diff --git a/src/adaptations/device-layer/DeviceControlServer.cpp b/src/adaptations/device-layer/DeviceControlServer.cpp old mode 100644 new mode 100755 index 13bf96bae4..2d48a2a3be --- a/src/adaptations/device-layer/DeviceControlServer.cpp +++ b/src/adaptations/device-layer/DeviceControlServer.cpp @@ -74,9 +74,11 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags) // service provisioning data, if present. if (((resetFlags & kResetConfigFlag_ServiceConfig) != 0) #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - // Always reset service provisioning data, when requested to reset operational - // device credentials. - || ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0) + // Service config and operational credentials are closely corelated: + // 1. Reset service config when requested to clear operational credentials. + // 2. Clear and generate new operational credentials when requested to reset + // service config. + || ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0) #endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING ) { @@ -116,21 +118,6 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags) ThreadStackMgr().ClearThreadProvision(); #endif // WEAVE_DEVICE_CONFIG_ENABLE_THREAD } - -#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - // If the device operational credentials reset has been requested, clear - // the device operational credentials, if present. - if ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0) - { - WeaveLogProgress(DeviceLayer, "Reset operational credentials"); - tmpErr = ConfigurationMgr().ClearOperationalDeviceCredentials(); - if (tmpErr != WEAVE_NO_ERROR) - { - WeaveLogProgress(DeviceLayer, "ConfigurationMgr().ClearOperationalDeviceCredentials() failed: %s", ErrorStr(tmpErr)); - err = (err == WEAVE_NO_ERROR) ? tmpErr : err; - } - } -#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING } return err; diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/ConfigurationManager.h b/src/adaptations/device-layer/include/Weave/DeviceLayer/ConfigurationManager.h old mode 100644 new mode 100755 index 8b2a8416a6..f765edd7b3 --- a/src/adaptations/device-layer/include/Weave/DeviceLayer/ConfigurationManager.h +++ b/src/adaptations/device-layer/include/Weave/DeviceLayer/ConfigurationManager.h @@ -96,12 +96,6 @@ class ConfigurationManager WEAVE_ERROR StoreManufacturingDate(const char * mfgDate, size_t mfgDateLen); WEAVE_ERROR StoreProductRevision(uint16_t productRev); WEAVE_ERROR StoreFabricId(uint64_t fabricId); -#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - WEAVE_ERROR StoreDeviceId(uint64_t deviceId); - WEAVE_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen); - WEAVE_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen); - WEAVE_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen); -#endif WEAVE_ERROR StoreManufacturerDeviceId(uint64_t deviceId); WEAVE_ERROR StoreManufacturerDeviceCertificate(const uint8_t * cert, size_t certLen); WEAVE_ERROR StoreManufacturerDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen); @@ -124,9 +118,6 @@ class ConfigurationManager bool IsPairedToAccount(); bool IsMemberOfFabric(); bool IsFullyProvisioned(); -#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - bool OperationalDeviceCredentialsProvisioned(); -#endif void InitiateFactoryReset(); @@ -155,7 +146,9 @@ class ConfigurationManager WEAVE_ERROR ReadPersistedStorageValue(::nl::Weave::Platform::PersistedStorage::Key key, uint32_t & value); WEAVE_ERROR WritePersistedStorageValue(::nl::Weave::Platform::PersistedStorage::Key key, uint32_t value); #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - WEAVE_ERROR ClearOperationalDeviceCredentials(void); + WEAVE_ERROR GenerateOperationalDeviceCredentials(void); + WEAVE_ERROR StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen); + bool AreOperationalDeviceCredentialsProvisioned(void); void UseManufacturerCredentialsAsOperational(bool val); #endif @@ -355,30 +348,6 @@ inline WEAVE_ERROR ConfigurationManager::StoreFabricId(uint64_t fabricId) return static_cast(this)->_StoreFabricId(fabricId); } -#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - -inline WEAVE_ERROR ConfigurationManager::StoreDeviceId(uint64_t deviceId) -{ - return static_cast(this)->_StoreDeviceId(deviceId); -} - -inline WEAVE_ERROR ConfigurationManager::StoreDeviceCertificate(const uint8_t * cert, size_t certLen) -{ - return static_cast(this)->_StoreDeviceCertificate(cert, certLen); -} - -inline WEAVE_ERROR ConfigurationManager::StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen) -{ - return static_cast(this)->_StoreDeviceIntermediateCACerts(certs, certsLen); -} - -inline WEAVE_ERROR ConfigurationManager::StoreDevicePrivateKey(const uint8_t * key, size_t keyLen) -{ - return static_cast(this)->_StoreDevicePrivateKey(key, keyLen); -} - -#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - inline WEAVE_ERROR ConfigurationManager::StoreManufacturerDeviceId(uint64_t deviceId) { return static_cast(this)->_StoreManufacturerDeviceId(deviceId); @@ -521,14 +490,19 @@ inline WEAVE_ERROR ConfigurationManager::SetFailSafeArmed(bool val) #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING -inline bool ConfigurationManager::OperationalDeviceCredentialsProvisioned() +inline WEAVE_ERROR ConfigurationManager::GenerateOperationalDeviceCredentials(void) +{ + return static_cast(this)->_GenerateOperationalDeviceCredentials(); +} + +inline WEAVE_ERROR ConfigurationManager::StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen) { - return static_cast(this)->_OperationalDeviceCredentialsProvisioned(); + return static_cast(this)->_StoreOperationalDeviceCertificates(cert, certLen, icaCerts, icaCertsLen); } -inline WEAVE_ERROR ConfigurationManager::ClearOperationalDeviceCredentials(void) +inline bool ConfigurationManager::AreOperationalDeviceCredentialsProvisioned() { - return static_cast(this)->_ClearOperationalDeviceCredentials(); + return static_cast(this)->_AreOperationalDeviceCredentialsProvisioned(); } inline void ConfigurationManager::UseManufacturerCredentialsAsOperational(bool val) diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceConfig.h b/src/adaptations/device-layer/include/Weave/DeviceLayer/WeaveDeviceConfig.h old mode 100644 new mode 100755 diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.h b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.h old mode 100644 new mode 100755 index e4d86b3e89..ffb702f78d --- a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.h +++ b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.h @@ -70,13 +70,6 @@ class GenericConfigurationManagerImpl WEAVE_ERROR _GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen); WEAVE_ERROR _GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize, size_t & certsLen); WEAVE_ERROR _GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen); -#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - WEAVE_ERROR _StoreDeviceId(uint64_t deviceId); - WEAVE_ERROR _StoreDeviceCertificate(const uint8_t * cert, size_t certLen); - WEAVE_ERROR _StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen); - WEAVE_ERROR _StoreDevicePrivateKey(const uint8_t * key, size_t keyLen); - WEAVE_ERROR _ClearOperationalDeviceCredentials(void); -#endif WEAVE_ERROR _GetManufacturerDeviceId(uint64_t & deviceId); WEAVE_ERROR _StoreManufacturerDeviceId(uint64_t deviceId); WEAVE_ERROR _GetManufacturerDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen); @@ -110,7 +103,9 @@ class GenericConfigurationManagerImpl bool _IsFullyProvisioned(); WEAVE_ERROR _ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize); #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - bool _OperationalDeviceCredentialsProvisioned(); + WEAVE_ERROR _GenerateOperationalDeviceCredentials(void); + WEAVE_ERROR _StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen); + bool _AreOperationalDeviceCredentialsProvisioned(void); void _UseManufacturerCredentialsAsOperational(bool val); #endif @@ -121,8 +116,7 @@ class GenericConfigurationManagerImpl kFlag_IsServiceProvisioned = 0x01, kFlag_IsMemberOfFabric = 0x02, kFlag_IsPairedToAccount = 0x04, - kFlag_OperationalDeviceCredentialsProvisioned = 0x08, - kFlag_UseManufacturerCredentialsAsOperational = 0x10, + kFlag_UseManufacturerCredentialsAsOperational = 0x08, }; uint8_t mFlags; @@ -130,6 +124,17 @@ class GenericConfigurationManagerImpl void LogDeviceConfig(); WEAVE_ERROR PersistProvisioningData(ProvisioningDataSet & provData); +#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING + WEAVE_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen); + WEAVE_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen); + + // These methods can be overridden by the platform/product specific implementations + // that support secure environment or secure element for secure processing, handling, + // and potentially secure storage of a device private key. + WEAVE_ERROR GenerateOperationalDevicePrivateKey(EncodedECPublicKey& pubKey); + static WEAVE_ERROR GenerateOperationalDeviceECDSASignature(const uint8_t *hash, uint8_t hashLen, EncodedECDSASignature& ecdsaSig); +#endif + private: ImplClass * Impl() { return static_cast(this); } @@ -137,6 +142,11 @@ class GenericConfigurationManagerImpl static void HashLengthAndBase64Value(Platform::Security::SHA256 & hash, const uint8_t * val, uint16_t valLen); #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING + WEAVE_ERROR StoreDeviceId(uint64_t deviceId); + WEAVE_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen); + WEAVE_ERROR GenerateOperationalDeviceId(void); + WEAVE_ERROR GenerateOperationalDeviceCertificate(EncodedECPublicKey& pubKey); + WEAVE_ERROR GenerateOperationalDeviceCertificateAndPrivateKey(void); bool UseManufacturerCredentialsAsOperational(); #endif }; diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.ipp b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.ipp old mode 100644 new mode 100755 index 601d031300..540363c730 --- a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.ipp +++ b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.ipp @@ -30,6 +30,7 @@ #include #include #include +#include #if WEAVE_DEVICE_CONFIG_ENABLE_THREAD #include @@ -53,7 +54,6 @@ WEAVE_ERROR GenericConfigurationManagerImpl::_Init() SetFlag(mFlags, kFlag_IsServiceProvisioned, Impl()->ConfigValueExists(ImplClass::kConfigKey_ServiceConfig)); SetFlag(mFlags, kFlag_IsMemberOfFabric, Impl()->ConfigValueExists(ImplClass::kConfigKey_FabricId)); SetFlag(mFlags, kFlag_IsPairedToAccount, Impl()->ConfigValueExists(ImplClass::kConfigKey_PairedAccountId)); - SetFlag(mFlags, kFlag_OperationalDeviceCredentialsProvisioned, Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDeviceCert)); return WEAVE_NO_ERROR; } @@ -478,58 +478,262 @@ WEAVE_ERROR GenericConfigurationManagerImpl::_GetDevicePrivateKey(uin #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING template -WEAVE_ERROR GenericConfigurationManagerImpl::_StoreDeviceId(uint64_t deviceId) +WEAVE_ERROR GenericConfigurationManagerImpl::StoreDeviceId(uint64_t deviceId) { return Impl()->WriteConfigValue(ImplClass::kConfigKey_OperationalDeviceId, deviceId); } template -WEAVE_ERROR GenericConfigurationManagerImpl::_StoreDeviceCertificate(const uint8_t * cert, size_t certLen) +WEAVE_ERROR GenericConfigurationManagerImpl::StoreDeviceCertificate(const uint8_t * cert, size_t certLen) { return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceCert, cert, certLen); } template -WEAVE_ERROR GenericConfigurationManagerImpl::_StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen) +WEAVE_ERROR GenericConfigurationManagerImpl::StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen) { return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDeviceICACerts, certs, certsLen); } template -WEAVE_ERROR GenericConfigurationManagerImpl::_StoreDevicePrivateKey(const uint8_t * key, size_t keyLen) +WEAVE_ERROR GenericConfigurationManagerImpl::StoreDevicePrivateKey(const uint8_t * key, size_t keyLen) { return Impl()->WriteConfigValueBin(ImplClass::kConfigKey_OperationalDevicePrivateKey, key, keyLen); } template -WEAVE_ERROR GenericConfigurationManagerImpl::_ClearOperationalDeviceCredentials(void) +bool GenericConfigurationManagerImpl::_AreOperationalDeviceCredentialsProvisioned(void) { - Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceId); - Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert); - Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts); - Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey); + return Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDeviceId) && + Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDeviceCert) && + Impl()->ConfigValueExists(ImplClass::kConfigKey_OperationalDevicePrivateKey); +} - ClearFlag(mFlags, kFlag_OperationalDeviceCredentialsProvisioned); +template +bool GenericConfigurationManagerImpl::UseManufacturerCredentialsAsOperational(void) +{ + return ::nl::GetFlag(mFlags, kFlag_UseManufacturerCredentialsAsOperational); +} - return WEAVE_NO_ERROR; +template +void GenericConfigurationManagerImpl::_UseManufacturerCredentialsAsOperational(bool val) +{ + SetFlag(mFlags, kFlag_UseManufacturerCredentialsAsOperational, val); } template -bool GenericConfigurationManagerImpl::_OperationalDeviceCredentialsProvisioned() +WEAVE_ERROR GenericConfigurationManagerImpl::GenerateOperationalDeviceId(void) { - return ::nl::GetFlag(mFlags, kFlag_OperationalDeviceCredentialsProvisioned); + WEAVE_ERROR err; + uint64_t deviceId; + + // Generate random device Id. + err = GenerateWeaveNodeId(deviceId); + SuccessOrExit(err); + + // Store generated device Id. + err = StoreDeviceId(deviceId); + SuccessOrExit(err); + +exit: + return err; } template -bool GenericConfigurationManagerImpl::UseManufacturerCredentialsAsOperational() +WEAVE_ERROR GenericConfigurationManagerImpl::GenerateOperationalDevicePrivateKey(EncodedECPublicKey& pubKey) { - return ::nl::GetFlag(mFlags, kFlag_UseManufacturerCredentialsAsOperational); + enum + { + kWeaveDevicePrivateKeyBufSize = 128, // Size of buffer needed to hold Weave device private key. + }; + + WEAVE_ERROR err; + uint8_t weavePrivKey[kWeaveDevicePrivateKeyBufSize]; + uint32_t weavePrivKeyLen; + uint8_t privKeyBuf[EncodedECPrivateKey::kMaxValueLength]; + EncodedECPrivateKey privKey; + + privKey.PrivKey = privKeyBuf; + privKey.PrivKeyLen = sizeof(privKeyBuf); + + // Generate random EC private/public key pair. + err = GenerateECDHKey(Profiles::Security::WeaveCurveIdToOID(WEAVE_CONFIG_OPERATIONAL_DEVICE_CERT_CURVE_ID), pubKey, privKey); + SuccessOrExit(err); + + // Encode Weave device EC private/public key pair into EllipticCurvePrivateKey TLV structure. + err = EncodeWeaveECPrivateKey(WEAVE_CONFIG_OPERATIONAL_DEVICE_CERT_CURVE_ID, &pubKey, privKey, + weavePrivKey, sizeof(weavePrivKey), weavePrivKeyLen); + SuccessOrExit(err); + + // Store generated operational device private key. + err = StoreDevicePrivateKey(weavePrivKey, weavePrivKeyLen); + SuccessOrExit(err); + +exit: + Crypto::ClearSecretData(weavePrivKey, sizeof(weavePrivKey)); + Crypto::ClearSecretData(privKeyBuf, sizeof(privKeyBuf)); + + return err; } template -void GenericConfigurationManagerImpl::_UseManufacturerCredentialsAsOperational(bool val) +WEAVE_ERROR GenericConfigurationManagerImpl::GenerateOperationalDeviceECDSASignature(const uint8_t *hash, uint8_t hashLen, EncodedECDSASignature& ecdsaSig) { - SetFlag(mFlags, kFlag_UseManufacturerCredentialsAsOperational, val); + WEAVE_ERROR err; + uint8_t * weavePrivKey = NULL; + size_t weavePrivKeyLen; + uint32_t weaveCurveId; + EncodedECPublicKey pubKey; + EncodedECPrivateKey privKey; + + // Determine the length of the private key. + err = ConfigurationMgr().GetDevicePrivateKey((uint8_t *)NULL, 0, weavePrivKeyLen); + SuccessOrExit(err); + + // Fail if no private key has been configured. + VerifyOrExit(weavePrivKeyLen != 0, err = WEAVE_ERROR_KEY_NOT_FOUND); + + // Create a temporary buffer to hold the private key. + weavePrivKey = (uint8_t *)Platform::Security::MemoryAlloc(weavePrivKeyLen); + VerifyOrExit(weavePrivKey != NULL, err = WEAVE_ERROR_NO_MEMORY); + + // Read the private key. + err = ConfigurationMgr().GetDevicePrivateKey(weavePrivKey, weavePrivKeyLen, weavePrivKeyLen); + SuccessOrExit(err); + + // Decode operational device private/public keys from private key TLV structure. + err = Profiles::Security::DecodeWeaveECPrivateKey(weavePrivKey, weavePrivKeyLen, weaveCurveId, pubKey, privKey); + SuccessOrExit(err); + + // Generate operational device signature. + err = nl::Weave::Crypto::GenerateECDSASignature(Profiles::Security::WeaveCurveIdToOID(weaveCurveId), + hash, hashLen, privKey, ecdsaSig); + SuccessOrExit(err); + +exit: + if (weavePrivKey != NULL) + { + Crypto::ClearSecretData(weavePrivKey, weavePrivKeyLen); + Platform::Security::MemoryFree(weavePrivKey); + } + return err; +} + +template +WEAVE_ERROR GenericConfigurationManagerImpl::GenerateOperationalDeviceCertificate(EncodedECPublicKey& pubKey) +{ + enum + { + kWeaveDeviceCertBufSize = 300, // Size of buffer needed to hold Weave device certificate. + }; + + WEAVE_ERROR err; + uint64_t deviceId; + uint8_t cert[kWeaveDeviceCertBufSize]; + uint16_t certLen; + + // Get operational device Id. + err = Impl()->_GetDeviceId(deviceId); + SuccessOrExit(err); + + // Generate self-signed operational device certificate. + err = Profiles::Security::GenerateOperationalDeviceCert(deviceId, pubKey, + cert, sizeof(cert), certLen, + Impl()->GenerateOperationalDeviceECDSASignature); + SuccessOrExit(err); + + // Store generated operational device certificate. + err = Impl()->StoreDeviceCertificate(cert, certLen); + SuccessOrExit(err); + +exit: + return err; +} + +template +WEAVE_ERROR GenericConfigurationManagerImpl::GenerateOperationalDeviceCertificateAndPrivateKey(void) +{ + WEAVE_ERROR err; + uint8_t pubKeyBuf[EncodedECPublicKey::kMaxValueLength]; + EncodedECPublicKey pubKey; + + // Clear intermediate CA certificate. + err = Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts); + SuccessOrExit(err); + + pubKey.ECPoint = pubKeyBuf; + pubKey.ECPointLen = sizeof(pubKeyBuf); + + // Generate and store operational device private key and return public key. + err = Impl()->GenerateOperationalDevicePrivateKey(pubKey); + SuccessOrExit(err); + + // Generate and store operational device certificate. + err = Impl()->GenerateOperationalDeviceCertificate(pubKey); + SuccessOrExit(err); + +exit: + if (err != WEAVE_NO_ERROR) + { + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert); + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey); + } + return err; +} + +template +WEAVE_ERROR GenericConfigurationManagerImpl::_GenerateOperationalDeviceCredentials(void) +{ + WEAVE_ERROR err; + + // Generate and store operational device Id. + err = GenerateOperationalDeviceId(); + SuccessOrExit(err); + + // Generate and store operational device certificate and private key. + err = GenerateOperationalDeviceCertificateAndPrivateKey(); + SuccessOrExit(err); + +exit: + if (err != WEAVE_NO_ERROR) + { + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceId); + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert); + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDevicePrivateKey); + } + return err; +} + +template +WEAVE_ERROR GenericConfigurationManagerImpl::_StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, + const uint8_t * icaCerts, size_t icaCertsLen) +{ + WEAVE_ERROR err; + + // Store operational device certificate. + err = StoreDeviceCertificate(cert, certLen); + SuccessOrExit(err); + + if (icaCerts != NULL && icaCertsLen > 0) + { + // Store operational device intermediate CA certificates. + err = StoreDeviceIntermediateCACerts(icaCerts, icaCertsLen); + SuccessOrExit(err); + } + else + { + // Clear operational device intermediate CA certificates. + err = Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts); + SuccessOrExit(err); + } + +exit: + if (err != WEAVE_NO_ERROR) + { + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceCert); + Impl()->ClearConfigValue(ImplClass::kConfigKey_OperationalDeviceICACerts); + } + return err; } #endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING @@ -662,6 +866,8 @@ exit: template WEAVE_ERROR GenericConfigurationManagerImpl::_ClearServiceProvisioningData() { + WEAVE_ERROR err = WEAVE_NO_ERROR; + Impl()->ClearConfigValue(ImplClass::kConfigKey_ServiceId); Impl()->ClearConfigValue(ImplClass::kConfigKey_ServiceConfig); Impl()->ClearConfigValue(ImplClass::kConfigKey_PairedAccountId); @@ -692,7 +898,12 @@ WEAVE_ERROR GenericConfigurationManagerImpl::_ClearServiceProvisionin ClearFlag(mFlags, kFlag_IsServiceProvisioned); ClearFlag(mFlags, kFlag_IsPairedToAccount); - return WEAVE_NO_ERROR; +#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING + // Generate new operational device certificate and private key. + err = GenerateOperationalDeviceCertificateAndPrivateKey(); +#endif + + return err; } template @@ -899,7 +1110,7 @@ bool GenericConfigurationManagerImpl::_IsFullyProvisioned() Impl()->IsPairedToAccount() && #endif #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING - (!UseManufacturerCredentialsAsOperational() && _OperationalDeviceCredentialsProvisioned()) && + (!UseManufacturerCredentialsAsOperational() && _AreOperationalDeviceCredentialsProvisioned()) && #endif Impl()->IsMemberOfFabric(); } diff --git a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericPlatformManagerImpl.ipp b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericPlatformManagerImpl.ipp old mode 100644 new mode 100755 index 4ae1a50775..b47ba66412 --- a/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericPlatformManagerImpl.ipp +++ b/src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericPlatformManagerImpl.ipp @@ -1,5 +1,6 @@ /* * + * Copyright (c) 2020 Google LLC. * Copyright (c) 2018 Nest Labs, Inc. * All rights reserved. * @@ -83,6 +84,31 @@ WEAVE_ERROR GenericPlatformManagerImpl::_InitWeaveStack(void) } SuccessOrExit(err); +#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING + if (!ConfigurationMgr().AreOperationalDeviceCredentialsProvisioned()) + { + // If already provisioned keep using manufacturer device credentials as operational. + if (ConfigurationMgr().IsFullyProvisioned()) + { + ConfigurationMgr().UseManufacturerCredentialsAsOperational(true); + } + // Otherwise, generate and store operational device credentials. + else + { + err = ConfigurationMgr().GenerateOperationalDeviceCredentials(); + if (err != WEAVE_NO_ERROR) + { + WeaveLogError(DeviceLayer, "GenerateOperationalDeviceCredentials() failed: %s", ErrorStr(err)); + ExitNow(); + } + else + { + WeaveLogProgress(DeviceLayer, "Device operational credentials generated"); + } + } + } +#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING + // Initialize the Weave Inet layer. new (&InetLayer) Inet::InetLayer(); err = InetLayer.Init(SystemLayer, NULL);