Fix the way of providing data to generate factory data

Update the generation of factory data for nrfconnect platform. No more possible to provide spake2 verifier, always generated by provided passcode. Signed-off-by: Michał Szablowski <[email protected]>
nrfconnect · Jan 11, 2024 · 56d5a9c · 56d5a9c
1 parent 1a15f4c
commit 56d5a9c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 48 deletions.
diff --git a/config/nrfconnect/chip-module/generate_factory_data.cmake b/config/nrfconnect/chip-module/generate_factory_data.cmake
@@ -77,18 +77,13 @@ elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER)
     string(APPEND script_args "--dac_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT}\"\n")
     string(APPEND script_args "--dac_key \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY}\"\n")
     string(APPEND script_args "--pai_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT}\"\n")
-else()
-    find_program(chip_cert_exe NAMES chip-cert REQUIRED)
-    string(APPEND script_args "--gen_cd\n")
-    string(APPEND script_args "--chip_cert_path ${chip_cert_exe}\n")
 endif()
 
 # add Password-Authenticated Key Exchange parameters
 string(APPEND script_args "--spake2_it \"${CONFIG_CHIP_DEVICE_SPAKE2_IT}\"\n")
 string(APPEND script_args "--spake2_salt \"${CONFIG_CHIP_DEVICE_SPAKE2_SALT}\"\n")
 string(APPEND script_args "--discriminator ${CONFIG_CHIP_DEVICE_DISCRIMINATOR}\n")
 string(APPEND script_args "--passcode ${CONFIG_CHIP_DEVICE_SPAKE2_PASSCODE}\n")
-string(APPEND script_args "--include_passcode\n")
 string(APPEND script_args "--overwrite\n")
 string(APPEND script_args "--product_finish ${CONFIG_CHIP_DEVICE_PRODUCT_FINISH}\n")
 
@@ -100,11 +95,6 @@ if(CONFIG_CHIP_FACTORY_DATA_GENERATE_ONBOARDING_CODES)
     string(APPEND script_args "--generate_onboarding\n")
 endif()
 
-# check if spake2 verifier should be generated using script
-if(NOT CONFIG_CHIP_FACTORY_DATA_GENERATE_SPAKE2_VERIFIER)
-    # Spake2 verifier should be provided using kConfig
-    string(APPEND script_args "--spake2_verifier \"${CONFIG_CHIP_DEVICE_SPAKE2_TEST_VERIFIER}\"\n")
-endif()
 
 if(CONFIG_CHIP_DEVICE_ENABLE_KEY)
 # Add optional EnableKey that triggers user-specific action.

diff --git a/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py b/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py
@@ -99,8 +99,6 @@ def gen_test_certs(chip_cert_exe: str,
                    vendor_id: int,
                    product_id: int,
                    device_name: str,
-                   generate_cd: bool = False,
-                   cd_type: int = 1,
                    paa_cert_path: str = None,
                    paa_key_path: str = None):
     """
@@ -115,7 +113,6 @@ def gen_test_certs(chip_cert_exe: str,
         vendor_id (int): an identification number specific to Vendor
         product_id (int): an identification number specific to Product
         device_name (str): human-readable device name
-        generate_cd (bool, optional): Generate Certificate Declaration and store it in thee output directory. Defaults to False.
         paa_cert_path (str, optional): provide PAA certification path. Defaults to None - a path will be set to
         /credentials/test/attestation directory.
         paa_key_path (str, optional): provide PAA key path. Defaults to None - a path will be set to
@@ -127,8 +124,6 @@ def gen_test_certs(chip_cert_exe: str,
                      "DAC_KEY": (str)<path to DAC key .der file>]
     """
 
-    CD_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem"
-    CD_KEY_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem"
     PAA_PATH = paa_cert_path if paa_cert_path is not None else (MATTER_ROOT +
                                                                 "/credentials/test/attestation/Chip-Test-PAA-NoVID-Cert.pem")
     PAA_KEY_PATH = paa_key_path if paa_key_path is not None else (MATTER_ROOT +
@@ -138,23 +133,6 @@ def gen_test_certs(chip_cert_exe: str,
 
     log.info("Generating new certificates using chip-cert...")
 
-    if generate_cd:
-        # generate Certification Declaration
-        cmd = [chip_cert_exe, "gen-cd",
-               "--key", CD_KEY_PATH,
-               "--cert", CD_PATH,
-               "--out", output + "/CD.der",
-               "--format-version",  "1",
-               "--vendor-id",  hex(vendor_id),
-               "--product-id",  hex(product_id),
-               "--device-type-id", "0",
-               "--certificate-id", "FFFFFFFFFFFFFFFFFFF",
-               "--security-level",  "0",
-               "--security-info",  "0",
-               "--certification-type",  str(cd_type),
-               "--version-number", "0xFFFF",
-               ]
-        subprocess.run(cmd)
 
     new_certificates = {"PAI_CERT": output + "/PAI_cert",
                         "PAI_KEY": output + "/PAI_key",
@@ -232,8 +210,8 @@ def _validate_args(self):
                 self._user_data = json.loads(self._args.user)
             except json.decoder.JSONDecodeError as e:
                 raise AssertionError("Provided wrong user data, this is not a JSON format! {}".format(e))
-        assert self._args.spake2_verifier or self._args.passcode, \
-            "Cannot find Spake2+ verifier, to generate a new one please provide passcode (--passcode)"
+        assert self._args.passcode, \
+            "Cannot find passcode, to generate spake2 verifier. Please provide passcode (--passcode)"
         assert (self._args.chip_cert_path or (self._args.dac_cert and self._args.pai_cert and self._args.dac_key)), \
             "Cannot find paths to DAC or PAI certificates .der files. To generate a new ones please provide a path to chip-cert executable (--chip_cert_path)"
         assert self._args.output.endswith(".json"), \
@@ -247,11 +225,10 @@ def generate_json(self):
 
         To validate generated JSON data a scheme must be provided within script's arguments.
 
-        - In the first part, if the rotating device id unique id has been not provided
-          as an argument, it will be created.
-        - If user-provided passcode and Spake2+ verifier have been not provided
-          as an argument, it will be created using an external script
-        - Passcode is not stored in JSON by default. To store it for debugging purposes, add --include_passcode argument.
+        - if the rotating device id unique id has been not provided and the generate boolean 
+          has been set then rotating device id will be generated.
+        - based on provided passcode, the spake2 verifier will be generated
+        - Passcode is not stored in JSON.
         - Validating output JSON is not mandatory, but highly recommended.
 
         """
@@ -265,10 +242,10 @@ def generate_json(self):
         else:
             rd_uid = HEX_PREFIX + self._args.rd_uid
 
-        if not self._args.spake2_verifier:
+        if self._args.passcode:
             spake_2_verifier = self._generate_spake2_verifier()
         else:
-            spake_2_verifier = self._args.spake2_verifier
+            raise RuntimeError("Provide passcode.")
 
         # convert salt to bytestring to be coherent with Spake2+ verifier type
         spake_2_salt = self._args.spake2_salt
@@ -319,8 +296,6 @@ def generate_json(self):
             self._add_entry("dac_cert", self._process_der(dac_cert))
             self._add_entry("dac_key", dac_priv_key)
             self._add_entry("pai_cert", self._process_der(pai_cert))
-            if self._args.include_passcode:
-                self._add_entry("passcode", self._args.passcode)
             self._add_entry("spake2_it", self._args.spake2_it)
             self._add_entry("spake2_salt", spake_2_salt)
             self._add_entry("spake2_verifier", spake_2_verifier)
@@ -431,8 +406,6 @@ def base64_str(s): return base64.b64decode(s)
                         help="Output path to store .json file, e.g. my_dir/output.json")
     parser.add_argument("-v", "--verbose", action="store_true",
                         help="Run this script with DEBUG logging level")
-    parser.add_argument("--include_passcode", action="store_true",
-                        help="Include passcode in factory data. By default, it is used only for generating Spake2+ verifier.")
     parser.add_argument("--overwrite", action="store_true",
                         help="If output JSON file exist this argument allows to generate new factory data and overwrite it.")
     # Json known-keys values
@@ -497,8 +470,6 @@ def base64_str(s): return base64.b64decode(s)
     optional_arguments.add_argument("--passcode", type=allow_any_int,
                                     help=("[int | hex] Default PASE session passcode. "
                                           "(This is mandatory to generate Spake2+ verifier)."))
-    optional_arguments.add_argument("--spake2_verifier", type=base64_str,
-                                    help="[base64 string] Provide Spake2+ verifier without generating it.")
     optional_arguments.add_argument("--enable_key", type=str,
                                     help=("[hex string] [128-bit hex-encoded] The Enable Key is a 128-bit value that "
                                           "triggers manufacturer-specific action while invoking the TestEventTrigger Command."

diff --git a/scripts/tools/spake2p/spake2p.py b/scripts/tools/spake2p/spake2p.py
@@ -47,7 +47,6 @@ def generate_verifier(passcode: int, salt: bytes, iterations: int) -> bytes:
     w0 = int.from_bytes(ws[:WS_LENGTH], byteorder='big') % NIST256p.order
     w1 = int.from_bytes(ws[WS_LENGTH:], byteorder='big') % NIST256p.order
     L = NIST256p.generator * w1
-
     return w0.to_bytes(NIST256p.baselen, byteorder='big') + L.to_bytes('uncompressed')