Verify that public key in NOC matches public key generated by node an…

…d sent in CSRResponse message. (#18530)
project-chip · Sep 29, 2023 · 1294832 · 1294832
1 parent 2f4281a
commit 1294832
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/credentials/FabricTable.cpp b/src/credentials/FabricTable.cpp
@@ -595,8 +595,10 @@ CHIP_ERROR FabricInfo::SetFabricInfo(FabricInfo & newFabric)
         return CHIP_ERROR_INVALID_ARGUMENT;
     }
 
-    // TODO: https://github.com/project-chip/connectedhomeip/issues/8433 -- Should verify that pubkey matches operationalKey's
-    // public key.
+    // Verify that public key in NOC matches public key generated by node and sent in CSRResponse message.
+    VerifyOrReturnError(operationalKey->Pubkey().Length() == pubkey.Length(), CHIP_ERROR_INVALID_PUBLIC_KEY);
+    VerifyOrReturnError(memcmp(operationalKey->Pubkey().ConstBytes(), pubkey.Bytes(), pubkey.Length()) == 0,
+                        CHIP_ERROR_INVALID_PUBLIC_KEY);
 
     if (newFabric.mHasExternallyOwnedOperationalKey)
     {