project-chip · yufengwangca · Jan 12, 2023 · Oct 13, 2022 · Oct 14, 2022 · Oct 14, 2022
@@ -19,14 +19,19 @@
 package com.google.chip.chiptool.provisioning
 
 import android.bluetooth.BluetoothGatt
+import android.content.DialogInterface
 import android.os.Bundle
 import android.util.Log
 import android.view.LayoutInflater
 import android.view.View
 import android.view.ViewGroup
 import android.widget.Toast
+import androidx.appcompat.app.AlertDialog
 import androidx.fragment.app.Fragment
 import androidx.lifecycle.lifecycleScope
+import chip.devicecontroller.AttestationInfo
+import chip.devicecontroller.DeviceAttestationDelegate.DeviceAttestationCompletionCallback
+import chip.devicecontroller.DeviceAttestationDelegate.DeviceAttestationFailureCallback
 import chip.devicecontroller.NetworkCredentials
 import com.google.chip.chiptool.NetworkCredentialsParcelable
 import com.google.chip.chiptool.ChipClient
@@ -38,7 +43,9 @@ import com.google.chip.chiptool.util.DeviceIdUtil
 import com.google.chip.chiptool.util.FragmentUtil
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ExperimentalCoroutinesApi
+import kotlinx.coroutines.Runnable
 import kotlinx.coroutines.launch
+import java.lang.IllegalArgumentException
 
 @ExperimentalCoroutinesApi
 class DeviceProvisioningFragment : Fragment() {
@@ -132,7 +139,30 @@ class DeviceProvisioningFragment : Fragment() {
       if (thread != null) {
         network = NetworkCredentials.forThread(NetworkCredentials.ThreadCredentials(thread.operationalDataset))
       }
-
+      deviceController.setDeviceAttestationFailureCallback(600
+      ) { devicePtr, errorCode ->
+        Log.i(TAG, "Device attestation errorCode: $errorCode")
+        requireActivity().runOnUiThread(Runnable {
+          val alertDialog: AlertDialog? = activity?.let {
+            val builder = AlertDialog.Builder(it)
+            builder.apply {
+              setPositiveButton("Continue",
+                DialogInterface.OnClickListener { dialog, id ->
+                  deviceController.continueCommissioning(devicePtr, true)
+                })
+              setNegativeButton("No",
+                DialogInterface.OnClickListener { dialog, id ->
+                  deviceController.continueCommissioning(devicePtr, false)
+                })
+            }
+            builder.setTitle("Device Attestation")
+            builder.setMessage("Device Attestation failed for device under commissioning. Do you wish to continue pairing?")
+            // Create the AlertDialog
+            builder.create()
+          }
+          alertDialog?.show()
+        })
+      }
       deviceController.pairDevice(gatt, connId, deviceId, deviceInfo.setupPinCode, network)
       DeviceIdUtil.setNextAvailableId(requireContext(), deviceId + 1)
     }

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp
@@ -58,6 +58,21 @@ AndroidDeviceControllerWrapper::~AndroidDeviceControllerWrapper()
         chip::Platform::Delete(mKeypairBridge);
         mKeypairBridge = nullptr;
     }
+    if (mDeviceAttestationDelegateBridge != nullptr)
+    {
+        delete mDeviceAttestationDelegateBridge;
+        mDeviceAttestationDelegateBridge = nullptr;
+    }
+    if (mDeviceAttestationVerifier != nullptr)
+    {
+        delete mDeviceAttestationVerifier;
+        mDeviceAttestationVerifier = nullptr;
+    }
+    if (mAttestationTrustStoreBridge != nullptr)
+    {
+        delete mAttestationTrustStoreBridge;
+        mAttestationTrustStoreBridge = nullptr;
+    }
 }
 
 void AndroidDeviceControllerWrapper::SetJavaObjectRef(JavaVM * vm, jobject obj)
@@ -77,8 +92,9 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
     chip::System::Layer * systemLayer, chip::Inet::EndPointManager<Inet::TCPEndPoint> * tcpEndPointManager,
     chip::Inet::EndPointManager<Inet::UDPEndPoint> * udpEndPointManager, AndroidOperationalCredentialsIssuerPtr opCredsIssuerPtr,
     jobject keypairDelegate, jbyteArray rootCertificate, jbyteArray intermediateCertificate, jbyteArray nodeOperationalCertificate,
-    jbyteArray ipkEpochKey, uint16_t listenPort, uint16_t controllerVendorId, uint16_t failsafeTimerSeconds,
-    bool attemptNetworkScanWiFi, bool attemptNetworkScanThread, bool skipCommissioningComplete, CHIP_ERROR * errInfoOnFailure)
+    jbyteArray ipkEpochKey, jobject paaCertsArrayList, jobject cdCertsArrayList, uint16_t listenPort, uint16_t controllerVendorId,
+    uint16_t failsafeTimerSeconds, bool attemptNetworkScanWiFi, bool attemptNetworkScanThread, bool skipCommissioningComplete,
+    CHIP_ERROR * errInfoOnFailure)
 {
     if (errInfoOnFailure == nullptr)
     {
@@ -131,9 +147,77 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
     chip::Controller::AndroidOperationalCredentialsIssuer * opCredsIssuer = wrapper->mOpCredsIssuer.get();
 
     // Initialize device attestation verifier
-    // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available
-    const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore();
-    SetDeviceAttestationVerifier(GetDefaultDACVerifier(testingRootStore));
+    const Credentials::AttestationTrustStore * trustStore;
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    if (paaCertsArrayList)
+    {
+        jint listSize;
+        JniReferences::GetInstance().GetListSize(paaCertsArrayList, listSize);
+        std::vector<std::vector<uint8_t>> paaCerts;
+        for (uint8_t i = 0; i < listSize; i++)
+        {
+            jobject paaCertObj = nullptr;
+            err                = JniReferences::GetInstance().GetListItem(paaCertsArrayList, i, paaCertObj);
+            if (err != CHIP_NO_ERROR)
+            {
+                *errInfoOnFailure = err;
+                return nullptr;
+            }
+            JniByteArray paaCert(env, static_cast<jbyteArray>(paaCertObj));
+            // Make a copy of the cert so that it does not loss of scope.
+            paaCerts.push_back(std::vector<uint8_t>(paaCert.byteSpan().begin(), paaCert.byteSpan().end()));
+        }
+        wrapper->mAttestationTrustStoreBridge = new AttestationTrustStoreBridge(paaCerts);
+        if (wrapper->mAttestationTrustStoreBridge == nullptr)
+        {
+            ChipLogError(Controller, "Failed to create AttestationTrustStoreBridge");
+            *errInfoOnFailure = CHIP_ERROR_NO_MEMORY;
+            return nullptr;
+        }
+        trustStore = wrapper->mAttestationTrustStoreBridge;
+    }
+    else
+    {
+        trustStore = chip::Credentials::GetTestAttestationTrustStore();
+    }
+    wrapper->mDeviceAttestationVerifier = new Credentials::DefaultDACVerifier(trustStore);
+    if (wrapper->mDeviceAttestationVerifier == nullptr)
+    {
+        ChipLogError(Controller, "Init failure while creating the device attestation verifier");
+        *errInfoOnFailure = CHIP_ERROR_NO_MEMORY;
+        return nullptr;
+    }
+    if (cdCertsArrayList)
+    {
+        auto cdTrustStore = wrapper->mDeviceAttestationVerifier->GetCertificationDeclarationTrustStore();
+        if (cdTrustStore == nullptr)
+        {
+            ChipLogError(Controller, "Failed to get cd trust store");
+            *errInfoOnFailure = CHIP_ERROR_NO_MEMORY;
+            return nullptr;
+        }
+        jint listSize;
+        JniReferences::GetInstance().GetListSize(cdCertsArrayList, listSize);
+        for (uint8_t i = 0; i < listSize; i++)
+        {
+            jobject cdCertObj = nullptr;
+            err               = JniReferences::GetInstance().GetListItem(cdCertsArrayList, i, cdCertObj);
+            if (err != CHIP_NO_ERROR)
+            {
+                *errInfoOnFailure = err;
+                return nullptr;
+            }
+            JniByteArray cdCert(env, static_cast<jbyteArray>(cdCertObj));
+            std::vector<uint8_t> cdCertCopy(cdCert.byteSpan().begin(), cdCert.byteSpan().end());
+            chip::ByteSpan trustedKey = chip::ByteSpan(cdCertCopy.data(), cdCertCopy.size());
+            err                       = cdTrustStore->AddTrustedKey(trustedKey);
+            if (err != CHIP_NO_ERROR)
+            {
+                *errInfoOnFailure = err;
+                return nullptr;
+            }
+        }
+    }
 
     chip::Controller::FactoryInitParams initParams;
     chip::Controller::SetupParams setupParams;
@@ -152,6 +236,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
     setupParams.operationalCredentialsDelegate = opCredsIssuer;
     setupParams.defaultCommissioner            = &wrapper->mAutoCommissioner;
     initParams.fabricIndependentStorage        = wrapperStorage;
+    setupParams.deviceAttestationVerifier      = wrapper->mDeviceAttestationVerifier;
 
     wrapper->mGroupDataProvider.SetStorageDelegate(wrapperStorage);
 
@@ -162,7 +247,7 @@ AndroidDeviceControllerWrapper * AndroidDeviceControllerWrapper::AllocateNew(
     params.SetSkipCommissioningComplete(skipCommissioningComplete);
     wrapper->UpdateCommissioningParameters(params);
 
-    CHIP_ERROR err = wrapper->mGroupDataProvider.Init();
+    err = wrapper->mGroupDataProvider.Init();
     if (err != CHIP_NO_ERROR)
     {
         *errInfoOnFailure = err;

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.h b/src/controller/java/AndroidDeviceControllerWrapper.h
@@ -33,6 +33,8 @@
 #include <platform/internal/DeviceNetworkInfo.h>
 
 #include "AndroidOperationalCredentialsIssuer.h"
+#include "AttestationTrustStoreBridge.h"
+#include "DeviceAttestationDelegateBridge.h"
 
 /**
  * This class contains all relevant information for the JNI view of CHIPDeviceController
@@ -149,14 +151,31 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
                 chip::Inet::EndPointManager<chip::Inet::UDPEndPoint> * udpEndPointManager,
                 AndroidOperationalCredentialsIssuerPtr opCredsIssuer, jobject keypairDelegate, jbyteArray rootCertificate,
                 jbyteArray intermediateCertificate, jbyteArray nodeOperationalCertificate, jbyteArray ipkEpochKey,
-                uint16_t listenPort, uint16_t controllerVendorId, uint16_t failsafeTimerSeconds, bool attemptNetworkScanWiFi,
-                bool attemptNetworkScanThread, bool skipCommissioningComplete, CHIP_ERROR * errInfoOnFailure);
+                jobject paaCertsArrayList, jobject cdCertsArrayList, uint16_t listenPort, uint16_t controllerVendorId,
+                uint16_t failsafeTimerSeconds, bool attemptNetworkScanWiFi, bool attemptNetworkScanThread,
+                bool skipCommissioningComplete, CHIP_ERROR * errInfoOnFailure);
 
     chip::Controller::AndroidOperationalCredentialsIssuer * GetAndroidOperationalCredentialsIssuer()
     {
         return mOpCredsIssuer.get();
     }
 
+    void SetDeviceAttestationDelegateBridge(DeviceAttestationDelegateBridge * deviceAttestationDelegateBridge)
+    {
+        mDeviceAttestationDelegateBridge = deviceAttestationDelegateBridge;
+    }
+
+    DeviceAttestationDelegateBridge * GetDeviceAttestationDelegateBridge() { return mDeviceAttestationDelegateBridge; }
+
+    void ClearDeviceAttestationDelegateBridge()
+    {
+        if (mDeviceAttestationDelegateBridge != nullptr)
+        {
+            delete mDeviceAttestationDelegateBridge;
+            mDeviceAttestationDelegateBridge = nullptr;
+        }
+    }
+
 private:
     using ChipDeviceControllerPtr = std::unique_ptr<chip::Controller::DeviceCommissioner>;
 
@@ -187,6 +206,10 @@ class AndroidDeviceControllerWrapper : public chip::Controller::DevicePairingDel
 
     chip::Credentials::PartialDACVerifier mPartialDACVerifier;
 
+    DeviceAttestationDelegateBridge * mDeviceAttestationDelegateBridge        = nullptr;
+    AttestationTrustStoreBridge * mAttestationTrustStoreBridge                = nullptr;
+    chip::Credentials::DeviceAttestationVerifier * mDeviceAttestationVerifier = nullptr;
+
     AndroidDeviceControllerWrapper(ChipDeviceControllerPtr controller, AndroidOperationalCredentialsIssuerPtr opCredsIssuer) :
         mController(std::move(controller)), mOpCredsIssuer(std::move(opCredsIssuer))
     {}

diff --git a/src/controller/java/AttestationTrustStoreBridge.cpp b/src/controller/java/AttestationTrustStoreBridge.cpp
@@ -0,0 +1,54 @@
+/**
+ *
+ *    Copyright (c) 2022 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include "AttestationTrustStoreBridge.h"
+#include <lib/support/CodeUtils.h>
+
+AttestationTrustStoreBridge::~AttestationTrustStoreBridge()
+{
+    if (!mPaaCerts.empty())
+    {
+        for (auto paaCert : mPaaCerts)
+        {
+            paaCert.clear();
+            paaCert.shrink_to_fit();
+        }
+        mPaaCerts.clear();
+        mPaaCerts.shrink_to_fit();
+    }
+}
+
+CHIP_ERROR AttestationTrustStoreBridge::GetProductAttestationAuthorityCert(const chip::ByteSpan & skid,
+                                                                           chip::MutableByteSpan & outPaaDerBuffer) const
+{
+    VerifyOrReturnError(skid.size() == chip::Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT);
+
+    for (auto paaCert : mPaaCerts)
+    {
+        chip::ByteSpan candidate                                   = chip::ByteSpan(paaCert.data(), paaCert.size());
+        uint8_t skidBuf[chip::Crypto::kSubjectKeyIdentifierLength] = { 0 };
+        chip::MutableByteSpan candidateSkidSpan{ skidBuf };
+        VerifyOrReturnError(CHIP_NO_ERROR == chip::Crypto::ExtractSKIDFromX509Cert(candidate, candidateSkidSpan),
+                            CHIP_ERROR_INTERNAL);
+        if (skid.data_equal(candidateSkidSpan))
+        {
+            // Found a match
+            return CopySpanToMutableSpan(candidate, outPaaDerBuffer);
+        }
+    }
+    return CHIP_ERROR_CA_CERT_NOT_FOUND;
+}
diff --git a/src/controller/java/AttestationTrustStoreBridge.h b/src/controller/java/AttestationTrustStoreBridge.h
@@ -0,0 +1,32 @@
+/**
+ *
+ *    Copyright (c) 2022 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
+#include <vector>
+
+class AttestationTrustStoreBridge : public chip::Credentials::AttestationTrustStore
+{
+public:
+    AttestationTrustStoreBridge(std::vector<std::vector<uint8_t>> paaCerts) : mPaaCerts(paaCerts) {}
+    ~AttestationTrustStoreBridge();
+
+    CHIP_ERROR GetProductAttestationAuthorityCert(const chip::ByteSpan & skid,
+                                                  chip::MutableByteSpan & outPaaDerBuffer) const override;
+
+private:
+    std::vector<std::vector<uint8_t>> mPaaCerts;
+};
diff --git a/src/controller/java/BUILD.gn b/src/controller/java/BUILD.gn
@@ -36,11 +36,15 @@ shared_library("jni") {
     "AndroidDeviceControllerWrapper.h",
     "AndroidOperationalCredentialsIssuer.cpp",
     "AndroidOperationalCredentialsIssuer.h",
+    "AttestationTrustStoreBridge.cpp",
+    "AttestationTrustStoreBridge.h",
     "BaseCHIPCluster-JNI.cpp",
     "CHIPAttributeTLVValueDecoder.h",
     "CHIPDefaultCallbacks.cpp",
     "CHIPDefaultCallbacks.h",
     "CHIPDeviceController-JNI.cpp",
+    "DeviceAttestationDelegateBridge.cpp",
+    "DeviceAttestationDelegateBridge.h",
     "zap-generated/CHIPAttributeTLVValueDecoder.cpp",
     "zap-generated/CHIPClustersWrite-JNI.cpp",
     "zap-generated/CHIPEventTLVValueDecoder.cpp",
@@ -101,6 +105,7 @@ android_library("java") {
     "src/chip/devicecontroller/ChipDeviceController.java",
     "src/chip/devicecontroller/ChipDeviceControllerException.java",
     "src/chip/devicecontroller/ControllerParams.java",
+    "src/chip/devicecontroller/DeviceAttestationDelegate.java",
     "src/chip/devicecontroller/DiscoveredDevice.java",
     "src/chip/devicecontroller/GetConnectedDeviceCallbackJni.java",
     "src/chip/devicecontroller/KeypairDelegate.java",
@@ -143,7 +148,10 @@ android_library("java") {
     data_deps += [ "${chip_root}/build/chip/java:shared_cpplib" ]
   }
 
-  javac_flags = [ "-Xlint:deprecation" ]
+  javac_flags = [
+    "-Xlint:deprecation",
+    "-parameters",  # Store infomation about method parameters
+  ]
 
   # TODO: add classpath support (we likely need to add something like
   #  ..../platforms/android-21/android.jar to access BLE items)