Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is …
…in the Certification Declaration. (#18219)
emargolis authored May 11, 2022
1 parent 2299c4b commit b351579
Showing 2 changed files with 19 additions and 2 deletions.
Expand Up @@ -278,6 +278,12 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
.paaVendorId = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified),
};

MutableByteSpan paaSKID(deviceInfo.paaSKID);
VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR,
attestationError = AttestationVerificationResult::kPaaFormatInvalid);
VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID),
attestationError = AttestationVerificationResult::kPaaFormatInvalid);

VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan,
attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan,
vendorReserved) == CHIP_NO_ERROR,
Expand Down Expand Up @@ -384,6 +390,14 @@ AttestationVerificationResult DefaultDACVerifier::ValidateCertificateDeclaration
}
}

if (cdContent.authorizedPAAListPresent)
{
// The Subject Key Id of the PAA SHALL match one of the values present in the authorized_paa_list
// in the Certification Declaration.
VerifyOrReturnError(cdElementsDecoder.HasAuthorizedPAA(certDeclBuffer, ByteSpan(deviceInfo.paaSKID)),
AttestationVerificationResult::kCertificationDeclarationInvalidPAA);
}

return AttestationVerificationResult::kSuccess;
}

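Review bot: `ValidateCertificateDeclaration` compares `deviceInfo.paaSKID` against the authorized_paa_list with nothing indicating whether the field was actually populated, so a caller that builds a `DeviceInfoForAttestation` some other way than through the extraction added in the first hunk ends up comparing the zero-initialized default instead. That appears to fail closed, since an all-zero identifier is unlikely to appear in any authorized list, but the coupling deserves a comment at the new `if` block: `// Relies on deviceInfo.paaSKID having been filled in by VerifyAttestationInformation; the zero-initialized default will not match any authorized PAA.` In the first hunk, the check `paaSKID.size() == sizeof(deviceInfo.paaSKID)` is what guarantees that the later `ByteSpan(deviceInfo.paaSKID)` covers exactly the extracted identifier and no stale trailing bytes; a one-line comment there saying so would make that intent explicit. Both enclosing functions start outside their hunks.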
Expand Up @@ -68,6 +68,7 @@ enum class AttestationVerificationResult : uint16_t
kCertificationDeclarationInvalidFormat = 603,
kCertificationDeclarationInvalidVendorId = 604,
kCertificationDeclarationInvalidProductId = 605,
kCertificationDeclarationInvalidPAA = 606,

kNoMemory = 700,

Expand All @@ -93,16 +94,18 @@ struct DeviceInfoForAttestation
uint16_t vendorId = VendorId::NotSpecified;
// Product ID reported by device in Basic Information cluster
uint16_t productId = 0;
// Vendor ID from DAC
// Vendor ID from DAC
uint16_t dacVendorId = VendorId::NotSpecified;
// Product ID from DAC
uint16_t dacProductId = 0;
// Vendor ID from PAI cert
uint16_t paiVendorId = VendorId::NotSpecified;
// Product ID from PAI cert (0 if absent)
uint16_t paiProductId = 0;
// Vendor ID from PAA cert
// Vendor ID from PAA cert
uint16_t paaVendorId = VendorId::NotSpecified;
// Subject Key Identifier (SKID) from PAA cert
uint8_t paaSKID[Crypto::kSubjectKeyIdentifierLength] = { 0 };
};

typedef void (*OnAttestationInformationVerification)(void * context, AttestationVerificationResult result);
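Review bot: The comment on the new `paaSKID` member does not record the length contract the verifier depends on: the `.cpp` side rejects a PAA whose extracted SKID does not fill the array exactly and then hands the whole array to the authorized_paa_list lookup as a `ByteSpan`. Suggest `// Subject Key Identifier (SKID) from PAA cert; must hold exactly kSubjectKeyIdentifierLength bytes once populated (zero-filled until then).` The added `kCertificationDeclarationInvalidPAA = 606` continues the 6xx certification-declaration series consistently, and the remaining edits in this section appear to be whitespace-only comment changes. The enum and the struct both begin outside their hunks.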
