Matter SDK Coverage Report
Current view: top level - credentials/attestation_verifier - TestDACRevocationDelegateImpl.h (source / functions) Coverage Total Hit
Test: SHA:b879ecb8e99e175eea0a293a888bda853da2b19c Lines: 0.0 % 1 0
Test Date: 2025-01-17 19:00:11 Functions: 0.0 % 2 0

            Line data    Source code
       1              : /*
       2              :  *
       3              :  *    Copyright (c) 2024 Project CHIP Authors
       4              :  *
       5              :  *    Licensed under the Apache License, Version 2.0 (the "License");
       6              :  *    you may not use this file except in compliance with the License.
       7              :  *    You may obtain a copy of the License at
       8              :  *
       9              :  *        http://www.apache.org/licenses/LICENSE-2.0
      10              :  *
      11              :  *    Unless required by applicable law or agreed to in writing, software
      12              :  *    distributed under the License is distributed on an "AS IS" BASIS,
      13              :  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      14              :  *    See the License for the specific language governing permissions and
      15              :  *    limitations under the License.
      16              :  */
      17              : 
      18              : #pragma once
      19              : 
      20              : #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
      21              : #include <json/json.h>
      22              : #include <lib/support/Span.h>
      23              : 
      24              : #include <string>
      25              : 
namespace chip {
namespace Credentials {

/**
 * @brief DeviceAttestationRevocationDelegate that checks a DAC chain against a
 *        revocation set supplied as JSON, either through a file path or as
 *        in-memory JSON data.
 *
 * Only declarations are visible in this header; the behaviour notes below are
 * limited to what the signatures and the original comments state.
 *
 * NOTE(review): the "Test" prefix and the "unit test purposes" setter suggest a
 * test/reference implementation. Confirm before relying on it as the only
 * revocation check in a production commissioner.
 */
class TestDACRevocationDelegateImpl : public DeviceAttestationRevocationDelegate
{
public:
    TestDACRevocationDelegateImpl()  = default;
    ~TestDACRevocationDelegateImpl() = default;

    /**
     * @brief Verify whether or not the given DAC chain is revoked.
     *
     * @param[in] info All of the information required to check for revoked DAC chain.
     * @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
     *                         CheckForRevokedDACChain().
     */
    void CheckForRevokedDACChain(
        const DeviceAttestationVerifier::AttestationInfo & info,
        Callback::Callback<DeviceAttestationVerifier::OnAttestationInformationVerification> * onCompletion) override;

    // Set the path to the device attestation revocation set JSON file.
    // The revocation set can be generated using the credentials/generate-revocation-set.py script.
    // This API returns CHIP_ERROR_INVALID_ARGUMENT if the path is null.
    // NOTE(review): the parameter is a std::string_view, so "null" presumably means an
    // empty view; confirm against the implementation.
    // NOTE(review): the file at this path presumably decides which certificates are
    // reported as revoked, so it should come from a location the caller trusts and
    // whose integrity is protected. No validation of the path is visible in this header.
    // NOTE(review): std::string_view is used here but <string_view> is not included
    // directly by this header; it presumably arrives through another include.
    CHIP_ERROR SetDeviceAttestationRevocationSetPath(std::string_view path);

    // Clear the path to the device attestation revocation set JSON file.
    // This can be used to skip the revocation check.
    // NOTE(review): with the check skipped, a revoked DAC or PAI would presumably not
    // be reported as revoked; confirm what CheckForRevokedDACChain() passes to
    // onCompletion in that case.
    void ClearDeviceAttestationRevocationSetPath();

    // Set JSON data directly for unit test purposes.
    // NOTE(review): how this data interacts with a configured file path (which source
    // takes precedence) is not visible in this header.
    CHIP_ERROR SetDeviceAttestationRevocationData(const std::string & jsonData);
    // Clear the JSON data set through SetDeviceAttestationRevocationData().
    void ClearDeviceAttestationRevocationData();

private:
    // Selects which key identifier GetKeyIDHexStr() extracts from a certificate
    // (presumably Subject Key Identifier vs. Authority Key Identifier).
    enum class KeyIdType : uint8_t
    {
        kSKID = 0,
        kAKID = 1,
    };

    // Selects which distinguished name GetRDNBase64Str() extracts from a certificate.
    enum class RDNType : uint8_t
    {
        kIssuer  = 0,
        kSubject = 1,
    };

    // Takes a parsed revocation-set JSON value plus an AKID (hex string) and an issuer
    // name (base64 string) and returns a bool.
    // NOTE(review): the exact cross-validation rule is defined in the implementation
    // file and is not visible here.
    bool CrossValidateCert(const Json::Value & revokedSet, const std::string & akIdHexStr, const std::string & issuerNameBase64Str);

    // Key identifier helpers: take a DER-encoded certificate and write the requested
    // key identifier to the output string (hex per the names); return a CHIP_ERROR.
    CHIP_ERROR GetKeyIDHexStr(const ByteSpan & certDer, std::string & outKeyIDHexStr, KeyIdType keyIdType);
    CHIP_ERROR GetAKIDHexStr(const ByteSpan & certDer, std::string & outAKIDHexStr);
    CHIP_ERROR GetSKIDHexStr(const ByteSpan & certDer, std::string & outSKIDHexStr);

    // Writes the serial number of the DER-encoded certificate to the output string
    // (hex per the name); returns a CHIP_ERROR.
    CHIP_ERROR GetSerialNumberHexStr(const ByteSpan & certDer, std::string & outSerialNumberHexStr);

    // Name helpers: take a DER-encoded certificate and write the issuer or subject name
    // to the output string (base64 per the names); return a CHIP_ERROR.
    CHIP_ERROR GetRDNBase64Str(const ByteSpan & certDer, std::string & outRDNBase64String, RDNType rdnType);
    CHIP_ERROR GetIssuerNameBase64Str(const ByteSpan & certDer, std::string & outIssuerNameBase64String);
    CHIP_ERROR GetSubjectNameBase64Str(const ByteSpan & certDer, std::string & outSubjectNameBase64String);

    // Revocation-set lookup keyed by AKID (hex), issuer name (base64) and serial number (hex).
    // NOTE(review): whether a missing or unparsable revocation set yields "not revoked"
    // is decided in the implementation; confirm the failure behaviour there.
    bool IsEntryInRevocationSet(const std::string & akidHexStr, const std::string & issuerNameBase64Str,
                                const std::string & serialNumberHexStr);

    // Returns whether the given DER-encoded certificate is considered revoked.
    bool IsCertificateRevoked(const ByteSpan & certDer);

    // Path to the revocation set JSON file (see SetDeviceAttestationRevocationSetPath()).
    std::string mDeviceAttestationRevocationSetPath;
    std::string mRevocationData; // Stores direct JSON data
};

} // namespace Credentials
} // namespace chip
        
