Skip to content

Commit

Permalink
Changed the return type of VerifyAttestationInformation to void. Resu…
Browse files Browse the repository at this point in the history
…lt will be returned in the callback. (#12657)
  • Loading branch information
vijs authored and pull[bot] committed Feb 13, 2024
1 parent 7288d2c commit 1277116
Show file tree
Hide file tree
Showing 6 changed files with 177 additions and 131 deletions.
47 changes: 29 additions & 18 deletions src/controller/CHIPDeviceController.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -610,6 +610,7 @@ DeviceCommissioner::DeviceCommissioner() :
mOnAttestationFailureCallback(OnAttestationFailureResponse, this), mOnCSRFailureCallback(OnCSRFailureResponse, this),
mOnCertFailureCallback(OnAddNOCFailureResponse, this), mOnRootCertFailureCallback(OnRootCertFailureResponse, this),
mOnDeviceConnectedCallback(OnDeviceConnectedFn, this), mOnDeviceConnectionFailureCallback(OnDeviceConnectionFailureFn, this),
mDeviceAttestationInformationVerificationCallback(OnDeviceAttestationInformationVerification, this),
mDeviceNOCChainCallback(OnDeviceNOCChainGeneration, this), mSetUpCodePairer(this), mAutoCommissioner(this)
{
mPairingDelegate = nullptr;
Expand Down Expand Up @@ -1154,34 +1155,22 @@ void DeviceCommissioner::OnAttestationResponse(void * context, chip::ByteSpan at
commissioner->mAttestationResponseCallback.Cancel();
commissioner->mOnAttestationFailureCallback.Cancel();

commissioner->HandleAttestationResult(commissioner->ValidateAttestationInfo(attestationElements, signature));
commissioner->ValidateAttestationInfo(attestationElements, signature);
}

CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const ByteSpan & attestationElements, const ByteSpan & signature)
void DeviceCommissioner::OnDeviceAttestationInformationVerification(void * context, AttestationVerificationResult result)
{
VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
VerifyOrReturnError(mDeviceBeingCommissioned != nullptr, CHIP_ERROR_INCORRECT_STATE);

CommissioneeDeviceProxy * device = mDeviceBeingCommissioned;

DeviceAttestationVerifier * dac_verifier = GetDeviceAttestationVerifier();

// Retrieve attestation challenge
ByteSpan attestationChallenge = mSystemState->SessionMgr()
->GetSecureSession(mDeviceBeingCommissioned->GetSecureSession().Value())
->GetCryptoContext()
.GetAttestationChallenge();
DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
CHIP_ERROR error = CHIP_NO_ERROR;

AttestationVerificationResult result = dac_verifier->VerifyAttestationInformation(
attestationElements, attestationChallenge, signature, device->GetPAI(), device->GetDAC(), device->GetAttestationNonce());
if (result != AttestationVerificationResult::kSuccess)
{
if (result == AttestationVerificationResult::kNotImplemented)
{
ChipLogError(Controller,
"Failed in verifying 'Attestation Information' command received from the device due to default "
"DeviceAttestationVerifier Class not being overridden by a real implementation.");
return CHIP_ERROR_NOT_IMPLEMENTED;
SuccessOrExit(error = CHIP_ERROR_NOT_IMPLEMENTED);
}
else
{
Expand All @@ -1191,12 +1180,34 @@ CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const ByteSpan & attestat
static_cast<uint16_t>(result));
// Go look at AttestationVerificationResult enum in src/credentials/DeviceAttestationVerifier.h to understand the
// errors.
return CHIP_ERROR_INTERNAL;
SuccessOrExit(error = CHIP_ERROR_INTERNAL);
}
}

ChipLogProgress(Controller, "Successfully validated 'Attestation Information' command received from the device.");

exit:
commissioner->HandleAttestationResult(error);
}

CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const ByteSpan & attestationElements, const ByteSpan & signature)
{
VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
VerifyOrReturnError(mDeviceBeingCommissioned != nullptr, CHIP_ERROR_INCORRECT_STATE);

DeviceAttestationVerifier * dac_verifier = GetDeviceAttestationVerifier();

// Retrieve attestation challenge
ByteSpan attestationChallenge = mSystemState->SessionMgr()
->GetSecureSession(mDeviceBeingCommissioned->GetSecureSession().Value())
->GetCryptoContext()
.GetAttestationChallenge();

dac_verifier->VerifyAttestationInformation(attestationElements, attestationChallenge, signature,
mDeviceBeingCommissioned->GetPAI(), mDeviceBeingCommissioned->GetDAC(),
mDeviceBeingCommissioned->GetAttestationNonce(),
&mDeviceAttestationInformationVerificationCallback);

// TODO: Validate Firmware Information

return CHIP_NO_ERROR;
Expand Down
4 changes: 4 additions & 0 deletions src/controller/CHIPDeviceController.h
Original file line number Diff line number Diff line change
Expand Up @@ -753,6 +753,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
static void OnDeviceConnectedFn(void * context, OperationalDeviceProxy * device);
static void OnDeviceConnectionFailureFn(void * context, PeerId peerId, CHIP_ERROR error);

static void OnDeviceAttestationInformationVerification(void * context, Credentials::AttestationVerificationResult result);

static void OnDeviceNOCChainGeneration(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
const ByteSpan & rcac);

Expand Down Expand Up @@ -807,6 +809,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
Callback::Callback<OnDeviceConnected> mOnDeviceConnectedCallback;
Callback::Callback<OnDeviceConnectionFailure> mOnDeviceConnectionFailureCallback;

Callback::Callback<Credentials::OnAttestationInformationVerification> mDeviceAttestationInformationVerificationCallback;

Callback::Callback<OnNOCChainGeneration> mDeviceNOCChainCallback;
SetUpCodePairer mSetUpCodePairer;
AutoCommissioner mAutoCommissioner;
Expand Down
11 changes: 5 additions & 6 deletions src/credentials/DeviceAttestationVerifier.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -30,19 +30,18 @@ namespace {
class UnimplementedDACVerifier : public DeviceAttestationVerifier
{
public:
AttestationVerificationResult VerifyAttestationInformation(const ByteSpan & attestationInfoBuffer,
const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer,
const ByteSpan & paiDerBuffer, const ByteSpan & dacDerBuffer,
const ByteSpan & attestationNonce) override
void VerifyAttestationInformation(const ByteSpan & attestationInfoBuffer, const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer, const ByteSpan & paiDerBuffer,
const ByteSpan & dacDerBuffer, const ByteSpan & attestationNonce,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) override
{
(void) attestationInfoBuffer;
(void) attestationChallengeBuffer;
(void) attestationSignatureBuffer;
(void) paiDerBuffer;
(void) dacDerBuffer;
(void) attestationNonce;
return AttestationVerificationResult::kNotImplemented;
(void) onCompletion;
}

AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
Expand Down
17 changes: 9 additions & 8 deletions src/credentials/DeviceAttestationVerifier.h
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
#pragma once

#include <crypto/CHIPCryptoPAL.h>
#include <lib/core/CHIPCallback.h>
#include <lib/core/CHIPError.h>
#include <lib/core/CHIPVendorIdentifiers.hpp>
#include <lib/support/Span.h>
Expand Down Expand Up @@ -104,6 +105,8 @@ struct DeviceInfoForAttestation
uint16_t paaVendorId = VendorId::NotSpecified;
};

typedef void (*OnAttestationInformationVerification)(void * context, AttestationVerificationResult result);

/**
* @brief Helper utility to model a basic trust store usable for device attestation verifiers.
*
Expand Down Expand Up @@ -205,15 +208,13 @@ class DeviceAttestationVerifier
* If length zero, there was no PAI certificate.
* @param[in] dacDerBuffer Buffer containing the DAC certificate from device in DER format.
* @param[in] attestationNonce Buffer containing attestation nonce.
*
* @returns AttestationVerificationResult::kSuccess on success or another specific
* value from AttestationVerificationResult enum on failure.
* @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
* VerifyAttestationInformation()
*/
virtual AttestationVerificationResult VerifyAttestationInformation(const ByteSpan & attestationInfoBuffer,
const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer,
const ByteSpan & paiDerBuffer, const ByteSpan & dacDerBuffer,
const ByteSpan & attestationNonce) = 0;
virtual void VerifyAttestationInformation(const ByteSpan & attestationInfoBuffer, const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer, const ByteSpan & paiDerBuffer,
const ByteSpan & dacDerBuffer, const ByteSpan & attestationNonce,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) = 0;

/**
* @brief Verify a CMS Signed Data signature against the CSA certificate of Subject Key Identifier that matches
Expand Down
Loading

0 comments on commit 1277116

Please sign in to comment.