Update src/darwin to take into account the proposed changes

project-chip · Sep 6, 2022 · a9e5662 · a9e5662
1 parent aa32ccd
commit a9e5662
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 42 deletions.
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -477,7 +477,7 @@ CHIP_ERROR CsaCdKeysTrustStore::LookupVerifyingKey(const ByteSpan & kid, Crypto:
     // Seconds, search externally added keys
     for (size_t keyIdx = 0; keyIdx < mNumTrustedKeys; keyIdx++)
     {
-        auto & entry = mTrustedKeys[mNumTrustedKeys];
+        auto & entry = mTrustedKeys[keyIdx];
         if (kid.data_equal(entry.GetKid()))
         {
             outPubKey = entry.publicKey;

diff --git a/src/darwin/Framework/CHIP/MTRAttestationTrustStoreBridge.h b/src/darwin/Framework/CHIP/MTRAttestationTrustStoreBridge.h
@@ -22,22 +22,17 @@ NS_ASSUME_NONNULL_BEGIN
 
 class MTRAttestationTrustStoreBridge : public chip::Credentials::AttestationTrustStore {
 public:
-    MTRAttestationTrustStoreBridge(NSArray<NSData *> * _Nullable paaCerts, NSArray<NSData *> * _Nullable cdCerts)
+    MTRAttestationTrustStoreBridge(NSArray<NSData *> * paaCerts)
         : mPaaCerts(paaCerts)
-        , mCDCerts(cdCerts)
     {
     }
     ~MTRAttestationTrustStoreBridge() {};
 
     CHIP_ERROR GetProductAttestationAuthorityCert(
         const chip::ByteSpan & skid, chip::MutableByteSpan & outPaaDerBuffer) const override;
 
-    CHIP_ERROR GetCertificationDeclarationSigningKey(
-        const chip::ByteSpan & skid, chip::Crypto::P256PublicKey & pubKey) const override;
-
 private:
-    NSArray<NSData *> * _Nullable mPaaCerts;
-    NSArray<NSData *> * _Nullable mCDCerts;
+    NSArray<NSData *> * mPaaCerts;
 };
 
 NS_ASSUME_NONNULL_END
diff --git a/src/darwin/Framework/CHIP/MTRAttestationTrustStoreBridge.mm b/src/darwin/Framework/CHIP/MTRAttestationTrustStoreBridge.mm
@@ -21,10 +21,6 @@
 CHIP_ERROR MTRAttestationTrustStoreBridge::GetProductAttestationAuthorityCert(
     const chip::ByteSpan & skid, chip::MutableByteSpan & outPaaDerBuffer) const
 {
-    if (mPaaCerts == nil) {
-        return CHIP_ERROR_NOT_IMPLEMENTED;
-    }
-
     VerifyOrReturnError(skid.size() == chip::Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT);
 
     size_t paaIdx;
@@ -44,31 +40,3 @@
     }
     return CHIP_ERROR_CA_CERT_NOT_FOUND;
 }
-
-CHIP_ERROR MTRAttestationTrustStoreBridge::GetCertificationDeclarationSigningKey(
-    const chip::ByteSpan & skid, chip::Crypto::P256PublicKey & pubKey) const
-{
-    if (mCDCerts == nil) {
-        return CHIP_ERROR_NOT_IMPLEMENTED;
-    }
-
-    VerifyOrReturnError(skid.size() == chip::Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT);
-
-    size_t cdIdx;
-    chip::ByteSpan candidate;
-
-    for (cdIdx = 0; cdIdx < mCDCerts.count; ++cdIdx) {
-        uint8_t skidBuf[chip::Crypto::kSubjectKeyIdentifierLength] = { 0 };
-        candidate = AsByteSpan(mCDCerts[cdIdx]);
-        chip::MutableByteSpan candidateSkidSpan { skidBuf };
-        VerifyOrReturnError(
-            CHIP_NO_ERROR == chip::Crypto::ExtractSKIDFromX509Cert(candidate, candidateSkidSpan), CHIP_ERROR_INTERNAL);
-
-        if (skid.data_equal(candidateSkidSpan)) {
-            // Found a match
-            return chip::Crypto::ExtractPubkeyFromX509Cert(candidate, pubKey);
-        }
-    }
-
-    return CHIP_ERROR_CA_CERT_NOT_FOUND;
-}
diff --git a/src/darwin/Framework/CHIP/MTRControllerFactory.mm b/src/darwin/Framework/CHIP/MTRControllerFactory.mm
@@ -54,6 +54,7 @@
 static NSString * const kErrorControllerFactoryInit = @"Init failure while initializing controller factory";
 static NSString * const kErrorKeystoreInit = @"Init failure while initializing persistent storage keystore";
 static NSString * const kErrorCertStoreInit = @"Init failure while initializing persistent storage operational certificate store";
+static NSString * const kErrorCDCertStoreInit = @"Init failure while initializing Certificate Declaration Signing Keys store";
 static NSString * const kErrorOtaProviderInit = @"Init failure while creating an OTA provider delegate";
 
 @interface MTRControllerFactory ()
@@ -257,8 +258,8 @@ - (BOOL)startup:(MTRControllerFactoryParams *)startupParams
 
         // Initialize device attestation verifier
         const Credentials::AttestationTrustStore * trustStore;
-        if (startupParams.paaCerts || startupParams.cdCerts) {
-            _attestationTrustStoreBridge = new MTRAttestationTrustStoreBridge(startupParams.paaCerts, startupParams.cdCerts);
+        if (startupParams.paaCerts) {
+            _attestationTrustStoreBridge = new MTRAttestationTrustStoreBridge(startupParams.paaCerts);
             if (_attestationTrustStoreBridge == nullptr) {
                 MTR_LOG_ERROR("Error: %@", kErrorAttestationTrustStoreInit);
                 return;
@@ -274,6 +275,22 @@ - (BOOL)startup:(MTRControllerFactoryParams *)startupParams
             return;
         }
 
+        if (startupParams.cdCerts) {
+            auto cdTrustStore = _deviceAttestationVerifier->GetCertificationDeclarationTrustStore();
+            if (cdTrustStore == nullptr) {
+                MTR_LOG_ERROR("Error: %@", kErrorCDCertStoreInit);
+                return;
+            }
+
+            for (NSData * cdSigningCert in startupParams.cdCerts) {
+                errorCode = cdTrustStore->AddTrustedKey(AsByteSpan(cdSigningCert));
+                if (errorCode != CHIP_NO_ERROR) {
+                    MTR_LOG_ERROR("Error: %@", kErrorCDCertStoreInit);
+                    return;
+                }
+            }
+        }
+
         chip::Controller::FactoryInitParams params;
         if (startupParams.port != nil) {
             params.listenPort = [startupParams.port unsignedShortValue];