forked from project-chip/connectedhomeip
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathMTRDeviceControllerStartupParams.h
290 lines (263 loc) · 11.9 KB
/
MTRDeviceControllerStartupParams.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
/**
* Copyright (c) 2022-2023 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#import <Foundation/Foundation.h>
#import <Matter/MTRCertificates.h>
#import <Matter/MTRDefines.h>
#import <Matter/MTROperationalCertificateIssuer.h>
NS_ASSUME_NONNULL_BEGIN
@protocol MTRKeypair;
MTR_AVAILABLE(ios(16.1), macos(13.0), watchos(9.1), tvos(16.1))
@interface MTRDeviceControllerStartupParams : NSObject
- (instancetype)init NS_UNAVAILABLE;
+ (instancetype)new NS_UNAVAILABLE;
/**
* Prepare to initialize a controller given a keypair to use for signing
* operational certificates.
*
* A controller created from MTRDeviceControllerStartupParams initialized with
* this method will be able to issue operational certificates to devices it
* commissions, using nocSigner to sign them.
* @param ipk The Identity Protection Key, must be 16 bytes in length
* @param fabricID The fabric identifier, must be non-zero.
*/
- (instancetype)initWithIPK:(NSData *)ipk
fabricID:(NSNumber *)fabricID
nocSigner:(id<MTRKeypair>)nocSigner MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* Prepare to initialize a controller that is not able to sign operational
* certificates itself, and therefore needs to be provided with a complete
* operational certificate chain. This initialization method should be used
* when none of the certificate-signing private keys are available locally.
*
* A controller created from MTRDeviceControllerStartupParams initialized with
* this method will not be able to commission devices unless
* operationalCertificateIssuer and operationalCertificateIssuerQueue are set.
*
* The fabric id and node id to use for the controller will be derived from the provided
* operationalCertificate.
*
* @param ipk The Identity Protection Key, must be 16 bytes in length
* @param intermediateCertificate may be nil if operationalCertificate is directly signed by rootCertificate.
*/
- (instancetype)initWithIPK:(NSData *)ipk
operationalKeypair:(id<MTRKeypair>)operationalKeypair
operationalCertificate:(MTRCertificateDERBytes)operationalCertificate
intermediateCertificate:(MTRCertificateDERBytes _Nullable)intermediateCertificate
rootCertificate:(MTRCertificateDERBytes)rootCertificate MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* Keypair used to sign operational certificates. This is the root CA keypair
* if not using an intermediate CA, the intermediate CA's keypair otherwise.
*
* Allowed to be nil if this controller will not be issuing internally-generated
* operational certificates. In that case, the MTRDeviceControllerStartupParams
* object must be initialized using
* initWithIPK:operationalKeypair:operationalCertificate:intermediateCertificate:rootCertificate:
* (to provide the operational credentials for t2he controller itself).
*/
@property (nonatomic, copy, readonly, nullable) id<MTRKeypair> nocSigner;
/**
* Fabric id for the controller. Must be set to a nonzero value. This is
* scoped by the root public key, which is determined as follows:
*
* * If a root certificate is provided, it is the public key of the root
* certificate.
*
* * If a root certificate is not provided, the root public key is the public
* key of the nocSigner keypair, since in this case we are not using an
* intermediate certificate.
*/
@property (nonatomic, copy, readonly) NSNumber * fabricID MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* IPK to use for the controller's fabric. Allowed to change from the last time
* a controller was started on this fabric if a new IPK has been distributed to
* all the devices the controller wants to interact with.
*/
@property (nonatomic, copy, readonly) NSData * ipk;
/**
* Vendor ID (allocated by the Connectivity Standards Alliance) for
* this controller.
*
* If not nil, must not be the "standard" vendor id (0).
*
* When creating a new fabric:
*
* * Must not be nil.
*
* When using an existing fabric:
*
* * Will override existing value if not nil. Otherwise existing value will be
* used.
*/
@property (nonatomic, copy, nullable) NSNumber * vendorID MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* Node id for this controller.
*
* If operationalCertificate is not nil, must be nil. The provided operational
* certificate will be used as-is.
*
* If not nil, must be a valid Matter operational node id.
*
* If operationalCertificate is nil, nodeID and operationalKeypair are used to
* determine an operational certificate, as follows:
*
* * When creating a new fabric:
*
* ** nodeID is allowed to be nil to indicate that a random node id should be
* generated.
*
* * When using an existing fabric:
*
* ** nodeID is allowed to be nil to indicate that the existing operational node
* id should be used. The existing operational keys will also be used,
* unless operationalKeypair is provided. The existing caseAuthenticatedTags
* will be used.
*
* ** If nodeID is not nil, a new operational certificate will be generated for
* the provided node id (even if that matches the existing node id), using
* either the operationalKeypair if that is provided or a new randomly
* generated operational key, and using the provided caseAuthenticatedTags.
*/
@property (nonatomic, copy, nullable) NSNumber * nodeID MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* CASE authenticated tags to use for this controller's operational certificate.
*
* Only allowed to be not nil if nodeID is not nil. In particular, if
* operationalCertificate is not nil, must be nil. The provided operational
* certificate will be used as-is.
*
* If not nil, must contain at most 3 numbers, which are expected to be 32-bit
* unsigned Case Authenticated Tag values.
*/
@property (nonatomic, copy, nullable)
NSSet<NSNumber *> * caseAuthenticatedTags MTR_AVAILABLE(ios(17.0), macos(14.0), watchos(10.0), tvos(17.0));
/**
* Root certificate, in X.509 DER form, to use.
*
* Must not be nil if an intermediate CA is being used, to allow determination
* of the root public key.
*
* If not nil, and if an intermediate CA is not being used, the public key of
* this certificate must match the public key of nocSigner, if nocSigner is not
* nil.
*
* When creating a new fabric:
*
* * May be nil if nocSigner is not nil and an intermediate CA is not being
* used. In that case the nocSigner keypair, which is the keypair for the
* root certificate, will be used to generate and sign a root certificate,
* with a random issuer id. In this case, the fabricID will be included in
* the root certificate's subject DN.
*
* When using an existing fabric:
*
* * May be nil if nocSigner is not nil and an intermediate CA is not being
* used. In that case, the existing root certificate for the fabric will be
* used.
*
* * If not nil must satisfy the following properties:
*
* 1) The public key must match the public key of the existing root
* certificate.
* 2) The subject DN must match the subject DN of the existing root
* certificate.
*/
@property (nonatomic, copy, nullable) MTRCertificateDERBytes rootCertificate;
/**
* Intermediate certificate, in X.509 DER form, to use.
*
* If not nil, rootCertificate must not be nil, and the intermediate certificate
* must be signed by rootCertificate.
*
* If not nil, and nocSigner is not nil, the public key of this certificate must
* match the public key of nocSigner.
*
* When creating a new fabric:
*
* * Must not be nil if an intermediate CA is being used.
*
* * Must be nil if an intermediate CA is not being used.
*
* When using an existing fabric:
*
* * If not nil, will be used as the intermediate certificate for issuing
* operational certificates.
*
* * If nil:
*
* * If nocSigner is not nil, there is an existing intermediate certificate,
* and it matches the nocSigner public key, the existing intermediate
* certificate will be used.
*
* * Otherwise the fabric will not use an intermediate certificate. This
* allows switching from using an intermediate CA to not using one.
*
*/
@property (nonatomic, copy, nullable) MTRCertificateDERBytes intermediateCertificate;
/**
* Operational certificate, in X.509 DER form, to use.
*
* If not nil, will be used as the operational certificate. In this case
* operationalKeypair must not be nil.
*
* If nil, an operational certificate will be determined as described in the
* documentation for nodeID.
*/
@property (nonatomic, copy, readonly, nullable) MTRCertificateDERBytes operationalCertificate;
/**
* Operational keypair to use. If operationalCertificate is not nil, the public
* key must match operationalCertificate.
*
* If not nil, and if operationalCertificate is nil, a new operational
* certificate will be generated for the given operationalKeypair. The node id
* for that certificate will be determined as described in the documentation for
* nodeID.
*/
@property (nonatomic, strong, nullable) id<MTRKeypair> operationalKeypair;
/**
* The certificate issuer delegate to use for issuing operational certificates
* when commmissioning devices. Allowed to be nil if this controller either
* does not issue operational certificates at all or internally generates the
* certificates to be issued. In the latter case, nocSigner must not be nil.
*/
@property (nonatomic, strong, nullable) id<MTROperationalCertificateIssuer> operationalCertificateIssuer MTR_AVAILABLE(
ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
/**
* The dispatch queue on which operationalCertificateIssuer should be called.
* Allowed to be nil if and only if operationalCertificateIssuer is nil.
*/
@property (nonatomic, strong, nullable)
dispatch_queue_t operationalCertificateIssuerQueue MTR_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
@end
@interface MTRDeviceControllerStartupParams (Deprecated)
@property (nonatomic, assign, readonly) uint64_t fabricId MTR_DEPRECATED(
"Please use fabricID", ios(16.1, 16.4), macos(13.0, 13.3), watchos(9.1, 9.4), tvos(16.1, 16.4));
@property (nonatomic, copy, nullable) NSNumber * vendorId MTR_DEPRECATED(
"Please use vendorID", ios(16.1, 16.4), macos(13.0, 13.3), watchos(9.1, 9.4), tvos(16.1, 16.4));
@property (nonatomic, copy, nullable)
NSNumber * nodeId MTR_DEPRECATED("Please use nodeID", ios(16.1, 16.4), macos(13.0, 13.3), watchos(9.1, 9.4), tvos(16.1, 16.4));
- (instancetype)initWithSigningKeypair:(id<MTRKeypair>)nocSigner
fabricId:(uint64_t)fabricId
ipk:(NSData *)ipk MTR_DEPRECATED("Please use initWithIPK:fabricID:nocSigner:", ios(16.1, 16.4),
macos(13.0, 13.3), watchos(9.1, 9.4), tvos(16.1, 16.4));
- (instancetype)initWithOperationalKeypair:(id<MTRKeypair>)operationalKeypair
operationalCertificate:(MTRCertificateDERBytes)operationalCertificate
intermediateCertificate:(MTRCertificateDERBytes _Nullable)intermediateCertificate
rootCertificate:(MTRCertificateDERBytes)rootCertificate
ipk:(NSData *)ipk
MTR_DEPRECATED("Please use initWithIPK:operationalKeypair:operationalCertificate:intermediateCertificate:rootCertificate:",
ios(16.1, 16.4), macos(13.0, 13.3), watchos(9.1, 9.4), tvos(16.1, 16.4));
@end
NS_ASSUME_NONNULL_END