Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021-2022 Project CHIP Authors
4 : * All rights reserved.
5 : *
6 : * Licensed under the Apache License, Version 2.0 (the "License");
7 : * you may not use this file except in compliance with the License.
8 : * You may obtain a copy of the License at
9 : *
10 : * http://www.apache.org/licenses/LICENSE-2.0
11 : *
12 : * Unless required by applicable law or agreed to in writing, software
13 : * distributed under the License is distributed on an "AS IS" BASIS,
14 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 : * See the License for the specific language governing permissions and
16 : * limitations under the License.
17 : */
18 :
19 : /**
20 : * @file
21 : * This file contains class definition of an example operational certificate
22 : * issuer for CHIP devices. The class can be used as a guideline on how to
23 : * construct your own certificate issuer. It can also be used in tests and tools
24 : * if a specific signing authority is not required.
25 : *
26 : * NOTE: This class stores the encryption key in clear storage. This is not suited
27 : * for production use. This should only be used in test tools.
28 : */
29 :
30 : #pragma once
31 :
32 : #include <controller/OperationalCredentialsDelegate.h>
33 : #include <crypto/CHIPCryptoPAL.h>
34 : #include <lib/core/CASEAuthTag.h>
35 : #include <lib/core/CHIPError.h>
36 : #include <lib/core/CHIPPersistentStorageDelegate.h>
37 : #include <lib/support/CodeUtils.h>
38 : #include <lib/support/Span.h>
39 :
40 : namespace chip {
41 : namespace Controller {
42 :
43 : class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredentialsDelegate
44 : {
45 : public:
46 : //
47 : // Constructor to create an instance of this object that vends out operational credentials for a given fabric.
48 : //
49 : // An index should be provided to numerically identify this instance relative to others in a multi-fabric deployment. This is
50 : // needed given the interactions of this object with persistent storage. Consequently, the index is used to scope the entries
51 : // read/written to/from storage.
52 : //
53 : // It is recommended that this index track the fabric index within which this issuer is operating.
54 : //
55 : ExampleOperationalCredentialsIssuer(uint32_t index = 0) { mIndex = index; }
56 0 : ~ExampleOperationalCredentialsIssuer() override {}
57 :
58 : CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce, const ByteSpan & attestationSignature,
59 : const ByteSpan & attestationChallenge, const ByteSpan & DAC, const ByteSpan & PAI,
60 : Callback::Callback<OnNOCChainGeneration> * onCompletion) override;
61 :
62 0 : void SetNodeIdForNextNOCRequest(NodeId nodeId) override
63 : {
64 0 : mNextRequestedNodeId = nodeId;
65 0 : mNodeIdRequested = true;
66 0 : }
67 :
68 : void SetMaximallyLargeCertsUsed(bool areMaximallyLargeCertsUsed) { mUseMaximallySizedCerts = areMaximallyLargeCertsUsed; }
69 :
70 0 : void SetFabricIdForNextNOCRequest(FabricId fabricId) override { mNextFabricId = fabricId; }
71 :
72 : void SetCATValuesForNextNOCRequest(CATValues cats) { mNextCATs = cats; }
73 :
74 : /**
75 : * @brief Initialize the issuer with the keypair in the storage.
76 : * If the storage doesn't have one, it'll create one, and it to the storage.
77 : *
78 : * @param[in] storage A reference to the storage, where the keypair is stored.
79 : * The object of ExampleOperationalCredentialsIssuer doesn't hold
80 : * on the reference of storage.
81 : *
82 : * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
83 : **/
84 : [[deprecated("This class stores the encryption key in clear storage. Don't use it for production code.")]] CHIP_ERROR
85 : Initialize(PersistentStorageDelegate & storage);
86 :
87 : void SetIssuerId(uint32_t id) { mIssuerId = id; }
88 :
89 : void SetCurrentEpoch(uint32_t epoch) { mNow = epoch; }
90 :
91 : void SetCertificateValidityPeriod(uint32_t validity) { mValidity = validity; }
92 :
93 : /**
94 : * Generate a random operational node id.
95 : *
96 : * @param[out] aNodeId where to place the generated id.
97 : *
98 : * On error no guarantees are made about the state of aNodeId.
99 : */
100 : static CHIP_ERROR GetRandomOperationalNodeId(NodeId * aNodeId);
101 :
102 : /**
103 : * This is a utility method that generates a operational certificate chain for the given public key.
104 : * This method is expected to be called once all the checks (e.g. device attestation, CSR verification etc)
105 : * have been completed, or not required (e.g. for self trusted devices such as commissioner apps).
106 : */
107 : CHIP_ERROR GenerateNOCChainAfterValidation(NodeId nodeId, FabricId fabricId, const CATValues & cats,
108 : const Crypto::P256PublicKey & pubkey, MutableByteSpan & rcac, MutableByteSpan & icac,
109 : MutableByteSpan & noc);
110 :
111 : private:
112 : Crypto::P256Keypair mIssuer;
113 : Crypto::P256Keypair mIntermediateIssuer;
114 : bool mInitialized = false;
115 : uint32_t mIssuerId = 1;
116 : uint32_t mIntermediateIssuerId = 2;
117 : uint32_t mNow = 0;
118 :
119 : // By default, let's set validity to 10 years
120 : uint32_t mValidity = 365 * 24 * 60 * 60 * 10;
121 :
122 : NodeId mNextAvailableNodeId = 1;
123 : PersistentStorageDelegate * mStorage = nullptr;
124 : bool mUseMaximallySizedCerts = false;
125 :
126 : NodeId mNextRequestedNodeId = 1;
127 : FabricId mNextFabricId = 1;
128 : CATValues mNextCATs = kUndefinedCATs;
129 : bool mNodeIdRequested = false;
130 : uint64_t mIndex = 0;
131 : };
132 :
133 : } // namespace Controller
134 : } // namespace chip
|
