components/esp_matter_controller: support dcl attestation for commissioner

Author: DejinChen

components/esp_matter_controller/CMakeLists.txt

@@ -7,7 +7,7 @@ set(MATTER_SDK_PATH ${ESP_MATTER_PATH}/connectedhomeip/connectedhomeip)
 set(src_dirs_list )
 set(include_dirs_list )
 set(exclude_srcs_list )
-set(requires_list chip esp_matter esp_matter_console spiffs)
+set(requires_list chip esp_matter esp_matter_console spiffs esp_http_client)
 if (CONFIG_ESP_MATTER_CONTROLLER_ENABLE)
     list(APPEND src_dirs_list "${CMAKE_CURRENT_SOURCE_DIR}/core"
                               "${CMAKE_CURRENT_SOURCE_DIR}/commands"

components/esp_matter_controller/Kconfig

@@ -37,6 +37,11 @@ menu "ESP Matter Controller"
             help
                 Read the PAA root certificates from the spiffs partition
 
+        config DCL_ATTESTATION_TRUST_STORE
+            bool "Attestation Trust Store - DCL"
+            help
+                Read the PAA root certificates from DCL
+
         config CUSTOM_ATTESTATION_TRUST_STORE
             bool "Attestation Trust Store - Custom"
             help

components/esp_matter_controller/attestation_store/esp_matter_attestation_trust_store.cpp

@@ -12,11 +12,16 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include "esp_matter_controller_utils.h"
 #include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
 #include <esp_check.h>
+#include <esp_crt_bundle.h>
+#include <esp_http_client.h>
 #include <esp_log.h>
 #include <esp_matter_attestation_trust_store.h>
 #include <esp_spiffs.h>
+#include <json_parser.h>
+#include <mbedtls/base64.h>
 
 const char TAG[] = "spiffs_attestation";
 
@@ -132,14 +137,185 @@ CHIP_ERROR spiffs_attestation_trust_store::GetProductAttestationAuthorityCert(co
     return CHIP_ERROR_INCORRECT_STATE;
 }
 
+#if CONFIG_DCL_ATTESTATION_TRUST_STORE
+static void remove_backslash_n(char *str)
+{
+    char *src = str, *dst = str;
+    while (*src) {
+        if (*src == '\\' && *(src + 1) == 'n' && *(src + 1) != '\0') {
+            src += 2;
+        } else {
+            *dst++ = *src++;
+        }
+    }
+    *dst = '\0';
+}
+
+static esp_err_t convert_pem_to_der(const char *pem, uint8_t *der_buf, size_t *der_len)
+{
+    ESP_RETURN_ON_FALSE(pem && strlen(pem) > 0, ESP_ERR_INVALID_ARG, TAG, "pem cannot be NULL");
+    ESP_RETURN_ON_FALSE(der_buf && der_len, ESP_ERR_INVALID_ARG, TAG, "der_buf cannot be NULL");
+    size_t pem_len = strlen(pem);
+    size_t len = 0;
+    const char *s1, *s2, *end = pem + pem_len;
+    constexpr char *begin_mark = "-----BEGIN";
+    constexpr char *end_mark = "-----END";
+    s1 = (char *)strstr(pem, begin_mark);
+    if (s1 == NULL) {
+        return ESP_FAIL;
+    }
+    s2 = (char *)strstr(pem, end_mark);
+    if (s2 == NULL) {
+        return ESP_FAIL;
+    }
+    s1 += strlen(begin_mark);
+    while (s1 < end && *s1 != '-') {
+        s1++;
+    }
+    while (s1 < end && *s1 == '-') {
+        s1++;
+    }
+    if (*s1 == '\r') {
+        s1++;
+    }
+    if (*s1 == '\n') {
+        s1++;
+    }
+    int ret = mbedtls_base64_decode(NULL, 0, &len, (const unsigned char *)s1, s2 - s1);
+    if (ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER) {
+        return ESP_FAIL;
+    }
+    if (len > *der_len) {
+        return ESP_FAIL;
+    }
+    if ((ret = mbedtls_base64_decode(der_buf, len, &len, (const unsigned char *)s1, s2 - s1)) != 0) {
+        return ESP_FAIL;
+    }
+    *der_len = len;
+    return ESP_OK;
+}
+
+CHIP_ERROR dcl_attestation_trust_store::GetProductAttestationAuthorityCert(const ByteSpan &skid,
+                                                                           MutableByteSpan &outPaaDerBuffer) const
+{
+    VerifyOrReturnError(skid.size() == Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(outPaaDerBuffer.size() > 0 && outPaaDerBuffer.size() <= kMaxDERCertLength,
+                        CHIP_ERROR_INVALID_ARGUMENT);
+    char url[200];
+    int offset = 0;
+    esp_err_t ret = ESP_OK;
+    if (dcl_net_type == DCL_MAIN_NET) {
+        offset += snprintf(url, sizeof(url), "%s", "https://on.dcl.csa-iot.org/dcl/pki/certificates?subjectKeyId=");
+    } else {
+        // DCL_TEST_NET
+        offset +=
+            snprintf(url, sizeof(url), "%s", "https://on.test-net.dcl.csa-iot.org/dcl/pki/certificates?subjectKeyId=");
+    }
+
+    for (size_t i = 0; i < skid.size(); ++i) {
+        if (i == skid.size() - 1) {
+            offset += snprintf(url + offset, sizeof(url) - offset, "%02X", skid[i]);
+        } else {
+            offset += snprintf(url + offset, sizeof(url) - offset, "%02X%%3a", skid[i]);
+        }
+    }
+
+    ChipLogProgress(Controller, "DCL Attestation URL: %s", url);
+
+    esp_http_client_config_t config = {
+        .url = url,
+        .method = HTTP_METHOD_GET,
+        .timeout_ms = 10000,
+        .transport_type = HTTP_TRANSPORT_OVER_SSL,
+        .buffer_size = 1024,
+        .skip_cert_common_name_check = false,
+        .crt_bundle_attach = esp_crt_bundle_attach,
+    };
+    esp_http_client_handle_t client = NULL;
+    ScopedMemoryBufferWithSize<char> http_payload;
+    int http_len, http_status_code;
+    int certificates_count, certs_count, paa_str_len;
+    jparse_ctx_t jctx;
+    const size_t paa_pem_size = 1024;
+    size_t paa_der_len = outPaaDerBuffer.size();
+
+    client = esp_http_client_init(&config);
+    if (!client) {
+        ESP_LOGE(TAG, "Failed to initialise HTTP Client.");
+        return CHIP_ERROR_NO_MEMORY;
+    }
+
+    char *paa_pem_buffer = (char *)malloc(paa_pem_size);
+    ESP_GOTO_ON_FALSE(paa_pem_buffer, ESP_ERR_NO_MEM, cleanup, TAG, "Failed to alloc memory for paa_pem_buffer");
+    ESP_GOTO_ON_ERROR(esp_http_client_set_header(client, "accept", "application/json"), cleanup, TAG,
+                      "Failed to set http header accept");
+    ESP_GOTO_ON_ERROR(esp_http_client_open(client, 0), cleanup, TAG, "Failed to open http connection");
+
+    // Read Response
+    http_len = esp_http_client_fetch_headers(client);
+    http_status_code = esp_http_client_get_status_code(client);
+    http_payload.Calloc(2400);
+    ESP_GOTO_ON_FALSE(http_payload.Get(), ESP_ERR_NO_MEM, close, TAG, "Failed to alloc memory for http_payload");
+    if (http_status_code == HttpStatus_Ok) {
+        http_len = esp_http_client_read_response(client, http_payload.Get(), http_payload.AllocatedSize());
+        http_payload[http_len] = '\0';
+    } else {
+        ESP_LOGE(TAG, "Status = %d. Invalid response for %s", http_status_code, url);
+        ret = ESP_FAIL;
+        goto close;
+    }
+
+    // Parse the response payload
+    ESP_GOTO_ON_FALSE(json_parse_start(&jctx, http_payload.Get(), http_len) == 0, ESP_FAIL, close, TAG,
+                      "Failed to parse the http response json on json_parse_start");
+    if (json_obj_get_array(&jctx, "approvedCertificates", &certificates_count) == 0 && certificates_count == 1) {
+        if (json_arr_get_object(&jctx, 0) == 0) {
+            if (json_obj_get_array(&jctx, "certs", &certs_count) == 0 && certs_count == 1) {
+                if (json_arr_get_object(&jctx, 0) == 0) {
+                    if (json_obj_get_strlen(&jctx, "pemCert", &paa_str_len) == 0 &&
+                        json_obj_get_string(&jctx, "pemCert", paa_pem_buffer, paa_pem_size) == 0) {
+                        paa_str_len = paa_str_len < paa_pem_size - 1 ? paa_str_len : paa_pem_size - 1;
+                        paa_pem_buffer[paa_str_len] = 0;
+                        remove_backslash_n(paa_pem_buffer);
+                        ret = convert_pem_to_der(paa_pem_buffer, outPaaDerBuffer.data(), &paa_der_len);
+                        if (ret == ESP_OK) {
+                            outPaaDerBuffer.reduce_size(paa_der_len);
+                        }
+                    }
+                    json_obj_leave_object(&jctx);
+                }
+                json_obj_leave_array(&jctx);
+            } else {
+                ret = ESP_FAIL;
+            }
+            json_obj_leave_object(&jctx);
+        } else {
+            ret = ESP_FAIL;
+        }
+        json_obj_leave_array(&jctx);
+    } else {
+        ret = ESP_FAIL;
+    }
+    json_parse_end(&jctx);
+
+close:
+    esp_http_client_close(client);
+cleanup:
+    free(paa_pem_buffer);
+    esp_http_client_cleanup(client);
+    return ret == ESP_OK ? CHIP_NO_ERROR : CHIP_ERROR_INTERNAL;
+}
+#endif // CONFIG_DCL_ATTESTATION_TRUST_STORE
+
 const AttestationTrustStore *get_attestation_trust_store()
 {
-    // TODO: Fetch the PAA certificates from DCL
 #if CONFIG_TEST_ATTESTATION_TRUST_STORE
     return GetTestAttestationTrustStore();
 #elif CONFIG_SPIFFS_ATTESTATION_TRUST_STORE
     spiffs_attestation_trust_store::get_instance().init();
     return &spiffs_attestation_trust_store::get_instance();
+#elif CONFIG_DCL_ATTESTATION_TRUST_STORE
+    return &dcl_attestation_trust_store::get_instance();
 #endif
 }
 

components/esp_matter_controller/attestation_store/esp_matter_attestation_trust_store.h

@@ -64,6 +64,34 @@ class spiffs_attestation_trust_store : public AttestationTrustStore {
     spiffs_attestation_trust_store() {}
 };
 
+#if CONFIG_DCL_ATTESTATION_TRUST_STORE
+class dcl_attestation_trust_store : public AttestationTrustStore {
+public:
+    typedef enum {
+        DCL_MAIN_NET,
+        DCL_TEST_NET,
+    } dcl_net_type_t;
+
+    dcl_attestation_trust_store(dcl_attestation_trust_store &other) = delete;
+    void operator=(const dcl_attestation_trust_store &) = delete;
+
+    static dcl_attestation_trust_store &get_instance()
+    {
+        static dcl_attestation_trust_store instance;
+        return instance;
+    }
+
+    CHIP_ERROR GetProductAttestationAuthorityCert(const ByteSpan &skid,
+                                                  MutableByteSpan &outPaaDerBuffer) const override;
+
+    void SetDCLNetType(dcl_net_type_t type) { dcl_net_type = type; }
+
+private:
+    dcl_net_type_t dcl_net_type = DCL_MAIN_NET;
+    dcl_attestation_trust_store() {}
+};
+#endif // CONFIG_DCL_ATTESTATION_TRUST_STORE
+
 const AttestationTrustStore *get_attestation_trust_store();
 
 } // namespace Credentials