blob: ffc6a980039a3aa6d54454a27c8662f2ff614929 [file] [log] [blame]
/*
*
* Copyright (c) 2021-2022 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/****************************************************************************
* @file
* @brief Implementation for the Operational Credentials Cluster
***************************************************************************/
#include <access/AccessControl.h>
#include <app-common/zap-generated/attributes/Accessors.h>
#include <app-common/zap-generated/cluster-objects.h>
#include <app-common/zap-generated/ids/Attributes.h>
#include <app/AttributeAccessInterface.h>
#include <app/AttributeAccessInterfaceRegistry.h>
#include <app/CommandHandler.h>
#include <app/ConcreteCommandPath.h>
#include <app/EventLogging.h>
#include <app/InteractionModelEngine.h>
#include <app/reporting/reporting.h>
#include <app/server/Dnssd.h>
#include <app/server/Server.h>
#include <app/util/attribute-storage.h>
#include <credentials/CHIPCert.h>
#include <credentials/CertificationDeclaration.h>
#include <credentials/DeviceAttestationConstructor.h>
#include <credentials/DeviceAttestationCredsProvider.h>
#include <credentials/FabricTable.h>
#include <credentials/GroupDataProvider.h>
#include <lib/core/CHIPSafeCasts.h>
#include <lib/core/PeerId.h>
#include <lib/support/CodeUtils.h>
#include <lib/support/ScopedBuffer.h>
#include <lib/support/logging/CHIPLogging.h>
#include <platform/CHIPDeviceLayer.h>
#include <string.h>
#include <tracing/macros.h>
using namespace chip;
using namespace ::chip::Transport;
using namespace chip::app;
using namespace chip::app::Clusters;
using namespace chip::app::Clusters::OperationalCredentials;
using namespace chip::Credentials;
using namespace chip::Crypto;
using namespace chip::Protocols::InteractionModel;
namespace {
void SendNOCResponse(app::CommandHandler * commandObj, const ConcreteCommandPath & path, NodeOperationalCertStatusEnum status,
uint8_t index, const CharSpan & debug_text);
NodeOperationalCertStatusEnum ConvertToNOCResponseStatus(CHIP_ERROR err);
constexpr auto kDACCertificate = CertificateChainTypeEnum::kDACCertificate;
constexpr auto kPAICertificate = CertificateChainTypeEnum::kPAICertificate;
CHIP_ERROR CreateAccessControlEntryForNewFabricAdministrator(const Access::SubjectDescriptor & subjectDescriptor,
FabricIndex fabricIndex, uint64_t subject)
{
NodeId subjectAsNodeID = static_cast<NodeId>(subject);
if (!IsOperationalNodeId(subjectAsNodeID) && !IsCASEAuthTag(subjectAsNodeID))
{
return CHIP_ERROR_INVALID_ADMIN_SUBJECT;
}
Access::AccessControl::Entry entry;
ReturnErrorOnFailure(Access::GetAccessControl().PrepareEntry(entry));
ReturnErrorOnFailure(entry.SetFabricIndex(fabricIndex));
ReturnErrorOnFailure(entry.SetPrivilege(Access::Privilege::kAdminister));
ReturnErrorOnFailure(entry.SetAuthMode(Access::AuthMode::kCase));
ReturnErrorOnFailure(entry.AddSubject(nullptr, subject));
CHIP_ERROR err = Access::GetAccessControl().CreateEntry(&subjectDescriptor, fabricIndex, nullptr, entry);
if (err != CHIP_NO_ERROR)
{
ChipLogError(Zcl, "OpCreds: Failed to add administrative node ACL entry: %" CHIP_ERROR_FORMAT, err.Format());
return err;
}
ChipLogProgress(Zcl, "OpCreds: ACL entry created for Fabric index 0x%x CASE Admin Subject 0x" ChipLogFormatX64,
static_cast<unsigned>(fabricIndex), ChipLogValueX64(subject));
return CHIP_NO_ERROR;
}
class OperationalCredentialsAttrAccess : public AttributeAccessInterface
{
public:
// Register for the OperationalCredentials cluster on all endpoints.
OperationalCredentialsAttrAccess() :
AttributeAccessInterface(Optional<EndpointId>::Missing(), Clusters::OperationalCredentials::Id)
{}
CHIP_ERROR Read(const ConcreteReadAttributePath & aPath, AttributeValueEncoder & aEncoder) override;
private:
CHIP_ERROR ReadNOCs(EndpointId endpoint, AttributeValueEncoder & aEncoder);
CHIP_ERROR ReadSupportedFabrics(EndpointId endpoint, AttributeValueEncoder & aEncoder);
CHIP_ERROR ReadCommissionedFabrics(EndpointId endpoint, AttributeValueEncoder & aEncoder);
CHIP_ERROR ReadFabricsList(EndpointId endpoint, AttributeValueEncoder & aEncoder);
CHIP_ERROR ReadRootCertificates(EndpointId endpoint, AttributeValueEncoder & aEncoder);
};
CHIP_ERROR OperationalCredentialsAttrAccess::ReadNOCs(EndpointId endpoint, AttributeValueEncoder & aEncoder)
{
auto accessingFabricIndex = aEncoder.AccessingFabricIndex();
return aEncoder.EncodeList([accessingFabricIndex](const auto & encoder) -> CHIP_ERROR {
const auto & fabricTable = Server::GetInstance().GetFabricTable();
for (const auto & fabricInfo : fabricTable)
{
Clusters::OperationalCredentials::Structs::NOCStruct::Type noc;
uint8_t nocBuf[kMaxCHIPCertLength];
uint8_t icacBuf[kMaxCHIPCertLength];
MutableByteSpan nocSpan{ nocBuf };
MutableByteSpan icacSpan{ icacBuf };
FabricIndex fabricIndex = fabricInfo.GetFabricIndex();
noc.fabricIndex = fabricIndex;
if (accessingFabricIndex == fabricIndex)
{
ReturnErrorOnFailure(fabricTable.FetchNOCCert(fabricIndex, nocSpan));
ReturnErrorOnFailure(fabricTable.FetchICACert(fabricIndex, icacSpan));
noc.noc = nocSpan;
if (!icacSpan.empty())
{
noc.icac.SetNonNull(icacSpan);
}
}
ReturnErrorOnFailure(encoder.Encode(noc));
}
return CHIP_NO_ERROR;
});
}
CHIP_ERROR OperationalCredentialsAttrAccess::ReadSupportedFabrics(EndpointId endpoint, AttributeValueEncoder & aEncoder)
{
uint8_t fabricCount = CHIP_CONFIG_MAX_FABRICS;
return aEncoder.Encode(fabricCount);
}
CHIP_ERROR OperationalCredentialsAttrAccess::ReadCommissionedFabrics(EndpointId endpoint, AttributeValueEncoder & aEncoder)
{
return aEncoder.Encode(Server::GetInstance().GetFabricTable().FabricCount());
}
CHIP_ERROR OperationalCredentialsAttrAccess::ReadFabricsList(EndpointId endpoint, AttributeValueEncoder & aEncoder)
{
return aEncoder.EncodeList([](const auto & encoder) -> CHIP_ERROR {
const auto & fabricTable = Server::GetInstance().GetFabricTable();
for (const auto & fabricInfo : fabricTable)
{
Clusters::OperationalCredentials::Structs::FabricDescriptorStruct::Type fabricDescriptor;
FabricIndex fabricIndex = fabricInfo.GetFabricIndex();
fabricDescriptor.fabricIndex = fabricIndex;
fabricDescriptor.nodeID = fabricInfo.GetPeerId().GetNodeId();
fabricDescriptor.vendorID = fabricInfo.GetVendorId();
fabricDescriptor.fabricID = fabricInfo.GetFabricId();
fabricDescriptor.label = fabricInfo.GetFabricLabel();
Crypto::P256PublicKey pubKey;
ReturnErrorOnFailure(fabricTable.FetchRootPubkey(fabricIndex, pubKey));
fabricDescriptor.rootPublicKey = ByteSpan{ pubKey.ConstBytes(), pubKey.Length() };
ReturnErrorOnFailure(encoder.Encode(fabricDescriptor));
}
return CHIP_NO_ERROR;
});
}
CHIP_ERROR OperationalCredentialsAttrAccess::ReadRootCertificates(EndpointId endpoint, AttributeValueEncoder & aEncoder)
{
// It is OK to have duplicates.
return aEncoder.EncodeList([](const auto & encoder) -> CHIP_ERROR {
const auto & fabricTable = Server::GetInstance().GetFabricTable();
for (const auto & fabricInfo : fabricTable)
{
uint8_t certBuf[kMaxCHIPCertLength];
MutableByteSpan cert{ certBuf };
ReturnErrorOnFailure(fabricTable.FetchRootCert(fabricInfo.GetFabricIndex(), cert));
ReturnErrorOnFailure(encoder.Encode(ByteSpan{ cert }));
}
{
uint8_t certBuf[kMaxCHIPCertLength];
MutableByteSpan cert{ certBuf };
CHIP_ERROR err = fabricTable.FetchPendingNonFabricAssociatedRootCert(cert);
if (err == CHIP_ERROR_NOT_FOUND)
{
// No pending root cert, do nothing
}
else if (err != CHIP_NO_ERROR)
{
return err;
}
else
{
ReturnErrorOnFailure(encoder.Encode(ByteSpan{ cert }));
}
}
return CHIP_NO_ERROR;
});
}
OperationalCredentialsAttrAccess gAttrAccess;
CHIP_ERROR OperationalCredentialsAttrAccess::Read(const ConcreteReadAttributePath & aPath, AttributeValueEncoder & aEncoder)
{
VerifyOrDie(aPath.mClusterId == Clusters::OperationalCredentials::Id);
switch (aPath.mAttributeId)
{
case Attributes::NOCs::Id: {
return ReadNOCs(aPath.mEndpointId, aEncoder);
}
case Attributes::SupportedFabrics::Id: {
return ReadSupportedFabrics(aPath.mEndpointId, aEncoder);
}
case Attributes::CommissionedFabrics::Id: {
return ReadCommissionedFabrics(aPath.mEndpointId, aEncoder);
}
case Attributes::Fabrics::Id: {
return ReadFabricsList(aPath.mEndpointId, aEncoder);
}
case Attributes::TrustedRootCertificates::Id: {
return ReadRootCertificates(aPath.mEndpointId, aEncoder);
}
case Attributes::CurrentFabricIndex::Id: {
return aEncoder.Encode(aEncoder.AccessingFabricIndex());
}
default:
break;
}
return CHIP_NO_ERROR;
}
const FabricInfo * RetrieveCurrentFabric(CommandHandler * aCommandHandler)
{
FabricIndex index = aCommandHandler->GetAccessingFabricIndex();
ChipLogDetail(Zcl, "OpCreds: Finding fabric with fabricIndex 0x%x", static_cast<unsigned>(index));
return Server::GetInstance().GetFabricTable().FindFabricWithIndex(index);
}
CHIP_ERROR DeleteFabricFromTable(FabricIndex fabricIndex)
{
ReturnErrorOnFailure(Server::GetInstance().GetFabricTable().Delete(fabricIndex));
return CHIP_NO_ERROR;
}
void CleanupSessionsForFabric(SessionManager & sessionMgr, FabricIndex fabricIndex)
{
sessionMgr.ExpireAllSessionsForFabric(fabricIndex);
}
void FailSafeCleanup(const chip::DeviceLayer::ChipDeviceEvent * event)
{
ChipLogError(Zcl, "OpCreds: Proceeding to FailSafeCleanup on fail-safe expiry!");
FabricIndex fabricIndex = event->FailSafeTimerExpired.fabricIndex;
// If an AddNOC or UpdateNOC command has been successfully invoked, terminate all CASE sessions associated with the Fabric
// whose Fabric Index is recorded in the Fail-Safe context (see ArmFailSafe Command) by clearing any associated Secure
// Session Context at the Server.
if (event->FailSafeTimerExpired.addNocCommandHasBeenInvoked || event->FailSafeTimerExpired.updateNocCommandHasBeenInvoked)
{
SessionManager & sessionMgr = Server::GetInstance().GetSecureSessionManager();
CleanupSessionsForFabric(sessionMgr, fabricIndex);
}
auto & fabricTable = Server::GetInstance().GetFabricTable();
fabricTable.RevertPendingFabricData();
// If an AddNOC command had been successfully invoked, achieve the equivalent effect of invoking the RemoveFabric command
// against the Fabric Index stored in the Fail-Safe Context for the Fabric Index that was the subject of the AddNOC
// command.
if (event->FailSafeTimerExpired.addNocCommandHasBeenInvoked)
{
CHIP_ERROR err;
err = DeleteFabricFromTable(fabricIndex);
if (err != CHIP_NO_ERROR)
{
ChipLogError(Zcl, "OpCreds: failed to delete fabric at index %u: %" CHIP_ERROR_FORMAT, fabricIndex, err.Format());
}
}
}
void OnPlatformEventHandler(const chip::DeviceLayer::ChipDeviceEvent * event, intptr_t arg)
{
if (event->Type == DeviceLayer::DeviceEventType::kFailSafeTimerExpired)
{
ChipLogError(Zcl, "OpCreds: Got FailSafeTimerExpired");
FailSafeCleanup(event);
}
}
} // anonymous namespace
class OpCredsFabricTableDelegate : public chip::FabricTable::Delegate
{
public:
// Gets called when a fabric is about to be deleted
void FabricWillBeRemoved(const FabricTable & fabricTable, FabricIndex fabricIndex) override
{
// The Leave event SHOULD be emitted by a Node prior to permanently leaving the Fabric.
for (auto endpoint : EnabledEndpointsWithServerCluster(BasicInformation::Id))
{
// If Basic cluster is implemented on this endpoint
BasicInformation::Events::Leave::Type event;
event.fabricIndex = fabricIndex;
EventNumber eventNumber;
if (CHIP_NO_ERROR != LogEvent(event, endpoint, eventNumber))
{
ChipLogError(Zcl, "OpCredsFabricTableDelegate: Failed to record Leave event");
}
}
// Try to send the queued events as soon as possible for this fabric. If the just emitted leave event won't
// be sent this time, it will likely not be delivered at all for the following reasons:
// - removing the fabric expires all associated ReadHandlers, so all subscriptions to
// the leave event will be cancelled.
// - removing the fabric removes all associated access control entries, so generating
// subsequent reports containing the leave event will fail the access control check.
InteractionModelEngine::GetInstance()->GetReportingEngine().ScheduleUrgentEventDeliverySync(MakeOptional(fabricIndex));
}
// Gets called when a fabric is deleted
void OnFabricRemoved(const FabricTable & fabricTable, FabricIndex fabricIndex) override
{
ChipLogProgress(Zcl, "OpCreds: Fabric index 0x%x was removed", static_cast<unsigned>(fabricIndex));
// We need to withdraw the advertisement for the now-removed fabric, so need
// to restart advertising altogether.
app::DnssdServer::Instance().StartServer();
EventManagement::GetInstance().FabricRemoved(fabricIndex);
NotifyFabricTableChanged();
}
// Gets called when a fabric is added/updated, but not necessarily committed to storage
void OnFabricUpdated(const FabricTable & fabricTable, FabricIndex fabricIndex) override { NotifyFabricTableChanged(); }
// Gets called when a fabric in FabricTable is persisted to storage
void OnFabricCommitted(const FabricTable & fabricTable, FabricIndex fabricIndex) override
{
const FabricInfo * fabric = fabricTable.FindFabricWithIndex(fabricIndex);
// Safety check, but should not happen by the code paths involved
VerifyOrReturn(fabric != nullptr);
ChipLogProgress(Zcl,
"OpCreds: Fabric index 0x%x was committed to storage. Compressed Fabric Id 0x" ChipLogFormatX64
", FabricId " ChipLogFormatX64 ", NodeId " ChipLogFormatX64 ", VendorId 0x%04X",
static_cast<unsigned>(fabric->GetFabricIndex()), ChipLogValueX64(fabric->GetCompressedFabricId()),
ChipLogValueX64(fabric->GetFabricId()), ChipLogValueX64(fabric->GetNodeId()), fabric->GetVendorId());
}
private:
void NotifyFabricTableChanged()
{
// Opcreds cluster is always on Endpoint 0
MatterReportingAttributeChangeCallback(0, OperationalCredentials::Id,
OperationalCredentials::Attributes::CommissionedFabrics::Id);
MatterReportingAttributeChangeCallback(0, OperationalCredentials::Id, OperationalCredentials::Attributes::Fabrics::Id);
}
};
OpCredsFabricTableDelegate gFabricDelegate;
void MatterOperationalCredentialsPluginServerInitCallback()
{
AttributeAccessInterfaceRegistry::Instance().Register(&gAttrAccess);
Server::GetInstance().GetFabricTable().AddFabricDelegate(&gFabricDelegate);
DeviceLayer::PlatformMgrImpl().AddEventHandler(OnPlatformEventHandler);
}
bool emberAfOperationalCredentialsClusterRemoveFabricCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::RemoveFabric::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("RemoveFabric", "OperationalCredentials");
auto & fabricBeingRemoved = commandData.fabricIndex;
ChipLogProgress(Zcl, "OpCreds: Received a RemoveFabric Command for FabricIndex 0x%x",
static_cast<unsigned>(fabricBeingRemoved));
if (!IsValidFabricIndex(fabricBeingRemoved))
{
ChipLogError(Zcl, "OpCreds: Failed RemoveFabric due to invalid FabricIndex");
commandObj->AddStatus(commandPath, Status::InvalidCommand);
return true;
}
commandObj->FlushAcksRightAwayOnSlowCommand();
CHIP_ERROR err = DeleteFabricFromTable(fabricBeingRemoved);
SuccessOrExit(err);
// Notification was already done by FabricTable delegate
exit:
// Not using ConvertToNOCResponseStatus here because it's pretty
// AddNOC/UpdateNOC specific.
if (err == CHIP_ERROR_NOT_FOUND)
{
ChipLogError(Zcl, "OpCreds: Failed RemoveFabric due to FabricIndex not found locally");
SendNOCResponse(commandObj, commandPath, NodeOperationalCertStatusEnum::kInvalidFabricIndex, fabricBeingRemoved,
CharSpan());
}
else if (err != CHIP_NO_ERROR)
{
// We have no idea what happened; just report failure.
ChipLogError(Zcl, "OpCreds: Failed RemoveFabric due to internal error (err = %" CHIP_ERROR_FORMAT ")", err.Format());
StatusIB status(err);
commandObj->AddStatus(commandPath, status.mStatus);
}
else
{
ChipLogProgress(Zcl, "OpCreds: RemoveFabric successful");
SendNOCResponse(commandObj, commandPath, NodeOperationalCertStatusEnum::kOk, fabricBeingRemoved, CharSpan());
chip::Messaging::ExchangeContext * ec = commandObj->GetExchangeContext();
FabricIndex currentFabricIndex = commandObj->GetAccessingFabricIndex();
if (currentFabricIndex == fabricBeingRemoved)
{
ec->AbortAllOtherCommunicationOnFabric();
}
else
{
SessionManager * sessionManager = ec->GetExchangeMgr()->GetSessionManager();
CleanupSessionsForFabric(*sessionManager, fabricBeingRemoved);
}
}
return true;
}
bool emberAfOperationalCredentialsClusterUpdateFabricLabelCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::UpdateFabricLabel::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("UpdateFabricLabel", "OperationalCredentials");
auto & label = commandData.label;
auto ourFabricIndex = commandObj->GetAccessingFabricIndex();
auto finalStatus = Status::Failure;
auto & fabricTable = Server::GetInstance().GetFabricTable();
ChipLogProgress(Zcl, "OpCreds: Received an UpdateFabricLabel command");
if (label.size() > 32)
{
ChipLogError(Zcl, "OpCreds: Failed UpdateFabricLabel due to invalid label size %u", static_cast<unsigned>(label.size()));
commandObj->AddStatus(commandPath, Status::InvalidCommand);
return true;
}
for (const auto & fabricInfo : fabricTable)
{
if (fabricInfo.GetFabricLabel().data_equal(label) && fabricInfo.GetFabricIndex() != ourFabricIndex)
{
ChipLogError(Zcl, "Fabric label already in use");
SendNOCResponse(commandObj, commandPath, NodeOperationalCertStatusEnum::kLabelConflict, ourFabricIndex, CharSpan());
return true;
}
}
// Set Label on fabric. Any error on this is basically an internal error...
// NOTE: if an UpdateNOC had caused a pending fabric, that pending fabric is
// the one updated thereafter. Otherwise, the data is committed to storage
// as soon as the update is done.
CHIP_ERROR err = fabricTable.SetFabricLabel(ourFabricIndex, label);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
finalStatus = Status::Success;
// Succeeded at updating the label, mark Fabrics table changed.
MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
OperationalCredentials::Attributes::Fabrics::Id);
exit:
if (finalStatus == Status::Success)
{
SendNOCResponse(commandObj, commandPath, NodeOperationalCertStatusEnum::kOk, ourFabricIndex, CharSpan());
}
else
{
commandObj->AddStatus(commandPath, finalStatus);
}
return true;
}
namespace {
void SendNOCResponse(app::CommandHandler * commandObj, const ConcreteCommandPath & path, NodeOperationalCertStatusEnum status,
uint8_t index, const CharSpan & debug_text)
{
Commands::NOCResponse::Type payload;
payload.statusCode = status;
if (status == NodeOperationalCertStatusEnum::kOk)
{
payload.fabricIndex.Emplace(index);
}
if (!debug_text.empty())
{
// Max length of DebugText is 128 in the spec.
const CharSpan & to_send = debug_text.size() > 128 ? debug_text.SubSpan(0, 128) : debug_text;
payload.debugText.Emplace(to_send);
}
commandObj->AddResponse(path, payload);
}
NodeOperationalCertStatusEnum ConvertToNOCResponseStatus(CHIP_ERROR err)
{
if (err == CHIP_NO_ERROR)
{
return NodeOperationalCertStatusEnum::kOk;
}
if (err == CHIP_ERROR_INVALID_PUBLIC_KEY)
{
return NodeOperationalCertStatusEnum::kInvalidPublicKey;
}
if (err == CHIP_ERROR_WRONG_NODE_ID)
{
return NodeOperationalCertStatusEnum::kInvalidNodeOpId;
}
if (err == CHIP_ERROR_UNSUPPORTED_CERT_FORMAT)
{
return NodeOperationalCertStatusEnum::kInvalidNOC;
}
if (err == CHIP_ERROR_WRONG_CERT_DN)
{
return NodeOperationalCertStatusEnum::kInvalidNOC;
}
if (err == CHIP_ERROR_INCORRECT_STATE)
{
return NodeOperationalCertStatusEnum::kMissingCsr;
}
if (err == CHIP_ERROR_NO_MEMORY)
{
return NodeOperationalCertStatusEnum::kTableFull;
}
if (err == CHIP_ERROR_FABRIC_EXISTS)
{
return NodeOperationalCertStatusEnum::kFabricConflict;
}
if (err == CHIP_ERROR_INVALID_FABRIC_INDEX)
{
return NodeOperationalCertStatusEnum::kInvalidFabricIndex;
}
if (err == CHIP_ERROR_INVALID_ADMIN_SUBJECT)
{
return NodeOperationalCertStatusEnum::kInvalidAdminSubject;
}
return NodeOperationalCertStatusEnum::kInvalidNOC;
}
} // namespace
bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::AddNOC::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("AddNOC", "OperationalCredentials");
auto & NOCValue = commandData.NOCValue;
auto & ICACValue = commandData.ICACValue;
auto & adminVendorId = commandData.adminVendorId;
auto & ipkValue = commandData.IPKValue;
auto * groupDataProvider = Credentials::GetGroupDataProvider();
auto nocResponse = NodeOperationalCertStatusEnum::kOk;
auto nonDefaultStatus = Status::Success;
bool needRevert = false;
CHIP_ERROR err = CHIP_NO_ERROR;
FabricIndex newFabricIndex = kUndefinedFabricIndex;
Credentials::GroupDataProvider::KeySet keyset;
const FabricInfo * newFabricInfo = nullptr;
auto & fabricTable = Server::GetInstance().GetFabricTable();
auto * secureSession = commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession();
auto & failSafeContext = Server::GetInstance().GetFailSafeContext();
uint8_t compressed_fabric_id_buffer[sizeof(uint64_t)];
MutableByteSpan compressed_fabric_id(compressed_fabric_id_buffer);
bool csrWasForUpdateNoc = false; //< Output param of HasPendingOperationalKey
bool hasPendingKey = fabricTable.HasPendingOperationalKey(csrWasForUpdateNoc);
ChipLogProgress(Zcl, "OpCreds: Received an AddNOC command");
VerifyOrExit(NOCValue.size() <= Credentials::kMaxCHIPCertLength, nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(!ICACValue.HasValue() || ICACValue.Value().size() <= Credentials::kMaxCHIPCertLength,
nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(ipkValue.size() == Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES, nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(IsVendorIdValidOperationally(adminVendorId), nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()),
nonDefaultStatus = Status::FailsafeRequired);
VerifyOrExit(!failSafeContext.NocCommandHasBeenInvoked(), nonDefaultStatus = Status::ConstraintError);
// Must have had a previous CSR request, not tagged for UpdateNOC
VerifyOrExit(hasPendingKey, nocResponse = NodeOperationalCertStatusEnum::kMissingCsr);
VerifyOrExit(!csrWasForUpdateNoc, nonDefaultStatus = Status::ConstraintError);
// Internal error that would prevent IPK from being added
VerifyOrExit(groupDataProvider != nullptr, nonDefaultStatus = Status::Failure);
// Flush acks before really slow work
commandObj->FlushAcksRightAwayOnSlowCommand();
// We can't possibly have a matching root based on the fact that we don't have
// a shared root store. Therefore we would later fail path validation due to
// missing root. Let's early-bail with InvalidNOC.
VerifyOrExit(failSafeContext.AddTrustedRootCertHasBeenInvoked(), nocResponse = NodeOperationalCertStatusEnum::kInvalidNOC);
// Check this explicitly before adding the fabric so we don't need to back out changes if this is an error.
VerifyOrExit(IsOperationalNodeId(commandData.caseAdminSubject) || IsCASEAuthTag(commandData.caseAdminSubject),
nocResponse = NodeOperationalCertStatusEnum::kInvalidAdminSubject);
err = fabricTable.AddNewPendingFabricWithOperationalKeystore(NOCValue, ICACValue.ValueOr(ByteSpan{}), adminVendorId,
&newFabricIndex);
VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
// From here if we error-out, we should revert the fabric table pending updates
needRevert = true;
newFabricInfo = fabricTable.FindFabricWithIndex(newFabricIndex);
VerifyOrExit(newFabricInfo != nullptr, nonDefaultStatus = Status::Failure);
// Set the Identity Protection Key (IPK)
// The IPK SHALL be the operational group key under GroupKeySetID of 0
keyset.keyset_id = Credentials::GroupDataProvider::kIdentityProtectionKeySetId;
keyset.policy = GroupKeyManagement::GroupKeySecurityPolicyEnum::kTrustFirst;
keyset.num_keys_used = 1;
keyset.epoch_keys[0].start_time = 0;
memcpy(keyset.epoch_keys[0].key, ipkValue.data(), Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES);
err = newFabricInfo->GetCompressedFabricIdBytes(compressed_fabric_id);
VerifyOrExit(err == CHIP_NO_ERROR, nonDefaultStatus = Status::Failure);
err = groupDataProvider->SetKeySet(newFabricIndex, compressed_fabric_id, keyset);
VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
/**
* . If the current secure session was established with PASE,
* the receiver SHALL:
* .. Augment the secure session context with the `FabricIndex` generated above
* such that subsequent interactions have the proper accessing fabric.
*
* . If the current secure session was established with CASE, subsequent configuration
* of the newly installed Fabric requires the opening of a new CASE session from the
* Administrator from the Fabric just installed. This Administrator is the one listed
* in the `caseAdminSubject` argument.
*
*/
if (secureSession->GetSecureSessionType() == SecureSession::Type::kPASE)
{
err = secureSession->AdoptFabricIndex(newFabricIndex);
VerifyOrExit(err == CHIP_NO_ERROR, nonDefaultStatus = Status::Failure);
}
// Creating the initial ACL must occur after the PASE session has adopted the fabric index
// (see above) so that the concomitant event, which is fabric scoped, is properly handled.
err = CreateAccessControlEntryForNewFabricAdministrator(commandObj->GetSubjectDescriptor(), newFabricIndex,
commandData.caseAdminSubject);
VerifyOrExit(err != CHIP_ERROR_INTERNAL, nonDefaultStatus = Status::Failure);
VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
// The Fabric Index associated with the armed fail-safe context SHALL be updated to match the Fabric
// Index just allocated.
failSafeContext.SetAddNocCommandInvoked(newFabricIndex);
// Done all intermediate steps, we are now successful
needRevert = false;
// We might have a new operational identity, so we should start advertising it right away.
err = app::DnssdServer::Instance().AdvertiseOperational();
if (err != CHIP_NO_ERROR)
{
ChipLogError(AppServer, "Operational advertising failed: %" CHIP_ERROR_FORMAT, err.Format());
}
// Notify the attributes containing fabric metadata can be read with new data
MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
OperationalCredentials::Attributes::Fabrics::Id);
// Notify we have one more fabric
MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
OperationalCredentials::Attributes::CommissionedFabrics::Id);
exit:
if (needRevert)
{
// Here, on revert, we DO NOT call FabricTable::Delete as this would also remove the existing
// trusted root previously added. It possibly got reverted in case of the worst kinds of errors,
// but a better impl of the innards of FabricTable::CommitPendingFabricData would make it work.
fabricTable.RevertPendingOpCertsExceptRoot();
// Revert IPK and ACL entries added, ignoring errors, since some steps may have been skipped
// and error handling does not assist.
if (groupDataProvider != nullptr)
{
(void) groupDataProvider->RemoveFabric(newFabricIndex);
}
(void) Access::GetAccessControl().DeleteAllEntriesForFabric(newFabricIndex);
MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
OperationalCredentials::Attributes::CommissionedFabrics::Id);
MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
OperationalCredentials::Attributes::Fabrics::Id);
}
// We have an NOC response
if (nonDefaultStatus == Status::Success)
{
SendNOCResponse(commandObj, commandPath, nocResponse, newFabricIndex, CharSpan());
// Failed to add NOC
if (nocResponse != NodeOperationalCertStatusEnum::kOk)
{
ChipLogError(Zcl, "OpCreds: Failed AddNOC request (err=%" CHIP_ERROR_FORMAT ") with OperationalCert error %d",
err.Format(), to_underlying(nocResponse));
}
// Success
else
{
ChipLogProgress(Zcl, "OpCreds: successfully created fabric index 0x%x via AddNOC",
static_cast<unsigned>(newFabricIndex));
}
}
// No NOC response - Failed constraints
else
{
commandObj->AddStatus(commandPath, nonDefaultStatus);
ChipLogError(Zcl, "OpCreds: Failed AddNOC request with IM error 0x%02x", to_underlying(nonDefaultStatus));
}
return true;
}
bool emberAfOperationalCredentialsClusterUpdateNOCCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::UpdateNOC::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("UpdateNOC", "OperationalCredentials");
auto & NOCValue = commandData.NOCValue;
auto & ICACValue = commandData.ICACValue;
auto nocResponse = NodeOperationalCertStatusEnum::kOk;
auto nonDefaultStatus = Status::Success;
CHIP_ERROR err = CHIP_NO_ERROR;
FabricIndex fabricIndex = 0;
ChipLogProgress(Zcl, "OpCreds: Received an UpdateNOC command");
auto & fabricTable = Server::GetInstance().GetFabricTable();
auto & failSafeContext = Server::GetInstance().GetFailSafeContext();
const FabricInfo * fabricInfo = RetrieveCurrentFabric(commandObj);
bool csrWasForUpdateNoc = false; //< Output param of HasPendingOperationalKey
bool hasPendingKey = fabricTable.HasPendingOperationalKey(csrWasForUpdateNoc);
VerifyOrExit(NOCValue.size() <= Credentials::kMaxCHIPCertLength, nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(!ICACValue.HasValue() || ICACValue.Value().size() <= Credentials::kMaxCHIPCertLength,
nonDefaultStatus = Status::InvalidCommand);
VerifyOrExit(failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()),
nonDefaultStatus = Status::FailsafeRequired);
VerifyOrExit(!failSafeContext.NocCommandHasBeenInvoked(), nonDefaultStatus = Status::ConstraintError);
// Must have had a previous CSR request, tagged for UpdateNOC
VerifyOrExit(hasPendingKey, nocResponse = NodeOperationalCertStatusEnum::kMissingCsr);
VerifyOrExit(csrWasForUpdateNoc, nonDefaultStatus = Status::ConstraintError);
// If current fabric is not available, command was invoked over PASE which is not legal
VerifyOrExit(fabricInfo != nullptr, nocResponse = ConvertToNOCResponseStatus(CHIP_ERROR_INSUFFICIENT_PRIVILEGE));
fabricIndex = fabricInfo->GetFabricIndex();
// Flush acks before really slow work
commandObj->FlushAcksRightAwayOnSlowCommand();
err = fabricTable.UpdatePendingFabricWithOperationalKeystore(fabricIndex, NOCValue, ICACValue.ValueOr(ByteSpan{}));
VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
// Flag on the fail-safe context that the UpdateNOC command was invoked.
failSafeContext.SetUpdateNocCommandInvoked();
// We might have a new operational identity, so we should start advertising
// it right away. Also, we need to withdraw our old operational identity.
// So we need to StartServer() here.
app::DnssdServer::Instance().StartServer();
// Attribute notification was already done by fabric table
exit:
// We have an NOC response
if (nonDefaultStatus == Status::Success)
{
SendNOCResponse(commandObj, commandPath, nocResponse, fabricIndex, CharSpan());
// Failed to update NOC
if (nocResponse != NodeOperationalCertStatusEnum::kOk)
{
ChipLogError(Zcl, "OpCreds: Failed UpdateNOC request (err=%" CHIP_ERROR_FORMAT ") with OperationalCert error %d",
err.Format(), to_underlying(nocResponse));
}
// Success
else
{
ChipLogProgress(Zcl, "OpCreds: UpdateNOC successful.");
// On success, revoke all CASE sessions on the fabric hosting the exchange.
// From spec:
//
// All internal data reflecting the prior operational identifier of the Node within the Fabric
// SHALL be revoked and removed, to an outcome equivalent to the disappearance of the prior Node,
// except for the ongoing CASE session context, which SHALL temporarily remain valid until the
// `NOCResponse` has been successfully delivered or until the next transport-layer error, so
// that the response can be received by the Administrator invoking the command.
commandObj->GetExchangeContext()->AbortAllOtherCommunicationOnFabric();
}
}
// No NOC response - Failed constraints
else
{
commandObj->AddStatus(commandPath, nonDefaultStatus);
ChipLogError(Zcl, "OpCreds: Failed UpdateNOC request with IM error 0x%02x", to_underlying(nonDefaultStatus));
}
return true;
}
bool emberAfOperationalCredentialsClusterCertificateChainRequestCallback(
app::CommandHandler * commandObj, const app::ConcreteCommandPath & commandPath,
const Commands::CertificateChainRequest::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("CertificateChainRequest", "OperationalCredentials");
auto & certificateType = commandData.certificateType;
CHIP_ERROR err = CHIP_NO_ERROR;
uint8_t derBuf[Credentials::kMaxDERCertLength];
MutableByteSpan derBufSpan(derBuf);
Commands::CertificateChainResponse::Type response;
Credentials::DeviceAttestationCredentialsProvider * dacProvider = Credentials::GetDeviceAttestationCredentialsProvider();
VerifyOrExit(commandObj != nullptr, err = CHIP_ERROR_INCORRECT_STATE);
if (certificateType == kDACCertificate)
{
ChipLogProgress(Zcl, "OpCreds: Certificate Chain request received for DAC");
SuccessOrExit(err = dacProvider->GetDeviceAttestationCert(derBufSpan));
}
else if (certificateType == kPAICertificate)
{
ChipLogProgress(Zcl, "OpCreds: Certificate Chain request received for PAI");
SuccessOrExit(err = dacProvider->GetProductAttestationIntermediateCert(derBufSpan));
}
else
{
ChipLogError(Zcl, "OpCreds: Certificate Chain request received for unknown type: %d", static_cast<int>(certificateType));
commandObj->AddStatus(commandPath, Status::InvalidCommand);
return true;
}
response.certificate = derBufSpan;
commandObj->AddResponse(commandPath, response);
exit:
if (err != CHIP_NO_ERROR)
{
ChipLogError(Zcl, "OpCreds: Failed CertificateChainRequest: %" CHIP_ERROR_FORMAT, err.Format());
commandObj->AddStatus(commandPath, Status::Failure);
}
return true;
}
bool emberAfOperationalCredentialsClusterAttestationRequestCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::AttestationRequest::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("AttestationRequest", "OperationalCredentials");
auto & attestationNonce = commandData.attestationNonce;
auto finalStatus = Status::Failure;
CHIP_ERROR err = CHIP_ERROR_INVALID_ARGUMENT;
ByteSpan tbsSpan;
Platform::ScopedMemoryBuffer<uint8_t> attestationElements;
size_t attestationElementsLen = 0;
MutableByteSpan attestationElementsSpan;
uint8_t certDeclBuf[Credentials::kMaxCMSSignedCDMessage]; // Sized to hold the example certificate declaration with 100 PIDs.
// See DeviceAttestationCredsExample
MutableByteSpan certDeclSpan(certDeclBuf);
// TODO: Create an alternative way to retrieve the Attestation Challenge without this huge amount of calls.
// Retrieve attestation challenge
ByteSpan attestationChallenge =
commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge();
// TODO: in future versions, retrieve vendor information to populate the fields below.
uint32_t timestamp = 0;
Credentials::DeviceAttestationVendorReservedConstructor emptyVendorReserved(nullptr, 0);
// TODO: in future versions, also retrieve and use firmware Information
const ByteSpan kEmptyFirmwareInfo;
ChipLogProgress(Zcl, "OpCreds: Received an AttestationRequest command");
// Flush acks before really slow work
commandObj->FlushAcksRightAwayOnSlowCommand();
Credentials::DeviceAttestationCredentialsProvider * dacProvider = Credentials::GetDeviceAttestationCredentialsProvider();
VerifyOrExit(attestationNonce.size() == Credentials::kExpectedAttestationNonceSize, finalStatus = Status::InvalidCommand);
if (dacProvider == nullptr)
{
err = CHIP_ERROR_INTERNAL;
VerifyOrExit(dacProvider != nullptr, finalStatus = Status::Failure);
}
err = dacProvider->GetCertificationDeclaration(certDeclSpan);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
attestationElementsLen = TLV::EstimateStructOverhead(certDeclSpan.size(), attestationNonce.size(), sizeof(uint64_t) * 8);
if (!attestationElements.Alloc(attestationElementsLen + attestationChallenge.size()))
{
err = CHIP_ERROR_NO_MEMORY;
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::ResourceExhausted);
}
attestationElementsSpan = MutableByteSpan{ attestationElements.Get(), attestationElementsLen };
err = Credentials::ConstructAttestationElements(certDeclSpan, attestationNonce, timestamp, kEmptyFirmwareInfo,
emptyVendorReserved, attestationElementsSpan);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
// Append attestation challenge in the back of the reserved space for the signature
memcpy(attestationElements.Get() + attestationElementsSpan.size(), attestationChallenge.data(), attestationChallenge.size());
tbsSpan = ByteSpan{ attestationElements.Get(), attestationElementsSpan.size() + attestationChallenge.size() };
{
Crypto::P256ECDSASignature signature;
MutableByteSpan signatureSpan{ signature.Bytes(), signature.Capacity() };
// Generate attestation signature
err = dacProvider->SignWithDeviceAttestationKey(tbsSpan, signatureSpan);
ClearSecretData(attestationElements.Get() + attestationElementsSpan.size(), attestationChallenge.size());
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
VerifyOrExit(signatureSpan.size() == Crypto::P256ECDSASignature::Capacity(), finalStatus = Status::Failure);
Commands::AttestationResponse::Type response;
response.attestationElements = attestationElementsSpan;
response.attestationSignature = signatureSpan;
ChipLogProgress(Zcl, "OpCreds: AttestationRequest successful.");
finalStatus = Status::Success;
commandObj->AddResponse(commandPath, response);
}
exit:
if (finalStatus != Status::Success)
{
commandObj->AddStatus(commandPath, finalStatus);
ChipLogError(Zcl, "OpCreds: Failed AttestationRequest request with IM error 0x%02x (err = %" CHIP_ERROR_FORMAT ")",
to_underlying(finalStatus), err.Format());
}
return true;
}
bool emberAfOperationalCredentialsClusterCSRRequestCallback(app::CommandHandler * commandObj,
const app::ConcreteCommandPath & commandPath,
const Commands::CSRRequest::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("CSRRequest", "OperationalCredentials");
ChipLogProgress(Zcl, "OpCreds: Received a CSRRequest command");
chip::Platform::ScopedMemoryBuffer<uint8_t> nocsrElements;
MutableByteSpan nocsrElementsSpan;
auto finalStatus = Status::Failure;
ByteSpan tbsSpan;
// Start with CHIP_ERROR_INVALID_ARGUMENT so that cascading errors yield correct
// logs by the end. We use finalStatus as our overall success marker, not error
CHIP_ERROR err = CHIP_ERROR_INVALID_ARGUMENT;
auto & fabricTable = Server::GetInstance().GetFabricTable();
auto & failSafeContext = Server::GetInstance().GetFailSafeContext();
auto & CSRNonce = commandData.CSRNonce;
bool isForUpdateNoc = commandData.isForUpdateNOC.ValueOr(false);
// TODO: Create an alternative way to retrieve the Attestation Challenge without this huge amount of calls.
// Retrieve attestation challenge
ByteSpan attestationChallenge =
commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge();
failSafeContext.SetCsrRequestForUpdateNoc(isForUpdateNoc);
const FabricInfo * fabricInfo = RetrieveCurrentFabric(commandObj);
VerifyOrExit(CSRNonce.size() == Credentials::kExpectedAttestationNonceSize, finalStatus = Status::InvalidCommand);
// If current fabric is not available, command was invoked over PASE which is not legal if IsForUpdateNOC is true.
VerifyOrExit(!isForUpdateNoc || (fabricInfo != nullptr), finalStatus = Status::InvalidCommand);
VerifyOrExit(failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()), finalStatus = Status::FailsafeRequired);
VerifyOrExit(!failSafeContext.NocCommandHasBeenInvoked(), finalStatus = Status::ConstraintError);
// Flush acks before really slow work
commandObj->FlushAcksRightAwayOnSlowCommand();
// Prepare NOCSRElements structure
{
constexpr size_t csrLength = Crypto::kMIN_CSR_Buffer_Size;
size_t nocsrLengthEstimate = 0;
ByteSpan kNoVendorReserved;
Platform::ScopedMemoryBuffer<uint8_t> csr;
MutableByteSpan csrSpan;
// Generate the actual CSR from the ephemeral key
if (!csr.Alloc(csrLength))
{
err = CHIP_ERROR_NO_MEMORY;
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::ResourceExhausted);
}
csrSpan = MutableByteSpan{ csr.Get(), csrLength };
Optional<FabricIndex> fabricIndexForCsr;
if (isForUpdateNoc)
{
fabricIndexForCsr.SetValue(commandObj->GetAccessingFabricIndex());
}
err = fabricTable.AllocatePendingOperationalKey(fabricIndexForCsr, csrSpan);
if (csrSpan.size() > csrLength)
{
err = CHIP_ERROR_INTERNAL;
}
if (err != CHIP_NO_ERROR)
{
ChipLogError(Zcl, "OpCreds: AllocatePendingOperationalKey returned %" CHIP_ERROR_FORMAT, err.Format());
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
}
ChipLogProgress(Zcl, "OpCreds: AllocatePendingOperationalKey succeeded");
// Encode the NOCSR elements with the CSR and Nonce
nocsrLengthEstimate = TLV::EstimateStructOverhead(csrSpan.size(), // CSR buffer
CSRNonce.size(), // CSR Nonce
0u // no vendor reserved data
);
if (!nocsrElements.Alloc(nocsrLengthEstimate + attestationChallenge.size()))
{
err = CHIP_ERROR_NO_MEMORY;
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::ResourceExhausted);
}
nocsrElementsSpan = MutableByteSpan{ nocsrElements.Get(), nocsrLengthEstimate };
err = Credentials::ConstructNOCSRElements(ByteSpan{ csrSpan.data(), csrSpan.size() }, CSRNonce, kNoVendorReserved,
kNoVendorReserved, kNoVendorReserved, nocsrElementsSpan);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
// Append attestation challenge in the back of the reserved space for the signature
memcpy(nocsrElements.Get() + nocsrElementsSpan.size(), attestationChallenge.data(), attestationChallenge.size());
tbsSpan = ByteSpan{ nocsrElements.Get(), nocsrElementsSpan.size() + attestationChallenge.size() };
{
Credentials::DeviceAttestationCredentialsProvider * dacProvider =
Credentials::GetDeviceAttestationCredentialsProvider();
Crypto::P256ECDSASignature signature;
MutableByteSpan signatureSpan{ signature.Bytes(), signature.Capacity() };
// Generate attestation signature
err = dacProvider->SignWithDeviceAttestationKey(tbsSpan, signatureSpan);
ClearSecretData(nocsrElements.Get() + nocsrElementsSpan.size(), attestationChallenge.size());
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
VerifyOrExit(signatureSpan.size() == Crypto::P256ECDSASignature::Capacity(), finalStatus = Status::Failure);
Commands::CSRResponse::Type response;
response.NOCSRElements = nocsrElementsSpan;
response.attestationSignature = signatureSpan;
ChipLogProgress(Zcl, "OpCreds: CSRRequest successful.");
finalStatus = Status::Success;
commandObj->AddResponse(commandPath, response);
}
}
exit:
// If failed constraints or internal errors, send a status report instead of the response sent above
if (finalStatus != Status::Success)
{
commandObj->AddStatus(commandPath, finalStatus);
ChipLogError(Zcl, "OpCreds: Failed CSRRequest request with IM error 0x%02x (err = %" CHIP_ERROR_FORMAT ")",
to_underlying(finalStatus), err.Format());
}
return true;
}
bool emberAfOperationalCredentialsClusterAddTrustedRootCertificateCallback(
app::CommandHandler * commandObj, const app::ConcreteCommandPath & commandPath,
const Commands::AddTrustedRootCertificate::DecodableType & commandData)
{
MATTER_TRACE_SCOPE("AddTrustedRootCertificate", "OperationalCredentials");
auto & fabricTable = Server::GetInstance().GetFabricTable();
auto finalStatus = Status::Failure;
// Start with CHIP_ERROR_INVALID_ARGUMENT so that cascading errors yield correct
// logs by the end. We use finalStatus as our overall success marker, not error
CHIP_ERROR err = CHIP_ERROR_INVALID_ARGUMENT;
auto & rootCertificate = commandData.rootCACertificate;
auto & failSafeContext = Server::GetInstance().GetFailSafeContext();
ChipLogProgress(Zcl, "OpCreds: Received an AddTrustedRootCertificate command");
VerifyOrExit(rootCertificate.size() <= Credentials::kMaxCHIPCertLength, finalStatus = Status::InvalidCommand);
VerifyOrExit(failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()), finalStatus = Status::FailsafeRequired);
// Can only add a single trusted root cert per fail-safe
VerifyOrExit(!failSafeContext.AddTrustedRootCertHasBeenInvoked(), finalStatus = Status::ConstraintError);
// If we successfully invoked AddNOC/UpdateNOC, this command cannot possibly
// be useful in the context.
VerifyOrExit(!failSafeContext.NocCommandHasBeenInvoked(), finalStatus = Status::ConstraintError);
// Flush acks before really slow work
commandObj->FlushAcksRightAwayOnSlowCommand();
err = ValidateChipRCAC(rootCertificate);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::InvalidCommand);
err = fabricTable.AddNewPendingTrustedRootCert(rootCertificate);
VerifyOrExit(err != CHIP_ERROR_NO_MEMORY, finalStatus = Status::ResourceExhausted);
// CHIP_ERROR_INVALID_ARGUMENT by the time we reach here means bad format
VerifyOrExit(err != CHIP_ERROR_INVALID_ARGUMENT, finalStatus = Status::InvalidCommand);
VerifyOrExit(err == CHIP_NO_ERROR, finalStatus = Status::Failure);
// Got here, so we succeeded, mark AddTrustedRootCert has having been invoked.
ChipLogProgress(Zcl, "OpCreds: AddTrustedRootCertificate successful.");
finalStatus = Status::Success;
failSafeContext.SetAddTrustedRootCertInvoked();
exit:
if (finalStatus != Status::Success)
{
ChipLogError(Zcl, "OpCreds: Failed AddTrustedRootCertificate request with IM error 0x%02x (err = %" CHIP_ERROR_FORMAT ")",
to_underlying(finalStatus), err.Format());
}
commandObj->AddStatus(commandPath, finalStatus);
return true;
}