Line data Source code
1 : /* 2 : * 3 : * Copyright (c) 2021 Project CHIP Authors 4 : * 5 : * Licensed under the Apache License, Version 2.0 (the "License"); 6 : * you may not use this file except in compliance with the License. 7 : * You may obtain a copy of the License at 8 : * 9 : * http://www.apache.org/licenses/LICENSE-2.0 10 : * 11 : * Unless required by applicable law or agreed to in writing, software 12 : * distributed under the License is distributed on an "AS IS" BASIS, 13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 : * See the License for the specific language governing permissions and 15 : * limitations under the License. 16 : */ 17 : #pragma once 18 : 19 : #include <array> 20 : #include <credentials/attestation_verifier/DeviceAttestationVerifier.h> 21 : #include <crypto/CHIPCryptoPAL.h> 22 : #include <lib/core/CHIPConfig.h> 23 : #include <lib/core/CHIPError.h> 24 : #include <lib/support/Span.h> 25 : #include <stdlib.h> 26 : 27 : namespace chip { 28 : namespace Credentials { 29 : 30 : class CsaCdKeysTrustStore : public WellKnownKeysTrustStore 31 : { 32 : public: 33 2 : CsaCdKeysTrustStore() = default; 34 2 : virtual ~CsaCdKeysTrustStore() = default; 35 : 36 : CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override; 37 : CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override; 38 : CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override; 39 : bool IsCdTestKey(const ByteSpan & kid) const override; 40 : 41 : protected: 42 : struct SingleKeyEntry 43 : { 44 : static constexpr size_t kMaxKidSize = 32u; 45 : uint8_t kidBuffer[kMaxKidSize]; 46 : size_t kidSize; 47 : Crypto::P256PublicKey publicKey; 48 : 49 1 : ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; } 50 : }; 51 : 52 : static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS; 53 : std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys; 54 : size_t mNumTrustedKeys = 0; 55 : }; 56 : 57 : class DefaultDACVerifier : public DeviceAttestationVerifier 58 : { 59 : public: 60 2 : DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {} 61 : 62 : void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info, 63 : Callback::Callback<OnAttestationInformationVerification> * onCompletion) override; 64 : 65 : AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer, 66 : ByteSpan & certDeclBuffer) override; 67 : 68 : AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer, 69 : const ByteSpan & firmwareInfo, 70 : const DeviceInfoForAttestation & deviceInfo) override; 71 : 72 : CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer, 73 : const ByteSpan & attestationChallengeBuffer, 74 : const ByteSpan & attestationSignatureBuffer, 75 : const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override; 76 : 77 0 : CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; } 78 : 79 : protected: 80 : DefaultDACVerifier() {} 81 : 82 : CsaCdKeysTrustStore mCdKeysTrustStore; 83 : const AttestationTrustStore * mAttestationTrustStore; 84 : }; 85 : 86 : /** 87 : * @brief Get implementation of a PAA root store containing a basic set of static PAA roots 88 : * sufficient for *testing* only. 89 : * 90 : * WARNING: The PAA list known to this PAA root store is a reduced subset that will likely 91 : * cause users of it to fail attestation procedure in some cases. This is provided 92 : * to support tests and examples, not to be used by real commissioners, as it 93 : * contains several test roots which are not trustworthy for certified product usage. 94 : * 95 : * @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs. 96 : */ 97 : const AttestationTrustStore * GetTestAttestationTrustStore(); 98 : 99 : /** 100 : * @brief Get a singleton implementation of a sample DAC verifier to validate device 101 : * attestation procedure. 102 : * 103 : * @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by implementation 104 : * of default DeviceAttestationVerifier. Caller must ensure storage is 105 : * always available while the DeviceAttestationVerifier could be used. 106 : * 107 : * @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements. 108 : * This has process lifetime, so the paaRootStore must also have 109 : * process lifetime. In particular, after the first call it's not 110 : * possible to change which AttestationTrustStore is used by this verifier. 111 : */ 112 : DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore); 113 : 114 : } // namespace Credentials 115 : } // namespace chip