From 103261484463ee0c60826dc777d94dbe7095354a Mon Sep 17 00:00:00 2001
From: krypton36
Date: Fri, 1 Apr 2022 17:31:25 -0700
Subject: [PATCH] Add IPK option to CHIP framework and chip-tool-darwin. (#16907)
---
 .../commands/common/CHIPCommandBridge.mm | 7 ++--
 .../commands/common/CHIPToolKeypair.h | 1 +
 .../commands/common/CHIPToolKeypair.mm | 34 ++++++++++++++++++-
 .../Framework/CHIP/CHIPDeviceController.h | 13 +++++++
 .../Framework/CHIP/CHIPDeviceController.mm | 9 ++++-
 5 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.mm b/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.mm
index 69f11f6efb430d..472b52b1422ffd 100644
--- a/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.mm
+++ b/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.mm
@@ -30,6 +30,7 @@
 CHIP_ERROR CHIPCommandBridge::Run()
 {
 ChipLogProgress(chipTool, "Running Command");
+ NSData * ipk;
 CHIPToolKeypair * nocSigner = [[CHIPToolKeypair alloc] init];
 storage = [[CHIPToolPersistentStorageDelegate alloc] init];
@@ -42,9 +43,11 @@
 [mController setListenPort:kListenPort];
 [mController setKeyValueStoreManagerPath:"/tmp/chip_kvs_darwin"];
- [nocSigner createOrLoadKeys:storage];
+ ReturnLogErrorOnFailure([nocSigner createOrLoadKeys:storage]);
- if (![mController startup:storage vendorId:chip::VendorId::TestVendor1 nocSigner:nocSigner]) {
+ ipk = [nocSigner getIPK];
+
+ if (![mController startup:storage vendorId:chip::VendorId::TestVendor1 nocSigner:nocSigner ipk:ipk]) {
 ChipLogError(chipTool, "Controller startup failure.");
 return CHIP_ERROR_INTERNAL;
 }
diff --git a/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.h b/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.h
index 08ae047cf1b97e..11c15925b7815f 100644
--- a/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.h
+++ b/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.h
@@ -10,5 +10,6 @@
 - (CHIP_ERROR)Serialize:(chip::Crypto::P256SerializedKeypair &)output;
 - (CHIP_ERROR)Deserialize:(chip::Crypto::P256SerializedKeypair &)input;
 - (CHIP_ERROR)createOrLoadKeys:(CHIPToolPersistentStorageDelegate *)storage;
+- (NSData *)getIPK;
 @end
diff --git a/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.mm b/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.mm
index 579b4095b75766..146610e80d5477 100644
--- a/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.mm
+++ b/examples/chip-tool-darwin/commands/common/CHIPToolKeypair.mm
@@ -14,6 +14,7 @@
 static NSString * const kCHIPToolKeychainLabel = @"Chip Tool Keypair";
 static NSString * const kOperationalCredentialsIssuerKeypairStorage = @"ChipToolOpCredsCAKey";
+static NSString * const kOperationalCredentialsIPK = @"ChipToolOpCredsIPK";
 std::string StringToBase64(const std::string & value)
 {
@@ -43,6 +44,7 @@
 @interface CHIPToolKeypair ()
 @property (nonatomic) chip::Crypto::P256Keypair mKeyPair;
 @property (nonatomic) chip::Crypto::P256Keypair mIssuer;
+@property (nonatomic) NSData * ipk;
 @property (atomic) uint32_t mNow;
 @end
@@ -95,6 +97,11 @@ - (CHIP_ERROR)Serialize:(chip::Crypto::P256SerializedKeypair &)output
 return _mKeyPair.Serialize(output);
 }
+- (NSData *)getIPK
+{
+ return _ipk;
+}
+
 - (CHIP_ERROR)createOrLoadKeys:(CHIPToolPersistentStorageDelegate *)storage
 {
 chip::ASN1::ASN1UniversalTime effectiveTime;
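Review bot: `getIPK` is declared in CHIPToolKeypair.h without saying when it returns a usable value. In CHIPToolKeypair.mm the backing `_ipk` is assigned only inside `createOrLoadKeys:`, so a caller that asks earlier gets nil. I would document that on the declaration, for example `/// Returns the IPK loaded or generated by createOrLoadKeys:, or nil if no IPK has been loaded yet.`, and mark the return type `nullable` if this header is meant to carry nullability annotations (none are visible in the hunk). Cocoa naming would also drop the `get` prefix, though the neighbouring `Serialize:` and `Deserialize:` show this class does not follow that convention strictly.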
@@ -126,7 +133,23 @@ - (CHIP_ERROR)createOrLoadKeys:(CHIPToolPersistentStorageDelegate *)storage
 } else {
 ReturnErrorOnFailure([self Deserialize:serializedKey]);
 }
- return err;
+
+ NSData * ipk;
+ value = [storage CHIPGetKeyValue:kOperationalCredentialsIPK];
+ err = [self decodeNSStringToNSData:value serializedKey:&ipk];
+ if (err != CHIP_NO_ERROR) {
+ uint8_t tempIPK[chip::Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES];
+
+ ReturnLogErrorOnFailure(chip::Crypto::DRBG_get_bytes(tempIPK, sizeof(tempIPK)));
+
+ _ipk = [NSData dataWithBytes:tempIPK length:sizeof(tempIPK)];
+ NSString * valueString = [_ipk base64EncodedStringWithOptions:0];
+ [storage CHIPSetKeyValue:kOperationalCredentialsIPK value:valueString];
+ } else {
+ _ipk = ipk;
+ }
+
+ return CHIP_NO_ERROR;
 }
 - (CHIP_ERROR)decodeNSStringWithValue:(NSString *)value serializedKey:(chip::Crypto::P256SerializedKeypair &)serializedKey
@@ -146,4 +169,13 @@ - (CHIP_ERROR)decodeNSStringWithValue:(NSString *)value serializedKey:(chip::Cry
 return CHIP_NO_ERROR;
 }
+- (CHIP_ERROR)decodeNSStringToNSData:(NSString *)value serializedKey:(NSData **)decodedData
+{
+ if (value == nil) {
+ return CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND;
+ }
+
+ *decodedData = [[NSData alloc] initWithBase64EncodedString:value options:0];
+ return CHIP_NO_ERROR;
+}
 @end
diff --git a/src/darwin/Framework/CHIP/CHIPDeviceController.h b/src/darwin/Framework/CHIP/CHIPDeviceController.h
index 110af1bd3c497b..abf57e6a05bafd 100644
--- a/src/darwin/Framework/CHIP/CHIPDeviceController.h
+++ b/src/darwin/Framework/CHIP/CHIPDeviceController.h
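Review bot: The stored IPK is accepted without validation in the added block of `createOrLoadKeys:`. `decodeNSStringToNSData:serializedKey:` (added in the `@@ -146` hunk) returns CHIP_NO_ERROR whenever the stored string is non-nil, but `initWithBase64EncodedString:options:` yields nil for text that is not valid base64 and otherwise data of whatever length was stored, so `_ipk` can end up nil or the wrong size while the method still reports success. I would regenerate (or fail) unless the length matches, `if (err != CHIP_NO_ERROR || ipk.length != chip::Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES) {`, which also covers the nil case. Separately, `tempIPK` keeps the key bytes on the stack after they are copied into the NSData, so zeroing it before leaving the block is cheap hygiene. The start of createOrLoadKeys: lies outside this hunk.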
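Review bot: The second keyword of `decodeNSStringToNSData:serializedKey:` is copied from `decodeNSStringWithValue:serializedKey:`, but here the out-parameter is plain decoded bytes (`NSData **decodedData`), not a serialized keypair, so the selector misdescribes its argument at the call site. Renaming it, for example to `decodeNSStringToNSData:decodedData:`, and adding a comment such as `// Base64-decodes value into *decodedData; only a nil value is reported as an error.` would make the contract readable. `*decodedData` is also written without checking that the pointer itself is non-NULL, which is fine for the single caller in this patch but worth a guard if the helper is reused.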
@@ -112,6 +112,19 @@ typedef void (^CHIPDeviceConnectionCallback)(CHIPDevice * _Nullable device, NSEr
 vendorId:(uint16_t)vendorId
 nocSigner:(nullable id)nocSigner;
+/**
+ * Start the CHIP Stack. Repeated calls to startup without calls to shutdown in between are NO-OPs. Use the isRunning property to
+ * check if the stack needs to be started up.
+ *
+ * @param[in] storageDelegate The delegate for persistent storage
+ * @param[in] vendorId The vendor ID of the commissioner application
+ * @param[in] nocSigner The CHIPKeypair that is used to generate and sign Node Operational Credentials
+ * @param[in] ipk The IPK to use for Operational Credentials.
+ */
+- (BOOL)startup:(_Nullable id)storageDelegate
+ vendorId:(uint16_t)vendorId
+ nocSigner:(id)nocSigner
+ ipk:(NSData * _Nullable)ipk;
 /**
 * Shutdown the CHIP Stack. Repeated calls to shutdown without calls to startup in between are NO-OPs.
 */
diff --git a/src/darwin/Framework/CHIP/CHIPDeviceController.mm b/src/darwin/Framework/CHIP/CHIPDeviceController.mm
index dda9a7bfb83cd0..740d1227b16753 100644
--- a/src/darwin/Framework/CHIP/CHIPDeviceController.mm
+++ b/src/darwin/Framework/CHIP/CHIPDeviceController.mm
@@ -182,6 +182,13 @@ - (BOOL)shutdown
 - (BOOL)startup:(_Nullable id)storageDelegate
 vendorId:(uint16_t)vendorId
 nocSigner:(id)nocSigner
+{
+ return [self startup:storageDelegate vendorId:vendorId nocSigner:nocSigner ipk:nil];
+}
+- (BOOL)startup:(_Nullable id)storageDelegate
+ vendorId:(uint16_t)vendorId
+ nocSigner:(id)nocSigner
+ ipk:(NSData * _Nullable)ipk
 {
 if (vendorId == chip::VendorId::Common) {
 // Shouldn't be using the "standard" vendor ID for actual devices.
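Review bot: The new doc comment in CHIPDeviceController.h does not tell a framework client what a valid `ipk` is or what passing nil means, which is the security-relevant part of this API. From the patch, nil is what the three-argument `startup:vendorId:nocSigner:` forwards and what was previously passed to the credentials delegate, and chip-tool generates `CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES` random bytes. I would extend the line to something like `@param[in] ipk The Identity Protection Key, CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES bytes long. Pass nil to keep the behaviour of the three-argument startup.` The declaration also types `nocSigner` as `(id)` where the existing overload just above uses `(nullable id)`; if nil is still accepted there, the annotation should match.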
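Review bot: The four-argument `startup:` in CHIPDeviceController.mm checks `vendorId` at the top but passes `ipk` through untouched, so caller-supplied NSData of any length reaches `_operationalCredentialsDelegate->init(...)` in the `@@ -214` hunk. Whether `init` rejects a wrong-sized key is not visible here; if it does not, a guard next to the vendor ID check would fail early, for example `if (ipk != nil && ipk.length != chip::Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES)` followed by the same failure path the vendor ID check uses (assuming the crypto constant is reachable from this file). Taking `[ipk copy]` before it is used later in the method would also stop a caller holding an NSMutableData from changing the key afterwards. The body of the method continues outside this hunk.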
@@ -214,7 +221,7 @@ - (BOOL)startup:(_Nullable id)storageDelegate
 _keypairBridge.Init(nocSigner);
 nativeBridge.reset(new chip::Crypto::CHIPP256KeypairNativeBridge(_keypairBridge));
 }
- errorCode = _operationalCredentialsDelegate->init(_persistentStorageDelegateBridge, std::move(nativeBridge), nil);
+ errorCode = _operationalCredentialsDelegate->init(_persistentStorageDelegateBridge, std::move(nativeBridge), ipk);
 if ([self checkForStartError:(CHIP_NO_ERROR == errorCode) logMsg:kErrorOperationalCredentialsInit]) {
 return;
 }