Allow using MTROperationalCertificateIssuer but letting the Matter framework perform device attestation checks. (#24371)

* Allow using MTROperationalCertificateIssuer but letting the Matter framework perform device attestation checks.

This gives MTROperationalCertificateIssuer implementations control over whether
they want to take over the device attestation checks that require roots of trust
or whether they want to allow Matter.framework to perform those checks itself,
using the roots of trust it was provided.

Fixes #24310

* Address review comment.

* Address more review comments.
bzbarsky-apple authored and pull[bot] committed Jun 7, 2023

1 parent fcde2da commit 3861055
Showing 3 changed files with 36 additions and 11 deletions.
6 changes: 6 additions & 0 deletions src/darwin/Framework/CHIP/MTRDeviceController.mm
@@ -558,8 +558,12 @@ - (BOOL)setOperationalCertificateIssuer:(nullable id<MTROperationalCertificateIs
}

auto block = ^{
BOOL usePartialDACVerifier = NO;
if (operationalCertificateIssuer != nil) {
self->_operationalCredentialsDelegate->SetOperationalCertificateIssuer(operationalCertificateIssuer, queue);
usePartialDACVerifier = operationalCertificateIssuer.shouldSkipAttestationCertificateValidation;
}
if (usePartialDACVerifier) {
self->_cppCommissioner->SetDeviceAttestationVerifier(self->_partialDACVerifier);
} else {
// TODO: Once we are not supporting setNocChainIssuer this
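Review bot: `shouldSkipAttestationCertificateValidation` is read exactly once here, inside the block that runs when `setOperationalCertificateIssuer:` is called, so a later change in the issuer's answer has no effect on which verifier the commissioner uses; the header should say the value is sampled at set time, not per commissioning. When the property returns NO with a non-nil issuer, the branch falls through to the default verifier, which only works if `productAttestationAuthorityCertificates` were supplied at factory startup; a log line stating which verifier was selected (partial vs. default) would make that misconfiguration diagnosable instead of surfacing only as an attestation failure during commissioning.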
@@ -921,6 +925,7 @@ - (void)onPairingDeleted:(NSError * _Nullable)error
*/
@interface MTROperationalCertificateChainIssuerShim : NSObject <MTROperationalCertificateIssuer>
@property (nonatomic, readonly) id<MTRNOCChainIssuer> nocChainIssuer;
@property (nonatomic, readonly) BOOL shouldSkipAttestationCertificateValidation;
- (instancetype)initWithIssuer:(id<MTRNOCChainIssuer>)nocChainIssuer;
@end

@@ -929,6 +934,7 @@ - (instancetype)initWithIssuer:(id<MTRNOCChainIssuer>)nocChainIssuer
{
if (self = [super init]) {
_nocChainIssuer = nocChainIssuer;
_shouldSkipAttestationCertificateValidation = YES;
}
return self;
}
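Review bot: hard-coding `_shouldSkipAttestationCertificateValidation = YES` in the shim keeps the previous behaviour for the deprecated `MTRNOCChainIssuer` path (trust-anchor attestation checks delegated to the issuer), which is the right compatibility default, but the init should carry a one-line comment saying so; otherwise a reader of the shim cannot tell whether the YES is deliberate or a leftover.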
11 changes: 0 additions & 11 deletions src/darwin/Framework/CHIP/MTRDeviceControllerStartupParams.h
@@ -193,17 +193,6 @@ NS_ASSUME_NONNULL_BEGIN
* when commmissioning devices. Allowed to be nil if this controller either
* does not issue operational certificates at all or internally generates the
* certificates to be issued. In the latter case, nocSigner must not be nil.
*
* When this property is non-nill, all device attestation checks that require
* some sort of trust anchors are delegated to the operationalCertificateIssuer.
* Specifically, the following device attestation checks are not performed and
* must be done by the operationalCertificateIssuer:
*
* (1) Make sure the PAA is valid and approved by CSA.
* (2) VID-scoped PAA check: if the PAA is VID scoped, then its VID must match the DAC VID.
* (3) cert chain check: verify PAI is signed by PAA, and DAC is signed by PAI.
* (4) PAA subject key id extraction: the PAA subject key must match the PAA key referenced in the PAI.
* (5) CD signature check: make sure a valid CSA CD key is used to sign the CD.
*/
@property (nonatomic, strong, nullable) id<MTROperationalCertificateIssuer> operationalCertificateIssuer MTR_NEWLY_AVAILABLE;

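Review bot: removing this paragraph leaves `MTRDeviceControllerStartupParams.h` with no mention that setting `operationalCertificateIssuer` can affect which device attestation checks the framework performs; since the behaviour is now controlled by the issuer, the remaining doc comment should keep a one-line pointer to `shouldSkipAttestationCertificateValidation` on `MTROperationalCertificateIssuer` so readers of this header know where the delegation is decided.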
30 changes: 30 additions & 0 deletions src/darwin/Framework/CHIP/MTROperationalCertificateIssuer.h
@@ -66,12 +66,42 @@ MTR_NEWLY_AVAILABLE
* and resume when the completion is invoked with a non-nil
* MTROperationalCertificateInfo. When the completion is invoked with an error,
* commissioning will fail.
*
* This will be called on the dispatch queue passed as
* operationalCertificateIssuerQueue in the MTRDeviceControllerFactoryParams.
*/
- (void)issueOperationalCertificateForRequest:(MTROperationalCSRInfo *)csrInfo
attestationInfo:(MTRAttestationInfo *)attestationInfo
controller:(MTRDeviceController *)controller
completion:(MTROperationalCertificateIssuedHandler)completion;

/**
* A way for MTROperationalCertificateIssuer to control whether it wants the
* Matter framework to perform device attestation checks that require trust
* anchors. If this returns NO, then productAttestationAuthorityCertificates
* should be passed in via MTRDeviceControllerFactoryParams, as well as any
* desired additional certificationDeclarationCertificates.
*
* If this returns YES, then all device attestation checks that require some
* sort of trust anchors are delegated to this MTROperationalCertificateIssuer,
* which can use the arguments passed to
* issueOperationalCertificateForRequest:attestationInfo:controller:completion:
* to perform the checks.
*
* Specifically, the following device attestation checks are not performed and
* must be done by the MTROperationalCertificateIssuer:
*
* (1) Make sure the PAA is valid and approved by CSA.
* (2) VID-scoped PAA check: if the PAA is VID scoped, then its VID must match the DAC VID.
* (3) cert chain check: verify PAI is signed by PAA, and DAC is signed by PAI.
* (4) PAA subject key id extraction: the PAA subject key must match the PAA key referenced in the PAI.
* (5) CD signature check: make sure a valid CSA CD key is used to sign the CD.
*
* This will be read on an arbitrary queue and must not block or call any
* Matter APIs.
*/
@property (nonatomic, readonly) BOOL shouldSkipAttestationCertificateValidation;

@end

MTR_NEWLY_DEPRECATED("Please use MTROperationalCertificateIssuedHandler")
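Review bot: the doc says the property "will be read on an arbitrary queue" but not when; the controller hunk samples it once when the issuer is set, so state that the value must be stable from the moment the issuer is installed. The NO case is described with "should be passed in" for `productAttestationAuthorityCertificates`, yet nothing in this change enforces or reports their absence; say plainly that without PAA roots the framework's own checks (1) through (4) cannot succeed and commissioning will fail attestation, so implementers do not read "should" as optional.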
