Device Layer: Generate Operational Device Credentials

src/adaptations/device-layer/DeviceControlServer.cpp

@@ -74,9 +74,11 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags)
         // service provisioning data, if present.
         if (((resetFlags & kResetConfigFlag_ServiceConfig) != 0)
 #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-          // Always reset service provisioning data, when requested to reset operational
-          // device credentials.
-          || ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0)
+            // Service config and operational credentials are closely corelated:
+            // 1. Reset service config when requested to clear operational credentials.
+            // 2. Clear and generate new operational credentials when requested to reset
+            //    service config.
+            || ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0)
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
         )
         {
@@ -116,21 +118,6 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags)
             ThreadStackMgr().ClearThreadProvision();
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_THREAD
         }
-
-#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-        // If the device operational credentials reset has been requested, clear
-        // the device operational credentials, if present.
-        if ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0)
-        {
-            WeaveLogProgress(DeviceLayer, "Reset operational credentials");
-            tmpErr = ConfigurationMgr().ClearOperationalDeviceCredentials();
-            if (tmpErr != WEAVE_NO_ERROR)
-            {
-                WeaveLogProgress(DeviceLayer, "ConfigurationMgr().ClearOperationalDeviceCredentials() failed: %s", ErrorStr(tmpErr));
-                err = (err == WEAVE_NO_ERROR) ? tmpErr : err;
-            }
-        }
-#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
     }
 
     return err;

src/adaptations/device-layer/include/Weave/DeviceLayer/ConfigurationManager.h

@@ -96,12 +96,6 @@ class ConfigurationManager
     WEAVE_ERROR StoreManufacturingDate(const char * mfgDate, size_t mfgDateLen);
     WEAVE_ERROR StoreProductRevision(uint16_t productRev);
     WEAVE_ERROR StoreFabricId(uint64_t fabricId);
-#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-    WEAVE_ERROR StoreDeviceId(uint64_t deviceId);
-    WEAVE_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
-    WEAVE_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
-    WEAVE_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
-#endif
     WEAVE_ERROR StoreManufacturerDeviceId(uint64_t deviceId);
     WEAVE_ERROR StoreManufacturerDeviceCertificate(const uint8_t * cert, size_t certLen);
     WEAVE_ERROR StoreManufacturerDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
@@ -124,9 +118,6 @@ class ConfigurationManager
     bool IsPairedToAccount();
     bool IsMemberOfFabric();
     bool IsFullyProvisioned();
-#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-    bool OperationalDeviceCredentialsProvisioned();
-#endif
 
     void InitiateFactoryReset();
 
@@ -155,7 +146,9 @@ class ConfigurationManager
     WEAVE_ERROR ReadPersistedStorageValue(::nl::Weave::Platform::PersistedStorage::Key key, uint32_t & value);
     WEAVE_ERROR WritePersistedStorageValue(::nl::Weave::Platform::PersistedStorage::Key key, uint32_t value);
 #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-    WEAVE_ERROR ClearOperationalDeviceCredentials(void);
+    WEAVE_ERROR GenerateOperationalDeviceCredentials(void);
+    WEAVE_ERROR StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen);
+    bool AreOperationalDeviceCredentialsProvisioned(void);
     void UseManufacturerCredentialsAsOperational(bool val);
 #endif
 
@@ -355,30 +348,6 @@ inline WEAVE_ERROR ConfigurationManager::StoreFabricId(uint64_t fabricId)
     return static_cast<ImplClass*>(this)->_StoreFabricId(fabricId);
 }
 
-#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-
-inline WEAVE_ERROR ConfigurationManager::StoreDeviceId(uint64_t deviceId)
-{
-    return static_cast<ImplClass*>(this)->_StoreDeviceId(deviceId);
-}
-
-inline WEAVE_ERROR ConfigurationManager::StoreDeviceCertificate(const uint8_t * cert, size_t certLen)
-{
-    return static_cast<ImplClass*>(this)->_StoreDeviceCertificate(cert, certLen);
-}
-
-inline WEAVE_ERROR ConfigurationManager::StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen)
-{
-    return static_cast<ImplClass*>(this)->_StoreDeviceIntermediateCACerts(certs, certsLen);
-}
-
-inline WEAVE_ERROR ConfigurationManager::StoreDevicePrivateKey(const uint8_t * key, size_t keyLen)
-{
-    return static_cast<ImplClass*>(this)->_StoreDevicePrivateKey(key, keyLen);
-}
-
-#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-
 inline WEAVE_ERROR ConfigurationManager::StoreManufacturerDeviceId(uint64_t deviceId)
 {
     return static_cast<ImplClass*>(this)->_StoreManufacturerDeviceId(deviceId);
@@ -521,14 +490,19 @@ inline WEAVE_ERROR ConfigurationManager::SetFailSafeArmed(bool val)
 
 #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
 
-inline bool ConfigurationManager::OperationalDeviceCredentialsProvisioned()
+inline WEAVE_ERROR ConfigurationManager::GenerateOperationalDeviceCredentials(void)
+{
+    return static_cast<ImplClass*>(this)->_GenerateOperationalDeviceCredentials();
+}
+
+inline WEAVE_ERROR ConfigurationManager::StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen)
 {
-    return static_cast<ImplClass*>(this)->_OperationalDeviceCredentialsProvisioned();
+    return static_cast<ImplClass*>(this)->_StoreOperationalDeviceCertificates(cert, certLen, icaCerts, icaCertsLen);
 }
 
-inline WEAVE_ERROR ConfigurationManager::ClearOperationalDeviceCredentials(void)
+inline bool ConfigurationManager::AreOperationalDeviceCredentialsProvisioned()
 {
-    return static_cast<ImplClass*>(this)->_ClearOperationalDeviceCredentials();
+    return static_cast<ImplClass*>(this)->_AreOperationalDeviceCredentialsProvisioned();
 }
 
 inline void ConfigurationManager::UseManufacturerCredentialsAsOperational(bool val)

src/adaptations/device-layer/include/Weave/DeviceLayer/internal/GenericConfigurationManagerImpl.h

@@ -70,13 +70,6 @@ class GenericConfigurationManagerImpl
     WEAVE_ERROR _GetDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
     WEAVE_ERROR _GetDeviceIntermediateCACerts(uint8_t * buf, size_t bufSize, size_t & certsLen);
     WEAVE_ERROR _GetDevicePrivateKey(uint8_t * buf, size_t bufSize, size_t & keyLen);
-#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-    WEAVE_ERROR _StoreDeviceId(uint64_t deviceId);
-    WEAVE_ERROR _StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
-    WEAVE_ERROR _StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
-    WEAVE_ERROR _StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
-    WEAVE_ERROR _ClearOperationalDeviceCredentials(void);
-#endif
     WEAVE_ERROR _GetManufacturerDeviceId(uint64_t & deviceId);
     WEAVE_ERROR _StoreManufacturerDeviceId(uint64_t deviceId);
     WEAVE_ERROR _GetManufacturerDeviceCertificate(uint8_t * buf, size_t bufSize, size_t & certLen);
@@ -110,7 +103,9 @@ class GenericConfigurationManagerImpl
     bool _IsFullyProvisioned();
     WEAVE_ERROR _ComputeProvisioningHash(uint8_t * hashBuf, size_t hashBufSize);
 #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
-    bool _OperationalDeviceCredentialsProvisioned();
+    WEAVE_ERROR _GenerateOperationalDeviceCredentials(void);
+    WEAVE_ERROR _StoreOperationalDeviceCertificates(const uint8_t * cert, size_t certLen, const uint8_t * icaCerts, size_t icaCertsLen);
+    bool _AreOperationalDeviceCredentialsProvisioned(void);
     void _UseManufacturerCredentialsAsOperational(bool val);
 #endif
 
@@ -121,22 +116,37 @@ class GenericConfigurationManagerImpl
         kFlag_IsServiceProvisioned                    = 0x01,
         kFlag_IsMemberOfFabric                        = 0x02,
         kFlag_IsPairedToAccount                       = 0x04,
-        kFlag_OperationalDeviceCredentialsProvisioned = 0x08,
-        kFlag_UseManufacturerCredentialsAsOperational = 0x10,
+        kFlag_UseManufacturerCredentialsAsOperational = 0x08,
     };
 
     uint8_t mFlags;
 
     void LogDeviceConfig();
     WEAVE_ERROR PersistProvisioningData(ProvisioningDataSet & provData);
 
+#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
+    WEAVE_ERROR StoreDeviceCertificate(const uint8_t * cert, size_t certLen);
+    WEAVE_ERROR StoreDevicePrivateKey(const uint8_t * key, size_t keyLen);
+
+    // These methods can be overridden by the platform/product specific implementations
+    // that support secure environment or secure element for secure processing, handling,
+    // and potentially secure storage of a device private key.
+    WEAVE_ERROR GenerateOperationalDevicePrivateKey(EncodedECPublicKey& pubKey);
+    static WEAVE_ERROR GenerateOperationalDeviceECDSASignature(const uint8_t *hash, uint8_t hashLen, EncodedECDSASignature& ecdsaSig);
+#endif
+
 private:
 
     ImplClass * Impl() { return static_cast<ImplClass *>(this); }
 
     static void HashLengthAndBase64Value(Platform::Security::SHA256 & hash, const uint8_t * val, uint16_t valLen);
 
 #if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
+    WEAVE_ERROR StoreDeviceId(uint64_t deviceId);
+    WEAVE_ERROR StoreDeviceIntermediateCACerts(const uint8_t * certs, size_t certsLen);
+    WEAVE_ERROR GenerateOperationalDeviceId(void);
+    WEAVE_ERROR GenerateOperationalDeviceCertificate(EncodedECPublicKey& pubKey);
+    WEAVE_ERROR GenerateOperationalDeviceCertificateAndPrivateKey(void);
     bool UseManufacturerCredentialsAsOperational();
 #endif
 };