LCOV - code coverage report
Current view: top level - credentials/attestation_verifier - DacOnlyPartialAttestationVerifier.cpp (source / functions) Hit Total Coverage
Test: lcov_final.info Lines: 0 49 0.0 %
Date: 2024-02-15 08:20:41 Functions: 0 1 0.0 % 

          Line data    Source code
       1             : /*
       2             :  *
       3             :  *    Copyright (c) 2021-2022 Project CHIP Authors
       4             :  *
       5             :  *    Licensed under the Apache License, Version 2.0 (the "License");
       6             :  *    you may not use this file except in compliance with the License.
       7             :  *    You may obtain a copy of the License at
       8             :  *
       9             :  *        http://www.apache.org/licenses/LICENSE-2.0
      10             :  *
      11             :  *    Unless required by applicable law or agreed to in writing, software
      12             :  *    distributed under the License is distributed on an "AS IS" BASIS,
      13             :  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      14             :  *    See the License for the specific language governing permissions and
      15             :  *    limitations under the License.
      16             :  */
      17             : #include "DacOnlyPartialAttestationVerifier.h"
      18             : 
      19             : #include <controller/OperationalCredentialsDelegate.h>
      20             : #include <credentials/CHIPCert.h>
      21             : #include <credentials/CertificationDeclaration.h>
      22             : #include <credentials/DeviceAttestationConstructor.h>
      23             : #include <credentials/DeviceAttestationVendorReserved.h>
      24             : #include <crypto/CHIPCryptoPAL.h>
      25             : 
      26             : #include <lib/core/CHIPError.h>
      27             : #include <lib/support/CodeUtils.h>
      28             : #include <lib/support/ScopedBuffer.h>
      29             : #include <lib/support/Span.h>
      30             : 
      31             : using namespace chip::Crypto;
      32             : 
      33             : namespace chip {
      34             : namespace Credentials {
      35             : 
      36             : // As per specifications section 11.22.5.1. Constant RESP_MAX
      37             : constexpr size_t kMaxResponseLength = 900;
      38             : 
      39             : /**
      40             :  * The implementation should track DefaultDACVerifier::VerifyAttestationInformation but with the checks
      41             :  * disabled that are outlined at the top of DacOnlyPartialAttestationVerifier.h.
      42             :  */
      43           0 : void PartialDACVerifier::VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
      44             :                                                       Callback::Callback<OnAttestationInformationVerification> * onCompletion)
      45             : {
      46           0 :     AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
      47             : 
      48           0 :     AttestationCertVidPid dacVidPid;
      49           0 :     AttestationCertVidPid paiVidPid;
      50           0 :     AttestationCertVidPid paaVidPid;
      51             : 
      52           0 :     DeviceInfoForAttestation deviceInfo{
      53           0 :         .vendorId  = info.vendorId,
      54           0 :         .productId = info.productId,
      55           0 :     };
      56             : 
      57           0 :     VerifyOrExit(!info.attestationElementsBuffer.empty() && !info.attestationChallengeBuffer.empty() &&
      58             :                      !info.attestationSignatureBuffer.empty() && !info.paiDerBuffer.empty() && !info.dacDerBuffer.empty() &&
      59             :                      !info.attestationNonceBuffer.empty() && onCompletion != nullptr,
      60             :                  attestationError = AttestationVerificationResult::kInvalidArgument);
      61             : 
      62           0 :     VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength,
      63             :                  attestationError = AttestationVerificationResult::kInvalidArgument);
      64             : 
      65             :     // match DAC and PAI VIDs
      66             :     {
      67           0 :         VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR,
      68             :                      attestationError = AttestationVerificationResult::kDacFormatInvalid);
      69           0 :         VerifyOrExit(ExtractVIDPIDFromX509Cert(info.paiDerBuffer, paiVidPid) == CHIP_NO_ERROR,
      70             :                      attestationError = AttestationVerificationResult::kPaiFormatInvalid);
      71           0 :         VerifyOrExit(paiVidPid.mVendorId.HasValue() && paiVidPid.mVendorId == dacVidPid.mVendorId,
      72             :                      attestationError = AttestationVerificationResult::kDacVendorIdMismatch);
      73           0 :         VerifyOrExit(dacVidPid.mProductId.HasValue(), attestationError = AttestationVerificationResult::kDacProductIdMismatch);
      74           0 :         if (paiVidPid.mProductId.HasValue())
      75             :         {
      76           0 :             VerifyOrExit(paiVidPid.mProductId == dacVidPid.mProductId,
      77             :                          attestationError = AttestationVerificationResult::kDacProductIdMismatch);
      78             :         }
      79             :     }
      80             : 
      81             :     {
      82           0 :         P256PublicKey remoteManufacturerPubkey;
      83           0 :         P256ECDSASignature deviceSignature;
      84             : 
      85           0 :         VerifyOrExit(ExtractPubkeyFromX509Cert(info.dacDerBuffer, remoteManufacturerPubkey) == CHIP_NO_ERROR,
      86             :                      attestationError = AttestationVerificationResult::kDacFormatInvalid);
      87             : 
      88             :         // Validate overall attestation signature on attestation information
      89             :         // SetLength will fail if signature doesn't fit
      90           0 :         VerifyOrExit(deviceSignature.SetLength(info.attestationSignatureBuffer.size()) == CHIP_NO_ERROR,
      91             :                      attestationError = AttestationVerificationResult::kAttestationSignatureInvalidFormat);
      92           0 :         memcpy(deviceSignature.Bytes(), info.attestationSignatureBuffer.data(), info.attestationSignatureBuffer.size());
      93           0 :         VerifyOrExit(ValidateAttestationSignature(remoteManufacturerPubkey, info.attestationElementsBuffer,
      94             :                                                   info.attestationChallengeBuffer, deviceSignature) == CHIP_NO_ERROR,
      95             :                      attestationError = AttestationVerificationResult::kAttestationSignatureInvalid);
      96           0 :     }
      97             : 
      98             :     {
      99           0 :         MutableByteSpan akid(deviceInfo.paaSKID);
     100             : 
     101           0 :         VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR,
     102             :                      attestationError = AttestationVerificationResult::kPaiFormatInvalid);
     103             : 
     104           0 :         ChipLogProgress(Support, "PartialDACVerifier::CheckPAA skipping vid-scoped PAA check - PAARootStore disabled");
     105             :     }
     106             : 
     107             : #if !defined(CURRENT_TIME_NOT_IMPLEMENTED)
     108           0 :     VerifyOrExit(IsCertificateValidAtCurrentTime(info.dacDerBuffer) == CHIP_NO_ERROR,
     109             :                  attestationError = AttestationVerificationResult::kDacExpired);
     110             : #endif
     111             : 
     112           0 :     ChipLogProgress(Support, "PartialDACVerifier::CheckCertChain skipping cert chain check - PAARootStore disabled");
     113             : 
     114             :     {
     115           0 :         ByteSpan certificationDeclarationSpan;
     116           0 :         ByteSpan attestationNonceSpan;
     117             :         uint32_t timestampDeconstructed;
     118           0 :         ByteSpan firmwareInfoSpan;
     119           0 :         DeviceAttestationVendorReservedDeconstructor vendorReserved;
     120           0 :         ByteSpan certificationDeclarationPayload;
     121             : 
     122           0 :         deviceInfo.dacVendorId  = dacVidPid.mVendorId.Value();
     123           0 :         deviceInfo.dacProductId = dacVidPid.mProductId.Value();
     124           0 :         deviceInfo.paiVendorId  = paiVidPid.mVendorId.Value();
     125           0 :         deviceInfo.paiProductId = paiVidPid.mProductId.ValueOr(0);
     126           0 :         deviceInfo.paaVendorId  = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified);
     127             : 
     128           0 :         ChipLogProgress(
     129             :             Support,
     130             :             "PartialDACVerifier::VerifyAttestationInformation skipping PAA subject key id extraction - PAARootStore disabled");
     131             : 
     132           0 :         VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan,
     133             :                                                     attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan,
     134             :                                                     vendorReserved) == CHIP_NO_ERROR,
     135             :                      attestationError = AttestationVerificationResult::kAttestationElementsMalformed);
     136             : 
     137             :         // Verify that Nonce matches with what we sent
     138           0 :         VerifyOrExit(attestationNonceSpan.data_equal(info.attestationNonceBuffer),
     139             :                      attestationError = AttestationVerificationResult::kAttestationNonceMismatch);
     140             : 
     141           0 :         ChipLogProgress(Support,
     142             :                         "PartialDACVerifier::VerifyAttestationInformation skipping CD signature check - LocalCSAStore disabled");
     143           0 :         VerifyOrExit(CMS_ExtractCDContent(certificationDeclarationSpan, certificationDeclarationPayload) == CHIP_NO_ERROR,
     144             :                      attestationError = AttestationVerificationResult::kPaaFormatInvalid);
     145             : 
     146           0 :         attestationError = ValidateCertificateDeclarationPayload(certificationDeclarationPayload, firmwareInfoSpan, deviceInfo);
     147           0 :         VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess, attestationError = attestationError);
     148             :     }
     149             : 
     150           0 : exit:
     151           0 :     onCompletion->mCall(onCompletion->mContext, info, attestationError);
     152           0 : }
     153             : 
     154             : } // namespace Credentials
     155             : } // namespace chip

Generated by: LCOV version 1.14