From 92dd5d546ef9fb05ba2e51a1d49b2805f2eef654 Mon Sep 17 00:00:00 2001
From: Vijay Selvaraj
Date: Tue, 23 Nov 2021 10:18:25 -0500
Subject: [PATCH] Made PAI Certificate mandatory in VerifyAttestationInformation method
---
 src/credentials/DeviceAttestationVerifier.h | 2 ++
 .../DeviceAttestationVerifierExample.cpp | 25 +++++++++----------
 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/credentials/DeviceAttestationVerifier.h b/src/credentials/DeviceAttestationVerifier.h
index 5c0ef51bd5d20f..09d843153943d5 100644
--- a/src/credentials/DeviceAttestationVerifier.h
+++ b/src/credentials/DeviceAttestationVerifier.h
@@ -67,6 +67,8 @@ enum class AttestationVerificationResult : uint16_t
 kNoMemory = 700,
+ kInvalidArgument = 800,
+
 kNotImplemented = 0xFFFFU,
 // TODO: Add more attestation verification errors
diff --git a/src/credentials/examples/DeviceAttestationVerifierExample.cpp b/src/credentials/examples/DeviceAttestationVerifierExample.cpp
index 0bb3277997ab31..11f34289435d0e 100644
--- a/src/credentials/examples/DeviceAttestationVerifierExample.cpp
+++ b/src/credentials/examples/DeviceAttestationVerifierExample.cpp
@@ -213,25 +213,24 @@ AttestationVerificationResult ExampleDACVerifier::VerifyAttestationInformation(c
 const ByteSpan & dacCertDerBuffer,
 const ByteSpan & attestationNonce)
 {
+ VerifyOrReturnError(!attestationInfoBuffer.empty() && !attestationChallengeBuffer.empty() &&
+ !attestationSignatureBuffer.empty() && !paiCertDerBuffer.empty() && !dacCertDerBuffer.empty() &&
+ !attestationNonce.empty(),
+ AttestationVerificationResult::kInvalidArgument);
+
 VendorId dacVendorId = VendorId::NotSpecified;
 // match DAC and PAI VIDs
- if (!paiCertDerBuffer.empty())
 {
 uint16_t paiVid = VendorId::NotSpecified;
 uint16_t dacVid = VendorId::NotSpecified;
- CHIP_ERROR error = ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, paiCertDerBuffer, paiVid);
- const bool paiHasVid = error != CHIP_ERROR_KEY_NOT_FOUND;
- VerifyOrReturnError(error == CHIP_NO_ERROR || paiHasVid == false, AttestationVerificationResult::kPaiFormatInvalid);
-
- if (paiHasVid)
- {
- VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, dacCertDerBuffer, dacVid) == CHIP_NO_ERROR,
- AttestationVerificationResult::kDacFormatInvalid);
+ VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, paiCertDerBuffer, paiVid) == CHIP_NO_ERROR,
+ AttestationVerificationResult::kPaiFormatInvalid);
+ VerifyOrReturnError(ExtractDNAttributeFromX509Cert(MatterOid::kVendorId, dacCertDerBuffer, dacVid) == CHIP_NO_ERROR,
+ AttestationVerificationResult::kDacFormatInvalid);
- VerifyOrReturnError(paiVid == dacVid, AttestationVerificationResult::kDacVendorIdMismatch);
- dacVendorId = static_cast(dacVid);
- }
+ VerifyOrReturnError(paiVid == dacVid, AttestationVerificationResult::kDacVendorIdMismatch);
+ dacVendorId = static_cast(dacVid);
 }
 P256PublicKey remoteManufacturerPubkey;
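Review bot: The now-unconditional PAI check maps every failure of `ExtractDNAttributeFromX509Cert` on the PAI to `kPaiFormatInvalid`, including the absent-VendorId case that the removed code tolerated through `CHIP_ERROR_KEY_NOT_FOUND`, and nothing in the code records that this stricter rule is intended. Replacing the `// match DAC and PAI VIDs` line with something like `// PAI is mandatory and must carry a VendorId equal to the DAC's; a PAI without one is rejected` would make the fail-closed behaviour explicit. The bare `{ ... }` left behind by the removed `if` now only scopes `paiVid` and `dacVid`; either say so in the comment or drop the braces. The new guard at the top tests only that each span is non-empty, so any length expectation (for example on `attestationNonce`) still has to be enforced elsewhere, presumably in the part of the function that lies outside this hunk.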
@@ -250,7 +249,7 @@ AttestationVerificationResult ExampleDACVerifier::VerifyAttestationInformation(c
 uint8_t akidBuf[Credentials::kKeyIdentifierLength];
 MutableByteSpan akid(akidBuf);
- ExtractAKIDFromX509Cert(paiCertDerBuffer.empty() ? dacCertDerBuffer : paiCertDerBuffer, akid);
+ ExtractAKIDFromX509Cert(paiCertDerBuffer, akid);
 constexpr size_t paaCertAllocatedLen = kMaxDERCertLength;
 chip::Platform::ScopedMemoryBuffer paaCert;
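Review bot: The result of `ExtractAKIDFromX509Cert(paiCertDerBuffer, akid)` is discarded, so if extraction fails `akid` still spans the uninitialised `akidBuf` and the code that follows would be working from stack contents rather than the PAI's authority key identifier. Now that the PAI is mandatory, the call can fail closed in the same way as the VendorId checks in the earlier hunk: `VerifyOrReturnError(ExtractAKIDFromX509Cert(paiCertDerBuffer, akid) == CHIP_NO_ERROR, AttestationVerificationResult::kPaiFormatInvalid);`. This assumes the function returns a `CHIP_ERROR`, as `ExtractDNAttributeFromX509Cert` does; its declaration and the later use of `akid` are outside this hunk.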