project-chip · hawk248 · Jul 28, 2021 · Jul 6, 2021 · Jul 8, 2021 · Jul 8, 2021
diff --git a/src/channel/Channel.h b/src/channel/Channel.h
@@ -107,6 +107,13 @@ class ChannelBuilder
         return *this;
     }
 
+    uint8_t GetOperationalCredentialSetIndex() const { return mCaseParameters.mOperationalCredentialSetIndex; }
+    ChannelBuilder & SetOperationalCredentialSetIndex(uint8_t operationalCredentialSetIndex)
+    {
+        mCaseParameters.mOperationalCredentialSetIndex = operationalCredentialSetIndex;
+        return *this;
+    }
+
     Optional<Inet::IPAddress> GetForcePeerAddress() const { return mForcePeerAddr; }
     ChannelBuilder & SetForcePeerAddress(Inet::IPAddress peerAddr)
     {
@@ -121,6 +128,7 @@ class ChannelBuilder
     {
         uint16_t mPeerKeyId;
         Credentials::OperationalCredentialSet * mOperationalCredentialSet;
+        uint8_t mOperationalCredentialSetIndex;
     } mCaseParameters;
 
     Optional<Inet::IPAddress> mForcePeerAddr;

diff --git a/src/channel/ChannelContext.cpp b/src/channel/ChannelContext.cpp
@@ -264,9 +264,9 @@ void ChannelContext::EnterCasePairingState()
     // TODO: currently only supports IP/UDP paring
     Transport::PeerAddress addr;
     addr.SetTransportType(Transport::Type::kUdp).SetIPAddress(prepare.mAddress);
-    CHIP_ERROR err = prepare.mCasePairingSession->EstablishSession(addr, &prepare.mBuilder.GetOperationalCredentialSet(),
-                                                                   prepare.mBuilder.GetPeerNodeId(),
-                                                                   mExchangeManager->GetNextKeyId(), ctxt, this);
+    CHIP_ERROR err = prepare.mCasePairingSession->EstablishSession(
+        addr, &prepare.mBuilder.GetOperationalCredentialSet(), prepare.mBuilder.GetOperationalCredentialSetIndex(),
+        prepare.mBuilder.GetPeerNodeId(), mExchangeManager->GetNextKeyId(), ctxt, this);
     if (err != CHIP_NO_ERROR)
     {
         ExitCasePairingState();

diff --git a/src/controller/CHIPDevice.cpp b/src/controller/CHIPDevice.cpp
@@ -536,7 +536,8 @@ CHIP_ERROR Device::WarmupCASESession()
     mLocalMessageCounter = 0;
     mPeerMessageCounter  = 0;
 
-    ReturnErrorOnFailure(mCASESession.EstablishSession(mDeviceAddress, mCredentials, mDeviceId, keyID, exchange, this));
+    ReturnErrorOnFailure(
+        mCASESession.EstablishSession(mDeviceAddress, mCredentials, *mCredentialsIndex, mDeviceId, keyID, exchange, this));
 
     mState = ConnectionState::Connecting;
 

diff --git a/src/controller/CHIPDevice.h b/src/controller/CHIPDevice.h
@@ -82,6 +82,7 @@ struct ControllerDeviceInitParams
     Inet::InetLayer * inetLayer                         = nullptr;
     PersistentStorageDelegate * storageDelegate         = nullptr;
     Credentials::OperationalCredentialSet * credentials = nullptr;
+    uint8_t * credentialsIndex                          = nullptr;
     SessionIDAllocator * idAllocator                    = nullptr;
 #if CONFIG_NETWORK_LAYER_BLE
     Ble::BleLayer * bleLayer = nullptr;
@@ -176,15 +177,16 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
      */
     void Init(ControllerDeviceInitParams params, uint16_t listenPort, FabricIndex fabric)
     {
-        mTransportMgr    = params.transportMgr;
-        mSessionManager  = params.sessionMgr;
-        mExchangeMgr     = params.exchangeMgr;
-        mInetLayer       = params.inetLayer;
-        mListenPort      = listenPort;
-        mFabricIndex     = fabric;
-        mStorageDelegate = params.storageDelegate;
-        mCredentials     = params.credentials;
-        mIDAllocator     = params.idAllocator;
+        mTransportMgr     = params.transportMgr;
+        mSessionManager   = params.sessionMgr;
+        mExchangeMgr      = params.exchangeMgr;
+        mInetLayer        = params.inetLayer;
+        mListenPort       = listenPort;
+        mFabricIndex      = fabric;
+        mStorageDelegate  = params.storageDelegate;
+        mCredentials      = params.credentials;
+        mCredentialsIndex = params.credentialsIndex;
+        mIDAllocator      = params.idAllocator;
 #if CONFIG_NETWORK_LAYER_BLE
         mBleLayer = params.bleLayer;
 #endif
@@ -477,6 +479,8 @@ class DLL_EXPORT Device : public Messaging::ExchangeDelegate, public SessionEsta
     CASESession mCASESession;
 
     Credentials::OperationalCredentialSet * mCredentials = nullptr;
+    // TODO: Switch to size_t whenever OperationalCredentialSet Class is updated to support more then 255 credentials per controller
+    uint8_t * mCredentialsIndex = nullptr;
 
     PersistentStorageDelegate * mStorageDelegate = nullptr;
 

diff --git a/src/controller/CHIPDeviceController.cpp b/src/controller/CHIPDeviceController.cpp
@@ -319,7 +319,7 @@ CHIP_ERROR DeviceController::LoadLocalCredentials(Transport::FabricInfo * fabric
     }
 
     ChipLogProgress(Controller, "Generating credentials");
-    ReturnErrorOnFailure(fabric->GetCredentials(mCredentials, mCertificates, mRootKeyId));
+    ReturnErrorOnFailure(fabric->GetCredentials(mCredentials, mCertificates, mRootKeyId, mCredentialsIndex));
 
     ChipLogProgress(Controller, "Loaded credentials successfully");
     return CHIP_NO_ERROR;
@@ -796,13 +796,14 @@ void DeviceController::OnNodeIdResolutionFailed(const chip::PeerId & peer, CHIP_
 ControllerDeviceInitParams DeviceController::GetControllerDeviceInitParams()
 {
     return ControllerDeviceInitParams{
-        .transportMgr    = mTransportMgr,
-        .sessionMgr      = mSessionMgr,
-        .exchangeMgr     = mExchangeMgr,
-        .inetLayer       = mInetLayer,
-        .storageDelegate = mStorageDelegate,
-        .credentials     = &mCredentials,
-        .idAllocator     = &mIDAllocator,
+        .transportMgr     = mTransportMgr,
+        .sessionMgr       = mSessionMgr,
+        .exchangeMgr      = mExchangeMgr,
+        .inetLayer        = mInetLayer,
+        .storageDelegate  = mStorageDelegate,
+        .credentials      = &mCredentials,
+        .credentialsIndex = &mCredentialsIndex,
+        .idAllocator      = &mIDAllocator,
     };
 }
 

diff --git a/src/controller/CHIPDeviceController.h b/src/controller/CHIPDeviceController.h
@@ -344,6 +344,7 @@ class DLL_EXPORT DeviceController : public Messaging::ExchangeDelegate,
     Credentials::ChipCertificateSet mCertificates;
     Credentials::OperationalCredentialSet mCredentials;
     Credentials::CertificateKeyId mRootKeyId;
+    uint8_t mCredentialsIndex;
 
     SessionIDAllocator mIDAllocator;
 

diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -311,6 +311,17 @@ CHIP_ERROR ChipCertificateSet::LoadCerts(TLVReader & reader, BitFlags<CertDecode
     return err;
 }
 
+CHIP_ERROR ChipCertificateSet::ReleaseLastCert()
+{
+    ChipCertificateData * lastCert = (mCertCount > 0) ? &mCerts[mCertCount - 1] : nullptr;
+    VerifyOrReturnError(lastCert != nullptr, CHIP_ERROR_INTERNAL);
+
+    lastCert->~ChipCertificateData();
+    --mCertCount;
+
+    return CHIP_NO_ERROR;
+}
+
 const ChipCertificateData * ChipCertificateSet::FindCert(const CertificateKeyId & subjectKeyId) const
 {
     for (uint8_t i = 0; i < mCertCount; i++)
@@ -746,6 +757,30 @@ CHIP_ERROR ChipDN::GetCertChipId(uint64_t & chipId) const
     return CHIP_NO_ERROR;
 }
 
+CHIP_ERROR ChipDN::GetCertFabricId(uint64_t & fabricId) const
+{
+    uint8_t rdnCount = RDNCount();
+
+    fabricId = 0;
+
+    for (uint8_t i = 0; i < rdnCount; i++)
+    {
+        switch (rdn[i].mAttrOID)
+        {
+        case kOID_AttributeType_ChipFabricId:
+            // Ensure only one FabricID RDN present, since start value is 0, which is reserved and never seen.
+            VerifyOrReturnError(fabricId == 0, CHIP_ERROR_WRONG_CERT_TYPE);
+
+            fabricId = rdn[i].mChipVal;
+            break;
+        default:
+            break;
+        }
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 bool ChipDN::IsEqual(const ChipDN & other) const
 {
     bool res         = true;

diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
@@ -252,6 +252,15 @@ class ChipDN
      **/
     CHIP_ERROR GetCertChipId(uint64_t & certId) const;
 
+    /**
+     * @brief Retrieve the Fabric ID of a CHIP certificate.
+     *
+     * @param certId  A reference to the certificate Fabric ID value.
+     *
+     * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
+     **/
+    CHIP_ERROR GetCertFabricId(uint64_t & fabricId) const;
+
     bool IsEqual(const ChipDN & other) const;
 
     /**
@@ -461,6 +470,8 @@ class DLL_EXPORT ChipCertificateSet
      **/
     CHIP_ERROR LoadCerts(chip::TLV::TLVReader & reader, BitFlags<CertDecodeFlags> decodeFlags);
 
+    CHIP_ERROR ReleaseLastCert();
+
     /**
      * @brief Find certificate in the set.
      *

diff --git a/src/credentials/CHIPOperationalCredentials.cpp b/src/credentials/CHIPOperationalCredentials.cpp
@@ -363,5 +363,24 @@ P256Keypair * OperationalCredentialSet::GetNodeKeypairAt(const CertificateKeyId
     return nullptr;
 }
 
+const ChipCertificateData * OperationalCredentialSet::GetRootCertificate(const CertificateKeyId & trustedRootId) const
+{
+    for (size_t certChainIdx = 0; certChainIdx < mOpCredCount; certChainIdx++)
+    {
+        ChipCertificateSet * certSet = &mOpCreds[certChainIdx];
+
+        for (size_t ipkIdx = 0; ipkIdx < certSet->GetCertCount(); ipkIdx++)
+        {
+            const ChipCertificateData * cert = &certSet->GetCertSet()[ipkIdx];
+            if (cert->mCertFlags.Has(CertFlags::kIsTrustAnchor) && cert->mAuthKeyId.data_equal(trustedRootId))
+            {
+                return cert;
+            }
+        }
+    }
+
+    return nullptr;
+}
+
 } // namespace Credentials
 } // namespace chip
diff --git a/src/credentials/CHIPOperationalCredentials.h b/src/credentials/CHIPOperationalCredentials.h
@@ -223,7 +223,7 @@ class DLL_EXPORT OperationalCredentialSet
                        P256ECDSASignature & out_signature);
 
     /**
-     * @return A pointer to device credentials (in x509 format).
+     * @return A pointer to device credentials (in chip format).
      **/
     const uint8_t * GetDevOpCred(const CertificateKeyId & trustedRootId) const
     {
@@ -259,8 +259,11 @@ class DLL_EXPORT OperationalCredentialSet
 
     CHIP_ERROR SetDevOpCredKeypair(const CertificateKeyId & trustedRootId, P256Keypair * newKeypair);
 
+    const ChipCertificateData * GetRootCertificate(const CertificateKeyId & trustedRootId) const;
+
 private:
-    ChipCertificateSet * mOpCreds;     /**< Pointer to an array of certificate data. */
+    ChipCertificateSet * mOpCreds; /**< Pointer to an array of certificate data. */
+    // TODO: switch mOpCredCount var type to size_t in order to allow more than 255 credentials per controller.
     uint8_t mOpCredCount;              /**< Number of certificates in mOpCreds
                                         array. We maintain the invariant that all
                                         the slots at indices less than
@@ -275,6 +278,7 @@ class DLL_EXPORT OperationalCredentialSet
     NodeKeypairMap mDeviceOpCredKeypair[kOperationalCredentialsMax];
     uint8_t mDeviceOpCredKeypairCount;
 
+    // TODO: Remove TrustedRootId indexing - Replace it with size_t index.
     const NodeCredential * GetNodeCredentialAt(const CertificateKeyId & trustedRootId) const;
     P256Keypair * GetNodeKeypairAt(const CertificateKeyId & trustedRootId);
 };

diff --git a/src/crypto/hsm/CHIPCryptoPALHsm_config.h b/src/crypto/hsm/CHIPCryptoPALHsm_config.h
@@ -58,7 +58,7 @@
 
 #if ((CHIP_CRYPTO_HSM) && (ENABLE_HSM_GENERATE_EC_KEY))
 #define ENABLE_HSM_EC_KEY
-#define ENABLE_HSM_CASE_EPHERMAL_KEY
+#define ENABLE_HSM_CASE_EPHEMERAL_KEY
 #define ENABLE_HSM_CASE_OPS_KEY
 #endif
 

diff --git a/src/protocols/secure_channel/CASEServer.cpp b/src/protocols/secure_channel/CASEServer.cpp
@@ -43,7 +43,7 @@ CHIP_ERROR CASEServer::ListenForSessionEstablishment(Messaging::ExchangeManager
     mExchangeManager = exchangeManager;
     mIDAllocator     = idAllocator;
 
-    ReturnErrorOnFailure(mPairingSession.MessageDispatch().Init(transportMgr));
+    ReturnErrorOnFailure(GetSession().MessageDispatch().Init(transportMgr));
 
     ExchangeDelegate * delegate = this;
     ReturnErrorOnFailure(
@@ -73,15 +73,16 @@ CHIP_ERROR CASEServer::InitCASEHandshake(Messaging::ExchangeContext * ec)
     }
     ReturnErrorCodeIf(fabric == nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
-    ReturnErrorOnFailure(fabric->GetCredentials(mCredentials, mCertificates, mRootKeyId));
+    uint8_t credentialsIndex;
+    ReturnErrorOnFailure(fabric->GetCredentials(mCredentials, mCertificates, mRootKeyId, credentialsIndex));
 
     ReturnErrorOnFailure(mIDAllocator->Allocate(mSessionKeyId));
 
     // Setup CASE state machine using the credentials for the current fabric.
-    ReturnErrorOnFailure(mPairingSession.ListenForSessionEstablishment(&mCredentials, mSessionKeyId, this));
+    ReturnErrorOnFailure(GetSession().ListenForSessionEstablishment(&mCredentials, mSessionKeyId, this));
 
     // Hand over the exchange context to the CASE session.
-    ec->SetDelegate(&mPairingSession);
+    ec->SetDelegate(&GetSession());
 
     return CHIP_NO_ERROR;
 }
@@ -92,7 +93,7 @@ CHIP_ERROR CASEServer::OnMessageReceived(Messaging::ExchangeContext * ec, const
     ChipLogProgress(Inet, "CASE Server received SigmaR1 message. Starting handshake. EC %p", ec);
     ReturnErrorOnFailure(InitCASEHandshake(ec));
 
-    mPairingSession.OnMessageReceived(ec, packetHeader, payloadHeader, std::move(payload));
+    GetSession().OnMessageReceived(ec, packetHeader, payloadHeader, std::move(payload));
 
     return CHIP_NO_ERROR;
     // TODO - Enable multiple concurrent CASE session establishment
@@ -104,7 +105,7 @@ void CASEServer::Cleanup()
     mFabricIndex = Transport::kUndefinedFabricIndex;
     mCredentials.Release();
     mCertificates.Release();
-    mPairingSession.Clear();
+    GetSession().Clear();
 }
 
 void CASEServer::OnSessionEstablishmentError(CHIP_ERROR err)
@@ -117,11 +118,11 @@ void CASEServer::OnSessionEstablishmentError(CHIP_ERROR err)
 void CASEServer::OnSessionEstablished()
 {
     ChipLogProgress(Inet, "CASE Session established. Setting up the secure channel.");
-    mSessionMgr->ExpireAllPairings(mPairingSession.PeerConnection().GetPeerNodeId(), mFabricIndex);
+    mSessionMgr->ExpireAllPairings(GetSession().PeerConnection().GetPeerNodeId(), mFabricIndex);
 
     CHIP_ERROR err = mSessionMgr->NewPairing(
-        Optional<Transport::PeerAddress>::Value(mPairingSession.PeerConnection().GetPeerAddress()),
-        mPairingSession.PeerConnection().GetPeerNodeId(), &mPairingSession, SecureSession::SessionRole::kResponder, mFabricIndex);
+        Optional<Transport::PeerAddress>::Value(GetSession().PeerConnection().GetPeerAddress()),
+        GetSession().PeerConnection().GetPeerNodeId(), &GetSession(), SecureSession::SessionRole::kResponder, mFabricIndex);
     if (err != CHIP_NO_ERROR)
     {
         ChipLogError(Inet, "Failed in setting up secure channel: err %s", ErrorStr(err));

diff --git a/src/protocols/secure_channel/CASEServer.h b/src/protocols/secure_channel/CASEServer.h
@@ -53,10 +53,10 @@ class CASEServer : public SessionEstablishmentDelegate, public Messaging::Exchan
     Messaging::ExchangeMessageDispatch * GetMessageDispatch(Messaging::ReliableMessageMgr * reliableMessageManager,
                                                             SecureSessionMgr * sessionMgr) override
     {
-        return mPairingSession.GetMessageDispatch(reliableMessageManager, sessionMgr);
+        return GetSession().GetMessageDispatch(reliableMessageManager, sessionMgr);
     }
 
-    CASESession & GetSession() { return mPairingSession; }
+    virtual CASESession & GetSession() { return mPairingSession; }
 
 private:
     Messaging::ExchangeManager * mExchangeManager = nullptr;