Cleanup Just-In-Time Provisioning feature (#10136)
* Cleanup Just-In-Time Provisioning Configuration

* Remove un-used config keys
yufengwangca authored Oct 1, 2021
1 parent 3f84d7c commit 3a5f1e0
Showing 28 changed files with 169 additions and 504 deletions.
1 change: 0 additions & 1 deletion src/app/BUILD.gn
Expand Up @@ -107,7 +107,6 @@ static_library("app") {
defines = [
"CONFIG_USE_CLUSTERS_FOR_IP_COMMISSIONING=1",
"CHIP_DEVICE_CONFIG_ENABLE_EXTENDED_DISCOVERY=1",
"CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING=1",
]
}

20 changes: 0 additions & 20 deletions src/include/platform/CHIPDeviceConfig.h
Expand Up @@ -588,26 +588,6 @@
#define CHIP_DEVICE_CONFIG_SERVICE_PROVISIONING_REQUEST_TIMEOUT 10000
#endif

// -------------------- Just-In-Time Provisioning Configuration --------------------

/**
* CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
*
* Enable just-in-time provisioning functionality in the chip Device Layer.
*
* When enabled, device creates and uses its ephemeral operational credentials:
* - operational device id
* - operational device self-signed certificate
* - operational device private key
* When enabled, device also implements certificate provisioning protocol and uses it to obtain
* service assigned certificate from the Certification Authority Service.
*
* Then, device uses these credentials to authenticate and communicate to other chip nodes.
*/
#ifndef CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
#define CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING 0
#endif

// -------------------- Thread Configuration --------------------

/**
57 changes: 0 additions & 57 deletions src/include/platform/ConfigurationManager.h
Expand Up @@ -103,12 +103,6 @@ class ConfigurationManager
CHIP_ERROR StoreManufacturingDate(const char * mfgDate, size_t mfgDateLen);
CHIP_ERROR StoreProductRevision(uint16_t productRev);
CHIP_ERROR StoreFabricId(uint64_t fabricId);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR StoreDeviceId(uint64_t deviceId);
CHIP_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
CHIP_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
#endif
CHIP_ERROR StoreManufacturerDeviceId(uint64_t deviceId);
CHIP_ERROR StoreManufacturerDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR StoreManufacturerDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
Expand Down Expand Up @@ -138,10 +132,6 @@ class ConfigurationManager
bool IsPairedToAccount();
bool IsMemberOfFabric();
bool IsFullyProvisioned();
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool OperationalDeviceCredentialsProvisioned();
#endif

void InitiateFactoryReset();

CHIP_ERROR ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize);
Expand Down Expand Up @@ -178,10 +168,6 @@ class ConfigurationManager
CHIP_ERROR SetFailSafeArmed(bool val);
CHIP_ERROR ReadPersistedStorageValue(::chip::Platform::PersistedStorage::Key key, uint32_t & value);
CHIP_ERROR WritePersistedStorageValue(::chip::Platform::PersistedStorage::Key key, uint32_t value);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR ClearOperationalDeviceCredentials(void);
void UseManufacturerCredentialsAsOperational(bool val);
#endif

protected:
// Construction/destruction limited to subclasses.
Expand Down Expand Up @@ -432,30 +418,6 @@ inline CHIP_ERROR ConfigurationManager::StoreFabricId(uint64_t fabricId)
return static_cast<ImplClass *>(this)->_StoreFabricId(fabricId);
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline CHIP_ERROR ConfigurationManager::StoreDeviceId(uint64_t deviceId)
{
return static_cast<ImplClass *>(this)->_StoreDeviceId(deviceId);
}

inline CHIP_ERROR ConfigurationManager::StoreDeviceCertificate(const uint8_t * cert, size_t certLen)
{
return static_cast<ImplClass *>(this)->_StoreDeviceCertificate(cert, certLen);
}

inline CHIP_ERROR ConfigurationManager::StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen)
{
return static_cast<ImplClass *>(this)->_StoreDeviceIntermediateCACerts(certs, certsLen);
}

inline CHIP_ERROR ConfigurationManager::StoreDevicePrivateKey(const uint8_t * key, size_t keyLen)
{
return static_cast<ImplClass *>(this)->_StoreDevicePrivateKey(key, keyLen);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline CHIP_ERROR ConfigurationManager::StoreManufacturerDeviceId(uint64_t deviceId)
{
return static_cast<ImplClass *>(this)->_StoreManufacturerDeviceId(deviceId);
Expand Down Expand Up @@ -614,25 +576,6 @@ inline CHIP_ERROR ConfigurationManager::SetFailSafeArmed(bool val)
return static_cast<ImplClass *>(this)->_SetFailSafeArmed(val);
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline bool ConfigurationManager::OperationalDeviceCredentialsProvisioned()
{
return static_cast<ImplClass *>(this)->_OperationalDeviceCredentialsProvisioned();
}

inline CHIP_ERROR ConfigurationManager::ClearOperationalDeviceCredentials(void)
{
return static_cast<ImplClass *>(this)->_ClearOperationalDeviceCredentials();
}

inline void ConfigurationManager::UseManufacturerCredentialsAsOperational(bool val)
{
static_cast<ImplClass *>(this)->_UseManufacturerCredentialsAsOperational(val);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline void ConfigurationManager::LogDeviceConfig()
{
static_cast<ImplClass *>(this)->_LogDeviceConfig();
126 changes: 5 additions & 121 deletions src/include/platform/internal/GenericConfigurationManagerImpl.cpp
Expand Up @@ -56,9 +56,7 @@ CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_Init()
mFlags.ClearAll()
.Set(Flags::kIsServiceProvisioned, Impl()->ConfigValueExists(ImplClass::kConfigKey_ServiceConfig))
.Set(Flags::kIsMemberOfFabric, Impl()->ConfigValueExists(ImplClass::kConfigKey_FabricId))
.Set(Flags::kIsPairedToAccount, Impl()->ConfigValueExists(ImplClass::kConfigKey_PairedAccountId))
.Set(Flags::kOperationalDeviceCredentialsProvisioned,
Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDeviceCert));
.Set(Flags::kIsPairedToAccount, Impl()->ConfigValueExists(ImplClass::kConfigKey_PairedAccountId));

#if CHIP_ENABLE_ROTATING_DEVICE_ID
mLifetimePersistedCounter.Init(CHIP_CONFIG_LIFETIIME_PERSISTED_COUNTER_KEY);
Expand Down Expand Up @@ -431,139 +429,28 @@ CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreManufacturerDeviceP
template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceId(uint64_t & deviceId)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValue(ImplClass::kConfigKey_OperationalDeviceId, deviceId);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceId(deviceId);
}

return err;
return Impl()->_GetManufacturerDeviceId(deviceId);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDeviceCert, buf, bufSize, certLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceCertificate(buf, bufSize, certLen);
}

return err;
return Impl()->_GetManufacturerDeviceCertificate(buf, bufSize, certLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize,
size_t & certsLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDeviceICACerts, buf, bufSize, certsLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceIntermediateCACerts(buf, bufSize, certsLen);
}

return err;
return Impl()->_GetManufacturerDeviceIntermediateCACerts(buf, bufSize, certsLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDevicePrivateKey, buf, bufSize, keyLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDevicePrivateKey(buf, bufSize, keyLen);
}

return err;
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceId(uint64_t deviceId)
{
return Impl()->WriteConfigValue(ImplClass::kConfigKey_OperationalDeviceId, deviceId);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceCertificate(const uint8_t * cert, size_t certLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceCert, cert, certLen);
return Impl()->_GetManufacturerDevicePrivateKey(buf, bufSize, keyLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceICACerts, certs, certsLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDevicePrivateKey(const uint8_t * key, size_t keyLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDevicePrivateKey, key, keyLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_ClearOperationalDeviceCredentials(void)
{
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceId);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey);

mFlags.Clear(Flags::kOperationalDeviceCredentialsProvisioned);

return CHIP_NO_ERROR;
}

template <class ImplClass>
bool GenericConfigurationManagerImpl<ImplClass>::_OperationalDeviceCredentialsProvisioned()
{
return mFlags.Has(Flags::kOperationalDeviceCredentialsProvisioned);
}

template <class ImplClass>
bool GenericConfigurationManagerImpl<ImplClass>::UseManufacturerCredentialsAsOperational()
{
return mFlags.Has(Flags::kUseManufacturerCredentialsAsOperational);
}

template <class ImplClass>
void GenericConfigurationManagerImpl<ImplClass>::_UseManufacturerCredentialsAsOperational(bool val)
{
mFlags.Set(Flags::kUseManufacturerCredentialsAsOperational, val);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetSetupPinCode(uint32_t & setupPinCode)
{
Expand Down Expand Up @@ -923,9 +810,6 @@ bool GenericConfigurationManagerImpl<ImplClass>::_IsFullyProvisioned()
#endif
#if CHIP_DEVICE_CONFIG_ENABLE_THREAD
ConnectivityMgr().IsThreadProvisioned() &&
#endif
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
(!UseManufacturerCredentialsAsOperational() && _OperationalDeviceCredentialsProvisioned()) &&
#endif
// TODO: Add checks regarding fabric membership (IsMemberOfFabric()) and account pairing (IsPairedToAccount()),
// when functionalities will be implemented.
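Review bot: In the hunk starting at `_GetDeviceId`, every reader and writer of the `kConfigKey_OperationalDevice*` keys is removed together with `_ClearOperationalDeviceCredentials()`, so any value a device already persisted under those keys, including the operational private key, stays in storage with no visible code path that erases it. Whether a factory reset wipes the whole config namespace cannot be seen from this page, so it should be confirmed per platform, or a one-time `ClearConfigValue` of the four keys kept for upgraded devices before the key constants are dropped. Separately, `_GetDeviceId`, `_GetDeviceCertificate`, `_GetDeviceIntermediateCACerts` and `_GetDevicePrivateKey` are now plain forwards to the `_GetManufacturer*` accessors. A comment on each, such as `// Operational credentials are no longer stored separately; this returns the manufacturer-provisioned value.`, would keep callers from assuming a distinct operational key exists.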
18 changes: 1 addition & 17 deletions src/include/platform/internal/GenericConfigurationManagerImpl.h
Expand Up @@ -77,13 +77,6 @@ class GenericConfigurationManagerImpl
CHIP_ERROR _GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
CHIP_ERROR _GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize, size_t & certsLen);
CHIP_ERROR _GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR _StoreDeviceId(uint64_t deviceId);
CHIP_ERROR _StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR _StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
CHIP_ERROR _StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
CHIP_ERROR _ClearOperationalDeviceCredentials(void);
#endif
CHIP_ERROR _GetManufacturerDeviceId(uint64_t & deviceId);
CHIP_ERROR _StoreManufacturerDeviceId(uint64_t deviceId);
CHIP_ERROR _GetManufacturerDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
Expand Down Expand Up @@ -138,10 +131,6 @@ class GenericConfigurationManagerImpl
bool _IsPairedToAccount();
bool _IsFullyProvisioned();
CHIP_ERROR _ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool _OperationalDeviceCredentialsProvisioned();
void _UseManufacturerCredentialsAsOperational(bool val);
#endif
void _LogDeviceConfig();

protected:
Expand All @@ -150,8 +139,7 @@ class GenericConfigurationManagerImpl
kIsServiceProvisioned = 0x01,
kIsMemberOfFabric = 0x02,
kIsPairedToAccount = 0x04,
kOperationalDeviceCredentialsProvisioned = 0x08,
kUseManufacturerCredentialsAsOperational = 0x10,
kUseManufacturerCredentialsAsOperational = 0x08,
};

BitFlags<Flags> mFlags;
Expand All @@ -162,10 +150,6 @@ class GenericConfigurationManagerImpl

private:
ImplClass * Impl() { return static_cast<ImplClass *>(this); }

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool UseManufacturerCredentialsAsOperational();
#endif
};

// Instruct the compiler to instantiate the template only when explicitly told to do so.
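Review bot: The `Flags` enum hunk keeps `kUseManufacturerCredentialsAsOperational` and renumbers it to `0x08`, but this commit removes both `UseManufacturerCredentialsAsOperational()` and `_UseManufacturerCredentialsAsOperational(bool)`, so in the files shown nothing sets or tests that bit any more. Unless one of the changed files not visible on this page still uses it, the enumerator should be dropped so the enum ends at `kIsPairedToAccount = 0x04,`. A dead flag named after a credential-selection mode invites a later reader to believe the mode is still switchable. The renumbering itself looks harmless as far as visible, since `_Init` rebuilds `mFlags` with `ClearAll()` rather than loading stored bits. The class body continues outside this hunk.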
28 changes: 12 additions & 16 deletions src/platform/Darwin/PosixConfig.cpp
Expand Up @@ -54,22 +54,18 @@ const PosixConfig::Key PosixConfig::kConfigKey_SetupPinCode = { kConfigNa
const PosixConfig::Key PosixConfig::kConfigKey_SetupDiscriminator = { kConfigNamespace_ChipFactory, "discriminator" };

// Keys stored in the Chip-config namespace
const PosixConfig::Key PosixConfig::kConfigKey_FabricId = { kConfigNamespace_ChipConfig, "fabric-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceConfig = { kConfigNamespace_ChipConfig, "service-config" };
const PosixConfig::Key PosixConfig::kConfigKey_PairedAccountId = { kConfigNamespace_ChipConfig, "account-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceId = { kConfigNamespace_ChipConfig, "service-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricSecret = { kConfigNamespace_ChipConfig, "fabric-secret" };
const PosixConfig::Key PosixConfig::kConfigKey_GroupKeyIndex = { kConfigNamespace_ChipConfig, "group-key-index" };
const PosixConfig::Key PosixConfig::kConfigKey_LastUsedEpochKeyId = { kConfigNamespace_ChipConfig, "last-ek-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FailSafeArmed = { kConfigNamespace_ChipConfig, "fail-safe-armed" };
const PosixConfig::Key PosixConfig::kConfigKey_WiFiStationSecType = { kConfigNamespace_ChipConfig, "sta-sec-type" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceId = { kConfigNamespace_ChipConfig, "op-device-id" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceCert = { kConfigNamespace_ChipConfig, "op-device-cert" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceICACerts = { kConfigNamespace_ChipConfig, "op-device-ca-certs" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDevicePrivateKey = { kConfigNamespace_ChipConfig, "op-device-key" };
const PosixConfig::Key PosixConfig::kConfigKey_RegulatoryLocation = { kConfigNamespace_ChipConfig, "regulatory-location" };
const PosixConfig::Key PosixConfig::kConfigKey_CountryCode = { kConfigNamespace_ChipConfig, "country-code" };
const PosixConfig::Key PosixConfig::kConfigKey_Breadcrumb = { kConfigNamespace_ChipConfig, "breadcrumb" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricId = { kConfigNamespace_ChipConfig, "fabric-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceConfig = { kConfigNamespace_ChipConfig, "service-config" };
const PosixConfig::Key PosixConfig::kConfigKey_PairedAccountId = { kConfigNamespace_ChipConfig, "account-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceId = { kConfigNamespace_ChipConfig, "service-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricSecret = { kConfigNamespace_ChipConfig, "fabric-secret" };
const PosixConfig::Key PosixConfig::kConfigKey_GroupKeyIndex = { kConfigNamespace_ChipConfig, "group-key-index" };
const PosixConfig::Key PosixConfig::kConfigKey_LastUsedEpochKeyId = { kConfigNamespace_ChipConfig, "last-ek-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FailSafeArmed = { kConfigNamespace_ChipConfig, "fail-safe-armed" };
const PosixConfig::Key PosixConfig::kConfigKey_WiFiStationSecType = { kConfigNamespace_ChipConfig, "sta-sec-type" };
const PosixConfig::Key PosixConfig::kConfigKey_RegulatoryLocation = { kConfigNamespace_ChipConfig, "regulatory-location" };
const PosixConfig::Key PosixConfig::kConfigKey_CountryCode = { kConfigNamespace_ChipConfig, "country-code" };
const PosixConfig::Key PosixConfig::kConfigKey_Breadcrumb = { kConfigNamespace_ChipConfig, "breadcrumb" };

// Prefix used for NVS keys that contain Chip group encryption keys.
const char PosixConfig::kGroupKeyNamePrefix[] = "gk-";
4 changes: 0 additions & 4 deletions src/platform/Darwin/PosixConfig.h
Expand Up @@ -69,10 +69,6 @@ class PosixConfig
static const Key kConfigKey_LastUsedEpochKeyId;
static const Key kConfigKey_FailSafeArmed;
static const Key kConfigKey_WiFiStationSecType;
static const Key kConfigKey_OperationalDeviceId;
static const Key kConfigKey_OperationalDeviceCert;
static const Key kConfigKey_OperationalDeviceICACerts;
static const Key kConfigKey_OperationalDevicePrivateKey;
static const Key kConfigKey_SetupDiscriminator;
static const Key kConfigKey_RegulatoryLocation;
static const Key kConfigKey_CountryCode;