Skip to content

Commit dbaf427

Browse files
committed
Fixed issues in revocation check and code cleanup
1 parent de3a253 commit dbaf427

8 files changed

+34
-25
lines changed

src/controller/AutoCommissioner.cpp

+3-4
Original file line numberDiff line numberDiff line change
@@ -389,8 +389,7 @@ CommissioningStage AutoCommissioner::GetNextCommissioningStageInternal(Commissio
389389
case CommissioningStage::kSendAttestationRequest:
390390
return CommissioningStage::kAttestationVerification;
391391
case CommissioningStage::kAttestationVerification:
392-
return mBypassDeviceAttestation ? CommissioningStage::kSendOpCertSigningRequest
393-
: CommissioningStage::kAttestationRevocationCheck;
392+
return CommissioningStage::kAttestationRevocationCheck;
394393
case CommissioningStage::kAttestationRevocationCheck:
395394
return CommissioningStage::kSendOpCertSigningRequest;
396395
case CommissioningStage::kSendOpCertSigningRequest:
@@ -582,7 +581,6 @@ CHIP_ERROR AutoCommissioner::StartCommissioning(DeviceCommissioner * commissione
582581
return CHIP_ERROR_INVALID_ARGUMENT;
583582
}
584583
mStopCommissioning = false;
585-
mBypassDeviceAttestation = false;
586584
mCommissioner = commissioner;
587585
mCommissioneeDeviceProxy = proxy;
588586
mNeedsNetworkSetup =
@@ -697,7 +695,8 @@ CHIP_ERROR AutoCommissioner::CommissioningStepFinished(CHIP_ERROR err, Commissio
697695
"Failed device attestation. Device vendor and/or product ID do not match the IDs expected. "
698696
"Verify DAC certificate chain and certification declaration to ensure spec rules followed.");
699697
}
700-
else if (report.stageCompleted == CommissioningStage::kAttestationVerification)
698+
699+
if (report.stageCompleted == CommissioningStage::kAttestationVerification)
701700
{
702701
ChipLogError(Controller, "Failed verifying attestation information. Now checking DAC chain revoked status.");
703702
// don't error out until we check for DAC chain revocation status

src/controller/AutoCommissioner.h

+1-3
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,6 @@ class AutoCommissioner : public CommissioningDelegate
3838

3939
CHIP_ERROR StartCommissioning(DeviceCommissioner * commissioner, CommissioneeDeviceProxy * proxy) override;
4040
void StopCommissioning() { mStopCommissioning = true; };
41-
void BypassDeviceAttestation() override { mBypassDeviceAttestation = true; }
4241

4342
CHIP_ERROR CommissioningStepFinished(CHIP_ERROR err, CommissioningDelegate::CommissioningReport report) override;
4443

@@ -95,8 +94,7 @@ class AutoCommissioner : public CommissioningDelegate
9594
mDeviceCommissioningInfo.network.thread.endpoint != kInvalidEndpointId));
9695
};
9796

98-
bool mStopCommissioning = false;
99-
bool mBypassDeviceAttestation = false;
97+
bool mStopCommissioning = false;
10098

10199
DeviceCommissioner * mCommissioner = nullptr;
102100
CommissioneeDeviceProxy * mCommissioneeDeviceProxy = nullptr;

src/controller/CHIPDeviceController.cpp

+22-11
Original file line numberDiff line numberDiff line change
@@ -947,8 +947,7 @@ DeviceCommissioner::ContinueCommissioningAfterDeviceAttestation(DeviceProxy * de
947947
return CHIP_ERROR_INCORRECT_STATE;
948948
}
949949

950-
if (mCommissioningStage != CommissioningStage::kAttestationVerification &&
951-
mCommissioningStage != CommissioningStage::kAttestationRevocationCheck)
950+
if (mCommissioningStage != CommissioningStage::kAttestationRevocationCheck)
952951
{
953952
ChipLogError(Controller, "Commissioning is not attestation verification phase");
954953
return CHIP_ERROR_INCORRECT_STATE;
@@ -957,8 +956,6 @@ DeviceCommissioner::ContinueCommissioningAfterDeviceAttestation(DeviceProxy * de
957956
ChipLogProgress(Controller, "Continuing commissioning after attestation failure for device ID 0x" ChipLogFormatX64,
958957
ChipLogValueX64(commissioneeDevice->GetDeviceId()));
959958

960-
mCommissioningDelegate->BypassDeviceAttestation();
961-
962959
if (attestationResult != AttestationVerificationResult::kSuccess)
963960
{
964961
ChipLogError(Controller, "Client selected error: %u for failed 'Attestation Information' for device",
@@ -1198,8 +1195,14 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
11981195
auto & params = commissioner->mDefaultCommissioner->GetCommissioningParameters();
11991196
Credentials::DeviceAttestationDelegate * deviceAttestationDelegate = params.GetDeviceAttestationDelegate();
12001197

1201-
result =
1202-
params.GetCompletionStatus().attestationResult.HasValue() ? params.GetCompletionStatus().attestationResult.Value() : result;
1198+
if (params.GetCompletionStatus().attestationResult.HasValue())
1199+
{
1200+
auto previousResult = params.GetCompletionStatus().attestationResult.Value();
1201+
if (previousResult != AttestationVerificationResult::kSuccess)
1202+
{
1203+
result = previousResult;
1204+
}
1205+
}
12031206

12041207
if (result != AttestationVerificationResult::kSuccess)
12051208
{
@@ -3066,7 +3069,12 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
30663069
}
30673070
case CommissioningStage::kAttestationVerification: {
30683071
ChipLogProgress(Controller, "Verifying attestation");
3069-
VerifyOrReturn(IsAttestationInformationMissing(params) == false);
3072+
if (IsAttestationInformationMissing(params))
3073+
{
3074+
ChipLogError(Controller, "Missing attestation information");
3075+
CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
3076+
return;
3077+
}
30703078

30713079
DeviceAttestationVerifier::AttestationInfo info(
30723080
params.GetAttestationElements().Value(),
@@ -3084,7 +3092,12 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
30843092
break;
30853093
case CommissioningStage::kAttestationRevocationCheck: {
30863094
ChipLogProgress(Controller, "Verifying device's DAC chain revocation status");
3087-
VerifyOrReturn(IsAttestationInformationMissing(params) == false);
3095+
if (IsAttestationInformationMissing(params))
3096+
{
3097+
ChipLogError(Controller, "Missing attestation information");
3098+
CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
3099+
return;
3100+
}
30883101

30893102
DeviceAttestationVerifier::AttestationInfo info(
30903103
params.GetAttestationElements().Value(),
@@ -3464,14 +3477,12 @@ void DeviceCommissioner::ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device,
34643477
}
34653478
}
34663479

3467-
bool DeviceCommissioner::IsAttestationInformationMissing(CommissioningParameters & params)
3480+
bool DeviceCommissioner::IsAttestationInformationMissing(const CommissioningParameters & params)
34683481
{
34693482
if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
34703483
!params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
34713484
!params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
34723485
{
3473-
ChipLogError(Controller, "Missing attestation information");
3474-
CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
34753486
return true;
34763487
}
34773488

src/controller/CHIPDeviceController.h

+1-1
Original file line numberDiff line numberDiff line change
@@ -1061,7 +1061,7 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
10611061
// extend it).
10621062
void ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device, CommissioningParameters & params, CommissioningStage step);
10631063

1064-
bool IsAttestationInformationMissing(CommissioningParameters & params);
1064+
bool IsAttestationInformationMissing(const CommissioningParameters & params);
10651065

10661066
chip::Callback::Callback<OnDeviceConnected> mOnDeviceConnectedCallback;
10671067
chip::Callback::Callback<OnDeviceConnectionFailure> mOnDeviceConnectionFailureCallback;

src/controller/CommissioningDelegate.h

-1
Original file line numberDiff line numberDiff line change
@@ -812,7 +812,6 @@ class CommissioningDelegate
812812
virtual void SetOperationalCredentialsDelegate(OperationalCredentialsDelegate * operationalCredentialsDelegate) = 0;
813813
virtual CHIP_ERROR StartCommissioning(DeviceCommissioner * commissioner, CommissioneeDeviceProxy * proxy) = 0;
814814
virtual CHIP_ERROR CommissioningStepFinished(CHIP_ERROR err, CommissioningReport report) = 0;
815-
virtual void BypassDeviceAttestation() = 0;
816815
};
817816

818817
} // namespace Controller

src/controller/python/OpCredsBinding.cpp

+2
Original file line numberDiff line numberDiff line change
@@ -331,6 +331,8 @@ class TestCommissioner : public chip::Controller::AutoCommissioner
331331
return mNeedsDST && mParams.GetDSTOffsets().HasValue();
332332
case chip::Controller::CommissioningStage::kError:
333333
case chip::Controller::CommissioningStage::kSecurePairing:
334+
// "not valid" because attestation verification always fails after entering revocation check step
335+
case chip::Controller::CommissioningStage::kAttestationVerification:
334336
return false;
335337
default:
336338
return true;

src/controller/python/test/test_scripts/commissioning_failure_test.py

+2-2
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ def main():
9696

9797
# TODO: Start at stage 2 once handling for arming failsafe on pase is done.
9898
if options.report:
99-
for testFailureStage in range(3, 20):
99+
for testFailureStage in range(3, 21):
100100
FailIfNot(test.TestPaseOnly(ip=options.deviceAddress1,
101101
setuppin=20202021,
102102
nodeid=1),
@@ -105,7 +105,7 @@ def main():
105105
"Commissioning failure tests failed for simulated report failure on stage {}".format(testFailureStage))
106106

107107
else:
108-
for testFailureStage in range(3, 20):
108+
for testFailureStage in range(3, 21):
109109
FailIfNot(test.TestPaseOnly(ip=options.deviceAddress1,
110110
setuppin=20202021,
111111
nodeid=1),

src/python_testing/TC_CGEN_2_4.py

+3-3
Original file line numberDiff line numberDiff line change
@@ -34,9 +34,9 @@
3434
kSendPAICertificateRequest = 10
3535
kSendDACCertificateRequest = 11
3636
kSendAttestationRequest = 12
37-
kSendOpCertSigningRequest = 14
38-
kSendTrustedRootCert = 17
39-
kSendNOC = 18
37+
kSendOpCertSigningRequest = 15
38+
kSendTrustedRootCert = 18
39+
kSendNOC = 19
4040

4141

4242
class TC_CGEN_2_4(MatterBaseTest):

0 commit comments

Comments
 (0)