@@ -392,8 +392,8 @@ DeviceCommissioner::DeviceCommissioner() :
392
392
mOnDeviceConnectionRetryCallback (OnDeviceConnectionRetryFn, this ),
393
393
#endif // CHIP_DEVICE_CONFIG_ENABLE_AUTOMATIC_CASE_RETRIES
394
394
mDeviceAttestationInformationVerificationCallback (OnDeviceAttestationInformationVerification, this ),
395
- mDACChainRevocationStatusVerificationCallback (OnDACChainRevocationStatusVerification , this ),
396
- mDeviceNOCChainCallback (OnDeviceNOCChainGeneration, this ), mSetUpCodePairer (this )
395
+ mDACChainRevocationStatusCallback (OnDACChainRevocationStatus, this ), mDeviceNOCChainCallback (OnDeviceNOCChainGeneration , this ),
396
+ mSetUpCodePairer (this )
397
397
{}
398
398
399
399
CHIP_ERROR DeviceCommissioner::Init (CommissionerInitParams params)
@@ -888,6 +888,8 @@ DeviceCommissioner::ContinueCommissioningAfterDeviceAttestation(DeviceProxy * de
888
888
ChipLogProgress (Controller, " Continuing commissioning after attestation failure for device ID 0x" ChipLogFormatX64,
889
889
ChipLogValueX64 (commissioneeDevice->GetDeviceId ()));
890
890
891
+ mCommissioningDelegate ->BypassDeviceAttestation ();
892
+
891
893
if (attestationResult != AttestationVerificationResult::kSuccess )
892
894
{
893
895
ChipLogError (Controller, " Client selected error: %u for failed 'Attestation Information' for device" ,
@@ -1107,6 +1109,22 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
1107
1109
MATTER_TRACE_SCOPE (" OnDeviceAttestationInformationVerification" , " DeviceCommissioner" );
1108
1110
DeviceCommissioner * commissioner = reinterpret_cast <DeviceCommissioner *>(context);
1109
1111
1112
+ if (commissioner->attestationInformationVerificationResult == AttestationVerificationResult::kNotImplemented )
1113
+ {
1114
+ commissioner->attestationInformationVerificationResult = result;
1115
+ }
1116
+
1117
+ if (commissioner->attestationInformationVerificationResult == AttestationVerificationResult::kSuccess &&
1118
+ commissioner->dacChainRevocationStatusResult == AttestationVerificationResult::kNotImplemented )
1119
+ {
1120
+ // Check for revoked DAC Chain before calling delegate. Enter next stage.
1121
+ return commissioner->CommissioningStageComplete (CHIP_NO_ERROR);
1122
+ }
1123
+
1124
+ result = commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kSuccess
1125
+ ? commissioner->attestationInformationVerificationResult
1126
+ : commissioner->dacChainRevocationStatusResult ;
1127
+
1110
1128
if (!commissioner->mDeviceBeingCommissioned )
1111
1129
{
1112
1130
ChipLogError (Controller, " Device attestation verification result received when we're not commissioning a device" );
@@ -1156,64 +1174,21 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
1156
1174
}
1157
1175
}
1158
1176
1159
- void DeviceCommissioner::OnDACChainRevocationStatusVerification (
1160
- void * context, const Credentials::DeviceAttestationVerifier::AttestationInfo & info, AttestationVerificationResult result)
1177
+ void DeviceCommissioner::OnDACChainRevocationStatus (void * context,
1178
+ const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
1179
+ AttestationVerificationResult result)
1161
1180
{
1162
- MATTER_TRACE_SCOPE (" OnDACChainRevocationStatusVerification " , " DeviceCommissioner" );
1181
+ MATTER_TRACE_SCOPE (" OnDeviceAttestationInformationVerification " , " DeviceCommissioner" );
1163
1182
DeviceCommissioner * commissioner = reinterpret_cast <DeviceCommissioner *>(context);
1164
1183
1165
- if (! commissioner->mDeviceBeingCommissioned )
1184
+ if (commissioner->dacChainRevocationStatusResult == AttestationVerificationResult:: kNotImplemented )
1166
1185
{
1167
- ChipLogError (Controller, " Device attestation verification result received when we're not commissioning a device" );
1168
- return ;
1186
+ commissioner->dacChainRevocationStatusResult = result;
1169
1187
}
1170
1188
1171
- auto & params = commissioner->mDefaultCommissioner ->GetCommissioningParameters ();
1172
- Credentials::DeviceAttestationDelegate * deviceAttestationDelegate = params.GetDeviceAttestationDelegate ();
1173
-
1174
- if (result != AttestationVerificationResult::kSuccess )
1175
- {
1176
- CommissioningDelegate::CommissioningReport report;
1177
- report.Set <AttestationErrorInfo>(result);
1178
- if (result == AttestationVerificationResult::kNotImplemented )
1179
- {
1180
- ChipLogError (Controller,
1181
- " Failed in verifying 'DAC Chain Revocation Status' command received from the device due to default "
1182
- " DeviceAttestationVerifier Class not being overridden by a real implementation." );
1183
- commissioner->CommissioningStageComplete (CHIP_ERROR_NOT_IMPLEMENTED, report);
1184
- return ;
1185
- }
1186
-
1187
- ChipLogError (Controller,
1188
- " Failed in verifying 'DAC Chain Revocation Status' command received from the device: err %hu. Look at "
1189
- " AttestationVerificationResult enum to understand the errors" ,
1190
- static_cast <uint16_t >(result));
1191
- // Go look at AttestationVerificationResult enum in src/credentials/attestation_verifier/DeviceAttestationVerifier.h to
1192
- // understand the errors.
1189
+ VerifyOrReturn (commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kNotImplemented );
1193
1190
1194
- // If a device attestation status delegate is installed, delegate handling of failure to the client and let them decide on
1195
- // whether to proceed further or not.
1196
- if (deviceAttestationDelegate)
1197
- {
1198
- commissioner->ExtendArmFailSafeForDeviceAttestation (info, result);
1199
- }
1200
- else
1201
- {
1202
- commissioner->CommissioningStageComplete (CHIP_ERROR_INTERNAL, report);
1203
- }
1204
- }
1205
- else
1206
- {
1207
- if (deviceAttestationDelegate && deviceAttestationDelegate->ShouldWaitAfterDeviceAttestation ())
1208
- {
1209
- commissioner->ExtendArmFailSafeForDeviceAttestation (info, result);
1210
- }
1211
- else
1212
- {
1213
- ChipLogProgress (Controller, " Successfully validated 'DAC Chain Revocation Status' command received from the device." );
1214
- commissioner->CommissioningStageComplete (CHIP_NO_ERROR);
1215
- }
1216
- }
1191
+ OnDeviceAttestationInformationVerification (context, info, commissioner->dacChainRevocationStatusResult );
1217
1192
}
1218
1193
1219
1194
void DeviceCommissioner::OnArmFailSafeExtendedForDeviceAttestation (
@@ -1363,13 +1338,13 @@ CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const Credentials::Device
1363
1338
}
1364
1339
1365
1340
CHIP_ERROR
1366
- DeviceCommissioner::ValidateDACChainRevocationStatus (const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
1341
+ DeviceCommissioner::CheckForRevokedDACChain (const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
1367
1342
{
1368
- MATTER_TRACE_SCOPE (" ValidateDACChainRevocationStatus " , " DeviceCommissioner" );
1343
+ MATTER_TRACE_SCOPE (" CheckForRevokedDACChain " , " DeviceCommissioner" );
1369
1344
VerifyOrReturnError (mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
1370
1345
VerifyOrReturnError (mDeviceAttestationVerifier != nullptr , CHIP_ERROR_INCORRECT_STATE);
1371
1346
1372
- mDeviceAttestationVerifier ->ValidateDACChainRevocationStatus (info, &mDACChainRevocationStatusVerificationCallback );
1347
+ mDeviceAttestationVerifier ->CheckForRevokedDACChain (info, &mDACChainRevocationStatusCallback );
1373
1348
1374
1349
return CHIP_NO_ERROR;
1375
1350
}
@@ -2971,14 +2946,11 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
2971
2946
}
2972
2947
case CommissioningStage::kAttestationVerification : {
2973
2948
ChipLogProgress (Controller, " Verifying attestation" );
2974
- if (!params.GetAttestationElements ().HasValue () || !params.GetAttestationSignature ().HasValue () ||
2975
- !params.GetAttestationNonce ().HasValue () || !params.GetDAC ().HasValue () || !params.GetPAI ().HasValue () ||
2976
- !params.GetRemoteVendorId ().HasValue () || !params.GetRemoteProductId ().HasValue ())
2977
- {
2978
- ChipLogError (Controller, " Missing attestation information" );
2979
- CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT);
2980
- return ;
2981
- }
2949
+ VerifyOrReturn (IsAttestationInformationMissing (params) == false );
2950
+
2951
+ // Reset results before verifying
2952
+ attestationInformationVerificationResult = AttestationVerificationResult::kNotImplemented ;
2953
+ dacChainRevocationStatusResult = AttestationVerificationResult::kNotImplemented ;
2982
2954
2983
2955
DeviceAttestationVerifier::AttestationInfo info (
2984
2956
params.GetAttestationElements ().Value (),
@@ -2996,25 +2968,18 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
2996
2968
break ;
2997
2969
case CommissioningStage::kAttestationRevocationCheck : {
2998
2970
ChipLogProgress (Controller, " Verifying device's DAC chain revocation status" );
2999
- if (!params.GetAttestationElements ().HasValue () || !params.GetAttestationSignature ().HasValue () ||
3000
- !params.GetAttestationNonce ().HasValue () || !params.GetDAC ().HasValue () || !params.GetPAI ().HasValue () ||
3001
- !params.GetRemoteVendorId ().HasValue () || !params.GetRemoteProductId ().HasValue ())
3002
- {
3003
- ChipLogError (Controller, " Missing attestation certificates" );
3004
- CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT);
3005
- return ;
3006
- }
2971
+ VerifyOrReturn (IsAttestationInformationMissing (params) == false );
3007
2972
3008
2973
DeviceAttestationVerifier::AttestationInfo info (
3009
2974
params.GetAttestationElements ().Value (),
3010
2975
proxy->GetSecureSession ().Value ()->AsSecureSession ()->GetCryptoContext ().GetAttestationChallenge (),
3011
2976
params.GetAttestationSignature ().Value (), params.GetPAI ().Value (), params.GetDAC ().Value (),
3012
2977
params.GetAttestationNonce ().Value (), params.GetRemoteVendorId ().Value (), params.GetRemoteProductId ().Value ());
3013
2978
3014
- if (ValidateDACChainRevocationStatus (info) != CHIP_NO_ERROR)
2979
+ if (CheckForRevokedDACChain (info) != CHIP_NO_ERROR)
3015
2980
{
3016
2981
ChipLogError (Controller, " Error validating device's DAC chain revocation status" );
3017
- CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT );
2982
+ CommissioningStageComplete (CHIP_ERROR_FAILED_DEVICE_ATTESTATION );
3018
2983
return ;
3019
2984
}
3020
2985
}
@@ -3359,6 +3324,20 @@ void DeviceCommissioner::ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device,
3359
3324
}
3360
3325
}
3361
3326
3327
+ bool DeviceCommissioner::IsAttestationInformationMissing (CommissioningParameters & params)
3328
+ {
3329
+ if (!params.GetAttestationElements ().HasValue () || !params.GetAttestationSignature ().HasValue () ||
3330
+ !params.GetAttestationNonce ().HasValue () || !params.GetDAC ().HasValue () || !params.GetPAI ().HasValue () ||
3331
+ !params.GetRemoteVendorId ().HasValue () || !params.GetRemoteProductId ().HasValue ())
3332
+ {
3333
+ ChipLogError (Controller, " Missing attestation information" );
3334
+ CommissioningStageComplete (CHIP_ERROR_INVALID_ARGUMENT);
3335
+ return true ;
3336
+ }
3337
+
3338
+ return false ;
3339
+ }
3340
+
3362
3341
CHIP_ERROR DeviceController::GetCompressedFabricIdBytes (MutableByteSpan & outBytes) const
3363
3342
{
3364
3343
const auto * fabricInfo = GetFabricInfo ();
0 commit comments