer_cert_der_hex = utils.base64_string(cert.public_bytes(_ssl.ENCODING_DER)) | ||
| logger.info(f' base64: (paste in https://lapo.it/asn1js/ to decode)\n{peer_cert_der_hex}') | ||
| logger.info(f'TCAT Commissioner cert, PEM:\n{self.cert}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
canisLupus1313
approved these changes
Jun 3, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Also with the BBTC Commissioner tool, adds scripts for example certificate generation; documentation updated to reflect this.
In [tcat_ble_client] it removse hostname use in BBTC - use of hostnames is not specified for TCAT.
In [src/tcat] it fixes Thread-specific X509v3 extension parsing; unit test extended for this.
The purpose of this change is to allow use of the BBTC client directly in TCAT cert testing. This requires X509 certificate identities that are based on the Thread Group internal test CA. The included private keys can be exposed - all for testing purposes.
The present generated certificates still use SKI/AKI extensions - this may be removed possibly later on in another PR, if analysis shows that these are not needed/required for TCAT use cases.
This PR partly addresses the issue #10196 - it at least prints a warning message when the TCAT Commissioner cert had an error in processing, and it attempts to close the TLS connection. (To be verified later on if the closing actually works in the sense that the Commissioner receives the TLS alert / close-notify.) This avoids at least that during manual testing the connection looks "ok" but was silently rejected by the TCAT Device.
No CLANG/"Pretty" has been applied yet to the new code.