1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : *
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #pragma once
18 :
19 : #include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
20 :
21 : namespace chip {
22 : namespace Credentials {
23 :
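/**
 * @brief
 *   This class is based upon the DefaultDACVerifier but has all checks removed which require
 *   local availability of trust anchors that are not available from the commissionee, such as the
 *   PAA root certificates and the CSA keys used to sign the Certification Declaration (CD).
 *
 * @warning
 *   On its own this verifier does not establish trust in the commissionee: with the checks listed
 *   below removed, the DAC chain is not anchored to a CSA-approved PAA and the CD signature is not
 *   verified. This class should only be used in conjunction with an OperationalCredentialsDelegate
 *   which performs the removed checks. For example, an OperationalCredentialsDelegate implementation
 *   might send the DAC chain and signed CD to custom code which obtains these keys from the DCL.
 *
 * Specifically, the following list of checks have been removed:
 * (1) Make sure the PAA is valid and approved by CSA.
 * (2) vid-scoped PAA check: if the PAA is vid scoped, then its vid must match the DAC vid.
 * (3) cert chain check: verify PAI is signed by PAA, and DAC is signed by PAI.
 * (4) PAA subject key id extraction: the PAA subject key must match the PAA key referenced in the PAI.
 * (5) CD signature check: make sure a valid CSA CD key is used to sign the CD.
 *
 * Any other checks performed by the DefaultDACVerifier should be performed here too. Changes
 * made to DefaultDACVerifier::VerifyAttestationInformation should be made to
 * PartialDACVerifier::VerifyAttestationInformation.
 *
 * NOTE(review): nothing visible in this header enforces that the two implementations stay in
 * sync; a check added only to DefaultDACVerifier would be silently absent here.
 */
class PartialDACVerifier : public DefaultDACVerifier
{
public:
    /// This class declares no data members of its own, so the defaulted constructor
    /// only default-constructs the DefaultDACVerifier base.
    PartialDACVerifier() = default;

    /**
     * @brief
     *   The implementation should track DefaultDACVerifier::VerifyAttestationInformation but with the checks
     *   disabled that are outlined at the top of DacOnlyPartialAttestationVerifier.h.
     *
     * @param info          Attestation information supplied for verification.
     * @param onCompletion  Callback of type OnAttestationInformationVerification; presumably invoked
     *                      with the verification result (confirm against the implementation). Per the
     *                      class description, a successful result covers only the checks retained here,
     *                      not the PAA, certificate-chain or CD-signature checks.
     */
    void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
                                      Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
};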
60 :
61 : } // namespace Credentials
62 : } // namespace chip