1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : *
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #pragma once
18 :
19 : #include <array>
20 : #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
21 : #include <crypto/CHIPCryptoPAL.h>
22 : #include <lib/core/CHIPConfig.h>
23 : #include <lib/core/CHIPError.h>
24 : #include <lib/support/Span.h>
25 : #include <stdlib.h>
26 :
27 : namespace chip {
28 : namespace Credentials {
29 :
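/**
 * @brief Trust store for the well-known keys used to verify Certification Declaration (CD) signatures.
 *
 * Keys are held in a fixed-size, in-object table of CHIP_CONFIG_NUM_CD_KEY_SLOTS entries, each
 * addressed by a key identifier (KID) of at most SingleKeyEntry::kMaxKidSize bytes, so no heap
 * allocation is involved. mNumTrustedKeys counts the populated leading entries; presumably only
 * those are consulted by the out-of-line methods.
 */
class CsaCdKeysTrustStore : public WellKnownKeysTrustStore
{
public:
    CsaCdKeysTrustStore()          = default;
    virtual ~CsaCdKeysTrustStore() = default;

    /// Register a trusted key under an explicit KID. (Defined out of line.)
    CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override;
    /// Register a trusted key given a DER-encoded certificate. (Defined out of line.)
    CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override;
    /// Copy the verifying key registered for `kid` into `outPubKey`. (Defined out of line.)
    CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override;
    /// Report whether `kid` designates a CD *test* key. (Defined out of line.)
    bool IsCdTestKey(const ByteSpan & kid) const override;

protected:
    /// One slot of the trusted-key table: a KID (with its length) plus the associated P-256 public key.
    struct SingleKeyEntry
    {
        static constexpr size_t kMaxKidSize = 32u;
        // Zero-initialised so an unused slot never carries an indeterminate KID or length,
        // whatever the out-of-line lookup happens to read.
        uint8_t kidBuffer[kMaxKidSize] = {};
        size_t kidSize                 = 0;
        Crypto::P256PublicKey publicKey;

        /// View of the stored KID, limited to its actual length.
        ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; }
    };

    static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS;
    std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys;
    // Number of leading entries of mTrustedKeys that are populated.
    size_t mNumTrustedKeys = 0;
};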
56 :
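/**
 * @brief Default DeviceAttestationVerifier built on a caller-supplied PAA root store.
 *
 * The verifier holds non-owning pointers to the AttestationTrustStore and to the optional
 * DeviceAttestationRevocationDelegate handed to it; both must outlive this object.
 * Certification Declaration signing keys live in the embedded CsaCdKeysTrustStore.
 */
class DefaultDACVerifier : public DeviceAttestationVerifier
{
public:
    /// Build a verifier over `paaRootStore` with no revocation delegate.
    DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {}

    /// Build a verifier over `paaRootStore` that additionally records `revocationDelegate`.
    DefaultDACVerifier(const AttestationTrustStore * paaRootStore, DeviceAttestationRevocationDelegate * revocationDelegate) :
        mAttestationTrustStore(paaRootStore), mRevocationDelegate(revocationDelegate)
    {}

    /// Verify the DAC chain and attestation data in `info`, reporting the result via `onCompletion`. (Defined out of line.)
    void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
                                      Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;

    /// Check the CMS signature over a Certification Declaration and expose its payload in `certDeclBuffer`. (Defined out of line.)
    AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
                                                                            ByteSpan & certDeclBuffer) override;

    /// Validate a Certification Declaration payload against the device's firmware and identity info. (Defined out of line.)
    AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer,
                                                                        const ByteSpan & firmwareInfo,
                                                                        const DeviceInfoForAttestation & deviceInfo) override;

    /// Verify the NOCSR elements and their signature against the DAC public key and CSR nonce. (Defined out of line.)
    CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer,
                                                   const ByteSpan & attestationChallengeBuffer,
                                                   const ByteSpan & attestationSignatureBuffer,
                                                   const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;

    /// Consult the revocation delegate for the DAC chain in `info`, reporting via `onCompletion`. (Defined out of line.)
    void CheckForRevokedDACChain(const AttestationInfo & info,
                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;

    /// Trust store holding the CD signing keys; owned by this object, so the pointer is valid for its lifetime.
    CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }

    /// Replace the revocation delegate (nullptr clears it). Always returns CHIP_NO_ERROR.
    CHIP_ERROR SetRevocationDelegate(DeviceAttestationRevocationDelegate * revocationDelegate) override
    {
        mRevocationDelegate = revocationDelegate;
        return CHIP_NO_ERROR;
    }

protected:
    /// For derived classes that supply their own setup; leaves mAttestationTrustStore null.
    DefaultDACVerifier() = default;

    CsaCdKeysTrustStore mCdKeysTrustStore;
    // Initialised to nullptr so the protected default constructor does not leave it indeterminate.
    const AttestationTrustStore * mAttestationTrustStore      = nullptr;
    DeviceAttestationRevocationDelegate * mRevocationDelegate = nullptr;
};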
99 :
100 : /**
101 : * @brief Get an implementation of a PAA root store containing a basic set of static PAA roots
102 : * that is sufficient for *testing* only.
103 : *
104 : * WARNING: The PAA list known to this PAA root store is a reduced subset that will likely
105 : * cause users of it to fail attestation procedure in some cases. This is provided
106 : * to support tests and examples, not to be used by real commissioners, as it
107 : * contains several test roots which are not trustworthy for certified product usage.
108 : *
109 : * @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs.
110 : */
111 : const AttestationTrustStore * GetTestAttestationTrustStore();
112 :
113 : /**
114 : * @brief Get a singleton implementation of a sample DAC verifier to validate device
115 : * attestation procedure.
116 : *
117 : * @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by the default
118 : * DeviceAttestationVerifier implementation. The caller must ensure the store
119 : * remains valid for as long as the DeviceAttestationVerifier may be used.
120 : *
121 : * @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements.
122 : * This has process lifetime, so the paaRootStore must also have
123 : * process lifetime. In particular, after the first call it's not
124 : * possible to change which AttestationTrustStore is used by this verifier.
125 : */
126 : DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
127 : DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
128 :
129 : } // namespace Credentials
130 : } // namespace chip