[TECH-58] X.509 Certificate Parsing Utilities

[christianknab]

• Extract Subject Key Identifier (SKID)
• Extract Authority Key Identifier (AKID)
• Extract public key (P-256)
• Extract Matter Vendor ID extension (OID 1.3.6.1.4.1.37244.2.1)
• Extract Matter Product ID extension (OID 1.3.6.1.4.1.37244.2.2)
• Certificate validity period checking
• Unit tests with real DAC/PAI/PAA certificates

[CLAassistant]

All committers have signed the CLA.

[gemini-code-assist]

Summary of Changes

Hello @christianknab, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the rs-matter project by integrating a dedicated, efficient X.509 certificate parsing utility. This new module allows for the secure and resource-friendly extraction of critical attestation data, such as key identifiers, public keys, and Matter-specific vendor/product IDs, directly from DER-encoded certificates. The addition of validity period checks further strengthens the certificate handling capabilities, ensuring that only valid certificates are processed.

Highlights

• X.509 Certificate Parsing: Introduced a new zero-copy, no-allocation parser for DER-encoded X.509 certificates, specifically designed for Matter-specific data extraction.
• Key Identifier Extraction: Added functionality to extract Subject Key Identifier (SKID) and Authority Key Identifier (AKID) from X.509 certificates.
• Public Key Extraction: Implemented extraction of the P-256 uncompressed public key from certificates.
• Matter-Specific OID Extraction: Enabled extraction of Matter Vendor ID (OID 1.3.6.1.4.1.37244.2.1) and Matter Product ID (OID 1.3.6.1.4.1.37244.2.2) from the Subject DN.
• Certificate Validity Checking: Provided utilities for checking the validity period of certificates (NotBefore and NotAfter times) against a given Unix epoch timestamp.
• Comprehensive Unit Tests: Included extensive unit tests using real DAC, PAI, and PAA certificates to ensure the parsing logic is robust and accurate.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• rs-matter/src/cert.rs
  • Exposed the new x509 module for certificate parsing utilities.
• rs-matter/src/cert/x509.rs
  • Introduced a new module containing a zero-copy X.509 DER certificate parser.
  • Added methods for extracting Subject Key Identifier (SKID), Authority Key Identifier (AKID), and P-256 public keys.
  • Implemented functionality to extract Matter Vendor ID and Product ID from certificate Subject DNs.
  • Included functions for parsing certificate validity periods (NotBefore, NotAfter) and checking certificate validity.
  • Provided comprehensive unit tests using real Matter PAA, PAI, and DAC certificates.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request introduces a new module for X.509 DER certificate parsing, specifically designed for Matter-specific data extraction. The new module x509.rs provides zero-copy and no-alloc parsing for SKID, AKID, public key, Matter Vendor ID, Matter Product ID, and validity periods. The changes also include unit tests for the new functionality using real certificate data. The code appears well-structured and follows good practices for embedded systems by avoiding allocations. I've identified a few areas for improvement regarding error handling and potential optimizations in the DerReader.

[github-actions]

PR #378: Size comparison from bb6782a to 79742a3

Full report (8 builds for (core), dimmable-light, onoff-light, onoff-light-bt, speaker)

platform	target	config	section	bb6782a	79742a3	change	% change
(core)	riscv32imac-unknown-none-elf	infodefmt-optz-ltofat	FLASH	378314	378318	4	0.0
			RAM	64712	64712	0	0.0
	thumbv6m-none-eabi	infodefmt-optz-ltofat	FLASH	317912	317880	-32	-0.0
			RAM	61248	61248	0	0.0
	thumbv7em-none-eabi	infodefmt-optz-ltofat	FLASH	291340	291348	8	0.0
			RAM	60740	60728	-12	-0.0
	x86_64-unknown-linux-gnu	infologs-optz-ltofat	FLASH	811111	811111	0	0.0
			RAM	64400	64400	0	0.0
dimmable-light	x86_64-unknown-linux-gnu	infologs-optz-ltofat	FLASH	1873128	1872856	-272	-0.0
			RAM	46584	46584	0	0.0
onoff-light	x86_64-unknown-linux-gnu	infologs-optz-ltofat	FLASH	1799840	1799552	-288	-0.0
			RAM	46576	46576	0	0.0
onoff-light-bt	x86_64-unknown-linux-gnu	infologs-optz-ltofat	FLASH	3111184	3110840	-344	-0.0
			RAM	9304	9304	0	0.0
speaker	x86_64-unknown-linux-gnu	infologs-optz-ltofat	FLASH	800864	800640	-224	-0.0
			RAM	2832	2832	0	0.0