forked from project-chip/connectedhomeip
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Java] Implement the trust store delegate API for customized device a…
…ttestation (project-chip#25471) * [Java]Implement truststore delegate API * Address the review comments
- Loading branch information
1 parent
9f5b1ab
commit 9a47eef
Showing
10 changed files
with
385 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
43 changes: 43 additions & 0 deletions
43
...rc/main/java/com/google/chip/chiptool/attestation/ExampleAttestationTrustStoreDelegate.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
package com.google.chip.chiptool.attestation | ||
|
||
import android.util.Base64 | ||
import chip.devicecontroller.AttestationTrustStoreDelegate | ||
import chip.devicecontroller.ChipDeviceController | ||
import java.util.* | ||
|
||
class ExampleAttestationTrustStoreDelegate(val chipDeviceController: ChipDeviceController) : | ||
AttestationTrustStoreDelegate { | ||
|
||
private val paaCerts = arrayListOf(TEST_PAA_FFF1_Cert, TEST_PAA_NOVID_CERT) | ||
|
||
override fun getProductAttestationAuthorityCert(skid: ByteArray): ByteArray? { | ||
return paaCerts | ||
.map { Base64.decode(it, Base64.DEFAULT) } | ||
.firstOrNull { cert -> chipDeviceController.extractSkidFromPaaCert(cert) == skid } | ||
} | ||
|
||
companion object { | ||
const val TEST_PAA_FFF1_Cert = | ||
"MIIBvTCCAWSgAwIBAgIITqjoMYLUHBwwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwP\n" + | ||
"TWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMTA2Mjgx\n" + | ||
"NDIzNDNaGA85OTk5MTIzMTIzNTk1OVowMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3Qg\n" + | ||
"UEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEH\n" + | ||
"A0IABLbLY3KIfyko9brIGqnZOuJDHK2p154kL2UXfvnO2TKijs0Duq9qj8oYShpQ\n" + | ||
"NUKWDUU/MD8fGUIddR6Pjxqam3WjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD\n" + | ||
"VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAfBgNV\n" + | ||
"HSMEGDAWgBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAKBggqhkjOPQQDAgNHADBEAiBQ\n" + | ||
"qoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpH\n" + | ||
"mUkpxyqvChVI1A0DTVFLJd4=" | ||
|
||
const val TEST_PAA_NOVID_CERT = | ||
"MIIBkTCCATegAwIBAgIHC4+6qN2G7jAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA9N\n" + | ||
"YXR0ZXIgVGVzdCBQQUEwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTla\n" + | ||
"MBoxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTBZMBMGByqGSM49AgEGCCqGSM49\n" + | ||
"AwEHA0IABBDvAqgah7aBIfuo0xl4+AejF+UKqKgoRGgokUuTPejt1KXDnJ/3Gkzj\n" + | ||
"ZH/X9iZTt9JJX8ukwPR/h2iAA54HIEqjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\n" + | ||
"DgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR4XOcFuGuPTm/Hk6pgy0PqaWiC1TAf\n" + | ||
"BgNVHSMEGDAWgBR4XOcFuGuPTm/Hk6pgy0PqaWiC1TAKBggqhkjOPQQDAgNIADBF\n" + | ||
"AiEAue/bPqBqUuwL8B5h2u0sLRVt22zwFBAdq3mPrAX6R+UCIGAGHT411g2dSw1E\n" + | ||
"ja12EvfoXFguP8MS3Bh5TdNzcV5d" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
/** | ||
* | ||
* Copyright (c) 2023 Project CHIP Authors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
#include "AttestationTrustStoreBridge.h" | ||
#include <credentials/CHIPCert.h> | ||
#include <lib/support/CHIPJNIError.h> | ||
#include <lib/support/CodeUtils.h> | ||
#include <lib/support/JniReferences.h> | ||
#include <lib/support/JniTypeWrappers.h> | ||
#include <lib/support/logging/CHIPLogging.h> | ||
|
||
using namespace chip; | ||
|
||
AttestationTrustStoreBridge::~AttestationTrustStoreBridge() | ||
{ | ||
if (mAttestationTrustStoreDelegate != nullptr) | ||
{ | ||
JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread(); | ||
VerifyOrReturn(env != nullptr, ChipLogError(Controller, "Could not get JNIEnv for current thread")); | ||
env->DeleteGlobalRef(mAttestationTrustStoreDelegate); | ||
mAttestationTrustStoreDelegate = nullptr; | ||
} | ||
} | ||
|
||
CHIP_ERROR AttestationTrustStoreBridge::GetProductAttestationAuthorityCert(const chip::ByteSpan & skid, | ||
chip::MutableByteSpan & outPaaDerBuffer) const | ||
{ | ||
VerifyOrReturnError(skid.size() == chip::Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT); | ||
|
||
constexpr size_t paaCertAllocatedLen = chip::Credentials::kMaxDERCertLength; | ||
Platform::ScopedMemoryBuffer<uint8_t> paaCert; | ||
VerifyOrReturnError(paaCert.Alloc(paaCertAllocatedLen), CHIP_ERROR_NO_MEMORY); | ||
|
||
MutableByteSpan paaDerBuffer{ paaCert.Get(), paaCertAllocatedLen }; | ||
ReturnErrorOnFailure(GetPaaCertFromJava(skid, paaDerBuffer)); | ||
|
||
uint8_t skidBuf[chip::Crypto::kSubjectKeyIdentifierLength] = { 0 }; | ||
chip::MutableByteSpan candidateSkidSpan{ skidBuf }; | ||
VerifyOrReturnError(CHIP_NO_ERROR == chip::Crypto::ExtractSKIDFromX509Cert(paaDerBuffer, candidateSkidSpan), | ||
CHIP_ERROR_INTERNAL); | ||
|
||
// Make sure the skid of the paa cert is match. | ||
if (skid.data_equal(candidateSkidSpan)) | ||
{ | ||
// Found a match | ||
return CopySpanToMutableSpan(paaDerBuffer, outPaaDerBuffer); | ||
} | ||
return CHIP_ERROR_CA_CERT_NOT_FOUND; | ||
} | ||
|
||
CHIP_ERROR AttestationTrustStoreBridge::GetPaaCertFromJava(const chip::ByteSpan & skid, | ||
chip::MutableByteSpan & outPaaDerBuffer) const | ||
{ | ||
JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread(); | ||
jclass attestationTrustStoreDelegateCls = nullptr; | ||
jbyteArray javaSkid = nullptr; | ||
jmethodID getProductAttestationAuthorityCertMethod = nullptr; | ||
|
||
JniReferences::GetInstance().GetClassRef(env, "chip/devicecontroller/AttestationTrustStoreDelegate", | ||
attestationTrustStoreDelegateCls); | ||
VerifyOrReturnError(attestationTrustStoreDelegateCls != nullptr, CHIP_JNI_ERROR_TYPE_NOT_FOUND); | ||
JniClass attestationTrustStoreDelegateJniCls(attestationTrustStoreDelegateCls); | ||
|
||
JniReferences::GetInstance().FindMethod(env, mAttestationTrustStoreDelegate, "getProductAttestationAuthorityCert", "([B)[B", | ||
&getProductAttestationAuthorityCertMethod); | ||
VerifyOrReturnError(getProductAttestationAuthorityCertMethod != nullptr, CHIP_JNI_ERROR_METHOD_NOT_FOUND); | ||
|
||
JniReferences::GetInstance().N2J_ByteArray(env, skid.data(), static_cast<jsize>(skid.size()), javaSkid); | ||
VerifyOrReturnError(javaSkid != nullptr, CHIP_ERROR_NO_MEMORY); | ||
|
||
jbyteArray javaPaaCert = | ||
(jbyteArray) env->CallObjectMethod(mAttestationTrustStoreDelegate, getProductAttestationAuthorityCertMethod, javaSkid); | ||
VerifyOrReturnError(javaPaaCert != nullptr, CHIP_ERROR_CA_CERT_NOT_FOUND); | ||
|
||
JniByteArray paaCertBytes(env, javaPaaCert); | ||
CopySpanToMutableSpan(paaCertBytes.byteSpan(), outPaaDerBuffer); | ||
|
||
return CHIP_NO_ERROR; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
/** | ||
* | ||
* Copyright (c) 2023 Project CHIP Authors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
#include <credentials/attestation_verifier/DeviceAttestationVerifier.h> | ||
#include <lib/support/JniReferences.h> | ||
#include <lib/support/Span.h> | ||
|
||
class AttestationTrustStoreBridge : public chip::Credentials::AttestationTrustStore | ||
{ | ||
public: | ||
AttestationTrustStoreBridge(jobject attestationTrustStoreDelegate) : | ||
mAttestationTrustStoreDelegate(attestationTrustStoreDelegate) | ||
{} | ||
~AttestationTrustStoreBridge(); | ||
|
||
CHIP_ERROR GetProductAttestationAuthorityCert(const chip::ByteSpan & skid, | ||
chip::MutableByteSpan & outPaaDerBuffer) const override; | ||
|
||
protected: | ||
jobject mAttestationTrustStoreDelegate = nullptr; | ||
|
||
CHIP_ERROR GetPaaCertFromJava(const chip::ByteSpan & skid, chip::MutableByteSpan & outPaaDerBuffer) const; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.