mizzet1
diff --git a/‎.github/workflows/astarte-end-to-end-test-workflow.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/astarte-end-to-end-test-workflow.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/astarte_housekeeping/lib/astarte_housekeeping/realms/queries.ex‎
Lines changed: 5 additions & 0 deletions b/‎apps/astarte_housekeeping/lib/astarte_housekeeping/realms/queries.ex‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/astarte_housekeeping/priv/migrations/realm/0010_create_device_session_table.sql‎
Lines changed: 5 additions & 0 deletions b/‎apps/astarte_housekeeping/priv/migrations/realm/0010_create_device_session_table.sql‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/astarte_pairing/config/dev.exs‎
Lines changed: 1 addition & 0 deletions b/‎apps/astarte_pairing/config/dev.exs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/astarte_pairing/config/test.exs‎
Lines changed: 1 addition & 0 deletions b/‎apps/astarte_pairing/config/test.exs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/astarte_pairing/lib/astarte_pairing/fdo/owner_onboarding.ex‎
Lines changed: 49 additions & 10 deletions b/‎apps/astarte_pairing/lib/astarte_pairing/fdo/owner_onboarding.ex‎
Lines changed: 49 additions & 10 deletions
diff --git a/‎apps/astarte_pairing/lib/astarte_pairing/fdo/owner_onboarding/session.ex‎
Lines changed: 68 additions & 3 deletions b/‎apps/astarte_pairing/lib/astarte_pairing/fdo/owner_onboarding/session.ex‎
Lines changed: 68 additions & 3 deletions
diff --git a/‎apps/astarte_pairing/lib/astarte_pairing/fdo/ownership_voucher/ownership_voucher.ex‎
Lines changed: 26 additions & 6 deletions b/‎apps/astarte_pairing/lib/astarte_pairing/fdo/ownership_voucher/ownership_voucher.ex‎
Lines changed: 26 additions & 6 deletions
@@ -174,3 +174,7 @@ jobs:
             -k compose/astarte-keys/housekeeping_private.pem
       - name: Run FDO
         run: just astarte-run
+      - name: Check Docker
+        working-directory: .tmp/repos/astarte
+        if: ${{ failure() }}
+        run: docker compose logs astarte-pairing
@@ -569,6 +569,7 @@ defmodule Astarte.Housekeeping.Realms.Queries do
     CREATE TABLE #{keyspace_name}.to2_sessions (
       guid blob,
       device_id uuid,
+      hmac blob,
       nonce blob,
       sig_type int,
       epid_group blob,
@@ -586,6 +587,10 @@ defmodule Astarte.Housekeeping.Realms.Queries do
       device_service_info map<tuple<text, text>, blob>,
       owner_service_info list<blob>,
       last_chunk_sent int,
+      replacement_guid blob,
+      replacement_rv_info blob,
+      replacement_pub_key blob,
+      replacement_hmac blob,
       PRIMARY KEY (guid)
     )
     WITH default_time_to_live = 7200;
 
@@ -1,6 +1,7 @@
 CREATE TABLE :keyspace.to2_sessions (
   guid blob,
   device_id uuid,
+  hmac blob,
   nonce blob,
   sig_type int,
   epid_group blob,
@@ -18,6 +19,10 @@ CREATE TABLE :keyspace.to2_sessions (
   device_service_info map<tuple<text, text>, blob>,
   owner_service_info list<blob>,
   last_chunk_sent int,
+  replacement_guid blob,
+  replacement_rv_info blob,
+  replacement_pub_key blob,
+  replacement_hmac blob,
   PRIMARY KEY (guid)
 )
 WITH default_time_to_live = 7200;
@@ -74,3 +74,4 @@ config :astarte_pairing, :cfssl_url, "http://localhost:8888"
 config :astarte_pairing, :base_url_domain, "api.astarte.localhost"
 config :astarte_pairing, :base_url_port, 4003
 config :astarte_pairing, :base_url_protocol, :http
+config :astarte_pairing, :enable_credential_reuse, true
@@ -101,6 +101,7 @@ config :astarte_pairing, :enable_fdo, true
 config :astarte_pairing, :base_url_domain, "api.astarte.localhost"
 config :astarte_pairing, :base_url_port, 4003
 config :astarte_pairing, :base_url_protocol, :http
+config :astarte_pairing, :enable_credential_reuse, true
 
 config :bcrypt_elixir,
   log_rounds: 4
@@ -49,6 +49,7 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
 
   @max_owner_message_size 65_535
   @rsa_public_exponent 65_537
+  @one_week 604_800
 
   def hello_device(realm_name, cbor_hello_device) do
     with {:ok, hello_device} <- HelloDevice.decode(cbor_hello_device),
@@ -62,7 +63,8 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
              realm_name,
              hello_device,
              ownership_voucher,
-             owner_private_key
+             owner_private_key,
+             ownership_voucher.hmac
            ) do
       encoded_pub_key = PublicKey.encode(pub_key)
       num_ov_entries = Enum.count(ownership_voucher.entries)
@@ -136,6 +138,9 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
   def prove_device(realm_name, body, session) do
     guid = session.guid
 
+    # TODO credential reuse requires also Owner2Key and/or rv info to be changed for credential reuse
+    # so far, there is no API to do so, so it-s limited to the guid
+
     with {:ok, ownership_voucher} <- OwnershipVoucher.fetch(realm_name, guid),
          {:ok, private_key} <- Queries.get_owner_private_key(realm_name, guid),
          {:ok, owner_public_key} <- OwnershipVoucher.owner_public_key(ownership_voucher) do
@@ -157,6 +162,15 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
                session,
                body,
                connection_credentials
+             ),
+           {:ok, session} <-
+             Session.add_replacement_info(
+               session,
+               realm_name,
+               guid,
+               rendezvous_info,
+               owner_public_key,
+               nil
              ) do
         {:ok, session, resp_msg}
       end
@@ -244,19 +258,23 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
           max_owner_service_info_sz: max_owner_service_info_sz
         }
       ) do
-    with {:ok, old_voucher} <-
-           OwnershipVoucher.fetch(realm_name, session.guid),
-         {:ok, _new_voucher} <-
-           OwnershipVoucher.generate_replacement_voucher(old_voucher, replacement_hmac),
-         {:ok, _session} <-
-           Session.add_max_owner_service_info_size(session, realm_name, max_owner_service_info_sz) do
-      # TODO: Store `new_voucher` into DB.
-
+    with {:ok, _} <- Queries.fetch_session(realm_name, session.guid),
+         {:ok, session} <-
+           Session.add_max_owner_service_info_size(session, realm_name, max_owner_service_info_sz),
+         {:ok, session} <-
+           Session.add_replacement_info(
+             session,
+             realm_name,
+             session.replacement_guid,
+             session.replacement_rv_info,
+             session.replacement_pub_key,
+             replacement_hmac || session.hmac
+           ) do
       response =
         OwnerServiceInfoReady.new()
         |> OwnerServiceInfoReady.to_cbor_list()
 
-      {:ok, response}
+      {:ok, session, response}
     else
       _ ->
         {:error, :failed_66}
@@ -272,6 +290,27 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding do
            check_prove_dv_nonces_equality(prove_dv_nonce_challenge, to2_session.prove_dv_nonce),
          {:ok, _device} <- Queries.remove_device_ttl(realm_name, to2_session.device_id) do
       done2_message = build_done2_message(to2_session.setup_dv_nonce)
+
+      if not OwnershipVoucher.credential_reuse?(to2_session) do
+        with {:ok, old_voucher} <-
+               OwnershipVoucher.fetch(realm_name, to2_session.guid),
+             {:ok, new_voucher} <-
+               OwnershipVoucher.generate_replacement_voucher(old_voucher, to2_session),
+             #  TODO change this line to ensure the retrival of latest private key after exposing an API to do so
+             {:ok, private_key} <-
+               Queries.get_owner_private_key(realm_name, to2_session.guid) do
+          cbor_voucher = OwnershipVoucher.cbor_encode(new_voucher)
+
+          Queries.replace_ownership_voucher(
+            realm_name,
+            to2_session.guid,
+            cbor_voucher,
+            private_key,
+            @one_week
+          )
+        end
+      end
+
       {:ok, done2_message}
     end
   end
 
@@ -26,11 +26,14 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
   alias Astarte.Pairing.FDO.OwnerOnboarding.Session
   alias Astarte.Pairing.FDO.OwnerOnboarding.SessionKey
   alias Astarte.Pairing.FDO.OwnerOnboarding.SessionToken
+  alias Astarte.Pairing.FDO.Rendezvous.RvTO2Addr
+  alias Astarte.Pairing.FDO.Types.Hash
   alias Astarte.Pairing.Queries
   alias COSE.Messages.Encrypt0
 
   typedstruct do
     field :guid, binary()
+    field :hmac, Hash.t()
     field :device_id, Astarte.DataAccess.UUID, default: nil
     field :nonce, binary()
     field :device_signature, SignatureInfo.device_signature()
@@ -48,9 +51,13 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
     field :device_service_info, map() | nil
     field :owner_service_info, [binary()] | nil
     field :last_chunk_sent, non_neg_integer() | nil
+    field :replacement_guid, binary() | nil
+    field :replacement_rv_info, [RvTO2Addr.t()] | nil
+    field :replacement_pub_key, struct() | nil
+    field :replacement_hmac, Hash.t() | nil
   end
 
-  def new(realm_name, hello_device, ownership_voucher, owner_key) do
+  def new(realm_name, hello_device, ownership_voucher, owner_key, hmac) do
     prove_dv_nonce = :crypto.strong_rand_bytes(16)
     nonce = :crypto.strong_rand_bytes(16)
 
@@ -70,6 +77,7 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
            %TO2Session{
              guid: guid,
              device_id: nil,
+             hmac: Hash.encode_cbor(hmac),
              nonce: nonce,
              prove_dv_nonce: prove_dv_nonce,
              kex_suite_name: kex_name,
@@ -88,6 +96,7 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
       session =
         %Session{
           guid: guid,
+          hmac: hmac,
           device_id: nil,
           nonce: nonce,
           prove_dv_nonce: prove_dv_nonce,
@@ -175,13 +184,45 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
     end
   end
 
+  defp decode_hash(binary) do
+    with {:ok, cbor_list, ""} <- CBOR.decode(binary),
+         {:ok, hash} <- Hash.decode(cbor_list) do
+      {:ok, hash}
+    end
+  end
+
   defp encode_values_to_cbor(map) when is_map(map) do
     Map.new(map, fn
       {key, value} ->
         {key, CBOR.encode(value)}
     end)
   end
 
+  def add_replacement_info(session, realm_name, replacement_guid, rv_info, pub_key, hmac) do
+    serialized_hmac = if hmac, do: Hash.encode_cbor(hmac), else: nil
+    serialized_rv_info = if rv_info, do: :erlang.term_to_binary(rv_info), else: nil
+    serialized_pub_key = if pub_key, do: :erlang.term_to_binary(pub_key), else: nil
+
+    with :ok <-
+           Queries.session_add_replacement_info(
+             realm_name,
+             session.guid,
+             replacement_guid,
+             serialized_rv_info,
+             serialized_pub_key,
+             serialized_hmac
+           ) do
+      {:ok,
+       %{
+         session
+         | replacement_guid: replacement_guid,
+           replacement_rv_info: rv_info,
+           replacement_pub_key: pub_key,
+           replacement_hmac: hmac
+       }}
+    end
+  end
+
   def build_session_secret(session, realm_name, owner_key, xb) do
     %Session{kex_suite_name: kex, owner_random: owner_random, guid: guid} = session
 
@@ -237,6 +278,7 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
       %TO2Session{
         guid: guid,
         device_id: device_id,
+        hmac: db_hmac,
         nonce: db_nonce,
         prove_dv_nonce: prove_dv_nonce,
         setup_dv_nonce: setup_dv_nonce,
@@ -250,12 +292,31 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
         max_owner_service_info_size: max_owner_service_info_size,
         device_service_info: device_service_info,
         owner_service_info: owner_service_info,
-        last_chunk_sent: last_chunk_sent
+        last_chunk_sent: last_chunk_sent,
+        replacement_guid: replacement_guid,
+        replacement_rv_info: db_replacement_rv_info,
+        replacement_pub_key: db_replacement_pub_key,
+        replacement_hmac: db_replacement_hmac
       } = database_session
 
+      {:ok, hmac} = decode_hash(db_hmac)
+
+      replacement_hmac =
+        if db_replacement_hmac do
+          {:ok, h} = decode_hash(db_replacement_hmac)
+          h
+        end
+
+      replacement_rv_info =
+        if db_replacement_rv_info, do: :erlang.binary_to_term(db_replacement_rv_info), else: nil
+
+      replacement_pub_key =
+        if db_replacement_pub_key, do: :erlang.binary_to_term(db_replacement_pub_key), else: nil
+
       session = %Session{
         guid: guid,
         device_id: device_id,
+        hmac: hmac,
         nonce: db_nonce,
         prove_dv_nonce: prove_dv_nonce,
         setup_dv_nonce: setup_dv_nonce,
@@ -270,7 +331,11 @@ defmodule Astarte.Pairing.FDO.OwnerOnboarding.Session do
         max_owner_service_info_size: max_owner_service_info_size,
         device_service_info: device_service_info,
         owner_service_info: owner_service_info,
-        last_chunk_sent: last_chunk_sent
+        last_chunk_sent: last_chunk_sent,
+        replacement_guid: replacement_guid,
+        replacement_rv_info: replacement_rv_info,
+        replacement_pub_key: replacement_pub_key,
+        replacement_hmac: replacement_hmac
       }
 
       {:ok, session}
 
@@ -115,13 +115,19 @@ defmodule Astarte.Pairing.FDO.OwnershipVoucher do
     Enum.find(extracted, {:ok, extracted}, &(&1 == :error))
   end
 
-  def generate_replacement_voucher(_ownership_voucher, nil) do
-    # If ReplacementHMac is null, we don't create a new voucher (Credential Reuse)
-    {:ok, nil}
-  end
+  def generate_replacement_voucher(ownership_voucher, session) do
+    new_header =
+      ownership_voucher.header
+      |> Map.put(:guid, session.replacement_guid)
+      |> Map.put(:rendezvous_info, session.replacement_rv_info)
+      |> Map.put(:public_key, session.replacement_pub_key)
+
+    new_voucher =
+      ownership_voucher
+      |> Map.put(:hmac, session.replacement_hmac)
+      |> Map.put(:header, new_header)
+      |> Map.put(:entries, [])
 
-  def generate_replacement_voucher(ownership_voucher, new_dev_id_hmac) do
-    new_voucher = ownership_voucher |> Map.put(:hmac, new_dev_id_hmac) |> Map.put(:entries, [])
     {:ok, new_voucher}
   end
 
@@ -142,4 +148,18 @@ defmodule Astarte.Pairing.FDO.OwnershipVoucher do
   def cbor_encode(voucher) do
     encode(voucher) |> CBOR.encode()
   end
+
+  def credential_reuse_config_enabled?() do
+    true
+  end
+
+  def credential_reuse?(session) do
+    # TODO credential reuse requires also Owner2Key and/or rv info to be changed for credential reuse
+    # so far, there is no API to do so, so it-s limited to the guid
+
+    case session.replacement_hmac == session.hmac && session.guid == session.replacement_guid do
+      false -> false
+      true -> credential_reuse_config_enabled?()
+    end
+  end
 end