/src/connectedhomeip/src/controller/OperationalCredentialsDelegate.h
/*
 *
 *    Copyright (c) 2021 Project CHIP Authors
 *    All rights reserved.
 *
 *    Licensed under the Apache License, Version 2.0 (the "License");
 *    you may not use this file except in compliance with the License.
 *    You may obtain a copy of the License at
 *
 *        http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing, software
 *    distributed under the License is distributed on an "AS IS" BASIS,
 *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *    See the License for the specific language governing permissions and
 *    limitations under the License.
 */
#pragma once
#include <app/util/basic-types.h>
#include <crypto/CHIPCryptoPAL.h>
#include <lib/core/CHIPCallback.h>
#include <lib/core/PeerId.h>
#include <lib/support/DLLUtil.h>
#include <lib/support/Span.h>
#include <transport/raw/MessageHeader.h>
namespace chip {
namespace Controller {
/// Signature of the completion callback handed to
/// OperationalCredentialsDelegate::GenerateNOCChain().
///
/// The callback receives the caller-supplied `context`, a `status` code, the
/// `noc`, `icac` and `rcac` certificate spans, and optionally an identity
/// protection key (`ipk`) and an admin subject node ID (`adminSubject`).
///
/// NOTE(review): the certificate spans are passed by const reference; this
/// header does not show whether the underlying buffers remain valid after the
/// callback returns - confirm before retaining them.
using OnNOCChainGeneration = void (*)(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
                                      const ByteSpan & rcac, Optional<Crypto::IdentityProtectionKeySpan> ipk,
                                      Optional<NodeId> adminSubject);
/// NOTE(review): presumably the maximum size, in bytes, of a DER-encoded
/// certificate; the constant is not used in this header - confirm at call sites.
inline constexpr uint32_t kMaxCHIPDERCertLength{ 600 };
/// Exact size, in bytes, that OperationalCredentialsDelegate::ObtainCsrNonce()
/// requires of the CSR nonce buffer.
inline constexpr size_t kCSRNonceLength{ 32 };
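/// Callbacks for CHIP operational credentials generation.
///
/// An implementation produces the operational certificate chain for a device
/// being commissioned and reports it through an OnNOCChainGeneration callback.
/// GenerateNOCChain() is the only pure-virtual member; the remaining members
/// have default implementations that subclasses may override.
class DLL_EXPORT OperationalCredentialsDelegate
{
public:
    virtual ~OperationalCredentialsDelegate() = default;

    /**
     * @brief
     *   This function generates an operational certificate chain for a remote device that is being commissioned.
     *   The API generates the certificate in X.509 DER format.
     *
     *   The delegate is expected to use the certificate authority whose certificate
     *   is returned in `GetRootCACertificate()` API call.
     *   NOTE(review): `GetRootCACertificate()` is not declared on this class in this header - confirm
     *   which API is meant.
     *
     *   The delegate will call `onCompletion` when the NOC certificate chain is ready.
     *
     *   NOTE(review): the CSR elements, attestation signature, attestation challenge, DAC and PAI are
     *   passed through as raw byte spans. This header does not show whether the caller has already
     *   verified the device attestation and the signature over `csrElements`; an implementation that
     *   signs with a real CA key should confirm where that verification happens before issuing a NOC.
     *
     * @param[in] csrElements          CSR elements as per specifications section 11.18.5.6. NOCSR Elements.
     * @param[in] csrNonce             CSR nonce as described in 6.4.6.1
     * @param[in] attestationSignature Attestation signature as per specifications section 11.22.7.6. CSRResponse Command.
     * @param[in] attestationChallenge Attestation challenge as per 11.18.5.7
     * @param[in] DAC                  Device attestation certificate received from the device being commissioned
     * @param[in] PAI                  Product Attestation Intermediate certificate
     * @param[in] onCompletion         Callback handler to provide generated NOC chain to the caller of GenerateNOCChain()
     *
     * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
     */
    virtual CHIP_ERROR GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,
                                        const ByteSpan & attestationSignature, const ByteSpan & attestationChallenge,
                                        const ByteSpan & DAC, const ByteSpan & PAI,
                                        Callback::Callback<OnNOCChainGeneration> * onCompletion) = 0;

    /**
     *   This function sets the node ID for which the next NOC Chain would be requested. The node ID is
     *   provided as a hint, and the delegate implementation may choose to ignore it and pick node ID of
     *   their choice.
     *
     *   The default implementation does nothing with `nodeId`.
     */
    virtual void SetNodeIdForNextNOCRequest(NodeId nodeId) {}

    /**
     *   This function sets the fabric ID for which the next NOC Chain should be generated. This API is
     *   not required to be implemented if the delegate implementation has other mechanisms to find the
     *   fabric ID.
     *
     *   The default implementation does nothing with `fabricId`.
     */
    virtual void SetFabricIdForNextNOCRequest(FabricId fabricId) {}

    /**
     * @brief
     *   This function fills `csrNonce` with the CSR nonce.
     *
     *   The default implementation requires the span to be exactly kCSRNonceLength bytes long and
     *   fills it with the output of Crypto::DRBG_get_bytes().
     *
     *   NOTE(review): an override that sources the nonce differently should keep it unpredictable and
     *   fresh for every request; presumably the nonce is what ties a CSR response to the request that
     *   asked for it - confirm against the specification section cited for `csrNonce` in
     *   GenerateNOCChain().
     *
     * @param[in,out] csrNonce  Buffer to fill; its size must equal kCSRNonceLength.
     *
     * @return CHIP_ERROR CHIP_NO_ERROR on success, CHIP_ERROR_INVALID_ARGUMENT if the span size differs
     *         from kCSRNonceLength, or the error reported by Crypto::DRBG_get_bytes().
     */
    virtual CHIP_ERROR ObtainCsrNonce(MutableByteSpan & csrNonce)
    {
        // Reject any buffer that is not exactly nonce-sized before writing random bytes into it.
        VerifyOrReturnError(csrNonce.size() == kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);
        ReturnErrorOnFailure(Crypto::DRBG_get_bytes(csrNonce.data(), csrNonce.size()));
        return CHIP_NO_ERROR;
    }
};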
} // namespace Controller
} // namespace chip