From f622684150b9da9fdfa57eb1513cb26de7168bfd Mon Sep 17 00:00:00 2001 From: Evgeni Margolis Date: Wed, 4 May 2022 23:09:11 -0700 Subject: [PATCH] Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the Certification Declaration. --- .../DefaultDeviceAttestationVerifier.cpp | 14 ++++++++++++++ .../DeviceAttestationVerifier.h | 7 +++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp index 896cfe9f3a0138..6524fafa80f836 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp @@ -278,6 +278,12 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer .paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified), }; + MutableByteSpan paaSKID(deviceInfo.paaSKID); + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, vendorReserved) == CHIP_NO_ERROR, @@ -384,6 +390,14 @@ AttestationVerificationResult DefaultDACVerifier::ValidateCertificateDeclaration } } + if (cdContent.authorizedPAAListPresent) + { + // The Subject Key Id of the PAA SHALL match one of the values present in the authorized_paa_list + // in the Certification Declaration. + VerifyOrReturnError(cdElementsDecoder.HasAuthorizedPAA(certDeclBuffer, ByteSpan(deviceInfo.paaSKID)), + AttestationVerificationResult::kCertificationDeclarationInvalidPAA); + } + return AttestationVerificationResult::kSuccess; } diff --git a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h index 038559882dd427..756759d32ebe03 100644 --- a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h +++ b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h @@ -68,6 +68,7 @@ enum class AttestationVerificationResult : uint16_t kCertificationDeclarationInvalidFormat = 603, kCertificationDeclarationInvalidVendorId = 604, kCertificationDeclarationInvalidProductId = 605, + kCertificationDeclarationInvalidPAA = 606, kNoMemory = 700, @@ -93,7 +94,7 @@ struct DeviceInfoForAttestation uint16_t vendorId = VendorId::NotSpecified; // Product ID reported by device in Basic Information cluster uint16_t productId = 0; - // Vendor ID from DAC + // Vendor ID from DAC uint16_t dacVendorId = VendorId::NotSpecified; // Product ID from DAC uint16_t dacProductId = 0; @@ -101,8 +102,10 @@ struct DeviceInfoForAttestation uint16_t paiVendorId = VendorId::NotSpecified; // Product ID from PAI cert (0 if absent) uint16_t paiProductId = 0; - // Vendor ID from PAA cert + // Vendor ID from PAA cert uint16_t paaVendorId = VendorId::NotSpecified; + // Subject Key Identifier (SKID) from PAA cert + uint8_t paaSKID[Crypto::kSubjectKeyIdentifierLength] = { 0 }; }; typedef void (*OnAttestationInformationVerification)(void * context, AttestationVerificationResult result);