blob: 7e0fc1c43788489c431f19353dd6f023289ee5a0 [file] [log] [blame]
/*
*
* Copyright (c) 2021 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <array>
#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
#include <crypto/CHIPCryptoPAL.h>
#include <lib/core/CHIPConfig.h>
#include <lib/core/CHIPError.h>
#include <lib/support/Span.h>
#include <stdlib.h>
namespace chip {
namespace Credentials {
class CsaCdKeysTrustStore : public WellKnownKeysTrustStore
{
public:
CsaCdKeysTrustStore() = default;
virtual ~CsaCdKeysTrustStore() = default;
CHIP_ERROR AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) override;
CHIP_ERROR AddTrustedKey(const ByteSpan & derCertBytes) override;
CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const override;
bool IsCdTestKey(const ByteSpan & kid) const override;
protected:
struct SingleKeyEntry
{
static constexpr size_t kMaxKidSize = 32u;
uint8_t kidBuffer[kMaxKidSize];
size_t kidSize;
Crypto::P256PublicKey publicKey;
ByteSpan GetKid() const { return ByteSpan{ &kidBuffer[0], kidSize }; }
};
static constexpr size_t kMaxNumTrustedKeys = CHIP_CONFIG_NUM_CD_KEY_SLOTS;
std::array<SingleKeyEntry, kMaxNumTrustedKeys> mTrustedKeys;
size_t mNumTrustedKeys = 0;
};
class DefaultDACVerifier : public DeviceAttestationVerifier
{
public:
DefaultDACVerifier(const AttestationTrustStore * paaRootStore) : mAttestationTrustStore(paaRootStore) {}
DefaultDACVerifier(const AttestationTrustStore * paaRootStore, DeviceAttestationRevocationDelegate * revocationDelegate) :
mAttestationTrustStore(paaRootStore), mRevocationDelegate(revocationDelegate)
{}
void VerifyAttestationInformation(const DeviceAttestationVerifier::AttestationInfo & info,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
AttestationVerificationResult ValidateCertificationDeclarationSignature(const ByteSpan & cmsEnvelopeBuffer,
ByteSpan & certDeclBuffer) override;
AttestationVerificationResult ValidateCertificateDeclarationPayload(const ByteSpan & certDeclBuffer,
const ByteSpan & firmwareInfo,
const DeviceInfoForAttestation & deviceInfo) override;
CHIP_ERROR VerifyNodeOperationalCSRInformation(const ByteSpan & nocsrElementsBuffer,
const ByteSpan & attestationChallengeBuffer,
const ByteSpan & attestationSignatureBuffer,
const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
void CheckForRevokedDACChain(const AttestationInfo & info,
Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
void SetRevocationDelegate(DeviceAttestationRevocationDelegate * revocationDelegate)
{
mRevocationDelegate = revocationDelegate;
}
protected:
DefaultDACVerifier() {}
CsaCdKeysTrustStore mCdKeysTrustStore;
const AttestationTrustStore * mAttestationTrustStore;
DeviceAttestationRevocationDelegate * mRevocationDelegate = nullptr;
};
/**
* @brief Get implementation of a PAA root store containing a basic set of static PAA roots
* sufficient for *testing* only.
*
* WARNING: The PAA list known to this PAA root store is a reduced subset that will likely
* cause users of it to fail attestation procedure in some cases. This is provided
* to support tests and examples, not to be used by real commissioners, as it
* contains several test roots which are not trustworthy for certified product usage.
*
* @returns a singleton AttestationTrustStore that contains some well-known PAA test root certs.
*/
const AttestationTrustStore * GetTestAttestationTrustStore();
/**
* @brief Get a singleton implementation of a sample DAC verifier to validate device
* attestation procedure.
*
* @param[in] paaRootStore Pointer to the AttestationTrustStore instance to be used by implementation
* of default DeviceAttestationVerifier. Caller must ensure storage is
* always available while the DeviceAttestationVerifier could be used.
*
* @returns a singleton DeviceAttestationVerifier that satisfies basic device attestation procedure requirements.
* This has process lifetime, so the paaRootStore must also have
* process lifetime. In particular, after the first call it's not
* possible to change which AttestationTrustStore is used by this verifier.
*/
DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
} // namespace Credentials
} // namespace chip