Ensure chip-tool has access to a trust store for the official PAAs #15209

Closed
tcarmelveilleux opened this issue Feb 15, 2022 · 0 comments

Problem

chip-tool only knows of the TestAttestationTrustStore which only contains a well-known insecure PAA key. We need to be able to scale to having chip-tool capable of commissioning devices with real PAAs.

Proposed Solution

  • Make chip-tool configurable to receive a path to a location containing a mirror of the DCL's official PAA trust store.

tcarmelveilleux self-assigned this Feb 15, 2022

tcarmelveilleux added a commit to tcarmelveilleux/connectedhomeip that referenced this issue Feb 15, 2022

- This PR is on the way to resolving project-chip#15209.
- This PR does the following:
  - Splits DefaultDeviceAttestationVerifier from the main src/credentials target
    since it is an optional component that can be overridden by different
    commissioners
  - Adds the beginning of plumbing to properly select the Trust Store for
    the DefaultDeviceAttestationVerifier.
  - Moved DefaultDeviceAttestationVerifier from credentials/examples to
    credentials/attestation_verifier

Missing, to come in the follow-up:
- The implementation of a new file-based PAA trust store configured with
  the path passed in the plumbing added here.

Testing done: unit tests and cert tests still pass. Commissioning still works.

andy31415 pushed a commit that referenced this issue Feb 22, 2022

* Separate DefaultDeviceAttestationVerifier from credentials

- This PR is on the way to resolving #15209.
- This PR does the following:
  - Splits DefaultDeviceAttestationVerifier from the main src/credentials target
    since it is an optional component that can be overridden by different
    commissioners
  - Adds the beginning of plumbing to properly select the Trust Store for
    the DefaultDeviceAttestationVerifier.
  - Moved DefaultDeviceAttestationVerifier from credentials/examples to
    credentials/attestation_verifier

Missing, to come in the follow-up:
- The implementation of a new file-based PAA trust store configured with
  the path passed in the plumbing added here.

Testing done: unit tests and cert tests still pass. Commissioning still works

* Restyled by clang-format

* Restyled by gn

* Fix ESP32 Qemu test

* Fix CHIPCommandBridge

Co-authored-by: Restyled.io <[email protected]>