Allow using MTROperationalCertificateIssuer but letting the Matter framework perform device attestation checks. (#24371)

* Allow using MTROperationalCertificateIssuer but letting the Matter framework perform device attestation checks.

This gives MTROperationalCertificateIssuer implementations control over whether
they want to take over the device attestation checks that require roots of trust
or whether they want to allow Matter.framework to perform those checks itself,
using the roots of trust it was provided.

Fixes #24310

* Address review comment.

* Address more review comments.
bzbarsky-apple authored Jan 11, 2023
1 parent 5c2ab75 commit e7acdf7
Showing 3 changed files with 36 additions and 11 deletions.
6 changes: 6 additions & 0 deletions src/darwin/Framework/CHIP/MTRDeviceController.mm
@@ -558,8 +558,12 @@ - (BOOL)setOperationalCertificateIssuer:(nullable id<MTROperationalCertificateIs
}

auto block = ^{
BOOL usePartialDACVerifier = NO;
if (operationalCertificateIssuer != nil) {
self->_operationalCredentialsDelegate->SetOperationalCertificateIssuer(operationalCertificateIssuer, queue);
usePartialDACVerifier = operationalCertificateIssuer.shouldSkipAttestationCertificateValidation;
}
if (usePartialDACVerifier) {
self->_cppCommissioner->SetDeviceAttestationVerifier(self->_partialDACVerifier);
} else {
// TODO: Once we are not supporting setNocChainIssuer this
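Review bot: the issuer's `shouldSkipAttestationCertificateValidation` is read exactly once here, inside the block that installs the issuer, so an implementation whose answer changes afterwards will not be honored; the property's header comment should say it is consulted when the issuer is set via `setOperationalCertificateIssuer:`, not only that it is read on an arbitrary queue. Since `usePartialDACVerifier` defaults to `NO`, the `else` branch (cut off in this view) is also what runs when the issuer is nil or answers `NO`, so it is worth confirming that it reinstalls the verifier built from the factory's PAA roots; otherwise replacing an issuer that answered `YES` with one that answers `NO` could leave `_partialDACVerifier` in place.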
@@ -921,6 +925,7 @@ - (void)onPairingDeleted:(NSError * _Nullable)error
*/
@interface MTROperationalCertificateChainIssuerShim : NSObject <MTROperationalCertificateIssuer>
@property (nonatomic, readonly) id<MTRNOCChainIssuer> nocChainIssuer;
@property (nonatomic, readonly) BOOL shouldSkipAttestationCertificateValidation;
- (instancetype)initWithIssuer:(id<MTRNOCChainIssuer>)nocChainIssuer;
@end

@@ -929,6 +934,7 @@ - (instancetype)initWithIssuer:(id<MTRNOCChainIssuer>)nocChainIssuer
{
if (self = [super init]) {
_nocChainIssuer = nocChainIssuer;
_shouldSkipAttestationCertificateValidation = YES;
}
return self;
}
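Review bot: hardcoding `_shouldSkipAttestationCertificateValidation = YES` in the shim means every legacy `MTRNOCChainIssuer` keeps the previous behavior, where the trust-anchor checks listed in `MTROperationalCertificateIssuer.h` are delegated to the issuer and the partial DAC verifier is used; a one-line comment stating that this preserves the existing `setNocChainIssuer` semantics, and that legacy issuers therefore cannot opt into framework-side validation, would save the next reader from wondering whether `NO` was intended.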
11 changes: 0 additions & 11 deletions src/darwin/Framework/CHIP/MTRDeviceControllerStartupParams.h
@@ -193,17 +193,6 @@ NS_ASSUME_NONNULL_BEGIN
* when commmissioning devices. Allowed to be nil if this controller either
* does not issue operational certificates at all or internally generates the
* certificates to be issued. In the latter case, nocSigner must not be nil.
*
* When this property is non-nill, all device attestation checks that require
* some sort of trust anchors are delegated to the operationalCertificateIssuer.
* Specifically, the following device attestation checks are not performed and
* must be done by the operationalCertificateIssuer:
*
* (1) Make sure the PAA is valid and approved by CSA.
* (2) VID-scoped PAA check: if the PAA is VID scoped, then its VID must match the DAC VID.
* (3) cert chain check: verify PAI is signed by PAA, and DAC is signed by PAI.
* (4) PAA subject key id extraction: the PAA subject key must match the PAA key referenced in the PAI.
* (5) CD signature check: make sure a valid CSA CD key is used to sign the CD.
*/
@property (nonatomic, strong, nullable) id<MTROperationalCertificateIssuer> operationalCertificateIssuer MTR_NEWLY_AVAILABLE;
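Review bot: unrelated to the lines being removed, the unchanged context line near the top of this hunk still reads `commmissioning` (three m's) and could be fixed while this comment block is being edited. Also, now that delegation of the trust-anchor checks depends on the issuer's `shouldSkipAttestationCertificateValidation`, a one-sentence pointer from this property's documentation to that property in `MTROperationalCertificateIssuer.h` would help readers who previously found the list of delegated checks here.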

30 changes: 30 additions & 0 deletions src/darwin/Framework/CHIP/MTROperationalCertificateIssuer.h
@@ -66,12 +66,42 @@ MTR_NEWLY_AVAILABLE
* and resume when the completion is invoked with a non-nil
* MTROperationalCertificateInfo. When the completion is invoked with an error,
* commissioning will fail.
*
* This will be called on the dispatch queue passed as
* operationalCertificateIssuerQueue in the MTRDeviceControllerFactoryParams.
*/
- (void)issueOperationalCertificateForRequest:(MTROperationalCSRInfo *)csrInfo
attestationInfo:(MTRAttestationInfo *)attestationInfo
controller:(MTRDeviceController *)controller
completion:(MTROperationalCertificateIssuedHandler)completion;

/**
* A way for MTROperationalCertificateIssuer to control whether it wants the
* Matter framework to perform device attestation checks that require trust
* anchors. If this returns NO, then productAttestationAuthorityCertificates
* should be passed in via MTRDeviceControllerFactoryParams, as well as any
* desired additional certificationDeclarationCertificates.
*
* If this returns YES, then all device attestation checks that require some
* sort of trust anchors are delegated to this MTROperationalCertificateIssuer,
* which can use the arguments passed to
* issueOperationalCertificateForRequest:attestationInfo:controller:completion:
* to perform the checks.
*
* Specifically, the following device attestation checks are not performed and
* must be done by the MTROperationalCertificateIssuer:
*
* (1) Make sure the PAA is valid and approved by CSA.
* (2) VID-scoped PAA check: if the PAA is VID scoped, then its VID must match the DAC VID.
* (3) cert chain check: verify PAI is signed by PAA, and DAC is signed by PAI.
* (4) PAA subject key id extraction: the PAA subject key must match the PAA key referenced in the PAI.
* (5) CD signature check: make sure a valid CSA CD key is used to sign the CD.
*
* This will be read on an arbitrary queue and must not block or call any
* Matter APIs.
*/
@property (nonatomic, readonly) BOOL shouldSkipAttestationCertificateValidation;

@end

MTR_NEWLY_DEPRECATED("Please use MTROperationalCertificateIssuedHandler")
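Review bot: the doc for `shouldSkipAttestationCertificateValidation` should spell out the failure mode when it returns `NO` but no `productAttestationAuthorityCertificates` were supplied to `MTRDeviceControllerFactoryParams`, since the framework then has no roots to validate against. It should also make explicit that `YES` does not disable checks (1) through (5) but moves responsibility for them to the issuer, which must report a failed check by invoking the completion of `issueOperationalCertificateForRequest:attestationInfo:controller:completion:` with an error so that commissioning fails, as the method doc above already describes for the error case; the property name reads as "skip validation", so this clarification matters.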
