Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for generation and verification of CSR attestation signature #11908

Closed
tcarmelveilleux opened this issue Nov 17, 2021 · 5 comments · Fixed by #16913
Closed

Add support for generation and verification of CSR attestation signature #11908

tcarmelveilleux opened this issue Nov 17, 2021 · 5 comments · Fixed by #16913
Assignees
@cecille
Labels
attestation commissioning Involves placing devices on the network, initial setup spec Mismatch between spec and implementation tcv-dri-triage-temp V1.0

Comments

@tcarmelveilleux
Copy link
Contributor

Problem

Spec requires an attestation signature on the CSR. This attestation signature must then be validated by commissioner logic. This is currently omitted in the SDK.

Proposed Solution

  • Implement adding the attestation signature using the DeviceAttestationCredentialsProvider
  • Update DeviceAttestationVerifier to have a primitive to validate DAC chain and the signature, symetrical to the attestation prcedure
  • Update commissioning sample to have reporting of failure of signature
@tcarmelveilleux tcarmelveilleux self-assigned this Nov 17, 2021
tcarmelveilleux added a commit to tcarmelveilleux/connectedhomeip that referenced this issue Nov 23, 2021
@tcarmelveilleux
Use spec-compliant NOCSR elements
077819d 
- Add actual attestation signature to NOCSR elements
- Add ability to generate the vendor-reserved elements
- Move TLV struct size estimator to TLV library
- Add more logs to NOC cluster
- Refactor NOC cluster to use common signature logic for
  CSRResponse and AttestationResponse
- Add a good limit on CSR size to reduce memory (a real spec-compliant
  CSR is 220-230 bytes

Fixes project-chip#8729
Issue project-chip#11908

Testing done: added unit tests and ran test_suites.sh integration tests
@tcarmelveilleux tcarmelveilleux mentioned this issue Nov 23, 2021
Merged
tcarmelveilleux added a commit that referenced this issue Nov 25, 2021
@tcarmelveilleux @restyled-commits
Use spec-compliant NOCSR elements (#12179)
3f7ea64 
* Use spec-compliant NOCSR elements

- Add actual attestation signature to NOCSR elements
- Add ability to generate the vendor-reserved elements
- Move TLV struct size estimator to TLV library
- Add more logs to NOC cluster
- Refactor NOC cluster to use common signature logic for
  CSRResponse and AttestationResponse
- Add a good limit on CSR size to reduce memory (a real spec-compliant
  CSR is 220-230 bytes

Fixes #8729
Issue #11908

Testing done: added unit tests and ran test_suites.sh integration tests

* Restyled by clang-format

* Fix signedness warning

* Fix signedness issue in perfect forwarding

* Address review comments

* Restyled by clang-format

* Fixed bug when vendor reserved data missing

* Restyled by clang-format

Co-authored-by: Restyled.io <[email protected]>
@vijs vijs mentioned this issue Dec 16, 2021
Merged
@vijs
Copy link
Collaborator

vijs commented Jan 26, 2022

@tcarmelveilleux Please review the merged PRs and confirm if this issue is addressed

@yufengwangca
Copy link
Contributor

@tcarmelveilleux is there any remaining task for this ticket?

@woody-apple woody-apple added commissioning Involves placing devices on the network, initial setup spec Mismatch between spec and implementation labels Feb 8, 2022
@tcarmelveilleux
Copy link
Contributor Author

AutoCommissioner should at least check attestation signature on receipt of CSRResponse. This is the MVP for 1.0

@tcarmelveilleux tcarmelveilleux removed their assignment Mar 1, 2022
@cecille
Copy link
Contributor

cecille commented Mar 10, 2022

Tennessee, can you just clarify what you want here? Do you want the auto commissioner to call VerifyNodeOperationalCSRInformation? Or do you want it to verify the generated cert chain?

We verify the CSR information right before we generate the NOC chain. I suppose we can pull this out into a separate step so folks that opt to replace the auto commissioner can call that as a separate step.

@cecille
Copy link
Contributor

cecille commented Mar 31, 2022

From offline discussion - twofold answer for this issue.

  1. will make validation a separate step in commissioning to make this easier for devs implementing their own commissioning delegate to perform this step without being tied to generating the noc chain.
  2. change the GenerateNOCChain function signature to accept the attestationChallenge and csrNonce so that the credentials delegate can verify the CSR before generating the noc chain if it desires (not adding that check to example delegates as it is checked by the auto commissioner, but just to allow other delegate to do so if they wish)

@cecille cecille mentioned this issue Apr 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cecille cecille

Labels
attestation commissioning Involves placing devices on the network, initial setup spec Mismatch between spec and implementation tcv-dri-triage-temp V1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validate CSR in separate commissioning step cecille/connectedhomeip
6 participants
@tcarmelveilleux @andy31415 @vijs @cecille @yufengwangca @woody-apple