From 96c6d71c74060784b4b4abe0f4e0605bd425a4b4 Mon Sep 17 00:00:00 2001 From: Sharad Binjola Date: Tue, 23 Aug 2022 15:50:15 -0700 Subject: [PATCH] Darwin: Allow partial validation of DAC and CD (for external cloud or custom app based validation) --- src/darwin/Framework/CHIP/MTRDeviceController.h | 4 ++++ src/darwin/Framework/CHIP/MTRDeviceController.mm | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index faca45ddde863b..6deca1706934ca 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -124,6 +124,10 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS * Sets this MTRDeviceController to use the given issuer for issuing operational certs. By default, the MTRDeviceController uses an * internal issuer. * + * When a nocChainIssuer is set, the device commissioner will delegate verification to the chip::Credentials::PartialDACVerifier so + * that DAC chain and CD validation can be performed by custom code triggered by MTRNOCChainIssuer.onNOCChainGenerationNeeded(). + * Otherwise, the device commissioner uses the chip::Credentials::DefaultDACVerifier + * * @param[in] nocChainIssuer the NOC Chain issuer to use for issuer operational certs * * @param[in] queue The queue on which the callbacks will be delivered diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.mm b/src/darwin/Framework/CHIP/MTRDeviceController.mm index b170771f77ad0b..438ac2409c3ac5 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.mm +++ b/src/darwin/Framework/CHIP/MTRDeviceController.mm @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include @@ -77,6 +78,7 @@ @interface MTRDeviceController () @property (atomic, readonly) dispatch_queue_t chipWorkQueue; @property (readonly) chip::Controller::DeviceCommissioner * cppCommissioner; +@property (readonly) chip::Credentials::PartialDACVerifier * partialDACVerifier; @property (readonly) MTRDevicePairingDelegateBridge * pairingDelegateBridge; @property (readonly) MTROperationalCredentialsDelegate * operationalCredentialsDelegate; @property (readonly) MTRP256KeypairBridge signingKeypairBridge; @@ -664,7 +666,12 @@ - (void)setNocChainIssuer:(id)nocChainIssuer queue:(dispatch_ dispatch_sync(_chipWorkQueue, ^{ VerifyOrReturn([self checkIsRunning]); - self->_operationalCredentialsDelegate->SetNocChainIssuer(nocChainIssuer, queue); + if (nocChainIssuer != nil) { + self->_operationalCredentialsDelegate->SetNocChainIssuer(nocChainIssuer, queue); + self->_cppCommissioner->SetDeviceAttestationVerifier(_partialDACVerifier); + } else { + self->_cppCommissioner->SetDeviceAttestationVerifier(chip::Credentials::GetDeviceAttestationVerifier()); + } }); }