Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any API to provide custom root certificate authority (RootCA) ? #90

Open
KhushbuShah25 opened this issue Feb 28, 2023 · 7 comments
Open

Any API to provide custom root certificate authority (RootCA) ? #90

KhushbuShah25 opened this issue Feb 28, 2023 · 7 comments
Labels
Fabric management

Comments

@KhushbuShah25
Copy link

Is there any way to provide custom root CA for custom fabric ?
@yufengwangca
Copy link

I am currently working on this, we will provide the AttestationTrustStore delegate API to allow the vendor to set their own PAA list

@nicelyjust
Copy link

Which paa certificates are supported by GHSA so far ?Are there other certificates besides the default PAA test certificate? For example the list of PAAs in the DCL?
can someone give me some pointers?Appreciate your help. @pierredelisle @yufengwangca

@KhushbuShah25
Copy link
Author

Hi @yufengwangca,

Firstly thanks for the update.

Actually sorry for providing less information in question. Updating my question here.

Updated question :

Hi @pierredelisle / @yufengwangca ,
Basically, I want to commission matter device in my custom fabric.
For this I need to perform below steps :

  1. I need to get CSR from the device.
  2. Pass CSR to our proprietary cloud.
  3. I will get root CA cert and device cert (NOC) from our cloud for our fabric.
  4. Need to send those to device (root CA and device cert).

For the first step, I want to receive callback and CSR value in Android application at java layer... (I guess after 'ValidateCSR' from chiptool lib)
I am able to receive CSR at android application java layer in this callback. But from logs, it seems different than required.

If you see in attached logs, library is requesting and getting CSR from device, validating it, generating NOC, sending root certificate to the device and after that gives above callback to app.

Screenshot 2023-03-15 at 22 30 58

I want to modify this flow as per above steps. So after getting CSR in app, need to call our cloud API to get root CA and device cert for our fabric.
And after that want to send these information to device (java to chiptool lib call)

Is there any API or way to do this ?
Seems need to modify CHIPController in library to give callback at java layer and vice versa.
Can anyone guide me for this ?

Thanks.

@KhushbuShah25
Copy link
Author

Hi @yufengwangca , @pierredelisle ,

Is NOCChainIssuer a relevant API to skip root CA certificate and device certificate (NOC) generation in commissioning flow ?

Can I get a callback at Android app layer and provide my own certificates (from proprietary cloud) to commission device in custom fabric ?

@jonsmirl
Copy link

jonsmirl commented Apr 8, 2023

Does this work as an alternative way to solve this problem? For each user account, generate an intermediate CA in the cloud. Then download that intermediate CA into the commissioner. Let the intermediate CA generate device certificates and sign the CSRs locally. Intermediate CA private key is stored in the commissioner's trust zone.

@jonsmirl
Copy link

controller.newBuilder() has a parameter of OperationalKeyConfig() and OperationalKeyConfig accepts KeypairDelegate which has a signing API.
https://github.com/project-chip/connectedhomeip/blob/master/src/controller/java/src/chip/devicecontroller/KeypairDelegate.java

  /**
   * Signs the given message with the private key (generating one if it has not yet been created)
   * using ECDSA and returns a DER-encoded signature.
   *
   * @throws KeypairException if a private key could not be resolved, or the message could not be
   *     signed
   */
  byte[] ecdsaSignMessage(byte[] message) throws KeypairException;

  /** Encompassing exception to encapsulate errors thrown during operations. */
  final class KeypairException extends Exception {
    private static final long serialVersionUID = 2646523289554350914L;

    /** Constructs an exception with the specified {@code msg} as the message. */
    public KeypairException(String msg) {
      super(msg);
    }
    /**
     * Constructs an exception with the specified {@code msg} as the message and the provided {@code
     * cause}.
     */
    public KeypairException(String msg, Throwable cause) {
      super(msg, cause);
    }
  }

@KhushbuShah25
Copy link
Author

Hi @jonsmirl ,

Thank you so much for the answer. I am trying to understand the things.
I have also checked your NOC related question and comments.
Checked the mention APIs like OperationalKeyConfig and KeypairDelegate.
OperationalKeyConfig requires "nodeOperationalCertificate" at the time of init.
But I will able to get it from the cloud after sending CSR. And app will receive CSR during commissioning process.

Basically, I want to commission matter device in my custom fabric. Here is the required flow and some of my understanding.

Start commissioning device --> Google will do commission to its fabric using BLE --> Start commissioning on network --> Get CSR from device --> App will pass this CSR to cloud and will get RootCA & NOC --> Send NOC to device --> complete commissioning.

So want to get control and callback in-between commissioning process at Android app side for CSR and NOC. From the documentation of NOCChainIssuer, I thought it will useful for getting CSR information in onNOCChainGenerationNeeded callback at app side and then provide NOC to the device.
I am still confused, which API should I use for my requirement and how to use it ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Fabric management
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jonsmirl @pierredelisle @KhushbuShah25 @nicelyjust @yufengwangca