@@ -947,7 +947,7 @@ DeviceCommissioner::ContinueCommissioningAfterDeviceAttestation(DeviceProxy * de
947
947
return CHIP_ERROR_INCORRECT_STATE;
948
948
}
949
949
950
- if (mCommissioningStage != CommissioningStage::kAttestationVerification )
950
+ if (mCommissioningStage != CommissioningStage::kAttestationRevocationCheck )
951
951
{
952
952
ChipLogError (Controller, " Commissioning is not attestation verification phase" );
953
953
return CHIP_ERROR_INCORRECT_STATE;
@@ -1175,6 +1175,17 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
1175
1175
MATTER_TRACE_SCOPE (" OnDeviceAttestationInformationVerification" , " DeviceCommissioner" );
1176
1176
DeviceCommissioner * commissioner = reinterpret_cast <DeviceCommissioner *>(context);
1177
1177
1178
+ if (commissioner->mCommissioningStage == CommissioningStage::kAttestationVerification )
1179
+ {
1180
+ // Check for revoked DAC Chain before calling delegate. Enter next stage.
1181
+
1182
+ CommissioningDelegate::CommissioningReport report;
1183
+ report.Set <AttestationErrorInfo>(result);
1184
+
1185
+ return commissioner->CommissioningStageComplete (
1186
+ result == AttestationVerificationResult::kSuccess ? CHIP_NO_ERROR : CHIP_ERROR_INTERNAL, report);
1187
+ }
1188
+
1178
1189
if (!commissioner->mDeviceBeingCommissioned )
1179
1190
{
1180
1191
ChipLogError (Controller, " Device attestation verification result received when we're not commissioning a device" );
@@ -1184,6 +1195,15 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
1184
1195
auto & params = commissioner->mDefaultCommissioner ->GetCommissioningParameters ();
1185
1196
Credentials::DeviceAttestationDelegate * deviceAttestationDelegate = params.GetDeviceAttestationDelegate ();
1186
1197
1198
+ if (params.GetCompletionStatus ().attestationResult .HasValue ())
1199
+ {
1200
+ auto previousResult = params.GetCompletionStatus ().attestationResult .Value ();
1201
+ if (previousResult != AttestationVerificationResult::kSuccess )
1202
+ {
1203
+ result = previousResult;
1204
+ }
1205
+ }
1206
+
1187
1207
if (result != AttestationVerificationResult::kSuccess )
1188
1208
{
1189
1209
CommissioningDelegate::CommissioningReport report;
@@ -1398,6 +1418,18 @@ CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const Credentials::Device
1398
1418
return CHIP_NO_ERROR;
1399
1419
}
1400
1420
1421
+ CHIP_ERROR
1422
+ DeviceCommissioner::CheckForRevokedDACChain (const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
1423
+ {
1424
+ MATTER_TRACE_SCOPE (" CheckForRevokedDACChain" , " DeviceCommissioner" );
1425
+ VerifyOrReturnError (mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
1426
+ VerifyOrReturnError (mDeviceAttestationVerifier != nullptr , CHIP_ERROR_INCORRECT_STATE);
1427
+
1428
+ mDeviceAttestationVerifier ->CheckForRevokedDACChain (info, &mDeviceAttestationInformationVerificationCallback );
1429
+
1430
+ return CHIP_NO_ERROR;
1431
+ }
1432
+
1401
1433
CHIP_ERROR DeviceCommissioner::ValidateCSR (DeviceProxy * proxy, const ByteSpan & NOCSRElements,
1402
1434
const ByteSpan & AttestationSignature, const ByteSpan & dac, const ByteSpan & csrNonce)
1403
1435
{
@@ -3037,9 +3069,7 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
3037
3069
}
3038
3070
case CommissioningStage::kAttestationVerification : {
3039
3071
ChipLogProgress (Controller, " Verifying attestation" );
3040
- if (!params.GetAttestationElements ().HasValue () || !params.GetAttestationSignature ().HasValue () ||
3041
- !params.GetAttestationNonce ().HasValue () || !params.GetDAC ().HasValue () || !params.GetPAI ().HasValue () ||
3042
- !params.GetRemoteVendorId ().HasValue () || !params.GetRemoteProductId ().HasValue ())
3072
+ if (IsAttestationInformationMissing (params))
3043
3073
{
3044
3074
ChipLogError (Controller, " Missing attestation information" );
3045
3075
CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT);
@@ -3055,9 +3085,32 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
3055
3085
if (ValidateAttestationInfo (info) != CHIP_NO_ERROR)
3056
3086
{
3057
3087
ChipLogError (Controller, " Error validating attestation information" );
3088
+ CommissioningStageComplete (CHIP_ERROR_FAILED_DEVICE_ATTESTATION);
3089
+ return ;
3090
+ }
3091
+ }
3092
+ break ;
3093
+ case CommissioningStage::kAttestationRevocationCheck : {
3094
+ ChipLogProgress (Controller, " Verifying device's DAC chain revocation status" );
3095
+ if (IsAttestationInformationMissing (params))
3096
+ {
3097
+ ChipLogError (Controller, " Missing attestation information" );
3058
3098
CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT);
3059
3099
return ;
3060
3100
}
3101
+
3102
+ DeviceAttestationVerifier::AttestationInfo info (
3103
+ params.GetAttestationElements ().Value (),
3104
+ proxy->GetSecureSession ().Value ()->AsSecureSession ()->GetCryptoContext ().GetAttestationChallenge (),
3105
+ params.GetAttestationSignature ().Value (), params.GetPAI ().Value (), params.GetDAC ().Value (),
3106
+ params.GetAttestationNonce ().Value (), params.GetRemoteVendorId ().Value (), params.GetRemoteProductId ().Value ());
3107
+
3108
+ if (CheckForRevokedDACChain (info) != CHIP_NO_ERROR)
3109
+ {
3110
+ ChipLogError (Controller, " Error validating device's DAC chain revocation status" );
3111
+ CommissioningStageComplete (CHIP_ERROR_FAILED_DEVICE_ATTESTATION);
3112
+ return ;
3113
+ }
3061
3114
}
3062
3115
break ;
3063
3116
case CommissioningStage::kSendOpCertSigningRequest : {
@@ -3424,6 +3477,18 @@ void DeviceCommissioner::ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device,
3424
3477
}
3425
3478
}
3426
3479
3480
+ bool DeviceCommissioner::IsAttestationInformationMissing (const CommissioningParameters & params)
3481
+ {
3482
+ if (!params.GetAttestationElements ().HasValue () || !params.GetAttestationSignature ().HasValue () ||
3483
+ !params.GetAttestationNonce ().HasValue () || !params.GetDAC ().HasValue () || !params.GetPAI ().HasValue () ||
3484
+ !params.GetRemoteVendorId ().HasValue () || !params.GetRemoteProductId ().HasValue ())
3485
+ {
3486
+ return true ;
3487
+ }
3488
+
3489
+ return false ;
3490
+ }
3491
+
3427
3492
CHIP_ERROR DeviceController::GetCompressedFabricIdBytes (MutableByteSpan & outBytes) const
3428
3493
{
3429
3494
const auto * fabricInfo = GetFabricInfo ();
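Review bot: In `OnDeviceAttestationInformationVerification`, a verification failure reported during `kAttestationVerification` reaches the later hunk only if `params.GetCompletionStatus().attestationResult` was populated in between. Nothing in the visible hunks sets it, so if the stage-complete handler does not store the report's `AttestationErrorInfo`, a passing revocation check would leave `result` at `kSuccess` and the earlier failure would be dropped. I would state that contract next to the early return, e.g. `// A failed result must be persisted in the completion status; the kAttestationRevocationCheck callback re-applies it before the delegate is consulted.` The early return also maps failure to `CHIP_ERROR_INTERNAL`, while the failure paths added in `PerformCommissioningStep` use `CHIP_ERROR_FAILED_DEVICE_ATTESTATION`; `result == AttestationVerificationResult::kSuccess ? CHIP_NO_ERROR : CHIP_ERROR_FAILED_DEVICE_ATTESTATION, report);` keeps attestation failures distinguishable from internal errors. Separately, the log text in `ContinueCommissioningAfterDeviceAttestation` still names the attestation verification phase although the check now expects `kAttestationRevocationCheck`; both functions begin and end outside the hunks shown.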