Cleanup Just-In-Time Provisioning feature #10136

Merged
merged 2 commits into from
Oct 1, 2021
1 change: 0 additions & 1 deletion src/app/BUILD.gn
Expand Up @@ -107,7 +107,6 @@ static_library("app") {
defines = [
"CONFIG_USE_CLUSTERS_FOR_IP_COMMISSIONING=1",
"CHIP_DEVICE_CONFIG_ENABLE_EXTENDED_DISCOVERY=1",
"CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING=1",
]
}

20 changes: 0 additions & 20 deletions src/include/platform/CHIPDeviceConfig.h
Expand Up @@ -588,26 +588,6 @@
#define CHIP_DEVICE_CONFIG_SERVICE_PROVISIONING_REQUEST_TIMEOUT 10000
#endif

// -------------------- Just-In-Time Provisioning Configuration --------------------

/**
* CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
*
* Enable just-in-time provisioning functionality in the chip Device Layer.
*
* When enabled, device creates and uses its ephemeral operational credentials:
* - operational device id
* - operational device self-signed certificate
* - operational device private key
* When enabled, device also implements certificate provisioning protocol and uses it to obtain
* service assigned certificate from the Certification Authority Service.
*
* Then, device uses these credentials to authenticate and communicate to other chip nodes.
*/
#ifndef CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
#define CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING 0
#endif

// -------------------- Thread Configuration --------------------

/**
57 changes: 0 additions & 57 deletions src/include/platform/ConfigurationManager.h
Expand Up @@ -103,12 +103,6 @@ class ConfigurationManager
CHIP_ERROR StoreManufacturingDate(const char * mfgDate, size_t mfgDateLen);
CHIP_ERROR StoreProductRevision(uint16_t productRev);
CHIP_ERROR StoreFabricId(uint64_t fabricId);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR StoreDeviceId(uint64_t deviceId);
CHIP_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
CHIP_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
#endif
CHIP_ERROR StoreManufacturerDeviceId(uint64_t deviceId);
CHIP_ERROR StoreManufacturerDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR StoreManufacturerDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
Expand Down Expand Up @@ -138,10 +132,6 @@ class ConfigurationManager
bool IsPairedToAccount();
bool IsMemberOfFabric();
bool IsFullyProvisioned();
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool OperationalDeviceCredentialsProvisioned();
#endif

void InitiateFactoryReset();

CHIP_ERROR ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize);
Expand Down Expand Up @@ -178,10 +168,6 @@ class ConfigurationManager
CHIP_ERROR SetFailSafeArmed(bool val);
CHIP_ERROR ReadPersistedStorageValue(::chip::Platform::PersistedStorage::Key key, uint32_t & value);
CHIP_ERROR WritePersistedStorageValue(::chip::Platform::PersistedStorage::Key key, uint32_t value);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR ClearOperationalDeviceCredentials(void);
void UseManufacturerCredentialsAsOperational(bool val);
#endif

protected:
// Construction/destruction limited to subclasses.
Expand Down Expand Up @@ -432,30 +418,6 @@ inline CHIP_ERROR ConfigurationManager::StoreFabricId(uint64_t fabricId)
return static_cast<ImplClass *>(this)->_StoreFabricId(fabricId);
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline CHIP_ERROR ConfigurationManager::StoreDeviceId(uint64_t deviceId)
{
return static_cast<ImplClass *>(this)->_StoreDeviceId(deviceId);
}

inline CHIP_ERROR ConfigurationManager::StoreDeviceCertificate(const uint8_t * cert, size_t certLen)
{
return static_cast<ImplClass *>(this)->_StoreDeviceCertificate(cert, certLen);
}

inline CHIP_ERROR ConfigurationManager::StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen)
{
return static_cast<ImplClass *>(this)->_StoreDeviceIntermediateCACerts(certs, certsLen);
}

inline CHIP_ERROR ConfigurationManager::StoreDevicePrivateKey(const uint8_t * key, size_t keyLen)
{
return static_cast<ImplClass *>(this)->_StoreDevicePrivateKey(key, keyLen);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline CHIP_ERROR ConfigurationManager::StoreManufacturerDeviceId(uint64_t deviceId)
{
return static_cast<ImplClass *>(this)->_StoreManufacturerDeviceId(deviceId);
Expand Down Expand Up @@ -614,25 +576,6 @@ inline CHIP_ERROR ConfigurationManager::SetFailSafeArmed(bool val)
return static_cast<ImplClass *>(this)->_SetFailSafeArmed(val);
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline bool ConfigurationManager::OperationalDeviceCredentialsProvisioned()
{
return static_cast<ImplClass *>(this)->_OperationalDeviceCredentialsProvisioned();
}

inline CHIP_ERROR ConfigurationManager::ClearOperationalDeviceCredentials(void)
{
return static_cast<ImplClass *>(this)->_ClearOperationalDeviceCredentials();
}

inline void ConfigurationManager::UseManufacturerCredentialsAsOperational(bool val)
{
static_cast<ImplClass *>(this)->_UseManufacturerCredentialsAsOperational(val);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

inline void ConfigurationManager::LogDeviceConfig()
{
static_cast<ImplClass *>(this)->_LogDeviceConfig();
126 changes: 5 additions & 121 deletions src/include/platform/internal/GenericConfigurationManagerImpl.cpp
Expand Up @@ -56,9 +56,7 @@ CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_Init()
mFlags.ClearAll()
.Set(Flags::kIsServiceProvisioned, Impl()->ConfigValueExists(ImplClass::kConfigKey_ServiceConfig))
.Set(Flags::kIsMemberOfFabric, Impl()->ConfigValueExists(ImplClass::kConfigKey_FabricId))
.Set(Flags::kIsPairedToAccount, Impl()->ConfigValueExists(ImplClass::kConfigKey_PairedAccountId))
.Set(Flags::kOperationalDeviceCredentialsProvisioned,
Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDeviceCert));
.Set(Flags::kIsPairedToAccount, Impl()->ConfigValueExists(ImplClass::kConfigKey_PairedAccountId));

#if CHIP_ENABLE_ROTATING_DEVICE_ID
mLifetimePersistedCounter.Init(CHIP_CONFIG_LIFETIIME_PERSISTED_COUNTER_KEY);
Expand Down Expand Up @@ -431,139 +429,28 @@ CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreManufacturerDeviceP
template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceId(uint64_t & deviceId)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValue(ImplClass::kConfigKey_OperationalDeviceId, deviceId);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceId(deviceId);
}

return err;
return Impl()->_GetManufacturerDeviceId(deviceId);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDeviceCert, buf, bufSize, certLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceCertificate(buf, bufSize, certLen);
}

return err;
return Impl()->_GetManufacturerDeviceCertificate(buf, bufSize, certLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize,
size_t & certsLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDeviceICACerts, buf, bufSize, certsLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDeviceIntermediateCACerts(buf, bufSize, certsLen);
}

return err;
return Impl()->_GetManufacturerDeviceIntermediateCACerts(buf, bufSize, certsLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen)
{
CHIP_ERROR err;

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
if (!UseManufacturerCredentialsAsOperational())
{
err = Impl()->ReadConfigValueBin(ImplClass::kConfigKey_OperationalDevicePrivateKey, buf, bufSize, keyLen);
}
else
#endif
{
err = Impl()->_GetManufacturerDevicePrivateKey(buf, bufSize, keyLen);
}

return err;
}

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceId(uint64_t deviceId)
{
return Impl()->WriteConfigValue(ImplClass::kConfigKey_OperationalDeviceId, deviceId);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceCertificate(const uint8_t * cert, size_t certLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceCert, cert, certLen);
return Impl()->_GetManufacturerDevicePrivateKey(buf, bufSize, keyLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceICACerts, certs, certsLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_StoreDevicePrivateKey(const uint8_t * key, size_t keyLen)
{
return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDevicePrivateKey, key, keyLen);
}

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_ClearOperationalDeviceCredentials(void)
{
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceId);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts);
Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey);

mFlags.Clear(Flags::kOperationalDeviceCredentialsProvisioned);

return CHIP_NO_ERROR;
}

template <class ImplClass>
bool GenericConfigurationManagerImpl<ImplClass>::_OperationalDeviceCredentialsProvisioned()
{
return mFlags.Has(Flags::kOperationalDeviceCredentialsProvisioned);
}

template <class ImplClass>
bool GenericConfigurationManagerImpl<ImplClass>::UseManufacturerCredentialsAsOperational()
{
return mFlags.Has(Flags::kUseManufacturerCredentialsAsOperational);
}

template <class ImplClass>
void GenericConfigurationManagerImpl<ImplClass>::_UseManufacturerCredentialsAsOperational(bool val)
{
mFlags.Set(Flags::kUseManufacturerCredentialsAsOperational, val);
}

#endif // CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING

template <class ImplClass>
CHIP_ERROR GenericConfigurationManagerImpl<ImplClass>::_GetSetupPinCode(uint32_t & setupPinCode)
{
Expand Down Expand Up @@ -923,9 +810,6 @@ bool GenericConfigurationManagerImpl<ImplClass>::_IsFullyProvisioned()
#endif
#if CHIP_DEVICE_CONFIG_ENABLE_THREAD
ConnectivityMgr().IsThreadProvisioned() &&
#endif
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
(!UseManufacturerCredentialsAsOperational() && _OperationalDeviceCredentialsProvisioned()) &&
#endif
// TODO: Add checks regarding fabric membership (IsMemberOfFabric()) and account pairing (IsPairedToAccount()),
// when functionalities will be implemented.
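Review bot: Nothing in this section erases operational credentials that an earlier build may already have persisted; the hunk that drops `_StoreDevicePrivateKey` and `_ClearOperationalDeviceCredentials` (together with the `kConfigKey_OperationalDevice*` keys removed from Darwin/PosixConfig.cpp) takes away the only visible code that could clear the `op-device-key` entry. If any image built with `CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING=1` ever wrote those values, the private key would stay in config storage with no remaining path to delete it, unless factory reset wipes the whole namespace, which is not visible here. Consider keeping the key constants for one release and doing a best-effort wipe in `_Init()` (whose body continues outside the hunk), e.g. `Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey);` plus the same call for the cert, ICA-cert and device-id keys. Separately, the four `_GetDevice*` getters now always hand back the manufacturer credentials, so a one-line comment above `_GetDeviceId` such as `// Operational credentials are always the manufacturer-provisioned ones.` would make that explicit for callers of `_GetDevicePrivateKey`.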
18 changes: 1 addition & 17 deletions src/include/platform/internal/GenericConfigurationManagerImpl.h
Expand Up @@ -77,13 +77,6 @@ class GenericConfigurationManagerImpl
CHIP_ERROR _GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
CHIP_ERROR _GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize, size_t & certsLen);
CHIP_ERROR _GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
CHIP_ERROR _StoreDeviceId(uint64_t deviceId);
CHIP_ERROR _StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
CHIP_ERROR _StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
CHIP_ERROR _StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
CHIP_ERROR _ClearOperationalDeviceCredentials(void);
#endif
CHIP_ERROR _GetManufacturerDeviceId(uint64_t & deviceId);
CHIP_ERROR _StoreManufacturerDeviceId(uint64_t deviceId);
CHIP_ERROR _GetManufacturerDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
Expand Down Expand Up @@ -138,10 +131,6 @@ class GenericConfigurationManagerImpl
bool _IsPairedToAccount();
bool _IsFullyProvisioned();
CHIP_ERROR _ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize);
#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool _OperationalDeviceCredentialsProvisioned();
void _UseManufacturerCredentialsAsOperational(bool val);
#endif
void _LogDeviceConfig();

protected:
Expand All @@ -150,8 +139,7 @@ class GenericConfigurationManagerImpl
kIsServiceProvisioned = 0x01,
kIsMemberOfFabric = 0x02,
kIsPairedToAccount = 0x04,
kOperationalDeviceCredentialsProvisioned = 0x08,
kUseManufacturerCredentialsAsOperational = 0x10,
kUseManufacturerCredentialsAsOperational = 0x08,
Contributor


remove

};

BitFlags<Flags> mFlags;
Expand All @@ -162,10 +150,6 @@ class GenericConfigurationManagerImpl

private:
ImplClass * Impl() { return static_cast<ImplClass *>(this); }

#if CHIP_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
bool UseManufacturerCredentialsAsOperational();
#endif
};

// Instruct the compiler to instantiate the template only when explicitly told to do so.
28 changes: 12 additions & 16 deletions src/platform/Darwin/PosixConfig.cpp
Expand Up @@ -54,22 +54,18 @@ const PosixConfig::Key PosixConfig::kConfigKey_SetupPinCode = { kConfigNa
const PosixConfig::Key PosixConfig::kConfigKey_SetupDiscriminator = { kConfigNamespace_ChipFactory, "discriminator" };

// Keys stored in the Chip-config namespace
const PosixConfig::Key PosixConfig::kConfigKey_FabricId = { kConfigNamespace_ChipConfig, "fabric-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceConfig = { kConfigNamespace_ChipConfig, "service-config" };
const PosixConfig::Key PosixConfig::kConfigKey_PairedAccountId = { kConfigNamespace_ChipConfig, "account-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceId = { kConfigNamespace_ChipConfig, "service-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricSecret = { kConfigNamespace_ChipConfig, "fabric-secret" };
const PosixConfig::Key PosixConfig::kConfigKey_GroupKeyIndex = { kConfigNamespace_ChipConfig, "group-key-index" };
const PosixConfig::Key PosixConfig::kConfigKey_LastUsedEpochKeyId = { kConfigNamespace_ChipConfig, "last-ek-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FailSafeArmed = { kConfigNamespace_ChipConfig, "fail-safe-armed" };
const PosixConfig::Key PosixConfig::kConfigKey_WiFiStationSecType = { kConfigNamespace_ChipConfig, "sta-sec-type" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceId = { kConfigNamespace_ChipConfig, "op-device-id" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceCert = { kConfigNamespace_ChipConfig, "op-device-cert" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDeviceICACerts = { kConfigNamespace_ChipConfig, "op-device-ca-certs" };
const PosixConfig::Key PosixConfig::kConfigKey_OperationalDevicePrivateKey = { kConfigNamespace_ChipConfig, "op-device-key" };
const PosixConfig::Key PosixConfig::kConfigKey_RegulatoryLocation = { kConfigNamespace_ChipConfig, "regulatory-location" };
const PosixConfig::Key PosixConfig::kConfigKey_CountryCode = { kConfigNamespace_ChipConfig, "country-code" };
const PosixConfig::Key PosixConfig::kConfigKey_Breadcrumb = { kConfigNamespace_ChipConfig, "breadcrumb" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricId = { kConfigNamespace_ChipConfig, "fabric-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceConfig = { kConfigNamespace_ChipConfig, "service-config" };
const PosixConfig::Key PosixConfig::kConfigKey_PairedAccountId = { kConfigNamespace_ChipConfig, "account-id" };
const PosixConfig::Key PosixConfig::kConfigKey_ServiceId = { kConfigNamespace_ChipConfig, "service-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FabricSecret = { kConfigNamespace_ChipConfig, "fabric-secret" };
const PosixConfig::Key PosixConfig::kConfigKey_GroupKeyIndex = { kConfigNamespace_ChipConfig, "group-key-index" };
const PosixConfig::Key PosixConfig::kConfigKey_LastUsedEpochKeyId = { kConfigNamespace_ChipConfig, "last-ek-id" };
const PosixConfig::Key PosixConfig::kConfigKey_FailSafeArmed = { kConfigNamespace_ChipConfig, "fail-safe-armed" };
const PosixConfig::Key PosixConfig::kConfigKey_WiFiStationSecType = { kConfigNamespace_ChipConfig, "sta-sec-type" };
const PosixConfig::Key PosixConfig::kConfigKey_RegulatoryLocation = { kConfigNamespace_ChipConfig, "regulatory-location" };
const PosixConfig::Key PosixConfig::kConfigKey_CountryCode = { kConfigNamespace_ChipConfig, "country-code" };
const PosixConfig::Key PosixConfig::kConfigKey_Breadcrumb = { kConfigNamespace_ChipConfig, "breadcrumb" };

// Prefix used for NVS keys that contain Chip group encryption keys.
const char PosixConfig::kGroupKeyNamePrefix[] = "gk-";
4 changes: 0 additions & 4 deletions src/platform/Darwin/PosixConfig.h
Expand Up @@ -69,10 +69,6 @@ class PosixConfig
static const Key kConfigKey_LastUsedEpochKeyId;
static const Key kConfigKey_FailSafeArmed;
static const Key kConfigKey_WiFiStationSecType;
static const Key kConfigKey_OperationalDeviceId;
static const Key kConfigKey_OperationalDeviceCert;
static const Key kConfigKey_OperationalDeviceICACerts;
static const Key kConfigKey_OperationalDevicePrivateKey;
static const Key kConfigKey_SetupDiscriminator;
static const Key kConfigKey_RegulatoryLocation;
static const Key kConfigKey_CountryCode;