Skip to content

Commit

Permalink
Add a method to send the NOC with CATs when pairing devices (#24774)
Browse files Browse the repository at this point in the history
* controller: Add interface for setting CATs in ExampleOperationalCredentialsIssuer

* chiptool: Add option to set CATs encoded in device's NOC for pairing command

* Update examples/chip-tool/commands/common/CredentialIssuerCommands.h

Co-authored-by: Boris Zbarsky <[email protected]>

---------

Co-authored-by: Boris Zbarsky <[email protected]>
  • Loading branch information
wqx6 and bzbarsky-apple authored Feb 2, 2023
1 parent 10a4677 commit 79d5ac4
Show file tree
Hide file tree
Showing 6 changed files with 24 additions and 1 deletion.
2 changes: 2 additions & 0 deletions examples/chip-tool/commands/common/CredentialIssuerCommands.h
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,8 @@ class CredentialIssuerCommands

virtual chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() = 0;

virtual void SetCredentialIssuerCATValues(chip::CATValues cats) = 0;

/**
* @brief
* This function is used to Generate NOC Chain for the Controller/Commissioner. Parameters follow the example implementation,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
return CHIP_NO_ERROR;
}
chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
void SetCredentialIssuerCATValues(chip::CATValues cats) override { mOpCredsIssuer.SetCATValuesForNextNOCRequest(cats); }
CHIP_ERROR GenerateControllerNOCChain(chip::NodeId nodeId, chip::FabricId fabricId, const chip::CATValues & cats,
chip::Crypto::P256Keypair & keypair, chip::MutableByteSpan & rcac,
chip::MutableByteSpan & icac, chip::MutableByteSpan & noc) override
Expand Down
15 changes: 15 additions & 0 deletions examples/chip-tool/commands/pairing/PairingCommand.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,21 @@ using namespace ::chip::Controller;
CHIP_ERROR PairingCommand::RunCommand()
{
CurrentCommissioner().RegisterPairingDelegate(this);
// Clear the CATs in OperationalCredentialsIssuer
mCredIssuerCmds->SetCredentialIssuerCATValues(kUndefinedCATs);

if (mCASEAuthTags.HasValue() && mCASEAuthTags.Value().size() <= kMaxSubjectCATAttributeCount)
{
CATValues cats = kUndefinedCATs;
for (size_t index = 0; index < mCASEAuthTags.Value().size(); ++index)
{
cats.values[index] = mCASEAuthTags.Value()[index];
}
if (cats.AreValid())
{
mCredIssuerCmds->SetCredentialIssuerCATValues(cats);
}
}
return RunInternal(mNodeId);
}

Expand Down
2 changes: 2 additions & 0 deletions examples/chip-tool/commands/pairing/PairingCommand.h
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ class PairingCommand : public CHIPCommand,
AddArgument("bypass-attestation-verifier", 0, 1, &mBypassAttestationVerifier,
"Bypass the attestation verifier. If not provided or false, the attestation verifier is not bypassed."
" If true, the commissioning will continue in case of attestation verification failure.");
AddArgument("case-auth-tags", 1, UINT32_MAX, &mCASEAuthTags, "The CATs to be encoded in the NOC sent to the commissionee");

switch (networkType)
{
Expand Down Expand Up @@ -188,6 +189,7 @@ class PairingCommand : public CHIPCommand,
chip::Optional<bool> mPaseOnly;
chip::Optional<bool> mSkipCommissioningComplete;
chip::Optional<bool> mBypassAttestationVerifier;
chip::Optional<std::vector<uint32_t>> mCASEAuthTags;
uint16_t mRemotePort;
uint16_t mDiscriminator;
uint32_t mSetupPINCode;
Expand Down
2 changes: 1 addition & 1 deletion src/controller/ExampleOperationalCredentialsIssuer.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan
MutableByteSpan rcacSpan(rcac.Get(), kMaxDERCertLength);

ReturnErrorOnFailure(
GenerateNOCChainAfterValidation(assignedId, mNextFabricId, chip::kUndefinedCATs, pubkey, rcacSpan, icacSpan, nocSpan));
GenerateNOCChainAfterValidation(assignedId, mNextFabricId, mNextCATs, pubkey, rcacSpan, icacSpan, nocSpan));

// TODO(#13825): Should always generate some IPK. Using a temporary fixed value until APIs are plumbed in to set it end-to-end
// TODO: Force callers to set IPK if used before GenerateNOCChain will succeed.
Expand Down
3 changes: 3 additions & 0 deletions src/controller/ExampleOperationalCredentialsIssuer.h
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent

void SetFabricIdForNextNOCRequest(FabricId fabricId) override { mNextFabricId = fabricId; }

void SetCATValuesForNextNOCRequest(CATValues cats) { mNextCATs = cats; }

/**
* @brief Initialize the issuer with the keypair in the storage.
* If the storage doesn't have one, it'll create one, and it to the storage.
Expand Down Expand Up @@ -123,6 +125,7 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent

NodeId mNextRequestedNodeId = 1;
FabricId mNextFabricId = 1;
CATValues mNextCATs = kUndefinedCATs;
bool mNodeIdRequested = false;
uint64_t mIndex = 0;
};
Expand Down

0 comments on commit 79d5ac4

Please sign in to comment.