From 51afde7d438fcb48dfdd2d935a2ef7851824d10e Mon Sep 17 00:00:00 2001 From: chrisdecenzo Date: Mon, 8 Aug 2022 11:19:46 -0700 Subject: [PATCH 1/8] Draft: Allow partial validation of DAC and CD (when PAA list is not local) --- .../java/AndroidDeviceControllerWrapper.cpp | 6 +- .../java/AndroidDeviceControllerWrapper.h | 6 ++ .../AndroidOperationalCredentialsIssuer.cpp | 14 ++- .../java/CHIPDeviceController-JNI.cpp | 6 ++ .../DefaultDeviceAttestationVerifier.cpp | 100 ++++++++++++------ .../DefaultDeviceAttestationVerifier.h | 10 +- 6 files changed, 100 insertions(+), 42 deletions(-) diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp index 8b28896a701d44..612001c1797d96 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.cpp +++ b/src/controller/java/AndroidDeviceControllerWrapper.cpp @@ -127,11 +127,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( chip::Controller::AndroidOperationalCredentialsIssuer * opCredsIssuer = wrapper->mOpCredsIssuer.get(); - // Initialize device attestation verifier - // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available - const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore(); - SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore)); - chip::Controller::FactoryInitParams initParams; chip::Controller::SetupParams setupParams; @@ -148,6 +143,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( setupParams.pairingDelegate = wrapper.get(); setupParams.operationalCredentialsDelegate = opCredsIssuer; setupParams.defaultCommissioner = &wrapper->mAutoCommissioner; + setupParams.deviceAttestationVerifier = &wrapper->mDACVerifier; initParams.fabricIndependentStorage = wrapperStorage; wrapper->mGroupDataProvider.SetStorageDelegate(wrapperStorage); 
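Review bot: The `@@ -127,11 +127,6` hunk removes the `SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore))` call without registering a replacement for the process-global verifier, so only the commissioner that receives `setupParams.deviceAttestationVerifier` (the `@@ -148,6 +143,7` hunk) sees `mDACVerifier`; anything that still goes through the global accessor presumably gets whatever was registered earlier, which may be nothing. If that global is still consulted anywhere, keep a `SetDeviceAttestationVerifier(&wrapper->mDACVerifier);` next to the new `setupParams` line so both paths use one instance. `AllocateNew` starts and ends outside these hunks, and the same hunks appear again in PATCH 2/8.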
diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h index 77f9a6d735cc25..cafe02d52cea6f 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.h +++ b/src/controller/java/AndroidDeviceControllerWrapper.h @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -94,6 +95,8 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner * GetAutoCommissioner() { return &mAutoCommissioner; } + chip::Credentials::DefaultDACVerifier * GetDACVerifier() { return &mDACVerifier; } + const chip::Controller::CommissioningParameters & GetCommissioningParameters() const { return mAutoCommissioner.GetCommissioningParameters(); @@ -175,6 +178,9 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner mAutoCommissioner; + // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available + chip::Credentials::DefaultDACVerifier mDACVerifier{ chip::Credentials::GetTestAttestationTrustStore() }; + AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) : mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer)) {} diff --git a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp index aa54ae1d4c1336..249921ae17c923 100644 --- a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp +++ b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp 
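Review bot: `chip::Credentials::DefaultDACVerifier mDACVerifier{ chip::Credentials::GetTestAttestationTrustStore() };` in the `@@ -175,6 +178,9` hunk bakes the test PAA store into the wrapper at construction, so the TODO carried over from the .cpp can now only be resolved by editing the header rather than by configuring the wrapper. Taking the store through the private constructor shown two lines below (`AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer, const chip::Credentials::AttestationTrustStore * trustStore)`) and initialising `mDACVerifier{ trustStore }` from it would let the caller choose the root set without touching this class. `GetDACVerifier()` in the `@@ -94,6 +95,8` hunk hands out a mutable pointer whose only purpose is to flip verification flags; a one-line comment saying so would help the next reader.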
@@ -151,7 +151,7 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan } CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, - const ByteSpan & csrSignature, + const ByteSpan & csrElementsSignature, const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI, Callback::Callback * onCompletion) @@ -177,8 +177,9 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const B jbyteArray javaCsrNonce; JniReferences::GetInstance().N2J_ByteArray(env, csrNonce.data(), csrNonce.size(), javaCsrNonce); - jbyteArray javaCsrSignature; - JniReferences::GetInstance().N2J_ByteArray(env, csrSignature.data(), csrSignature.size(), javaCsrSignature); + jbyteArray javaCsrElementsSignature; + JniReferences::GetInstance().N2J_ByteArray(env, csrElementsSignature.data(), csrElementsSignature.size(), + javaCsrElementsSignature); ChipLogProgress(Controller, "Parsing Certificate Signing Request"); TLVReader reader; @@ -202,8 +203,13 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const B jbyteArray javaCsr; JniReferences::GetInstance().N2J_ByteArray(env, csr.data(), csr.size(), javaCsr); + P256PublicKey pubkey; + ReturnErrorOnFailure(VerifyCertificateSigningRequest(csr.data(), csr.size(), pubkey)); + // TODO: verify signed by DAC creds? + ChipLogProgress(chipTool, "VerifyCertificateSigningRequest"); + jobject csrInfo; - err = N2J_CSRInfo(env, javaCsrNonce, javaCsrElements, javaCsrSignature, javaCsr, csrInfo); + err = N2J_CSRInfo(env, javaCsrNonce, javaCsrElements, javaCsrElementsSignature, javaCsr, csrInfo); if (err != CHIP_NO_ERROR) { ChipLogError(Controller, "Failed to create CSRInfo"); diff --git a/src/controller/java/CHIPDeviceController-JNI.cpp b/src/controller/java/CHIPDeviceController-JNI.cpp index 420a17e20160f8..2f997c69ed1217 100644 --- a/src/controller/java/CHIPDeviceController-JNI.cpp 
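Review bot: `ChipLogProgress(chipTool, "VerifyCertificateSigningRequest");` in the `@@ -202,8 +203,13` hunk logs under the `chipTool` module from controller JNI code whose other messages in the same hunk use `Controller`, and the `ReturnErrorOnFailure(VerifyCertificateSigningRequest(...))` just above it returns silently where the `N2J_CSRInfo` failure below is reported with `ChipLogError(Controller, ...)`. Suggest `err = VerifyCertificateSigningRequest(csr.data(), csr.size(), pubkey);` followed by the same `if (err != CHIP_NO_ERROR) { ChipLogError(Controller, "CSR self-signature check failed"); ... }` path the function already uses. The `// TODO: verify signed by DAC creds?` question appears to be answered by the override whose parameter list (`const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce`) is visible in the DefaultDeviceAttestationVerifier.h hunk; the TODO should point there or be dropped. `CallbackGenerateNOCChain` starts before and ends after this hunk, and the same hunk appears again in PATCH 2/8.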
+++ b/src/controller/java/CHIPDeviceController-JNI.cpp @@ -541,6 +541,12 @@ JNI_METHOD(void, setUseJavaCallbackForNOCRequest) AndroidDeviceControllerWrapper * wrapper = AndroidDeviceControllerWrapper::FromJNIHandle(handle); wrapper->GetAndroidOperationalCredentialsIssuer()->SetUseJavaCallbackForNOCRequest(useCallback); + + // disable the local PAA Root store since we will be performing validation in the callback + wrapper->GetDACVerifier()->SetUseLocalPAARootStore(!useCallback); + + // disable the local CSA store since we will be performing validation in the callback + wrapper->GetDACVerifier()->SetUseLocalCSAStore(!useCallback); } JNI_METHOD(void, updateCommissioningNetworkCredentials) diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp index 518ebc2eb8f6f8..699a1c89965742 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp @@ -158,6 +158,11 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer AttestationCertVidPid paiVidPid; AttestationCertVidPid paaVidPid; + DeviceInfoForAttestation deviceInfo{ + .vendorId = info.vendorId, + .productId = info.productId, + }; + VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && !info.attestationNonceBuffer.empty() && onCompletion != nullptr, @@ -200,8 +205,7 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer } { - uint8_t akidBuf[Crypto::kAuthorityKeyIdentifierLength]; - MutableByteSpan akid(akidBuf); + MutableByteSpan akid(deviceInfo.paaSKID); constexpr size_t paaCertAllocatedLen = kMaxDERCertLength; VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, 
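Review bot: `SetUseLocalPAARootStore(!useCallback)` and `SetUseLocalCSAStore(!useCallback)` in the `@@ -541,6 +541,12` hunk turn off PAA chain validation and the CD signature check as a side effect of enabling the Java NOC callback, but the callback signature visible in the AndroidOperationalCredentialsIssuer.cpp hunk receives csrElements, csrNonce, csrElementsSignature, attestationChallenge, DAC and PAI — not the attestation elements or the certification declaration — so as far as this series shows the Java side cannot perform the CD check the comment says it will. Either pass the CD (or the whole attestation elements buffer) to the callback in the same change, or keep the CSA-store check enabled here and delegate only the PAA lookup. A comment on each call stating what the flag removes, e.g. `// false: PAA lookup, PAA VID/PID checks, DAC->PAI->PAA chain validation and PAA SKID extraction are skipped`, would make the trade-off visible to the next caller. The same hunk appears again in PATCH 2/8.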
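Review bot: `MutableByteSpan akid(deviceInfo.paaSKID);` in the `@@ -200,8 +205,7` hunk writes the PAI's authority key identifier into the field that `deviceInfo` later carries into `ValidateCertificateDeclarationPayload`, presumably as the PAA's subject key identifier. In the local path the `@@ -250,21 +270,26` hunk overwrites it with `ExtractSKIDFromX509Cert` on the trusted PAA and checks `paaSKID.size() == sizeof(deviceInfo.paaSKID)`, but when `mUseLocalPAARootStore` is false it is neither overwritten nor length-checked, so the CD payload is evaluated against a value taken from the unverified PAI. Keep the original `uint8_t akidBuf[Crypto::kAuthorityKeyIdentifierLength]; MutableByteSpan akid(akidBuf);` and copy into `deviceInfo.paaSKID` only after the length check, or zero the field in the non-local branch. `VerifyAttestationInformation` starts before and ends after these hunks; the same hunks appear again in PATCH 2/8.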
@@ -209,20 +213,28 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); - paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); - VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaNotFound); + if (mUseLocalPAARootStore) + { + paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); + VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaNotFound); + + VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + if (paaVidPid.mVendorId.HasValue()) + { + VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, + attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + } - if (paaVidPid.mVendorId.HasValue()) + VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } + else { - VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, - attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + ChipLogProgress( + Support, "DefaultDACVerifier::VerifyAttestationInformation skipping vid-scoped PAA check - PAARootStore disabled"); } - - VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); } #if !defined(CURRENT_TIME_NOT_IMPLEMENTED) 
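Review bot: `VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), ...)` still runs above the new `if (mUseLocalPAARootStore)` block in the `@@ -209,20 +213,28` hunk, so a `kMaxDERCertLength` buffer is allocated on every verification even when it is never filled; moving that line inside the `if` avoids it. In the `else` branch `paaDerBuffer` stays empty and `paaVidPid` unset, yet the PAA validity-time check whose tail (`attestationError = AttestationVerificationResult::kPaaExpired);`) opens the next hunk lives in the unchanged lines between the two hunks and is not gated anywhere in this series — if it parses `paaDerBuffer`, the non-local path will fail there or run on an empty span, so confirm it is guarded by the same flag. The same hunk appears again in PATCH 2/8.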
@@ -237,11 +249,19 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer attestationError = AttestationVerificationResult::kPaaExpired); CertificateChainValidationResult chainValidationResult; - VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), - info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), - chainValidationResult) == CHIP_NO_ERROR, - attestationError = MapError(chainValidationResult)); + if (mUseLocalPAARootStore) + { + VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), + info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), + chainValidationResult) == CHIP_NO_ERROR, + attestationError = MapError(chainValidationResult)); + } + else + { + ChipLogProgress(Support, + "DefaultDACVerifier::VerifyAttestationInformation skipping cert chain validation - PAARootStore disabled"); + } { ByteSpan certificationDeclarationSpan; ByteSpan attestationNonceSpan; 
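Review bot: The `else` branch in the `@@ -237,11 +249,19` hunk skips `ValidateCertificateChain` entirely, which drops the PAI→DAC signature check along with the PAA link, so with the local store disabled nothing in this function ties the presented DAC to the presented PAI. If the helper supports a partial chain, validating DAC against PAI here and deferring only the PAA step to the remote verifier keeps more of the check local; otherwise the log text should say what is lost, e.g. `"skipping cert chain validation (DAC->PAI->PAA) - PAARootStore disabled; caller must validate the chain"`. `chainValidationResult` is now only used inside the `if` and can be declared there. The same hunk appears again in PATCH 2/8.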
@@ -250,21 +270,26 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer DeviceAttestationVendorReservedDeconstructor vendorReserved; ByteSpan certificationDeclarationPayload; - DeviceInfoForAttestation deviceInfo{ - .vendorId = info.vendorId, - .productId = info.productId, - .dacVendorId = dacVidPid.mVendorId.Value(), - .dacProductId = dacVidPid.mProductId.Value(), - .paiVendorId = paiVidPid.mVendorId.Value(), - .paiProductId = paiVidPid.mProductId.ValueOr(0), - .paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified), - }; + deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); + deviceInfo.dacProductId = dacVidPid.mProductId.Value(); + deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); + deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); + deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); - MutableByteSpan paaSKID(deviceInfo.paaSKID); - VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + if (mUseLocalPAARootStore) + { + MutableByteSpan paaSKID(deviceInfo.paaSKID); + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } + else + { + ChipLogProgress( + Support, + "DefaultDACVerifier::VerifyAttestationInformation skipping PAA subject key id extraction - PAARootStore disabled"); + } VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, 
@@ -275,8 +300,19 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), attestationError = AttestationVerificationResult::kAttestationNonceMismatch); - attestationError = ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + if (mUseLocalCSAStore) + { + attestationError = + ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + } + else + { + ChipLogProgress( + Support, "DefaultDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled"); + VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h index 99f2fb5f2b85ae..6c61be285f586d 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h 
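Review bot: In the `else` branch of the `@@ -275,8 +300,19` hunk a `CMS_ExtractCDContent` failure is reported as `kPaaFormatInvalid`, which names the wrong artifact; a certification-declaration result (the enum's CD format value, `kCertificationDeclarationInvalidFormat`, if that is what this tree calls it) should be used. The larger issue is that after skipping both chain validation and the CD signature the function still reaches the success path, so `onCompletion` receives the same `kSuccess` as a fully verified device and the caller cannot distinguish "verified locally" from "only structurally checked". Either a distinct outcome for the partial mode, or a documented invariant on `DefaultDACVerifier` that `kSuccess` carries no trust claim when either flag is false, is needed. The same hunk appears again in PATCH 2/8.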
@@ -41,10 +41,18 @@ class DefaultDACVerifier : public DeviceAttestationVerifier const ByteSpan & attestationSignatureBuffer, const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override; -protected: + bool GetUseLocalPAARootStore() { return mUseLocalPAARootStore; } + void SetUseLocalPAARootStore(bool useLocalPAARootStore) { mUseLocalPAARootStore = useLocalPAARootStore; } + + bool GetUseLocalCSAStore() { return mUseLocalCSAStore; } + void SetUseLocalCSAStore(bool useLocalCSAStore) { mUseLocalCSAStore = useLocalCSAStore; } + DefaultDACVerifier() {} +protected: const AttestationTrustStore * mAttestationTrustStore; + bool mUseLocalPAARootStore = true; + bool mUseLocalCSAStore = true; }; /** From 2478c688382bec27f4e4993377c433c1300df192 Mon Sep 17 00:00:00 2001 From: chrisdecenzo Date: Mon, 8 Aug 2022 11:19:46 -0700 Subject: [PATCH 2/8] Draft: Allow partial validation of DAC and CD (when PAA list is not local) --- .../java/AndroidDeviceControllerWrapper.cpp | 6 +- .../java/AndroidDeviceControllerWrapper.h | 6 ++ .../AndroidOperationalCredentialsIssuer.cpp | 14 ++- .../java/CHIPDeviceController-JNI.cpp | 6 ++ .../DefaultDeviceAttestationVerifier.cpp | 100 ++++++++++++------ .../DefaultDeviceAttestationVerifier.h | 10 +- 6 files changed, 100 insertions(+), 42 deletions(-) diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp index 8b28896a701d44..612001c1797d96 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.cpp +++ b/src/controller/java/AndroidDeviceControllerWrapper.cpp 
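Review bot: Making `DefaultDACVerifier() {}` public in the `@@ -41,10 +41,18` hunk exposes a constructor that leaves `mAttestationTrustStore` without an initializer, and with `mUseLocalPAARootStore` defaulting to `true` the first verification dereferences it in `GetProductAttestationAuthorityCert`. Give the member a default, `const AttestationTrustStore * mAttestationTrustStore = nullptr;`, and have `VerifyAttestationInformation` exit with `kPaaNotFound` when it is null and the local store is enabled. The getters should be `const` (`bool GetUseLocalPAARootStore() const { return mUseLocalPAARootStore; }`), and each setter needs a doc comment listing the checks it disables, since a reader of `SetUseLocalCSAStore(false)` cannot otherwise tell it switches off CD signature verification. The same hunk appears again in PATCH 2/8.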
@@ -127,11 +127,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( chip::Controller::AndroidOperationalCredentialsIssuer * opCredsIssuer = wrapper->mOpCredsIssuer.get(); - // Initialize device attestation verifier - // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available - const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore(); - SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore)); - chip::Controller::FactoryInitParams initParams; chip::Controller::SetupParams setupParams; @@ -148,6 +143,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( setupParams.pairingDelegate = wrapper.get(); setupParams.operationalCredentialsDelegate = opCredsIssuer; setupParams.defaultCommissioner = &wrapper->mAutoCommissioner; + setupParams.deviceAttestationVerifier = &wrapper->mDACVerifier; initParams.fabricIndependentStorage = wrapperStorage; wrapper->mGroupDataProvider.SetStorageDelegate(wrapperStorage); diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h index 77f9a6d735cc25..cafe02d52cea6f 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.h +++ b/src/controller/java/AndroidDeviceControllerWrapper.h @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -94,6 +95,8 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner * GetAutoCommissioner() { return &mAutoCommissioner; } + chip::Credentials::DefaultDACVerifier * GetDACVerifier() { return &mDACVerifier; } + const chip::Controller::CommissioningParameters & GetCommissioningParameters() const { return mAutoCommissioner.GetCommissioningParameters(); 
@@ -175,6 +178,9 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner mAutoCommissioner; + // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available + chip::Credentials::DefaultDACVerifier mDACVerifier{ chip::Credentials::GetTestAttestationTrustStore() }; + AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) : mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer)) {} diff --git a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp index aa54ae1d4c1336..249921ae17c923 100644 --- a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp +++ b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp @@ -151,7 +151,7 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan } CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, - const ByteSpan & csrSignature, + const ByteSpan & csrElementsSignature, const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI, Callback::Callback * onCompletion) @@ -177,8 +177,9 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const B jbyteArray javaCsrNonce; JniReferences::GetInstance().N2J_ByteArray(env, csrNonce.data(), csrNonce.size(), javaCsrNonce); - jbyteArray javaCsrSignature; - JniReferences::GetInstance().N2J_ByteArray(env, csrSignature.data(), csrSignature.size(), javaCsrSignature); + jbyteArray javaCsrElementsSignature; + JniReferences::GetInstance().N2J_ByteArray(env, csrElementsSignature.data(), csrElementsSignature.size(), + javaCsrElementsSignature); ChipLogProgress(Controller, "Parsing Certificate Signing Request"); TLVReader reader; 
@@ -202,8 +203,13 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::CallbackGenerateNOCChain(const B jbyteArray javaCsr; JniReferences::GetInstance().N2J_ByteArray(env, csr.data(), csr.size(), javaCsr); + P256PublicKey pubkey; + ReturnErrorOnFailure(VerifyCertificateSigningRequest(csr.data(), csr.size(), pubkey)); + // TODO: verify signed by DAC creds? + ChipLogProgress(chipTool, "VerifyCertificateSigningRequest"); + jobject csrInfo; - err = N2J_CSRInfo(env, javaCsrNonce, javaCsrElements, javaCsrSignature, javaCsr, csrInfo); + err = N2J_CSRInfo(env, javaCsrNonce, javaCsrElements, javaCsrElementsSignature, javaCsr, csrInfo); if (err != CHIP_NO_ERROR) { ChipLogError(Controller, "Failed to create CSRInfo"); diff --git a/src/controller/java/CHIPDeviceController-JNI.cpp b/src/controller/java/CHIPDeviceController-JNI.cpp index 420a17e20160f8..2f997c69ed1217 100644 --- a/src/controller/java/CHIPDeviceController-JNI.cpp +++ b/src/controller/java/CHIPDeviceController-JNI.cpp @@ -541,6 +541,12 @@ JNI_METHOD(void, setUseJavaCallbackForNOCRequest) AndroidDeviceControllerWrapper * wrapper = AndroidDeviceControllerWrapper::FromJNIHandle(handle); wrapper->GetAndroidOperationalCredentialsIssuer()->SetUseJavaCallbackForNOCRequest(useCallback); + + // disable the local PAA Root store since we will be performing validation in the callback + wrapper->GetDACVerifier()->SetUseLocalPAARootStore(!useCallback); + + // disable the local CSA store since we will be performing validation in the callback + wrapper->GetDACVerifier()->SetUseLocalCSAStore(!useCallback); } JNI_METHOD(void, updateCommissioningNetworkCredentials) diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp index 518ebc2eb8f6f8..699a1c89965742 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp 
@@ -158,6 +158,11 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer AttestationCertVidPid paiVidPid; AttestationCertVidPid paaVidPid; + DeviceInfoForAttestation deviceInfo{ + .vendorId = info.vendorId, + .productId = info.productId, + }; + VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && !info.attestationNonceBuffer.empty() && onCompletion != nullptr, @@ -200,8 +205,7 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer } { - uint8_t akidBuf[Crypto::kAuthorityKeyIdentifierLength]; - MutableByteSpan akid(akidBuf); + MutableByteSpan akid(deviceInfo.paaSKID); constexpr size_t paaCertAllocatedLen = kMaxDERCertLength; VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, 
@@ -209,20 +213,28 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); - paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); - VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaNotFound); + if (mUseLocalPAARootStore) + { + paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); + VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaNotFound); + + VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + if (paaVidPid.mVendorId.HasValue()) + { + VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, + attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + } - if (paaVidPid.mVendorId.HasValue()) + VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } + else { - VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, - attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + ChipLogProgress( + Support, "DefaultDACVerifier::VerifyAttestationInformation skipping vid-scoped PAA check - PAARootStore disabled"); } - - VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); } #if !defined(CURRENT_TIME_NOT_IMPLEMENTED) 
@@ -237,11 +249,19 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer attestationError = AttestationVerificationResult::kPaaExpired); CertificateChainValidationResult chainValidationResult; - VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), - info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), - chainValidationResult) == CHIP_NO_ERROR, - attestationError = MapError(chainValidationResult)); + if (mUseLocalPAARootStore) + { + VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), + info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), + chainValidationResult) == CHIP_NO_ERROR, + attestationError = MapError(chainValidationResult)); + } + else + { + ChipLogProgress(Support, + "DefaultDACVerifier::VerifyAttestationInformation skipping cert chain validation - PAARootStore disabled"); + } { ByteSpan certificationDeclarationSpan; ByteSpan attestationNonceSpan; 
@@ -250,21 +270,26 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer DeviceAttestationVendorReservedDeconstructor vendorReserved; ByteSpan certificationDeclarationPayload; - DeviceInfoForAttestation deviceInfo{ - .vendorId = info.vendorId, - .productId = info.productId, - .dacVendorId = dacVidPid.mVendorId.Value(), - .dacProductId = dacVidPid.mProductId.Value(), - .paiVendorId = paiVidPid.mVendorId.Value(), - .paiProductId = paiVidPid.mProductId.ValueOr(0), - .paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified), - }; + deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); + deviceInfo.dacProductId = dacVidPid.mProductId.Value(); + deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); + deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); + deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); - MutableByteSpan paaSKID(deviceInfo.paaSKID); - VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + if (mUseLocalPAARootStore) + { + MutableByteSpan paaSKID(deviceInfo.paaSKID); + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } + else + { + ChipLogProgress( + Support, + "DefaultDACVerifier::VerifyAttestationInformation skipping PAA subject key id extraction - PAARootStore disabled"); + } VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, 
@@ -275,8 +300,19 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), attestationError = AttestationVerificationResult::kAttestationNonceMismatch); - attestationError = ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + if (mUseLocalCSAStore) + { + attestationError = + ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + } + else + { + ChipLogProgress( + Support, "DefaultDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled"); + VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h index 99f2fb5f2b85ae..6c61be285f586d 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h 
@@ -41,10 +41,18 @@ class DefaultDACVerifier : public DeviceAttestationVerifier const ByteSpan & attestationSignatureBuffer, const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override; -protected: + bool GetUseLocalPAARootStore() { return mUseLocalPAARootStore; } + void SetUseLocalPAARootStore(bool useLocalPAARootStore) { mUseLocalPAARootStore = useLocalPAARootStore; } + + bool GetUseLocalCSAStore() { return mUseLocalCSAStore; } + void SetUseLocalCSAStore(bool useLocalCSAStore) { mUseLocalCSAStore = useLocalCSAStore; } + DefaultDACVerifier() {} +protected: const AttestationTrustStore * mAttestationTrustStore; + bool mUseLocalPAARootStore = true; + bool mUseLocalCSAStore = true; }; /** From a253ab24a5ab77ef3fa9f286cff7b6137c7dd658 Mon Sep 17 00:00:00 2001 From: chrisdecenzo Date: Thu, 11 Aug 2022 20:45:33 -0700 Subject: [PATCH 3/8] Move cloud attestation to a separate class, re-structure default attestation verification logic to allow cloud verifier to leverage it --- src/controller/CHIPDeviceController.h | 5 + .../java/AndroidDeviceControllerWrapper.cpp | 6 +- .../java/AndroidDeviceControllerWrapper.h | 7 +- .../java/CHIPDeviceController-JNI.cpp | 15 +- src/credentials/BUILD.gn | 2 + .../CloudDeviceAttestationVerifier.cpp | 169 ++++++++++ .../CloudDeviceAttestationVerifier.h | 52 +++ .../DefaultDeviceAttestationVerifier.cpp | 302 ++++++++++-------- .../DefaultDeviceAttestationVerifier.h | 32 +- 9 files changed, 435 insertions(+), 155 deletions(-) create mode 100644 src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp create mode 100644 src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h diff --git a/src/controller/CHIPDeviceController.h b/src/controller/CHIPDeviceController.h index 2f9734816cae4e..5ffe5e14c24e9c 100644 --- a/src/controller/CHIPDeviceController.h +++ b/src/controller/CHIPDeviceController.h 
@@ -670,6 +670,11 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController, CHIP_ERROR IssueNOCChain(const ByteSpan & NOCSRElements, NodeId nodeId, chip::Callback::Callback * callback); + void SetDeviceAttestationVerifier(Credentials::DeviceAttestationVerifier * deviceAttestationVerifier) + { + mDeviceAttestationVerifier = deviceAttestationVerifier; + } + private: DevicePairingDelegate * mPairingDelegate; diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp index 612001c1797d96..8b28896a701d44 100644 --- a/src/controller/java/AndroidDeviceControllerWrapper.cpp +++ b/src/controller/java/AndroidDeviceControllerWrapper.cpp @@ -127,6 +127,11 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( chip::Controller::AndroidOperationalCredentialsIssuer * opCredsIssuer = wrapper->mOpCredsIssuer.get(); + // Initialize device attestation verifier + // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available + const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore(); + SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore)); + chip::Controller::FactoryInitParams initParams; chip::Controller::SetupParams setupParams; @@ -143,7 +148,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew( setupParams.pairingDelegate = wrapper.get(); setupParams.operationalCredentialsDelegate = opCredsIssuer; setupParams.defaultCommissioner = &wrapper->mAutoCommissioner; - setupParams.deviceAttestationVerifier = &wrapper->mDACVerifier; initParams.fabricIndependentStorage = wrapperStorage; wrapper->mGroupDataProvider.SetStorageDelegate(wrapperStorage); diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h index cafe02d52cea6f..e103709ff06733 100644 
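Review bot: The new public `SetDeviceAttestationVerifier` stores a raw pointer with no statement of ownership or lifetime and no null guard, and because it is callable at any time it can swap the verification policy under a commissioning that is already in progress. A comment saying the pointee is non-owned, must outlive the commissioner, and should only be changed between commissioning sessions would help; if null is never a valid argument, `VerifyOrReturn(deviceAttestationVerifier != nullptr);` as the first line rejects the misuse instead of storing it. The rest of the DeviceCommissioner class is outside the hunk.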
--- a/src/controller/java/AndroidDeviceControllerWrapper.h +++ b/src/controller/java/AndroidDeviceControllerWrapper.h @@ -26,7 +26,7 @@ #include #include #include -#include +#include #include #include #include @@ -95,7 +95,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner * GetAutoCommissioner() { return &mAutoCommissioner; } - chip::Credentials::DefaultDACVerifier * GetDACVerifier() { return &mDACVerifier; } + chip::Credentials::CloudDACVerifier * GetCloudDACVerifier() { return &mCloudDACVerifier; } const chip::Controller::CommissioningParameters & GetCommissioningParameters() const { @@ -178,8 +178,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel chip::Controller::AutoCommissioner mAutoCommissioner; - // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available - chip::Credentials::DefaultDACVerifier mDACVerifier{ chip::Credentials::GetTestAttestationTrustStore() }; + chip::Credentials::CloudDACVerifier mCloudDACVerifier; AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) : mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer)) diff --git a/src/controller/java/CHIPDeviceController-JNI.cpp b/src/controller/java/CHIPDeviceController-JNI.cpp index 2f997c69ed1217..7b7575ef92ae85 100644 --- a/src/controller/java/CHIPDeviceController-JNI.cpp +++ b/src/controller/java/CHIPDeviceController-JNI.cpp 
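Review bot: `GetCloudDACVerifier()` hands out a verifier that, per the CloudDACVerifier implementation in this series, performs no PAA lookup, no certificate-chain validation and no CD signature check, yet neither the accessor nor the `mCloudDACVerifier` member says so; the TODO about the test root store was removed together with `mDACVerifier`, so the header now carries no hint that attestation is only partially verified locally. Suggest a comment on the member such as `// Performs DAC/PAI parsing and attestation-signature checks only; chain and CD validation are delegated to the Java callback` so readers of this wrapper do not assume full verification. The enclosing class is cut by the hunks.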
@@ -542,11 +542,16 @@ JNI_METHOD(void, setUseJavaCallbackForNOCRequest) wrapper->GetAndroidOperationalCredentialsIssuer()->SetUseJavaCallbackForNOCRequest(useCallback); - // disable the local PAA Root store since we will be performing validation in the callback - wrapper->GetDACVerifier()->SetUseLocalPAARootStore(!useCallback); - - // disable the local CSA store since we will be performing validation in the callback - wrapper->GetDACVerifier()->SetUseLocalCSAStore(!useCallback); + if (useCallback) + { + // if we are assigning a callback, then make the device commissioner delegate verification to the cloud + wrapper->Controller()->SetDeviceAttestationVerifier(wrapper->GetCloudDACVerifier()); + } + else + { + // if we are setting callback to null, then make the device commissioner use the default verifier + wrapper->Controller()->SetDeviceAttestationVerifier(GetDeviceAttestationVerifier()); + } } JNI_METHOD(void, updateCommissioningNetworkCredentials) diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn index ad809326b892d2..5e32ec1ccad6af 100644 --- a/src/credentials/BUILD.gn +++ b/src/credentials/BUILD.gn @@ -94,6 +94,8 @@ static_library("default_attestation_verifier") { output_name = "libDefaultAttestationVerifier" sources = [ + "attestation_verifier/CloudDeviceAttestationVerifier.cpp", + "attestation_verifier/CloudDeviceAttestationVerifier.h", "attestation_verifier/DefaultDeviceAttestationVerifier.cpp", "attestation_verifier/DefaultDeviceAttestationVerifier.h", "attestation_verifier/DeviceAttestationDelegate.h", diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp new file mode 100644 index 00000000000000..52c7ac2dc280e4 --- /dev/null +++ b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp 
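Review bot: A single flag named for NOC-request handling (`setUseJavaCallbackForNOCRequest`) now also decides whether device attestation is checked locally or handed to the `CloudDACVerifier`, which skips chain and CD validation; a caller that sets the callback only to issue NOCs silently weakens attestation without any API signal. Either split the attestation switch into its own JNI method or document the coupling at the call site, e.g. `// NOTE: enabling the Java callback also delegates DAC chain / CD verification to Java; the callback MUST perform it`. The fallback `GetDeviceAttestationVerifier()` in the else branch is the process-wide verifier; it is presumably installed in AllocateNew, but nothing here checks that it is non-null before it is handed to the commissioner. The JNI method's body begins outside this hunk.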
@@ -0,0 +1,169 @@
+/*
+ *
+ * Copyright (c) 2021-2022 Project CHIP Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "CloudDeviceAttestationVerifier.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+using namespace chip::Crypto;
+
+namespace chip {
+namespace Credentials {
+
+// As per specifications section 11.22.5.1. Constant RESP_MAX
+constexpr size_t kMaxResponseLength = 900;
+
+AttestationVerificationResult CloudDACVerifier::CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info,
+ DeviceInfoForAttestation & deviceInfo,
+ Platform::ScopedMemoryBuffer & paaCert,
+ MutableByteSpan & paaDerBuffer, AttestationCertVidPid & paaVidPid,
+ AttestationCertVidPid & paiVidPid)
+{
+ AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
+ MutableByteSpan akid(deviceInfo.paaSKID);
+
+ VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR,
+ attestationError = AttestationVerificationResult::kPaiFormatInvalid);
+
+ ChipLogProgress(Support, "CloudDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled");
+
+exit:
+ return attestationError;
+}
+
+AttestationVerificationResult CloudDACVerifier::CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info,
+ MutableByteSpan & paaDerBuffer)
+{
+ AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
+
+#if !defined(CURRENT_TIME_NOT_IMPLEMENTED)
+ VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR,
+ attestationError = AttestationVerificationResult::kDacExpired);
+#endif
+
+ VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer) == CHIP_NO_ERROR,
+ attestationError = AttestationVerificationResult::kPaiExpired);
+
+ ChipLogProgress(Support, "CloudDACVerifier::CheckCertTimes skipping PAA expiry check - PAARootStore disabled");
+
+exit:
+ return attestationError;
+}
+
+AttestationVerificationResult CloudDACVerifier::CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info,
+ MutableByteSpan & paaDerBuffer)
+{
+ ChipLogProgress(Support, "CloudDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled");
+
+ return AttestationVerificationResult::kSuccess;
+}
+
+AttestationVerificationResult
+CloudDACVerifier::CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info, MutableByteSpan & paaDerBuffer,
+ AttestationCertVidPid & dacVidPid, AttestationCertVidPid & paiVidPid,
+ AttestationCertVidPid & paaVidPid, DeviceInfoForAttestation & deviceInfo)
+{
+ AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
+
+ ByteSpan certificationDeclarationSpan;
+ ByteSpan attestationNonceSpan;
+ uint32_t timestampDeconstructed;
+ ByteSpan firmwareInfoSpan;
+ DeviceAttestationVendorReservedDeconstructor vendorReserved;
+ ByteSpan certificationDeclarationPayload;
+
+ deviceInfo.dacVendorId = dacVidPid.mVendorId.Value();
+ deviceInfo.dacProductId = dacVidPid.mProductId.Value();
+ deviceInfo.paiVendorId = paiVidPid.mVendorId.Value();
+ deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0);
+ deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified);
+
+ VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan,
+ timestampDeconstructed, firmwareInfoSpan, vendorReserved) == CHIP_NO_ERROR,
+ attestationError = AttestationVerificationResult::kAttestationElementsMalformed);
+
+ // Verify that Nonce matches with what we sent
+ VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer),
+ attestationError = AttestationVerificationResult::kAttestationNonceMismatch);
+
+ ChipLogProgress(Support, "CloudDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled");
+ VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR,
+ attestationError = AttestationVerificationResult::kPaaFormatInvalid);
+
+ attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+exit:
+ return attestationError;
+}
+
+void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
+ Callback::Callback * onCompletion)
+{
+ AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
+
+ Platform::ScopedMemoryBuffer paaCert;
+ MutableByteSpan paaDerBuffer;
+ AttestationCertVidPid dacVidPid;
+ AttestationCertVidPid paiVidPid;
+ AttestationCertVidPid paaVidPid;
+
+ DeviceInfoForAttestation deviceInfo{
+ .vendorId = info.vendorId,
+ .productId = info.productId,
+ };
+
+ VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() &&
+ !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() &&
+ !info.attestationNonceBuffer.empty() && onCompletion != nullptr,
+ attestationError = AttestationVerificationResult::kInvalidArgument);
+
+ VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength,
+ attestationError = AttestationVerificationResult::kInvalidArgument);
+
+ attestationError = CheckDacPaiVidPids(info, dacVidPid, paiVidPid);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+ attestationError = CheckAttestationSignature(info);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+ attestationError = CheckPAA(info, deviceInfo, paaCert, paaDerBuffer, paaVidPid, paiVidPid);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+ attestationError = CheckCertTimes(info, paaDerBuffer);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+ attestationError = CheckCertChain(info, paaDerBuffer);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+ attestationError = CheckCertDeclaration(info, paaDerBuffer, dacVidPid, paiVidPid, paaVidPid, deviceInfo);
+ VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
+
+exit:
+ onCompletion->mCall(onCompletion->mContext, attestationError); // TODO: is this check getting done?
+}
+
+} // namespace Credentials
+} // namespace chip
diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
new file mode 100644
index 00000000000000..6f0a04639b4ae3
--- /dev/null
+++ b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
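Review bot: In CloudDACVerifier::VerifyAttestationInformation the `onCompletion != nullptr` test is folded into a `VerifyOrExit`, so a null callback jumps to `exit:` and is immediately dereferenced by `onCompletion->mCall(...)` — the TODO on that line is right to doubt the check. Hoist it: `VerifyOrReturn(onCompletion != nullptr);` before the argument checks and drop `&& onCompletion != nullptr` from the condition; DefaultDACVerifier::VerifyAttestationInformation in the hunk ending at L37 has the same shape. CheckCertDeclaration logs under the name `VerifyAttestationInformation`, a copy-paste leftover that will mislead anyone correlating logs with the new step functions. More importantly, CheckCertChain returns kSuccess without checking that the DAC is signed by the presented PAI, so the DAC key consumed by CheckAttestationSignature is bound to nothing locally; a comment at the top of this file should list exactly which checks are deferred (PAA lookup, full chain including the DAC–PAI signature, PAA validity period, CD signature) so the remote verifier is known to cover every one of them.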
@@ -0,0 +1,52 @@
+/*
+ *
+ * Copyright (c) 2021 Project CHIP Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#pragma once
+
+#include
+
+namespace chip {
+namespace Credentials {
+
+class CloudDACVerifier : public DefaultDACVerifier
+{
+public:
+ CloudDACVerifier() {}
+
+ void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
+ Callback::Callback * onCompletion) override;
+
+protected:
+ AttestationVerificationResult CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info,
+ DeviceInfoForAttestation & deviceInfo, Platform::ScopedMemoryBuffer & paaCert,
+ MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & paaVidPid,
+ Crypto::AttestationCertVidPid & paiVidPid);
+
+ AttestationVerificationResult CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info,
+ MutableByteSpan & paaDerBuffer);
+
+ AttestationVerificationResult CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info,
+ MutableByteSpan & paaDerBuffer);
+
+ AttestationVerificationResult CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info,
+ MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & dacVidPid,
+ Crypto::AttestationCertVidPid & paiVidPid,
+ Crypto::AttestationCertVidPid & paaVidPid,
+ DeviceInfoForAttestation & deviceInfo);
+};
+
+} // namespace Credentials
+} // namespace chip
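Review bot: The four `Check*` members declared here hide, rather than override, the same-named non-virtual protected members of DefaultDACVerifier (declared in the header hunk at L38), so nothing ties the two sets of signatures together and a later change to a base signature would silently leave the derived copy unused by any base-class caller. If the design is that subclasses replace individual steps, declare them `virtual` in DefaultDACVerifier and mark these `override`; if not, the derived class should not reuse the base names. The class also carries no comment describing its contract, and the name alone does not convey that local checks are reduced; a header note such as `/// Verifier that only parses the DAC/PAI and checks the attestation signature locally; PAA lookup, chain validation and CD signature verification are expected to be performed out of process` is needed for anyone instantiating it.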
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp index 699a1c89965742..f8689549aeb365 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp 
@@ -147,95 +147,93 @@ CHIP_ERROR GetCertificationDeclarationCertificate(const ByteSpan & skid, Mutable } // namespace -void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info, - Callback::Callback * onCompletion) +// match DAC and PAI VIDs +AttestationVerificationResult DefaultDACVerifier::CheckDacPaiVidPids(const DeviceAttestationVerifier::AttestationInfo & info, + AttestationCertVidPid & dacVidPid, + AttestationCertVidPid & paiVidPid) { AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - Platform::ScopedMemoryBuffer paaCert; - MutableByteSpan paaDerBuffer; - AttestationCertVidPid dacVidPid; - AttestationCertVidPid paiVidPid; - AttestationCertVidPid paaVidPid; + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); + VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId, + attestationError = AttestationVerificationResult::kDacVendorIdMismatch); + VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kDacProductIdMismatch); + if (paiVidPid.mProductId.HasValue()) + { + VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId, + attestationError = AttestationVerificationResult::kDacProductIdMismatch); + } +exit: + return attestationError; +} - DeviceInfoForAttestation deviceInfo{ - .vendorId = info.vendorId, - .productId = info.productId, - }; +AttestationVerificationResult DefaultDACVerifier::CheckAttestationSignature(const DeviceAttestationVerifier::AttestationInfo & info) +{ + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; + P256PublicKey remoteManufacturerPubkey; + P256ECDSASignature 
deviceSignature; - VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && - !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && - !info.attestationNonceBuffer.empty() && onCompletion != nullptr, - attestationError = AttestationVerificationResult::kInvalidArgument); + VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); - VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, - attestationError = AttestationVerificationResult::kInvalidArgument); + // Validate overall attestation signature on attestation information + // SetLength will fail if signature doesn't fit + VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationSignatureInvalidFormat); + memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size()); + VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer, + info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationSignatureInvalid); +exit: + return attestationError; +} - // match DAC and PAI VIDs - { - VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kDacFormatInvalid); - VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiFormatInvalid); - VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId, - attestationError = AttestationVerificationResult::kDacVendorIdMismatch); - VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = 
AttestationVerificationResult::kDacProductIdMismatch); - if (paiVidPid.mProductId.HasValue()) - { - VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId, - attestationError = AttestationVerificationResult::kDacProductIdMismatch); - } - } +AttestationVerificationResult DefaultDACVerifier::CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info, + DeviceInfoForAttestation & deviceInfo, + Platform::ScopedMemoryBuffer & paaCert, + MutableByteSpan & paaDerBuffer, AttestationCertVidPid & paaVidPid, + AttestationCertVidPid & paiVidPid) +{ + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; + MutableByteSpan paaSKID(deviceInfo.paaSKID); + MutableByteSpan akid(deviceInfo.paaSKID); + constexpr size_t paaCertAllocatedLen = kMaxDERCertLength; - { - P256PublicKey remoteManufacturerPubkey; - P256ECDSASignature deviceSignature; - - VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kDacFormatInvalid); - - // Validate overall attestation signature on attestation information - // SetLength will fail if signature doesn't fit - VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationSignatureInvalidFormat); - memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size()); - VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer, - info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationSignatureInvalid); - } + VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); - { - MutableByteSpan akid(deviceInfo.paaSKID); - constexpr size_t paaCertAllocatedLen = 
kMaxDERCertLength; + VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); - VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiFormatInvalid); + paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); + VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaNotFound); - VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); + VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); - if (mUseLocalPAARootStore) - { - paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); - VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaNotFound); + if (paaVidPid.mVendorId.HasValue()) + { + VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, + attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + } - VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); - if (paaVidPid.mVendorId.HasValue()) - { - VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, - attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); - } + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), attestationError = 
AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); - } - else - { - ChipLogProgress( - Support, "DefaultDACVerifier::VerifyAttestationInformation skipping vid-scoped PAA check - PAARootStore disabled"); - } - } +exit: + return attestationError; +} + +AttestationVerificationResult DefaultDACVerifier::CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info, + MutableByteSpan & paaDerBuffer) +{ + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; #if !defined(CURRENT_TIME_NOT_IMPLEMENTED) VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR, 
@@ -248,75 +246,105 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, paaDerBuffer) == CHIP_NO_ERROR, attestationError = AttestationVerificationResult::kPaaExpired); +exit: + return attestationError; +} + +AttestationVerificationResult DefaultDACVerifier::CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info, + MutableByteSpan & paaDerBuffer) +{ + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; CertificateChainValidationResult chainValidationResult; - if (mUseLocalPAARootStore) - { - VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), - info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), - chainValidationResult) == CHIP_NO_ERROR, - attestationError = MapError(chainValidationResult)); - } - else - { - ChipLogProgress(Support, - "DefaultDACVerifier::VerifyAttestationInformation skipping cert chain validation - PAARootStore disabled"); - } - { - ByteSpan certificationDeclarationSpan; - ByteSpan attestationNonceSpan; - uint32_t timestampDeconstructed; - ByteSpan firmwareInfoSpan; - DeviceAttestationVendorReservedDeconstructor vendorReserved; - ByteSpan certificationDeclarationPayload; - - deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); - deviceInfo.dacProductId = dacVidPid.mProductId.Value(); - deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); - deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); - deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); - - if (mUseLocalPAARootStore) - { - MutableByteSpan paaSKID(deviceInfo.paaSKID); - VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), - attestationError = 
AttestationVerificationResult::kPaaFormatInvalid); - } - else - { - ChipLogProgress( - Support, - "DefaultDACVerifier::VerifyAttestationInformation skipping PAA subject key id extraction - PAARootStore disabled"); - } + VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), + info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), + chainValidationResult) == CHIP_NO_ERROR, + attestationError = MapError(chainValidationResult)); - VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, - attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, - vendorReserved) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationElementsMalformed); +exit: + return attestationError; +} - // Verify that Nonce matches with what we sent - VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), - attestationError = AttestationVerificationResult::kAttestationNonceMismatch); +AttestationVerificationResult +DefaultDACVerifier::CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info, MutableByteSpan & paaDerBuffer, + AttestationCertVidPid & dacVidPid, AttestationCertVidPid & paiVidPid, + AttestationCertVidPid & paaVidPid, DeviceInfoForAttestation & deviceInfo) +{ + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - if (mUseLocalCSAStore) - { - attestationError = - ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - } - else - { - ChipLogProgress( - Support, "DefaultDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled"); - VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR, - 
attestationError = AttestationVerificationResult::kPaaFormatInvalid); - } + ByteSpan certificationDeclarationSpan; + ByteSpan attestationNonceSpan; + uint32_t timestampDeconstructed; + ByteSpan firmwareInfoSpan; + DeviceAttestationVendorReservedDeconstructor vendorReserved; + ByteSpan certificationDeclarationPayload; - attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - } + deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); + deviceInfo.dacProductId = dacVidPid.mProductId.Value(); + deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); + deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); + deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); + + VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, + timestampDeconstructed, firmwareInfoSpan, vendorReserved) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationElementsMalformed); + + // Verify that Nonce matches with what we sent + VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), + attestationError = AttestationVerificationResult::kAttestationNonceMismatch); + + attestationError = ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); +exit: + return attestationError; +} + +void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & 
info, + Callback::Callback * onCompletion) +{ + ChipLogProgress(Support, "---------------------------DefaultDACVerifier::VerifyAttestationInformation"); + + AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; + + Platform::ScopedMemoryBuffer paaCert; + MutableByteSpan paaDerBuffer; + AttestationCertVidPid dacVidPid; + AttestationCertVidPid paiVidPid; + AttestationCertVidPid paaVidPid; + + DeviceInfoForAttestation deviceInfo{ + .vendorId = info.vendorId, + .productId = info.productId, + }; + + VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && + !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && + !info.attestationNonceBuffer.empty() && onCompletion != nullptr, + attestationError = AttestationVerificationResult::kInvalidArgument); + + VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, + attestationError = AttestationVerificationResult::kInvalidArgument); + + attestationError = CheckDacPaiVidPids(info, dacVidPid, paiVidPid); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = CheckAttestationSignature(info); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = CheckPAA(info, deviceInfo, paaCert, paaDerBuffer, paaVidPid, paiVidPid); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = CheckCertTimes(info, paaDerBuffer); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = CheckCertChain(info, paaDerBuffer); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + + attestationError = CheckCertDeclaration(info, 
paaDerBuffer, dacVidPid, paiVidPid, paaVidPid, deviceInfo); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); exit: onCompletion->mCall(onCompletion->mContext, attestationError); diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h index 6c61be285f586d..bb6ee77677d851 100644 --- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h +++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h @@ -17,6 +17,7 @@ #pragma once #include +#include namespace chip { namespace Credentials { 
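Review bot: The `ChipLogProgress(Support, "---------------------------DefaultDACVerifier::VerifyAttestationInformation");` line at the top of the rewritten VerifyAttestationInformation is a debugging banner and should be removed before merge. `CheckCertDeclaration` takes `paaDerBuffer` but never reads it; dropping the unused parameter here and in the CloudDACVerifier copy keeps the step signatures honest about what each step consumes. The `onCompletion` null check that jumps to an `exit:` which dereferences it is raised in the CloudDACVerifier note at L25 and applies to this function as well.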
@@ -41,18 +42,33 @@ class DefaultDACVerifier : public DeviceAttestationVerifier const ByteSpan & attestationSignatureBuffer, const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override; - bool GetUseLocalPAARootStore() { return mUseLocalPAARootStore; } - void SetUseLocalPAARootStore(bool useLocalPAARootStore) { mUseLocalPAARootStore = useLocalPAARootStore; } - - bool GetUseLocalCSAStore() { return mUseLocalCSAStore; } - void SetUseLocalCSAStore(bool useLocalCSAStore) { mUseLocalCSAStore = useLocalCSAStore; } - DefaultDACVerifier() {} protected: + AttestationVerificationResult CheckDacPaiVidPids(const DeviceAttestationVerifier::AttestationInfo & info, + Crypto::AttestationCertVidPid & dacVidPid, + Crypto::AttestationCertVidPid & paiVidPid); + + AttestationVerificationResult CheckAttestationSignature(const DeviceAttestationVerifier::AttestationInfo & info); + + AttestationVerificationResult CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info, + DeviceInfoForAttestation & deviceInfo, Platform::ScopedMemoryBuffer & paaCert, + MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & paaVidPid, + Crypto::AttestationCertVidPid & paiVidPid); + + AttestationVerificationResult CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info, + MutableByteSpan & paaDerBuffer); + + AttestationVerificationResult CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info, + MutableByteSpan & paaDerBuffer); + + AttestationVerificationResult CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info, + MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & dacVidPid, + Crypto::AttestationCertVidPid & paiVidPid, + Crypto::AttestationCertVidPid & paaVidPid, + DeviceInfoForAttestation & deviceInfo); + const AttestationTrustStore * mAttestationTrustStore; - bool mUseLocalPAARootStore = true; - bool mUseLocalCSAStore = true; }; /** From 08b9a47e0246fc6d0e5029eebe2753b8d908295f Mon Sep 17 00:00:00 2001 
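Review bot: The six protected helpers added to DefaultDACVerifier (CheckDacPaiVidPids through CheckCertDeclaration) are non-virtual, so a subclass that redeclares them with the same signatures — as the CloudDACVerifier header seen removed later in this series did — hides rather than overrides them, and VerifyAttestationInformation then calls whichever set belongs to the class whose body it sits in; that only works because both classes override the entry point. If they are meant as customization points, declare them `virtual` and mark the subclass ones `override`; if not, say in a comment that they are implementation detail not to be shadowed. Each helper also lacks a one-line comment naming the check it performs and which of its reference parameters it fills in (`paaDerBuffer`, `paaVidPid`, `deviceInfo`), since out-parameters and read-only inputs are indistinguishable in these signatures.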
From: chrisdecenzo
Date: Thu, 11 Aug 2022 20:55:02 -0700
Subject: [PATCH 4/8] straggler
---
src/controller/java/AndroidDeviceControllerWrapper.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp
index 612001c1797d96..8b28896a701d44 100644
--- a/src/controller/java/AndroidDeviceControllerWrapper.cpp
+++ b/src/controller/java/AndroidDeviceControllerWrapper.cpp
@@ -127,6 +127,11 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
chip::Controller::AndroidOperationalCredentialsIssuer * opCredsIssuer = wrapper->mOpCredsIssuer.get();
+ // Initialize device attestation verifier
+ // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available
+ const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore();
+ SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore));
+
chip::Controller::FactoryInitParams initParams;
chip::Controller::SetupParams setupParams;
@@ -143,7 +148,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
setupParams.pairingDelegate = wrapper.get();
setupParams.operationalCredentialsDelegate = opCredsIssuer;
setupParams.defaultCommissioner = &wrapper->mAutoCommissioner;
- setupParams.deviceAttestationVerifier = &wrapper->mDACVerifier;
initParams.fabricIndependentStorage = wrapperStorage;
wrapper->mGroupDataProvider.SetStorageDelegate(wrapperStorage);
From c87bfd0200bfe3ee0085de47dbf0338bf70a6e87 Mon Sep 17 00:00:00 2001
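Review bot: The re-added `SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore))` installs a process-wide verifier whose trust anchors come from `GetTestAttestationTrustStore()`, which by its name holds test PAAs, so on this controller a device whose chain ends in a test PAA is accepted as attested; the TODO says the store should be replaced but not what the current one implies. Suggest stating that in the comment and tying the call to a debug/test build configuration instead of leaving it unconditional, e.g. `// TODO: Replace testingRootStore ... — until then attestation on this controller trusts the test PAAs; keep this out of production builds`. The second hunk removes the per-controller `setupParams.deviceAttestationVerifier` wiring from PATCH 1/8, so it is not visible from this patch which verifier the commissioner ends up consulting; a one-line comment naming it would help.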
From: chrisdecenzo
Date: Fri, 12 Aug 2022 07:27:35 -0700
Subject: [PATCH 5/8] address feedback
---
.../CloudDeviceAttestationVerifier.cpp | 180 ++++++------
.../CloudDeviceAttestationVerifier.h | 16 --
.../DefaultDeviceAttestationVerifier.cpp | 262 +++++++-----------
.../DefaultDeviceAttestationVerifier.h | 23 --
4 files changed, 180 insertions(+), 301 deletions(-)
diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp
index 52c7ac2dc280e4..785facc11506e2 100644
--- a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp
@@ -36,89 +36,6 @@ namespace Credentials { // As per specifications section 11.22.5.1. Constant RESP_MAX constexpr size_t kMaxResponseLength = 900; -AttestationVerificationResult CloudDACVerifier::CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info, - DeviceInfoForAttestation & deviceInfo, - Platform::ScopedMemoryBuffer & paaCert, - MutableByteSpan & paaDerBuffer, AttestationCertVidPid & paaVidPid, - AttestationCertVidPid & paiVidPid) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - MutableByteSpan akid(deviceInfo.paaSKID); - - VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiFormatInvalid); - - ChipLogProgress(Support, "CloudDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled"); - -exit: - return attestationError; -} - -AttestationVerificationResult CloudDACVerifier::CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info, - MutableByteSpan & paaDerBuffer) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - -#if !defined(CURRENT_TIME_NOT_IMPLEMENTED) - VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kDacExpired); -#endif - - VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiExpired); - - ChipLogProgress(Support, "CloudDACVerifier::CheckCertTimes skipping PAA expiry check - PAARootStore disabled"); - -exit: - return attestationError; -} - -AttestationVerificationResult CloudDACVerifier::CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info, - MutableByteSpan & paaDerBuffer) -{ - ChipLogProgress(Support, "CloudDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled"); - - return 
AttestationVerificationResult::kSuccess; -} - -AttestationVerificationResult -CloudDACVerifier::CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info, MutableByteSpan & paaDerBuffer, - AttestationCertVidPid & dacVidPid, AttestationCertVidPid & paiVidPid, - AttestationCertVidPid & paaVidPid, DeviceInfoForAttestation & deviceInfo) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - - ByteSpan certificationDeclarationSpan; - ByteSpan attestationNonceSpan; - uint32_t timestampDeconstructed; - ByteSpan firmwareInfoSpan; - DeviceAttestationVendorReservedDeconstructor vendorReserved; - ByteSpan certificationDeclarationPayload; - - deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); - deviceInfo.dacProductId = dacVidPid.mProductId.Value(); - deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); - deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); - deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); - - VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, - timestampDeconstructed, firmwareInfoSpan, vendorReserved) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationElementsMalformed); - - // Verify that Nonce matches with what we sent - VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), - attestationError = AttestationVerificationResult::kAttestationNonceMismatch); - - ChipLogProgress(Support, "CloudDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled"); - VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); - - attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); - VerifyOrExit(attestationError == 
AttestationVerificationResult::kSuccess, attestationError = attestationError); -exit: - return attestationError; -} - void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info, Callback::Callback * onCompletion) { 
@@ -143,23 +60,92 @@ void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerif VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, attestationError = AttestationVerificationResult::kInvalidArgument); - attestationError = CheckDacPaiVidPids(info, dacVidPid, paiVidPid); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - - attestationError = CheckAttestationSignature(info); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + // match DAC and PAI VIDs + { + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); + VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId, + attestationError = AttestationVerificationResult::kDacVendorIdMismatch); + VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kDacProductIdMismatch); + if (paiVidPid.mProductId.HasValue()) + { + VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId, + attestationError = AttestationVerificationResult::kDacProductIdMismatch); + } + } + + { + P256PublicKey remoteManufacturerPubkey; + P256ECDSASignature deviceSignature; + + VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); + + // Validate overall attestation signature on attestation information + // SetLength will fail if signature doesn't fit + VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR, + attestationError = 
AttestationVerificationResult::kAttestationSignatureInvalidFormat); + memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size()); + VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer, + info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationSignatureInvalid); + } + + { + MutableByteSpan akid(deviceInfo.paaSKID); + + VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); + + ChipLogProgress(Support, "CloudDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled"); + } - attestationError = CheckPAA(info, deviceInfo, paaCert, paaDerBuffer, paaVidPid, paiVidPid); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - - attestationError = CheckCertTimes(info, paaDerBuffer); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); +#if !defined(CURRENT_TIME_NOT_IMPLEMENTED) + VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacExpired); +#endif - attestationError = CheckCertChain(info, paaDerBuffer); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + ChipLogProgress(Support, "CloudDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled"); - attestationError = CheckCertDeclaration(info, paaDerBuffer, dacVidPid, paiVidPid, paaVidPid, deviceInfo); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + { + ByteSpan certificationDeclarationSpan; + ByteSpan attestationNonceSpan; + uint32_t timestampDeconstructed; + ByteSpan firmwareInfoSpan; + 
DeviceAttestationVendorReservedDeconstructor vendorReserved; + ByteSpan certificationDeclarationPayload; + + deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); + deviceInfo.dacProductId = dacVidPid.mProductId.Value(); + deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); + deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); + deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); + + MutableByteSpan paaSKID(deviceInfo.paaSKID); + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + + VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, + attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, + vendorReserved) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationElementsMalformed); + + // Verify that Nonce matches with what we sent + VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), + attestationError = AttestationVerificationResult::kAttestationNonceMismatch); + + ChipLogProgress(Support, + "CloudDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled"); + VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + + attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + } exit: onCompletion->mCall(onCompletion->mContext, attestationError); // TODO: is this check getting done? 
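Review bot: `ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID)` in the new certification-declaration block runs against a PAA buffer that nothing in this hunk fills — the block above it only extracts the PAI's AKID and logs that the PAA lookup is skipped — so unless `paaDerBuffer` is populated above the hunk (the function begins outside it) the call operates on an empty span, every verification ends in kPaaFormatInvalid, and the PAI AKID just written into `deviceInfo.paaSKID` is clobbered; the `MutableByteSpan paaSKID` declaration and its two `VerifyOrExit` lines belong only in the default verifier and should be dropped here. The inlining also lost `IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer)` with kPaiExpired, which the removed CloudDACVerifier::CheckCertTimes performed and which needs no PAA, so it should stay next to the `kDacExpired` check: `VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer) == CHIP_NO_ERROR, attestationError = AttestationVerificationResult::kPaiExpired);`. The log strings `"CloudDACVerifier::CheckPAA skipping ..."` and `"CloudDACVerifier::CheckCertChain skipping ..."` still name the deleted helpers and should refer to VerifyAttestationInformation.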
diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
index 6f0a04639b4ae3..93065071248b19 100644
--- a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
@@ -30,22 +30,6 @@ class CloudDACVerifier : public DefaultDACVerifier
Callback::Callback * onCompletion) override;
protected:
- AttestationVerificationResult CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info,
- DeviceInfoForAttestation & deviceInfo, Platform::ScopedMemoryBuffer & paaCert,
- MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & paaVidPid,
- Crypto::AttestationCertVidPid & paiVidPid);
-
- AttestationVerificationResult CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer);
-
- AttestationVerificationResult CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer);
-
- AttestationVerificationResult CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & dacVidPid,
- Crypto::AttestationCertVidPid & paiVidPid,
- Crypto::AttestationCertVidPid & paaVidPid,
- DeviceInfoForAttestation & deviceInfo);
};
} // namespace Credentials
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
index 003542acee9814..07db1d3726d9b9 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -147,202 +147,134 @@ CHIP_ERROR GetCertificationDeclarationCertificate(const ByteSpan & skid, Mutable } // namespace -// match DAC and PAI VIDs -AttestationVerificationResult DefaultDACVerifier::CheckDacPaiVidPids(const DeviceAttestationVerifier::AttestationInfo & info, - AttestationCertVidPid & dacVidPid, - AttestationCertVidPid & paiVidPid) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - - VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kDacFormatInvalid); - VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiFormatInvalid); - VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId, - attestationError = AttestationVerificationResult::kDacVendorIdMismatch); - VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kDacProductIdMismatch); - if (paiVidPid.mProductId.HasValue()) - { - VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId, - attestationError = AttestationVerificationResult::kDacProductIdMismatch); - } -exit: - return attestationError; -} - -AttestationVerificationResult DefaultDACVerifier::CheckAttestationSignature(const DeviceAttestationVerifier::AttestationInfo & info) +void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info, + Callback::Callback * onCompletion) { AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - P256PublicKey remoteManufacturerPubkey; - P256ECDSASignature deviceSignature; - VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kDacFormatInvalid); + Platform::ScopedMemoryBuffer paaCert; + MutableByteSpan paaDerBuffer; + 
AttestationCertVidPid dacVidPid; + AttestationCertVidPid paiVidPid; + AttestationCertVidPid paaVidPid; - // Validate overall attestation signature on attestation information - // SetLength will fail if signature doesn't fit - VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationSignatureInvalidFormat); - memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size()); - VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer, - info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationSignatureInvalid); -exit: - return attestationError; -} + VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && + !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && + !info.attestationNonceBuffer.empty() && onCompletion != nullptr, + attestationError = AttestationVerificationResult::kInvalidArgument); -AttestationVerificationResult DefaultDACVerifier::CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info, - DeviceInfoForAttestation & deviceInfo, - Platform::ScopedMemoryBuffer & paaCert, - MutableByteSpan & paaDerBuffer, AttestationCertVidPid & paaVidPid, - AttestationCertVidPid & paiVidPid) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - MutableByteSpan paaSKID(deviceInfo.paaSKID); - MutableByteSpan akid(deviceInfo.paaSKID); - constexpr size_t paaCertAllocatedLen = kMaxDERCertLength; + VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, + attestationError = AttestationVerificationResult::kInvalidArgument); - VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, - attestationError = 
AttestationVerificationResult::kPaiFormatInvalid); + // match DAC and PAI VIDs + { + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); + VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); + VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId, + attestationError = AttestationVerificationResult::kDacVendorIdMismatch); + VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kDacProductIdMismatch); + if (paiVidPid.mProductId.HasValue()) + { + VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId, + attestationError = AttestationVerificationResult::kDacProductIdMismatch); + } + } - VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); + { + P256PublicKey remoteManufacturerPubkey; + P256ECDSASignature deviceSignature; + + VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kDacFormatInvalid); + + // Validate overall attestation signature on attestation information + // SetLength will fail if signature doesn't fit + VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationSignatureInvalidFormat); + memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size()); + VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer, + info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationSignatureInvalid); + } - paaDerBuffer = MutableByteSpan(paaCert.Get(), 
paaCertAllocatedLen); - VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaNotFound); + { + uint8_t akidBuf[Crypto::kAuthorityKeyIdentifierLength]; + MutableByteSpan akid(akidBuf); + constexpr size_t paaCertAllocatedLen = kMaxDERCertLength; - VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaiFormatInvalid); - if (paaVidPid.mVendorId.HasValue()) - { - VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, - attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); - } + VerifyOrExit(paaCert.Alloc(paaCertAllocatedLen), attestationError = AttestationVerificationResult::kNoMemory); - VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); + paaDerBuffer = MutableByteSpan(paaCert.Get(), paaCertAllocatedLen); + VerifyOrExit(mAttestationTrustStore->GetProductAttestationAuthorityCert(akid, paaDerBuffer) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaNotFound); - VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaFormatInvalid); - VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(ExtractVIDPIDFromX509Cert(paaDerBuffer, paaVidPid) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); -exit: - return attestationError; -} + if (paaVidPid.mVendorId.HasValue()) + { + VerifyOrExit(paaVidPid.mVendorId == paiVidPid.mVendorId, + attestationError = AttestationVerificationResult::kPaiVendorIdMismatch); + } 
-AttestationVerificationResult DefaultDACVerifier::CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info, - MutableByteSpan & paaDerBuffer) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; + VerifyOrExit(!paaVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kPaaFormatInvalid); + } #if !defined(CURRENT_TIME_NOT_IMPLEMENTED) VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR, attestationError = AttestationVerificationResult::kDacExpired); #endif - VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaiExpired); - - VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, paaDerBuffer) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kPaaExpired); - -exit: - return attestationError; -} - -AttestationVerificationResult DefaultDACVerifier::CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info, - MutableByteSpan & paaDerBuffer) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; CertificateChainValidationResult chainValidationResult; - VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(), info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(), chainValidationResult) == CHIP_NO_ERROR, attestationError = MapError(chainValidationResult)); -exit: - return attestationError; -} - -AttestationVerificationResult -DefaultDACVerifier::CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info, MutableByteSpan & paaDerBuffer, - AttestationCertVidPid & dacVidPid, AttestationCertVidPid & paiVidPid, - AttestationCertVidPid & paaVidPid, DeviceInfoForAttestation & deviceInfo) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - - ByteSpan 
certificationDeclarationSpan; - ByteSpan attestationNonceSpan; - uint32_t timestampDeconstructed; - ByteSpan firmwareInfoSpan; - DeviceAttestationVendorReservedDeconstructor vendorReserved; - ByteSpan certificationDeclarationPayload; - - deviceInfo.dacVendorId = dacVidPid.mVendorId.Value(); - deviceInfo.dacProductId = dacVidPid.mProductId.Value(); - deviceInfo.paiVendorId = paiVidPid.mVendorId.Value(); - deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0); - deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified); - - VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, attestationNonceSpan, - timestampDeconstructed, firmwareInfoSpan, vendorReserved) == CHIP_NO_ERROR, - attestationError = AttestationVerificationResult::kAttestationElementsMalformed); - - // Verify that Nonce matches with what we sent - VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), - attestationError = AttestationVerificationResult::kAttestationNonceMismatch); - - attestationError = ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - - attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); -exit: - return attestationError; -} - -void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info, - Callback::Callback * onCompletion) -{ - AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess; - - Platform::ScopedMemoryBuffer paaCert; - MutableByteSpan paaDerBuffer; - AttestationCertVidPid dacVidPid; - AttestationCertVidPid paiVidPid; - AttestationCertVidPid paaVidPid; - - 
DeviceInfoForAttestation deviceInfo{ - .vendorId = info.vendorId, - .productId = info.productId, - }; - - VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() && - !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() && - !info.attestationNonceBuffer.empty() && onCompletion != nullptr, - attestationError = AttestationVerificationResult::kInvalidArgument); - - VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, - attestationError = AttestationVerificationResult::kInvalidArgument); - - attestationError = CheckDacPaiVidPids(info, dacVidPid, paiVidPid); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + { + ByteSpan certificationDeclarationSpan; + ByteSpan attestationNonceSpan; + uint32_t timestampDeconstructed; + ByteSpan firmwareInfoSpan; + DeviceAttestationVendorReservedDeconstructor vendorReserved; + ByteSpan certificationDeclarationPayload; + + DeviceInfoForAttestation deviceInfo{ + .vendorId = info.vendorId, + .productId = info.productId, + .dacVendorId = dacVidPid.mVendorId.Value(), + .dacProductId = dacVidPid.mProductId.Value(), + .paiVendorId = paiVidPid.mVendorId.Value(), + .paiProductId = paiVidPid.mProductId.ValueOr(0), + .paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified), + }; - attestationError = CheckAttestationSignature(info); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + MutableByteSpan paaSKID(deviceInfo.paaSKID); + VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kPaaFormatInvalid); + VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID), + attestationError = AttestationVerificationResult::kPaaFormatInvalid); - attestationError = CheckPAA(info, deviceInfo, paaCert, paaDerBuffer, paaVidPid, paiVidPid); - 
VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan, + attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan, + vendorReserved) == CHIP_NO_ERROR, + attestationError = AttestationVerificationResult::kAttestationElementsMalformed); - attestationError = CheckCertTimes(info, paaDerBuffer); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + // Verify that Nonce matches with what we sent + VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer), + attestationError = AttestationVerificationResult::kAttestationNonceMismatch); - attestationError = CheckCertChain(info, paaDerBuffer); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + attestationError = ValidateCertificationDeclarationSignature(certificationDeclarationSpan, certificationDeclarationPayload); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); - attestationError = CheckCertDeclaration(info, paaDerBuffer, dacVidPid, paiVidPid, paaVidPid, deviceInfo); - VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo); + VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError); + } exit: onCompletion->mCall(onCompletion->mContext, attestationError); diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h index bb6ee77677d851..268a41411b6317 100644 
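Review bot: The inlined DefaultDACVerifier::VerifyAttestationInformation keeps only the `IsCertificateValidAtCurrentTime` check from the removed CheckCertTimes; the two `IsCertificateValidAtIssuance` calls (DAC against PAI, kPaiExpired; DAC against PAA, kPaaExpired) are gone, so at this commit whatever those checks reject is no longer rejected. PATCH 6/8 in this series adds them back, but folding that into this commit would avoid an intermediate revision with weaker validation. The bare `{ ... }` blocks around each stage deserve a comment at the first one, since their apparent purpose is to keep non-trivially-constructed locals out of the path of the `VerifyOrExit` jumps to `exit:`, which must not bypass such a declaration; something like `// Each stage is braced so its locals are out of scope at exit: (a goto may not skip their initialization)`. The `DeviceInfoForAttestation` initializer now calls `dacVidPid.mVendorId.Value()` and friends, which is sound only because the VID/PID block above has verified those optionals are set — worth a short comment there as well.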
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
@@ -45,29 +45,6 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
DefaultDACVerifier() {}
protected:
- AttestationVerificationResult CheckDacPaiVidPids(const DeviceAttestationVerifier::AttestationInfo & info,
- Crypto::AttestationCertVidPid & dacVidPid,
- Crypto::AttestationCertVidPid & paiVidPid);
-
- AttestationVerificationResult CheckAttestationSignature(const DeviceAttestationVerifier::AttestationInfo & info);
-
- AttestationVerificationResult CheckPAA(const DeviceAttestationVerifier::AttestationInfo & info,
- DeviceInfoForAttestation & deviceInfo, Platform::ScopedMemoryBuffer & paaCert,
- MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & paaVidPid,
- Crypto::AttestationCertVidPid & paiVidPid);
-
- AttestationVerificationResult CheckCertTimes(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer);
-
- AttestationVerificationResult CheckCertChain(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer);
-
- AttestationVerificationResult CheckCertDeclaration(const DeviceAttestationVerifier::AttestationInfo & info,
- MutableByteSpan & paaDerBuffer, Crypto::AttestationCertVidPid & dacVidPid,
- Crypto::AttestationCertVidPid & paiVidPid,
- Crypto::AttestationCertVidPid & paaVidPid,
- DeviceInfoForAttestation & deviceInfo);
-
const AttestationTrustStore * mAttestationTrustStore;
};
From 3349401a1e1dd9b2d92211e99f6d0167cba609fe Mon Sep 17 00:00:00 2001
From: chrisdecenzo
Date: Fri, 12 Aug 2022 07:46:49 -0700
Subject: [PATCH 6/8] address feedback
---
src/credentials/BUILD.gn | 4 ++--
...onVerifier.cpp => DacOnlyPartialAttestationVerifier.cpp} | 2 +-
...tationVerifier.h => DacOnlyPartialAttestationVerifier.h} | 0
.../DefaultDeviceAttestationVerifier.cpp | 6 ++++++
.../attestation_verifier/DefaultDeviceAttestationVerifier.h | 1 -
5 files changed, 9 insertions(+), 4 deletions(-)
rename src/credentials/attestation_verifier/{CloudDeviceAttestationVerifier.cpp => DacOnlyPartialAttestationVerifier.cpp} (99%)
rename src/credentials/attestation_verifier/{CloudDeviceAttestationVerifier.h => DacOnlyPartialAttestationVerifier.h} (100%)
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
index 5e32ec1ccad6af..7e33874fe22402 100644
--- a/src/credentials/BUILD.gn
+++ b/src/credentials/BUILD.gn
@@ -94,8 +94,8 @@ static_library("default_attestation_verifier") {
output_name = "libDefaultAttestationVerifier"
sources = [
- "attestation_verifier/CloudDeviceAttestationVerifier.cpp",
- "attestation_verifier/CloudDeviceAttestationVerifier.h",
+ "attestation_verifier/DacOnlyPartialAttestationVerifier.cpp",
+ "attestation_verifier/DacOnlyPartialAttestationVerifier.h",
"attestation_verifier/DefaultDeviceAttestationVerifier.cpp",
"attestation_verifier/DefaultDeviceAttestationVerifier.h",
"attestation_verifier/DeviceAttestationDelegate.h",
diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
similarity index 99%
rename from src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp
rename to src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
index 785facc11506e2..ef73952874fdb3 100644
--- a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-#include "CloudDeviceAttestationVerifier.h"
+#include "DacOnlyPartialAttestationVerifier.h"
 
 #include
 #include
diff --git a/src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h
similarity index 100%
rename from src/credentials/attestation_verifier/CloudDeviceAttestationVerifier.h
rename to src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
index 07db1d3726d9b9..518ebc2eb8f6f8 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -230,6 +230,12 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
                  attestationError = AttestationVerificationResult::kDacExpired);
 #endif
 
+    VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, info.paiDerBuffer) == CHIP_NO_ERROR,
+                 attestationError = AttestationVerificationResult::kPaiExpired);
+
+    VerifyOrExit(IsCertificateValidAtIssuance(info.dacDerBuffer, paaDerBuffer) == CHIP_NO_ERROR,
+                 attestationError = AttestationVerificationResult::kPaaExpired);
+
     CertificateChainValidationResult chainValidationResult;
     VerifyOrExit(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), info.paiDerBuffer.data(),
                                           info.paiDerBuffer.size(), info.dacDerBuffer.data(), info.dacDerBuffer.size(),
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
index 268a41411b6317..013d5806bb057f 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
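Review bot: The two added VerifyOrExit calls in the DefaultDeviceAttestationVerifier.cpp hunk sit directly after the `#endif` of the `CURRENT_TIME_NOT_IMPLEMENTED` block, and a reader is likely to assume they were meant to be inside that guard as well; they appear to compare the DAC's validity window against the PAI's and the PAA's rather than against the current clock, which is presumably why they are outside it, but nothing says so. A comment above the first call such as `// Issuance-time checks compare the certificates against each other, not against the current time, so they stay outside the CURRENT_TIME_NOT_IMPLEMENTED guard.` would keep a later cleanup from moving them under the guard and silently losing the check on clock-less builds. The same comment could note that kPaiExpired / kPaaExpired are being reused for a "PAI/PAA not valid at the DAC's issuance" condition, which is broader than the names suggest. VerifyAttestationInformation starts and ends outside the hunk.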
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
@@ -17,7 +17,6 @@
 #pragma once
 
 #include
-#include
 
 namespace chip {
 namespace Credentials {

From f9100975843892ff8c5268be90fa06edf75406c9 Mon Sep 17 00:00:00 2001
From: chrisdecenzo
Date: Fri, 12 Aug 2022 08:44:12 -0700
Subject: [PATCH 7/8] straggler

---
 src/controller/java/AndroidDeviceControllerWrapper.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h
index e103709ff06733..2afcae2ac133eb 100644
--- a/src/controller/java/AndroidDeviceControllerWrapper.h
+++ b/src/controller/java/AndroidDeviceControllerWrapper.h
@@ -26,7 +26,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
@@ -95,7 +95,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     chip::Controller::AutoCommissioner * GetAutoCommissioner() { return &mAutoCommissioner; }
 
-    chip::Credentials::CloudDACVerifier * GetCloudDACVerifier() { return &mCloudDACVerifier; }
+    chip::Credentials::DacOnlyPartialAttestationVerifier * GetPartialDACVerifier() { return &mPartialDACVerifier; }
 
     const chip::Controller::CommissioningParameters & GetCommissioningParameters() const
     {
@@ -178,7 +178,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     chip::Controller::AutoCommissioner mAutoCommissioner;
 
-    chip::Credentials::CloudDACVerifier mCloudDACVerifier;
+    chip::Credentials::DacOnlyPartialAttestationVerifier mPartialDACVerifier;
 
     AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) :
         mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer))

From edcd119b3a18c35e6c6f827c630af3fdda846bad Mon Sep 17 00:00:00 2001
From: chrisdecenzo
Date: Fri, 12 Aug 2022 08:59:52 -0700
Subject: [PATCH 8/8] fix builds, integration tests

---
 .../java/AndroidDeviceControllerWrapper.h | 4 ++--
 .../java/CHIPDeviceController-JNI.cpp | 2 +-
 .../DacOnlyPartialAttestationVerifier.cpp | 20 ++++++++-----------
 .../DacOnlyPartialAttestationVerifier.h | 4 ++--
 .../DefaultDeviceAttestationVerifier.h | 2 +-
 5 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h
index 2afcae2ac133eb..2890d5f6e976ba 100644
--- a/src/controller/java/AndroidDeviceControllerWrapper.h
+++ b/src/controller/java/AndroidDeviceControllerWrapper.h
@@ -95,7 +95,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     chip::Controller::AutoCommissioner * GetAutoCommissioner() { return &mAutoCommissioner; }
 
-    chip::Credentials::DacOnlyPartialAttestationVerifier * GetPartialDACVerifier() { return &mPartialDACVerifier; }
+    chip::Credentials::PartialDACVerifier * GetPartialDACVerifier() { return &mPartialDACVerifier; }
 
     const chip::Controller::CommissioningParameters & GetCommissioningParameters() const
     {
@@ -178,7 +178,7 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     chip::Controller::AutoCommissioner mAutoCommissioner;
 
-    chip::Credentials::DacOnlyPartialAttestationVerifier mPartialDACVerifier;
+    chip::Credentials::PartialDACVerifier mPartialDACVerifier;
 
     AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) :
         mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer))
diff --git a/src/controller/java/CHIPDeviceController-JNI.cpp b/src/controller/java/CHIPDeviceController-JNI.cpp
index 7b7575ef92ae85..b3642211cdfd5d 100644
--- a/src/controller/java/CHIPDeviceController-JNI.cpp
+++ b/src/controller/java/CHIPDeviceController-JNI.cpp
@@ -545,7 +545,7 @@ JNI_METHOD(void, setUseJavaCallbackForNOCRequest)
     if (useCallback)
     {
         // if we are assigning a callback, then make the device commissioner delegate verification to the cloud
-        wrapper->Controller()->SetDeviceAttestationVerifier(wrapper->GetCloudDACVerifier());
+        wrapper->Controller()->SetDeviceAttestationVerifier(wrapper->GetPartialDACVerifier());
     }
     else
     {
diff --git a/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
index ef73952874fdb3..e37155886d61ce 100644
--- a/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.cpp
@@ -36,13 +36,11 @@ namespace Credentials {
 // As per specifications section 11.22.5.1. Constant RESP_MAX
 constexpr size_t kMaxResponseLength = 900;
 
-void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
-                                                    Callback::Callback * onCompletion)
+void PartialDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
+                                                      Callback::Callback * onCompletion)
 {
     AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
 
-    Platform::ScopedMemoryBuffer paaCert;
-    MutableByteSpan paaDerBuffer;
     AttestationCertVidPid dacVidPid;
     AttestationCertVidPid paiVidPid;
     AttestationCertVidPid paaVidPid;
@@ -99,7 +97,7 @@ void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerif
         VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR,
                      attestationError = AttestationVerificationResult::kPaiFormatInvalid);
 
-        ChipLogProgress(Support, "CloudDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled");
+        ChipLogProgress(Support, "PartialDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled");
     }
 
 #if !defined(CURRENT_TIME_NOT_IMPLEMENTED)
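Review bot: The context comment `// if we are assigning a callback, then make the device commissioner delegate verification to the cloud` in the CHIPDeviceController-JNI.cpp hunk no longer describes the line under it, which now installs GetPartialDACVerifier(); nothing visible here hands verification to a cloud service, and the verifier's own log lines in the later hunks of this patch say the PAA chain, PAA SKID and CD signature checks are skipped, not performed elsewhere. Someone reading this comment would believe the device is fully verified out of process. If the intent is that the callback's owner completes those checks, say so; otherwise something like `// if we are assigning a callback, install the partial verifier: the PAA chain and CD signature are not checked locally` is what the code actually does.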
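Review bot: `AttestationCertVidPid paaVidPid;` survives the -36 hunk while the PAA buffers that would have fed it (paaCert, paaDerBuffer) are removed, and the -123 hunk later in this patch still writes `deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified);`; unless paaVidPid is filled from something outside my view, paaVendorId is now always NotSpecified. Either drop the variable and write `deviceInfo.paaVendorId = VendorId::NotSpecified;` directly, or keep it and comment the declaration with `// No PAA is available to this verifier: paaVidPid is never populated, so paaVendorId reports NotSpecified.` The function's definition line is in the hunk but its body continues past it.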
@@ -107,7 +105,7 @@ void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerif
                  attestationError = AttestationVerificationResult::kDacExpired);
 #endif
 
-    ChipLogProgress(Support, "CloudDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled");
+    ChipLogProgress(Support, "PartialDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled");
 
     {
         ByteSpan certificationDeclarationSpan;
@@ -123,11 +121,9 @@ void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerif
         deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0);
         deviceInfo.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified);
 
-        MutableByteSpan paaSKID(deviceInfo.paaSKID);
-        VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
-        VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID),
-                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
+        ChipLogProgress(
+            Support,
+            "PartialDACVerifier::VerifyAttestationInformation skipping PAA subject key id extraction - PAARootStore disabled");
 
         VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan,
                                                     attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan,
@@ -139,7 +135,7 @@ void CloudDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerif
                      attestationError = AttestationVerificationResult::kAttestationNonceMismatch);
 
         ChipLogProgress(Support,
-                        "CloudDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled");
+                        "PartialDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled");
 
         VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR,
                      attestationError = AttestationVerificationResult::kPaaFormatInvalid);
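Review bot: With the SKID extraction removed in the -123 hunk, `deviceInfo.paaSKID` is never written by this function any more, and whether it then holds zeros or indeterminate bytes depends on how deviceInfo is declared earlier in the function, outside this hunk. The replacement log line says the extraction is skipped but gives a reader of deviceInfo no statement of what to expect in that field. I would pair the log with an explicit reset, `memset(deviceInfo.paaSKID, 0, sizeof(deviceInfo.paaSKID));` (unless deviceInfo is already value-initialized at its declaration), and a comment `// paaSKID is deliberately left zeroed: no PAA is available to this verifier.` so that nothing downstream can match against stale bytes. VerifyAttestationInformation starts and ends outside these hunks.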
diff --git a/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h
index 93065071248b19..acd28f66d71054 100644
--- a/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DacOnlyPartialAttestationVerifier.h
@@ -21,10 +21,10 @@
 namespace chip {
 namespace Credentials {
 
-class CloudDACVerifier : public DefaultDACVerifier
+class PartialDACVerifier : public DefaultDACVerifier
 {
 public:
-    CloudDACVerifier() {}
+    PartialDACVerifier() {}
 
     void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
                                       Callback::Callback * onCompletion) override;
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
index 013d5806bb057f..99f2fb5f2b85ae 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
@@ -41,9 +41,9 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
                                       const ByteSpan & attestationSignatureBuffer, const Crypto::P256PublicKey & dacPublicKey,
                                       const ByteSpan & csrNonce) override;
 
+protected:
     DefaultDACVerifier() {}
 
-protected:
     const AttestationTrustStore * mAttestationTrustStore;
 };
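Review bot: Moving `DefaultDACVerifier() {}` under `protected:` in the DefaultDeviceAttestationVerifier.h hunk makes it the constructor that `PartialDACVerifier() {}` (earlier hunk in this patch) runs, and that constructor leaves `const AttestationTrustStore * mAttestationTrustStore;` untouched: the member has no default member initializer and the body is empty, so a PartialDACVerifier carries an indeterminate trust-store pointer. The override shown in this patch does not appear to read it, but any base-class path that does would dereference garbage rather than fail cleanly. `const AttestationTrustStore * mAttestationTrustStore = nullptr;` makes the "no local PAA store" state explicit and cheap to check.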