examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h - third_party/github/project-chip/connectedhomeip - Git at Google

 /*
  *   Copyright (c) 2021-2022 Project CHIP Authors
  *   All rights reserved.
  *
  *   Licensed under the Apache License, Version 2.0 (the "License");
  *   you may not use this file except in compliance with the License.
  *   You may obtain a copy of the License at
  *
  *       http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing, software
  *   distributed under the License is distributed on an "AS IS" BASIS,
  *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *   See the License for the specific language governing permissions and
  *   limitations under the License.
  *
  */

 #pragma once

 #include <commands/common/CredentialIssuerCommands.h>
 #include <controller/CHIPDeviceControllerFactory.h>
 #include <controller/ExampleOperationalCredentialsIssuer.h>
 #include <credentials/DeviceAttestationCredsProvider.h>
 #include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
 #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>

 class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
 {
 public:
     CHIP_ERROR InitializeCredentialsIssuer(chip::PersistentStorageDelegate & storage) override
     {
         return mOpCredsIssuer.Initialize(storage);
     }
     CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
                                       const chip::Credentials::AttestationTrustStore * trustStore,
                                       chip::Credentials::DeviceAttestationRevocationDelegate * revocationDelegate) override
     {
         chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());

         mDacVerifier                          = chip::Credentials::GetDefaultDACVerifier(trustStore, revocationDelegate);
         setupParams.deviceAttestationVerifier = mDacVerifier;
         mDacVerifier->EnableCdTestKeySupport(mAllowTestCdSigningKey);

         return CHIP_NO_ERROR;
     }

     chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
     void SetCredentialIssuerCATValues(chip::CATValues cats) override { mOpCredsIssuer.SetCATValuesForNextNOCRequest(cats); }
     CHIP_ERROR GenerateControllerNOCChain(chip::NodeId nodeId, chip::FabricId fabricId, const chip::CATValues & cats,
                                           chip::Crypto::P256Keypair & keypair, chip::MutableByteSpan & rcac,
                                           chip::MutableByteSpan & icac, chip::MutableByteSpan & noc) override
     {
         return mOpCredsIssuer.GenerateNOCChainAfterValidation(nodeId, fabricId, cats, keypair.Pubkey(), rcac, icac, noc);
     }

     CHIP_ERROR AddAdditionalCDVerifyingCerts(const std::vector<std::vector<uint8_t>> & additionalCdCerts) override
     {
         VerifyOrReturnError(mDacVerifier != nullptr, CHIP_ERROR_INCORRECT_STATE);

         for (const auto & cert : additionalCdCerts)
         {
             auto cdTrustStore = mDacVerifier->GetCertificationDeclarationTrustStore();
             VerifyOrReturnError(cdTrustStore != nullptr, CHIP_ERROR_INCORRECT_STATE);
             ReturnErrorOnFailure(cdTrustStore->AddTrustedKey(chip::ByteSpan(cert.data(), cert.size())));
         }

         return CHIP_NO_ERROR;
     }

     void SetCredentialIssuerOption(CredentialIssuerOptions option, bool isEnabled) override
     {
         switch (option)
         {
         case CredentialIssuerOptions::kMaximizeCertificateSizes:
             mUsesMaxSizedCerts = isEnabled;
             mOpCredsIssuer.SetMaximallyLargeCertsUsed(mUsesMaxSizedCerts);
             break;
         case CredentialIssuerOptions::kAllowTestCdSigningKey:
             mAllowTestCdSigningKey = isEnabled;
             if (mDacVerifier != nullptr)
             {
                 mDacVerifier->EnableCdTestKeySupport(isEnabled);
             }
             break;
         default:
             break;
         }
     }

     bool GetCredentialIssuerOption(CredentialIssuerOptions option) override
     {
         switch (option)
         {
         case CredentialIssuerOptions::kMaximizeCertificateSizes:
             return mUsesMaxSizedCerts;
         case CredentialIssuerOptions::kAllowTestCdSigningKey:
             return mAllowTestCdSigningKey;
         default:
             return false;
         }
     }

 protected:
     bool mUsesMaxSizedCerts = false;
     // Starts true for legacy purposes
     bool mAllowTestCdSigningKey = true;

 private:
     chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
     chip::Credentials::DeviceAttestationVerifier * mDacVerifier;
 };
	/*
	* Copyright (c) 2021-2022 Project CHIP Authors
	* All rights reserved.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*
	*/

	#pragma once

	#include <commands/common/CredentialIssuerCommands.h>
	#include <controller/CHIPDeviceControllerFactory.h>
	#include <controller/ExampleOperationalCredentialsIssuer.h>
	#include <credentials/DeviceAttestationCredsProvider.h>
	#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
	#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
	#include <credentials/examples/DeviceAttestationCredsExample.h>

	class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
	{
	public:
	CHIP_ERROR InitializeCredentialsIssuer(chip::PersistentStorageDelegate & storage) override
	{
	return mOpCredsIssuer.Initialize(storage);
	}
	CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
	const chip::Credentials::AttestationTrustStore * trustStore,
	chip::Credentials::DeviceAttestationRevocationDelegate * revocationDelegate) override
	{
	chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());

	mDacVerifier = chip::Credentials::GetDefaultDACVerifier(trustStore, revocationDelegate);
	setupParams.deviceAttestationVerifier = mDacVerifier;
	mDacVerifier->EnableCdTestKeySupport(mAllowTestCdSigningKey);

	return CHIP_NO_ERROR;
	}

	chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
	void SetCredentialIssuerCATValues(chip::CATValues cats) override { mOpCredsIssuer.SetCATValuesForNextNOCRequest(cats); }
	CHIP_ERROR GenerateControllerNOCChain(chip::NodeId nodeId, chip::FabricId fabricId, const chip::CATValues & cats,
	chip::Crypto::P256Keypair & keypair, chip::MutableByteSpan & rcac,
	chip::MutableByteSpan & icac, chip::MutableByteSpan & noc) override
	{
	return mOpCredsIssuer.GenerateNOCChainAfterValidation(nodeId, fabricId, cats, keypair.Pubkey(), rcac, icac, noc);
	}

	CHIP_ERROR AddAdditionalCDVerifyingCerts(const std::vector<std::vector<uint8_t>> & additionalCdCerts) override
	{
	VerifyOrReturnError(mDacVerifier != nullptr, CHIP_ERROR_INCORRECT_STATE);

	for (const auto & cert : additionalCdCerts)
	{
	auto cdTrustStore = mDacVerifier->GetCertificationDeclarationTrustStore();
	VerifyOrReturnError(cdTrustStore != nullptr, CHIP_ERROR_INCORRECT_STATE);
	ReturnErrorOnFailure(cdTrustStore->AddTrustedKey(chip::ByteSpan(cert.data(), cert.size())));
	}

	return CHIP_NO_ERROR;
	}

	void SetCredentialIssuerOption(CredentialIssuerOptions option, bool isEnabled) override
	{
	switch (option)
	{
	case CredentialIssuerOptions::kMaximizeCertificateSizes:
	mUsesMaxSizedCerts = isEnabled;
	mOpCredsIssuer.SetMaximallyLargeCertsUsed(mUsesMaxSizedCerts);
	break;
	case CredentialIssuerOptions::kAllowTestCdSigningKey:
	mAllowTestCdSigningKey = isEnabled;
	if (mDacVerifier != nullptr)
	{
	mDacVerifier->EnableCdTestKeySupport(isEnabled);
	}
	break;
	default:
	break;
	}
	}

	bool GetCredentialIssuerOption(CredentialIssuerOptions option) override
	{
	switch (option)
	{
	case CredentialIssuerOptions::kMaximizeCertificateSizes:
	return mUsesMaxSizedCerts;
	case CredentialIssuerOptions::kAllowTestCdSigningKey:
	return mAllowTestCdSigningKey;
	default:
	return false;
	}
	}

	protected:
	bool mUsesMaxSizedCerts = false;
	// Starts true for legacy purposes
	bool mAllowTestCdSigningKey = true;

	private:
	chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
	chip::Credentials::DeviceAttestationVerifier * mDacVerifier;
	};