Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021-2022 Project CHIP Authors
4 : * All rights reserved.
5 : *
6 : * Licensed under the Apache License, Version 2.0 (the "License");
7 : * you may not use this file except in compliance with the License.
8 : * You may obtain a copy of the License at
9 : *
10 : * http://www.apache.org/licenses/LICENSE-2.0
11 : *
12 : * Unless required by applicable law or agreed to in writing, software
13 : * distributed under the License is distributed on an "AS IS" BASIS,
14 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 : * See the License for the specific language governing permissions and
16 : * limitations under the License.
17 : */
18 :
19 : #include <algorithm>
20 : #include <controller/ExampleOperationalCredentialsIssuer.h>
21 : #include <credentials/CHIPCert.h>
22 : #include <lib/core/TLV.h>
23 : #include <lib/support/CHIPMem.h>
24 : #include <lib/support/CodeUtils.h>
25 : #include <lib/support/PersistentStorageMacros.h>
26 : #include <lib/support/SafeInt.h>
27 : #include <lib/support/ScopedBuffer.h>
28 : #include <lib/support/TestGroupData.h>
29 :
30 : namespace chip {
31 : namespace Controller {
32 :
33 : constexpr char kOperationalCredentialsIssuerKeypairStorage[] = "ExampleOpCredsCAKey";
34 : constexpr char kOperationalCredentialsIntermediateIssuerKeypairStorage[] = "ExampleOpCredsICAKey";
35 : constexpr char kOperationalCredentialsRootCertificateStorage[] = "ExampleCARootCert";
36 : constexpr char kOperationalCredentialsIntermediateCertificateStorage[] = "ExampleCAIntermediateCert";
37 :
38 : using namespace Credentials;
39 : using namespace Crypto;
40 : using namespace TLV;
41 :
42 : namespace {
43 :
44 : enum CertType : uint8_t
45 : {
46 : kRcac = 0,
47 : kIcac = 1,
48 : kNoc = 2
49 : };
50 :
51 6 : CHIP_ERROR IssueX509Cert(uint32_t now, uint32_t validity, ChipDN issuerDn, ChipDN desiredDn, CertType certType, bool maximizeSize,
52 : const Crypto::P256PublicKey & subjectPublicKey, Crypto::P256Keypair & issuerKeypair,
53 : MutableByteSpan & outX509Cert)
54 : {
55 6 : constexpr size_t kDERCertFutureExtEncodingOverhead = 12;
56 6 : constexpr size_t kTLVCertFutureExtEncodingOverhead = kDERCertFutureExtEncodingOverhead + 5;
57 6 : constexpr size_t kMaxCertPaddingLength = 200;
58 6 : constexpr size_t kTLVDesiredSize = kMaxCHIPCertLength;
59 6 : constexpr uint8_t sOID_Extension_SubjectAltName[] = { 0x55, 0x1d, 0x11 };
60 :
61 6 : Platform::ScopedMemoryBuffer<uint8_t> derBuf;
62 6 : VerifyOrReturnError(derBuf.Alloc(kMaxDERCertLength), CHIP_ERROR_NO_MEMORY);
63 6 : MutableByteSpan derSpan{ derBuf.Get(), kMaxDERCertLength };
64 :
65 6 : int64_t serialNumber = 1;
66 :
67 6 : switch (certType)
68 : {
69 2 : case CertType::kRcac: {
70 2 : X509CertRequestParams rcacRequest = { serialNumber, now, now + validity, desiredDn, desiredDn };
71 2 : ReturnErrorOnFailure(NewRootX509Cert(rcacRequest, issuerKeypair, derSpan));
72 2 : break;
73 2 : }
74 2 : case CertType::kIcac: {
75 2 : X509CertRequestParams icacRequest = { serialNumber, now, now + validity, desiredDn, issuerDn };
76 2 : ReturnErrorOnFailure(NewICAX509Cert(icacRequest, subjectPublicKey, issuerKeypair, derSpan));
77 2 : break;
78 2 : }
79 2 : case CertType::kNoc: {
80 2 : X509CertRequestParams nocRequest = { serialNumber, now, now + validity, desiredDn, issuerDn };
81 2 : ReturnErrorOnFailure(NewNodeOperationalX509Cert(nocRequest, subjectPublicKey, issuerKeypair, derSpan));
82 2 : break;
83 2 : }
84 0 : default:
85 0 : return CHIP_ERROR_INVALID_ARGUMENT;
86 : }
87 :
88 6 : if (maximizeSize)
89 : {
90 3 : Platform::ScopedMemoryBuffer<uint8_t> paddedTlvBuf;
91 3 : VerifyOrReturnError(paddedTlvBuf.Alloc(kMaxCHIPCertLength + kMaxCertPaddingLength), CHIP_ERROR_NO_MEMORY);
92 3 : MutableByteSpan paddedTlvSpan{ paddedTlvBuf.Get(), kMaxCHIPCertLength + kMaxCertPaddingLength };
93 3 : ReturnErrorOnFailure(ConvertX509CertToChipCert(derSpan, paddedTlvSpan));
94 :
95 3 : Platform::ScopedMemoryBuffer<uint8_t> paddedDerBuf;
96 3 : VerifyOrReturnError(paddedDerBuf.Alloc(kMaxDERCertLength + kMaxCertPaddingLength), CHIP_ERROR_NO_MEMORY);
97 3 : MutableByteSpan paddedDerSpan{ paddedDerBuf.Get(), kMaxDERCertLength + kMaxCertPaddingLength };
98 :
99 3 : Platform::ScopedMemoryBuffer<char> fillerBuf;
100 3 : VerifyOrReturnError(fillerBuf.Alloc(kMaxCertPaddingLength), CHIP_ERROR_NO_MEMORY);
101 3 : memset(fillerBuf.Get(), 'A', kMaxCertPaddingLength);
102 :
103 3 : int derPaddingLen = static_cast<int>(kMaxDERCertLength - kDERCertFutureExtEncodingOverhead - derSpan.size());
104 3 : int tlvPaddingLen = static_cast<int>(kTLVDesiredSize - kTLVCertFutureExtEncodingOverhead - paddedTlvSpan.size());
105 3 : size_t paddingLen = 0;
106 3 : if (derPaddingLen >= 1 && tlvPaddingLen >= 1)
107 : {
108 3 : paddingLen = std::min(static_cast<size_t>(std::min(derPaddingLen, tlvPaddingLen)), kMaxCertPaddingLength);
109 : }
110 :
111 3 : for (; paddingLen > 0; paddingLen--)
112 : {
113 3 : paddedDerSpan = MutableByteSpan{ paddedDerBuf.Get(), kMaxDERCertLength + kMaxCertPaddingLength };
114 3 : paddedTlvSpan = MutableByteSpan{ paddedTlvBuf.Get(), kMaxCHIPCertLength + kMaxCertPaddingLength };
115 :
116 3 : Optional<FutureExtension> futureExt;
117 : FutureExtension ext = { ByteSpan(sOID_Extension_SubjectAltName),
118 3 : ByteSpan(reinterpret_cast<uint8_t *>(fillerBuf.Get()), paddingLen) };
119 3 : futureExt.SetValue(ext);
120 :
121 3 : switch (certType)
122 : {
123 1 : case CertType::kRcac: {
124 1 : X509CertRequestParams rcacRequest = { serialNumber, now, now + validity, desiredDn, desiredDn, futureExt };
125 1 : ReturnErrorOnFailure(NewRootX509Cert(rcacRequest, issuerKeypair, paddedDerSpan));
126 1 : break;
127 1 : }
128 1 : case CertType::kIcac: {
129 1 : X509CertRequestParams icacRequest = { serialNumber, now, now + validity, desiredDn, issuerDn, futureExt };
130 1 : ReturnErrorOnFailure(NewICAX509Cert(icacRequest, subjectPublicKey, issuerKeypair, paddedDerSpan));
131 1 : break;
132 1 : }
133 1 : case CertType::kNoc: {
134 1 : X509CertRequestParams nocRequest = { serialNumber, now, now + validity, desiredDn, issuerDn, futureExt };
135 1 : ReturnErrorOnFailure(NewNodeOperationalX509Cert(nocRequest, subjectPublicKey, issuerKeypair, paddedDerSpan));
136 1 : break;
137 1 : }
138 0 : default:
139 0 : return CHIP_ERROR_INVALID_ARGUMENT;
140 : }
141 :
142 3 : ReturnErrorOnFailure(ConvertX509CertToChipCert(paddedDerSpan, paddedTlvSpan));
143 :
144 3 : if (paddedDerSpan.size() <= kMaxDERCertLength && paddedTlvSpan.size() <= kMaxCHIPCertLength)
145 : {
146 3 : ChipLogProgress(Controller, "Generated maximized certificate with %u DER bytes, %u TLV bytes",
147 : static_cast<unsigned>(paddedDerSpan.size()), static_cast<unsigned>(paddedTlvSpan.size()));
148 3 : return CopySpanToMutableSpan(paddedDerSpan, outX509Cert);
149 : }
150 : }
151 9 : }
152 :
153 3 : return CopySpanToMutableSpan(derSpan, outX509Cert);
154 6 : }
155 :
156 : } // namespace
157 :
158 2 : CHIP_ERROR ExampleOperationalCredentialsIssuer::Initialize(PersistentStorageDelegate & storage)
159 : {
160 : using namespace ASN1;
161 : ASN1UniversalTime effectiveTime;
162 : CHIP_ERROR err;
163 :
164 : // Initializing the default start validity to start of 2021. The default validity duration is 10 years.
165 2 : CHIP_ZERO_AT(effectiveTime);
166 2 : effectiveTime.Year = 2021;
167 2 : effectiveTime.Month = 1;
168 2 : effectiveTime.Day = 1;
169 2 : ReturnErrorOnFailure(ASN1ToChipEpochTime(effectiveTime, mNow));
170 :
171 2 : Crypto::P256SerializedKeypair serializedKey;
172 : {
173 : // Scope for keySize, because we use it as an in/out param.
174 2 : uint16_t keySize = static_cast<uint16_t>(serializedKey.Capacity());
175 :
176 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIssuerKeypairStorage, key,
177 : err = storage.SyncGetKeyValue(key, serializedKey.Bytes(), keySize));
178 2 : serializedKey.SetLength(keySize);
179 : }
180 :
181 2 : if (err != CHIP_NO_ERROR)
182 : {
183 2 : ChipLogProgress(Controller, "Couldn't get %s from storage: %s", kOperationalCredentialsIssuerKeypairStorage, ErrorStr(err));
184 : // Storage doesn't have an existing keypair. Let's create one and add it to the storage.
185 2 : ReturnErrorOnFailure(mRootIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
186 2 : ReturnErrorOnFailure(mRootIssuer.Serialize(serializedKey));
187 :
188 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIssuerKeypairStorage, key,
189 : ReturnErrorOnFailure(
190 : storage.SyncSetKeyValue(key, serializedKey.Bytes(), static_cast<uint16_t>(serializedKey.Length()))));
191 : }
192 : else
193 : {
194 : // Use the keypair from the storage
195 0 : ReturnErrorOnFailure(mRootIssuer.Deserialize(serializedKey));
196 : }
197 :
198 : {
199 : // Scope for keySize, because we use it as an in/out param.
200 2 : uint16_t keySize = static_cast<uint16_t>(serializedKey.Capacity());
201 :
202 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIntermediateIssuerKeypairStorage, key,
203 : err = storage.SyncGetKeyValue(key, serializedKey.Bytes(), keySize));
204 2 : serializedKey.SetLength(keySize);
205 : }
206 :
207 2 : if (err != CHIP_NO_ERROR)
208 : {
209 2 : ChipLogProgress(Controller, "Couldn't get %s from storage: %s", kOperationalCredentialsIntermediateIssuerKeypairStorage,
210 : ErrorStr(err));
211 : // Storage doesn't have an existing keypair. Let's create one and add it to the storage.
212 2 : ReturnErrorOnFailure(mIntermediateIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
213 2 : ReturnErrorOnFailure(mIntermediateIssuer.Serialize(serializedKey));
214 :
215 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIntermediateIssuerKeypairStorage, key,
216 : ReturnErrorOnFailure(
217 : storage.SyncSetKeyValue(key, serializedKey.Bytes(), static_cast<uint16_t>(serializedKey.Length()))));
218 : }
219 : else
220 : {
221 : // Use the keypair from the storage
222 0 : ReturnErrorOnFailure(mIntermediateIssuer.Deserialize(serializedKey));
223 : }
224 :
225 2 : mStorage = &storage;
226 2 : mInitialized = true;
227 2 : return CHIP_NO_ERROR;
228 2 : }
229 :
230 2 : CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(NodeId nodeId, FabricId fabricId,
231 : const CATValues & cats,
232 : const Crypto::P256PublicKey & pubkey,
233 : MutableByteSpan & rcac, MutableByteSpan & icac,
234 : MutableByteSpan & noc)
235 : {
236 2 : ChipDN rcac_dn;
237 2 : CHIP_ERROR err = CHIP_NO_ERROR;
238 2 : uint16_t rcacBufLen = static_cast<uint16_t>(std::min(rcac.size(), static_cast<size_t>(UINT16_MAX)));
239 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsRootCertificateStorage, key,
240 : err = mStorage->SyncGetKeyValue(key, rcac.data(), rcacBufLen));
241 : // Always regenerate RCAC on maximally sized certs. The keys remain the same, so everything is fine.
242 2 : if (mUseMaximallySizedCerts)
243 : {
244 1 : err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND;
245 : }
246 :
247 2 : if (err == CHIP_NO_ERROR)
248 : {
249 : uint64_t rcacId;
250 : // Found root certificate in the storage.
251 0 : rcac.reduce_size(rcacBufLen);
252 0 : ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
253 0 : ReturnErrorOnFailure(rcac_dn.GetCertChipId(rcacId));
254 0 : VerifyOrReturnError(rcacId == mRootIssuerId, CHIP_ERROR_INTERNAL);
255 : }
256 : // If root certificate not found in the storage, generate new root certificate.
257 : else
258 : {
259 2 : ReturnErrorOnFailure(rcac_dn.AddAttribute_MatterRCACId(mRootIssuerId));
260 :
261 2 : ChipLogProgress(Controller, "Generating RCAC");
262 2 : ReturnErrorOnFailure(IssueX509Cert(mNow, mValidity, rcac_dn, rcac_dn, CertType::kRcac, mUseMaximallySizedCerts,
263 : mRootIssuer.Pubkey(), mRootIssuer, rcac));
264 2 : VerifyOrReturnError(CanCastTo<uint16_t>(rcac.size()), CHIP_ERROR_INTERNAL);
265 :
266 : // Re-extract DN based on final generated cert
267 2 : rcac_dn = ChipDN{};
268 2 : ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
269 :
270 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsRootCertificateStorage, key,
271 : ReturnErrorOnFailure(mStorage->SyncSetKeyValue(key, rcac.data(), static_cast<uint16_t>(rcac.size()))));
272 : }
273 :
274 2 : ChipDN icac_dn;
275 2 : uint16_t icacBufLen = static_cast<uint16_t>(std::min(icac.size(), static_cast<size_t>(UINT16_MAX)));
276 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIntermediateCertificateStorage, key,
277 : err = mStorage->SyncGetKeyValue(key, icac.data(), icacBufLen));
278 : // Always regenerate ICAC on maximally sized certs. The keys remain the same, so everything is fine.
279 2 : if (mUseMaximallySizedCerts)
280 : {
281 1 : err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND;
282 : }
283 2 : if (err == CHIP_NO_ERROR)
284 : {
285 : uint64_t icacId;
286 : // Found intermediate certificate in the storage.
287 0 : icac.reduce_size(icacBufLen);
288 0 : ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(icac, icac_dn));
289 0 : ReturnErrorOnFailure(icac_dn.GetCertChipId(icacId));
290 0 : VerifyOrReturnError(icacId == mIntermediateIssuerId, CHIP_ERROR_INTERNAL);
291 : }
292 : // If intermediate certificate not found in the storage, generate new intermediate certificate.
293 : else
294 : {
295 2 : ReturnErrorOnFailure(icac_dn.AddAttribute_MatterICACId(mIntermediateIssuerId));
296 :
297 2 : ChipLogProgress(Controller, "Generating ICAC");
298 2 : ReturnErrorOnFailure(IssueX509Cert(mNow, mValidity, rcac_dn, icac_dn, CertType::kIcac, mUseMaximallySizedCerts,
299 : mIntermediateIssuer.Pubkey(), mRootIssuer, icac));
300 2 : VerifyOrReturnError(CanCastTo<uint16_t>(icac.size()), CHIP_ERROR_INTERNAL);
301 :
302 : // Re-extract DN based on final generated cert
303 2 : icac_dn = ChipDN{};
304 2 : ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(icac, icac_dn));
305 :
306 2 : PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIntermediateCertificateStorage, key,
307 : ReturnErrorOnFailure(mStorage->SyncSetKeyValue(key, icac.data(), static_cast<uint16_t>(icac.size()))));
308 : }
309 :
310 2 : ChipDN noc_dn;
311 2 : ReturnErrorOnFailure(noc_dn.AddAttribute_MatterFabricId(fabricId));
312 2 : ReturnErrorOnFailure(noc_dn.AddAttribute_MatterNodeId(nodeId));
313 2 : ReturnErrorOnFailure(noc_dn.AddCATs(cats));
314 :
315 2 : ChipLogProgress(Controller, "Generating NOC");
316 2 : if (mAlwaysOmitIcac)
317 : {
318 0 : icac.reduce_size(0);
319 0 : err = IssueX509Cert(mNow, mValidity, rcac_dn, noc_dn, CertType::kNoc, mUseMaximallySizedCerts, pubkey, mRootIssuer, noc);
320 : }
321 : else
322 : {
323 2 : err = IssueX509Cert(mNow, mValidity, icac_dn, noc_dn, CertType::kNoc, mUseMaximallySizedCerts, pubkey, mIntermediateIssuer,
324 : noc);
325 : }
326 :
327 2 : if (err != CHIP_NO_ERROR)
328 : {
329 0 : ChipLogError(Controller, "Failed to Generate NOC: %" CHIP_ERROR_FORMAT, err.Format());
330 : }
331 2 : return err;
332 2 : }
333 :
334 0 : CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
335 : const ByteSpan & attestationSignature,
336 : const ByteSpan & attestationChallenge, const ByteSpan & DAC,
337 : const ByteSpan & PAI,
338 : Callback::Callback<OnNOCChainGeneration> * onCompletion)
339 : {
340 0 : VerifyOrReturnError(mInitialized, CHIP_ERROR_UNINITIALIZED);
341 : // At this point, Credential issuer may wish to validate the CSR information
342 : (void) attestationChallenge;
343 : (void) csrNonce;
344 :
345 : NodeId assignedId;
346 0 : if (mNodeIdRequested)
347 : {
348 0 : assignedId = mNextRequestedNodeId;
349 0 : mNodeIdRequested = false;
350 : }
351 : else
352 : {
353 0 : assignedId = mNextAvailableNodeId++;
354 : }
355 :
356 0 : ChipLogProgress(Controller, "Verifying Certificate Signing Request");
357 0 : TLVReader reader;
358 0 : reader.Init(csrElements);
359 :
360 0 : if (reader.GetType() == kTLVType_NotSpecified)
361 : {
362 0 : ReturnErrorOnFailure(reader.Next());
363 : }
364 :
365 0 : ReturnErrorOnFailure(reader.Expect(kTLVType_Structure, AnonymousTag()));
366 :
367 : TLVType containerType;
368 0 : ReturnErrorOnFailure(reader.EnterContainer(containerType));
369 0 : ReturnErrorOnFailure(reader.Next(kTLVType_ByteString, TLV::ContextTag(1)));
370 :
371 0 : ByteSpan csr(reader.GetReadPoint(), reader.GetLength());
372 0 : reader.ExitContainer(containerType);
373 :
374 0 : P256PublicKey pubkey;
375 0 : ReturnErrorOnFailure(VerifyCertificateSigningRequest(csr.data(), csr.size(), pubkey));
376 :
377 0 : chip::Platform::ScopedMemoryBuffer<uint8_t> noc;
378 0 : VerifyOrReturnError(noc.Alloc(kMaxDERCertLength), CHIP_ERROR_NO_MEMORY);
379 0 : MutableByteSpan nocSpan(noc.Get(), kMaxDERCertLength);
380 :
381 0 : chip::Platform::ScopedMemoryBuffer<uint8_t> icac;
382 0 : VerifyOrReturnError(icac.Alloc(kMaxDERCertLength), CHIP_ERROR_NO_MEMORY);
383 0 : MutableByteSpan icacSpan(icac.Get(), kMaxDERCertLength);
384 :
385 0 : chip::Platform::ScopedMemoryBuffer<uint8_t> rcac;
386 0 : VerifyOrReturnError(rcac.Alloc(kMaxDERCertLength), CHIP_ERROR_NO_MEMORY);
387 0 : MutableByteSpan rcacSpan(rcac.Get(), kMaxDERCertLength);
388 :
389 0 : ReturnErrorOnFailure(
390 : GenerateNOCChainAfterValidation(assignedId, mNextFabricId, mNextCATs, pubkey, rcacSpan, icacSpan, nocSpan));
391 :
392 : // TODO(#13825): Should always generate some IPK. Using a temporary fixed value until APIs are plumbed in to set it end-to-end
393 : // TODO: Force callers to set IPK if used before GenerateNOCChain will succeed.
394 0 : ByteSpan defaultIpkSpan = chip::GroupTesting::DefaultIpkValue::GetDefaultIpk();
395 :
396 : // The below static assert validates a key assumption in types used (needed for public API conformance)
397 : static_assert(CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES == kAES_CCM128_Key_Length, "IPK span sizing must match");
398 :
399 : // Prepare IPK to be sent back. A more fully-fledged operational credentials delegate
400 : // would obtain a suitable key per fabric.
401 : uint8_t ipkValue[CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES];
402 0 : Crypto::IdentityProtectionKeySpan ipkSpan(ipkValue);
403 :
404 0 : VerifyOrReturnError(defaultIpkSpan.size() == sizeof(ipkValue), CHIP_ERROR_INTERNAL);
405 0 : memcpy(&ipkValue[0], defaultIpkSpan.data(), defaultIpkSpan.size());
406 :
407 : // Callback onto commissioner.
408 0 : ChipLogProgress(Controller, "Providing certificate chain to the commissioner");
409 0 : onCompletion->mCall(onCompletion->mContext, CHIP_NO_ERROR, nocSpan, icacSpan, rcacSpan, MakeOptional(ipkSpan),
410 0 : Optional<NodeId>());
411 0 : return CHIP_NO_ERROR;
412 0 : }
413 :
414 3 : CHIP_ERROR ExampleOperationalCredentialsIssuer::GetRandomOperationalNodeId(NodeId * aNodeId)
415 : {
416 3 : for (int i = 0; i < 10; ++i)
417 : {
418 3 : CHIP_ERROR err = DRBG_get_bytes(reinterpret_cast<uint8_t *>(aNodeId), sizeof(*aNodeId));
419 3 : if (err != CHIP_NO_ERROR)
420 : {
421 3 : return err;
422 : }
423 :
424 3 : if (IsOperationalNodeId(*aNodeId))
425 : {
426 3 : return CHIP_NO_ERROR;
427 : }
428 : }
429 :
430 : // Terrible, universe-ending luck (chances are 1 in 2^280 or so here, if our
431 : // DRBG is good).
432 0 : return CHIP_ERROR_INTERNAL;
433 : }
434 :
435 : } // namespace Controller
436 : } // namespace chip
|
