Device Attestation (Modular) #9617

Merged

mleisner
Contributor

Problem

Working device attestation

Change overview

  • Added CertChainRequest and AttestationRequest commands to lighting-app ZAP script
  • Introduced CertChainRequest, CertChainResponse, AttestationRequest and AttestationResponse commands into operational-credentials-cluster.xml
  • Added the above commands' callbacks to operational-credentials-server.cpp
  • Introduced the Attestation Nonce buffer to CHIPDevice Class
  • Added Certificate Chain Request and Attestation Request Commands to CHIPDeviceController
  • Added global method to Server.cpp in order to retrieve Server's SecureSessionMgr (needed to retrieve Attestation Challenge)
  • Added support for DAC/PAI certificates in CHIPDevice

(Includes two files, src/credentials/DeviceAttestationConstructor.cpp and src/credentials/DeviceAttestationConstructor.h, which were in PR #9544.)

Testing

Tested Commissioning using chip-tool and lighting apps

Marty Leisner added 6 commits September 8, 2021 20:35
helpers

Moved CopySpantoMutableSpan into src/lib/support/Span.h as a general use
routine.

Added ExtractVIDFromX509Cert and ExtractAKIDFromX509Cert

Changed attestation data to equate with updated spec.

coauthor: restyled io
…p ZAP script

Introduced CertChainRequest, CertChainResponse, AttestationRequest and AttestationResponse commands into operational-credentials-cluster.xml

Added the above commands' callbacks to operational-credentials-server.cpp

Introduced the Attestation Nonce buffer to CHIPDevice Class

Added Certificate Chain Request and Attestation Request Commands to CHIPDeviceController

Added global method to Server.cpp in order to retrieve Server's SecureSessionMgr (needed to retrieve Attestation Challenge)

Added support for DAC/PAI certificates in CHIPDevice

Include files from the DA constructor PR
        src/credentials/DeviceAttestationConstructor.cpp
        src/credentials/DeviceAttestationConstructor.h
Changing naming convention for constants

simpler logic for context tags.

Eliminate boolean array indexed by tag and have boolean flags.

Removed vector for VendorReserved data and changed signature of helper
functions.

todo bot commented Sep 11, 2021

remove line below

    // TODO: remove line below
    Credentials::SetDeviceAttestationCredentialsProvider(Credentials::Examples::GetExampleDACProvider());
    Credentials::DeviceAttestationCredentialsProvider * dacProvider = Credentials::GetDeviceAttestationCredentialsProvider();
    VerifyOrExit(commandObj != nullptr, err = CHIP_ERROR_INCORRECT_STATE);
    SuccessOrExit(err = commandObj->PrepareCommand(cmdParams));
    writer = commandObj->GetCommandDataElementTLVWriter();
    if (certChainType == kDACCertificate)
    {
        SuccessOrExit(err = dacProvider->GetDeviceAttestationCert(derBufSpan));


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

remove line below

    // TODO: remove line below
    Credentials::SetDeviceAttestationCredentialsProvider(Credentials::Examples::GetExampleDACProvider());
    Credentials::DeviceAttestationCredentialsProvider * dacProvider = Credentials::GetDeviceAttestationCredentialsProvider();
    VerifyOrExit(commandObj != nullptr, err = CHIP_ERROR_INCORRECT_STATE);
    VerifyOrExit(attestationNonce.size() == 32, status = EMBER_ZCL_STATUS_FAILURE);
    {
        uint8_t certDeclBuf[512];
        MutableByteSpan certDeclSpan(certDeclBuf);


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Map error status to correct error code

    // TODO: Map error status to correct error code
    commissioner->OnSessionEstablishmentError(CHIP_ERROR_INTERNAL);
}
void DeviceCommissioner::OnCertificateChainResponse(void * context, ByteSpan certificate)
{
    ChipLogProgress(Controller, "Received certificate chain from the device");
    DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
    commissioner->mCertChainResponseCallback.Cancel();
    commissioner->mOnCertChainFailureCallback.Cancel();


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Map error status to correct error code

        // TODO: Map error status to correct error code
        commissioner->OnSessionEstablishmentError(CHIP_ERROR_INTERNAL);
    }
}
CHIP_ERROR DeviceCommissioner::ProcessCertificateChain(const ByteSpan & certificate)
{
    VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
    VerifyOrReturnError(mDeviceBeingPaired < kNumMaxActiveDevices, CHIP_ERROR_INCORRECT_STATE);
    Device * device = &mActiveDevices[mDeviceBeingPaired];


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Map error status to correct error code

    // TODO: Map error status to correct error code
    commissioner->OnSessionEstablishmentError(CHIP_ERROR_INTERNAL);
}
void DeviceCommissioner::OnAttestationResponse(void * context, chip::ByteSpan attestationElements, chip::ByteSpan signature)
{
    ChipLogProgress(Controller, "Received Attestation Information from the device");
    DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
    commissioner->mAttestationResponseCallback.Cancel();
    commissioner->mOnAttestationFailureCallback.Cancel();


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Map error status to correct error code

        // TODO: Map error status to correct error code
        commissioner->OnSessionEstablishmentError(CHIP_ERROR_INTERNAL);
    }
}
CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(chip::ByteSpan attestationElements, chip::ByteSpan signature)
{
    VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
    VerifyOrReturnError(mDeviceBeingPaired < kNumMaxActiveDevices, CHIP_ERROR_INCORRECT_STATE);
    Device * device = &mActiveDevices[mDeviceBeingPaired];


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Step g/h validate CertDeclaration

    // TODO: Step g/h validate CertDeclaration
    // TODO: Step i: validate firmware information
    ChipLogProgress(Controller, "Sending 'CSR request' command to the device.");
    CHIP_ERROR error = SendOperationalCertificateSigningRequestCommand(device);
    if (error != CHIP_NO_ERROR)
    {
        ChipLogError(Controller, "Failed in sending 'CSR request' command to the device: err %s", ErrorStr(error));
        OnSessionEstablishmentError(error);
        return error;
    }


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.


todo bot commented Sep 11, 2021

Step i: validate firmware information

    // TODO: Step i: validate firmware information
    ChipLogProgress(Controller, "Sending 'CSR request' command to the device.");
    CHIP_ERROR error = SendOperationalCertificateSigningRequestCommand(device);
    if (error != CHIP_NO_ERROR)
    {
        ChipLogError(Controller, "Failed in sending 'CSR request' command to the device: err %s", ErrorStr(error));
        OnSessionEstablishmentError(error);
        return error;
    }


This comment was generated by todo based on a TODO comment in 0e9dcf8 in #9617. cc @mleisner.

include generated zap files.

coauthor -- clang format
Marty Leisner added 2 commits September 23, 2021 15:22
…-comcast:mleisner/connectedhomeip into feature/device_attestation_complete
coauthor: restyle-io (clang-format)
@github-actions

Size increase report for "gn_qpg-example-build" from 4bafdcf

| File | Section | File size | VM size |
| --- | --- | --- | --- |
| chip-qpg6100-lighting-example.out | .text | 1524 | 1524 |


@github-actions

Size increase report for "nrfconnect-example-build" from 4bafdcf

| File | Section | File size | VM size |
| --- | --- | --- | --- |
| chip-lock.elf | text | 1356 | 1356 |
| chip-lock.elf | rodata | 200 | 200 |
| chip-lock.elf | device_handles | -12 | -12 |


@github-actions

Size increase report for "esp32-example-build" from 4bafdcf

| File | Section | File size | VM size |
| --- | --- | --- | --- |
| chip-all-clusters-app.elf | .flash.text | 1408 | 1408 |
| chip-all-clusters-app.elf | .flash.rodata | 216 | 216 |

