Line data    Source code

       1             : /*
       2             :  *
       3             :  *    Copyright (c) 2021 Project CHIP Authors
       4             :  *
       5             :  *    Licensed under the Apache License, Version 2.0 (the "License");
       6             :  *    you may not use this file except in compliance with the License.
       7             :  *    You may obtain a copy of the License at
       8             :  *
       9             :  *        http://www.apache.org/licenses/LICENSE-2.0
      10             :  *
      11             :  *    Unless required by applicable law or agreed to in writing, software
      12             :  *    distributed under the License is distributed on an "AS IS" BASIS,
      13             :  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      14             :  *    See the License for the specific language governing permissions and
      15             :  *    limitations under the License.
      16             :  */
      17             : #pragma once
      18             : 
      19             : #include <array>
      20             : #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
      21             : #include <crypto/CHIPCryptoPAL.h>
      22             : #include <lib/core/CHIPConfig.h>
      23             : #include <lib/core/CHIPError.h>
      24             : #include <lib/support/Span.h>
      25             : #include <stdlib.h>
      26             : 
      27             : namespace chip {
      28             : namespace Credentials {
      29             : 
      30             : class CsaCdKeysTrustStore : public WellKnownKeysTrustStore
      31             : {
      32             : public:
      33           2 :     CsaCdKeysTrustStore()          = default;
      34           2 :     virtual ~CsaCdKeysTrustStore() = default;
      35             : 
      36             :     CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override;
      37             :     CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override;
      38             :     CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override;
      39             :     bool IsCdTestKey(const ByteSpan & kid) const override;
      40             : 
      41             : protected:
      42             :     struct SingleKeyEntry
      43             :     {
      44             :         static constexpr size_t kMaxKidSize = 32u;
      45             :         uint8_t kidBuffer[kMaxKidSize];
      46             :         size_t kidSize;
      47             :         Crypto::P256PublicKey publicKey;
      48             : 
      49           1 :         ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; }
      50             :     };
      51             : 
      52             :     static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS;
      53             :     std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys;
      54             :     size_t mNumTrustedKeys = 0;
      55             : };
      56             : 
      57             : class DefaultDACVerifier : public DeviceAttestationVerifier
      58             : {
      59             : public:
      60           2 :     DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {}
      61             : 
      62             :     void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
      63             :                                       Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
      64             : 
      65             :     AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
      66             :                                                                             ByteSpan & certDeclBuffer) override;
      67             : 
      68             :     AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer,
      69             :                                                                         const ByteSpan & firmwareInfo,
      70             :                                                                         const DeviceInfoForAttestation & deviceInfo) override;
      71             : 
      72             :     CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer,
      73             :                                                    const ByteSpan & attestationChallengeBuffer,
      74             :                                                    const ByteSpan & attestationSignatureBuffer,
      75             :                                                    const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
      76             : 
      77           0 :     CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
      78             : 
      79             : protected:
      80             :     DefaultDACVerifier() {}
      81             : 
      82             :     CsaCdKeysTrustStore mCdKeysTrustStore;
      83             :     const AttestationTrustStore * mAttestationTrustStore;
      84             : };
      85             : 
      86             : /**
      87             :  * @brief Get implementation of a PAA root store containing a basic set of static PAA roots
      88             :  *        sufficient for *testing* only.
      89             :  *
      90             :  * WARNING: The PAA list known to this PAA root store is a reduced subset that will likely
      91             :  *          cause users of it to fail attestation procedure in some cases. This is provided
      92             :  *          to support tests and examples, not to be used by real commissioners, as it
      93             :  *          contains several test roots which are not trustworthy for certified product usage.
      94             :  *
      95             :  * @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs.
      96             :  */
      97             : const AttestationTrustStore * GetTestAttestationTrustStore();
      98             : 
      99             : /**
     100             :  * @brief Get a singleton implementation of a sample DAC verifier to validate device
     101             :  *        attestation procedure.
     102             :  *
     103             :  * @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by implementation
     104             :  *                         of default DeviceAttestationVerifier. Caller must ensure storage is
     105             :  *                         always available while the DeviceAttestationVerifier could be used.
     106             :  *
     107             :  * @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements.
     108             :  *          This has process lifetime, so the paaRootStore must also have
     109             :  *          process lifetime.  In particular, after the first call it's not
     110             :  *          possible to change which AttestationTrustStore is used by this verifier.
     111             :  */
     112             : DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore);
     113             : 
     114             : } // namespace Credentials
     115             : } // namespace chip