-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
Copy pathOperationalCredentialsDelegate.h
93 lines (82 loc) · 4.05 KB
/
OperationalCredentialsDelegate.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
/*
*
* Copyright (c) 2021 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <app/util/basic-types.h>
#include <crypto/CHIPCryptoPAL.h>
#include <lib/core/CHIPCallback.h>
#include <lib/core/PeerId.h>
#include <lib/support/DLLUtil.h>
#include <lib/support/Span.h>
#include <transport/raw/MessageHeader.h>
namespace chip {
namespace Controller {
typedef void (*OnNOCChainGeneration)(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
const ByteSpan & rcac, Optional<Crypto::IdentityProtectionKeySpan> ipk,
Optional<NodeId> adminSubject);
inline constexpr uint32_t kMaxCHIPDERCertLength = 600;
inline constexpr size_t kCSRNonceLength = 32;
/// Callbacks for CHIP operational credentials generation
class DLL_EXPORT OperationalCredentialsDelegate
{
public:
virtual ~OperationalCredentialsDelegate() {}
/**
* @brief
* This function generates an operational certificate chain for a remote device that is being commissioned.
* The API generates the certificate in X.509 DER format.
*
* The delegate is expected to use the certificate authority whose certificate
* is returned in `GetRootCACertificate()` API call.
*
* The delegate will call `onCompletion` when the NOC certificate chain is ready.
*
* @param[in] csrElements CSR elements as per specifications section 11.18.5.6. NOCSR Elements.
* @param[in] csrNonce CSR nonce as described in 6.4.6.1
* @param[in] attestationSignature Attestation signature as per specifications section 11.22.7.6. CSRResponse Command.
* @param[in] attestationChallenge Attestation challenge as per 11.18.5.7
* @param[in] DAC Device attestation certificate received from the device being commissioned
* @param[in] PAI Product Attestation Intermediate certificate
* @param[in] onCompletion Callback handler to provide generated NOC chain to the caller of GenerateNOCChain()
*
* @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
*/
virtual CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
const ByteSpan & attestationSignature, const ByteSpan & attestationChallenge,
const ByteSpan & DAC, const ByteSpan & PAI,
Callback::Callback<OnNOCChainGeneration> * onCompletion) = 0;
/**
* This function sets the node ID for which the next NOC Chain would be requested. The node ID is
* provided as a hint, and the delegate implementation may chose to ignore it and pick node ID of
* their choice.
*/
virtual void SetNodeIdForNextNOCRequest(NodeId nodeId) {}
/**
* This function sets the fabric ID for which the next NOC Chain should be generated. This API is
* not required to be implemented if the delegate implementation has other mechanisms to find the
* fabric ID.
*/
virtual void SetFabricIdForNextNOCRequest(FabricId fabricId) {}
virtual CHIP_ERROR ObtainCsrNonce(MutableByteSpan & csrNonce)
{
VerifyOrReturnError(csrNonce.size() == kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);
ReturnErrorOnFailure(Crypto::DRBG_get_bytes(csrNonce.data(), csrNonce.size()));
return CHIP_NO_ERROR;
}
};
} // namespace Controller
} // namespace chip