Skip to content

Commit

Permalink
Add additional checks related to RESP_MAX into the DefaultDeviceAttes…
Browse files Browse the repository at this point in the history
…tationVerifier
  • Loading branch information
vivien-apple committed Jun 10, 2022
1 parent e51b6a0 commit ae7542a
Showing 1 changed file with 9 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,9 @@ namespace Credentials {

namespace {

// As per specifications section 11.22.5.1. Constant RESP_MAX
constexpr size_t kMaxResponseLength = 900;

static const ByteSpan kTestPaaRoots[] = {
TestCerts::sTestCert_PAA_FFF1_Cert,
TestCerts::sTestCert_PAA_NoVID_Cert,
Expand Down Expand Up @@ -184,6 +187,9 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
!info.attestationNonceBuffer.empty() && onCompletion != nullptr,
attestationError = AttestationVerificationResult::kInvalidArgument);

VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength,
attestationError = AttestationVerificationResult::kInvalidArgument);

// match DAC and PAI VIDs
{
VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR,
Expand Down Expand Up @@ -410,6 +416,7 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
!attestationSignatureBuffer.empty() && !csrNonce.empty(),
CHIP_ERROR_INVALID_ARGUMENT);

VerifyOrReturnError(nocsrElementsBuffer.size() <= kMaxResponseLength, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(csrNonce.size() == Controller::kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);

ByteSpan csrSpan;
Expand All @@ -420,6 +427,8 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
ReturnErrorOnFailure(DeconstructNOCSRElements(nocsrElementsBuffer, csrSpan, csrNonceSpan, vendorReserved1Span,
vendorReserved2Span, vendorReserved3Span));

VerifyOrReturnError(csrNonceSpan.size() == Controller::kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);

// Verify that Nonce matches with what we sent
VerifyOrReturnError(csrNonceSpan.data_equal(csrNonce), CHIP_ERROR_INVALID_ARGUMENT);

Expand Down

0 comments on commit ae7542a

Please sign in to comment.