This repository has been archived by the owner on Dec 20, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 105
/
Copy pathCASEAuth.cpp
480 lines (385 loc) · 16.6 KB
/
CASEAuth.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
/*
*
* Copyright (c) 2018 Nest Labs, Inc.
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @file
* Provides an implementation for the OpenWeave WeaveCASEAuthDelegate
* interface.
*/
// TODO: Generalize this code to work on systems without malloc.
#include <Weave/DeviceLayer/internal/WeaveDeviceLayerInternal.h>
#include <Weave/Core/WeaveTLV.h>
#include <Weave/Profiles/WeaveProfiles.h>
#include <Weave/Profiles/security/WeaveSecurity.h>
#include <Weave/Profiles/security/WeaveCert.h>
#include <Weave/Profiles/security/WeaveCASE.h>
#include <Weave/Profiles/service-provisioning/ServiceProvisioning.h>
#include <Weave/Support/NestCerts.h>
#include <Weave/Support/ASN1.h>
#include <Weave/Support/TimeUtils.h>
#include <new>
using namespace ::nl;
using namespace ::nl::Weave;
using namespace ::nl::Weave::TLV;
using namespace ::nl::Weave::Profiles;
using namespace ::nl::Weave::Profiles::Security;
using namespace ::nl::Weave::DeviceLayer;
using namespace ::nl::Weave::DeviceLayer::Internal;
namespace nl {
namespace Weave {
namespace DeviceLayer {
namespace {
using ::nl::Weave::Platform::Security::MemoryAlloc;
using ::nl::Weave::Platform::Security::MemoryFree;
class CASEAuthDelegate : public WeaveCASEAuthDelegate
{
public:
enum {
kMaxValidationCerts = 7, // Maximum number of certificates that can be present during certificate validation.
kCertDecodeBufferSize = 1024 // Size of temporary buffer used during certificate decoding and signature validation.
};
CASEAuthDelegate()
: mPrivKeyBuf(NULL), mServiceConfigBuf(NULL)
{
}
virtual WEAVE_ERROR GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen);
virtual WEAVE_ERROR GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t & weavePrivKeyLen);
virtual WEAVE_ERROR ReleaseNodePrivateKey(const uint8_t *weavePrivKey);
virtual WEAVE_ERROR GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen);
virtual WEAVE_ERROR BeginCertValidation(bool isInitiator, WeaveCertificateSet& certSet, ValidationContext& validContext);
virtual WEAVE_ERROR HandleCertValidationResult(bool isInitiator, WEAVE_ERROR& validRes, WeaveCertificateData *peerCert,
uint64_t peerNodeId, WeaveCertificateSet& certSet, ValidationContext& validContext);
virtual WEAVE_ERROR EndCertValidation(WeaveCertificateSet& certSet, ValidationContext& validContext);
private:
uint8_t *mPrivKeyBuf;
uint8_t *mServiceConfigBuf;
};
CASEAuthDelegate gCASEAuthDelegate;
WEAVE_ERROR AddCertToContainer(TLVWriter& writer, uint64_t tag, const uint8_t *cert, uint16_t certLen);
WEAVE_ERROR MakeCertInfo(uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen,
const uint8_t *entityCert, uint16_t entityCertLen,
const uint8_t *intermediateCert, uint16_t intermediateCertLen);
WEAVE_ERROR LoadCertsFromServiceConfig(const uint8_t *serviceConfig, uint16_t serviceConfigLen, WeaveCertificateSet& certSet);
} // unnamed namespace
namespace Internal {
WEAVE_ERROR InitCASEAuthDelegate()
{
new (&gCASEAuthDelegate) CASEAuthDelegate();
SecurityMgr.SetCASEAuthDelegate(&gCASEAuthDelegate);
return WEAVE_NO_ERROR;
}
} // namespace Internal
namespace {
WEAVE_ERROR CASEAuthDelegate::GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen)
{
WEAVE_ERROR err;
uint8_t * certBuf = NULL;
size_t certLen;
// Determine the length of the device certificate.
err = ConfigurationMgr().GetDeviceCertificate((uint8_t *)NULL, 0, certLen);
SuccessOrExit(err);
// Fail if no certificate has been configured.
VerifyOrExit(certLen != 0, err = WEAVE_ERROR_CERT_NOT_FOUND);
// Create a temporary buffer to hold the certificate.
certBuf = (uint8_t *)MemoryAlloc(certLen);
VerifyOrExit(certBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
// Read the certificate
err = ConfigurationMgr().GetDeviceCertificate(certBuf, certLen, certLen);
SuccessOrExit(err);
// Encode a CASECertificateInformation TLV structure containing the device certificate.
err = MakeCertInfo(buf, bufSize, certInfoLen, certBuf, certLen, NULL, 0);
SuccessOrExit(err);
exit:
if (certBuf != NULL)
{
MemoryFree(certBuf);
}
return err;
}
WEAVE_ERROR CASEAuthDelegate::GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t & weavePrivKeyLen)
{
WEAVE_ERROR err;
size_t privKeyLen;
// Determine the length of the private key.
err = ConfigurationMgr().GetDevicePrivateKey((uint8_t *)NULL, 0, privKeyLen);
SuccessOrExit(err);
// Fail if no private key has been configured.
VerifyOrExit(privKeyLen != 0, err = WEAVE_ERROR_KEY_NOT_FOUND);
// Create a temporary buffer to hold the private key.
mPrivKeyBuf = (uint8_t *)MemoryAlloc(privKeyLen);
VerifyOrExit(mPrivKeyBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
// Read the private key.
err = ConfigurationMgr().GetDevicePrivateKey(mPrivKeyBuf, privKeyLen, privKeyLen);
SuccessOrExit(err);
weavePrivKey = mPrivKeyBuf;
weavePrivKeyLen = privKeyLen;
exit:
if (err != WEAVE_NO_ERROR && mPrivKeyBuf != NULL)
{
MemoryFree(mPrivKeyBuf);
mPrivKeyBuf = NULL;
}
return err;
}
WEAVE_ERROR CASEAuthDelegate::ReleaseNodePrivateKey(const uint8_t *weavePrivKey)
{
if (mPrivKeyBuf != NULL)
{
MemoryFree(mPrivKeyBuf);
mPrivKeyBuf = NULL;
}
return WEAVE_NO_ERROR;
}
WEAVE_ERROR CASEAuthDelegate::GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen)
{
WEAVE_ERROR err;
size_t deviceDescLen;
err = ConfigurationMgr().GetDeviceDescriptorTLV(buf, (size_t)bufSize, deviceDescLen);
SuccessOrExit(err);
payloadLen = deviceDescLen;
exit:
return err;
}
WEAVE_ERROR CASEAuthDelegate::BeginCertValidation(bool isInitiator, WeaveCertificateSet& certSet, ValidationContext& validContext)
{
WEAVE_ERROR err;
nl::Weave::ASN1::ASN1UniversalTime validTime;
WeaveCertificateData *cert;
size_t serviceConfigLen;
uint64_t nowMS;
// Initialize the certificate set object arranging for it to call the platform
// memory allocation functions when it need memory.
err = certSet.Init(kMaxValidationCerts, kCertDecodeBufferSize, MemoryAlloc, MemoryFree);
SuccessOrExit(err);
// Determine if the device has been provisioned for talking to a service by querying the configuration manager
// for the length of the service configuration data. If service configuration data is present, then the device
// has been service provisioned.
err = ConfigurationMgr().GetServiceConfig(NULL, 0, serviceConfigLen);
if (err != WEAVE_DEVICE_ERROR_CONFIG_NOT_FOUND)
SuccessOrExit(err);
// If the device has been service provisioned...
if (err != WEAVE_DEVICE_ERROR_CONFIG_NOT_FOUND)
{
// Allocate a buffer to hold the service config data.
mServiceConfigBuf = (uint8_t *)MemoryAlloc(serviceConfigLen);
VerifyOrExit(mServiceConfigBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
// Read the service config data.
err = ConfigurationMgr().GetServiceConfig(mServiceConfigBuf, serviceConfigLen, serviceConfigLen);
SuccessOrExit(err);
// Load the list of trusted root certificate from the service config.
err = LoadCertsFromServiceConfig(mServiceConfigBuf, serviceConfigLen, certSet);
SuccessOrExit(err);
// Scan the list of trusted certs loaded from the service config. If the list contains a general
// certificate with a CommonName subject, presume this certificate is the access token certificate
// and mark it as such.
for (uint8_t i = 0; i < certSet.CertCount; i++)
{
cert = &certSet.Certs[i];
if ((cert->CertFlags & kCertFlag_IsTrusted) != 0 &&
cert->CertType == kCertType_General &&
cert->SubjectDN.AttrOID == ASN1::kOID_AttributeType_CommonName)
{
cert->CertType = kCertType_AccessToken;
}
}
}
// Otherwise the device has not been service provisioned...
else
{
// In security test mode, load a predefined set of root and intermediate certificates.
// Otherwise fail with a NOT_SERVICE_PROVISIONED error.
#if WEAVE_CONFIG_SECURITY_TEST_MODE
err = certSet.LoadCert(nl::NestCerts::Development::Root::Cert, nl::NestCerts::Development::Root::CertLength, 0, cert);
SuccessOrExit(err);
cert->CertFlags |= kCertFlag_IsTrusted;
err = certSet.LoadCert(nl::NestCerts::Production::Root::Cert, nl::NestCerts::Production::Root::CertLength, 0, cert);
SuccessOrExit(err);
cert->CertFlags |= kCertFlag_IsTrusted;
err = certSet.LoadCert(nl::NestCerts::Development::DeviceCA::Cert, nl::NestCerts::Development::DeviceCA::CertLength, kDecodeFlag_GenerateTBSHash, cert);
SuccessOrExit(err);
err = certSet.LoadCert(nl::NestCerts::Production::DeviceCA::Cert, nl::NestCerts::Production::DeviceCA::CertLength, kDecodeFlag_GenerateTBSHash, cert);
SuccessOrExit(err);
#else
ExitNow(err = WEAVE_DEVICE_ERROR_NOT_SERVICE_PROVISIONED);
#endif // WEAVE_CONFIG_SECURITY_TEST_MODE
}
memset(&validContext, 0, sizeof(validContext));
// Set the effective time for certificate validation.
//
// If the system's real time clock is synchronized, use the current time.
//
// If the system's real time clock is NOT synchronized, use the firmware build time, and arrange to ignore
// the "not before" date in the peer's certificate(s).
//
err = System::Layer::GetClock_RealTimeMS(nowMS);
if (err == WEAVE_NO_ERROR)
{
SecondsSinceEpochToCalendarTime((uint32_t)(nowMS / 1000), validTime.Year, validTime.Month, validTime.Day,
validTime.Hour, validTime.Minute, validTime.Second);
}
else if (err == WEAVE_SYSTEM_ERROR_REAL_TIME_NOT_SYNCED)
{
err = ConfigurationMgr().GetFirmwareBuildTime(validTime.Year, validTime.Month, validTime.Day,
validTime.Hour, validTime.Minute, validTime.Second);
SuccessOrExit(err);
validContext.ValidateFlags |= kValidateFlag_IgnoreNotBefore;
WeaveLogProgress(DeviceLayer, "Real time clock not synchronized; Using build time for cert validation");
}
else
{
ExitNow();
}
err = PackCertTime(validTime, validContext.EffectiveTime);
SuccessOrExit(err);
// Set the appropriate required key usages and purposes for the peer's certificates based
// on whether we're initiating or responding.
validContext.RequiredKeyUsages = kKeyUsageFlag_DigitalSignature;
validContext.RequiredKeyPurposes = (isInitiator) ? kKeyPurposeFlag_ServerAuth : kKeyPurposeFlag_ClientAuth;
exit:
if (err != WEAVE_NO_ERROR && mServiceConfigBuf != NULL)
{
MemoryFree(mServiceConfigBuf);
mServiceConfigBuf = NULL;
}
return err;
}
WEAVE_ERROR CASEAuthDelegate::HandleCertValidationResult(bool isInitiator, WEAVE_ERROR& validRes, WeaveCertificateData *peerCert,
uint64_t peerNodeId, WeaveCertificateSet& certSet, ValidationContext& validContext)
{
// If the peer's certificate is otherwise valid...
if (validRes == WEAVE_NO_ERROR)
{
// If the peer authenticated with a device certificate...
if (peerCert->CertType == kCertType_Device)
{
// Get the node id from the certificate subject.
uint64_t certId = peerCert->SubjectDN.AttrValue.WeaveId;
// Verify the certificate node id matches the peer's node id.
if (certId != peerNodeId)
validRes = WEAVE_ERROR_WRONG_CERT_SUBJECT;
}
// If the peer authenticated with a service endpoint certificate...
else if (peerCert->CertType == kCertType_ServiceEndpoint)
{
// Get the node id from the certificate subject.
uint64_t certId = peerCert->SubjectDN.AttrValue.WeaveId;
// Verify the certificate node id matches the peer's node id.
if (certId != peerNodeId)
validRes = WEAVE_ERROR_WRONG_CERT_SUBJECT;
// Reject the peer if they are initiating the session. Service endpoint certificates
// cannot be used to initiate sessions to other nodes, only to respond.
if (!isInitiator)
validRes = WEAVE_ERROR_WRONG_CERT_TYPE;
}
// If the peer authenticated with an access token certificate...
else if (peerCert->CertType == kCertType_AccessToken)
{
// Reject the peer if they are the session responder. Access token certificates
// can only be used to initiate sessions.
if (isInitiator)
validRes = WEAVE_ERROR_WRONG_CERT_TYPE;
}
// For all other certificate types, reject the session.
else
{
validRes = WEAVE_ERROR_WRONG_CERT_TYPE;
}
}
if (validRes == WEAVE_NO_ERROR)
{
WeaveLogProgress(DeviceLayer, "Certificate validation completed successfully");
}
else
{
WeaveLogError(DeviceLayer, "Certificate validation failed: %s", nl::ErrorStr(validRes));
}
return WEAVE_NO_ERROR;
}
WEAVE_ERROR CASEAuthDelegate::EndCertValidation(WeaveCertificateSet& certSet, ValidationContext& validContext)
{
if (mServiceConfigBuf != NULL)
{
MemoryFree(mServiceConfigBuf);
mServiceConfigBuf = NULL;
}
return WEAVE_NO_ERROR;
}
WEAVE_ERROR AddCertToContainer(TLVWriter& writer, uint64_t tag, const uint8_t *cert, uint16_t certLen)
{
WEAVE_ERROR err;
TLVReader reader;
reader.Init(cert, certLen);
err = reader.Next();
SuccessOrExit(err);
err = writer.PutPreEncodedContainer(tag, kTLVType_Structure, reader.GetReadPoint(), reader.GetRemainingLength());
SuccessOrExit(err);
exit:
return err;
}
WEAVE_ERROR MakeCertInfo(uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen,
const uint8_t *entityCert, uint16_t entityCertLen,
const uint8_t *intermediateCert, uint16_t intermediateCertLen)
{
WEAVE_ERROR err;
TLVWriter writer;
TLVType container;
writer.Init(buf, bufSize);
writer.ImplicitProfileId = kWeaveProfile_Security;
err = writer.StartContainer(ProfileTag(kWeaveProfile_Security, kTag_WeaveCASECertificateInformation), kTLVType_Structure, container);
SuccessOrExit(err);
err = AddCertToContainer(writer, ContextTag(kTag_CASECertificateInfo_EntityCertificate), entityCert, entityCertLen);
SuccessOrExit(err);
if (intermediateCert != NULL)
{
TLVType container2;
err = writer.StartContainer(ContextTag(kTag_CASECertificateInfo_RelatedCertificates), kTLVType_Path, container2);
SuccessOrExit(err);
err = AddCertToContainer(writer, ProfileTag(kWeaveProfile_Security, kTag_WeaveCertificate), intermediateCert, intermediateCertLen);
SuccessOrExit(err);
err = writer.EndContainer(container2);
SuccessOrExit(err);
}
err = writer.EndContainer(container);
SuccessOrExit(err);
err = writer.Finalize();
SuccessOrExit(err);
certInfoLen = writer.GetLengthWritten();
exit:
return err;
}
WEAVE_ERROR LoadCertsFromServiceConfig(const uint8_t *serviceConfig, uint16_t serviceConfigLen, WeaveCertificateSet& certSet)
{
WEAVE_ERROR err;
TLVReader reader;
TLVType topLevelContainer;
reader.Init(serviceConfig, serviceConfigLen);
reader.ImplicitProfileId = kWeaveProfile_ServiceProvisioning;
err = reader.Next(kTLVType_Structure, ProfileTag(kWeaveProfile_ServiceProvisioning, ServiceProvisioning::kTag_ServiceConfig));
SuccessOrExit(err);
err = reader.EnterContainer(topLevelContainer);
SuccessOrExit(err);
err = reader.Next(kTLVType_Array, ContextTag(ServiceProvisioning::kTag_ServiceConfig_CACerts));
SuccessOrExit(err);
err = certSet.LoadCerts(reader, kDecodeFlag_IsTrusted);
SuccessOrExit(err);
exit:
return err;
}
} // unnamed namespace
} // namespace DeviceLayer
} // namespace Weave
} // namespace nl