add custom cert support for java controller

Author: yunhanw-google

src/controller/java/AndroidDeviceControllerWrapper.cpp

@@ -40,9 +40,7 @@
 #include <lib/support/TestGroupData.h>
 #include <lib/support/ThreadOperationalDataset.h>
 #include <platform/KeyValueStoreManager.h>
-#ifndef JAVA_MATTER_CONTROLLER_TEST
-#include <platform/android/CHIPP256KeypairBridge.h>
-#endif // JAVA_MATTER_CONTROLLER_TEST
+
 using namespace chip;
 using namespace chip::Controller;
 using namespace chip::Credentials;
@@ -52,13 +50,11 @@ AndroidDeviceControllerWrapper::~AndroidDeviceControllerWrapper()
 {
     mController->Shutdown();
 
-#ifndef JAVA_MATTER_CONTROLLER_TEST
     if (mKeypairBridge != nullptr)
     {
         chip::Platform::Delete(mKeypairBridge);
         mKeypairBridge = nullptr;
     }
-#endif // JAVA_MATTER_CONTROLLER_TEST
 
     if (mDeviceAttestationDelegateBridge != nullptr)
     {
@@ -296,7 +292,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
 
     // The lifetime of the ephemeralKey variable must be kept until SetupParams is saved.
     Crypto::P256Keypair ephemeralKey;
-#ifndef JAVA_MATTER_CONTROLLER_TEST
     if (rootCertificate != nullptr && nodeOperationalCertificate != nullptr && keypairDelegate != nullptr)
     {
         CHIPP256KeypairBridge * nativeKeypairBridge = wrapper->GetP256KeypairBridge();
@@ -333,7 +328,6 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
         setupParams.controllerNOC  = chip::ByteSpan(wrapper->mNocCertificate.data(), wrapper->mNocCertificate.size());
     }
     else
-#endif // JAVA_MATTER_CONTROLLER_TEST
     {
         ChipLogProgress(Controller,
                         "No existing credentials provided: generating ephemeral local NOC chain with OperationalCredentialsIssuer");

src/controller/java/AndroidDeviceControllerWrapper.h

@@ -34,13 +34,12 @@
 #include <crypto/RawKeySessionKeystore.h>
 #include <lib/support/TimeUtils.h>
 #include <platform/internal/DeviceNetworkInfo.h>
-
+#include <controller/java/CHIPP256KeypairBridge.h>
 #ifdef JAVA_MATTER_CONTROLLER_TEST
 #include <controller/ExampleOperationalCredentialsIssuer.h>
 #include <controller/ExamplePersistentStorage.h>
 #else
 #include <platform/android/AndroidChipPlatform-JNI.h>
-#include <platform/android/CHIPP256KeypairBridge.h>
 #endif // JAVA_MATTER_CONTROLLER_TEST
 
 #include "AndroidCheckInDelegate.h"
@@ -71,7 +70,6 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
     jobject JavaObjectRef() { return mJavaObjectRef.ObjectRef(); }
     jlong ToJNIHandle();
 
-#ifndef JAVA_MATTER_CONTROLLER_TEST
     /**
      * Returns a CHIPP256KeypairBridge which can be used to delegate signing operations
      * to a KeypairDelegate in the Java layer. Note that this will always return a pointer
@@ -85,7 +83,6 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
         }
         return mKeypairBridge;
     }
-#endif // JAVA_MATTER_CONTROLLER_TEST
 
     void CallJavaIntMethod(const char * methodName, jint argument);
     void CallJavaLongMethod(const char * methodName, jlong argument);
@@ -231,12 +228,12 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     JavaVM * mJavaVM = nullptr;
     chip::JniGlobalReference mJavaObjectRef;
+    CHIPP256KeypairBridge * mKeypairBridge = nullptr;
 #ifdef JAVA_MATTER_CONTROLLER_TEST
     ExampleOperationalCredentialsIssuerPtr mOpCredsIssuer;
     PersistentStorage mExampleStorage;
 #else
     AndroidOperationalCredentialsIssuerPtr mOpCredsIssuer;
-    CHIPP256KeypairBridge * mKeypairBridge = nullptr;
 #endif // JAVA_MATTER_CONTROLLER_TEST
 
     // These fields allow us to release the string/byte array memory later.

src/controller/java/BUILD.gn

@@ -120,6 +120,8 @@ shared_library("jni") {
   check_includes = false
 
   sources = [
+    "CHIPP256KeypairBridge.cpp",
+    "CHIPP256KeypairBridge.h",
     "AndroidCheckInDelegate.cpp",
     "AndroidCheckInDelegate.h",
     "AndroidClusterExceptions.cpp",

src/controller/java/CHIPP256KeypairBridge.cpp

@@ -0,0 +1,177 @@
+/**
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include "CHIPP256KeypairBridge.h"
+#include "lib/core/CHIPError.h"
+#include "lib/support/CHIPJNIError.h"
+#include "lib/support/JniReferences.h"
+#include "lib/support/JniTypeWrappers.h"
+#include "lib/support/SafeInt.h"
+
+#include <array>
+#include <cstdint>
+#include <cstdlib>
+#include <jni.h>
+#include <string.h>
+#include <type_traits>
+
+using namespace chip;
+using namespace chip::Crypto;
+
+CHIPP256KeypairBridge::~CHIPP256KeypairBridge() {}
+
+CHIP_ERROR CHIPP256KeypairBridge::SetDelegate(jobject delegate)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+
+    JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread();
+    VerifyOrExit(env != nullptr, err = CHIP_JNI_ERROR_NO_ENV);
+    ReturnErrorOnFailure(mDelegate.Init(delegate));
+    jclass keypairDelegateClass;
+    err = JniReferences::GetInstance().GetLocalClassRef(env, "chip/devicecontroller/KeypairDelegate", keypairDelegateClass);
+    VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Failed to find class for KeypairDelegate."));
+    SuccessOrExit(err = mKeypairDelegateClass.Init(static_cast<jobject>(keypairDelegateClass)));
+    err = JniReferences::GetInstance().FindMethod(env, delegate, "createCertificateSigningRequest", "()[B",
+                                                  &mCreateCertificateSigningRequestMethod);
+    VerifyOrExit(err == CHIP_NO_ERROR,
+                 ChipLogError(Controller, "Failed to find KeypairDelegate.createCertificateSigningRequest() method."));
+
+    err = JniReferences::GetInstance().FindMethod(env, delegate, "getPublicKey", "()[B", &mGetPublicKeyMethod);
+    VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Failed to find KeypairDelegate.getPublicKey() method."));
+
+    err = JniReferences::GetInstance().FindMethod(env, delegate, "ecdsaSignMessage", "([B)[B", &mEcdsaSignMessageMethod);
+    VerifyOrExit(err == CHIP_NO_ERROR, ChipLogError(Controller, "Failed to find KeypairDelegate.ecdsaSignMessage() method."));
+
+exit:
+    return err;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::Initialize(ECPKeyTarget key_target)
+{
+    if (HasKeypair())
+    {
+        SetPubkey();
+    }
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::Serialize(P256SerializedKeypair & output) const
+{
+    if (!HasKeypair())
+    {
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::Deserialize(P256SerializedKeypair & input)
+{
+    if (!HasKeypair())
+    {
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const
+{
+    if (!HasKeypair())
+    {
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    // Not supported for use from within the CHIP SDK. We provide our own
+    // implementation that is JVM-specific.
+    return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::ECDSA_sign_msg(const uint8_t * msg, size_t msg_length, P256ECDSASignature & out_signature) const
+{
+    if (!HasKeypair())
+    {
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    VerifyOrReturnError(CanCastTo<uint32_t>(msg_length), CHIP_ERROR_INVALID_ARGUMENT);
+
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    jbyteArray jniMsg;
+    jobject signedResult = nullptr;
+    JNIEnv * env         = JniReferences::GetInstance().GetEnvForCurrentThread();
+    VerifyOrReturnError(env != nullptr, err = CHIP_JNI_ERROR_NO_ENV);
+    err = JniReferences::GetInstance().N2J_ByteArray(env, msg, static_cast<uint32_t>(msg_length), jniMsg);
+    VerifyOrReturnError(err == CHIP_NO_ERROR, err);
+    VerifyOrReturnError(jniMsg != nullptr, err);
+    VerifyOrReturnError(mDelegate.HasValidObjectRef(), CHIP_ERROR_INCORRECT_STATE);
+    signedResult = env->CallObjectMethod(mDelegate.ObjectRef(), mEcdsaSignMessageMethod, jniMsg);
+
+    if (env->ExceptionCheck())
+    {
+        ChipLogError(Controller, "Java exception in KeypairDelegate.ecdsaSignMessage()");
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        return CHIP_JNI_ERROR_EXCEPTION_THROWN;
+    }
+
+    JniByteArray jniSignature(env, static_cast<jbyteArray>(signedResult));
+    MutableByteSpan signatureSpan(out_signature.Bytes(), out_signature.Capacity());
+    ReturnErrorOnFailure(EcdsaAsn1SignatureToRaw(CHIP_CRYPTO_GROUP_SIZE_BYTES, jniSignature.byteSpan(), signatureSpan));
+    ReturnErrorOnFailure(out_signature.SetLength(signatureSpan.size()));
+
+    return err;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::ECDH_derive_secret(const P256PublicKey & remote_public_key,
+                                                     P256ECDHDerivedSecret & out_secret) const
+{
+    if (!HasKeypair())
+    {
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    // Not required for Java SDK.
+    return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
+}
+
+CHIP_ERROR CHIPP256KeypairBridge::SetPubkey()
+{
+    jobject publicKey = nullptr;
+    JNIEnv * env      = nullptr;
+
+    VerifyOrReturnError(HasKeypair(), CHIP_ERROR_INCORRECT_STATE);
+
+    env = JniReferences::GetInstance().GetEnvForCurrentThread();
+    VerifyOrReturnError(env != nullptr, CHIP_JNI_ERROR_NO_ENV);
+    VerifyOrReturnError(mDelegate.HasValidObjectRef(), CHIP_ERROR_INCORRECT_STATE);
+    publicKey = env->CallObjectMethod(mDelegate.ObjectRef(), mGetPublicKeyMethod);
+    if (env->ExceptionCheck())
+    {
+        ChipLogError(Controller, "Java exception in KeypairDelegate.getPublicKey()");
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        return CHIP_JNI_ERROR_EXCEPTION_THROWN;
+    }
+
+    VerifyOrReturnError(publicKey != nullptr, CHIP_JNI_ERROR_NULL_OBJECT);
+    JniByteArray jniPublicKey(env, static_cast<jbyteArray>(publicKey));
+    FixedByteSpan<Crypto::kP256_PublicKey_Length> publicKeySpan =
+        FixedByteSpan<kP256_PublicKey_Length>(reinterpret_cast<const uint8_t *>(jniPublicKey.data()));
+    mPublicKey = P256PublicKey(publicKeySpan);
+    return CHIP_NO_ERROR;
+}

src/controller/java/CHIPP256KeypairBridge.h

@@ -0,0 +1,73 @@
+/**
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include "crypto/CHIPCryptoPAL.h"
+#include "lib/core/CHIPError.h"
+#include "lib/support/JniReferences.h"
+#include "lib/support/logging/CHIPLogging.h"
+#include <jni.h>
+
+/**
+ * Bridging implementation of P256Keypair to allow delegation of signing and
+ * key generation to the JVM layer (through the KeypairDelegate Java interface).
+ *
+ * This implementation explicitly does not support serialization or
+ * deserialization and will always return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE if
+ * either of them are invoked (as this bridge is not expected to ever have
+ * access to the raw key bits).
+ */
+class CHIPP256KeypairBridge : public chip::Crypto::P256Keypair
+{
+public:
+    ~CHIPP256KeypairBridge() override;
+
+    /**
+     * Sets a reference to the Java implementation of the KeypairDelegate
+     * interface that will be called whenever this P256Keypair is used.
+     */
+    CHIP_ERROR SetDelegate(jobject delegate);
+
+    bool HasKeypair() const { return mDelegate.HasValidObjectRef(); }
+
+    CHIP_ERROR Initialize(chip::Crypto::ECPKeyTarget key_target) override;
+
+    CHIP_ERROR Serialize(chip::Crypto::P256SerializedKeypair & output) const override;
+
+    CHIP_ERROR Deserialize(chip::Crypto::P256SerializedKeypair & input) override;
+
+    CHIP_ERROR NewCertificateSigningRequest(uint8_t * csr, size_t & csr_length) const override;
+
+    CHIP_ERROR ECDSA_sign_msg(const uint8_t * msg, size_t msg_length,
+                              chip::Crypto::P256ECDSASignature & out_signature) const override;
+
+    CHIP_ERROR ECDH_derive_secret(const chip::Crypto::P256PublicKey & remote_public_key,
+                                  chip::Crypto::P256ECDHDerivedSecret & out_secret) const override;
+
+    const chip::Crypto::P256PublicKey & Pubkey() const override { return mPublicKey; };
+
+private:
+    chip::JniGlobalReference mDelegate;
+    chip::JniGlobalReference mKeypairDelegateClass;
+    jmethodID mGetPublicKeyMethod;
+    jmethodID mCreateCertificateSigningRequestMethod;
+    jmethodID mEcdsaSignMessageMethod;
+
+    chip::Crypto::P256PublicKey mPublicKey;
+
+    CHIP_ERROR SetPubkey();
+};

src/platform/android/BUILD.gn

@@ -51,8 +51,6 @@ static_library("android") {
     "BleConnectCallback-JNI.cpp",
     "BlePlatformConfig.h",
     "CHIPDevicePlatformEvent.h",
-    "CHIPP256KeypairBridge.cpp",
-    "CHIPP256KeypairBridge.h",
     "CommissionableDataProviderImpl.cpp",
     "CommissionableDataProviderImpl.h",
     "ConfigurationManagerImpl.cpp",