Skip to content

Commit

Permalink
chip-tool now builds the core as a static library (chip-tool-utils)
Browse files Browse the repository at this point in the history
Added set of pure virtual methods PKI-related to Commands class

Added example implementation of Matter’s example PKI

Added DAC to GenerateNOCChain method call

Added GenerateNOCSR method to OperationalCredentialsDelegate class so every PKI-vendor can override the nonce generation to follow a custom set of rules. Random example added.
  • Loading branch information
Marty Leisner committed Oct 13, 2021
1 parent cc8aaf0 commit dafba69
Show file tree
Hide file tree
Showing 9 changed files with 114 additions and 26 deletions.
41 changes: 32 additions & 9 deletions examples/chip-tool/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,19 @@ declare_args() {
config_pair_with_random_id = true
}

executable("chip-tool") {
config("config") {
include_dirs = [
".",
"${chip_root}/zzz_generated/chip-tool",
]

defines = [
"CONFIG_USE_SEPARATE_EVENTLOOP=${config_use_separate_eventloop}",
"CONFIG_PAIR_WITH_RANDOM_ID=${config_pair_with_random_id}",
]
}

static_library("chip-tool-utils") {
sources = [
"commands/clusters/ModelCommand.cpp",
"commands/common/Command.cpp",
Expand All @@ -43,15 +55,29 @@ executable("chip-tool") {
"commands/reporting/ReportingCommand.cpp",
"commands/tests/TestCommand.cpp",
"config/PersistentStorage.cpp",
"main.cpp",
]

defines = [
"CONFIG_USE_SEPARATE_EVENTLOOP=${config_use_separate_eventloop}",
"CONFIG_PAIR_WITH_RANDOM_ID=${config_pair_with_random_id}",
deps = [
"${chip_root}/src/controller/data_model",
"${chip_root}/src/lib",
"${chip_root}/src/platform",
"${chip_root}/third_party/inipp",
]

cflags = [ "-Wconversion" ]

public_configs = [ ":config" ]

output_dir = root_out_dir
}

executable("chip-tool") {
sources = [
"main.cpp",
]

deps = [
":chip-tool-utils",
"${chip_root}/src/controller/data_model",
"${chip_root}/src/lib",
"${chip_root}/src/platform",
Expand All @@ -60,10 +86,7 @@ executable("chip-tool") {

cflags = [ "-Wconversion" ]

include_dirs = [
".",
"${chip_root}/zzz_generated/chip-tool",
]
public_configs = [ ":config" ]

output_dir = root_out_dir
}
4 changes: 2 additions & 2 deletions examples/chip-tool/commands/common/Command.h
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

#pragma once

#include "controller/ExampleOperationalCredentialsIssuer.h"
#include "controller/OperationalCredentialsDelegate.h"
#include <controller/CHIPDeviceController.h>
#include <inet/InetInterface.h>
#include <lib/support/Span.h>
Expand Down Expand Up @@ -100,7 +100,7 @@ class Command
struct ExecutionContext
{
ChipDeviceCommissioner * commissioner;
chip::Controller::ExampleOperationalCredentialsIssuer * opCredsIssuer;
chip::Controller::OperationalCredentialsDelegate * opCredsIssuer;
PersistentStorage * storage;
chip::NodeId localId;
chip::NodeId remoteId;
Expand Down
16 changes: 6 additions & 10 deletions examples/chip-tool/commands/common/Commands.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,6 @@
#endif

#include <controller/CHIPDeviceControllerFactory.h>
#include <credentials/DeviceAttestationCredsProvider.h>
#include <credentials/DeviceAttestationVerifier.h>
#include <credentials/examples/DeviceAttestationCredsExample.h>
#include <credentials/examples/DeviceAttestationVerifierExample.h>
#include <lib/support/CHIPMem.h>
#include <lib/support/CodeUtils.h>
#include <lib/support/ScopedBuffer.h>
Expand Down Expand Up @@ -80,15 +76,15 @@ int Commands::Run(int argc, char ** argv)
factoryInitParams.storageDelegate = &mStorage;
factoryInitParams.listenPort = mStorage.GetListenPort();

err = mOpCredsIssuer.Initialize(mStorage);
err = InitializeCredentialsIssuer(mStorage);
VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Init failure! Operational Cred Issuer: %s", chip::ErrorStr(err)));

commissionerParams.operationalCredentialsDelegate = &mOpCredsIssuer;
commissionerParams.operationalCredentialsDelegate = GetCredentialIssuer();

VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Init failure! Commissioner: %s", chip::ErrorStr(err)));

chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());
chip::Credentials::SetDeviceAttestationVerifier(chip::Credentials::Examples::GetExampleDACVerifier());
err = SetupDeviceAttestation();
VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Init failure! Device Attestation Setup: %s", chip::ErrorStr(err)));

VerifyOrExit(rcac.Alloc(chip::Controller::kMaxCHIPDERCertLength), err = CHIP_ERROR_NO_MEMORY);
VerifyOrExit(noc.Alloc(chip::Controller::kMaxCHIPDERCertLength), err = CHIP_ERROR_NO_MEMORY);
Expand All @@ -105,7 +101,7 @@ int Commands::Run(int argc, char ** argv)
// TODO - OpCreds should only be generated for pairing command
// store the credentials in persistent storage, and
// generate when not available in the storage.
err = mOpCredsIssuer.GenerateNOCChainAfterValidation(localId, 0, ephemeralKey.Pubkey(), rcacSpan, icacSpan, nocSpan);
err = GenerateControllerNOCChain(localId, 0, ephemeralKey, rcacSpan, icacSpan, nocSpan);
SuccessOrExit(err);

commissionerParams.ephemeralKeypair = &ephemeralKey;
Expand Down Expand Up @@ -229,7 +225,7 @@ CHIP_ERROR Commands::RunCommand(NodeId localId, NodeId remoteId, int argc, char
Command::ExecutionContext execContext;

execContext.commissioner = &mController;
execContext.opCredsIssuer = &mOpCredsIssuer;
execContext.opCredsIssuer = GetCredentialIssuer();
execContext.storage = &mStorage;
execContext.localId = localId;
execContext.remoteId = remoteId;
Expand Down
14 changes: 12 additions & 2 deletions examples/chip-tool/commands/common/Commands.h
Original file line number Diff line number Diff line change
Expand Up @@ -20,18 +20,22 @@

#include "../../config/PersistentStorage.h"
#include "Command.h"
#include <controller/ExampleOperationalCredentialsIssuer.h>
#include <controller/OperationalCredentialsDelegate.h>
#include <crypto/CHIPCryptoPAL.h>
#include <map>

class Commands
{
public:
using NodeId = ::chip::NodeId;
using FabricId = ::chip::FabricId;
using CommandsVector = ::std::vector<std::unique_ptr<Command>>;

void Register(const char * clusterName, commands_list commandsList);
int Run(int argc, char ** argv);

virtual ~Commands() {}

private:
// *ranCommand will be set to the command we ran if we get as far as running
// it. If it's not null, we need to call Shutdown() on the command after we
Expand All @@ -48,8 +52,14 @@ class Commands
void ShowClusterAttributes(std::string executable, std::string clusterName, std::string commandName, CommandsVector & commands);
void ShowCommand(std::string executable, std::string clusterName, Command * command);

virtual CHIP_ERROR InitializeCredentialsIssuer(chip::PersistentStorageDelegate & storage) = 0;
virtual CHIP_ERROR SetupDeviceAttestation() = 0;
virtual chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() = 0;
virtual CHIP_ERROR GenerateControllerNOCChain(NodeId nodeId, FabricId fabricId, chip::Crypto::P256Keypair & keypair,
chip::MutableByteSpan & rcac, chip::MutableByteSpan & icac,
chip::MutableByteSpan & noc) = 0;

std::map<std::string, CommandsVector> mClusters;
chip::Controller::DeviceCommissioner mController;
chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
PersistentStorage mStorage;
};
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
/*
* Copyright (c) 2021 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/

#pragma once

#include <commands/common/Commands.h>
#include <controller/ExampleOperationalCredentialsIssuer.h>
#include <credentials/DeviceAttestationCredsProvider.h>
#include <credentials/DeviceAttestationVerifier.h>
#include <credentials/examples/DeviceAttestationCredsExample.h>
#include <credentials/examples/DeviceAttestationVerifierExample.h>

class ExampleCredentialIssuerCommands : public Commands
{
private:
CHIP_ERROR InitializeCredentialsIssuer(chip::PersistentStorageDelegate & storage) override
{
return mOpCredsIssuer.Initialize(storage);
}
CHIP_ERROR SetupDeviceAttestation() override
{
chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());
chip::Credentials::SetDeviceAttestationVerifier(chip::Credentials::Examples::GetExampleDACVerifier());
return CHIP_NO_ERROR;
}
chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
CHIP_ERROR GenerateControllerNOCChain(NodeId nodeId, FabricId fabricId, chip::Crypto::P256Keypair & keypair,
chip::MutableByteSpan & rcac, chip::MutableByteSpan & icac,
chip::MutableByteSpan & noc) override
{
return mOpCredsIssuer.GenerateNOCChainAfterValidation(nodeId, fabricId, keypair.Pubkey(), rcac, icac, noc);
}

chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
};
4 changes: 2 additions & 2 deletions examples/chip-tool/main.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
*
*/

#include "commands/common/Commands.h"
#include "commands/example/ExampleCredentialIssuerCommands.h"

#include "commands/discover/Commands.h"
#include "commands/pairing/Commands.h"
Expand All @@ -31,7 +31,7 @@
// ================================================================================
int main(int argc, char * argv[])
{
Commands commands;
ExampleCredentialIssuerCommands commands;
registerCommandsDiscover(commands);
registerCommandsPayload(commands);
registerCommandsPairing(commands);
Expand Down
1 change: 1 addition & 0 deletions src/controller/CHIPDevice.h
Original file line number Diff line number Diff line change
Expand Up @@ -398,6 +398,7 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
}

ByteSpan GetCSRNonce() const { return ByteSpan(mCSRNonce, sizeof(mCSRNonce)); }
MutableByteSpan GetCSRNonce() { return MutableByteSpan(mCSRNonce, sizeof(mCSRNonce)); }

CHIP_ERROR SetAttestationNonce(ByteSpan attestationNonce)
{
Expand Down
4 changes: 3 additions & 1 deletion src/controller/CHIPDeviceController.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1274,6 +1274,8 @@ CHIP_ERROR DeviceCommissioner::SendOperationalCertificateSigningRequestCommand(D
Callback::Cancelable * successCallback = mOpCSRResponseCallback.Cancel();
Callback::Cancelable * failureCallback = mOnCSRFailureCallback.Cancel();

MutableByteSpan csrNonce = device->GetCSRNonce();
ReturnErrorOnFailure(mOperationalCredentialsDelegate->GenerateNOCSR(csrNonce));
ReturnErrorOnFailure(cluster.OpCSRRequest(successCallback, failureCallback, device->GetCSRNonce()));

ChipLogDetail(Controller, "Sent OpCSR request, waiting for the CSR");
Expand Down Expand Up @@ -1379,7 +1381,7 @@ CHIP_ERROR DeviceCommissioner::ProcessOpCSR(const ByteSpan & NOCSRElements, cons
mOperationalCredentialsDelegate->SetNodeIdForNextNOCRequest(device->GetDeviceId());
mOperationalCredentialsDelegate->SetFabricIdForNextNOCRequest(0);

return mOperationalCredentialsDelegate->GenerateNOCChain(NOCSRElements, AttestationSignature, ByteSpan(), ByteSpan(),
return mOperationalCredentialsDelegate->GenerateNOCChain(NOCSRElements, AttestationSignature, device->GetDAC(), ByteSpan(),
ByteSpan(), &mDeviceNOCChainCallback);
}

Expand Down
6 changes: 6 additions & 0 deletions src/controller/OperationalCredentialsDelegate.h
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,12 @@ class DLL_EXPORT OperationalCredentialsDelegate
* fabric ID.
*/
virtual void SetFabricIdForNextNOCRequest(FabricId fabricId) {}

virtual CHIP_ERROR GenerateNOCSR(MutableByteSpan & csrNonce)
{
ReturnErrorOnFailure(Crypto::DRBG_get_bytes(csrNonce.data(), csrNonce.size()));
return CHIP_NO_ERROR;
}
};

} // namespace Controller
Expand Down

0 comments on commit dafba69

Please sign in to comment.