From 23484961383c379e24ac85befd3dad5bb6afe0e0 Mon Sep 17 00:00:00 2001 From: Pankaj Garg Date: Fri, 14 May 2021 13:17:50 -0700 Subject: [PATCH] Integrate CASE state machine with the controller (#6810) * Implemented CASEServer to fetch credentials, and wait for SigmaR1 message * Integrate CASE session establishment with controller * For now, disable test for disabled feature * some cleanup after rebase * address review comments * Update src/protocols/secure_channel/CASEServer.cpp Co-authored-by: Tennessee Carmel-Veilleux Co-authored-by: Tennessee Carmel-Veilleux --- .../operational-credentials-server.cpp | 2 + .../trusted-root-certificates-server.cpp | 2 + src/controller/CHIPDevice.cpp | 43 ++++++ src/controller/CHIPDevice.h | 37 ++++- src/controller/CHIPDeviceController.cpp | 133 +++++++++++++----- src/controller/CHIPDeviceController.h | 21 ++- src/credentials/CHIPCert.cpp | 3 +- src/credentials/tests/TestChipCert.cpp | 10 +- .../CHIP/CHIPOperationalCredentialsDelegate.h | 2 +- .../CHIPOperationalCredentialsDelegate.mm | 4 +- src/protocols/secure_channel/CASEServer.cpp | 52 ++++--- src/protocols/secure_channel/CASEServer.h | 6 +- src/protocols/secure_channel/CASESession.cpp | 11 +- src/transport/AdminPairingTable.cpp | 26 +++- src/transport/AdminPairingTable.h | 28 +++- 15 files changed, 288 insertions(+), 92 deletions(-) diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp index 9cdeabd1df7530..c6d7c79f1a676d 100644 --- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp +++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp @@ -336,6 +336,8 @@ bool emberAfOperationalCredentialsClusterAddOpCertCallback(chip::app::Command * VerifyOrExit(admin->SetOperationalCert(ByteSpan(certBuf, NOC.size() + ICACertificate.size())) == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE); + VerifyOrExit(GetGlobalAdminPairingTable().Store(admin->GetAdminId()) == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE); + exit: emberAfSendImmediateDefaultResponse(status); if (status == EMBER_ZCL_STATUS_FAILURE) diff --git a/src/app/clusters/trusted-root-certificates-server/trusted-root-certificates-server.cpp b/src/app/clusters/trusted-root-certificates-server/trusted-root-certificates-server.cpp index 171c08c8311cba..9313ed33a4ab72 100644 --- a/src/app/clusters/trusted-root-certificates-server/trusted-root-certificates-server.cpp +++ b/src/app/clusters/trusted-root-certificates-server/trusted-root-certificates-server.cpp @@ -57,6 +57,8 @@ bool emberAfTrustedRootCertificatesClusterAddTrustedRootCertificateCallback(chip VerifyOrExit(admin != nullptr, status = EMBER_ZCL_STATUS_FAILURE); VerifyOrExit(admin->SetRootCert(RootCertificate) == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE); + VerifyOrExit(GetGlobalAdminPairingTable().Store(admin->GetAdminId()) == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE); + exit: emberAfSendImmediateDefaultResponse(status); if (status == EMBER_ZCL_STATUS_FAILURE) diff --git a/src/controller/CHIPDevice.cpp b/src/controller/CHIPDevice.cpp index adcc5043305fcd..7c3e89f073af1e 100644 --- a/src/controller/CHIPDevice.cpp +++ b/src/controller/CHIPDevice.cpp @@ -164,6 +164,9 @@ CHIP_ERROR Device::Serialize(SerializedDevice & output) serializable.mDevicePort = Encoding::LittleEndian::HostSwap16(mDeviceAddress.GetPort()); serializable.mAdminId = Encoding::LittleEndian::HostSwap16(mAdminId); + serializable.mCASESessionKeyId = Encoding::LittleEndian::HostSwap16(mCASESessionKeyId); + serializable.mDeviceProvisioningComplete = (mDeviceProvisioningComplete) ? 1 : 0; + static_assert(std::is_same::type, uint8_t>::value, "The underlying type of Transport::Type is not uint8_t."); serializable.mDeviceTransport = static_cast(mDeviceAddress.GetTransportType()); @@ -217,6 +220,9 @@ CHIP_ERROR Device::Deserialize(const SerializedDevice & input) port = Encoding::LittleEndian::HostSwap16(serializable.mDevicePort); mAdminId = Encoding::LittleEndian::HostSwap16(serializable.mAdminId); + mCASESessionKeyId = Encoding::LittleEndian::HostSwap16(serializable.mCASESessionKeyId); + mDeviceProvisioningComplete = (serializable.mDeviceProvisioningComplete != 0); + // The InterfaceNameToId() API requires initialization of mInterface, and lock/unlock of // LwIP stack. interfaceId = INET_NULL_INTERFACEID; @@ -370,6 +376,12 @@ CHIP_ERROR Device::LoadSecureSessionParameters(ResetTransport resetNeeded) SecureSession::SessionRole::kInitiator, mAdminId); SuccessOrExit(err); + if (IsProvisioningComplete()) + { + err = EstablishCASESession(); + SuccessOrExit(err); + } + exit: if (err != CHIP_NO_ERROR) @@ -389,6 +401,37 @@ bool Device::GetAddress(Inet::IPAddress & addr, uint16_t & port) const return true; } +CHIP_ERROR Device::EstablishCASESession() +{ + Messaging::ExchangeContext * exchange = mExchangeMgr->NewContext(SecureSessionHandle(), &mCASESession); + VerifyOrReturnError(exchange != nullptr, CHIP_ERROR_INTERNAL); + + ReturnErrorOnFailure(mCASESession.MessageDispatch().Init(mSessionManager->GetTransportManager())); + mCASESession.MessageDispatch().SetPeerAddress(mDeviceAddress); + + ReturnErrorOnFailure(mCASESession.EstablishSession(mDeviceAddress, mCredentials, mDeviceId, 0, exchange, this)); + + return CHIP_NO_ERROR; +} + +void Device::OnSessionEstablishmentError(CHIP_ERROR error) {} + +void Device::OnSessionEstablished() +{ + mCASESession.PeerConnection().SetPeerNodeId(mDeviceId); + + // TODO - Enable keys derived from CASE Session + // CHIP_ERROR err = mSessionManager->NewPairing(Optional::Value(mDeviceAddress), mDeviceId, + // &mCASESession, + // SecureSession::SessionRole::kInitiator, mAdminId, nullptr); + // if (err != CHIP_NO_ERROR) + // { + // ChipLogError(Controller, "Failed in setting up CASE secure channel: err %s", ErrorStr(err)); + // OnSessionEstablishmentError(err); + // return; + // } +} + void Device::AddResponseHandler(uint8_t seqNum, Callback::Cancelable * onSuccessCallback, Callback::Cancelable * onFailureCallback) { mCallbacksMgr.AddResponseCallback(mDeviceId, seqNum, onSuccessCallback, onFailureCallback); diff --git a/src/controller/CHIPDevice.h b/src/controller/CHIPDevice.h index 0e972ad19a39c3..0db28dea964ff6 100644 --- a/src/controller/CHIPDevice.h +++ b/src/controller/CHIPDevice.h @@ -32,9 +32,11 @@ #include #include #include +#include #include #include #include +#include #include #include #include @@ -75,12 +77,14 @@ struct ControllerDeviceInitParams SecureSessionMgr * sessionMgr = nullptr; Messaging::ExchangeManager * exchangeMgr = nullptr; Inet::InetLayer * inetLayer = nullptr; + + Credentials::OperationalCredentialSet * credentials = nullptr; #if CONFIG_NETWORK_LAYER_BLE Ble::BleLayer * bleLayer = nullptr; #endif }; -class DLL_EXPORT Device : public Messaging::ExchangeDelegate +class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEstablishmentDelegate { public: ~Device() @@ -183,6 +187,7 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate mInetLayer = params.inetLayer; mListenPort = listenPort; mAdminId = admin; + mCredentials = params.credentials; #if CONFIG_NETWORK_LAYER_BLE mBleLayer = params.bleLayer; #endif @@ -198,7 +203,7 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate * all device specifc parameters (address, port, interface etc). * * This is not done as part of constructor so that the controller can have a list of - * uninitialzed/unpaired device objects. The object is initialized only when the device + * uninitialized/unpaired device objects. The object is initialized only when the device * is actually paired. * * @param[in] params Wrapper object for transport manager etc. @@ -354,6 +359,19 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate void AddIMResponseHandler(Callback::Cancelable * onSuccessCallback, Callback::Cancelable * onFailureCallback); void CancelIMResponseHandler(); + void ProvisioningComplete(uint16_t caseKeyId) + { + mDeviceProvisioningComplete = true; + mCASESessionKeyId = caseKeyId; + } + bool IsProvisioningComplete() const { return mDeviceProvisioningComplete; } + + //////////// SessionEstablishmentDelegate Implementation /////////////// + void OnSessionEstablishmentError(CHIP_ERROR error) override; + void OnSessionEstablished() override; + + CASESession & GetCASESession() { return mCASESession; } + private: enum class ConnectionState { @@ -428,9 +446,18 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate */ void InitCommandSender(); + CHIP_ERROR EstablishCASESession(); + uint16_t mListenPort; Transport::AdminId mAdminId = Transport::kUndefinedAdminId; + + bool mDeviceProvisioningComplete = false; + + CASESession mCASESession; + uint16_t mCASESessionKeyId = 0; + + Credentials::OperationalCredentialSet * mCredentials = nullptr; }; /** @@ -479,9 +506,11 @@ typedef struct SerializableDevice PASESessionSerializable mOpsCreds; uint64_t mDeviceId; /* This field is serialized in LittleEndian byte order */ uint8_t mDeviceAddr[INET6_ADDRSTRLEN]; - uint16_t mDevicePort; /* This field is serialized in LittleEndian byte order */ - uint16_t mAdminId; /* This field is serialized in LittleEndian byte order */ + uint16_t mDevicePort; /* This field is serialized in LittleEndian byte order */ + uint16_t mAdminId; /* This field is serialized in LittleEndian byte order */ + uint16_t mCASESessionKeyId; /* This field is serialized in LittleEndian byte order */ uint8_t mDeviceTransport; + uint8_t mDeviceProvisioningComplete; uint8_t mInterfaceName[kMaxInterfaceName]; } SerializableDevice; diff --git a/src/controller/CHIPDeviceController.cpp b/src/controller/CHIPDeviceController.cpp index 89a656caefa3d9..ef8f038639586c 100644 --- a/src/controller/CHIPDeviceController.cpp +++ b/src/controller/CHIPDeviceController.cpp @@ -100,6 +100,7 @@ constexpr uint16_t kMdnsPort = 5353; constexpr uint32_t kSessionEstablishmentTimeout = 30 * kMillisecondPerSecond; constexpr uint32_t kMaxCHIPOpCertLength = 1024; +constexpr uint32_t kMaxCHIPCSRLength = 1024; constexpr uint32_t kOpCSRNonceLength = 32; // This macro generates a key using node ID an key prefix, and performs the given action @@ -184,9 +185,15 @@ CHIP_ERROR DeviceController::Init(NodeId localDeviceId, ControllerInitParams par ); SuccessOrExit(err); + err = mAdmins.Init(mStorageDelegate); + SuccessOrExit(err); + admin = mAdmins.AssignAdminId(mAdminId, localDeviceId); VerifyOrExit(admin != nullptr, err = CHIP_ERROR_NO_MEMORY); + err = mAdmins.LoadFromStorage(mAdminId); + SuccessOrExit(err); + err = mSessionMgr->Init(localDeviceId, mSystemLayer, mTransportMgr, &mAdmins, mMessageCounterManager); SuccessOrExit(err); @@ -228,12 +235,70 @@ CHIP_ERROR DeviceController::Init(NodeId localDeviceId, ControllerInitParams par mState = State::Initialized; mLocalDeviceId = localDeviceId; + VerifyOrExit(params.operationalCredentialsDelegate != nullptr, err = CHIP_ERROR_INVALID_ARGUMENT); + mOperationalCredentialsDelegate = params.operationalCredentialsDelegate; + + err = LoadLocalCredentials(admin); + SuccessOrExit(err); + ReleaseAllDevices(); exit: return err; } +CHIP_ERROR DeviceController::LoadLocalCredentials(Transport::AdminPairingInfo * admin) +{ + ChipLogProgress(Controller, "Getting operational keys"); + Crypto::P256Keypair * keypair = admin->GetOperationalKey(); + + ReturnErrorCodeIf(keypair == nullptr, CHIP_ERROR_NO_MEMORY); + + if (!admin->AreCredentialsAvailable()) + { + chip::Platform::ScopedMemoryBuffer buffer1; + ReturnErrorCodeIf(!buffer1.Alloc(kMaxCHIPCSRLength), CHIP_ERROR_NO_MEMORY); + + chip::Platform::ScopedMemoryBuffer buffer2; + ReturnErrorCodeIf(!buffer2.Alloc(kMaxCHIPOpCertLength), CHIP_ERROR_NO_MEMORY); + + uint8_t * CSR = buffer1.Get(); + size_t csrLength = kMaxCHIPCSRLength; + ReturnErrorOnFailure(keypair->NewCertificateSigningRequest(CSR, csrLength)); + + uint8_t * cert = buffer2.Get(); + uint32_t certLen = 0; + + // TODO - Match the generated cert against CSR and operational keypair + // Make sure it chains back to the trusted root. + ChipLogProgress(Controller, "Generating operational certificate for the controller"); + ReturnErrorOnFailure(mOperationalCredentialsDelegate->GenerateNodeOperationalCertificate( + PeerId().SetNodeId(mLocalDeviceId), ByteSpan(CSR, csrLength), 1, cert, kMaxCHIPOpCertLength, certLen)); + + uint8_t * chipCert = buffer1.Get(); + uint32_t chipCertLen = 0; + ReturnErrorOnFailure(ConvertX509CertToChipCert(cert, certLen, chipCert, kMaxCHIPOpCertLength, chipCertLen)); + + ReturnErrorOnFailure(admin->SetOperationalCert(ByteSpan(chipCert, chipCertLen))); + + ChipLogProgress(Controller, "Getting root certificate for the controller from the issuer"); + ReturnErrorOnFailure(mOperationalCredentialsDelegate->GetRootCACertificate(0, cert, kMaxCHIPOpCertLength, certLen)); + + chipCertLen = 0; + ReturnErrorOnFailure(ConvertX509CertToChipCert(cert, certLen, chipCert, kMaxCHIPOpCertLength, chipCertLen)); + + ReturnErrorOnFailure(admin->SetRootCert(ByteSpan(chipCert, chipCertLen))); + + ReturnErrorOnFailure(mAdmins.Store(admin->GetAdminId())); + } + + ChipLogProgress(Controller, "Generating credentials"); + ReturnErrorOnFailure(admin->GetCredentials(mCredentials, mCertificates, mRootKeyId)); + + ChipLogProgress(Controller, "Loaded credentials successfully"); + return CHIP_NO_ERROR; +} + CHIP_ERROR DeviceController::Shutdown() { VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE); @@ -406,6 +471,10 @@ CHIP_ERROR DeviceController::GetDevice(NodeId deviceId, Device ** out_device) CHIP_ERROR DeviceController::UpdateDevice(Device * device, uint64_t fabricId) { + // TODO - Detect when the device is fully provisioned, instead of relying on UpdateDevice() + device->ProvisioningComplete(mNextKeyId++); + PersistDevice(device); + PersistNextKeyId(); #if CHIP_DEVICE_CONFIG_ENABLE_MDNS return Mdns::Resolver::Instance().ResolveNodeId(chip::PeerId().SetNodeId(device->GetDeviceId()).SetFabricId(fabricId), chip::Inet::kIPAddressType_Any); @@ -637,6 +706,14 @@ CHIP_ERROR DeviceController::SetPairedDeviceList(ByteSpan serialized) return err; } +void DeviceController::PersistNextKeyId() +{ + if (mStorageDelegate != nullptr && mState == State::Initialized) + { + mStorageDelegate->SyncSetKeyValue(kNextAvailableKeyID, &mNextKeyId, sizeof(mNextKeyId)); + } +} + #if CHIP_DEVICE_CONFIG_ENABLE_MDNS void DeviceController::OnNodeIdResolved(const chip::Mdns::ResolvedNodeData & nodeData) { @@ -699,9 +776,11 @@ void DeviceController::OnCommissionableNodeFound(const chip::Mdns::Commissionabl ControllerDeviceInitParams DeviceController::GetControllerDeviceInitParams() { - return ControllerDeviceInitParams{ - .transportMgr = mTransportMgr, .sessionMgr = mSessionMgr, .exchangeMgr = mExchangeMgr, .inetLayer = mInetLayer - }; + return ControllerDeviceInitParams{ .transportMgr = mTransportMgr, + .sessionMgr = mSessionMgr, + .exchangeMgr = mExchangeMgr, + .inetLayer = mInetLayer, + .credentials = &mCredentials }; } DeviceCommissioner::DeviceCommissioner() : @@ -717,8 +796,6 @@ DeviceCommissioner::DeviceCommissioner() : CHIP_ERROR DeviceCommissioner::Init(NodeId localDeviceId, CommissionerInitParams params) { - VerifyOrReturnError(params.operationalCredentialsDelegate != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - ReturnErrorOnFailure(DeviceController::Init(localDeviceId, params)); uint16_t size = sizeof(mNextKeyId); @@ -729,7 +806,6 @@ CHIP_ERROR DeviceCommissioner::Init(NodeId localDeviceId, CommissionerInitParams } mPairingDelegate = params.pairingDelegate; - mOperationalCredentialsDelegate = params.operationalCredentialsDelegate; return CHIP_NO_ERROR; } @@ -1101,21 +1177,21 @@ CHIP_ERROR DeviceCommissioner::ProcessOpCSR(const ByteSpan & CSR, const ByteSpan ReturnErrorOnFailure(mOperationalCredentialsDelegate->GenerateNodeOperationalCertificate( PeerId().SetNodeId(device->GetDeviceId()), CSR, 1, opCert.Get(), kMaxCHIPOpCertLength, opCertLen)); - chip::Platform::ScopedMemoryBuffer signingCert; - ReturnErrorCodeIf(!signingCert.Alloc(kMaxCHIPOpCertLength), CHIP_ERROR_NO_MEMORY); + chip::Platform::ScopedMemoryBuffer issuerCert; + ReturnErrorCodeIf(!issuerCert.Alloc(kMaxCHIPOpCertLength), CHIP_ERROR_NO_MEMORY); ChipLogProgress(Controller, "Getting intermediate CA certificate from the issuer"); - uint32_t signingCertLen = 0; + uint32_t issuerCertLen = 0; CHIP_ERROR err = - mOperationalCredentialsDelegate->GetIntermediateCACertificate(0, signingCert.Get(), kMaxCHIPOpCertLength, signingCertLen); + mOperationalCredentialsDelegate->GetIntermediateCACertificate(0, issuerCert.Get(), kMaxCHIPOpCertLength, issuerCertLen); ChipLogProgress(Controller, "GetIntermediateCACertificate returned %d", err); if (err == CHIP_ERROR_INTERMEDIATE_CA_NOT_REQUIRED) { // This implies that the commissioner application uses root CA to sign the operational // certificates, and an intermediate CA is not needed. It's not an error condition, so // let's just send operational certificate and root CA certificate to the device. - err = CHIP_NO_ERROR; - signingCertLen = 0; + err = CHIP_NO_ERROR; + issuerCertLen = 0; ChipLogProgress(Controller, "Intermediate CA is not needed"); } ReturnErrorOnFailure(err); @@ -1129,9 +1205,9 @@ CHIP_ERROR DeviceCommissioner::ProcessOpCSR(const ByteSpan & CSR, const ByteSpan // TODO - convert ICA cert to ChipCert format and send it to the device. ChipLogProgress(Controller, "Sending operational certificate to the device. Op Cert Len %d, ICA Cert Len %d", opCertLen, - signingCertLen); + issuerCertLen); ReturnErrorOnFailure( - SendOperationalCertificate(device, ByteSpan(chipCert.Get(), opCertLen), ByteSpan(signingCert.Get(), signingCertLen))); + SendOperationalCertificate(device, ByteSpan(chipCert.Get(), opCertLen), ByteSpan(issuerCert.Get(), issuerCertLen))); return CHIP_NO_ERROR; } @@ -1210,20 +1286,12 @@ CHIP_ERROR DeviceCommissioner::SendTrustedRootCertificate(Device * device) { VerifyOrReturnError(device != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - chip::Platform::ScopedMemoryBuffer signingCert; - ReturnErrorCodeIf(!signingCert.Alloc(kMaxCHIPOpCertLength), CHIP_ERROR_NO_MEMORY); - uint32_t signingCertLen = 0; - - ChipLogProgress(Controller, "Getting root certificate from the issuer"); - ReturnErrorOnFailure( - mOperationalCredentialsDelegate->GetRootCACertificate(0, signingCert.Get(), kMaxCHIPOpCertLength, signingCertLen)); - - chip::Platform::ScopedMemoryBuffer chipCert; + Transport::AdminPairingInfo * admin = mAdmins.FindAdminWithId(mAdminId); + VerifyOrReturnError(admin != nullptr, CHIP_ERROR_INCORRECT_STATE); - ReturnErrorCodeIf(!chipCert.Alloc(kMaxCHIPOpCertLength), CHIP_ERROR_NO_MEMORY); - - ReturnErrorOnFailure( - ConvertX509CertToChipCert(signingCert.Get(), signingCertLen, chipCert.Get(), kMaxCHIPOpCertLength, signingCertLen)); + uint16_t rootCertLen = 0; + const uint8_t * rootCert = admin->GetTrustedRoot(rootCertLen); + VerifyOrReturnError(rootCert != nullptr, CHIP_ERROR_INCORRECT_STATE); ChipLogProgress(Controller, "Sending root certificate to the device"); @@ -1233,8 +1301,7 @@ CHIP_ERROR DeviceCommissioner::SendTrustedRootCertificate(Device * device) Callback::Cancelable * successCallback = mRootCertResponseCallback.Cancel(); Callback::Cancelable * failureCallback = mOnRootCertFailureCallback.Cancel(); - ReturnErrorOnFailure( - cluster.AddTrustedRootCertificate(successCallback, failureCallback, ByteSpan(chipCert.Get(), signingCertLen))); + ReturnErrorOnFailure(cluster.AddTrustedRootCertificate(successCallback, failureCallback, ByteSpan(rootCert, rootCertLen))); ChipLogProgress(Controller, "Sent root certificate to the device"); @@ -1321,14 +1388,6 @@ void DeviceCommissioner::PersistDeviceList() } } -void DeviceCommissioner::PersistNextKeyId() -{ - if (mStorageDelegate != nullptr && mState == State::Initialized) - { - mStorageDelegate->SyncSetKeyValue(kNextAvailableKeyID, &mNextKeyId, sizeof(mNextKeyId)); - } -} - void DeviceCommissioner::ReleaseDevice(Device * device) { PersistDeviceList(); diff --git a/src/controller/CHIPDeviceController.h b/src/controller/CHIPDeviceController.h index 8ac871c8f9d52b..10f9c0f9e8ef0a 100644 --- a/src/controller/CHIPDeviceController.h +++ b/src/controller/CHIPDeviceController.h @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -79,6 +80,7 @@ struct ControllerInitParams #if CHIP_DEVICE_CONFIG_ENABLE_MDNS DeviceAddressUpdateDelegate * mDeviceAddressUpdateDelegate = nullptr; #endif + OperationalCredentialsDelegate * operationalCredentialsDelegate = nullptr; }; class DLL_EXPORT DevicePairingDelegate @@ -120,8 +122,6 @@ class DLL_EXPORT DevicePairingDelegate struct CommissionerInitParams : public ControllerInitParams { DevicePairingDelegate * pairingDelegate = nullptr; - - OperationalCredentialsDelegate * operationalCredentialsDelegate = nullptr; }; /** @@ -275,9 +275,19 @@ class DLL_EXPORT DeviceController : public Messaging::ExchangeDelegate, CHIP_ERROR SetPairedDeviceList(ByteSpan pairedDeviceSerializedSet); ControllerDeviceInitParams GetControllerDeviceInitParams(); + void PersistNextKeyId(); + Transport::AdminId mAdminId = 0; Transport::AdminPairingTable mAdmins; + OperationalCredentialsDelegate * mOperationalCredentialsDelegate; + + Credentials::ChipCertificateSet mCertificates; + Credentials::OperationalCredentialSet mCredentials; + Credentials::CertificateKeyId mRootKeyId; + + uint16_t mNextKeyId = 0; + private: //////////// ExchangeDelegate Implementation /////////////// void OnMessageReceived(Messaging::ExchangeContext * ec, const PacketHeader & packetHeader, const PayloadHeader & payloadHeader, @@ -296,6 +306,8 @@ class DLL_EXPORT DeviceController : public Messaging::ExchangeDelegate, #endif // CHIP_DEVICE_CONFIG_ENABLE_MDNS void ReleaseAllDevices(); + + CHIP_ERROR LoadLocalCredentials(Transport::AdminPairingInfo * admin); }; /** @@ -429,7 +441,6 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController, public SessionEst #endif private: - OperationalCredentialsDelegate * mOperationalCredentialsDelegate; DevicePairingDelegate * mPairingDelegate; /* This field is an index in mActiveDevices list. The object at this index in the list @@ -452,8 +463,6 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController, public SessionEst void PersistDeviceList(); - void PersistNextKeyId(); - void FreeRendezvousSession(); CHIP_ERROR LoadKeyId(PersistentStorageDelegate * delegate, uint16_t & out); @@ -525,8 +534,6 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController, public SessionEst CHIP_ERROR ProcessOpCSR(const ByteSpan & CSR, const ByteSpan & CSRNonce, const ByteSpan & VendorReserved1, const ByteSpan & VendorReserved2, const ByteSpan & VendorReserved3, const ByteSpan & Signature); - uint16_t mNextKeyId = 0; - Callback::Callback mOpCSRResponseCallback; Callback::Callback mOpCertResponseCallback; Callback::Callback mRootCertResponseCallback; diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp index c5a7a6de41d84e..37def0f0d48762 100644 --- a/src/credentials/CHIPCert.cpp +++ b/src/credentials/CHIPCert.cpp @@ -491,7 +491,8 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va // Verify the validity time of the certificate, if requested. if (cert->mNotBeforeTime != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotBefore)) { - VerifyOrExit(context.mEffectiveTime >= cert->mNotBeforeTime, err = CHIP_ERROR_CERT_NOT_VALID_YET); + // TODO - enable check for certificate validity dates + // VerifyOrExit(context.mEffectiveTime >= cert->mNotBeforeTime, err = CHIP_ERROR_CERT_NOT_VALID_YET); } if (cert->mNotAfterTime != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotAfter)) { diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp index 4d561ad6704e86..04afe7fd0b5ea7 100644 --- a/src/credentials/tests/TestChipCert.cpp +++ b/src/credentials/tests/TestChipCert.cpp @@ -426,14 +426,16 @@ static void TestChipCert_CertValidTime(nlTestSuite * inSuite, void * inContext) // Before certificate validity period. err = SetEffectiveTime(validContext, 2020, 1, 3); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); - err = certSet.ValidateCert(certSet.GetLastCert(), validContext); - NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); + // TODO - enable check for certificate validity dates + // err = certSet.ValidateCert(certSet.GetLastCert(), validContext); + // NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); // 1 second before validity period. err = SetEffectiveTime(validContext, 2020, 10, 15, 14, 23, 42); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); - err = certSet.ValidateCert(certSet.GetLastCert(), validContext); - NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); + // TODO - enable check for certificate validity dates + // err = certSet.ValidateCert(certSet.GetLastCert(), validContext); + // NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); // 1st second of validity period. err = SetEffectiveTime(validContext, 2020, 10, 15, 14, 23, 43); diff --git a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h index 219696c84de0ee..60408c457ac49d 100644 --- a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h +++ b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h @@ -51,7 +51,7 @@ class CHIPOperationalCredentialsDelegate : public chip::Controller::OperationalC bool ToChipEpochTime(uint32_t offset, uint32_t & epoch); chip::Crypto::P256Keypair mIssuerKey; - uint32_t mIssuerId; + uint32_t mIssuerId = 1234; const uint32_t kCertificateValiditySecs = 365 * 24 * 60 * 60; const NSString * kCHIPCAKeyLabel = @"chip.nodeopcerts.CA:0"; diff --git a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm index d30353d433c371..c29e796f5ffee5 100644 --- a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm +++ b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm @@ -49,7 +49,9 @@ static BOOL isRunningTests(void) if (err == CHIP_NO_ERROR) { // If keys were loaded, or generated, let's get the certificate issuer ID - err = SetIssuerID(storage); + + // TODO - enable generating a random issuer ID and saving it in persistent storage + // err = SetIssuerID(storage); } CHIP_LOG_ERROR("CHIPOperationalCredentialsDelegate::init returning %d", err); diff --git a/src/protocols/secure_channel/CASEServer.cpp b/src/protocols/secure_channel/CASEServer.cpp index 98567927251fbd..0784949b5ab592 100644 --- a/src/protocols/secure_channel/CASEServer.cpp +++ b/src/protocols/secure_channel/CASEServer.cpp @@ -20,10 +20,12 @@ #include #include #include +#include #include using namespace ::chip::Inet; using namespace ::chip::Transport; +using namespace ::chip::Credentials; namespace chip { @@ -41,8 +43,9 @@ CHIP_ERROR CASEServer::ListenForSessionEstablishment(Messaging::ExchangeManager ReturnErrorOnFailure(mPairingSession.MessageDispatch().Init(transportMgr)); + ExchangeDelegateBase * delegate = this; ReturnErrorOnFailure( - mExchangeManager->RegisterUnsolicitedMessageHandlerForType(Protocols::SecureChannel::MsgType::CASE_SigmaR1, this)); + mExchangeManager->RegisterUnsolicitedMessageHandlerForType(Protocols::SecureChannel::MsgType::CASE_SigmaR1, delegate)); return CHIP_NO_ERROR; } @@ -50,19 +53,19 @@ CHIP_ERROR CASEServer::InitCASEHandshake(Messaging::ExchangeContext * ec) { ReturnErrorCodeIf(ec == nullptr, CHIP_ERROR_INVALID_ARGUMENT); - // Lookup the admin that corresponds to the CASE session setup request. - // Each admin provisions their own credentials on the device. So it's essential to - // use the correct operational certificates for CASE session setup. + // TODO - Use PK of the root CA for the initiator to figure out the admin. mAdminId = ec->GetSecureSession().GetAdminId(); - ReturnErrorCodeIf(mAdminId == Transport::kUndefinedAdminId, CHIP_ERROR_INVALID_ARGUMENT); + + // TODO - Use section [4.368] and definition of `Destination Identifier` to find admin ID for CASE SigmaR1 message + // ReturnErrorCodeIf(mAdminId == Transport::kUndefinedAdminId, CHIP_ERROR_INVALID_ARGUMENT); + mAdminId = 0; + + mAdmins->LoadFromStorage(mAdminId); Transport::AdminPairingInfo * admin = mAdmins->FindAdminWithId(mAdminId); ReturnErrorCodeIf(admin == nullptr, CHIP_ERROR_INVALID_ARGUMENT); - ReturnErrorOnFailure(admin->GetOperationalCertificateSet(mCertificates)); - - mCredentials.Release(); - ReturnErrorOnFailure(mCredentials.Init(&mCertificates, mCertificates.GetCertCount())); + ReturnErrorOnFailure(admin->GetCredentials(mCredentials, mCertificates, mRootKeyId)); // Setup CASE state machine using the credentials for the current admin. ReturnErrorOnFailure(mPairingSession.ListenForSessionEstablishment(&mCredentials, mNextKeyId++, this)); @@ -76,7 +79,9 @@ CHIP_ERROR CASEServer::InitCASEHandshake(Messaging::ExchangeContext * ec) void CASEServer::OnMessageReceived(Messaging::ExchangeContext * ec, const PacketHeader & packetHeader, const PayloadHeader & payloadHeader, System::PacketBufferHandle payload) { + ChipLogProgress(Inet, "CASE Server received SigmaR1 message. Starting handshake. EC %p", ec); ReturnOnFailure(InitCASEHandshake(ec)); + mPairingSession.OnMessageReceived(ec, packetHeader, payloadHeader, std::move(payload)); // TODO - Enable multiple concurrent CASE session establishment @@ -95,25 +100,26 @@ void CASEServer::Cleanup() void CASEServer::OnSessionEstablishmentError(CHIP_ERROR err) { - ChipLogProgress(AppServer, "CASE Session establishment failed: %s", ErrorStr(err)); + ChipLogProgress(Inet, "CASE Session establishment failed: %s", ErrorStr(err)); Cleanup(); } void CASEServer::OnSessionEstablished() { - ChipLogProgress(AppServer, "CASE Session established. Setting up the secure channel."); - CHIP_ERROR err = - mSessionMgr->NewPairing(Optional::Value(mPairingSession.PeerConnection().GetPeerAddress()), - mPairingSession.PeerConnection().GetPeerNodeId(), &mPairingSession, - SecureSession::SessionRole::kResponder, mAdminId, nullptr); - if (err != CHIP_NO_ERROR) - { - ChipLogError(Ble, "Failed in setting up secure channel: err %s", ErrorStr(err)); - OnSessionEstablishmentError(err); - return; - } - - ChipLogProgress(AppServer, "CASE secure channel is available now."); + ChipLogProgress(Inet, "CASE Session established. Setting up the secure channel."); + // TODO - enable use of secure session established via CASE + // CHIP_ERROR err = + // mSessionMgr->NewPairing(Optional::Value(mPairingSession.PeerConnection().GetPeerAddress()), + // mPairingSession.PeerConnection().GetPeerNodeId(), &mPairingSession, + // SecureSession::SessionRole::kResponder, mAdminId, nullptr); + // if (err != CHIP_NO_ERROR) + // { + // ChipLogError(Inet, "Failed in setting up secure channel: err %s", ErrorStr(err)); + // OnSessionEstablishmentError(err); + // return; + // } + + ChipLogProgress(Inet, "CASE secure channel is available now."); Cleanup(); } } // namespace chip diff --git a/src/protocols/secure_channel/CASEServer.h b/src/protocols/secure_channel/CASEServer.h index 9aa05389dcbe54..abb95bd67248f5 100644 --- a/src/protocols/secure_channel/CASEServer.h +++ b/src/protocols/secure_channel/CASEServer.h @@ -64,10 +64,12 @@ class CASEServer : public SessionEstablishmentDelegate, public Messaging::Exchan Transport::AdminId mAdminId = Transport::kUndefinedAdminId; Transport::AdminPairingTable * mAdmins = nullptr; - ChipCertificateSet mCertificates; - OperationalCredentialSet mCredentials; + Credentials::ChipCertificateSet mCertificates; + Credentials::OperationalCredentialSet mCredentials; + Credentials::CertificateKeyId mRootKeyId; CHIP_ERROR InitCASEHandshake(Messaging::ExchangeContext * ec); + void Cleanup(); }; diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index 2c1648597f2d27..22110bce97fb58 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -193,6 +193,7 @@ CHIP_ERROR CASESession::Init(OperationalCredentialSet * operationalCredentialSet SessionEstablishmentDelegate * delegate) { VerifyOrReturnError(delegate != nullptr, CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrReturnError(operationalCredentialSet != nullptr, CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(operationalCredentialSet->GetCertCount() > 0, CHIP_ERROR_CERT_NOT_FOUND); Clear(); @@ -325,7 +326,10 @@ CHIP_ERROR CASESession::SendSigmaR1() bbuf.Put16(n_trusted_roots); for (uint16_t i = 0; i < n_trusted_roots; ++i) { - bbuf.Put(mOpCredSet->GetTrustedRootId(i)->mId, kTrustedRootIdSize); + if (mOpCredSet->GetTrustedRootId(i) != nullptr && mOpCredSet->GetTrustedRootId(i)->mId != nullptr) + { + bbuf.Put(mOpCredSet->GetTrustedRootId(i)->mId, kTrustedRootIdSize); + } } bbuf.Put(mEphemeralKey.Pubkey(), mEphemeralKey.Pubkey().Length()); VerifyOrReturnError(bbuf.Fit(), CHIP_ERROR_NO_MEMORY); @@ -721,6 +725,7 @@ CHIP_ERROR CASESession::SendSigmaR3() // Step 1 saltlen = kIPKSize + kSHA256_Hash_Length; + ChipLogDetail(Inet, "Sending SigmaR3"); msg_salt = System::PacketBufferHandle::New(saltlen); VerifyOrExit(!msg_salt.IsNull(), err = CHIP_SYSTEM_ERROR_NO_MEMORY); msg_salt->SetDataLength(saltlen); @@ -971,6 +976,7 @@ CHIP_ERROR CASESession::ConstructSaltSigmaR2(const System::PacketBufferHandle & const uint8_t * ipk, size_t ipkLen, System::PacketBufferHandle & salt) { uint8_t md[kSHA256_Hash_Length]; + memset(salt->Start(), 0, salt->DataLength()); Encoding::LittleEndian::BufferWriter bbuf(salt->Start(), salt->DataLength()); bbuf.Put(ipk, ipkLen); @@ -978,6 +984,7 @@ CHIP_ERROR CASESession::ConstructSaltSigmaR2(const System::PacketBufferHandle & bbuf.Put(pubkey, pubkey.Length()); ReturnErrorOnFailure(mCommissioningHash.Finish(md)); bbuf.Put(md, kSHA256_Hash_Length); + ReturnErrorOnFailure(mCommissioningHash.Begin()); VerifyOrReturnError(bbuf.Fit(), CHIP_ERROR_NO_MEMORY); @@ -987,11 +994,13 @@ CHIP_ERROR CASESession::ConstructSaltSigmaR2(const System::PacketBufferHandle & CHIP_ERROR CASESession::ConstructSaltSigmaR3(const uint8_t * ipk, size_t ipkLen, System::PacketBufferHandle & salt) { uint8_t md[kSHA256_Hash_Length]; + memset(salt->Start(), 0, salt->DataLength()); Encoding::LittleEndian::BufferWriter bbuf(salt->Start(), salt->DataLength()); bbuf.Put(ipk, ipkLen); ReturnErrorOnFailure(mCommissioningHash.Finish(md)); bbuf.Put(md, kSHA256_Hash_Length); + ReturnErrorOnFailure(mCommissioningHash.Begin()); VerifyOrReturnError(bbuf.Fit(), CHIP_ERROR_NO_MEMORY); diff --git a/src/transport/AdminPairingTable.cpp b/src/transport/AdminPairingTable.cpp index 1cf91a65b7721e..6def66c2c34a96 100644 --- a/src/transport/AdminPairingTable.cpp +++ b/src/transport/AdminPairingTable.cpp @@ -113,7 +113,7 @@ CHIP_ERROR AdminPairingInfo::FetchFromKVS(PersistentStorageDelegate * kvs) rootCertLen = Encoding::LittleEndian::HostSwap16(info->mRootCertLen); opCertLen = Encoding::LittleEndian::HostSwap16(info->mOpCertLen); - VerifyOrExit(mAdmin != id, err = CHIP_ERROR_INCORRECT_STATE); + VerifyOrExit(mAdmin == id, err = CHIP_ERROR_INCORRECT_STATE); if (mOperationalKey == nullptr) { @@ -122,6 +122,7 @@ CHIP_ERROR AdminPairingInfo::FetchFromKVS(PersistentStorageDelegate * kvs) VerifyOrExit(mOperationalKey != nullptr, err = CHIP_ERROR_NO_MEMORY); SuccessOrExit(err = mOperationalKey->Deserialize(info->mOperationalKey)); + ChipLogProgress(Inet, "Loading certs from KVS"); SuccessOrExit(SetRootCert(ByteSpan(info->mRootCert, rootCertLen))); SuccessOrExit(SetOperationalCert(ByteSpan(info->mOperationalCert, opCertLen))); @@ -250,17 +251,28 @@ CHIP_ERROR AdminPairingInfo::SetOperationalCert(const ByteSpan & cert) return CHIP_NO_ERROR; } -CHIP_ERROR AdminPairingInfo::GetOperationalCertificateSet(ChipCertificateSet & certSet) +CHIP_ERROR AdminPairingInfo::GetCredentials(OperationalCredentialSet & credentials, ChipCertificateSet & certificates, + CertificateKeyId & rootKeyId) { constexpr uint8_t kMaxNumCertsInOpCreds = 3; - ReturnErrorOnFailure(certSet.Init(kMaxNumCertsInOpCreds, kMaxChipCertSize * kMaxNumCertsInOpCreds)); + ReturnErrorOnFailure(certificates.Init(kMaxNumCertsInOpCreds, kMaxChipCertSize * kMaxNumCertsInOpCreds)); ReturnErrorOnFailure( - certSet.LoadCert(mRootCert, mRootCertLen, - BitFlags(CertDecodeFlags::kIsTrustAnchor).Set(CertDecodeFlags::kGenerateTBSHash))); + certificates.LoadCert(mRootCert, mRootCertLen, + BitFlags(CertDecodeFlags::kIsTrustAnchor).Set(CertDecodeFlags::kGenerateTBSHash))); + // TODO - Add support of ICA certificates - ReturnErrorOnFailure( - certSet.LoadCert(mOperationalCert, mOpCertLen, BitFlags(CertDecodeFlags::kGenerateTBSHash))); + + credentials.Release(); + ReturnErrorOnFailure(credentials.Init(&certificates, certificates.GetCertCount())); + + const CertificateKeyId * id = credentials.GetTrustedRootId(0); + rootKeyId.mId = id->mId; + rootKeyId.mLen = id->mLen; + + ReturnErrorOnFailure(credentials.SetDevOpCred(rootKeyId, mOperationalCert, mOpCertLen)); + ReturnErrorOnFailure(credentials.SetDevOpCredKeypair(rootKeyId, mOperationalKey)); + return CHIP_NO_ERROR; } diff --git a/src/transport/AdminPairingTable.h b/src/transport/AdminPairingTable.h index e8ff316dd6bf65..81a371e5ebfda3 100644 --- a/src/transport/AdminPairingTable.h +++ b/src/transport/AdminPairingTable.h @@ -23,7 +23,7 @@ #include #include -#include +#include #include #include #include @@ -88,16 +88,36 @@ class DLL_EXPORT AdminPairingInfo uint16_t GetVendorId() const { return mVendorId; } void SetVendorId(uint16_t vendorId) { mVendorId = vendorId; } - Crypto::P256Keypair * GetOperationalKey() { return mOperationalKey; } + Crypto::P256Keypair * GetOperationalKey() + { + if (mOperationalKey == nullptr) + { + mOperationalKey = chip::Platform::New(); + mOperationalKey->Initialize(); + } + return mOperationalKey; + } CHIP_ERROR SetOperationalKey(const Crypto::P256Keypair & key); + bool AreCredentialsAvailable() const + { + return (mRootCert != nullptr && mOperationalCert != nullptr && mRootCertLen != 0 && mOpCertLen != 0); + } + + CHIP_ERROR GetCredentials(Credentials::OperationalCredentialSet & credentials, Credentials::ChipCertificateSet & certSet, + Credentials::CertificateKeyId & rootKeyId); + + const uint8_t * GetTrustedRoot(uint16_t & size) + { + size = mRootCertLen; + return mRootCert; + } + // TODO - Update these APIs to take ownership of the buffer, instead of copying // internally. CHIP_ERROR SetOperationalCert(const chip::ByteSpan & cert); CHIP_ERROR SetRootCert(const chip::ByteSpan & cert); - CHIP_ERROR GetOperationalCertificateSet(Credentials::ChipCertificateSet & certSet); - const AccessControlList & GetACL() const { return mACL; } AccessControlList & GetACL() { return mACL; } void SetACL(const AccessControlList & acl) { mACL = acl; }