Fix the way of providing data to generate factory data

doublemis1 · doublemis1 · commit 56d5a9cd3587 · 2024-01-11T09:05:29.000+01:00
Update the generation of factory data for nrfconnect
platform. No more possible to provide spake2 verifier,
always generated by provided passcode.

Signed-off-by: Michał Szablowski &lt;michal.szablowski@nordicsemi.no&gt;
diff --git a/config/nrfconnect/chip-module/generate_factory_data.cmake b/config/nrfconnect/chip-module/generate_factory_data.cmake
@@ -77,18 +77,13 @@ elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER)
     string(APPEND script_args "--dac_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT}\"\n")
     string(APPEND script_args "--dac_key \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY}\"\n")
     string(APPEND script_args "--pai_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT}\"\n")
-else()
-    find_program(chip_cert_exe NAMES chip-cert REQUIRED)
-    string(APPEND script_args "--gen_cd\n")
-    string(APPEND script_args "--chip_cert_path ${chip_cert_exe}\n")
 endif()
 
 # add Password-Authenticated Key Exchange parameters
 string(APPEND script_args "--spake2_it \"${CONFIG_CHIP_DEVICE_SPAKE2_IT}\"\n")
 string(APPEND script_args "--spake2_salt \"${CONFIG_CHIP_DEVICE_SPAKE2_SALT}\"\n")
 string(APPEND script_args "--discriminator ${CONFIG_CHIP_DEVICE_DISCRIMINATOR}\n")
 string(APPEND script_args "--passcode ${CONFIG_CHIP_DEVICE_SPAKE2_PASSCODE}\n")
-string(APPEND script_args "--include_passcode\n")
 string(APPEND script_args "--overwrite\n")
 string(APPEND script_args "--product_finish ${CONFIG_CHIP_DEVICE_PRODUCT_FINISH}\n")
 
@@ -100,11 +95,6 @@ if(CONFIG_CHIP_FACTORY_DATA_GENERATE_ONBOARDING_CODES)
     string(APPEND script_args "--generate_onboarding\n")
 endif()
 
-# check if spake2 verifier should be generated using script
-if(NOT CONFIG_CHIP_FACTORY_DATA_GENERATE_SPAKE2_VERIFIER)
-    # Spake2 verifier should be provided using kConfig
-    string(APPEND script_args "--spake2_verifier \"${CONFIG_CHIP_DEVICE_SPAKE2_TEST_VERIFIER}\"\n")
-endif()
 
 if(CONFIG_CHIP_DEVICE_ENABLE_KEY)
 # Add optional EnableKey that triggers user-specific action.
diff --git a/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py b/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py
@@ -99,8 +99,6 @@ def gen_test_certs(chip_cert_exe: str,
                    vendor_id: int,
                    product_id: int,
                    device_name: str,
-                   generate_cd: bool = False,
-                   cd_type: int = 1,
                    paa_cert_path: str = None,
                    paa_key_path: str = None):
     """
@@ -115,7 +113,6 @@ def gen_test_certs(chip_cert_exe: str,
         vendor_id (int): an identification number specific to Vendor
         product_id (int): an identification number specific to Product
         device_name (str): human-readable device name
-        generate_cd (bool, optional): Generate Certificate Declaration and store it in thee output directory. Defaults to False.
         paa_cert_path (str, optional): provide PAA certification path. Defaults to None - a path will be set to
         /credentials/test/attestation directory.
         paa_key_path (str, optional): provide PAA key path. Defaults to None - a path will be set to
@@ -127,8 +124,6 @@ def gen_test_certs(chip_cert_exe: str,
                      "DAC_KEY": (str)<path to DAC key .der file>]
     """
 
-    CD_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem"
-    CD_KEY_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem"
     PAA_PATH = paa_cert_path if paa_cert_path is not None else (MATTER_ROOT +
                                                                 "/credentials/test/attestation/Chip-Test-PAA-NoVID-Cert.pem")
     PAA_KEY_PATH = paa_key_path if paa_key_path is not None else (MATTER_ROOT +
@@ -138,23 +133,6 @@ def gen_test_certs(chip_cert_exe: str,
 
     log.info("Generating new certificates using chip-cert...")
 
-    if generate_cd:
-        # generate Certification Declaration
-        cmd = [chip_cert_exe, "gen-cd",
-               "--key", CD_KEY_PATH,
-               "--cert", CD_PATH,
-               "--out", output + "/CD.der",
-               "--format-version",  "1",
-               "--vendor-id",  hex(vendor_id),
-               "--product-id",  hex(product_id),
-               "--device-type-id", "0",
-               "--certificate-id", "FFFFFFFFFFFFFFFFFFF",
-               "--security-level",  "0",
-               "--security-info",  "0",
-               "--certification-type",  str(cd_type),
-               "--version-number", "0xFFFF",
-               ]
-        subprocess.run(cmd)
 
     new_certificates = {"PAI_CERT": output + "/PAI_cert",
                         "PAI_KEY": output + "/PAI_key",
@@ -232,8 +210,8 @@ def _validate_args(self):
                 self._user_data = json.loads(self._args.user)
             except json.decoder.JSONDecodeError as e:
                 raise AssertionError("Provided wrong user data, this is not a JSON format! {}".format(e))
-        assert self._args.spake2_verifier or self._args.passcode, \
-            "Cannot find Spake2+ verifier, to generate a new one please provide passcode (--passcode)"
+        assert self._args.passcode, \
+            "Cannot find passcode, to generate spake2 verifier. Please provide passcode (--passcode)"
         assert (self._args.chip_cert_path or (self._args.dac_cert and self._args.pai_cert and self._args.dac_key)), \
             "Cannot find paths to DAC or PAI certificates .der files. To generate a new ones please provide a path to chip-cert executable (--chip_cert_path)"
         assert self._args.output.endswith(".json"), \
@@ -247,11 +225,10 @@ def generate_json(self):
 
         To validate generated JSON data a scheme must be provided within script's arguments.
 
-        - In the first part, if the rotating device id unique id has been not provided
-          as an argument, it will be created.
-        - If user-provided passcode and Spake2+ verifier have been not provided
-          as an argument, it will be created using an external script
-        - Passcode is not stored in JSON by default. To store it for debugging purposes, add --include_passcode argument.
+        - if the rotating device id unique id has been not provided and the generate boolean 
+          has been set then rotating device id will be generated.
+        - based on provided passcode, the spake2 verifier will be generated
+        - Passcode is not stored in JSON.
         - Validating output JSON is not mandatory, but highly recommended.
 
         """
@@ -265,10 +242,10 @@ def generate_json(self):
         else:
             rd_uid = HEX_PREFIX + self._args.rd_uid
 
-        if not self._args.spake2_verifier:
+        if self._args.passcode:
             spake_2_verifier = self._generate_spake2_verifier()
         else:
-            spake_2_verifier = self._args.spake2_verifier
+            raise RuntimeError("Provide passcode.")
 
         # convert salt to bytestring to be coherent with Spake2+ verifier type
         spake_2_salt = self._args.spake2_salt
@@ -319,8 +296,6 @@ def generate_json(self):
             self._add_entry("dac_cert", self._process_der(dac_cert))
             self._add_entry("dac_key", dac_priv_key)
             self._add_entry("pai_cert", self._process_der(pai_cert))
-            if self._args.include_passcode:
-                self._add_entry("passcode", self._args.passcode)
             self._add_entry("spake2_it", self._args.spake2_it)
             self._add_entry("spake2_salt", spake_2_salt)
             self._add_entry("spake2_verifier", spake_2_verifier)
@@ -431,8 +406,6 @@ def base64_str(s): return base64.b64decode(s)
                         help="Output path to store .json file, e.g. my_dir/output.json")
     parser.add_argument("-v", "--verbose", action="store_true",
                         help="Run this script with DEBUG logging level")
-    parser.add_argument("--include_passcode", action="store_true",
-                        help="Include passcode in factory data. By default, it is used only for generating Spake2+ verifier.")
     parser.add_argument("--overwrite", action="store_true",
                         help="If output JSON file exist this argument allows to generate new factory data and overwrite it.")
     # Json known-keys values
@@ -497,8 +470,6 @@ def base64_str(s): return base64.b64decode(s)
     optional_arguments.add_argument("--passcode", type=allow_any_int,
                                     help=("[int | hex] Default PASE session passcode. "
                                           "(This is mandatory to generate Spake2+ verifier)."))
-    optional_arguments.add_argument("--spake2_verifier", type=base64_str,
-                                    help="[base64 string] Provide Spake2+ verifier without generating it.")
     optional_arguments.add_argument("--enable_key", type=str,
                                     help=("[hex string] [128-bit hex-encoded] The Enable Key is a 128-bit value that "
                                           "triggers manufacturer-specific action while invoking the TestEventTrigger Command."
diff --git a/scripts/tools/spake2p/spake2p.py b/scripts/tools/spake2p/spake2p.py
@@ -47,7 +47,6 @@ def generate_verifier(passcode: int, salt: bytes, iterations: int) -> bytes:
     w0 = int.from_bytes(ws[:WS_LENGTH], byteorder='big') % NIST256p.order
     w1 = int.from_bytes(ws[WS_LENGTH:], byteorder='big') % NIST256p.order
     L = NIST256p.generator * w1
-
     return w0.to_bytes(NIST256p.baselen, byteorder='big') + L.to_bytes('uncompressed')
 
 
