Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : *
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #pragma once
18 :
19 : #include <array>
20 : #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
21 : #include <crypto/CHIPCryptoPAL.h>
22 : #include <lib/core/CHIPConfig.h>
23 : #include <lib/core/CHIPError.h>
24 : #include <lib/support/Span.h>
25 : #include <stdlib.h>
26 :
27 : namespace chip {
28 : namespace Credentials {
29 :
30 : class CsaCdKeysTrustStore : public WellKnownKeysTrustStore
31 : {
32 : public:
33 2 : CsaCdKeysTrustStore() = default;
34 2 : virtual ~CsaCdKeysTrustStore() = default;
35 :
36 : CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override;
37 : CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override;
38 : CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override;
39 : bool IsCdTestKey(const ByteSpan & kid) const override;
40 :
41 : protected:
42 : struct SingleKeyEntry
43 : {
44 : static constexpr size_t kMaxKidSize = 32u;
45 : uint8_t kidBuffer[kMaxKidSize];
46 : size_t kidSize;
47 : Crypto::P256PublicKey publicKey;
48 :
49 1 : ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; }
50 : };
51 :
52 : static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS;
53 : std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys;
54 : size_t mNumTrustedKeys = 0;
55 : };
56 :
57 : class DefaultDACVerifier : public DeviceAttestationVerifier
58 : {
59 : public:
60 : DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {}
61 :
62 2 : DefaultDACVerifier(const AttestationTrustStore * paaRootStore, DeviceAttestationRevocationDelegate * revocationDelegate) :
63 2 : mAttestationTrustStore(paaRootStore), mRevocationDelegate(revocationDelegate)
64 2 : {}
65 :
66 : void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
67 : Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
68 :
69 : AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
70 : ByteSpan & certDeclBuffer) override;
71 :
72 : AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer,
73 : const ByteSpan & firmwareInfo,
74 : const DeviceInfoForAttestation & deviceInfo) override;
75 :
76 : CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer,
77 : const ByteSpan & attestationChallengeBuffer,
78 : const ByteSpan & attestationSignatureBuffer,
79 : const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
80 :
81 : void CheckForRevokedDACChain(const AttestationInfo & info,
82 : Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
83 :
84 0 : CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
85 :
86 : void SetRevocationDelegate(DeviceAttestationRevocationDelegate * revocationDelegate)
87 : {
88 : mRevocationDelegate = revocationDelegate;
89 : }
90 :
91 : protected:
92 : DefaultDACVerifier() {}
93 :
94 : CsaCdKeysTrustStore mCdKeysTrustStore;
95 : const AttestationTrustStore * mAttestationTrustStore;
96 : DeviceAttestationRevocationDelegate * mRevocationDelegate = nullptr;
97 : };
98 :
99 : /**
100 : * @brief Get implementation of a PAA root store containing a basic set of static PAA roots
101 : * sufficient for *testing* only.
102 : *
103 : * WARNING: The PAA list known to this PAA root store is a reduced subset that will likely
104 : * cause users of it to fail attestation procedure in some cases. This is provided
105 : * to support tests and examples, not to be used by real commissioners, as it
106 : * contains several test roots which are not trustworthy for certified product usage.
107 : *
108 : * @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs.
109 : */
110 : const AttestationTrustStore * GetTestAttestationTrustStore();
111 :
112 : /**
113 : * @brief Get a singleton implementation of a sample DAC verifier to validate device
114 : * attestation procedure.
115 : *
116 : * @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by implementation
117 : * of default DeviceAttestationVerifier. Caller must ensure storage is
118 : * always available while the DeviceAttestationVerifier could be used.
119 : *
120 : * @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements.
121 : * This has process lifetime, so the paaRootStore must also have
122 : * process lifetime. In particular, after the first call it's not
123 : * possible to change which AttestationTrustStore is used by this verifier.
124 : */
125 : DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
126 : DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
127 :
128 : } // namespace Credentials
129 : } // namespace chip
|
