From f636396744daf4f9cde1f923dda962e6b62a8522 Mon Sep 17 00:00:00 2001 From: Mikhail Burshteyn Date: Tue, 23 Aug 2022 14:09:53 -0600 Subject: [PATCH 1/5] Expose `DeviceCommissioner::GetAttestationChallenge` to Obj-C. --- .../Framework/CHIP/MTRDeviceController.h | 3 ++ .../Framework/CHIP/MTRDeviceController.mm | 31 +++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index e53a3a86732958..f86443c77e7dab 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -134,6 +134,9 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS */ - (void)setNocChainIssuer:(id)nocChainIssuer queue:(dispatch_queue_t)queue; +/** Return the attestation challenge for the secure session of the device being commissioned. */ +- (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId; + /** * Compute a PASE verifier and passcode ID for the desired setup pincode. * diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.mm b/src/darwin/Framework/CHIP/MTRDeviceController.mm index 7e4aa25ad14d79..a908172ac65b7a 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.mm +++ b/src/darwin/Framework/CHIP/MTRDeviceController.mm @@ -703,6 +703,37 @@ - (nullable NSData *)computePaseVerifier:(uint32_t)setupPincode iterations:(uint return result; } +- (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId +{ + __block CHIP_ERROR errorCode = CHIP_ERROR_INCORRECT_STATE; + if (![self isRunning]) { + [self checkForError:errorCode logMsg:kErrorNotRunning error:nil]; + return nil; + } + + __block NSData * attestationChallenge; + dispatch_sync(_chipWorkQueue, ^{ + if ([self isRunning]) { + chip::CommissioneeDeviceProxy * deviceProxy; + errorCode = self.cppCommissioner->GetDeviceBeingCommissioned(deviceId, &deviceProxy); + if (errorCode != CHIP_NO_ERROR) { + [self checkForError:errorCode logMsg:@"Invalid Attestation Challenge device ID." error:nil]; + return; + } + + NSMutableData * challengeBuffer = [[NSMutableData alloc] initWithLength:chip::Crypto::kAES_CCM128_Key_Length]; + chip::ByteSpan challenge((uint8_t *) [challengeBuffer mutableBytes], chip::Crypto::kAES_CCM128_Key_Length); + + errorCode = deviceProxy->GetAttestationChallenge(challenge); + MTR_LOG_ERROR("GetAttestationChallenge: %s", chip::ErrorStr(errorCode)); + + attestationChallenge = [NSData dataWithBytes:challenge.data() length:challenge.size()]; + } + }); + + return attestationChallenge; +} + - (BOOL)checkForInitError:(BOOL)condition logMsg:(NSString *)logMsg { if (condition) { From 414ec31d5d832b94819bd57b9d4f44dfd869774c Mon Sep 17 00:00:00 2001 From: Mikhail Burshteyn Date: Mon, 29 Aug 2022 10:35:14 -0400 Subject: [PATCH 2/5] Update PR based on comments from bzbarsky. --- .../Framework/CHIP/MTRDeviceController.h | 7 +++- .../Framework/CHIP/MTRDeviceController.mm | 33 +++++++++---------- 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index f86443c77e7dab..f45af2407ddc95 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -134,7 +134,12 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS */ - (void)setNocChainIssuer:(id)nocChainIssuer queue:(dispatch_queue_t)queue; -/** Return the attestation challenge for the secure session of the device being commissioned. */ +/** + * Return the attestation challenge for the secure session of the device being commissioned. + * + * Attempts to retreive the generated attestation challenge from a commissionee with the given Device ID. + * Returns nil if given Device ID does not match an active commissionee, or if a Secure Session is not availale. +*/ - (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId; /** diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.mm b/src/darwin/Framework/CHIP/MTRDeviceController.mm index a908172ac65b7a..a70892d8d247b4 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.mm +++ b/src/darwin/Framework/CHIP/MTRDeviceController.mm @@ -71,6 +71,8 @@ static NSString * const kErrorGenerateNOC = @"Generating operational certificate failed"; static NSString * const kErrorKeyAllocation = @"Generating new operational key failed"; static NSString * const kErrorCSRValidation = @"Extracting public key from CSR failed"; +static NSString * const kErrorGetCommissionee = @"Failure obtaining device being commissioned" +static NSString * const kErrorGetAttestationChallenge = @"Failure getting attestation challenge" @interface MTRDeviceController () @@ -705,30 +707,25 @@ - (nullable NSData *)computePaseVerifier:(uint32_t)setupPincode iterations:(uint - (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId { - __block CHIP_ERROR errorCode = CHIP_ERROR_INCORRECT_STATE; - if (![self isRunning]) { - [self checkForError:errorCode logMsg:kErrorNotRunning error:nil]; - return nil; - } + VerifyOrReturn([self checkIsRunning], nil); __block NSData * attestationChallenge; dispatch_sync(_chipWorkQueue, ^{ - if ([self isRunning]) { - chip::CommissioneeDeviceProxy * deviceProxy; - errorCode = self.cppCommissioner->GetDeviceBeingCommissioned(deviceId, &deviceProxy); - if (errorCode != CHIP_NO_ERROR) { - [self checkForError:errorCode logMsg:@"Invalid Attestation Challenge device ID." error:nil]; - return; - } + VerifyOrReturn([self checkIsRunning]); + + chip::CommissioneeDeviceProxy * deviceProxy; + errorCode = self.cppCommissioner->GetDeviceBeingCommissioned(deviceId, &deviceProxy); + auto success = ![self checkForError:errorCode logMsg:kErrorGetCommissionee error:nil]; + VerifyOrReturn(success); - NSMutableData * challengeBuffer = [[NSMutableData alloc] initWithLength:chip::Crypto::kAES_CCM128_Key_Length]; - chip::ByteSpan challenge((uint8_t *) [challengeBuffer mutableBytes], chip::Crypto::kAES_CCM128_Key_Length); + uint8_t challengeBuffer[chip::Crypto::kAES_CCM128_Key_Length]; + chip::ByteSpan challenge(challengeBuffer); - errorCode = deviceProxy->GetAttestationChallenge(challenge); - MTR_LOG_ERROR("GetAttestationChallenge: %s", chip::ErrorStr(errorCode)); + errorCode = deviceProxy->GetAttestationChallenge(challenge); + success = ![self checkForError:errorCode logMsg:kErrorGetAttestationChallenge error:nil]; + VerifyOrReturn(success); - attestationChallenge = [NSData dataWithBytes:challenge.data() length:challenge.size()]; - } + attestationChallenge = AsData(challenge); }); return attestationChallenge; From 1524f647b705c743243fd566a2dc72c6c8a51f33 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Mon, 29 Aug 2022 14:55:33 +0000 Subject: [PATCH 3/5] Restyled by whitespace --- src/darwin/Framework/CHIP/MTRDeviceController.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index f45af2407ddc95..0aaf453a4f545d 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -134,8 +134,8 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS */ - (void)setNocChainIssuer:(id)nocChainIssuer queue:(dispatch_queue_t)queue; -/** - * Return the attestation challenge for the secure session of the device being commissioned. +/** + * Return the attestation challenge for the secure session of the device being commissioned. * * Attempts to retreive the generated attestation challenge from a commissionee with the given Device ID. * Returns nil if given Device ID does not match an active commissionee, or if a Secure Session is not availale. From a8907e1e631f98e7e4c36b9d517babd7268d78e0 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Mon, 29 Aug 2022 14:55:34 +0000 Subject: [PATCH 4/5] Restyled by clang-format --- src/darwin/Framework/CHIP/MTRDeviceController.h | 2 +- src/darwin/Framework/CHIP/MTRDeviceController.mm | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index 0aaf453a4f545d..91e985fe952c11 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -139,7 +139,7 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS * * Attempts to retreive the generated attestation challenge from a commissionee with the given Device ID. * Returns nil if given Device ID does not match an active commissionee, or if a Secure Session is not availale. -*/ + */ - (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId; /** diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.mm b/src/darwin/Framework/CHIP/MTRDeviceController.mm index a70892d8d247b4..d122d28f93e16f 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.mm +++ b/src/darwin/Framework/CHIP/MTRDeviceController.mm @@ -71,8 +71,8 @@ static NSString * const kErrorGenerateNOC = @"Generating operational certificate failed"; static NSString * const kErrorKeyAllocation = @"Generating new operational key failed"; static NSString * const kErrorCSRValidation = @"Extracting public key from CSR failed"; -static NSString * const kErrorGetCommissionee = @"Failure obtaining device being commissioned" -static NSString * const kErrorGetAttestationChallenge = @"Failure getting attestation challenge" +static NSString * const kErrorGetCommissionee = @"Failure obtaining device being commissioned"; +static NSString * const kErrorGetAttestationChallenge = @"Failure getting attestation challenge"; @interface MTRDeviceController () @@ -707,14 +707,14 @@ - (nullable NSData *)computePaseVerifier:(uint32_t)setupPincode iterations:(uint - (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId { - VerifyOrReturn([self checkIsRunning], nil); + VerifyOrReturnValue([self checkIsRunning], nil); __block NSData * attestationChallenge; dispatch_sync(_chipWorkQueue, ^{ VerifyOrReturn([self checkIsRunning]); chip::CommissioneeDeviceProxy * deviceProxy; - errorCode = self.cppCommissioner->GetDeviceBeingCommissioned(deviceId, &deviceProxy); + auto errorCode = self.cppCommissioner->GetDeviceBeingCommissioned(deviceId, &deviceProxy); auto success = ![self checkForError:errorCode logMsg:kErrorGetCommissionee error:nil]; VerifyOrReturn(success); From 36b5c4cde21d013663257350e1ddc172ed6741bb Mon Sep 17 00:00:00 2001 From: Boris Zbarsky Date: Tue, 30 Aug 2022 11:43:08 -0400 Subject: [PATCH 5/5] Fix typo in comment. --- src/darwin/Framework/CHIP/MTRDeviceController.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/darwin/Framework/CHIP/MTRDeviceController.h b/src/darwin/Framework/CHIP/MTRDeviceController.h index 91e985fe952c11..f1ca55bb9001c4 100644 --- a/src/darwin/Framework/CHIP/MTRDeviceController.h +++ b/src/darwin/Framework/CHIP/MTRDeviceController.h @@ -137,7 +137,7 @@ typedef void (^MTRDeviceConnectionCallback)(MTRBaseDevice * _Nullable device, NS /** * Return the attestation challenge for the secure session of the device being commissioned. * - * Attempts to retreive the generated attestation challenge from a commissionee with the given Device ID. + * Attempts to retrieve the generated attestation challenge from a commissionee with the given Device ID. * Returns nil if given Device ID does not match an active commissionee, or if a Secure Session is not availale. */ - (nullable NSData *)generateAttestationChallengeForDeviceId:(uint64_t)deviceId;