From 56d5a9cd3587beca0a77c12d96c58f3a438aea37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Szablowski?= Date: Thu, 11 Jan 2024 09:05:29 +0100 Subject: [PATCH] Fix the way of providing data to generate factory data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the generation of factory data for nrfconnect platform. No more possible to provide spake2 verifier, always generated by provided passcode. Signed-off-by: MichaƂ Szablowski --- .../chip-module/generate_factory_data.cmake | 10 ----- .../generate_nrfconnect_chip_factory_data.py | 45 ++++--------------- scripts/tools/spake2p/spake2p.py | 1 - 3 files changed, 8 insertions(+), 48 deletions(-) diff --git a/config/nrfconnect/chip-module/generate_factory_data.cmake b/config/nrfconnect/chip-module/generate_factory_data.cmake index dc1794562d..2700ad89ad 100644 --- a/config/nrfconnect/chip-module/generate_factory_data.cmake +++ b/config/nrfconnect/chip-module/generate_factory_data.cmake @@ -77,10 +77,6 @@ elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER) string(APPEND script_args "--dac_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT}\"\n") string(APPEND script_args "--dac_key \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY}\"\n") string(APPEND script_args "--pai_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT}\"\n") -else() - find_program(chip_cert_exe NAMES chip-cert REQUIRED) - string(APPEND script_args "--gen_cd\n") - string(APPEND script_args "--chip_cert_path ${chip_cert_exe}\n") endif() # add Password-Authenticated Key Exchange parameters @@ -88,7 +84,6 @@ string(APPEND script_args "--spake2_it \"${CONFIG_CHIP_DEVICE_SPAKE2_IT}\"\n") string(APPEND script_args "--spake2_salt \"${CONFIG_CHIP_DEVICE_SPAKE2_SALT}\"\n") string(APPEND script_args "--discriminator ${CONFIG_CHIP_DEVICE_DISCRIMINATOR}\n") string(APPEND script_args "--passcode ${CONFIG_CHIP_DEVICE_SPAKE2_PASSCODE}\n") -string(APPEND script_args "--include_passcode\n") string(APPEND script_args "--overwrite\n") string(APPEND script_args "--product_finish ${CONFIG_CHIP_DEVICE_PRODUCT_FINISH}\n") @@ -100,11 +95,6 @@ if(CONFIG_CHIP_FACTORY_DATA_GENERATE_ONBOARDING_CODES) string(APPEND script_args "--generate_onboarding\n") endif() -# check if spake2 verifier should be generated using script -if(NOT CONFIG_CHIP_FACTORY_DATA_GENERATE_SPAKE2_VERIFIER) - # Spake2 verifier should be provided using kConfig - string(APPEND script_args "--spake2_verifier \"${CONFIG_CHIP_DEVICE_SPAKE2_TEST_VERIFIER}\"\n") -endif() if(CONFIG_CHIP_DEVICE_ENABLE_KEY) # Add optional EnableKey that triggers user-specific action. diff --git a/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py b/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py index 6c2af9dc89..f0949b330e 100644 --- a/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py +++ b/scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py @@ -99,8 +99,6 @@ def gen_test_certs(chip_cert_exe: str, vendor_id: int, product_id: int, device_name: str, - generate_cd: bool = False, - cd_type: int = 1, paa_cert_path: str = None, paa_key_path: str = None): """ @@ -115,7 +113,6 @@ def gen_test_certs(chip_cert_exe: str, vendor_id (int): an identification number specific to Vendor product_id (int): an identification number specific to Product device_name (str): human-readable device name - generate_cd (bool, optional): Generate Certificate Declaration and store it in thee output directory. Defaults to False. paa_cert_path (str, optional): provide PAA certification path. Defaults to None - a path will be set to /credentials/test/attestation directory. paa_key_path (str, optional): provide PAA key path. Defaults to None - a path will be set to @@ -127,8 +124,6 @@ def gen_test_certs(chip_cert_exe: str, "DAC_KEY": (str)] """ - CD_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem" - CD_KEY_PATH = MATTER_ROOT + "/credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem" PAA_PATH = paa_cert_path if paa_cert_path is not None else (MATTER_ROOT + "/credentials/test/attestation/Chip-Test-PAA-NoVID-Cert.pem") PAA_KEY_PATH = paa_key_path if paa_key_path is not None else (MATTER_ROOT + @@ -138,23 +133,6 @@ def gen_test_certs(chip_cert_exe: str, log.info("Generating new certificates using chip-cert...") - if generate_cd: - # generate Certification Declaration - cmd = [chip_cert_exe, "gen-cd", - "--key", CD_KEY_PATH, - "--cert", CD_PATH, - "--out", output + "/CD.der", - "--format-version", "1", - "--vendor-id", hex(vendor_id), - "--product-id", hex(product_id), - "--device-type-id", "0", - "--certificate-id", "FFFFFFFFFFFFFFFFFFF", - "--security-level", "0", - "--security-info", "0", - "--certification-type", str(cd_type), - "--version-number", "0xFFFF", - ] - subprocess.run(cmd) new_certificates = {"PAI_CERT": output + "/PAI_cert", "PAI_KEY": output + "/PAI_key", @@ -232,8 +210,8 @@ def _validate_args(self): self._user_data = json.loads(self._args.user) except json.decoder.JSONDecodeError as e: raise AssertionError("Provided wrong user data, this is not a JSON format! {}".format(e)) - assert self._args.spake2_verifier or self._args.passcode, \ - "Cannot find Spake2+ verifier, to generate a new one please provide passcode (--passcode)" + assert self._args.passcode, \ + "Cannot find passcode, to generate spake2 verifier. Please provide passcode (--passcode)" assert (self._args.chip_cert_path or (self._args.dac_cert and self._args.pai_cert and self._args.dac_key)), \ "Cannot find paths to DAC or PAI certificates .der files. To generate a new ones please provide a path to chip-cert executable (--chip_cert_path)" assert self._args.output.endswith(".json"), \ @@ -247,11 +225,10 @@ def generate_json(self): To validate generated JSON data a scheme must be provided within script's arguments. - - In the first part, if the rotating device id unique id has been not provided - as an argument, it will be created. - - If user-provided passcode and Spake2+ verifier have been not provided - as an argument, it will be created using an external script - - Passcode is not stored in JSON by default. To store it for debugging purposes, add --include_passcode argument. + - if the rotating device id unique id has been not provided and the generate boolean + has been set then rotating device id will be generated. + - based on provided passcode, the spake2 verifier will be generated + - Passcode is not stored in JSON. - Validating output JSON is not mandatory, but highly recommended. """ @@ -265,10 +242,10 @@ def generate_json(self): else: rd_uid = HEX_PREFIX + self._args.rd_uid - if not self._args.spake2_verifier: + if self._args.passcode: spake_2_verifier = self._generate_spake2_verifier() else: - spake_2_verifier = self._args.spake2_verifier + raise RuntimeError("Provide passcode.") # convert salt to bytestring to be coherent with Spake2+ verifier type spake_2_salt = self._args.spake2_salt @@ -319,8 +296,6 @@ def generate_json(self): self._add_entry("dac_cert", self._process_der(dac_cert)) self._add_entry("dac_key", dac_priv_key) self._add_entry("pai_cert", self._process_der(pai_cert)) - if self._args.include_passcode: - self._add_entry("passcode", self._args.passcode) self._add_entry("spake2_it", self._args.spake2_it) self._add_entry("spake2_salt", spake_2_salt) self._add_entry("spake2_verifier", spake_2_verifier) @@ -431,8 +406,6 @@ def base64_str(s): return base64.b64decode(s) help="Output path to store .json file, e.g. my_dir/output.json") parser.add_argument("-v", "--verbose", action="store_true", help="Run this script with DEBUG logging level") - parser.add_argument("--include_passcode", action="store_true", - help="Include passcode in factory data. By default, it is used only for generating Spake2+ verifier.") parser.add_argument("--overwrite", action="store_true", help="If output JSON file exist this argument allows to generate new factory data and overwrite it.") # Json known-keys values @@ -497,8 +470,6 @@ def base64_str(s): return base64.b64decode(s) optional_arguments.add_argument("--passcode", type=allow_any_int, help=("[int | hex] Default PASE session passcode. " "(This is mandatory to generate Spake2+ verifier).")) - optional_arguments.add_argument("--spake2_verifier", type=base64_str, - help="[base64 string] Provide Spake2+ verifier without generating it.") optional_arguments.add_argument("--enable_key", type=str, help=("[hex string] [128-bit hex-encoded] The Enable Key is a 128-bit value that " "triggers manufacturer-specific action while invoking the TestEventTrigger Command." diff --git a/scripts/tools/spake2p/spake2p.py b/scripts/tools/spake2p/spake2p.py index 5ad10dd6cd..2dc29658a4 100755 --- a/scripts/tools/spake2p/spake2p.py +++ b/scripts/tools/spake2p/spake2p.py @@ -47,7 +47,6 @@ def generate_verifier(passcode: int, salt: bytes, iterations: int) -> bytes: w0 = int.from_bytes(ws[:WS_LENGTH], byteorder='big') % NIST256p.order w1 = int.from_bytes(ws[WS_LENGTH:], byteorder='big') % NIST256p.order L = NIST256p.generator * w1 - return w0.to_bytes(NIST256p.baselen, byteorder='big') + L.to_bytes('uncompressed')