Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CASE spec refresh #8137

Merged
merged 20 commits into from
Jul 28, 2021
Merged

CASE spec refresh #8137

merged 20 commits into from
Jul 28, 2021

Conversation

jpk233
Copy link
Contributor

@jpk233 jpk233 commented Jul 6, 2021
edited
Loading

Problem

Change overview

  • Added TrustedRootId parameter to CASESession’s EstablishSession method

  • Added new methods to Find and Generate Destination IDs (New CASE Spec updates)

  • Updated some CASESession method’s parameters that were using raw input buffers with ByteSpan and MutableByteSpan objects

  • Updated CASESession Nonce and Info vectors (new CASE Spec updates)

  • Updated SigmaR1 message construction method to generate DestinationID instead of sending all TrustedRootIDs available.

  • Minor comment updates to match CASE Spec’s steps

  • Added new method to OperationalCredentialSet to retrieve RootCertificate indexed by TrustedRootId

  • CASESession Tests: Updated NodeID parameter to match Node ID of the corresponding Test Vector Certificate

Testing

  • Tested using CASE Session Unit Tests

@todo
Copy link

todo bot commented Jul 6, 2021

read fabricId

connectedhomeip/src/protocols/secure_channel/CASESession.cpp

Lines 1151 to 1161 in f2f7df4

// TODO: read fabricId
uint64_t fabricId = 0;
uint16_t destinationMessageLen = kSigmaParamRandomNumberSize + kP256_PublicKey_Length + sizeof(fabricId) + sizeof(nodeId);
System::PacketBufferHandle destinationMessage = System::PacketBufferHandle::New(destinationMessageLen);
const ChipCertificateData * rootCertificate = mOpCredSet->GetRootCertificate(*trustedRootId);
VerifyOrReturnError(!destinationMessage.IsNull(), CHIP_ERROR_NO_MEMORY);
VerifyOrReturnError(rootCertificate != nullptr, CHIP_ERROR_CERT_NOT_FOUND);
VerifyOrReturnError(!rootCertificate->mPublicKey.empty(), CHIP_ERROR_INTERNAL);
VerifyOrReturnError(rootCertificate->mPublicKey.size() == kP256_PublicKey_Length, CHIP_ERROR_INTERNAL);
Encoding::LittleEndian::BufferWriter bbuf(destinationMessage->Start(), destinationMessageLen);

This comment was generated by todo based on a TODO comment in f2f7df4 in #8137. cc @jpk233.

tcarmelveilleux
tcarmelveilleux requested changes Jul 6, 2021
View reviewed changes
Copy link
Contributor

@tcarmelveilleux tcarmelveilleux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Crypto algorithm used for destinationId in CASE does not match spec.

src/protocols/secure_channel/CASESession.cpp Outdated Show resolved Hide resolved
@todo
Copy link

todo bot commented Jul 8, 2021

implement API for this in OperationalCredentialSet

connectedhomeip/src/protocols/secure_channel/CASESession.cpp

Lines 268 to 272 in 21f624c

// TODO: implement API for this in OperationalCredentialSet
mTrustedRootId = operationalCredentialSet->GetOpCredSet()[opCredSetIndex].GetCertSet()[0].mAuthKeyId;
err = SendSigmaR1();
SuccessOrExit(err);

This comment was generated by todo based on a TODO comment in 21f624c in #8137. cc @jpk233.

@todo
Copy link

todo bot commented Jul 8, 2021

Parameterize fabricId instead of hardcoding it to 0

connectedhomeip/src/protocols/secure_channel/CASESession.cpp

Lines 331 to 341 in 21f624c

// TODO: Parameterize fabricId instead of hardcoding it to 0
FabricId fabricId = 0;
// Generate an ephemeral keypair
#ifdef ENABLE_HSM_CASE_EPHERMAL_KEY
mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY);
#endif
ReturnErrorOnFailure(mEphemeralKey.Initialize());
// Fill in the random value
ReturnErrorOnFailure(DRBG_get_bytes(initiatorRandom, kSigmaParamRandomNumberSize));

This comment was generated by todo based on a TODO comment in 21f624c in #8137. cc @jpk233.

@todo
Copy link

todo bot commented Jul 8, 2021

Parameterize fabricId instead of hardcoding it to 0

connectedhomeip/src/protocols/secure_channel/CASESession.cpp

Lines 1119 to 1129 in 21f624c

// TODO: Parameterize fabricId instead of hardcoding it to 0
FabricId fabricId = 0;
trustedRootId = mOpCredSet->GetTrustedRootId(i);
ReturnErrorOnFailure(DecodeChipCert(mOpCredSet->GetDevOpCred(trustedRootId), mOpCredSet->GetDevOpCredLen(trustedRootId),
nodeOperationalCertificate));
ReturnErrorOnFailure(nodeOperationalCertificate.mSubjectDN.GetCertChipId(nodeId));
// TODO: add method to retrieve FabricId. Call it here

This comment was generated by todo based on a TODO comment in 21f624c in #8137. cc @jpk233.

@todo
Copy link

todo bot commented Jul 8, 2021

add method to retrieve FabricId. Call it here

connectedhomeip/src/protocols/secure_channel/CASESession.cpp

Lines 1128 to 1138 in 21f624c

// TODO: add method to retrieve FabricId. Call it here
{
MutableByteSpan candidateSpan(candidate, sizeof(candidate));
ReturnErrorOnFailure(GenerateDestinationID(initiatorRandom, &trustedRootId, nodeId, fabricId, candidateSpan));
}
if (memcmp(destinationId.data(), candidate, destinationId.size()) == 0)
{
mTrustedRootId = trustedRootId;
break;

This comment was generated by todo based on a TODO comment in 21f624c in #8137. cc @jpk233.

@restyled-io restyled-io bot mentioned this pull request Jul 26, 2021
Closed
andy31415
andy31415 reviewed Jul 26, 2021
View reviewed changes
src/credentials/CHIPCert.h Outdated Show resolved Hide resolved
src/protocols/secure_channel/CASESession.cpp Show resolved Hide resolved
src/protocols/secure_channel/CASESession.cpp Show resolved Hide resolved
src/controller/CHIPDevice.h Outdated Show resolved Hide resolved
src/transport/FabricTable.cpp Show resolved Hide resolved
src/transport/FabricTable.h Show resolved Hide resolved
src/credentials/CHIPCert.cpp Show resolved Hide resolved
src/credentials/CHIPCert.cpp Show resolved Hide resolved
@jpk233
Replace mCredentialsIndex pointer to an actual uint8_t variable.
cbcf488 
Update GetCertFabricId method to use UINT64_MAX macro as an invalid reference,
and added a final sanity check to see if there were actually any fabricIds present in the certificate.
Added doxygen to GetCredentials method.
@restyled-io restyled-io bot mentioned this pull request Jul 27, 2021
Closed
@github-actions
Copy link

Size increase report for "esp32-example-build" from 5d91959

File Section File VM
chip-ipv6only-app.elf .flash.text 172 172
chip-all-clusters-app.elf .flash.text 632 632
chip-all-clusters-app.elf .dram0.data 8 16
chip-all-clusters-app.elf .dram0.heap_start 0 -8
chip-all-clusters-app.elf .flash.rodata -8 -8
chip-all-clusters-app.elf .dram0.bss 0 -56
chip-shell.elf .flash.text 24 24
chip-lock-app.elf .flash.text 400 400
chip-lock-app.elf [2 Others] -8 -8
chip-lock-app.elf .dram0.bss 0 -56
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-ipv6only-app.elf and ./pull_artifact/chip-ipv6only-app.elf:

sections,vmsize,filesize
.flash.text,172,172
[Unmapped],0,-172

Comparing ./master_artifact/chip-all-clusters-app.elf and ./pull_artifact/chip-all-clusters-app.elf:

sections,vmsize,filesize
.debug_info,0,12064
.debug_loc,0,2027
.debug_str,0,854
.debug_ranges,0,832
.strtab,0,790
.debug_line,0,665
.flash.text,632,632
.symtab,0,192
.debug_frame,0,156
.debug_aranges,0,40
.debug_abbrev,0,21
.dram0.data,16,8
.riscv.attributes,0,1
.shstrtab,0,-2
.dram0.heap_start,-8,0
.flash.rodata,-8,-8
[ELF Headers],0,-40
.dram0.bss,-56,0
[Unmapped],0,-632

Comparing ./master_artifact/chip-shell.elf and ./pull_artifact/chip-shell.elf:

sections,vmsize,filesize
.debug_info,0,1434
.debug_str,0,274
.debug_line,0,158
.debug_loc,0,143
.debug_ranges,0,72
.debug_abbrev,0,39
.flash.text,24,24
.shstrtab,0,-2
.strtab,0,-2
[Unmapped],0,-24

Comparing ./master_artifact/chip-persistent-storage.elf and ./pull_artifact/chip-persistent-storage.elf:

sections,vmsize,filesize

Comparing ./master_artifact/chip-temperature-measurement-app.elf and ./pull_artifact/chip-temperature-measurement-app.elf:

BLOAT EXECUTION FAILED WITH CODE 1:
bloaty: integer overflow

Comparing ./master_artifact/chip-lock-app.elf and ./pull_artifact/chip-lock-app.elf:

sections,vmsize,filesize
.debug_info,0,11100
.debug_loc,0,5867
.debug_line,0,1566
.debug_ranges,0,976
.debug_str,0,854
.strtab,0,790
.flash.text,400,400
.shstrtab,0,322
.symtab,0,304
.xt.prop._ZNK4chip4SpanIhE7SubSpanEjj,0,140
.debug_frame,0,120
.xt.prop._ZNK4chip11CASESession10GetIPKListEv,0,88
.debug_abbrev,0,81
.xt.prop._ZN4chip10CASEServer10GetSessionEv,0,76
.xt.prop._ZNK4chip11CASESession17GetIPKListEntriesEv,0,76
.xt.prop._ZZNK4chip11CASESession10GetIPKListEvE11ipkListSpan,0,52
.xt.lit._ZNK4chip11CASESession10GetIPKListEv,0,48
.debug_aranges,0,32
[2 Others],-8,-8
.dram0.bss,-56,0
[Unmapped],0,-392

Comparing ./master_artifact/chip-pigweed-app.elf and ./pull_artifact/chip-pigweed-app.elf:

sections,vmsize,filesize

@github-actions
Copy link

Size increase report for "nrfconnect-example-build" from 5d91959

File Section File VM
chip-shell.elf text 56 56
chip-shell.elf [LOAD #3 [RW]] 0 20
chip-shell.elf device_handles 8 8
chip-shell.elf bss 0 -20
chip-lock.elf text 436 436
chip-lock.elf datas 8 8
chip-lock.elf device_handles -4 -4
chip-lock.elf rodata -8 -8
chip-lock.elf [LOAD #3 [RW]] 0 -20
chip-lock.elf bss 0 -44
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-shell.elf and ./pull_artifact/chip-shell.elf:

sections,vmsize,filesize
.debug_info,0,1508
.debug_loc,0,471
.debug_str,0,261
.debug_ranges,0,72
.debug_line,0,64
text,56,56
[LOAD #3 [RW]],20,0
.debug_abbrev,0,12
device_handles,8,8
.debug_frame,0,4
.shstrtab,0,-1
bss,-20,0
.symtab,0,-32
.strtab,0,-35

Comparing ./master_artifact/chip-lock.elf and ./pull_artifact/chip-lock.elf:

sections,vmsize,filesize
.debug_info,0,10156
.debug_loc,0,5702
.strtab,0,865
.debug_line,0,809
.debug_str,0,786
text,436,436
.debug_ranges,0,408
.symtab,0,336
.debug_frame,0,148
.debug_aranges,0,48
datas,8,8
.debug_abbrev,0,-1
.shstrtab,0,-1
device_handles,-4,-4
rodata,-8,-8
[LOAD #3 [RW]],-20,0
bss,-44,0

@github-actions
Copy link

Size increase report for "gn_qpg-example-build" from 5d91959

File Section File VM
chip-qpg6100-lighting-example.out .text 428 428
chip-qpg6100-lighting-example.out .heap 0 48
chip-qpg6100-lighting-example.out .data 8 8
chip-qpg6100-lighting-example.out .bss 0 -56
Full report output 
BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-qpg6100-lighting-example.out and ./pull_artifact/chip-qpg6100-lighting-example.out:

sections,vmsize,filesize
.debug_info,0,10180
.debug_loc,0,5065
.strtab,0,855
.debug_str,0,796
.debug_line,0,742
.text,428,428
.symtab,0,336
.debug_frame,0,144
.debug_ranges,0,136
.debug_abbrev,0,49
.debug_aranges,0,48
.heap,48,0
.data,8,8
.shstrtab,0,1
.bss,-56,0
[Unmapped],0,-428

Comparing ./master_artifact/chip-qpg6100-lighting-example.out.map and ./pull_artifact/chip-qpg6100-lighting-example.out.map:

BLOAT EXECUTION FAILED WITH CODE 1:
bloaty: unknown file type for file './pull_artifact/chip-qpg6100-lighting-example.out.map'

@hawk248 hawk248 merged commit 410b9f9 into project-chip:master Jul 28, 2021
This was referenced Jul 28, 2021
Closed
Closed
Closed
Closed
Closed
Closed
@jpk233 jpk233 deleted the case branch July 28, 2021 14:21
@todo todo bot mentioned this pull request Jul 28, 2021
Closed
@austinh0 austinh0 mentioned this pull request Jul 29, 2021
Closed
@samadDotDev samadDotDev mentioned this pull request Aug 6, 2021
Closed
nikita-s-wrk pushed a commit to nikita-s-wrk/connectedhomeip that referenced this pull request Sep 23, 2021
@jpk233
CASE spec refresh (project-chip#8137)
ecc50a0 
* CASE spec refresh

* Remove TrustedRootID from Sigma messages. Replce HKDF algorithm with HMAC-SHA256 Algorithm in GenerateDestinationID method.

* Replace TrustedRootId parameter with an index value for the OperationalCredentialSet.
Added CredentialsIndex parameter to AdminPairingTable's GetCredentials method.
Removed FabricSecret.
Removed kIPKInfo.
Removed Deprecated ComputeIPK method - Replaced it with dummy RetrieveIPK method.

* cast 1 to uint8_t to avoid compiler errors on other platforms

* Fix uint8_t conversion

* Replace CASETLVTags with TLV::ContextTag ID, switch unsafe statement to an actual OperationalCredentialSet method to retrieve a TrustedRootId, renamed kMAX_Hash_Length refs to kSHA256_Hash_Length to match the Spec.

* Add GenerateDestinationID Test

* Added ReleaseLastCert method to OperationalCredentialSet Class.
This method will release the last certificate data in the set.
Added call to ReleaseLastCert method during CASESession after a successful validation of the NOC certificate.
Updated CASE Unit Tests to force 3 certificates maximum. This will guarantee that for the tests to work fine,
CASESession must release the NOC certificate every time.
CASESession: change LoadCerts to LoadCert - Only NOC is transferred during CASE Protocol. No need to handle ICA

* remove fabricId parameters/methods from CASESession. Retrieve it from the NOC instead.

* Updated ReleaseLastCert method from CHIPCertificateSet class: not using a const ChipCertificateData type anymore to avoid confusion.
Removed redundant comment from ReleaseLastCert method.
Wrote some TODO items to update OperationalCredentialSet class in order to work with size_t variable counters: useful to index more than 255 Credentials.
Update DestinationIDGeneration Test to use Spec's test vectors.
Added static assert to check TBEData2 and TBEData3 Nonce Lengths : they must match.
Added new method to Estimate TLV Struct overhead.
Updated GenerateDestinationID to be stateless: now directly accesses the inputs as raw memory buffers.
Updated HandleSigma methods to handle TLV tags sequentially.
Removed redundant GetLength and GetType calls during TLV Reads.
Renamed encryptionKeyId to initiatorSessionId and responderSessionId.
Fixed typo in ENABLE_HSM_CASE_EPHEMERAL_KEY macro.

* Update casesession with latest comments

* Trigger Build

* added IPK to CASESession Serializable data: IPK is needed to DeriveSecureSession, so it needs to be stored. Updated FindDestinationIDCandidate loop variables to size_t. Also updated names to reflect what they are indexing.

* Added CASESession protected API (Virtual) to get the IPK List Entries. They can be overridden by the Unit Tests in order to feed in the test IPK vectors.

* Update for fabric class rename

* Restyling

* Replace mCredentialsIndex pointer to an actual uint8_t variable.
Update GetCertFabricId method to use UINT64_MAX macro as an invalid reference,
and added a final sanity check to see if there were actually any fabricIds present in the certificate.
Added doxygen to GetCredentials method.

* Restyle fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andy31415 andy31415 andy31415 left review comments

@hawk248 hawk248 hawk248 approved these changes

@msandstedt msandstedt msandstedt approved these changes

@LuDuda LuDuda LuDuda approved these changes

@tcarmelveilleux tcarmelveilleux tcarmelveilleux approved these changes

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@jelderton jelderton Awaiting requested review from jelderton

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@mspang mspang Awaiting requested review from mspang

@saurabhst saurabhst Awaiting requested review from saurabhst

@vivien-apple vivien-apple Awaiting requested review from vivien-apple

@woody-apple woody-apple Awaiting requested review from woody-apple

@pan-apple pan-apple Awaiting requested review from pan-apple

Assignees
No one assigned
Labels
controller crypto review - approved transport
Projects
None yet
Milestone
Test Event 5
8 participants
@jpk233 @tcarmelveilleux @andy31415 @LuDuda @msandstedt @hawk248 @woody-apple @franck-apple