Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is …

…in the Certification Declaration.
project-chip · May 9, 2022 · 7f28baa · 7f28baa
1 parent d85700e
commit 7f28baa
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -267,6 +267,11 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
         ByteSpan firmwareInfoSpan;
         DeviceAttestationVendorReservedDeconstructor vendorReserved;
         ByteSpan certificationDeclarationPayload;
+        uint8_t paaSKIDBuf[20] = { 0 };
+        MutableByteSpan paaSKID(paaSKIDBuf);
+
+        VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR,
+                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
 
         DeviceInfoForAttestation deviceInfo{
             .vendorId     = info.vendorId,
@@ -276,6 +281,7 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
             .paiVendorId  = paiVidPid.mVendorId.Value(),
             .paiProductId = paiVidPid.mProductId.ValueOr(0),
             .paaVendorId  = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified),
+            .paaSKID      = paaSKID,
         };
 
         VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan,
@@ -384,6 +390,14 @@ AttestationVerificationResult DefaultDACVerifier::ValidateCertificateDeclaration
         }
     }
 
+    if (cdContent.authorizedPAAListPresent)
+    {
+        // The Subject Key Id of the PAA SHALL match one of the values present in the authorized_paa_list
+        // in the Certification Declaration.
+        VerifyOrReturnError(cdElementsDecoder.HasAuthorizedPAA(certDeclBuffer, deviceInfo.paaSKID),
+                            AttestationVerificationResult::kCertificationDeclarationInvalidPAA);
+    }
+
     return AttestationVerificationResult::kSuccess;
 }
 

diff --git a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
@@ -68,6 +68,7 @@ enum class AttestationVerificationResult : uint16_t
     kCertificationDeclarationInvalidFormat      = 603,
     kCertificationDeclarationInvalidVendorId    = 604,
     kCertificationDeclarationInvalidProductId   = 605,
+    kCertificationDeclarationInvalidPAA         = 606,
 
     kNoMemory = 700,
 
@@ -93,16 +94,18 @@ struct DeviceInfoForAttestation
     uint16_t vendorId = VendorId::NotSpecified;
     // Product ID reported by device in Basic Information cluster
     uint16_t productId = 0;
-    // Vendor ID from  DAC
+    // Vendor ID from DAC
     uint16_t dacVendorId = VendorId::NotSpecified;
     // Product ID from DAC
     uint16_t dacProductId = 0;
     // Vendor ID from PAI cert
     uint16_t paiVendorId = VendorId::NotSpecified;
     // Product ID from PAI cert (0 if absent)
     uint16_t paiProductId = 0;
-    // Vendor ID from  PAA cert
+    // Vendor ID from PAA cert
     uint16_t paaVendorId = VendorId::NotSpecified;
+    // Subject Key Identifier (SKID) from PAA cert
+    ByteSpan paaSKID;
 };
 
 typedef void (*OnAttestationInformationVerification)(void * context, AttestationVerificationResult result);