From 5d956b9065bb5e093084908289d9062e0cebed4f Mon Sep 17 00:00:00 2001
From: Cecille Freeman
Date: Thu, 31 Mar 2022 16:21:39 -0400
Subject: [PATCH] Pass all validataion parameters to GenerateNOCChain

This will let OperationalCredentialsIssuer impls validate the CSR before generating the NOC chain.
---
 src/controller/CHIPDeviceController.cpp | 8 ++++----
 src/controller/ExampleOperationalCredentialsIssuer.cpp | 9 +++++++--
 src/controller/ExampleOperationalCredentialsIssuer.h | 6 +++---
 src/controller/OperationalCredentialsDelegate.h | 9 ++++++---
 .../java/AndroidOperationalCredentialsIssuer.cpp | 7 ++++---
 .../java/AndroidOperationalCredentialsIssuer.h | 6 +++---
 src/controller/python/OpCredsBinding.cpp | 9 +++++----
 .../Framework/CHIP/CHIPOperationalCredentialsDelegate.h | 6 +++---
 .../Framework/CHIP/CHIPOperationalCredentialsDelegate.mm | 6 +++---
 9 files changed, 38 insertions(+), 28 deletions(-)
diff --git a/src/controller/CHIPDeviceController.cpp b/src/controller/CHIPDeviceController.cpp
index 6fd4982fc239f4..d6e9e89b3467f7 100644
--- a/src/controller/CHIPDeviceController.cpp
+++ b/src/controller/CHIPDeviceController.cpp
@@ -1100,8 +1100,8 @@ CHIP_ERROR DeviceCommissioner::ProcessCSR(DeviceProxy * proxy, const ByteSpan &
 ReturnErrorOnFailure(ExtractPubkeyFromX509Cert(dac, dacPubkey));
 // Retrieve attestation challenge
- // ByteSpan attestationChallenge =
- // proxy->GetSecureSession().Value()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge();
+ ByteSpan attestationChallenge =
+ proxy->GetSecureSession().Value()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge();
 mOperationalCredentialsDelegate->SetNodeIdForNextNOCRequest(proxy->GetDeviceId());
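Review bot: The newly enabled `proxy->GetSecureSession().Value()` dereferences the optional session without checking that one is present, so ProcessCSR would hit whatever `Value()` does on an empty optional (most likely an abort) if the session was released before the CSR response is processed. A guard just ahead of it, `VerifyOrReturnError(proxy->GetSecureSession().HasValue(), CHIP_ERROR_INCORRECT_STATE);`, turns that into an ordinary error return. The resulting `ByteSpan` appears to be a non-owning view into the session's crypto context, so it should be treated as valid only while that session is alive. ProcessCSR starts and ends outside this hunk.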
@@ -1110,8 +1110,8 @@ CHIP_ERROR DeviceCommissioner::ProcessCSR(DeviceProxy * proxy, const ByteSpan &
 mOperationalCredentialsDelegate->SetFabricIdForNextNOCRequest(mFabricInfo->GetFabricId());
 }
- return mOperationalCredentialsDelegate->GenerateNOCChain(NOCSRElements, AttestationSignature, dac, ByteSpan(), ByteSpan(),
- &mDeviceNOCChainCallback);
+ return mOperationalCredentialsDelegate->GenerateNOCChain(NOCSRElements, csrNonce, AttestationSignature, attestationChallenge,
+ dac, ByteSpan(), ByteSpan(), &mDeviceNOCChainCallback);
 }
 CHIP_ERROR DeviceCommissioner::SendOperationalCertificate(DeviceProxy * device, const ByteSpan & nocCertBuf,
diff --git a/src/controller/ExampleOperationalCredentialsIssuer.cpp b/src/controller/ExampleOperationalCredentialsIssuer.cpp
index 5271c71cb58882..616090e73fb631 100644
--- a/src/controller/ExampleOperationalCredentialsIssuer.cpp
+++ b/src/controller/ExampleOperationalCredentialsIssuer.cpp
@@ -176,12 +176,17 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 return NewNodeOperationalX509Cert(noc_request, pubkey, mIntermediateIssuer, noc);
 }
-CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements,
- const ByteSpan & attestationSignature, const ByteSpan & DAC,
+CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
+ const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC,
 const ByteSpan & PAI, const ByteSpan & PAA,
 Callback::Callback * onCompletion)
 {
 VerifyOrReturnError(mInitialized, CHIP_ERROR_INCORRECT_STATE);
+ // At this point, Credential issues may wish to validate the CSR information
+ (void) attestationChallenge;
+ (void) csrNonce;
+
 NodeId assignedId;
 if (mNodeIdRequested)
 {
diff --git a/src/controller/ExampleOperationalCredentialsIssuer.h b/src/controller/ExampleOperationalCredentialsIssuer.h
index 47b6392caecc94..9dd5f81806fc1d 100644
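Review bot: The two `(void)` casts in ExampleOperationalCredentialsIssuer::GenerateNOCChain mean the example issuer still goes on to issue a NOC without using `csrNonce` or `attestationChallenge`, and nothing in the visible lines verifies `attestationSignature` either. Unless the caller has already validated the CSR response, a replayed or substituted CSR would be signed. Because integrators tend to copy this class, the placeholder comment should state the obligation explicitly, for example `// TODO: before issuing, verify attestationSignature over csrElements and attestationChallenge, and check that the nonce inside csrElements equals csrNonce.` (this also replaces the "issues" typo for "issuers"). The Android and Darwin GenerateNOCChain definitions later in this patch accept the same new parameters, and their visible lines do not use them either. The function body continues outside the hunk.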
--- a/src/controller/ExampleOperationalCredentialsIssuer.h
+++ b/src/controller/ExampleOperationalCredentialsIssuer.h
@@ -55,9 +55,9 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
 ExampleOperationalCredentialsIssuer(uint32_t index = 0) { mIndex = index; }
 ~ExampleOperationalCredentialsIssuer() override {}
- CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & attestationSignature, const ByteSpan & DAC,
- const ByteSpan & PAI, const ByteSpan & PAA,
- Callback::Callback * onCompletion) override;
+ CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI,
+ const ByteSpan & PAA, Callback::Callback * onCompletion) override;
 void SetNodeIdForNextNOCRequest(NodeId nodeId) override
 {
diff --git a/src/controller/OperationalCredentialsDelegate.h b/src/controller/OperationalCredentialsDelegate.h
index ada16e5c48380e..9b73b16e029a20 100644
--- a/src/controller/OperationalCredentialsDelegate.h
+++ b/src/controller/OperationalCredentialsDelegate.h
@@ -51,8 +51,10 @@ class DLL_EXPORT OperationalCredentialsDelegate
 *
 * The delegate will call `onCompletion` when the NOC certificate chain is ready.
 *
- * @param[in] csrElements CSR elements as per specifications section 11.18.5.6. NOCSR Elements.
+ * @param[in] csrNonce CSR nonce as described in 6.4.6.1
 * @param[in] attestationSignature Attestation signature as per specifications section 11.22.7.6. CSRResponse Command.
+ * @param[in] attestationChallenge Attestation challenge as per 11.18.5.7
 * @param[in] DAC Device attestation certificate received from the device being commissioned
 * @param[in] PAI Product Attestation Intermediate certificate
 * @param[in] PAA Product Attestation Authority certificate
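Review bot: The doc comment in OperationalCredentialsDelegate.h names the two new parameters but does not tell implementers what they are expected to do with them or how long the spans remain valid. If the intent stated in the commit message holds, I would add a sentence saying that the delegate should verify `attestationSignature` against `csrElements` and `attestationChallenge` and check `csrNonce` before issuing. A second sentence should say that the `ByteSpan` arguments are to be treated as valid only for the duration of the call, so an implementation that completes later through `onCompletion` has to copy what it needs. The section references are also inconsistent (11.18.5.6 and 11.18.5.7 next to 11.22.7.6 on the unchanged attestationSignature line, plus a bare 6.4.6.1), which suggests they come from different spec revisions and should be aligned.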
@@ -60,8 +62,9 @@ class DLL_EXPORT OperationalCredentialsDelegate
 *
 * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
 */
- virtual CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & attestationSignature, const ByteSpan & DAC,
- const ByteSpan & PAI, const ByteSpan & PAA,
+ virtual CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
+ const ByteSpan & attestationSignature, const ByteSpan & attestationChallenge,
+ const ByteSpan & DAC, const ByteSpan & PAI, const ByteSpan & PAA,
 Callback::Callback * onCompletion) = 0;
 /**
diff --git a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
index 191dea78a50181..d139f05adba6c4 100644
--- a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
+++ b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
@@ -120,15 +120,16 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 return NewNodeOperationalX509Cert(noc_request, pubkey, mIssuer, noc);
 }
-CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements,
- const ByteSpan & attestationSignature, const ByteSpan & DAC,
+CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
+ const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC,
 const ByteSpan & PAI, const ByteSpan & PAA,
 Callback::Callback * onCompletion)
 {
 jmethodID method;
 CHIP_ERROR err = CHIP_NO_ERROR;
 err = JniReferences::GetInstance().FindMethod(JniReferences::GetInstance().GetEnvForCurrentThread(), mJavaObjectRef,
- "onOpCSRGenerationComplete", "([B)V", &method);
+ "onOpCSRGenerationComplete", "([B)V", &method);
 if (err != CHIP_NO_ERROR)
 {
 ChipLogError(Controller, "Error invoking onOpCSRGenerationComplete: %" CHIP_ERROR_FORMAT, err.Format());
diff --git a/src/controller/java/AndroidOperationalCredentialsIssuer.h b/src/controller/java/AndroidOperationalCredentialsIssuer.h
index b770f73833b38c..1020e301067b52 100644
--- a/src/controller/java/AndroidOperationalCredentialsIssuer.h
+++ b/src/controller/java/AndroidOperationalCredentialsIssuer.h
@@ -47,9 +47,9 @@ class DLL_EXPORT AndroidOperationalCredentialsIssuer : public OperationalCredent
 public:
 virtual ~AndroidOperationalCredentialsIssuer() {}
- CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & attestationSignature, const ByteSpan & DAC,
- const ByteSpan & PAI, const ByteSpan & PAA,
- Callback::Callback * onCompletion) override;
+ CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI,
+ const ByteSpan & PAA, Callback::Callback * onCompletion) override;
 void SetNodeIdForNextNOCRequest(NodeId nodeId) override
 {
diff --git a/src/controller/python/OpCredsBinding.cpp b/src/controller/python/OpCredsBinding.cpp
index 4a08a2a0402759..ebf4f9f6e28b13 100644
--- a/src/controller/python/OpCredsBinding.cpp
+++ b/src/controller/python/OpCredsBinding.cpp
@@ -78,11 +78,12 @@ class OperationalCredentialsAdapter : public OperationalCredentialsDelegate
 }
 private:
- CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & attestationSignature, const ByteSpan & DAC,
- const ByteSpan & PAI, const ByteSpan & PAA,
- Callback::Callback * onCompletion) override
+ CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI,
+ const ByteSpan & PAA, Callback::Callback * onCompletion) override
 {
- return mExampleOpCredsIssuer.GenerateNOCChain(csrElements, attestationSignature, DAC, PAI, PAA, onCompletion);
+ return mExampleOpCredsIssuer.GenerateNOCChain(csrElements, csrNonce, attestationSignature, attestationChallenge, DAC, PAI,
+ PAA, onCompletion);
 }
 void SetNodeIdForNextNOCRequest(NodeId nodeId) override { mExampleOpCredsIssuer.SetNodeIdForNextNOCRequest(nodeId); }
diff --git a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h
index 5846d0c5a2f24f..b6bbd4e71e86b0 100644
--- a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h
+++ b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h
@@ -46,9 +46,9 @@ class CHIPOperationalCredentialsDelegate : public chip::Controller::OperationalC
 */
 CHIP_ERROR init(CHIPPersistentStorageDelegateBridge * storage, ChipP256KeypairPtr nocSigner, NSData * _Nullable ipk);
- CHIP_ERROR GenerateNOCChain(const chip::ByteSpan & csrElements, const chip::ByteSpan & attestationSignature,
- const chip::ByteSpan & DAC, const chip::ByteSpan & PAI, const chip::ByteSpan & PAA,
- chip::Callback::Callback * onCompletion) override;
+ CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, const ByteSpan & attestationSignature,
+ const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI, const ByteSpan & PAA,
+ Callback::Callback * onCompletion) override;
 void SetNodeIdForNextNOCRequest(chip::NodeId nodeId) override
 {
diff --git a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
index 04a98ef2ea9b85..e5a229ee42b3d7 100644
--- a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
+++ b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
@@ -351,9 +351,9 @@ static BOOL isRunningTests(void)
 return NewNodeOperationalX509Cert(noc_request, pubkey, *mIssuerKey, noc);
 }
-CHIP_ERROR CHIPOperationalCredentialsDelegate::GenerateNOCChain(const chip::ByteSpan & csrElements,
- const chip::ByteSpan & attestationSignature, const chip::ByteSpan & DAC, const chip::ByteSpan & PAI, const chip::ByteSpan & PAA,
- chip::Callback::Callback * onCompletion)
+CHIP_ERROR CHIPOperationalCredentialsDelegate::GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
+ const ByteSpan & attestationSignature, const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI,
+ const ByteSpan & PAA, Callback::Callback * onCompletion)
 {
 chip::NodeId assignedId;
 if (mNodeIdRequested) {
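Review bot: The new declaration in CHIPOperationalCredentialsDelegate.h drops the `chip::` qualifier (`const ByteSpan &`, `Callback::Callback *`) while the context lines around it still spell `chip::NodeId` and `chip::Controller::...`. That suggests no `using namespace chip` is in scope here; if so, the unqualified names will not resolve and the Darwin build breaks. Keeping the file's convention avoids this: `const chip::ByteSpan & csrNonce`, `const chip::ByteSpan & attestationChallenge`, `chip::Callback::Callback * onCompletion`. The definition in CHIPOperationalCredentialsDelegate.mm (the following hunk) makes the same change next to a `chip::NodeId assignedId;` context line and needs the same fix.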