Merge pull request #450 from openweave/feature/emargolis/device-layer-credential-storage

Added Operational Device Credentials Support for the Weave Device Layer.

Author: Jay Logue

src/adaptations/device-layer/DeviceControlServer.cpp

@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2019-2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -69,9 +70,15 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags)
 
     else
     {
-        // If a service config request has been requested, clear the persisted
+        // If a service config reset has been requested, clear the persisted
         // service provisioning data, if present.
-        if ((resetFlags & kResetConfigFlag_ServiceConfig) != 0)
+        if (((resetFlags & kResetConfigFlag_ServiceConfig) != 0)
+#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
+          // Always reset service provisioning data, when requested to reset operational
+          // device credentials.
+          || ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0)
+#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
+        )
         {
             WeaveLogProgress(DeviceLayer, "Reset service config");
             tmpErr = ConfigurationMgr().ClearServiceProvisioningData();
@@ -109,6 +116,21 @@ WEAVE_ERROR DeviceControlServer::OnResetConfig(uint16_t resetFlags)
             ThreadStackMgr().ClearThreadProvision();
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_THREAD
         }
+
+#if WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
+        // If the device operational credentials reset has been requested, clear
+        // the device operational credentials, if present.
+        if ((resetFlags & kResetConfigFlag_OperationalCredentials) != 0)
+        {
+            WeaveLogProgress(DeviceLayer, "Reset operational credentials");
+            tmpErr = ConfigurationMgr().ClearOperationalDeviceCredentials();
+            if (tmpErr != WEAVE_NO_ERROR)
+            {
+                WeaveLogProgress(DeviceLayer, "ConfigurationMgr().ClearOperationalDeviceCredentials() failed: %s", ErrorStr(tmpErr));
+                err = (err == WEAVE_NO_ERROR) ? tmpErr : err;
+            }
+        }
+#endif // WEAVE_DEVICE_CONFIG_ENABLE_JUST_IN_TIME_PROVISIONING
     }
 
     return err;
@@ -171,7 +193,8 @@ bool DeviceControlServer::IsResetAllowed(uint16_t resetFlags)
     }
 
     const uint16_t supportedResetOps =
-            (kResetConfigFlag_NetworkConfig | kResetConfigFlag_FabricConfig | kResetConfigFlag_ServiceConfig);
+            (kResetConfigFlag_NetworkConfig | kResetConfigFlag_FabricConfig |
+             kResetConfigFlag_ServiceConfig | kResetConfigFlag_OperationalCredentials);
 
     // Otherwise, verify the requested reset operation is supported.
     return (resetFlags == kResetConfigFlag_All || (resetFlags & ~supportedResetOps) == 0);
@@ -213,5 +236,3 @@ void DeviceControlServer::OnPlatformEvent(const WeaveDeviceEvent * event)
 } // namespace DeviceLayer
 } // namespace Weave
 } // namespace nl
-
-

src/adaptations/device-layer/ESP32/ESP32Config.cpp

@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2019-2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -40,27 +41,32 @@ const char ESP32Config::kConfigNamespace_WeaveConfig[]                     = "we
 const char ESP32Config::kConfigNamespace_WeaveCounters[]                   = "weave-counters";
 
 // Keys stored in the weave-factory namespace
-const ESP32Config::Key ESP32Config::kConfigKey_SerialNum               = { kConfigNamespace_WeaveFactory, "serial-num"         };
-const ESP32Config::Key ESP32Config::kConfigKey_DeviceId                = { kConfigNamespace_WeaveFactory, "device-id"          };
-const ESP32Config::Key ESP32Config::kConfigKey_DeviceCert              = { kConfigNamespace_WeaveFactory, "device-cert"        };
-const ESP32Config::Key ESP32Config::kConfigKey_DevicePrivateKey        = { kConfigNamespace_WeaveFactory, "device-key"         };
-const ESP32Config::Key ESP32Config::kConfigKey_ProductRevision         = { kConfigNamespace_WeaveFactory, "product-rev"        };
-const ESP32Config::Key ESP32Config::kConfigKey_ManufacturingDate       = { kConfigNamespace_WeaveFactory, "mfg-date"           };
-const ESP32Config::Key ESP32Config::kConfigKey_PairingCode             = { kConfigNamespace_WeaveFactory, "pairing-code"       };
+const ESP32Config::Key ESP32Config::kConfigKey_SerialNum                   = { kConfigNamespace_WeaveFactory, "serial-num"         };
+const ESP32Config::Key ESP32Config::kConfigKey_MfrDeviceId                 = { kConfigNamespace_WeaveFactory, "device-id"          };
+const ESP32Config::Key ESP32Config::kConfigKey_MfrDeviceCert               = { kConfigNamespace_WeaveFactory, "device-cert"        };
+const ESP32Config::Key ESP32Config::kConfigKey_MfrDeviceICACerts           = { kConfigNamespace_WeaveFactory, "device-ca-certs"    };
+const ESP32Config::Key ESP32Config::kConfigKey_MfrDevicePrivateKey         = { kConfigNamespace_WeaveFactory, "device-key"         };
+const ESP32Config::Key ESP32Config::kConfigKey_ProductRevision             = { kConfigNamespace_WeaveFactory, "product-rev"        };
+const ESP32Config::Key ESP32Config::kConfigKey_ManufacturingDate           = { kConfigNamespace_WeaveFactory, "mfg-date"           };
+const ESP32Config::Key ESP32Config::kConfigKey_PairingCode                 = { kConfigNamespace_WeaveFactory, "pairing-code"       };
 
 // Keys stored in the weave-config namespace
-const ESP32Config::Key ESP32Config::kConfigKey_FabricId                = { kConfigNamespace_WeaveConfig,  "fabric-id"          };
-const ESP32Config::Key ESP32Config::kConfigKey_ServiceConfig           = { kConfigNamespace_WeaveConfig,  "service-config"     };
-const ESP32Config::Key ESP32Config::kConfigKey_PairedAccountId         = { kConfigNamespace_WeaveConfig,  "account-id"         };
-const ESP32Config::Key ESP32Config::kConfigKey_ServiceId               = { kConfigNamespace_WeaveConfig,  "service-id"         };
-const ESP32Config::Key ESP32Config::kConfigKey_FabricSecret            = { kConfigNamespace_WeaveConfig,  "fabric-secret"      };
-const ESP32Config::Key ESP32Config::kConfigKey_GroupKeyIndex           = { kConfigNamespace_WeaveConfig,  "group-key-index"    };
-const ESP32Config::Key ESP32Config::kConfigKey_LastUsedEpochKeyId      = { kConfigNamespace_WeaveConfig,  "last-ek-id"         };
-const ESP32Config::Key ESP32Config::kConfigKey_FailSafeArmed           = { kConfigNamespace_WeaveConfig,  "fail-safe-armed"    };
-const ESP32Config::Key ESP32Config::kConfigKey_WiFiStationSecType      = { kConfigNamespace_WeaveConfig,  "sta-sec-type"       };
+const ESP32Config::Key ESP32Config::kConfigKey_FabricId                    = { kConfigNamespace_WeaveConfig,  "fabric-id"          };
+const ESP32Config::Key ESP32Config::kConfigKey_ServiceConfig               = { kConfigNamespace_WeaveConfig,  "service-config"     };
+const ESP32Config::Key ESP32Config::kConfigKey_PairedAccountId             = { kConfigNamespace_WeaveConfig,  "account-id"         };
+const ESP32Config::Key ESP32Config::kConfigKey_ServiceId                   = { kConfigNamespace_WeaveConfig,  "service-id"         };
+const ESP32Config::Key ESP32Config::kConfigKey_FabricSecret                = { kConfigNamespace_WeaveConfig,  "fabric-secret"      };
+const ESP32Config::Key ESP32Config::kConfigKey_GroupKeyIndex               = { kConfigNamespace_WeaveConfig,  "group-key-index"    };
+const ESP32Config::Key ESP32Config::kConfigKey_LastUsedEpochKeyId          = { kConfigNamespace_WeaveConfig,  "last-ek-id"         };
+const ESP32Config::Key ESP32Config::kConfigKey_FailSafeArmed               = { kConfigNamespace_WeaveConfig,  "fail-safe-armed"    };
+const ESP32Config::Key ESP32Config::kConfigKey_WiFiStationSecType          = { kConfigNamespace_WeaveConfig,  "sta-sec-type"       };
+const ESP32Config::Key ESP32Config::kConfigKey_OperationalDeviceId         = { kConfigNamespace_WeaveConfig,  "op-device-id"       };
+const ESP32Config::Key ESP32Config::kConfigKey_OperationalDeviceCert       = { kConfigNamespace_WeaveConfig,  "op-device-cert"     };
+const ESP32Config::Key ESP32Config::kConfigKey_OperationalDeviceICACerts   = { kConfigNamespace_WeaveConfig,  "op-device-ca-certs" };
+const ESP32Config::Key ESP32Config::kConfigKey_OperationalDevicePrivateKey = { kConfigNamespace_WeaveConfig,  "op-device-key"      };
 
 // Prefix used for NVS keys that contain Weave group encryption keys.
-const char ESP32Config::kGroupKeyNamePrefix[]                        = "gk-";
+const char ESP32Config::kGroupKeyNamePrefix[]                              = "gk-";
 
 
 WEAVE_ERROR ESP32Config::ReadConfigValue(Key key, bool & val)
@@ -126,15 +132,15 @@ WEAVE_ERROR ESP32Config::ReadConfigValue(Key key, uint64_t & val)
     SuccessOrExit(err);
     needClose = true;
 
-    // Special case the DeviceId value, optionally allowing it to be read as a blob containing a 64-bit
-    // big-endian integer, instead of a u64 value.
+    // Special case the MfrDeviceId value, optionally allowing it to be read as a blob containing
+    // a 64-bit big-endian integer, instead of a u64 value.
     //
     // The ESP32 development environment provides a tool for pre-populating the NVS partition using
     // values from a CSV file.  This tool is convenient for provisioning devices during manufacturing.
-    // However currently the tool does not support pre-populating u64 values such as DeviceId.  Thus
-    // we allow DeviceId to be stored as a blob instead.
+    // However currently the tool does not support pre-populating u64 values such as MfrDeviceId.
+    // Thus we allow MfrDeviceId to be stored as a blob instead.
     //
-    if (key == kConfigKey_DeviceId)
+    if (key == kConfigKey_MfrDeviceId)
     {
         uint8_t deviceIdBytes[sizeof(uint64_t)];
         size_t deviceIdLen = sizeof(deviceIdBytes);

src/adaptations/device-layer/GenTestDeviceIds.py

@@ -1,5 +1,5 @@
 #
-#    Copyright (c) 2018-2019 Google, LLC.
+#    Copyright (c) 2018-2020 Google, LLC.
 #    All rights reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,6 +23,7 @@
 preamble = '''\
 /*
  *
+ *    Copyright (c) 2019-2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -39,8 +40,8 @@
  *    limitations under the License.
  */
 
-#include <internal/WeaveDeviceInternal.h>
-#include <ConfigurationManager.h>
+#include <Weave/DeviceLayer/internal/WeaveDeviceInternal.h>
+#include <Weave/DeviceLayer/ConfigurationManager.h>
 
 namespace nl {
 namespace Weave {
@@ -53,7 +54,26 @@
 
 #if WEAVE_DEVICE_CONFIG_ENABLE_TEST_DEVICE_IDENTITY
 
+const uint8_t TestDeviceIntermediateCACert[] =
+{
+    0xD6, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00, 0x15, 0x30, 0x01, 0x08, 0x6A, 0x76, 0xA7, 0xB9, 0x50,
+    0x3C, 0x34, 0x7A, 0x24, 0x02, 0x05, 0x37, 0x03, 0x27, 0x13, 0x01, 0x00, 0x00, 0xEE, 0xEE, 0x30,
+    0xB4, 0x18, 0x18, 0x26, 0x04, 0x80, 0x62, 0xA9, 0x19, 0x26, 0x05, 0x7F, 0xDE, 0x72, 0x79, 0x37,
+    0x06, 0x27, 0x13, 0x02, 0x00, 0x00, 0xEE, 0xEE, 0x30, 0xB4, 0x18, 0x18, 0x24, 0x07, 0x02, 0x26,
+    0x08, 0x15, 0x00, 0x5A, 0x23, 0x30, 0x0A, 0x31, 0x04, 0x3B, 0x9D, 0xC4, 0xE8, 0xCA, 0xC8, 0x33,
+    0xA0, 0x2E, 0x7B, 0x5D, 0xB5, 0x29, 0xF4, 0xA6, 0xD5, 0xF8, 0x82, 0x26, 0x4C, 0xD2, 0xFB, 0x31,
+    0x21, 0xE6, 0x84, 0xA5, 0x1C, 0xC9, 0x58, 0x13, 0x72, 0x36, 0x4A, 0x05, 0xA9, 0xC6, 0x27, 0x65,
+    0xDD, 0x20, 0xDB, 0x30, 0xD4, 0x6B, 0xF8, 0xAD, 0x31, 0x35, 0x83, 0x29, 0x01, 0x29, 0x02, 0x18,
+    0x35, 0x82, 0x29, 0x01, 0x24, 0x02, 0x60, 0x18, 0x35, 0x81, 0x30, 0x02, 0x08, 0x44, 0xE3, 0x40,
+    0x38, 0xA9, 0xD4, 0xB5, 0xA7, 0x18, 0x35, 0x80, 0x30, 0x02, 0x08, 0x42, 0x0C, 0xAC, 0xF6, 0xB4,
+    0x64, 0x71, 0xE6, 0x18, 0x35, 0x0C, 0x30, 0x01, 0x18, 0x57, 0x63, 0xAA, 0xD5, 0x6A, 0x91, 0xCE,
+    0x35, 0xAB, 0x2A, 0x44, 0x77, 0x31, 0x3C, 0xBA, 0xFC, 0x77, 0x5F, 0x3E, 0xFE, 0xCB, 0xA2, 0x65,
+    0x4B, 0x30, 0x02, 0x19, 0x00, 0xF4, 0x54, 0x79, 0x8C, 0xAA, 0x07, 0x13, 0x0B, 0xAF, 0xA8, 0x8F,
+    0xCB, 0x0B, 0x2F, 0x80, 0x8D, 0xA3, 0x57, 0xBB, 0xC7, 0xA0, 0xFF, 0x54, 0xD5, 0x18, 0x18, 0x18,
+};
+
 const uint16_t TestDeviceCertLength = sizeof(TestDeviceCert);
+const uint16_t TestDeviceIntermediateCACertLength = sizeof(TestDeviceIntermediateCACert);
 const uint16_t TestDevicePrivateKeyLength = sizeof(TestDevicePrivateKey);
 
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_TEST_DEVICE_IDENTITY

src/adaptations/device-layer/TestDeviceIds.cpp

@@ -1,5 +1,6 @@
 /*
  *
+ *    Copyright (c) 2019-2020 Google LLC.
  *    Copyright (c) 2018 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -8805,7 +8806,26 @@ const uint8_t TestDevicePrivateKey[] =
 
 #if WEAVE_DEVICE_CONFIG_ENABLE_TEST_DEVICE_IDENTITY
 
+const uint8_t TestDeviceIntermediateCACert[] =
+{
+    0xD6, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00, 0x15, 0x30, 0x01, 0x08, 0x6A, 0x76, 0xA7, 0xB9, 0x50,
+    0x3C, 0x34, 0x7A, 0x24, 0x02, 0x05, 0x37, 0x03, 0x27, 0x13, 0x01, 0x00, 0x00, 0xEE, 0xEE, 0x30,
+    0xB4, 0x18, 0x18, 0x26, 0x04, 0x80, 0x62, 0xA9, 0x19, 0x26, 0x05, 0x7F, 0xDE, 0x72, 0x79, 0x37,
+    0x06, 0x27, 0x13, 0x02, 0x00, 0x00, 0xEE, 0xEE, 0x30, 0xB4, 0x18, 0x18, 0x24, 0x07, 0x02, 0x26,
+    0x08, 0x15, 0x00, 0x5A, 0x23, 0x30, 0x0A, 0x31, 0x04, 0x3B, 0x9D, 0xC4, 0xE8, 0xCA, 0xC8, 0x33,
+    0xA0, 0x2E, 0x7B, 0x5D, 0xB5, 0x29, 0xF4, 0xA6, 0xD5, 0xF8, 0x82, 0x26, 0x4C, 0xD2, 0xFB, 0x31,
+    0x21, 0xE6, 0x84, 0xA5, 0x1C, 0xC9, 0x58, 0x13, 0x72, 0x36, 0x4A, 0x05, 0xA9, 0xC6, 0x27, 0x65,
+    0xDD, 0x20, 0xDB, 0x30, 0xD4, 0x6B, 0xF8, 0xAD, 0x31, 0x35, 0x83, 0x29, 0x01, 0x29, 0x02, 0x18,
+    0x35, 0x82, 0x29, 0x01, 0x24, 0x02, 0x60, 0x18, 0x35, 0x81, 0x30, 0x02, 0x08, 0x44, 0xE3, 0x40,
+    0x38, 0xA9, 0xD4, 0xB5, 0xA7, 0x18, 0x35, 0x80, 0x30, 0x02, 0x08, 0x42, 0x0C, 0xAC, 0xF6, 0xB4,
+    0x64, 0x71, 0xE6, 0x18, 0x35, 0x0C, 0x30, 0x01, 0x18, 0x57, 0x63, 0xAA, 0xD5, 0x6A, 0x91, 0xCE,
+    0x35, 0xAB, 0x2A, 0x44, 0x77, 0x31, 0x3C, 0xBA, 0xFC, 0x77, 0x5F, 0x3E, 0xFE, 0xCB, 0xA2, 0x65,
+    0x4B, 0x30, 0x02, 0x19, 0x00, 0xF4, 0x54, 0x79, 0x8C, 0xAA, 0x07, 0x13, 0x0B, 0xAF, 0xA8, 0x8F,
+    0xCB, 0x0B, 0x2F, 0x80, 0x8D, 0xA3, 0x57, 0xBB, 0xC7, 0xA0, 0xFF, 0x54, 0xD5, 0x18, 0x18, 0x18,
+};
+
 const uint16_t TestDeviceCertLength = sizeof(TestDeviceCert);
+const uint16_t TestDeviceIntermediateCACertLength = sizeof(TestDeviceIntermediateCACert);
 const uint16_t TestDevicePrivateKeyLength = sizeof(TestDevicePrivateKey);
 
 #endif // WEAVE_DEVICE_CONFIG_ENABLE_TEST_DEVICE_IDENTITY