Support different levels of device attestation

SmartHomeOS · Jan 2, 2025 · 06bca1d · 06bca1d
1 parent 473f3ea
commit 06bca1d
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 3 deletions.
diff --git a/MatterDotNet/MatterDotNet.csproj b/MatterDotNet/MatterDotNet.csproj
@@ -39,4 +39,8 @@
     <IsAotCompatible>True</IsAotCompatible>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="TinyDNS" Version="0.9.0" />
+  </ItemGroup>
+
 </Project>
diff --git a/MatterDotNet/PKI/Fabric.cs b/MatterDotNet/PKI/Fabric.cs
@@ -85,6 +85,12 @@ public OperationalCertificate Sign(CertificateRequest nocsr)
             return ret;
         }
 
+        public OperationalCertificate CreateCommissioner()
+        {
+            var keyPair = Crypto.GenerateKeypair();
+            return CreateCommissioner(keyPair.Public, keyPair.Private);
+        }
+
         public OperationalCertificate CreateCommissioner(byte[] publicKey, byte[] privateKey)
         {
             ulong nodeId = (ulong)(0xbaddeed2 + nodes.Count);

diff --git a/MatterDotNet/PKI/OperationalCertificate.cs b/MatterDotNet/PKI/OperationalCertificate.cs
@@ -10,6 +10,7 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+using MatterDotNet.DCL;
 using MatterDotNet.Messages.Certificates;
 using MatterDotNet.Protocol.Payloads;
 using MatterDotNet.Util;
@@ -110,18 +111,24 @@ protected void ParseCert()
             }
         }
 
-        public bool VerifyChain(byte[] intermediateCert, OperationalCertificate rootCert)
+        public bool VerifyChain(byte[] intermediateCert, DCLClient dcl, VerificationLevel level)
         {
+            if (level == VerificationLevel.AnyDevice)
+                return true;
             X509Chain chain = new X509Chain();
             #if NET9_0_OR_GREATER
                 chain.ChainPolicy.ExtraStore.Add(X509CertificateLoader.LoadCertificate(intermediateCert));
             #else
                 chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(intermediateCert));
             #endif
-            chain.ChainPolicy.CustomTrustStore.Add(rootCert.cert);
+            chain.ChainPolicy.CustomTrustStore.AddRange(dcl.TrustStore);
+            if (level == VerificationLevel.CertifiedDevicesOrCHIPTest)
+                chain.ChainPolicy.CustomTrustStore.Add(dcl.CHIPTestPAA);
             chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
             chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
-            return chain.Build(cert);
+            bool valid = chain.Build(cert);
+
+            return valid;
         }
 
         public bool VerifyChain(OperationalCertificate rootCert)

diff --git a/MatterDotNet/PKI/VerificationLevel.cs b/MatterDotNet/PKI/VerificationLevel.cs
@@ -0,0 +1,23 @@
+// MatterDotNet Copyright (C) 2025 
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY, without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+// See the GNU Affero General Public License for more details.
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+// WARNING: This file was auto-generated. Do not edit.
+
+namespace MatterDotNet.PKI
+{
+    public enum VerificationLevel
+    {
+        CertifiedDevicesOnly = 0x0,
+        CertifiedDevicesOrCHIPTest = 0x1,
+        AnyDevice = 0x2
+    }
+}