From e10cc58b7e381accc857f5e684c1a4eb4b6c63b6 Mon Sep 17 00:00:00 2001 From: Vivien Nicolas Date: Fri, 2 Sep 2022 11:05:26 +0200 Subject: [PATCH] Add credentials/development/cd-certs/ and update chip-tool to use it if desired --- .../cd-certs/Chip-Test-CD-Cert.der | Bin 0 -> 439 bytes .../chip-tool/commands/common/CHIPCommand.cpp | 87 +++++++++++------- .../chip-tool/commands/common/CHIPCommand.h | 6 +- 3 files changed, 57 insertions(+), 36 deletions(-) create mode 100644 credentials/development/cd-certs/Chip-Test-CD-Cert.der diff --git a/credentials/development/cd-certs/Chip-Test-CD-Cert.der b/credentials/development/cd-certs/Chip-Test-CD-Cert.der new file mode 100644 index 0000000000000000000000000000000000000000..6a7732980d7c27cc9c00132b76e0d50da419020f GIT binary patch literal 439 zcmXqLV%%)d#2B@JnTe5!iNp2Q=ebX+7W5l%v2kd%d7QIlVP-PWHq6)$}FigP!Q)eGBhwVvM@9;GBz=elHj)l z0z)HXATqTywTvRoxJUzGHg>Q}m>8i>VrFD#c4A<$vFucG)eb%Nx${u;#XU<>GlS0T z(nRUb6Ett_~|I};k)8d%3gJc4k>#}>^zCR_m#lbDpe?dpnyK8}S-|SkPW{_ea z1oW1yFeBrC77hb8AjQPUXut;&;|GZWJieKj$HF=G4sSAZ0h%ZE=&qKAu&&$gx^^9;pWZVudls%c=um@PwuRo x&!tB4$9^3bZedagVXt^mVp$Ya_xAPrh>RqKtqv8R&iW-S&w74(r~X%;ZUDT0mhb=o literal 0 HcmV?d00001 diff --git a/examples/chip-tool/commands/common/CHIPCommand.cpp b/examples/chip-tool/commands/common/CHIPCommand.cpp index 89dd1d536e4550..112103eeaf37c1 100644 --- a/examples/chip-tool/commands/common/CHIPCommand.cpp +++ b/examples/chip-tool/commands/common/CHIPCommand.cpp @@ -36,27 +36,63 @@ std::set CHIPCommand::sDeferredCleanups; using DeviceControllerFactory = chip::Controller::DeviceControllerFactory; -constexpr chip::FabricId kIdentityNullFabricId = chip::kUndefinedFabricId; -constexpr chip::FabricId kIdentityAlphaFabricId = 1; -constexpr chip::FabricId kIdentityBetaFabricId = 2; -constexpr chip::FabricId kIdentityGammaFabricId = 3; -constexpr chip::FabricId kIdentityOtherFabricId = 4; -constexpr const char * kTrustStorePathVariable = "CHIPTOOL_PAA_TRUST_STORE_PATH"; - -const chip::Credentials::AttestationTrustStore * CHIPCommand::sPaaTrustStore = nullptr; +constexpr chip::FabricId kIdentityNullFabricId = chip::kUndefinedFabricId; +constexpr chip::FabricId kIdentityAlphaFabricId = 1; +constexpr chip::FabricId kIdentityBetaFabricId = 2; +constexpr chip::FabricId kIdentityGammaFabricId = 3; +constexpr chip::FabricId kIdentityOtherFabricId = 4; +constexpr const char * kPAATrustStorePathVariable = "CHIPTOOL_PAA_TRUST_STORE_PATH"; +constexpr const char * kCDTrustStorePathVariable = "CHIPTOOL_CD_TRUST_STORE_PATH"; + +const chip::Credentials::AttestationTrustStore * CHIPCommand::sTrustStore = nullptr; chip::Credentials::GroupDataProviderImpl CHIPCommand::sGroupDataProvider{ kMaxGroupsPerFabric, kMaxGroupKeysPerFabric }; namespace { -const chip::Credentials::AttestationTrustStore * GetTestFileAttestationTrustStore(const char * paaTrustStorePath) +const CHIP_ERROR GetAttestationTrustStore(const char * paaTrustStorePath, const char * cdTrustStorePath, + const chip::Credentials::AttestationTrustStore ** trustStore) { - static chip::Credentials::FileAttestationTrustStore attestationTrustStore{ paaTrustStorePath }; + if (paaTrustStorePath == nullptr) + { + paaTrustStorePath = getenv(kPAATrustStorePathVariable); + } + + if (cdTrustStorePath == nullptr) + { + cdTrustStorePath = getenv(kCDTrustStorePathVariable); + } + + if (paaTrustStorePath == nullptr && cdTrustStorePath == nullptr) + { + *trustStore = chip::Credentials::GetTestAttestationTrustStore(); + return CHIP_NO_ERROR; + } + + static chip::Credentials::FileAttestationTrustStore attestationTrustStore{ paaTrustStorePath, cdTrustStorePath }; + + if (paaTrustStorePath != nullptr && attestationTrustStore.paaCount() == 0) + { + ChipLogError(chipTool, "No PAAs found in path: %s", paaTrustStorePath); + ChipLogError(chipTool, + "Please specify a valid path containing trusted PAA certificates using " + "the argument [--paa-trust-store-path paa/file/path] " + "or environment variable [%s=paa/file/path]", + kPAATrustStorePathVariable); + return CHIP_ERROR_INVALID_ARGUMENT; + } - if (attestationTrustStore.IsInitialized()) + if (cdTrustStorePath != nullptr && attestationTrustStore.cdCount() == 0) { - return &attestationTrustStore; + ChipLogError(chipTool, "No CDs found in path: %s", cdTrustStorePath); + ChipLogError(chipTool, + "Please specify a valid path containing trusted CD certificates using " + "the argument [--cd-trust-store-path cd/file/path] " + "or environment variable [%s=cd/file/path]", + kCDTrustStorePathVariable); + return CHIP_ERROR_INVALID_ARGUMENT; } - return nullptr; + *trustStore = &attestationTrustStore; + return CHIP_NO_ERROR; } } // namespace @@ -103,27 +139,8 @@ CHIP_ERROR CHIPCommand::MaybeSetUpStack() factoryInitParams.listenPort = port; ReturnLogErrorOnFailure(DeviceControllerFactory::GetInstance().Init(factoryInitParams)); - if (!mPaaTrustStorePath.HasValue()) - { - char * const trust_store_path = getenv(kTrustStorePathVariable); - if (trust_store_path != nullptr) - { - mPaaTrustStorePath.SetValue(trust_store_path); - } - } - sPaaTrustStore = mPaaTrustStorePath.HasValue() ? GetTestFileAttestationTrustStore(mPaaTrustStorePath.Value()) - : chip::Credentials::GetTestAttestationTrustStore(); - ; - if (mPaaTrustStorePath.HasValue() && sPaaTrustStore == nullptr) - { - ChipLogError(chipTool, "No PAAs found in path: %s", mPaaTrustStorePath.Value()); - ChipLogError(chipTool, - "Please specify a valid path containing trusted PAA certificates using" - "the argument [--paa-trust-store-path paa/file/path]" - "or environment variable [%s=paa/file/path]", - kTrustStorePathVariable); - return CHIP_ERROR_INVALID_ARGUMENT; - } + ReturnErrorOnFailure( + GetAttestationTrustStore(mPaaTrustStorePath.ValueOr(nullptr), mCDTrustStorePath.ValueOr(nullptr), &sTrustStore)); ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityNull, kIdentityNullFabricId)); @@ -343,7 +360,7 @@ CHIP_ERROR CHIPCommand::InitializeCommissioner(std::string key, chip::FabricId f std::unique_ptr commissioner = std::make_unique(); chip::Controller::SetupParams commissionerParams; - ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams, sPaaTrustStore)); + ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams, sTrustStore)); VerifyOrReturnError(noc.Alloc(chip::Controller::kMaxCHIPDERCertLength), CHIP_ERROR_NO_MEMORY); VerifyOrReturnError(icac.Alloc(chip::Controller::kMaxCHIPDERCertLength), CHIP_ERROR_NO_MEMORY); diff --git a/examples/chip-tool/commands/common/CHIPCommand.h b/examples/chip-tool/commands/common/CHIPCommand.h index 7dd36a7c7d6214..148f79129101fd 100644 --- a/examples/chip-tool/commands/common/CHIPCommand.h +++ b/examples/chip-tool/commands/common/CHIPCommand.h @@ -65,6 +65,9 @@ class CHIPCommand : public Command AddArgument("paa-trust-store-path", &mPaaTrustStorePath, "Path to directory holding PAA certificate information. Can be absolute or relative to the current working " "directory."); + AddArgument("cd-trust-store-path", &mCDTrustStorePath, + "Path to directory holding CD certificate information. Can be absolute or relative to the current working " + "directory."); AddArgument("commissioner-name", &mCommissionerName, "Name of fabric to use. Valid values are \"alpha\", \"beta\", \"gamma\", and integers greater than or equal to " "4. The default if not specified is \"alpha\"."); @@ -156,11 +159,12 @@ class CHIPCommand : public Command chip::Optional mCommissionerNodeId; chip::Optional mBleAdapterId; chip::Optional mPaaTrustStorePath; + chip::Optional mCDTrustStorePath; chip::Optional mUseMaxSizedCerts; // Cached trust store so commands other than the original startup command // can spin up commissioners as needed. - static const chip::Credentials::AttestationTrustStore * sPaaTrustStore; + static const chip::Credentials::AttestationTrustStore * sTrustStore; static void RunQueuedCommand(intptr_t commandArg);