Fix sequence of root cert and op cert provisioning (#8550)

* Fix sequence of root cert and op cert provisioning * address review comments * Update operational credentials delegate to use single API * cleanup delegate API * Fix Android build
project-chip · Aug 23, 2021 · 4777459 · 4777459
1 parent aac2a57
commit 4777459
Show file tree

Hide file tree

Showing 22 changed files with 482 additions and 468 deletions.
diff --git a/examples/chip-tool/commands/clusters/Commands.h b/examples/chip-tool/commands/clusters/Commands.h
@@ -597,9 +597,8 @@ static void OnOperationalCredentialsClusterNOCResponse(void * context, uint8_t S
     command->SetCommandExitStatus(CHIP_NO_ERROR);
 }
 
-static void OnOperationalCredentialsClusterOpCSRResponse(void * context, chip::ByteSpan CSR, chip::ByteSpan CSRNonce,
-                                                         chip::ByteSpan VendorReserved1, chip::ByteSpan VendorReserved2,
-                                                         chip::ByteSpan VendorReserved3, chip::ByteSpan Signature)
+static void OnOperationalCredentialsClusterOpCSRResponse(void * context, chip::ByteSpan NOCSRElements,
+                                                         chip::ByteSpan AttestationSignature)
 {
     ChipLogProgress(chipTool, "OperationalCredentialsClusterOpCSRResponse");
 

diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -45,6 +45,9 @@ using namespace chip;
 using namespace ::chip::DeviceLayer;
 using namespace ::chip::Transport;
 
+// As per specifications section 11.22.5.1. Constant RESP_MAX
+constexpr uint16_t kMaxRspLen = 900;
+
 /*
  * Temporary flow for fabric management until addOptCert + fabric index are implemented:
  * 1) When Commissioner pairs with CHIP device, store device nodeId in Fabric table as NodeId
@@ -446,12 +449,16 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
     chip::Platform::ScopedMemoryBuffer<uint8_t> csr;
     size_t csrLength = Crypto::kMAX_CSR_Length;
 
+    chip::Platform::ScopedMemoryBuffer<uint8_t> csrElements;
+
     emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: commissioner has requested an OpCSR");
 
     app::CommandPathParams cmdParams = { emberAfCurrentEndpoint(), /* group id */ 0, ZCL_OPERATIONAL_CREDENTIALS_CLUSTER_ID,
                                          ZCL_OP_CSR_RESPONSE_COMMAND_ID, (chip::app::CommandPathFlags::kEndpointIdValid) };
 
     TLV::TLVWriter * writer = nullptr;
+    TLV::TLVWriter csrElementWriter;
+    TLV::TLVType containerType;
 
     // Fetch current fabric
     FabricInfo * fabric = retrieveCurrentFabric();
@@ -471,16 +478,28 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
     VerifyOrExit(err == CHIP_NO_ERROR, status = EMBER_ZCL_STATUS_FAILURE);
     VerifyOrExit(csrLength < UINT8_MAX, status = EMBER_ZCL_STATUS_FAILURE);
 
+    VerifyOrExit(csrElements.Alloc(kMaxRspLen), status = EMBER_ZCL_STATUS_FAILURE);
+    csrElementWriter.Init(csrElements.Get(), kMaxRspLen);
+
+    SuccessOrExit(err = csrElementWriter.StartContainer(TLV::AnonymousTag, TLV::TLVType::kTLVType_Structure, containerType));
+    SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(1), ByteSpan(csr.Get(), csrLength)));
+    SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(2), CSRNonce));
+    SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(3), ByteSpan()));
+    SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(4), ByteSpan()));
+    SuccessOrExit(err = csrElementWriter.Put(TLV::ContextTag(5), ByteSpan()));
+    SuccessOrExit(err = csrElementWriter.EndContainer(containerType));
+    SuccessOrExit(err = csrElementWriter.Finalize());
+
     VerifyOrExit(commandObj != nullptr, err = CHIP_ERROR_INCORRECT_STATE);
 
     SuccessOrExit(err = commandObj->PrepareCommand(cmdParams));
     writer = commandObj->GetCommandDataElementTLVWriter();
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(0), ByteSpan(csr.Get(), csrLength)));
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(1), CSRNonce));
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(2), ByteSpan(nullptr, 0)));
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(3), ByteSpan(nullptr, 0)));
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(4), ByteSpan(nullptr, 0)));
-    SuccessOrExit(err = writer->Put(TLV::ContextTag(5), ByteSpan(nullptr, 0)));
+
+    // Write CSR Elements
+    SuccessOrExit(err = writer->Put(TLV::ContextTag(0), ByteSpan(csrElements.Get(), csrElementWriter.GetLengthWritten())));
+
+    // TODO - Write attestation signature using attestation key
+    SuccessOrExit(err = writer->Put(TLV::ContextTag(1), ByteSpan()));
     SuccessOrExit(err = commandObj->FinishCommand());
 
 exit:

diff --git a/src/app/common/gen/callback.h b/src/app/common/gen/callback.h
@@ -15815,9 +15815,7 @@ bool emberAfOperationalCredentialsClusterOpCSRRequestCallback(chip::EndpointId e
  * @brief  Cluster OpCSRResponse Command callback (from server)
  */
 bool emberAfOperationalCredentialsClusterOpCSRResponseCallback(chip::EndpointId endpoint, chip::app::CommandSender * commandObj,
-                                                               chip::ByteSpan CSR, chip::ByteSpan CSRNonce,
-                                                               chip::ByteSpan VendorReserved1, chip::ByteSpan VendorReserved2,
-                                                               chip::ByteSpan VendorReserved3, chip::ByteSpan Signature);
+                                                               chip::ByteSpan NOCSRElements, chip::ByteSpan AttestationSignature);
 /**
  * @brief  Cluster AddNOC Command callback (from client)
  */

diff --git a/src/app/common/gen/client-command-macro.h b/src/app/common/gen/client-command-macro.h
@@ -2244,19 +2244,14 @@
 /** @brief Command description for OpCSRResponse
  *
  * Command: OpCSRResponse
- * @param CSR OCTET_STRING
- * @param CSRNonce OCTET_STRING
- * @param VendorReserved1 OCTET_STRING
- * @param VendorReserved2 OCTET_STRING
- * @param VendorReserved3 OCTET_STRING
- * @param Signature OCTET_STRING
+ * @param NOCSRElements OCTET_STRING
+ * @param AttestationSignature OCTET_STRING
  */
 #define emberAfFillCommandOperational                                                                                              \
-    CredentialsClusterOpCSRResponse(CSR, CSRNonce, VendorReserved1, VendorReserved2, VendorReserved3, Signature)                   \
+    CredentialsClusterOpCSRResponse(NOCSRElements, AttestationSignature)                                                           \
         emberAfFillExternalBuffer(mask,                                                                                            \
                                                                                                                                    \
-                                  ZCL_OP_CSR_RESPONSE_COMMAND_ID, "uuuuuu", CSR, CSRNonce, VendorReserved1, VendorReserved2,       \
-                                  VendorReserved3, Signature);
+                                  ZCL_OP_CSR_RESPONSE_COMMAND_ID, "uu", NOCSRElements, AttestationSignature);
 
 /** @brief Command description for AddNOC
  *

diff --git a/src/app/zap-templates/zcl/data-model/chip/operational-credentials-cluster.xml b/src/app/zap-templates/zcl/data-model/chip/operational-credentials-cluster.xml
@@ -95,12 +95,8 @@ fabric-scoped data.</description>
     <!-- TODO: Fix to match chip-spec:#3346 -->
     <command source="server" code="0x05" name="OpCSRResponse" optional="false">
       <description>A certificate signing request (CSR) from the server.</description>
-      <arg name="CSR" type="OCTET_STRING"/>
-      <arg name="CSRNonce" type="OCTET_STRING"/>
-      <arg name="VendorReserved1" type="OCTET_STRING"/>
-      <arg name="VendorReserved2" type="OCTET_STRING"/>
-      <arg name="VendorReserved3" type="OCTET_STRING"/>
-      <arg name="Signature" type="OCTET_STRING"/>
+      <arg name="NOCSRElements" type="OCTET_STRING"/>
+      <arg name="AttestationSignature" type="OCTET_STRING"/>
     </command>
 
     <command source="client" code="0x06" name="AddNOC" optional="false">

diff --git a/src/controller/CHIPDevice.cpp b/src/controller/CHIPDevice.cpp
@@ -694,5 +694,12 @@ Device::~Device()
     }
 }
 
+CHIP_ERROR Device::ReduceNOCChainBufferSize(size_t new_size)
+{
+    ReturnErrorCodeIf(new_size > sizeof(mNOCChainBuffer), CHIP_ERROR_INVALID_ARGUMENT);
+    mNOCChainBufferSize = new_size;
+    return CHIP_NO_ERROR;
+}
+
 } // namespace Controller
 } // namespace chip
diff --git a/src/controller/CHIPDevice.h b/src/controller/CHIPDevice.h
@@ -382,6 +382,12 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
 
     ByteSpan GetCSRNonce() const { return ByteSpan(mCSRNonce, sizeof(mCSRNonce)); }
 
+    MutableByteSpan GetMutableNOCChain() { return MutableByteSpan(mNOCChainBuffer, sizeof(mNOCChainBuffer)); }
+
+    CHIP_ERROR ReduceNOCChainBufferSize(size_t new_size);
+
+    ByteSpan GetNOCChain() const { return ByteSpan(mNOCChainBuffer, mNOCChainBufferSize); }
+
     /*
      * This function can be called to establish a secure session with the device.
      *
@@ -490,6 +496,10 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
 
     uint8_t mCSRNonce[kOpCSRNonceLength];
 
+    // The chain can contain ICAC and OpCert
+    uint8_t mNOCChainBuffer[Credentials::kMaxCHIPCertLength * 2];
+    size_t mNOCChainBufferSize = 0;
+
     SessionIDAllocator * mIDAllocator = nullptr;
 
     Callback::CallbackDeque mConnectionSuccess;