Fix sequence of root cert and op cert provisioning (project-chip#8550)
* Fix sequence of root cert and op cert provisioning

* address review comments

* Update operational credentials delegate to use single API

* cleanup delegate API

* Fix Android build
pan-apple authored and Nikita committed Sep 23, 2021
1 parent 3a814f6 commit ee9a3f2
Showing 22 changed files with 482 additions and 468 deletions.
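--- a/examples/chip-tool/commands/clusters/Commands.h
+++ b/examples/chip-tool/commands/clusters/Commands.h
@@ -597,9 +597,8 @@ static void OnOperationalCredentialsClusterNOCResponse(void * context, uint8_t S
 command->SetCommandExitStatus(CHIP_NO_ERROR);
 }
 
-static void OnOperationalCredentialsClusterOpCSRResponse(void * context, chip::ByteSpan CSR, chip::ByteSpan CSRNonce,
-chip::ByteSpan VendorReserved1, chip::ByteSpan VendorReserved2,
-chip::ByteSpan VendorReserved3, chip::ByteSpan Signature)
+static void OnOperationalCredentialsClusterOpCSRResponse(void * context, chip::ByteSpan NOCSRElements,
+chip::ByteSpan AttestationSignature)
 {
 ChipLogProgress(chipTool, "OperationalCredentialsClusterOpCSRResponse");
 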
Expand Up @@ -45,6 +45,9 @@ using namespace chip;
using namespace ::chip::DeviceLayer;
using namespace ::chip::Transport;

// As per specifications section 11.22.5.1. Constant RESP_MAX
constexpr uint16_t kMaxRspLen = 900;

/*
* Temporary flow for fabric management until addOptCert + fabric index are implemented:
* 1) When Commissioner pairs with CHIP device, store device nodeId in Fabric table as NodeId
Expand Down Expand Up @@ -446,12 +449,16 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
chip::Platform::ScopedMemoryBuffer<uint8_t> csr;
size_t csrLength = Crypto::kMAX_CSR_Length;

chip::Platform::ScopedMemoryBuffer<uint8_t> csrElements;

emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: commissioner has requested an OpCSR");

app::CommandPathParams cmdParams = { emberAfCurrentEndpoint(), /* group id */ 0, ZCL_OPERATIONAL_CREDENTIALS_CLUSTER_ID,
ZCL_OP_CSR_RESPONSE_COMMAND_ID, (chip::app::CommandPathFlags::kEndpointIdValid) };

TLV::TLVWriter * writer = nullptr;
TLV::TLVWriter csrElementWriter;
TLV::TLVType containerType;

// Fetch current fabric
FabricInfo * fabric = retrieveCurrentFabric();
Expand All @@ -471,16 +478,28 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
VerifyOrExit(err == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE);
VerifyOrExit(csrLength < UINT8_MAX, status = EMBER_ZCL_STATUS_FAILURE);

VerifyOrExit(csrElements.Alloc(kMaxRspLen), status = EMBER_ZCL_STATUS_FAILURE);
csrElementWriter.Init(csrElements.Get(), kMaxRspLen);

SuccessOrExit(err = csrElementWriter.StartContainer(TLV::AnonymousTag, TLV::TLVType::kTLVType_Structure, containerType));
SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(1), ByteSpan(csr.Get(), csrLength)));
SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(2), CSRNonce));
SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(3), ByteSpan()));
SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(4), ByteSpan()));
SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(5), ByteSpan()));
SuccessOrExit(err = csrElementWriter.EndContainer(containerType));
SuccessOrExit(err = csrElementWriter.Finalize());

VerifyOrExit(commandObj != nullptr, err = CHIP_ERROR_INCORRECT_STATE);

SuccessOrExit(err = commandObj->PrepareCommand(cmdParams));
writer = commandObj->GetCommandDataElementTLVWriter();
SuccessOrExit(err = writer->Put(TLV::ContextTag(0), ByteSpan(csr.Get(), csrLength)));
SuccessOrExit(err = writer->Put(TLV::ContextTag(1), CSRNonce));
SuccessOrExit(err = writer->Put(TLV::ContextTag(2), ByteSpan(nullptr, 0)));
SuccessOrExit(err = writer->Put(TLV::ContextTag(3), ByteSpan(nullptr, 0)));
SuccessOrExit(err = writer->Put(TLV::ContextTag(4), ByteSpan(nullptr, 0)));
SuccessOrExit(err = writer->Put(TLV::ContextTag(5), ByteSpan(nullptr, 0)));

// Write CSR Elements
SuccessOrExit(err = writer->Put(TLV::ContextTag(0), ByteSpan(csrElements.Get(), csrElementWriter.GetLengthWritten())));

// TODO - Write attestation signature using attestation key
SuccessOrExit(err = writer->Put(TLV::ContextTag(1), ByteSpan()));
SuccessOrExit(err = commandObj->FinishCommand());

exit:
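Review bot: CSRNonce is copied into the NOCSRElements structure under ContextTag(2) with no length check visible in this hunk, and AttestationSignature is still sent as an empty ByteSpan, so a commissioner receiving this response has nothing that ties the CSR and the nonce to the device's attestation key. TLVWriter bounds the write to kMaxRspLen, so this is a protocol-validity gap rather than a memory-safety one. I would reject a wrong-sized nonce before building the elements, e.g. `VerifyOrExit(CSRNonce.size() == kOpCSRNonceLength, status = EMBER_ZCL_STATUS_FAILURE);` (kOpCSRNonceLength is the constant CHIPDevice.h uses; this file may need its own equivalent), and widen the TODO to `// TODO - sign NOCSRElements with the attestation key; until then receivers must not treat this response as attested`. The function body starts before the hunk and continues past `exit:`, so an earlier check may already exist.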
4 changes: 1 addition & 3 deletions src/app/common/gen/callback.h
Original file line number Diff line number Diff line change
Expand Up @@ -15815,9 +15815,7 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
* @brief Cluster OpCSRResponse Command callback (from server)
*/
bool emberAfOperationalCredentialsClusterOpCSRResponseCallback(chip::EndpointId endpoint, chip::app::CommandSender * commandObj,
chip::ByteSpan CSR, chip::ByteSpan CSRNonce,
chip::ByteSpan VendorReserved1, chip::ByteSpan VendorReserved2,
chip::ByteSpan VendorReserved3, chip::ByteSpan Signature);
chip::ByteSpan NOCSRElements, chip::ByteSpan AttestationSignature);
/**
* @brief Cluster AddNOC Command callback (from client)
*/
Expand Down
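--- a/src/app/common/gen/client-command-macro.h
+++ b/src/app/common/gen/client-command-macro.h
@@ -2244,19 +2244,14 @@
 /** @brief Command description for OpCSRResponse
 *
 * Command: OpCSRResponse
-* @param CSR OCTET_STRING
-* @param CSRNonce OCTET_STRING
-* @param VendorReserved1 OCTET_STRING
-* @param VendorReserved2 OCTET_STRING
-* @param VendorReserved3 OCTET_STRING
-* @param Signature OCTET_STRING
+* @param NOCSRElements OCTET_STRING
+* @param AttestationSignature OCTET_STRING
 */
 #define emberAfFillCommandOperational \
-CredentialsClusterOpCSRResponse(CSR, CSRNonce, VendorReserved1, VendorReserved2, VendorReserved3, Signature) \
+CredentialsClusterOpCSRResponse(NOCSRElements, AttestationSignature) \
 emberAfFillExternalBuffer(mask, \
 \
-ZCL_OP_CSR_RESPONSE_COMMAND_ID, "uuuuuu", CSR, CSRNonce, VendorReserved1, VendorReserved2, \
-VendorReserved3, Signature);
+ZCL_OP_CSR_RESPONSE_COMMAND_ID, "uu", NOCSRElements, AttestationSignature);
 
 /** @brief Command description for AddNOC
 *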
Expand Up @@ -95,12 +95,8 @@ fabric-scoped data.</description>
<!-- TODO: Fix to match chip-spec:#3346 -->
<command source="server" code="0x05" name="OpCSRResponse" optional="false">
<description>A certificate signing request (CSR) from the server.</description>
<arg name="CSR" type="OCTET_STRING"/>
<arg name="CSRNonce" type="OCTET_STRING"/>
<arg name="VendorReserved1" type="OCTET_STRING"/>
<arg name="VendorReserved2" type="OCTET_STRING"/>
<arg name="VendorReserved3" type="OCTET_STRING"/>
<arg name="Signature" type="OCTET_STRING"/>
<arg name="NOCSRElements" type="OCTET_STRING"/>
<arg name="AttestationSignature" type="OCTET_STRING"/>
</command>

<command source="client" code="0x06" name="AddNOC" optional="false">
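--- a/src/controller/CHIPDevice.cpp
+++ b/src/controller/CHIPDevice.cpp
@@ -694,5 +694,12 @@ Device::~Device()
 }
 }
 
+CHIP_ERROR Device::ReduceNOCChainBufferSize(size_t new_size)
+{
+ReturnErrorCodeIf(new_size > sizeof(mNOCChainBuffer), CHIP_ERROR_INVALID_ARGUMENT);
+mNOCChainBufferSize = new_size;
+return CHIP_NO_ERROR;
+}
+
 } // namespace Controller
 } // namespace chip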
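Review bot: ReduceNOCChainBufferSize checks new_size only against sizeof(mNOCChainBuffer), so despite its name it can record a length larger than what a caller actually wrote through GetMutableNOCChain(), and GetNOCChain() would then return bytes that were never part of the certificate chain. The bound is correct for memory safety; what is missing is a statement of the contract the caller has to keep. I would add a comment above the definition such as `// Records how many bytes of mNOCChainBuffer hold the NOC chain; pass the length actually written, not the capacity.` so the next caller does not read "reduce" as "any value up to the capacity is fine".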
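--- a/src/controller/CHIPDevice.h
+++ b/src/controller/CHIPDevice.h
@@ -382,6 +382,12 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
 
 ByteSpan GetCSRNonce() const { return ByteSpan(mCSRNonce, sizeof(mCSRNonce)); }
 
+MutableByteSpan GetMutableNOCChain() { return MutableByteSpan(mNOCChainBuffer, sizeof(mNOCChainBuffer)); }
+
+CHIP_ERROR ReduceNOCChainBufferSize(size_t new_size);
+
+ByteSpan GetNOCChain() const { return ByteSpan(mNOCChainBuffer, mNOCChainBufferSize); }
+
 /*
 * This function can be called to establish a secure session with the device.
 *
@@ -490,6 +496,10 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
 
 uint8_t mCSRNonce[kOpCSRNonceLength];
 
+// The chain can contain ICAC and OpCert
+uint8_t mNOCChainBuffer[Credentials::kMaxCHIPCertLength * 2];
+size_t mNOCChainBufferSize = 0;
+
 SessionIDAllocator * mIDAllocator = nullptr;
 
 Callback::CallbackDeque mConnectionSuccess;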
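Review bot: GetMutableNOCChain(), ReduceNOCChainBufferSize() and GetNOCChain() are declared without doc comments, although they only make sense as a sequence: write into the mutable span, record the written length, then read. A short comment on each should say that GetMutableNOCChain() always exposes the full capacity regardless of mNOCChainBufferSize, and that GetNOCChain() is empty until ReduceNOCChainBufferSize() has been called. The member comment could carry the validity rule as well, e.g. `// NOC chain storage (may hold ICAC and OpCert); only the first mNOCChainBufferSize bytes are valid.`, and state the order and encoding of the two certificates, which nothing in this section shows.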