blob: c8a3ba4f6fcbf994fda0c3426bbf3a75b029883f [file] [log] [blame]
/*
*
* Copyright (c) 2022 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "Options.h"
#include <algorithm>
#include <app-common/zap-generated/cluster-objects.h>
#include <app/data-model/Encode.h>
#include <credentials/DeviceAttestationConstructor.h>
#include <crypto/CHIPCryptoPAL.h>
using namespace chip;
using namespace chip::app;
using namespace chip::app::Clusters::OperationalCredentials::Commands;
constexpr size_t kMaxResponseLength = 900;
constexpr size_t kCSRNonceLength = 32;
namespace {
CHIP_ERROR ConstructCustomNOCSRElements(TLV::TLVWriter & writer, TLV::Tag tag, const ByteSpan & nocsrElements,
CSRResponseOptions & options)
{
ByteSpan csr;
ByteSpan csrNonce;
ByteSpan vendorReserved1;
ByteSpan vendorReserved2;
ByteSpan vendorReserved3;
ReturnErrorOnFailure(
Credentials::DeconstructNOCSRElements(nocsrElements, csr, csrNonce, vendorReserved1, vendorReserved2, vendorReserved3));
// Add 10 bytes of possible overhead to allow the generation of content longer than the allowed maximum of RESP_MAX.
// 10 has been choosen to leave enough space for the possible TLV overhead when adding the additional data.
uint8_t nocsrElementsData[kMaxResponseLength + 10];
MutableByteSpan nocsrElementsSpan(nocsrElementsData);
TLV::TLVType outerContainerType = TLV::kTLVType_NotSpecified;
TLV::TLVWriter tlvWriter;
tlvWriter.Init(nocsrElementsSpan);
ReturnErrorOnFailure(tlvWriter.StartContainer(TLV::AnonymousTag(), TLV::kTLVType_Structure, outerContainerType));
// Update CSR
if (options.csrIncorrectType)
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(1), true));
}
else
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(1), csr));
}
// Update CSRNonce
if (options.csrNonceIncorrectType)
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(2), true));
}
else if (options.csrNonceInvalid)
{
uint8_t csrNonceInvalid[kCSRNonceLength] = {};
memcpy(csrNonceInvalid, csrNonce.data(), csrNonce.size());
std::reverse(csrNonceInvalid, csrNonceInvalid + sizeof(csrNonceInvalid));
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(2), ByteSpan(csrNonceInvalid)));
}
else if (options.csrNonceTooLong)
{
uint8_t csrNonceTooLong[kCSRNonceLength + 1] = {};
memcpy(csrNonceTooLong, csrNonce.data(), csrNonce.size());
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(2), ByteSpan(csrNonceTooLong)));
}
else
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(2), csrNonce));
}
// Add vendorReserved1 if present
if (!vendorReserved1.empty())
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(3), vendorReserved1));
}
// Add vendorReserved2 if present
if (!vendorReserved2.empty())
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(4), vendorReserved2));
}
// Add vendorReserved3 if present
if (!vendorReserved3.empty())
{
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(5), vendorReserved3));
}
// Add additional data
if (options.nocsrElementsTooLong)
{
size_t len = kMaxResponseLength - tlvWriter.GetLengthWritten();
ReturnLogErrorOnFailure(tlvWriter.Put(TLV::ContextTag(6), ByteSpan(nocsrElementsData, len)));
}
ReturnErrorOnFailure(tlvWriter.EndContainer(outerContainerType));
ReturnErrorOnFailure(tlvWriter.Finalize());
return DataModel::Encode(writer, tag, nocsrElementsSpan.SubSpan(0, tlvWriter.GetLengthWritten()));
}
CHIP_ERROR ConstructCustomAttestationSignature(TLV::TLVWriter & writer, TLV::Tag tag, const ByteSpan & attestationSignature,
CSRResponseOptions & options)
{
if (options.attestationSignatureIncorrectType)
{
return DataModel::Encode(writer, tag, true);
}
if (options.attestationSignatureInvalid)
{
uint8_t invalidAttestationSignature[Crypto::kP256_ECDSA_Signature_Length_Raw] = {};
memcpy(invalidAttestationSignature, attestationSignature.data(), attestationSignature.size());
std::reverse(invalidAttestationSignature, invalidAttestationSignature + sizeof(invalidAttestationSignature));
return DataModel::Encode(writer, tag, ByteSpan(invalidAttestationSignature));
}
return DataModel::Encode(writer, tag, attestationSignature);
}
} // namespace
namespace chip {
namespace app {
namespace DataModel {
template <>
CHIP_ERROR Encode(TLV::TLVWriter & writer, TLV::Tag tag, const CSRResponse::Type & responseData)
{
auto tag1 = TLV::ContextTag(CSRResponse::Fields::kNOCSRElements);
auto tag2 = TLV::ContextTag(CSRResponse::Fields::kAttestationSignature);
auto & options = LinuxDeviceOptions::GetInstance().mCSRResponseOptions;
TLV::TLVType outer;
ReturnErrorOnFailure(writer.StartContainer(tag, TLV::kTLVType_Structure, outer));
ReturnErrorOnFailure(ConstructCustomNOCSRElements(writer, tag1, responseData.NOCSRElements, options));
ReturnErrorOnFailure(ConstructCustomAttestationSignature(writer, tag2, responseData.attestationSignature, options));
ReturnErrorOnFailure(writer.EndContainer(outer));
return CHIP_NO_ERROR;
}
} // namespace DataModel
} // namespace app
} // namespace chip