forked from project-chip/connectedhomeip
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDefaultDeviceAttestationVerifier.h
130 lines (109 loc) · 5.72 KB
/
DefaultDeviceAttestationVerifier.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
/*
*
* Copyright (c) 2021 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <array>
#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
#include <crypto/CHIPCryptoPAL.h>
#include <lib/core/CHIPConfig.h>
#include <lib/core/CHIPError.h>
#include <lib/support/Span.h>
#include <stdlib.h>
namespace chip {
namespace Credentials {
class CsaCdKeysTrustStore : public WellKnownKeysTrustStore
{
public:
CsaCdKeysTrustStore() = default;
virtual ~CsaCdKeysTrustStore() = default;
CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override;
CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override;
CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override;
bool IsCdTestKey(const ByteSpan & kid) const override;
protected:
struct SingleKeyEntry
{
static constexpr size_t kMaxKidSize = 32u;
uint8_t kidBuffer[kMaxKidSize];
size_t kidSize;
Crypto::P256PublicKey publicKey;
ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; }
};
static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS;
std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys;
size_t mNumTrustedKeys = 0;
};
class DefaultDACVerifier : public DeviceAttestationVerifier
{
public:
DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {}
DefaultDACVerifier(const AttestationTrustStore * paaRootStore, DeviceAttestationRevocationDelegate * revocationDelegate) :
mAttestationTrustStore(paaRootStore), mRevocationDelegate(revocationDelegate)
{}
void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
ByteSpan & certDeclBuffer) override;
AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer,
const ByteSpan & firmwareInfo,
const DeviceInfoForAttestation & deviceInfo) override;
CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer,
const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer,
const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
void CheckForRevokedDACChain(const AttestationInfo & info,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
void SetRevocationDelegate(DeviceAttestationRevocationDelegate * revocationDelegate)
{
mRevocationDelegate = revocationDelegate;
}
protected:
DefaultDACVerifier() {}
CsaCdKeysTrustStore mCdKeysTrustStore;
const AttestationTrustStore * mAttestationTrustStore;
DeviceAttestationRevocationDelegate * mRevocationDelegate = nullptr;
};
/**
* @brief Get implementation of a PAA root store containing a basic set of static PAA roots
* sufficient for *testing* only.
*
* WARNING: The PAA list known to this PAA root store is a reduced subset that will likely
* cause users of it to fail attestation procedure in some cases. This is provided
* to support tests and examples, not to be used by real commissioners, as it
* contains several test roots which are not trustworthy for certified product usage.
*
* @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs.
*/
const AttestationTrustStore * GetTestAttestationTrustStore();
/**
* @brief Get a singleton implementation of a sample DAC verifier to validate device
* attestation procedure.
*
* @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by implementation
* of default DeviceAttestationVerifier. Caller must ensure storage is
* always available while the DeviceAttestationVerifier could be used.
*
* @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements.
* This has process lifetime, so the paaRootStore must also have
* process lifetime. In particular, after the first call it's not
* possible to change which AttestationTrustStore is used by this verifier.
*/
DeviceAttestationVerifier *
GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
} // namespace Credentials
} // namespace chip