-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[tcat][tcat_ble_client] Add TCAT Commissioner / Device certs for Thread certification testing #10211
base: main
Are you sure you want to change the base?
Conversation
… with Thread cert testing; added scripts for example certificate generation; README files updated. [tcat_ble_client] remove hostname use in BBTC - use of hostnames is not specified for TCAT. [src/tcat] fixes in Thread-specific X509v3 extension parsing; unit test extended for this.
FYI @canisLupus1313 with this PR, I can run TCAT in simulation using the Thread certs as defined by the test plan. |
Size Report of OpenThread
|
tools/tcat_ble_client/auth-generate/create-cert-tcat-commissioner.sh
Outdated
Show resolved
Hide resolved
@EskoDijk Overall looks good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks.
Some smaller style suggestions below.
@abtink @canisLupus1313 Thanks! I've updated with your suggestions and applied |
…disconnect TLV upon exit of commissioner per spec.
) | ||
logger.info(f"Certificates and key loaded from '{args.cert_path}'") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (certificate)
for cert in cc: | ||
logger.info(f' cert info:\n{cert.get_info()}') | ||
peer_cert_der_hex = utils.base64_string(cert.public_bytes(_ssl.ENCODING_DER)) | ||
logger.info(f' base64: (paste in https://lapo.it/asn1js/ to decode)\n{peer_cert_der_hex}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (certificate)
logger.info(f' cert info:\n{cert.get_info()}') | ||
peer_cert_der_hex = utils.base64_string(cert.public_bytes(_ssl.ENCODING_DER)) | ||
logger.info(f' base64: (paste in https://lapo.it/asn1js/ to decode)\n{peer_cert_der_hex}') | ||
logger.info(f'TCAT Commissioner cert, PEM:\n{self.cert}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (certificate)
This expression logs
sensitive data (certificate)
This expression logs
Also with the BBTC Commissioner tool, adds scripts for example certificate generation; documentation updated to reflect this.
In [tcat_ble_client] it removse hostname use in BBTC - use of hostnames is not specified for TCAT.
In [src/tcat] it fixes Thread-specific X509v3 extension parsing; unit test extended for this.
The purpose of this change is to allow use of the BBTC client directly in TCAT cert testing. This requires X509 certificate identities that are based on the Thread Group internal test CA. The included private keys can be exposed - all for testing purposes.
The present generated certificates still use SKI/AKI extensions - this may be removed possibly later on in another PR, if analysis shows that these are not needed/required for TCAT use cases.
This PR partly addresses the issue #10196 - it at least prints a warning message when the TCAT Commissioner cert had an error in processing, and it attempts to close the TLS connection. (To be verified later on if the closing actually works in the sense that the Commissioner receives the TLS alert / close-notify.) This avoids at least that during manual testing the connection looks "ok" but was silently rejected by the TCAT Device.
No CLANG/"Pretty" has been applied yet to the new code.