Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : * All rights reserved.
5 : *
6 : * Licensed under the Apache License, Version 2.0 (the "License");
7 : * you may not use this file except in compliance with the License.
8 : * You may obtain a copy of the License at
9 : *
10 : * http://www.apache.org/licenses/LICENSE-2.0
11 : *
12 : * Unless required by applicable law or agreed to in writing, software
13 : * distributed under the License is distributed on an "AS IS" BASIS,
14 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 : * See the License for the specific language governing permissions and
16 : * limitations under the License.
17 : */
18 :
19 : #pragma once
20 :
21 : #include <app/util/basic-types.h>
22 : #include <crypto/CHIPCryptoPAL.h>
23 : #include <lib/core/CHIPCallback.h>
24 : #include <lib/core/PeerId.h>
25 : #include <lib/support/DLLUtil.h>
26 : #include <lib/support/Span.h>
27 : #include <transport/raw/MessageHeader.h>
28 :
29 : namespace chip {
30 : namespace Controller {
31 :
32 : typedef void (*OnNOCChainGeneration)(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
33 : const ByteSpan & rcac, Optional<Crypto::IdentityProtectionKeySpan> ipk,
34 : Optional<NodeId> adminSubject);
35 :
36 : inline constexpr uint32_t kMaxCHIPDERCertLength = 600;
37 : inline constexpr size_t kCSRNonceLength = 32;
38 :
39 : /// Callbacks for CHIP operational credentials generation
40 : class DLL_EXPORT OperationalCredentialsDelegate
41 : {
42 : public:
43 0 : virtual ~OperationalCredentialsDelegate() {}
44 :
45 : /**
46 : * @brief
47 : * This function generates an operational certificate chain for a remote device that is being commissioned.
48 : * The API generates the certificate in X.509 DER format.
49 : *
50 : * The delegate is expected to use the certificate authority whose certificate
51 : * is returned in `GetRootCACertificate()` API call.
52 : *
53 : * The delegate will call `onCompletion` when the NOC certificate chain is ready.
54 : *
55 : * @param[in] csrElements CSR elements as per specifications section 11.18.5.6. NOCSR Elements.
56 : * @param[in] csrNonce CSR nonce as described in 6.4.6.1
57 : * @param[in] attestationSignature Attestation signature as per specifications section 11.22.7.6. CSRResponse Command.
58 : * @param[in] attestationChallenge Attestation challenge as per 11.18.5.7
59 : * @param[in] DAC Device attestation certificate received from the device being commissioned
60 : * @param[in] PAI Product Attestation Intermediate certificate
61 : * @param[in] onCompletion Callback handler to provide generated NOC chain to the caller of GenerateNOCChain()
62 : *
63 : * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
64 : */
65 : virtual CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
66 : const ByteSpan & attestationSignature, const ByteSpan & attestationChallenge,
67 : const ByteSpan & DAC, const ByteSpan & PAI,
68 : Callback::Callback<OnNOCChainGeneration> * onCompletion) = 0;
69 :
70 : /**
71 : * This function sets the node ID for which the next NOC Chain would be requested. The node ID is
72 : * provided as a hint, and the delegate implementation may chose to ignore it and pick node ID of
73 : * their choice.
74 : */
75 0 : virtual void SetNodeIdForNextNOCRequest(NodeId nodeId) {}
76 :
77 : /**
78 : * This function sets the fabric ID for which the next NOC Chain should be generated. This API is
79 : * not required to be implemented if the delegate implementation has other mechanisms to find the
80 : * fabric ID.
81 : */
82 0 : virtual void SetFabricIdForNextNOCRequest(FabricId fabricId) {}
83 :
84 0 : virtual CHIP_ERROR ObtainCsrNonce(MutableByteSpan & csrNonce)
85 : {
86 0 : VerifyOrReturnError(csrNonce.size() == kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);
87 0 : ReturnErrorOnFailure(Crypto::DRBG_get_bytes(csrNonce.data(), csrNonce.size()));
88 0 : return CHIP_NO_ERROR;
89 : }
90 : };
91 :
92 : } // namespace Controller
93 : } // namespace chip
|
