From 5159593091ed9a1665ea8eeb12a4440668118000 Mon Sep 17 00:00:00 2001 From: Pankaj Garg Date: Thu, 30 Sep 2021 08:26:30 -0700 Subject: [PATCH] Delete obsolete CHIPOperationalCredentials class and usage --- src/channel/Channel.h | 20 - src/controller/CHIPDevice.h | 1 - src/controller/CHIPDeviceController.h | 1 - src/credentials/BUILD.gn | 2 - .../CHIPOperationalCredentials.cpp | 386 ------------------ src/credentials/CHIPOperationalCredentials.h | 288 ------------- src/credentials/tests/BUILD.gn | 1 - src/credentials/tests/TestChipCert.cpp | 1 - .../tests/TestChipOperationalCredentials.cpp | 289 ------------- src/messaging/tests/MessagingContext.h | 4 - src/protocols/secure_channel/CASESession.h | 1 - .../secure_channel/tests/TestCASESession.cpp | 1 - src/transport/FabricTable.h | 2 +- 13 files changed, 1 insertion(+), 996 deletions(-) delete mode 100644 src/credentials/CHIPOperationalCredentials.cpp delete mode 100644 src/credentials/CHIPOperationalCredentials.h delete mode 100644 src/credentials/tests/TestChipOperationalCredentials.cpp diff --git a/src/channel/Channel.h b/src/channel/Channel.h index f0374d8ce05448..310fd4aa998f5e 100644 --- a/src/channel/Channel.h +++ b/src/channel/Channel.h @@ -43,7 +43,6 @@ #pragma once -#include #include #include 
@@ -97,23 +96,6 @@ class ChannelBuilder return *this; } - Credentials::OperationalCredentialSet & GetOperationalCredentialSet() const - { - return *mCaseParameters.mOperationalCredentialSet; - } - ChannelBuilder & SetOperationalCredentialSet(Credentials::OperationalCredentialSet * operationalCredentialSet) - { - mCaseParameters.mOperationalCredentialSet = operationalCredentialSet; - return *this; - } - - uint8_t GetOperationalCredentialSetIndex() const { return mCaseParameters.mOperationalCredentialSetIndex; } - ChannelBuilder & SetOperationalCredentialSetIndex(uint8_t operationalCredentialSetIndex) - { - mCaseParameters.mOperationalCredentialSetIndex = operationalCredentialSetIndex; - return *this; - } - Optional GetForcePeerAddress() const { return mForcePeerAddr; } ChannelBuilder & SetForcePeerAddress(Inet::IPAddress peerAddr) { @@ -127,8 +109,6 @@ class ChannelBuilder struct { uint16_t mPeerSessionId; - Credentials::OperationalCredentialSet * mOperationalCredentialSet; - uint8_t mOperationalCredentialSetIndex; } mCaseParameters; Optional mForcePeerAddr; diff --git a/src/controller/CHIPDevice.h b/src/controller/CHIPDevice.h index d7eb54334293c1..069c795359e36d 100644 --- a/src/controller/CHIPDevice.h +++ b/src/controller/CHIPDevice.h @@ -32,7 +32,6 @@ #include #include #include -#include #include #include #include diff --git a/src/controller/CHIPDeviceController.h b/src/controller/CHIPDeviceController.h index 81d3adca983c4a..ed5b1ce5c06de7 100644 --- a/src/controller/CHIPDeviceController.h +++ b/src/controller/CHIPDeviceController.h @@ -35,7 +35,6 @@ #include #include #include -#include #include #include #include diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn index 488e224395dcb9..e9f8b1f0a73360 100644 --- a/src/credentials/BUILD.gn +++ b/src/credentials/BUILD.gn 
@@ -23,8 +23,6 @@ static_library("credentials") { "CHIPCert.h", "CHIPCertFromX509.cpp", "CHIPCertToX509.cpp", - "CHIPOperationalCredentials.cpp", - "CHIPOperationalCredentials.h", "DeviceAttestationConstructor.cpp", "DeviceAttestationConstructor.h", "DeviceAttestationCredsProvider.cpp", diff --git a/src/credentials/CHIPOperationalCredentials.cpp b/src/credentials/CHIPOperationalCredentials.cpp deleted file mode 100644 index bcb304a3581791..00000000000000 --- a/src/credentials/CHIPOperationalCredentials.cpp +++ /dev/null 
@@ -1,386 +0,0 @@ -/* - * - * Copyright (c) 2021 Project CHIP Authors - * All rights reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file - * This file defines data types and objects for modeling and - * working with CHIP Operational Credentials. - * - */ - -#ifndef __STDC_LIMIT_MACROS -#define __STDC_LIMIT_MACROS -#endif - -#include -#include -#include -#include - -namespace chip { -namespace Credentials { - -static constexpr size_t kOperationalCertificatesMax = 3; - -using namespace chip::Crypto; - -CHIP_ERROR OperationalCredentialSet::Init(uint8_t maxCertsArraySize) -{ - VerifyOrReturnError(mOpCreds == nullptr, CHIP_ERROR_INTERNAL); - - VerifyOrReturnError(maxCertsArraySize > 0, CHIP_ERROR_INVALID_ARGUMENT); - mOpCreds = reinterpret_cast(chip::Platform::MemoryAlloc(sizeof(ChipCertificateSet) * maxCertsArraySize)); - VerifyOrReturnError(mOpCreds != nullptr, CHIP_ERROR_NO_MEMORY); - - mOpCredCount = 0; - mMaxCerts = maxCertsArraySize; - mMemoryAllocInternal = true; - mChipDeviceCredentialsCount = 0; - mDeviceOpCredKeypairCount = 0; - - CleanupMaps(); - - return CHIP_NO_ERROR; -} - -CHIP_ERROR OperationalCredentialSet::Init(ChipCertificateSet * certSetsArray, uint8_t certSetsArraySize) -{ - VerifyOrReturnError(mOpCreds == nullptr, CHIP_ERROR_INTERNAL); - - VerifyOrReturnError(certSetsArray != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - VerifyOrReturnError(certSetsArraySize > 0, CHIP_ERROR_INVALID_ARGUMENT); - - mOpCredCount = 
certSetsArraySize; - mOpCreds = certSetsArray; - mMaxCerts = certSetsArraySize; - mMemoryAllocInternal = false; - mChipDeviceCredentialsCount = 0; - mDeviceOpCredKeypairCount = 0; - - CleanupMaps(); - - return CHIP_NO_ERROR; -} - -void OperationalCredentialSet::Release() -{ - if (mMemoryAllocInternal) - { - if (mOpCreds != nullptr) - { - Clear(); - chip::Platform::MemoryFree(mOpCreds); - mOpCreds = nullptr; - } - mMemoryAllocInternal = false; - } - else - { - mOpCreds = nullptr; - } - - for (size_t i = 0; i < kOperationalCredentialsMax; ++i) - { - if (mChipDeviceCredentials[i].nodeCredential.mCredential != nullptr) - { - chip::Platform::MemoryFree(mChipDeviceCredentials[i].nodeCredential.mCredential); - mChipDeviceCredentials[i].nodeCredential.mCredential = nullptr; - mChipDeviceCredentials[i].nodeCredential.mLen = 0; - mChipDeviceCredentials[i].trustedRootId = CertificateKeyId(); - } - mDeviceOpCredKeypair[i].trustedRootId = CertificateKeyId(); - } - - mChipDeviceCredentialsCount = 0; - mDeviceOpCredKeypairCount = 0; -} - -void OperationalCredentialSet::Clear() -{ - for (int i = 0; i < mOpCredCount; i++) - { - mOpCreds[i].~ChipCertificateSet(); - } - - mOpCredCount = 0; -} - -void OperationalCredentialSet::CleanupMaps() -{ - for (size_t i = 0; i < kOperationalCredentialsMax; ++i) - { - mChipDeviceCredentials[i].trustedRootId = CertificateKeyId(); - mChipDeviceCredentials[i].nodeCredential.mCredential = nullptr; - mChipDeviceCredentials[i].nodeCredential.mLen = 0; - - mDeviceOpCredKeypair[i].trustedRootId = CertificateKeyId(); - } -} - -ChipCertificateSet * OperationalCredentialSet::FindCertSet(const CertificateKeyId & trustedRootId) const -{ - for (uint8_t i = 0; i < mOpCredCount; i++) - { - ChipCertificateSet * certSet = &mOpCreds[i]; - - for (uint8_t j = 0; j < certSet->GetCertCount(); j++) - { - const ChipCertificateData * cert = &certSet->GetCertSet()[j]; - if (cert->mCertFlags.Has(CertFlags::kIsTrustAnchor) && cert->mAuthKeyId.data_equal(trustedRootId)) - { - 
return certSet; - } - } - } - - return nullptr; -} - -bool OperationalCredentialSet::IsCertSetInTheOpCredSet(const ChipCertificateSet * cert) const -{ - for (uint8_t i = 0; i < mOpCredCount; i++) - { - if (cert == &mOpCreds[i]) - { - return true; - } - } - - return false; -} - -bool OperationalCredentialSet::IsTrustedRootIn(const CertificateKeyId & trustedRoot) const -{ - for (uint16_t i = 0; i < mOpCredCount; ++i) - { - if (GetTrustedRootId(i).data_equal(trustedRoot)) - { - return true; - } - } - - return false; -} - -CHIP_ERROR OperationalCredentialSet::ValidateCert(const CertificateKeyId & trustedRootId, const ChipCertificateData * cert, - ValidationContext & context) -{ - ChipCertificateSet * chipCertificateSet; - - chipCertificateSet = FindCertSet(trustedRootId); - VerifyOrReturnError(chipCertificateSet != nullptr, CHIP_ERROR_CERT_NOT_FOUND); - VerifyOrReturnError(chipCertificateSet->IsCertInTheSet(cert), CHIP_ERROR_INVALID_ARGUMENT); - - return chipCertificateSet->ValidateCert(cert, context); -} - -CHIP_ERROR OperationalCredentialSet::FindValidCert(const CertificateKeyId & trustedRootId, const ChipDN & subjectDN, - const CertificateKeyId & subjectKeyId, ValidationContext & context, - const ChipCertificateData ** certData) -{ - ChipCertificateSet * chipCertificateSet; - - chipCertificateSet = FindCertSet(trustedRootId); - VerifyOrReturnError(chipCertificateSet != nullptr, CHIP_ERROR_CERT_NOT_FOUND); - - return chipCertificateSet->FindValidCert(subjectDN, subjectKeyId, context, certData); -} - -CHIP_ERROR OperationalCredentialSet::SignMsg(const CertificateKeyId & trustedRootId, const uint8_t * msg, const size_t msg_length, - P256ECDSASignature & out_signature) -{ - return GetNodeKeypairAt(trustedRootId)->ECDSA_sign_msg(msg, msg_length, out_signature); -} - -CertificateKeyId OperationalCredentialSet::GetTrustedRootId(uint16_t certSetIndex) const -{ - VerifyOrReturnError(certSetIndex <= mOpCredCount, CertificateKeyId()); - - const ChipCertificateData * 
chipCertificateData = mOpCreds[certSetIndex].GetCertSet(); - uint8_t numberCertificates = mOpCreds[certSetIndex].GetCertCount(); - - for (uint8_t i = 0; i < numberCertificates; ++i) - { - if (chipCertificateData[i].mCertFlags.Has(CertFlags::kIsTrustAnchor)) - { - return chipCertificateData[i].mAuthKeyId; - } - } - return CertificateKeyId(); -} - -CHIP_ERROR OperationalCredentialSet::SetDevOpCred(const CertificateKeyId & trustedRootId, const uint8_t * chipDeviceCredentials, - uint16_t chipDeviceCredentialsLen) -{ - NodeCredential newCredential; - - VerifyOrReturnError(mChipDeviceCredentialsCount < kOperationalCredentialsMax, CHIP_ERROR_NO_MEMORY); - - newCredential.mCredential = static_cast(chip::Platform::MemoryAlloc(chipDeviceCredentialsLen)); - VerifyOrReturnError(newCredential.mCredential != nullptr, CHIP_ERROR_NO_MEMORY); - - memcpy(newCredential.mCredential, chipDeviceCredentials, chipDeviceCredentialsLen); - newCredential.mLen = chipDeviceCredentialsLen; - - mChipDeviceCredentials[mChipDeviceCredentialsCount].trustedRootId = trustedRootId; - mChipDeviceCredentials[mChipDeviceCredentialsCount].nodeCredential = newCredential; - - ++mChipDeviceCredentialsCount; - - return CHIP_NO_ERROR; -} - -CHIP_ERROR OperationalCredentialSet::SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair) -{ - P256SerializedKeypair serializedKeypair; - - VerifyOrReturnError(mDeviceOpCredKeypairCount < kOperationalCredentialsMax, CHIP_ERROR_NO_MEMORY); - - ReturnErrorOnFailure(newKeypair->Serialize(serializedKeypair)); - ReturnErrorOnFailure(mDeviceOpCredKeypair[mDeviceOpCredKeypairCount].keypair.Deserialize(serializedKeypair)); - - mDeviceOpCredKeypair[mDeviceOpCredKeypairCount].trustedRootId = trustedRootId; - - ++mDeviceOpCredKeypairCount; - - return CHIP_NO_ERROR; -} - -CHIP_ERROR OperationalCredentialSet::ToSerializable(const CertificateKeyId & trustedRootId, - OperationalCredentialSerializable & serializable) -{ - const NodeCredential * 
nodeCredential = GetNodeCredentialAt(trustedRootId); - P256Keypair * keypair = GetNodeKeypairAt(trustedRootId); - P256SerializedKeypair serializedKeypair; - ChipCertificateSet * certificateSet = FindCertSet(trustedRootId); - const ChipCertificateData * dataSet = nullptr; - uint8_t * ptrSerializableCerts[] = { serializable.mRootCertificate, serializable.mCACertificate }; - uint16_t * ptrSerializableCertsLen[] = { &serializable.mRootCertificateLen, &serializable.mCACertificateLen }; - - VerifyOrReturnError(certificateSet != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - ReturnErrorOnFailure(keypair->Serialize(serializedKeypair)); - VerifyOrReturnError(serializedKeypair.Length() <= sizeof(serializable.mNodeKeypair), CHIP_ERROR_INVALID_ARGUMENT); - - dataSet = certificateSet->GetCertSet(); - VerifyOrReturnError(dataSet != nullptr, CHIP_ERROR_INVALID_ARGUMENT); - - memset(&serializable, 0, sizeof(serializable)); - serializable.mNodeCredentialLen = nodeCredential->mLen; - - memcpy(serializable.mNodeCredential, nodeCredential->mCredential, nodeCredential->mLen); - memcpy(serializable.mNodeKeypair, serializedKeypair, serializedKeypair.Length()); - serializable.mNodeKeypairLen = static_cast(serializedKeypair.Length()); - - for (uint8_t i = 0; i < certificateSet->GetCertCount(); ++i) - { - VerifyOrReturnError(CanCastTo(dataSet[i].mCertificate.size()), CHIP_ERROR_INTERNAL); - memcpy(ptrSerializableCerts[i], dataSet[i].mCertificate.data(), dataSet[i].mCertificate.size()); - *ptrSerializableCertsLen[i] = static_cast(dataSet[i].mCertificate.size()); - } - - return CHIP_NO_ERROR; -} - -CHIP_ERROR OperationalCredentialSet::FromSerializable(const OperationalCredentialSerializable & serializable) -{ - CHIP_ERROR err = CHIP_NO_ERROR; - - P256Keypair keypair; - P256SerializedKeypair serializedKeypair; - ChipCertificateSet certificateSet; - CertificateKeyId trustedRootId; - - SuccessOrExit(err = certificateSet.Init(kOperationalCertificatesMax)); - - err = 
certificateSet.LoadCert(ByteSpan(serializable.mRootCertificate, serializable.mRootCertificateLen), - BitFlags(CertDecodeFlags::kIsTrustAnchor)); - SuccessOrExit(err); - - trustedRootId = certificateSet.GetLastCert()->mAuthKeyId; - - if (serializable.mCACertificateLen != 0) - { - err = certificateSet.LoadCert(ByteSpan(serializable.mCACertificate, serializable.mCACertificateLen), - BitFlags(CertDecodeFlags::kGenerateTBSHash)); - SuccessOrExit(err); - } - - LoadCertSet(&certificateSet); - - memcpy(serializedKeypair, serializable.mNodeKeypair, serializable.mNodeKeypairLen); - SuccessOrExit(err = serializedKeypair.SetLength(serializable.mNodeKeypairLen)); - - SuccessOrExit(err = keypair.Deserialize(serializedKeypair)); - - SuccessOrExit(err = SetDevOpCredKeypair(trustedRootId, &keypair)); - - SuccessOrExit(err = SetDevOpCred(trustedRootId, serializable.mNodeCredential, serializable.mNodeCredentialLen)); - -exit: - certificateSet.Release(); - - return err; -} - -const NodeCredential * OperationalCredentialSet::GetNodeCredentialAt(const CertificateKeyId & trustedRootId) const -{ - for (size_t i = 0; i < kOperationalCredentialsMax && mChipDeviceCredentials[i].nodeCredential.mCredential != nullptr; ++i) - { - if (trustedRootId.data_equal(mChipDeviceCredentials[i].trustedRootId)) - { - return &mChipDeviceCredentials[i].nodeCredential; - } - } - - return nullptr; -} - -P256Keypair * OperationalCredentialSet::GetNodeKeypairAt(const CertificateKeyId & trustedRootId) -{ - for (size_t i = 0; i < kOperationalCredentialsMax && !mDeviceOpCredKeypair[i].trustedRootId.empty(); ++i) - { - if (trustedRootId.data_equal(mDeviceOpCredKeypair[i].trustedRootId)) - { - return &mDeviceOpCredKeypair[i].keypair; - } - } - - return nullptr; -} - -const ChipCertificateData * OperationalCredentialSet::GetRootCertificate(const CertificateKeyId & trustedRootId) const -{ - for (size_t certChainIdx = 0; certChainIdx < mOpCredCount; certChainIdx++) - { - ChipCertificateSet * certSet = 
&mOpCreds[certChainIdx]; - - for (size_t ipkIdx = 0; ipkIdx < certSet->GetCertCount(); ipkIdx++) - { - const ChipCertificateData * cert = &certSet->GetCertSet()[ipkIdx]; - if (cert->mCertFlags.Has(CertFlags::kIsTrustAnchor) && cert->mAuthKeyId.data_equal(trustedRootId)) - { - return cert; - } - } - } - - return nullptr; -} - -} // namespace Credentials -} // namespace chip diff --git a/src/credentials/CHIPOperationalCredentials.h b/src/credentials/CHIPOperationalCredentials.h deleted file mode 100644 index b877bb3deea98f..00000000000000 --- a/src/credentials/CHIPOperationalCredentials.h +++ /dev/null 
@@ -1,288 +0,0 @@ -/* - * - * Copyright (c) 2021 Project CHIP Authors - * All rights reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file - * This file defines data types and objects for modeling and - * working with CHIP Operational Credentials. - * - */ - -#pragma once - -#include -#include -#include -#if CHIP_CRYPTO_HSM -#include -#endif - -#include -#include - -namespace chip { -namespace Credentials { - -static constexpr size_t kOperationalCredentialsMax = 5; - -using namespace Crypto; - -struct NodeCredential -{ - uint8_t * mCredential = nullptr; - uint16_t mLen = 0; -}; - -struct OperationalCredentialSerializable -{ - uint16_t mNodeCredentialLen; - uint8_t mNodeCredential[kMaxCHIPCertLength]; - uint16_t mNodeKeypairLen; - uint8_t mNodeKeypair[kP256_PublicKey_Length + kP256_PrivateKey_Length]; - uint16_t mRootCertificateLen; - uint8_t mRootCertificate[kMaxCHIPCertLength]; - uint16_t mCACertificateLen; - uint8_t mCACertificate[kMaxCHIPCertLength]; -}; - -struct NodeCredentialMap -{ - CertificateKeyId trustedRootId; - NodeCredential nodeCredential; -}; - -struct NodeKeypairMap -{ - CertificateKeyId trustedRootId; -#ifdef ENABLE_HSM_CASE_OPS_KEY - P256KeypairHSM keypair; -#else - P256Keypair keypair; -#endif -}; - -/** - * - * @brief - * Collection of CHIPCertificateSet providing methods for - * finding and validating Device Credentials against Roof of Trust chains. 
- */ -class DLL_EXPORT OperationalCredentialSet -{ -public: - OperationalCredentialSet() : - mOpCreds(nullptr), mOpCredCount(0), mMaxCerts(0), mChipDeviceCredentialsCount(0), mDeviceOpCredKeypairCount(0) - {} - - ~OperationalCredentialSet() { Release(); } - - /** - * @brief Initialize OperationalCredentialSet. - * This initialization method is used when all memory structures needed for operation are - * allocated externally and methods in this class don't need to deal with memory allocations. - * - * @param certSetsArray A pointer to the array of the ChipCertificateSet structures. - * @param certSetsArraySize Number of ChipCertificateSet entries in the array. - * - * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise - **/ - CHIP_ERROR Init(ChipCertificateSet * certSetsArray, uint8_t certSetsArraySize); - - /** - * @brief Initialize OperationalCredentialSet. - * This initialization method is used when all memory structures needed for operation are - * allocated internally using chip::Platform::MemoryAlloc() and freed with chip::Platform::MemoryFree(). - * - * @param maxCertsArraySize Maximum number of CHIP certificate-sets to be loaded to the set. - * - * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise - **/ - CHIP_ERROR Init(uint8_t maxCertsArraySize); - - /** - * @brief Release resources allocated by this class. - **/ - void Release(); - - /** - * @brief Clear certificate data loaded into this set. - **/ - void Clear(); - - void CleanupMaps(); - - /** - * @brief Load CHIP certificate-set into set. - * - * @param chipCertSet Buffer containing certificate encoded in CHIP format. - **/ - void LoadCertSet(ChipCertificateSet * chipCertSet) { mOpCreds[mOpCredCount++] = std::move(*chipCertSet); } - - /** - * @brief Find certificate set in the set. - * - * @param trustedRootId Authority key identifier of the root certificate-set to be found in the operational credential set. - * - * @return A pointer to the certificate data On success. 
Otherwise, NULL if no certificate found. - **/ - ChipCertificateSet * FindCertSet(const CertificateKeyId & trustedRootId) const; - - /** - * @return A pointer to the set of certificate-set data entries. - **/ - ChipCertificateSet * GetOpCredSet() const { return mOpCreds; } - - /** - * @return Number of certificate-sets loaded into the set. - **/ - uint8_t GetCertCount() const { return mOpCredCount; } - - /** - * @brief Retrieve Trusted Root ID / Authority Key ID of a Certificate Set. - * - * @param certSetIndex Index of the Certificate-set to be used to search for a Trusted Root ID. - * - * @return A pointer to the Trusted Root ID on success. Otherwise, nullptr if no Trust Anchor is found. - **/ - CertificateKeyId GetTrustedRootId(uint16_t certSetIndex) const; - - /** - * @brief Check whether certificate set is in the operational credential set. - * - * @param cert Pointer to the ChipCertificateSet structures. - * - * @return True if certificate is in the set, false otherwise. - **/ - bool IsCertSetInTheOpCredSet(const ChipCertificateSet * cert) const; - - /** - * @brief Check whether Trusted Root ID is in the operational credential set. - * - * @param trustedRoot Reference to the Trusted Root ID. - * - * @return True if Trusted Root ID is in the set, false otherwise. - **/ - bool IsTrustedRootIn(const CertificateKeyId & trustedRoot) const; - - bool IsInitialized() const { return mMemoryAllocInternal; } - - /** - * @brief Validate CHIP certificate. - * - * @param trustedRootId Reference to the Trusted Root ID for the Certificate Set to be used - * for validation - * @param cert Pointer to the CHIP certificate to be validated. The certificate is - * required to be in this set, otherwise this function returns error. - * @param context Certificate validation context. 
- * - * @return Returns a CHIP_ERROR if no valid certificate could be found - **/ - CHIP_ERROR ValidateCert(const CertificateKeyId & trustedRootId, const ChipCertificateData * cert, ValidationContext & context); - - /** - * @brief Find and validate CHIP certificate. - * - * @param[in] trustedRootId Reference to the Trusted Root ID for the Certificate Set to be used - * for validation. - * @param[in] subjectDN Subject distinguished name to use as certificate search parameter. - * @param[in] subjectKeyId Subject key identifier to use as certificate search parameter. - * @param[in] context Certificate validation context. - * @param[out] certData A slot to write a pointer to the CHIP certificate data that matches search criteria. - * - * @return Returns a CHIP_ERROR if no valid certificate could be found - **/ - CHIP_ERROR FindValidCert(const CertificateKeyId & trustedRootId, const ChipDN & subjectDN, - const CertificateKeyId & subjectKeyId, ValidationContext & context, - const ChipCertificateData ** certData); - - /** - * @brief A function to sign a msg using ECDSA and the respective device credentials keypair. - * - * @param msg Message that needs to be signed - * @param msg_length Length of message - * @param out_signature Buffer that will hold the output signature. The signature consists of: 2 EC elements (r and s), - * represented as ASN.1 DER integers, plus the ASN.1 sequence Header - * - * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise - **/ - CHIP_ERROR SignMsg(const CertificateKeyId & trustedRootId, const uint8_t * msg, const size_t msg_length, - P256ECDSASignature & out_signature); - - /** - * @return A pointer to device credentials (in chip format). - **/ - const uint8_t * GetDevOpCred(const CertificateKeyId & trustedRootId) const - { - return GetNodeCredentialAt(trustedRootId)->mCredential; - } - - /** - * @return Length of the loaded device credentials buffer. 
- **/ - uint16_t GetDevOpCredLen(const CertificateKeyId & trustedRootId) const { return GetNodeCredentialAt(trustedRootId)->mLen; } - - CHIP_ERROR SetDevOpCred(const CertificateKeyId & trustedRootId, const uint8_t * chipDeviceCredentials, - uint16_t chipDeviceCredentialsLen); - - /** - * @brief - * Serialize the OperationalCredentialSet indexed by a TrustedRootID to the given serializable data structure - * - * This method must be called while the OperationalCredentialSet class is valid (After Init and before Release) - */ - CHIP_ERROR ToSerializable(const CertificateKeyId & trustedRootId, OperationalCredentialSerializable & output); - - /** - * @brief - * Reconstruct OperationalCredentialSet class from the serializable data structure. - * - * This method must be called after initializing the OperationalCredentialSet class with internal allocation. - * No references/pointers to the input parameter are made. The input parameter can be freed after calling this method. - */ - CHIP_ERROR FromSerializable(const OperationalCredentialSerializable & input); - - P256Keypair & GetDevOpCredKeypair(const CertificateKeyId & trustedRootId) { return *GetNodeKeypairAt(trustedRootId); } - - CHIP_ERROR SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair); - - const ChipCertificateData * GetRootCertificate(const CertificateKeyId & trustedRootId) const; - -private: - ChipCertificateSet * mOpCreds; /**< Pointer to an array of certificate data. */ - // TODO: switch mOpCredCount var type to size_t in order to allow more than 255 credentials per controller. - uint8_t mOpCredCount; /**< Number of certificates in mOpCreds - array. We maintain the invariant that all - the slots at indices less than - mCertCount have been constructed and slots - at indices >= mCertCount have either never - had their constructor called, or have had - their destructor called since then. */ - uint8_t mMaxCerts; /**< Length of mOpCreds array. 
*/ - bool mMemoryAllocInternal = false; /**< Indicates whether temporary memory buffers are allocated internally. */ - NodeCredentialMap mChipDeviceCredentials[kOperationalCredentialsMax]; - uint8_t mChipDeviceCredentialsCount; - NodeKeypairMap mDeviceOpCredKeypair[kOperationalCredentialsMax]; - uint8_t mDeviceOpCredKeypairCount; - - // TODO: Remove TrustedRootId indexing - Replace it with size_t index. - const NodeCredential * GetNodeCredentialAt(const CertificateKeyId & trustedRootId) const; - P256Keypair * GetNodeKeypairAt(const CertificateKeyId & trustedRootId); -}; - -} // namespace Credentials -} // namespace chip diff --git a/src/credentials/tests/BUILD.gn b/src/credentials/tests/BUILD.gn index 3b86802379449a..3b1b24e02e0fa1 100644 --- a/src/credentials/tests/BUILD.gn +++ b/src/credentials/tests/BUILD.gn @@ -38,7 +38,6 @@ chip_test_suite("tests") { test_sources = [ "TestChipCert.cpp", - "TestChipOperationalCredentials.cpp", "TestDeviceAttestationConstruction.cpp", "TestDeviceAttestationCredentials.cpp", "TestGroupDataProvider.cpp", diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp index ac4eb1514ff5e8..247f30260651f2 100644 --- a/src/credentials/tests/TestChipCert.cpp +++ b/src/credentials/tests/TestChipCert.cpp @@ -25,7 +25,6 @@ */ #include -#include #include #include #include diff --git a/src/credentials/tests/TestChipOperationalCredentials.cpp b/src/credentials/tests/TestChipOperationalCredentials.cpp deleted file mode 100644 index c1942200d260df..00000000000000 --- a/src/credentials/tests/TestChipOperationalCredentials.cpp +++ /dev/null 
@@ -1,289 +0,0 @@
-/*
- *
- * Copyright (c) 2021 Project CHIP Authors
- * All rights reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include
-#include
-#include
-#include
-
-#include
-
-#include "CHIPCert_test_vectors.h"
-
-using namespace chip;
-using namespace chip::TestCerts;
-
-namespace {
-static const BitFlags sGenTBSHashFlag(CertDecodeFlags::kGenerateTBSHash);
-static const BitFlags sTrustAnchorFlag(CertDecodeFlags::kIsTrustAnchor);
-
-static const BitFlags sNullLoadFlag;
-
-static OperationalCredentialSerializable sSerialized;
-static OperationalCredentialSerializable sSerialized2;
-} // namespace
-
-static CHIP_ERROR SetEffectiveTime(ValidationContext & validContext, uint16_t year, uint8_t mon, uint8_t day, uint8_t hour = 0,
- uint8_t min = 0, uint8_t sec = 0)
-{
- ASN1UniversalTime effectiveTime;
-
- effectiveTime.Year = year;
- effectiveTime.Month = mon;
- effectiveTime.Day = day;
- effectiveTime.Hour = hour;
- effectiveTime.Minute = min;
- effectiveTime.Second = sec;
-
- return ASN1ToChipEpochTime(effectiveTime, validContext.mEffectiveTime);
-}
-
-static void TestChipOperationalCredentials_CertValidation(nlTestSuite * inSuite, void * inContext)
-{
- CHIP_ERROR err;
- ChipCertificateSet certSet;
- OperationalCredentialSet opCredSet;
- ValidationContext validContext;
- enum
- {
- kMaxCertsPerTestCase = 10
- };
-
- struct ValidationTestCase
- {
- int mSubjectCertIndex;
- uint8_t mValidateFlags;
- uint8_t mRequiredCertType;
- CHIP_ERROR mExpectedResult;
- int mExpectedCertIndex;
- int mExpectedTrustAnchorIndex;
- struct
- {
- uint8_t Type;
- BitFlags DecodeFlags;
- BitFlags LoadFlags;
- } InputCerts[kMaxCertsPerTestCase];
- };
-
- // Short-hand names to make the test cases table more concise.
- enum
- {
- CTNS = kCertType_NotSpecified,
- CTCA = kCertType_ICA,
- CTNode = kCertType_Node,
- CTFS = kCertType_FirmwareSigning,
- };
-
- // clang-format off
- static const ValidationTestCase sValidationTestCases[] = {
- // Reqd Exp Exp Cert Cert
- // Subj Valid Cert Cert TA Cert Decode Load
- // Ind Flags Type Expected Result Index Index Type Flags Flags
- // ==================================================================================================================================
-
- // Basic validation of leaf certificate with different Trusted Anchor indexes to be used on TrustedRootID Search.
- { 2, 0, CTNS, CHIP_NO_ERROR, 2, 0, { { TestCerts::kRoot01, sTrustAnchorFlag, sNullLoadFlag },
- { TestCerts::kICA01, sGenTBSHashFlag, sNullLoadFlag },
- { TestCerts::kNode01_01, sGenTBSHashFlag, sNullLoadFlag } } },
- { 2, 0, CTNS, CHIP_NO_ERROR, 2, 0, { { TestCerts::kRoot01, sTrustAnchorFlag, sNullLoadFlag },
- { TestCerts::kICA01, sGenTBSHashFlag, sNullLoadFlag },
- { TestCerts::kNode01_01, sGenTBSHashFlag, sNullLoadFlag } } },
- { 2, 0, CTNS, CHIP_ERROR_CERT_NOT_FOUND, 2, 2, { { TestCerts::kRoot01, sTrustAnchorFlag, sNullLoadFlag },
- { TestCerts::kICA01, sGenTBSHashFlag, sNullLoadFlag },
- { TestCerts::kNode01_01, sGenTBSHashFlag, sNullLoadFlag } } },
- };
- // clang-format on
- static const size_t sNumValidationTestCases = ArraySize(sValidationTestCases);
-
- for (unsigned i = 0; i < sNumValidationTestCases; i++)
- {
- const ChipCertificateData * resultCert = nullptr;
- const ValidationTestCase & testCase = sValidationTestCases[i];
-
- err = certSet.Init(kMaxCertsPerTestCase);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
-
- for (size_t i2 = 0; i2 < kMaxCertsPerTestCase; i2++)
- {
- if (testCase.InputCerts[i2].Type != TestCerts::kNone)
- {
- err = LoadTestCert(certSet, testCase.InputCerts[i2].Type, testCase.InputCerts[i2].LoadFlags,
- testCase.InputCerts[i2].DecodeFlags);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
- }
- }
- // Make sure the test case is valid.
- NL_TEST_ASSERT(inSuite, testCase.mSubjectCertIndex >= 0 && testCase.mSubjectCertIndex < certSet.GetCertCount());
- if (testCase.mExpectedResult == CHIP_NO_ERROR)
- {
- NL_TEST_ASSERT(inSuite, testCase.mExpectedCertIndex >= 0 && testCase.mExpectedCertIndex < certSet.GetCertCount());
- NL_TEST_ASSERT(inSuite,
- testCase.mExpectedTrustAnchorIndex >= 0 && testCase.mExpectedTrustAnchorIndex < certSet.GetCertCount());
- }
-
- // Initialize the Operational Credential Set and load certificate set
- NL_TEST_ASSERT(inSuite, opCredSet.Init(&certSet, 1) == CHIP_NO_ERROR);
-
- // Initialize the validation context.
- validContext.Reset();
- err = SetEffectiveTime(validContext, 2021, 1, 1);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
- validContext.mRequiredKeyUsages.Set(KeyUsageFlags::kDigitalSignature);
- validContext.mRequiredKeyPurposes.Set(KeyPurposeFlags::kServerAuth);
- validContext.mValidateFlags.SetRaw(testCase.mValidateFlags);
- validContext.mRequiredCertType = testCase.mRequiredCertType;
-
- // Locate the subject DN and key id that will be used as input the FindValidCert() method.
- const ChipDN & subjectDN = certSet.GetCertSet()[testCase.mSubjectCertIndex].mSubjectDN;
- const CertificateKeyId & subjectKeyId = certSet.GetCertSet()[testCase.mSubjectCertIndex].mSubjectKeyId;
- const CertificateKeyId & trustedRootId = certSet.GetCertSet()[testCase.mExpectedTrustAnchorIndex].mAuthKeyId;
-
- // Invoke the FindValidCert() method (the method being tested).
- err = opCredSet.FindValidCert(trustedRootId, subjectDN, subjectKeyId, validContext, &resultCert);
- NL_TEST_ASSERT(inSuite, err == testCase.mExpectedResult);
-
- // If the test case is expected to be successful...
- if (err == CHIP_NO_ERROR)
- {
- // Verify that the method found the correct certificate.
- NL_TEST_ASSERT(inSuite, resultCert == &certSet.GetCertSet()[testCase.mExpectedCertIndex]);
-
- // Verify that the method selected the correct trust anchor.
- NL_TEST_ASSERT(inSuite, validContext.mTrustAnchor == &certSet.GetCertSet()[testCase.mExpectedTrustAnchorIndex]);
- }
-
- // Clear the certificate set.
- certSet.Release();
- // Clear the Operational Credential Set
- opCredSet.Release();
- }
-}
-
-static void TestChipOperationalCredentials_Serialization(nlTestSuite * inSuite, void * inContext)
-{
- CHIP_ERROR err;
- ChipCertificateSet certSet;
- OperationalCredentialSet opCredSet;
- OperationalCredentialSet opCredSet2;
- P256Keypair keypair;
- P256SerializedKeypair serializedKeypair;
- enum
- {
- kMaxCerts = 2
- };
-
- // Initialize the certificate set and load the specified test certificates.
- err = certSet.Init(kMaxCerts);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
- err = LoadTestCert(certSet, TestCerts::kRoot01, sNullLoadFlag, sTrustAnchorFlag);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
- err = LoadTestCert(certSet, TestCerts::kICA01, sNullLoadFlag, sGenTBSHashFlag);
- NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
-
- // Initialize the Operational Credential Set and load certificate set
- NL_TEST_ASSERT(inSuite, opCredSet.Init(&certSet, 1) == CHIP_NO_ERROR);
- NL_TEST_ASSERT(inSuite, opCredSet2.Init(1) == CHIP_NO_ERROR);
-
- CertificateKeyId trustedRootId = opCredSet.GetTrustedRootId(static_cast(opCredSet.GetCertCount() - 1));
- NL_TEST_ASSERT(inSuite, !trustedRootId.empty());
-
- NL_TEST_ASSERT(inSuite,
- serializedKeypair.SetLength(sTestCert_Node01_01_PublicKey_Len + sTestCert_Node01_01_PrivateKey_Len) ==
- CHIP_NO_ERROR);
-
- memcpy(static_cast(serializedKeypair), sTestCert_Node01_01_PublicKey, sTestCert_Node01_01_PublicKey_Len);
- memcpy(static_cast(serializedKeypair) + sTestCert_Node01_01_PublicKey_Len, sTestCert_Node01_01_PrivateKey,
- sTestCert_Node01_01_PrivateKey_Len);
-
- NL_TEST_ASSERT(inSuite, keypair.Deserialize(serializedKeypair) == CHIP_NO_ERROR);
-
- NL_TEST_ASSERT(inSuite, opCredSet.SetDevOpCredKeypair(trustedRootId, &keypair) == CHIP_NO_ERROR);
-
- NL_TEST_ASSERT(inSuite,
- opCredSet.SetDevOpCred(trustedRootId, sTestCert_Node01_01_Chip,
- static_cast(sTestCert_Node01_01_Chip_Len)) == CHIP_NO_ERROR);
-
- NL_TEST_ASSERT(inSuite, opCredSet.ToSerializable(trustedRootId, sSerialized) == CHIP_NO_ERROR);
- NL_TEST_ASSERT(inSuite, opCredSet2.FromSerializable(sSerialized) == CHIP_NO_ERROR);
-
- CertificateKeyId trustedRootId2 = opCredSet2.GetTrustedRootId(static_cast(opCredSet2.GetCertCount() - 1));
- NL_TEST_ASSERT(inSuite, trustedRootId2.data_equal(trustedRootId));
-
- NL_TEST_ASSERT(inSuite, opCredSet2.ToSerializable(trustedRootId2, sSerialized2) == CHIP_NO_ERROR);
-
- NL_TEST_ASSERT(inSuite,
- strncmp(reinterpret_cast(&sSerialized), reinterpret_cast(&sSerialized2),
- sizeof(sSerialized)) == 0);
-
- // Clear the certificate set.
- certSet.Release();
- // Clear the Operational Credential Set
- opCredSet2.Release();
- opCredSet.Release();
-}
-
-/**
- * Set up the test suite.
- */
-int TestChipOperationalCredentials_Setup(void * inContext)
-{
- CHIP_ERROR error = chip::Platform::MemoryInit();
-
- if (error != CHIP_NO_ERROR)
- {
- return FAILURE;
- }
-
- return SUCCESS;
-}
-
-/**
- * Tear down the test suite.
- */
-int TestChipOperationalCredentials_Teardown(void * inContext)
-{
- chip::Platform::MemoryShutdown();
- return SUCCESS;
-}
-
-/**
- * Test Suite. It lists all the test functions.
- */ -// clang-format off -static const nlTest sTests[] = { - NL_TEST_DEF("Test CHIP Certificate Validation", TestChipOperationalCredentials_CertValidation), - NL_TEST_DEF("Test CHIP Certificate Serialization", TestChipOperationalCredentials_Serialization), - NL_TEST_SENTINEL() -}; -// clang-format on - -int TestChipOperationalCredentials(void) -{ - // clang-format off - nlTestSuite theSuite = - { - "OperationalCredentials-CHIP-Certs", - &sTests[0], - TestChipOperationalCredentials_Setup, - TestChipOperationalCredentials_Teardown - }; - // clang-format on - nlTestRunner(&theSuite, nullptr); - return (nlTestRunnerStats(&theSuite)); -} - -CHIP_REGISTER_TEST_SUITE(TestChipOperationalCredentials); diff --git a/src/messaging/tests/MessagingContext.h b/src/messaging/tests/MessagingContext.h index b3121b4f35f2f9..21878322087456 100644 --- a/src/messaging/tests/MessagingContext.h +++ b/src/messaging/tests/MessagingContext.h @@ -16,7 +16,6 @@ */ #pragma once -#include #include #include #include @@ -87,8 +86,6 @@ class MessagingContext Messaging::ExchangeContext * NewExchangeToAlice(Messaging::ExchangeDelegate * delegate); Messaging::ExchangeContext * NewExchangeToBob(Messaging::ExchangeDelegate * delegate); - Credentials::OperationalCredentialSet & GetOperationalCredentialSet() { return mOperationalCredentialSet; } - System::Layer & GetSystemLayer() { return mIOContext->GetSystemLayer(); } private: @@ -109,7 +106,6 @@ class MessagingContext Transport::FabricTable mFabrics; FabricIndex mSrcFabricIndex = 0; FabricIndex mDestFabricIndex = 0; - Credentials::OperationalCredentialSet mOperationalCredentialSet; }; } // namespace Test diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h index d22a7f20a34284..07ccdfdcf9f195 100644 --- a/src/protocols/secure_channel/CASESession.h +++ b/src/protocols/secure_channel/CASESession.h @@ -26,7 +26,6 @@ #pragma once #include -#include #include #if CHIP_CRYPTO_HSM #include 
diff --git a/src/protocols/secure_channel/tests/TestCASESession.cpp b/src/protocols/secure_channel/tests/TestCASESession.cpp index 72abb58c9f5d6c..d18adfbb33a8e2 100644 --- a/src/protocols/secure_channel/tests/TestCASESession.cpp +++ b/src/protocols/secure_channel/tests/TestCASESession.cpp @@ -25,7 +25,6 @@ #include #include -#include #include #include #include diff --git a/src/transport/FabricTable.h b/src/transport/FabricTable.h index f723080b9afb59..e627fe053fa708 100644 --- a/src/transport/FabricTable.h +++ b/src/transport/FabricTable.h @@ -22,7 +22,7 @@ #pragma once #include -#include +#include #include #include #if CHIP_CRYPTO_HSM