- Constants
- Variables
- func HexStringToMatterSpecific(s string) (uint64, error)
- func IsMatterSpecificTag(tag uint8) bool
- func IsPrintableStringTag(tag uint8) bool
- func KeyPurposeToOID(kp KeyPurposeID) asn1.ObjectIdentifier
- func MarshalDN(dn DistinguishedName) ([]byte, error)
- func MarshalExtensions(ext Extensions) ([]byte, error)
- func MatterSpecificToHexString(value uint64, byteLen int) string
- func MatterToX509(cert *Certificate) ([]byte, error)
- func MatterToX509PEM(cert *Certificate) ([]byte, error)
- func OIDToTag(oid asn1.ObjectIdentifier) uint8
- func TagToOID(tag uint8) asn1.ObjectIdentifier
- func TimeToMatterEpoch(t time.Time) uint32
- type AuthorityKeyIDExt
- type BasicConstraints
- type Certificate
- func (c *Certificate) AuthorityKeyID() []byte
- func (c *Certificate) EncodeTLV() ([]byte, error)
- func (c *Certificate) FabricID() uint64
- func (c *Certificate) ICACID() uint64
- func (c *Certificate) IsCA() bool
- func (c *Certificate) NOCCATs() []uint32
- func (c *Certificate) NodeID() uint64
- func (c *Certificate) NotAfterTime() time.Time
- func (c *Certificate) NotBeforeTime() time.Time
- func (c *Certificate) RCACID() uint64
- func (c *Certificate) SubjectKeyID() []byte
- func (c *Certificate) Type() CertificateType
- func (c *Certificate) WriteTLV(w *tlv.Writer) error
- type CertificateType
- type DNAttribute
- func (d DNAttribute) BaseTag() uint8
- func (d DNAttribute) EncodeTLV(w *tlv.Writer) error
- func (d DNAttribute) IsMatterSpecific() bool
- func (d DNAttribute) IsPrintableString() bool
- func (d DNAttribute) IsString() bool
- func (d DNAttribute) IsUint64() bool
- func (d DNAttribute) MatterSpecificByteLength() int
- func (d DNAttribute) String() string
- func (d DNAttribute) StringValue() string
- func (d DNAttribute) Uint64Value() uint64
- type DistinguishedName
- func (dn DistinguishedName) EncodeTLV(w *tlv.Writer, tag tlv.Tag) error
- func (dn DistinguishedName) GetAllAttributes(baseTag uint8) []DNAttribute
- func (dn DistinguishedName) GetAttribute(baseTag uint8) *DNAttribute
- func (dn DistinguishedName) GetFabricID() uint64
- func (dn DistinguishedName) GetICACID() uint64
- func (dn DistinguishedName) GetNOCCATs() []uint32
- func (dn DistinguishedName) GetNodeID() uint64
- func (dn DistinguishedName) GetRCACID() uint64
- func (dn DistinguishedName) HasAttribute(baseTag uint8) bool
- func (dn DistinguishedName) String() string
- type EllipticCurveID
- type ExtendedKeyUsageExt
- type Extension
- type Extensions
- type FutureExtensionExt
- type KeyPurposeID
- type KeyUsage
- type KeyUsageExt
- type PublicKeyAlgo
- type SignatureAlgo
- type SubjectKeyIDExt
Constants ¶
// Certificate size limits from spec Section 6.1.3.
//
// Input should be checked against these before it is parsed;
// ErrCertificateTooLarge (declared with the parsing errors) is the
// sentinel for a certificate that exceeds MaxDERCertSize/MaxTLVCertSize.
const (
	// MaxDERCertSize is the maximum X.509 DER certificate size (600 bytes).
	MaxDERCertSize = 600
	// MaxTLVCertSize is the maximum Matter TLV certificate size (400 bytes).
	MaxTLVCertSize = 400
	// MaxSerialNumSize is the maximum serial number size (20 bytes).
	MaxSerialNumSize = 20
	// PublicKeySize is the uncompressed P-256 public key size (65 bytes).
	PublicKeySize = 65
	// SignatureSize is the raw ECDSA signature size (64 bytes = r || s).
	SignatureSize = 64
)
// Matter TLV context tags for certificate fields. Spec Section 6.5.2
//
// The tags are consecutive (1..11), so they are derived from iota. The
// numeric values are part of the wire format and must never be reordered.
const (
	TagSerialNum  uint8 = iota + 1 // 1
	TagSigAlgo                     // 2
	TagIssuer                      // 3
	TagNotBefore                   // 4
	TagNotAfter                    // 5
	TagSubject                     // 6
	TagPubKeyAlgo                  // 7
	TagECCurveID                   // 8
	TagECPubKey                    // 9
	TagExtensions                  // 10
	TagSignature                   // 11
)
// Matter TLV context tags for DN attributes. Spec Section 6.5.6.1, Table 85 and Table 86
//
// Tags 1-16 are the standard attributes (UTF8String in X.509); tags 17-23
// are the Matter-specific attributes carried as uint64. Adding
// TagDNPrintableStringOffset to a standard tag selects PrintableString
// encoding. The values are wire-format constants and are derived from iota
// only because they are consecutive; never reorder them.
const (
	// Standard DN attributes (UTF8String encoding in X.509)
	TagDNCommonName          uint8 = iota + 1 // 1
	TagDNSurname                              // 2
	TagDNSerialNum                            // 3
	TagDNCountryName                          // 4
	TagDNLocalityName                         // 5
	TagDNStateOrProvinceName                  // 6
	TagDNOrgName                              // 7
	TagDNOrgUnitName                          // 8
	TagDNTitle                                // 9
	TagDNName                                 // 10
	TagDNGivenName                            // 11
	TagDNInitials                             // 12
	TagDNGenQualifier                         // 13
	TagDNDNQualifier                          // 14
	TagDNPseudonym                            // 15
	TagDNDomainComponent                      // 16

	// Matter-specific DN attributes
	TagDNMatterNodeID            // 17
	TagDNMatterFirmwareSigningID // 18
	TagDNMatterICACID            // 19
	TagDNMatterRCACID            // 20
	TagDNMatterFabricID          // 21
	TagDNMatterNOCCAT            // 22
	TagDNMatterVVSID             // 23

	// PrintableString encoding offset (tag + 0x80)
	TagDNPrintableStringOffset uint8 = 0x80
)
// Matter TLV context tags for extensions. Spec Section 6.5.11, Table 90
//
// Consecutive wire-format values (1..6) derived from iota; do not reorder.
const (
	TagExtBasicConstraints uint8 = iota + 1 // 1
	TagExtKeyUsage                          // 2
	TagExtExtendedKeyUsage                  // 3
	TagExtSubjectKeyID                      // 4
	TagExtAuthorityKeyID                    // 5
	TagExtFutureExtension                   // 6
)
// Basic constraints structure tags. Spec Section 6.5.11.1
//
// Context tags inside the basic-constraints structure; wire-format values.
const (
	TagBasicConstraintsIsCA    uint8 = iota + 1 // 1
	TagBasicConstraintsPathLen                  // 2
)
Variables ¶
// Certificate parsing and encoding errors.
//
// These are sentinel errors; compare with errors.Is so that wrapped
// errors still match.
var (
	// ErrInvalidCertificate indicates a malformed certificate structure.
	ErrInvalidCertificate = errors.New("invalid certificate")
	// ErrInvalidSerialNumber indicates the serial number is invalid
	// (the allowed range is 1..MaxSerialNumSize bytes).
	ErrInvalidSerialNumber = errors.New("serial number must be 1-20 bytes")
	// ErrInvalidSignatureAlgo indicates an unsupported signature algorithm.
	ErrInvalidSignatureAlgo = errors.New("unsupported signature algorithm")
	// ErrInvalidPublicKeyAlgo indicates an unsupported public key algorithm.
	ErrInvalidPublicKeyAlgo = errors.New("unsupported public key algorithm")
	// ErrInvalidEllipticCurve indicates an unsupported elliptic curve.
	ErrInvalidEllipticCurve = errors.New("unsupported elliptic curve")
	// ErrInvalidPublicKey indicates the public key is malformed.
	ErrInvalidPublicKey = errors.New("invalid public key")
	// ErrInvalidSignature indicates the signature is malformed.
	ErrInvalidSignature = errors.New("invalid signature")
	// ErrInvalidDN indicates a malformed Distinguished Name.
	ErrInvalidDN = errors.New("invalid distinguished name")
	// ErrInvalidExtension indicates a malformed extension.
	ErrInvalidExtension = errors.New("invalid extension")
	// ErrMissingExtension indicates a required extension is missing.
	ErrMissingExtension = errors.New("missing required extension")
	// ErrInvalidKeyUsage indicates invalid key usage flags.
	ErrInvalidKeyUsage = errors.New("invalid key usage")
	// ErrInvalidTime indicates an invalid time value.
	ErrInvalidTime = errors.New("invalid time value")
	// ErrCertificateTooLarge indicates the certificate exceeds size limits
	// (MaxDERCertSize / MaxTLVCertSize).
	ErrCertificateTooLarge = errors.New("certificate exceeds maximum size")
	// ErrUnsupportedOID indicates an unsupported OID was encountered.
	ErrUnsupportedOID = errors.New("unsupported OID")
)
// Certificate validation errors.
//
// Reported when a structurally valid certificate violates the per-type
// rules (RCAC/ICAC/NOC) or the chain relationships. Sentinel values;
// compare with errors.Is.
var (
	// ErrInvalidCertType indicates the certificate type cannot be determined.
	ErrInvalidCertType = errors.New("cannot determine certificate type")
	// ErrMissingNodeID indicates a NOC is missing the matter-node-id attribute.
	ErrMissingNodeID = errors.New("NOC must have matter-node-id")
	// ErrMissingFabricID indicates a NOC is missing the matter-fabric-id attribute.
	ErrMissingFabricID = errors.New("NOC must have matter-fabric-id")
	// ErrMissingRCACID indicates an RCAC is missing the matter-rcac-id attribute.
	ErrMissingRCACID = errors.New("RCAC must have matter-rcac-id")
	// ErrMissingICACID indicates an ICAC is missing the matter-icac-id attribute.
	ErrMissingICACID = errors.New("ICAC must have matter-icac-id")
	// ErrInvalidNodeID indicates an invalid node ID value.
	ErrInvalidNodeID = errors.New("invalid node ID")
	// ErrInvalidFabricID indicates an invalid fabric ID value.
	ErrInvalidFabricID = errors.New("fabric ID must not be 0")
	// ErrTooManyDNAttributes indicates too many DN attributes.
	ErrTooManyDNAttributes = errors.New("DN must have at most 5 attributes")
	// ErrTooManyNOCCATs indicates too many CASE Authenticated Tags.
	ErrTooManyNOCCATs = errors.New("NOC must have at most 3 matter-noc-cat attributes")
	// ErrDuplicateNOCCAT indicates duplicate CAT identifiers.
	ErrDuplicateNOCCAT = errors.New("duplicate CAT identifier")
	// ErrForbiddenAttribute indicates a DN attribute that is not allowed.
	ErrForbiddenAttribute = errors.New("forbidden DN attribute for certificate type")
	// ErrBasicConstraintsMismatch indicates wrong basic constraints for cert type.
	ErrBasicConstraintsMismatch = errors.New("basic constraints mismatch for certificate type")
	// ErrKeyUsageMismatch indicates wrong key usage for certificate type.
	ErrKeyUsageMismatch = errors.New("key usage mismatch for certificate type")
	// ErrExtKeyUsageMismatch indicates wrong extended key usage for certificate type.
	ErrExtKeyUsageMismatch = errors.New("extended key usage mismatch for certificate type")
	// ErrMissingSubjectKeyID indicates missing subject key identifier.
	ErrMissingSubjectKeyID = errors.New("missing subject key identifier extension")
	// ErrMissingAuthorityKeyID indicates missing authority key identifier.
	ErrMissingAuthorityKeyID = errors.New("missing authority key identifier extension")
	// ErrSelfSignedMismatch indicates RCAC SKID doesn't match AKID.
	ErrSelfSignedMismatch = errors.New("RCAC subject key ID must match authority key ID")
	// ErrFabricIDMismatch indicates fabric IDs don't match in certificate chain.
	ErrFabricIDMismatch = errors.New("fabric ID mismatch in certificate chain")
)
// X.509 conversion errors.
//
// Reported by the X.509 <-> Matter TLV conversion functions
// (MatterToX509, X509ToMatter and their PEM variants). Sentinel values;
// compare with errors.Is.
var (
	// ErrX509ParseFailed indicates X.509 parsing failed.
	ErrX509ParseFailed = errors.New("failed to parse X.509 certificate")
	// ErrX509EncodeFailed indicates X.509 encoding failed.
	ErrX509EncodeFailed = errors.New("failed to encode X.509 certificate")
	// ErrUnsupportedX509Feature indicates an unsupported X.509 feature.
	ErrUnsupportedX509Feature = errors.New("unsupported X.509 feature")
	// ErrSignatureConversionFailed indicates signature format conversion
	// (raw r||s <-> ASN.1 DER) failed.
	ErrSignatureConversionFailed = errors.New("failed to convert signature format")
)
// Standard X.509 DN OIDs.
//
// TagToOID / OIDToTag map these to the TagDN* context tags.
var (
	OIDCommonName          = asn1.ObjectIdentifier{2, 5, 4, 3}
	OIDSurname             = asn1.ObjectIdentifier{2, 5, 4, 4}
	OIDSerialNumber        = asn1.ObjectIdentifier{2, 5, 4, 5}
	OIDCountryName         = asn1.ObjectIdentifier{2, 5, 4, 6}
	OIDLocalityName        = asn1.ObjectIdentifier{2, 5, 4, 7}
	OIDStateOrProvinceName = asn1.ObjectIdentifier{2, 5, 4, 8}
	OIDOrganizationName    = asn1.ObjectIdentifier{2, 5, 4, 10}
	OIDOrganizationalUnit  = asn1.ObjectIdentifier{2, 5, 4, 11}
	OIDTitle               = asn1.ObjectIdentifier{2, 5, 4, 12}
	OIDName                = asn1.ObjectIdentifier{2, 5, 4, 41}
	OIDGivenName           = asn1.ObjectIdentifier{2, 5, 4, 42}
	OIDInitials            = asn1.ObjectIdentifier{2, 5, 4, 43}
	OIDGenerationQualifier = asn1.ObjectIdentifier{2, 5, 4, 44}
	OIDDNQualifier         = asn1.ObjectIdentifier{2, 5, 4, 46}
	OIDPseudonym           = asn1.ObjectIdentifier{2, 5, 4, 65}
	// domainComponent lives under the pilot attribute arc rather than 2.5.4.
	OIDDomainComponent = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
)
// Matter-specific DN OIDs under the CSA private arc 1.3.6.1.4.1.37244. Spec Section 6.1.1, Table 83
//
// The 1.1..1.7 arc holds the operational-certificate attributes that
// correspond to TagDNMatter*; their values travel as uint64 in TLV and as
// hex strings in X.509 (see HexStringToMatterSpecific).
var (
	OIDMatterNodeID            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 1}
	OIDMatterFirmwareSigningID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 2}
	OIDMatterICACID            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 3}
	OIDMatterRCACID            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 4}
	OIDMatterFabricID          = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 5}
	OIDMatterNOCCAT            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 6}
	OIDMatterVVSID             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 1, 7}

	// Device Attestation OIDs (for VID/PID in DAC certificates)
	OIDMatterVendorID  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 2, 1}
	OIDMatterProductID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 2, 2}
)
// X.509 extension OIDs.
//
// One per supported extension type (see the TagExt* context tags).
var (
	OIDExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	OIDExtensionKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	OIDExtensionExtKeyUsage      = asn1.ObjectIdentifier{2, 5, 29, 37}
	OIDExtensionSubjectKeyID     = asn1.ObjectIdentifier{2, 5, 29, 14}
	OIDExtensionAuthorityKeyID   = asn1.ObjectIdentifier{2, 5, 29, 35}
)
// Extended key usage OIDs.
//
// These correspond one-to-one with the KeyPurpose* identifiers; the
// mapping is done by KeyPurposeToOID and OIDToKeyPurpose.
var (
	OIDExtKeyUsageServerAuth      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	OIDExtKeyUsageClientAuth      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	OIDExtKeyUsageCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
	OIDExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
	OIDExtKeyUsageTimeStamping    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
	OIDExtKeyUsageOCSPSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
)
// MatterEpochStart is the Matter epoch start time (2000-01-01 00:00:00 UTC).
//
// Certificate.NotBefore / NotAfter are uint32 seconds counted from this
// instant (see TimeToMatterEpoch). It is a package-level var, not a const,
// because time.Time has no constant form; callers must not reassign it.
var MatterEpochStart = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
// X.509 elliptic curve OIDs.
//
// Only P-256 (prime256v1) is defined, matching EllipticCurvePrime256v1.
var (
	OIDNamedCurvePrime256v1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
)
// X.509 public key algorithm OIDs.
//
// Only id-ecPublicKey is defined, matching PublicKeyAlgoEC.
var (
	OIDPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
)
// X.509 signature algorithm OIDs.
//
// Only ecdsa-with-SHA256 is defined, matching SignatureAlgoECDSASHA256.
var (
	OIDSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
)
Functions ¶
func HexStringToMatterSpecific ¶
HexStringToMatterSpecific parses a hex string from an X.509 certificate into a Matter-specific uint64 value. Spec Section 6.1.1
func IsMatterSpecificTag ¶
IsMatterSpecificTag returns true if the tag is for a Matter-specific DN attribute.
func IsPrintableStringTag ¶
IsPrintableStringTag returns true if the tag indicates PrintableString encoding.
func KeyPurposeToOID ¶
func KeyPurposeToOID(kp KeyPurposeID) asn1.ObjectIdentifier
KeyPurposeToOID returns the X.509 OID for a Matter key purpose ID.
func MarshalDN ¶
func MarshalDN(dn DistinguishedName) ([]byte, error)
MarshalDN encodes a DistinguishedName to standalone TLV bytes.
func MarshalExtensions ¶
func MarshalExtensions(ext Extensions) ([]byte, error)
MarshalExtensions encodes Extensions to standalone TLV bytes.
func MatterSpecificToHexString ¶
MatterSpecificToHexString converts a Matter-specific uint64 value to the hex string format used in X.509 certificates. Spec Section 6.1.1
func MatterToX509 ¶
func MatterToX509(cert *Certificate) ([]byte, error)
MatterToX509 converts a Matter TLV Certificate to X.509 DER format.
func MatterToX509PEM ¶
func MatterToX509PEM(cert *Certificate) ([]byte, error)
MatterToX509PEM converts a Matter TLV Certificate to PEM format.
func OIDToTag ¶
func OIDToTag(oid asn1.ObjectIdentifier) uint8
OIDToTag returns the Matter TLV tag for a given X.509 OID. Returns 0 if the OID is not recognized.
func TagToOID ¶
func TagToOID(tag uint8) asn1.ObjectIdentifier
TagToOID returns the X.509 OID for a given Matter TLV tag. Returns nil if the tag is not recognized.
func TimeToMatterEpoch ¶
TimeToMatterEpoch converts a Go time.Time to Matter epoch seconds.
Types ¶
type AuthorityKeyIDExt ¶
// AuthorityKeyIDExt represents the Authority Key Identifier extension. Spec Section 6.5.11.5
//
// The fixed-size array means a key identifier of any other length cannot
// be represented; for an RCAC the value must equal the certificate's own
// SubjectKeyIDExt (ErrSelfSignedMismatch otherwise).
type AuthorityKeyIDExt struct {
	KeyID [20]byte // SHA-1 hash of the issuer's public key
}
func (AuthorityKeyIDExt) ExtTag ¶
func (a AuthorityKeyIDExt) ExtTag() uint8
type BasicConstraints ¶
// BasicConstraints represents the Basic Constraints extension. Spec Section 6.5.11.1
//
// A nil PathLenConstraint means the field is absent. Whether IsCA agrees
// with the certificate type is checked separately (ErrBasicConstraintsMismatch).
type BasicConstraints struct {
	IsCA              bool
	PathLenConstraint *uint8 // Optional, only valid when IsCA is true
}
func DecodeBasicConstraints ¶
func DecodeBasicConstraints(r *tlv.Reader) (BasicConstraints, error)
DecodeBasicConstraints decodes a BasicConstraints from a TLV reader. The reader must be positioned at the structure element.
func (BasicConstraints) ExtTag ¶
func (b BasicConstraints) ExtTag() uint8
type Certificate ¶
// Certificate represents a Matter certificate in TLV format. Spec Section 6.5.2
//
// The bracketed number on each field is its TLV context tag (TagSerialNum
// and friends). Sizes quoted are the spec limits (MaxSerialNumSize,
// PublicKeySize, SignatureSize); the Err* sentinels declared in this
// package report violations.
type Certificate struct {
	SerialNum []byte            // [1] Serial number (1-20 bytes)
	SigAlgo   SignatureAlgo     // [2] Signature algorithm
	Issuer    DistinguishedName // [3] Issuer DN
	NotBefore uint32            // [4] Not before (epoch-s, seconds since MatterEpochStart)
	// NotAfter is 0 when the certificate has no expiration; NotAfterTime
	// then returns the zero time, so validity checks must special-case 0
	// rather than compare it numerically against the current time.
	NotAfter   uint32          // [5] Not after (epoch-s, 0 = no expiration)
	Subject    DistinguishedName // [6] Subject DN
	PubKeyAlgo PublicKeyAlgo     // [7] Public key algorithm
	ECCurveID  EllipticCurveID   // [8] Elliptic curve ID
	ECPubKey   []byte            // [9] EC public key (65 bytes uncompressed)
	Extensions Extensions        // [10] Extensions
	// Signature is the raw r || s form (SignatureSize bytes), not ASN.1 DER;
	// conversion to/from DER happens in the X.509 helpers.
	Signature []byte // [11] Signature (64 bytes = r || s)
}
func DecodeTLV ¶
func DecodeTLV(data []byte) (*Certificate, error)
DecodeTLV decodes a certificate from TLV bytes.
func ReadTLV ¶
func ReadTLV(r *tlv.Reader) (*Certificate, error)
ReadTLV reads a certificate from a TLV reader. The reader must be positioned at the structure element.
func X509PEMToMatter ¶
func X509PEMToMatter(pemData []byte) (*Certificate, error)
X509PEMToMatter converts a PEM-encoded X.509 certificate to a Matter TLV Certificate.
func X509ToMatter ¶
func X509ToMatter(der []byte) (*Certificate, error)
X509ToMatter converts an X.509 DER certificate to a Matter TLV Certificate.
func (*Certificate) AuthorityKeyID ¶
func (c *Certificate) AuthorityKeyID() []byte
AuthorityKeyID returns the authority key identifier, or nil if not present.
func (*Certificate) EncodeTLV ¶
func (c *Certificate) EncodeTLV() ([]byte, error)
EncodeTLV encodes the certificate to TLV bytes.
func (*Certificate) FabricID ¶
func (c *Certificate) FabricID() uint64
FabricID returns the fabric ID from the subject, or 0 if not present.
func (*Certificate) ICACID ¶
func (c *Certificate) ICACID() uint64
ICACID returns the ICAC ID from the subject, or 0 if not an ICAC.
func (*Certificate) IsCA ¶
func (c *Certificate) IsCA() bool
IsCA returns true if the certificate is a CA certificate.
func (*Certificate) NOCCATs ¶
func (c *Certificate) NOCCATs() []uint32
NOCCATs returns the CASE Authenticated Tags from the subject.
func (*Certificate) NodeID ¶
func (c *Certificate) NodeID() uint64
NodeID returns the node ID from the subject, or 0 if not a NOC.
func (*Certificate) NotAfterTime ¶
func (c *Certificate) NotAfterTime() time.Time
NotAfterTime returns the NotAfter time as a Go time.Time. Returns a zero time if NotAfter is 0 (no well-defined expiration).
func (*Certificate) NotBeforeTime ¶
func (c *Certificate) NotBeforeTime() time.Time
NotBeforeTime returns the NotBefore time as a Go time.Time.
func (*Certificate) RCACID ¶
func (c *Certificate) RCACID() uint64
RCACID returns the RCAC ID from the subject, or 0 if not an RCAC.
func (*Certificate) SubjectKeyID ¶
func (c *Certificate) SubjectKeyID() []byte
SubjectKeyID returns the subject key identifier, or nil if not present.
func (*Certificate) Type ¶
func (c *Certificate) Type() CertificateType
Type determines the certificate type based on the subject DN.
type CertificateType ¶
// CertificateType represents the type of Matter certificate.
//
// CertTypeUnknown is the zero value. Certificate.Type derives the type
// from the subject DN; ErrInvalidCertType (declared with the validation
// errors) indicates that it could not be determined.
type CertificateType int

const (
	CertTypeUnknown         CertificateType = iota
	CertTypeRCAC                            // Root CA Certificate
	CertTypeICAC                            // Intermediate CA Certificate
	CertTypeNOC                             // Node Operational Certificate
	CertTypeVVSC                            // Vendor Verification Signer Certificate
	CertTypeFirmwareSigning                 // Firmware Signing Certificate
)
func (CertificateType) String ¶
func (c CertificateType) String() string
type DNAttribute ¶
// DNAttribute represents a Distinguished Name attribute in a Matter certificate. For standard attributes (tags 1-16), Value is a string. For Matter-specific attributes (tags 17-23), Value is a uint64. Spec Section 6.5.6.1
//
// Use StringValue / Uint64Value rather than asserting on Value directly;
// they return "" / 0 when the dynamic type does not match.
type DNAttribute struct {
	// Tag is the TLV context tag. Standard attributes use 1-16 (UTF8String)
	// or base tag + TagDNPrintableStringOffset for PrintableString;
	// Matter-specific attributes use 17-23.
	// NOTE(review): 16 + 0x80 is 144, so the PrintableString range may be
	// 129-144 rather than 129-143 — confirm against Table 86.
	Tag   uint8       // Context tag (1-23 for UTF8, 129-143 for PrintableString)
	Value interface{} // string or uint64
}
func DecodeDNAttribute ¶
func DecodeDNAttribute(r *tlv.Reader) (DNAttribute, error)
DecodeDNAttribute decodes a single DN attribute from a TLV reader. The reader must be positioned at the element (after calling Next()).
func NewDNString ¶
func NewDNString(tag uint8, value string) DNAttribute
NewDNString creates a DN attribute with a string value.
func NewDNUint64 ¶
func NewDNUint64(tag uint8, value uint64) DNAttribute
NewDNUint64 creates a DN attribute with a uint64 value (for Matter-specific attributes).
func (DNAttribute) BaseTag ¶
func (d DNAttribute) BaseTag() uint8
BaseTag returns the base tag without the PrintableString offset.
func (DNAttribute) EncodeTLV ¶
func (d DNAttribute) EncodeTLV(w *tlv.Writer) error
EncodeTLV encodes the DN attribute to TLV bytes.
func (DNAttribute) IsMatterSpecific ¶
func (d DNAttribute) IsMatterSpecific() bool
IsMatterSpecific returns true if this is a Matter-specific attribute.
func (DNAttribute) IsPrintableString ¶
func (d DNAttribute) IsPrintableString() bool
IsPrintableString returns true if this attribute uses PrintableString encoding.
func (DNAttribute) IsString ¶
func (d DNAttribute) IsString() bool
IsString returns true if this is a string-valued attribute.
func (DNAttribute) IsUint64 ¶
func (d DNAttribute) IsUint64() bool
IsUint64 returns true if this is a uint64-valued attribute.
func (DNAttribute) MatterSpecificByteLength ¶
func (d DNAttribute) MatterSpecificByteLength() int
MatterSpecificByteLength returns the byte length for Matter-specific attributes. Spec Section 6.1.1, Table 83
func (DNAttribute) String ¶
func (d DNAttribute) String() string
String returns a human-readable representation of the DN attribute.
func (DNAttribute) StringValue ¶
func (d DNAttribute) StringValue() string
StringValue returns the string value, or empty string if not a string.
func (DNAttribute) Uint64Value ¶
func (d DNAttribute) Uint64Value() uint64
Uint64Value returns the uint64 value, or 0 if not a uint64.
type DistinguishedName ¶
// DistinguishedName represents a full Distinguished Name (list of attributes).
//
// Order is preserved as encoded. A DN may carry at most 5 attributes
// (ErrTooManyDNAttributes) and a NOC at most 3 matter-noc-cat attributes
// (ErrTooManyNOCCATs); GetAttribute returns the first match by base tag.
type DistinguishedName []DNAttribute
func DecodeDistinguishedName ¶
func DecodeDistinguishedName(r *tlv.Reader) (DistinguishedName, error)
DecodeDistinguishedName decodes a DN from a TLV reader. The reader must be positioned at the list element.
func UnmarshalDN ¶
func UnmarshalDN(data []byte) (DistinguishedName, error)
UnmarshalDN decodes a DistinguishedName from TLV bytes.
func (DistinguishedName) GetAllAttributes ¶
func (dn DistinguishedName) GetAllAttributes(baseTag uint8) []DNAttribute
GetAllAttributes returns all attributes with the given base tag.
func (DistinguishedName) GetAttribute ¶
func (dn DistinguishedName) GetAttribute(baseTag uint8) *DNAttribute
GetAttribute returns the first attribute with the given base tag, or nil if not found.
func (DistinguishedName) GetFabricID ¶
func (dn DistinguishedName) GetFabricID() uint64
GetFabricID returns the matter-fabric-id value, or 0 if not present.
func (DistinguishedName) GetICACID ¶
func (dn DistinguishedName) GetICACID() uint64
GetICACID returns the matter-icac-id value, or 0 if not present.
func (DistinguishedName) GetNOCCATs ¶
func (dn DistinguishedName) GetNOCCATs() []uint32
GetNOCCATs returns all matter-noc-cat values.
func (DistinguishedName) GetNodeID ¶
func (dn DistinguishedName) GetNodeID() uint64
GetNodeID returns the matter-node-id value, or 0 if not present.
func (DistinguishedName) GetRCACID ¶
func (dn DistinguishedName) GetRCACID() uint64
GetRCACID returns the matter-rcac-id value, or 0 if not present.
func (DistinguishedName) HasAttribute ¶
func (dn DistinguishedName) HasAttribute(baseTag uint8) bool
HasAttribute returns true if the DN contains an attribute with the given base tag.
func (DistinguishedName) String ¶
func (dn DistinguishedName) String() string
String returns a human-readable representation of the DN.
type EllipticCurveID ¶
// EllipticCurveID represents the elliptic curve used in Matter certificates. Spec Section 6.5.9
//
// The zero value is EllipticCurveUnknown and is rejected
// (ErrInvalidEllipticCurve); only P-256 is accepted.
type EllipticCurveID uint8

const (
	// EllipticCurveUnknown is an unknown or invalid elliptic curve.
	EllipticCurveUnknown EllipticCurveID = 0
	// EllipticCurvePrime256v1 is the NIST P-256 curve (the only supported curve).
	EllipticCurvePrime256v1 EllipticCurveID = 1
)
func (EllipticCurveID) String ¶
func (e EllipticCurveID) String() string
type ExtendedKeyUsageExt ¶
// ExtendedKeyUsageExt represents the Extended Key Usage extension. Spec Section 6.5.11.3
//
// KeyPurposes keeps the encoded order. Whether the set fits the
// certificate type is checked separately (ErrExtKeyUsageMismatch).
type ExtendedKeyUsageExt struct {
	KeyPurposes []KeyPurposeID
}
func DecodeExtendedKeyUsage ¶
func DecodeExtendedKeyUsage(r *tlv.Reader) (ExtendedKeyUsageExt, error)
DecodeExtendedKeyUsage decodes an ExtendedKeyUsageExt from a TLV reader. The reader must be positioned at the array element.
func (ExtendedKeyUsageExt) ExtTag ¶
func (e ExtendedKeyUsageExt) ExtTag() uint8
type Extension ¶
// Extension represents a certificate extension in Matter TLV format. Spec Section 6.5.11
//
// Implemented by BasicConstraints, KeyUsageExt, ExtendedKeyUsageExt,
// SubjectKeyIDExt, AuthorityKeyIDExt and FutureExtensionExt; ExtTag
// returns one of the TagExt* constants.
type Extension interface {
	// ExtTag returns the Matter TLV context tag for this extension.
	ExtTag() uint8
	// EncodeTLV writes the extension value to the TLV writer.
	EncodeTLV(w *tlv.Writer) error
}
type Extensions ¶
// Extensions represents the list of extensions in a Matter certificate.
//
// A nil pointer field means the extension is absent; which extensions are
// required depends on the certificate type (ErrMissingExtension,
// ErrMissingSubjectKeyID, ErrMissingAuthorityKeyID). FutureExtensions
// carries any extension this package does not model, as raw bytes.
type Extensions struct {
	BasicConstraints *BasicConstraints
	KeyUsage         *KeyUsageExt
	ExtendedKeyUsage *ExtendedKeyUsageExt
	SubjectKeyID     *SubjectKeyIDExt
	AuthorityKeyID   *AuthorityKeyIDExt
	FutureExtensions []FutureExtensionExt
}
func DecodeExtensions ¶
func DecodeExtensions(r *tlv.Reader) (Extensions, error)
DecodeExtensions decodes an Extensions from a TLV reader. The reader must be positioned at the list element.
func UnmarshalExtensions ¶
func UnmarshalExtensions(data []byte) (Extensions, error)
UnmarshalExtensions decodes Extensions from TLV bytes.
type FutureExtensionExt ¶
// FutureExtensionExt represents a future/unknown extension. Spec Section 6.5.11.6
//
// Data is the complete DER Extension (OID, optional critical flag, value),
// carried opaquely. NOTE(review): nothing on this page shows the critical
// flag being inspected, so a verifier that must reject unknown critical
// extensions has to parse Data itself — confirm against the decoder.
type FutureExtensionExt struct {
	Data []byte // Raw DER-encoded extension (including OID)
}
func (FutureExtensionExt) ExtTag ¶
func (f FutureExtensionExt) ExtTag() uint8
type KeyPurposeID ¶
// KeyPurposeID represents extended key usage purpose identifiers. Spec Section 6.5.11.3
//
// KeyPurposeUnknown is the zero value; the remaining identifiers are
// numbered consecutively from 1 and correspond to the OIDExtKeyUsage*
// OIDs via KeyPurposeToOID / OIDToKeyPurpose. The values are wire-format
// constants; do not reorder.
type KeyPurposeID uint8

const (
	KeyPurposeUnknown         KeyPurposeID = iota // 0
	KeyPurposeServerAuth                          // 1
	KeyPurposeClientAuth                          // 2
	KeyPurposeCodeSigning                         // 3
	KeyPurposeEmailProtection                     // 4
	KeyPurposeTimeStamping                        // 5
	KeyPurposeOCSPSigning                         // 6
)
func OIDToKeyPurpose ¶
func OIDToKeyPurpose(oid asn1.ObjectIdentifier) KeyPurposeID
OIDToKeyPurpose returns the Matter key purpose ID for an X.509 OID.
func (KeyPurposeID) String ¶
func (k KeyPurposeID) String() string
type KeyUsage ¶
// KeyUsage represents the key usage extension flags. Spec Section 6.5.11.2
//
// Each flag is a single bit, in the same order as the X.509 KeyUsage
// BIT STRING (RFC 5280 Section 4.2.1.3): bit 0 is digitalSignature and
// bit 8 is decipherOnly. Combine flags with bitwise OR and test them with
// bitwise AND. The values are wire-format constants; do not reorder.
type KeyUsage uint16

const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota // 0x0001
	KeyUsageNonRepudiation                        // 0x0002
	KeyUsageKeyEncipherment                       // 0x0004
	KeyUsageDataEncipherment                      // 0x0008
	KeyUsageKeyAgreement                          // 0x0010
	KeyUsageKeyCertSign                           // 0x0020
	KeyUsageCRLSign                               // 0x0040
	KeyUsageEncipherOnly                          // 0x0080
	KeyUsageDecipherOnly                          // 0x0100
)
type KeyUsageExt ¶
// KeyUsageExt represents the Key Usage extension. Spec Section 6.5.11.2
//
// Usage is a bit set of KeyUsage* flags. Whether it fits the certificate
// type is checked separately (ErrKeyUsageMismatch); malformed flags are
// reported as ErrInvalidKeyUsage.
type KeyUsageExt struct {
	Usage KeyUsage
}
func (KeyUsageExt) ExtTag ¶
func (k KeyUsageExt) ExtTag() uint8
type PublicKeyAlgo ¶
// PublicKeyAlgo represents the public key algorithm used in Matter certificates. Spec Section 6.5.8
//
// The zero value is PublicKeyAlgoUnknown and is rejected
// (ErrInvalidPublicKeyAlgo); only EC keys are accepted.
type PublicKeyAlgo uint8

const (
	// PublicKeyAlgoUnknown is an unknown or invalid public key algorithm.
	PublicKeyAlgoUnknown PublicKeyAlgo = 0
	// PublicKeyAlgoEC is Elliptic Curve public key (the only supported algorithm).
	PublicKeyAlgoEC PublicKeyAlgo = 1
)
func (PublicKeyAlgo) String ¶
func (p PublicKeyAlgo) String() string
type SignatureAlgo ¶
// SignatureAlgo represents the signature algorithm used in Matter certificates. Spec Section 6.5.5
//
// The zero value is SignatureAlgoUnknown and is rejected
// (ErrInvalidSignatureAlgo); only ECDSA with SHA-256 is accepted, which
// pins the signature to SignatureSize raw bytes.
type SignatureAlgo uint8

const (
	// SignatureAlgoUnknown is an unknown or invalid signature algorithm.
	SignatureAlgoUnknown SignatureAlgo = 0
	// SignatureAlgoECDSASHA256 is ECDSA with SHA-256 (the only supported algorithm).
	SignatureAlgoECDSASHA256 SignatureAlgo = 1
)
func (SignatureAlgo) String ¶
func (s SignatureAlgo) String() string
type SubjectKeyIDExt ¶
// SubjectKeyIDExt represents the Subject Key Identifier extension. Spec Section 6.5.11.4
//
// The fixed-size array means a key identifier of any other length cannot
// be represented. A chain is linked by matching a child's AuthorityKeyIDExt
// against the issuer's SubjectKeyIDExt; for an RCAC the two must be equal
// (ErrSelfSignedMismatch).
type SubjectKeyIDExt struct {
	KeyID [20]byte // SHA-1 hash of the public key
}
func (SubjectKeyIDExt) ExtTag ¶
func (s SubjectKeyIDExt) ExtTag() uint8