Made PAI Certificate mandatory in VerifyAttestationInformation method

project-chip · Nov 23, 2021 · 92dd5d5 · 92dd5d5
1 parent b5f45aa
commit 92dd5d5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 13 deletions.
diff --git a/src/credentials/DeviceAttestationVerifier.h b/src/credentials/DeviceAttestationVerifier.h
@@ -67,6 +67,8 @@ enum class AttestationVerificationResult : uint16_t
 
     kNoMemory = 700,
 
+    kInvalidArgument = 800,
+
     kNotImplemented = 0xFFFFU,
 
     // TODO: Add more attestation verification errors

diff --git a/src/credentials/examples/DeviceAttestationVerifierExample.cpp b/src/credentials/examples/DeviceAttestationVerifierExample.cpp
@@ -213,25 +213,24 @@ AttestationVerificationResult ExampleDACVerifier::VerifyAttestationInformation(c
                                                                                const ByteSpan & dacCertDerBuffer,
                                                                                const ByteSpan & attestationNonce)
 {
+    VerifyOrReturnError(!attestationInfoBuffer.empty() && !attestationChallengeBuffer.empty() &&
+                            !attestationSignatureBuffer.empty() && !paiCertDerBuffer.empty() && !dacCertDerBuffer.empty() &&
+                            !attestationNonce.empty(),
+                        AttestationVerificationResult::kInvalidArgument);
+
     VendorId dacVendorId = VendorId::NotSpecified;
     // match DAC and PAI VIDs
-    if (!paiCertDerBuffer.empty())
     {
         uint16_t paiVid = VendorId::NotSpecified;
         uint16_t dacVid = VendorId::NotSpecified;
 
-        CHIP_ERROR error     = ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, paiCertDerBuffer, paiVid);
-        const bool paiHasVid = error != CHIP_ERROR_KEY_NOT_FOUND;
-        VerifyOrReturnError(error == CHIP_NO_ERROR || paiHasVid == false, AttestationVerificationResult::kPaiFormatInvalid);
-
-        if (paiHasVid)
-        {
-            VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, dacCertDerBuffer, dacVid) == CHIP_NO_ERROR,
-                                AttestationVerificationResult::kDacFormatInvalid);
+        VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, paiCertDerBuffer, paiVid) == CHIP_NO_ERROR,
+                            AttestationVerificationResult::kPaiFormatInvalid);
+        VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, dacCertDerBuffer, dacVid) == CHIP_NO_ERROR,
+                            AttestationVerificationResult::kDacFormatInvalid);
 
-            VerifyOrReturnError(paiVid == dacVid, AttestationVerificationResult::kDacVendorIdMismatch);
-            dacVendorId = static_cast<VendorId>(dacVid);
-        }
+        VerifyOrReturnError(paiVid == dacVid, AttestationVerificationResult::kDacVendorIdMismatch);
+        dacVendorId = static_cast<VendorId>(dacVid);
     }
 
     P256PublicKey remoteManufacturerPubkey;
@@ -250,7 +249,7 @@ AttestationVerificationResult ExampleDACVerifier::VerifyAttestationInformation(c
 
     uint8_t akidBuf[Credentials::kKeyIdentifierLength];
     MutableByteSpan akid(akidBuf);
-    ExtractAKIDFromX509Cert(paiCertDerBuffer.empty() ? dacCertDerBuffer : paiCertDerBuffer, akid);
+    ExtractAKIDFromX509Cert(paiCertDerBuffer, akid);
 
     constexpr size_t paaCertAllocatedLen = kMaxDERCertLength;
     chip::Platform::ScopedMemoryBuffer<uint8_t> paaCert;