| /* |
| * |
| * Copyright (c) 2013-2017 Nest Labs, Inc. |
| * All rights reserved. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /** |
| * @file |
| * Implementation of CASEConfig object, which provides an implementation of the WeaveCASEAuthDelegate |
| * interface for use in test applications. |
| * |
| */ |
| |
| #include "stdio.h" |
| |
| #include "ToolCommon.h" |
| #include <Weave/Support/CodeUtils.h> |
| #include <Weave/Core/WeaveTLV.h> |
| #include <Weave/Profiles/WeaveProfiles.h> |
| #include <Weave/Profiles/security/WeaveSecurityDebug.h> |
| #include <Weave/Profiles/security/WeaveSig.h> |
| #include <Weave/Profiles/service-provisioning/ServiceProvisioning.h> |
| #include <Weave/Support/NestCerts.h> |
| #include <Weave/Support/ErrorStr.h> |
| #include <Weave/Support/ASN1.h> |
| #include <Weave/Support/Base64.h> |
| #include "CASEOptions.h" |
| |
| using namespace nl::Weave; |
| using namespace nl::Weave::TLV; |
| using namespace nl::Weave::ASN1; |
| using namespace nl::Weave::Profiles; |
| using namespace nl::Weave::Profiles::Security; |
| using namespace nl::Weave::Profiles::Security::CASE; |
| |
| CASEOptions gCASEOptions; |
| |
| WEAVE_ERROR LoadCertsFromServiceConfig(const uint8_t *serviceConfig, uint16_t serviceConfigLen, WeaveCertificateSet& certSet) |
| { |
| WEAVE_ERROR err; |
| nl::Weave::TLV::TLVReader reader; |
| TLVType topLevelContainer; |
| |
| reader.Init(serviceConfig, serviceConfigLen); |
| reader.ImplicitProfileId = kWeaveProfile_ServiceProvisioning; |
| |
| err = reader.Next(kTLVType_Structure, ProfileTag(kWeaveProfile_ServiceProvisioning, ServiceProvisioning::kTag_ServiceConfig)); |
| SuccessOrExit(err); |
| |
| err = reader.EnterContainer(topLevelContainer); |
| SuccessOrExit(err); |
| |
| err = reader.Next(kTLVType_Array, ContextTag(ServiceProvisioning::kTag_ServiceConfig_CACerts)); |
| SuccessOrExit(err); |
| |
| err = certSet.LoadCerts(reader, kDecodeFlag_IsTrusted); |
| SuccessOrExit(err); |
| |
| exit: |
| return err; |
| } |
| |
| bool ParseCASEConfig(const char *str, uint32_t& output) |
| { |
| uint32_t configNum; |
| |
| if (!ParseInt(str, configNum)) |
| return false; |
| |
| switch (configNum) |
| { |
| case 1: |
| output = kCASEConfig_Config1; |
| return true; |
| case 2: |
| output = kCASEConfig_Config2; |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| // Parse a sequence of zero or more unsigned integers corresponding to a list |
| // of allowed CASE configurations. Integer values must be separated by either |
| // a comma or a space. |
| bool ParseAllowedCASEConfigs(const char *strConst, uint8_t& output) |
| { |
| bool res = true; |
| char *str = strdup(strConst); |
| uint32_t configNum; |
| |
| output = 0; |
| |
| for (char *p = str; p != NULL; ) |
| { |
| char *sep = strchr(p, ','); |
| if (sep == NULL) |
| sep = strchr(p, ' '); |
| |
| if (sep != NULL) |
| *sep = 0; |
| |
| if (!ParseInt(p, configNum)) |
| { |
| res = false; |
| break; |
| } |
| |
| if (configNum == 1) |
| output |= kCASEAllowedConfig_Config1; |
| else if (configNum == 2) |
| output |= kCASEAllowedConfig_Config2; |
| else |
| { |
| res = false; |
| break; |
| } |
| |
| p = (sep != NULL) ? sep + 1 : NULL; |
| } |
| |
| free(str); |
| |
| return res; |
| } |
| |
| CASEOptions::CASEOptions() |
| { |
| static OptionDef optionDefs[] = |
| { |
| #if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| { "node-cert", kArgumentRequired, kToolCommonOpt_NodeCert }, |
| { "node-key", kArgumentRequired, kToolCommonOpt_NodeKey }, |
| { "ca-cert", kArgumentRequired, kToolCommonOpt_CACert }, |
| { "no-ca-cert", kNoArgument, kToolCommonOpt_NoCACert }, |
| { "case-config", kArgumentRequired, kToolCommonOpt_CASEConfig }, |
| { "allowed-case-configs", kArgumentRequired, kToolCommonOpt_AllowedCASEConfigs }, |
| { "debug-case", kNoArgument, kToolCommonOpt_DebugCASE }, |
| #if WEAVE_CONFIG_SECURITY_TEST_MODE |
| { "case-use-known-key", kNoArgument, kToolCommonOpt_CASEUseKnownECDHKey }, |
| #endif // WEAVE_CONFIG_SECURITY_TEST_MODE |
| #endif // WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| { } |
| }; |
| OptionDefs = optionDefs; |
| |
| HelpGroupName = "CASE OPTIONS"; |
| |
| OptionHelp = |
| #if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| " --node-cert <cert-file>\n" |
| " File containing a Weave certificate to be used to authenticate the node\n" |
| " when establishing a CASE session. The file can contain either raw TLV or\n" |
| " base-64.\n" |
| "\n" |
| " --node-key <key-file>\n" |
| " File containing a private key to be used to authenticate the node\n" |
| " when establishing a CASE session. The file can contain either raw TLV or\n" |
| " base-64.\n" |
| "\n" |
| " --ca-cert <cert-file>\n" |
| " File containing a Weave CA certificate to be included along with the\n" |
| " node's certificate when establishing a CASE session. The file can contain\n" |
| " either raw TLV or base-64.\n" |
| "\n" |
| " --no-ca-cert\n" |
| " Do not send an intermediate certificate when establishing a CASE session.\n" |
| "\n" |
| " --case-config <int>\n" |
| " Proposed the specified CASE configuration when initiating a CASE session.\n" |
| "\n" |
| " --allowed-case-configs <int>[,<int>]\n" |
| " Accept the specified set of CASE configurations when either initiating or\n" |
| " responding to a CASE session.\n" |
| "\n" |
| " --debug-case\n" |
| " Enable CASE debug messages.\n" |
| #if WEAVE_CONFIG_SECURITY_TEST_MODE |
| "\n" |
| " --case-use-known-key\n" |
| " Enable use of known ECDH key in CASE.\n" |
| #endif // WEAVE_CONFIG_SECURITY_TEST_MODE |
| "\n" |
| #endif // WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| ""; |
| |
| // Defaults |
| InitiatorCASEConfig = kCASEConfig_NotSpecified; |
| AllowedCASEConfigs = 0; // 0 causes code to use default value provided by WeaveSecurityManager |
| NodeCert = NULL; |
| NodeCertLength = 0; |
| NodePrivateKey = NULL; |
| NodePrivateKeyLength = 0; |
| NodeIntermediateCert = NULL; |
| NodeIntermediateCertLength = 0; |
| ServiceConfig = NULL; |
| ServiceConfigLength = 0; |
| NodePayload = NULL; |
| NodePayloadLength = 0; |
| Debug = false; |
| #if WEAVE_CONFIG_SECURITY_TEST_MODE |
| UseKnownECDHKey = false; |
| #endif |
| } |
| |
| bool CASEOptions::HandleOption(const char *progName, OptionSet *optSet, int id, const char *name, const char *arg) |
| { |
| switch (id) |
| { |
| #if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| |
| case kToolCommonOpt_NodeCert: |
| if (!ReadCertFile(arg, (uint8_t *&)NodeCert, NodeCertLength)) |
| return false; |
| break; |
| case kToolCommonOpt_NodeKey: |
| if (!ReadPrivateKeyFile(arg, (uint8_t *&)NodePrivateKey, NodePrivateKeyLength)) |
| return false; |
| break; |
| case kToolCommonOpt_CACert: |
| if (!ReadCertFile(arg, (uint8_t *&)NodeIntermediateCert, NodeIntermediateCertLength)) |
| return false; |
| break; |
| case kToolCommonOpt_NoCACert: |
| NodeIntermediateCert = NULL; |
| NodeIntermediateCertLength = 0; |
| break; |
| case kToolCommonOpt_CASEConfig: |
| if (!ParseCASEConfig(arg, InitiatorCASEConfig)) |
| { |
| PrintArgError("%s: Invalid value specified for CASE config: %s\n", progName, arg); |
| return false; |
| } |
| break; |
| case kToolCommonOpt_AllowedCASEConfigs: |
| if (!ParseAllowedCASEConfigs(arg, AllowedCASEConfigs)) |
| { |
| PrintArgError("%s: Invalid value specified for allowed CASE configs: %s\n", progName, arg); |
| return false; |
| } |
| break; |
| case kToolCommonOpt_DebugCASE: |
| Debug = true; |
| break; |
| #if WEAVE_CONFIG_SECURITY_TEST_MODE |
| case kToolCommonOpt_CASEUseKnownECDHKey: |
| UseKnownECDHKey = true; |
| break; |
| #endif //WEAVE_CONFIG_SECURITY_TEST_MODE |
| |
| #endif // WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER |
| |
| default: |
| PrintArgError("%s: INTERNAL ERROR: Unhandled option: %s\n", progName, name); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| bool CASEOptions::ReadCertFile(const char *fileName, uint8_t *& certBuf, uint16_t& certLen) |
| { |
| uint32_t len; |
| |
| static const char *certB64Prefix = "1QAABAAB"; |
| static const size_t certB64PrefixLen = sizeof(certB64Prefix) - 1; |
| |
| // Read the specified file into a malloced buffer. |
| certBuf = ReadFileArg(fileName, len, UINT16_MAX); |
| if (certBuf == NULL) |
| return false; |
| |
| // If the certificate is in base-64 format, convert it to raw TLV. |
| if (len > certB64PrefixLen && memcmp(certBuf, certB64Prefix, certB64PrefixLen) == 0) |
| { |
| len = nl::Base64Decode((const char *)certBuf, len, (uint8_t *)certBuf); |
| if (len == UINT16_MAX) |
| { |
| printf("Invalid certificate format: %s\n", fileName); |
| free(certBuf); |
| certBuf = NULL; |
| return false; |
| } |
| } |
| |
| certLen = (uint16_t)len; |
| |
| return true; |
| } |
| |
| bool CASEOptions::ReadPrivateKeyFile(const char *fileName, uint8_t *& keyBuf, uint16_t& keyLen) |
| { |
| uint32_t len; |
| |
| static const char *keyB64Prefix = "1QAABAAC"; |
| static const size_t keyB64PrefixLen = sizeof(keyB64Prefix) - 1; |
| |
| // Read the specified file into a malloced buffer. |
| keyBuf = ReadFileArg(fileName, len, UINT16_MAX); |
| if (keyBuf == NULL) |
| return false; |
| |
| // If the private key is in base-64 format, convert it to raw TLV. |
| if (len > keyB64PrefixLen && memcmp(keyBuf, keyB64Prefix, keyB64PrefixLen) == 0) |
| { |
| len = nl::Base64Decode((const char *)keyBuf, len, (uint8_t *)keyBuf); |
| if (len == UINT16_MAX) |
| { |
| printf("Invalid private key format: %s\n", fileName); |
| free(keyBuf); |
| keyBuf = NULL; |
| return false; |
| } |
| } |
| |
| keyLen = (uint16_t)len; |
| |
| return true; |
| } |
| |
| WEAVE_ERROR CASEOptions::GetNodeCert(const uint8_t *& nodeCert, uint16_t & nodeCertLen) |
| { |
| nodeCert = NodeCert; |
| nodeCertLen = NodeCertLength; |
| |
| if (nodeCert == NULL || nodeCertLen == 0) |
| { |
| if (!GetTestNodeCert(FabricState.LocalNodeId, nodeCert, nodeCertLen)) |
| { |
| printf("ERROR: Node certificate not configured\n"); |
| return WEAVE_ERROR_CERT_NOT_FOUND; |
| } |
| } |
| return WEAVE_NO_ERROR; |
| } |
| |
| WEAVE_ERROR CASEOptions::GetNodePrivateKey(const uint8_t *& weavePrivKey, uint16_t& weavePrivKeyLen) |
| { |
| weavePrivKey = NodePrivateKey; |
| weavePrivKeyLen = NodePrivateKeyLength; |
| |
| if (weavePrivKey == NULL || weavePrivKeyLen == 0) |
| { |
| if (!GetTestNodePrivateKey(FabricState.LocalNodeId, weavePrivKey, weavePrivKeyLen)) |
| { |
| printf("ERROR: Node private key not configured\n"); |
| return WEAVE_ERROR_KEY_NOT_FOUND; |
| } |
| } |
| return WEAVE_NO_ERROR; |
| } |
| |
| #if !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE |
| |
| WEAVE_ERROR CASEOptions::EncodeNodeCertInfo(const BeginSessionContext & msgCtx, TLVWriter & writer) |
| { |
| WEAVE_ERROR err; |
| const uint8_t * nodeCert; |
| uint16_t nodeCertLen; |
| const uint8_t * intermediateCert = NodeIntermediateCert; |
| uint16_t intermediateCertLen = NodeIntermediateCertLength; |
| |
| if (intermediateCert == NULL || intermediateCertLen == 0) |
| { |
| intermediateCert = nl::NestCerts::Development::DeviceCA::Cert; |
| intermediateCertLen = nl::NestCerts::Development::DeviceCA::CertLength; |
| } |
| |
| err = GetNodeCert(nodeCert, nodeCertLen); |
| SuccessOrExit(err); |
| |
| err = EncodeCASECertInfo(writer, nodeCert, nodeCertLen, intermediateCert, intermediateCertLen); |
| SuccessOrExit(err); |
| |
| exit: |
| return err; |
| } |
| |
| WEAVE_ERROR CASEOptions::GenerateNodeSignature(const BeginSessionContext & msgCtx, |
| const uint8_t * msgHash, uint8_t msgHashLen, TLVWriter & writer, uint64_t tag) |
| { |
| WEAVE_ERROR err; |
| const uint8_t * nodePrivKey; |
| uint16_t nodePrivKeyLen; |
| |
| err = GetNodePrivateKey(nodePrivKey, nodePrivKeyLen); |
| SuccessOrExit(err); |
| |
| err = GenerateAndEncodeWeaveECDSASignature(writer, tag, msgHash, msgHashLen, nodePrivKey, nodePrivKeyLen); |
| SuccessOrExit(err); |
| |
| exit: |
| return err; |
| } |
| |
| WEAVE_ERROR CASEOptions::EncodeNodePayload(const BeginSessionContext & msgCtx, |
| uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen) |
| { |
| return GetNodePayload(msgCtx.IsInitiator(), payloadBuf, payloadBufSize, payloadLen); |
| } |
| |
| WEAVE_ERROR CASEOptions::BeginValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx, |
| WeaveCertificateSet & certSet) |
| { |
| return BeginCertValidation(msgCtx.IsInitiator(), certSet, validCtx); |
| } |
| |
| WEAVE_ERROR CASEOptions::HandleValidationResult(const BeginSessionContext & msgCtx, ValidationContext & validCtx, |
| WeaveCertificateSet & certSet, WEAVE_ERROR & validRes) |
| { |
| return HandleCertValidationResult(msgCtx.IsInitiator(), validRes, validCtx.SigningCert, msgCtx.PeerNodeId, certSet, validCtx); |
| } |
| |
| void CASEOptions::EndValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx, |
| WeaveCertificateSet & certSet) |
| { |
| EndCertValidation(certSet, validCtx); |
| } |
| |
| #else // !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE |
| |
| // Get the CASE Certificate Information structure for the local node. |
| WEAVE_ERROR CASEOptions::GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen) |
| { |
| WEAVE_ERROR err; |
| const uint8_t *nodeCert; |
| uint16_t nodeCertLen; |
| const uint8_t * intCert = NodeIntermediateCert; |
| uint16_t intCertLen = NodeIntermediateCertLength; |
| |
| if (intCert == NULL || intCertLen == 0) |
| { |
| intCert = nl::NestCerts::Development::DeviceCA::Cert; |
| intCertLen = nl::NestCerts::Development::DeviceCA::CertLength; |
| } |
| |
| err = GetNodeCert(nodeCert, nodeCertLen); |
| SuccessOrExit(err); |
| |
| err = EncodeCASECertInfo(buf, bufSize, certInfoLen, nodeCert, nodeCertLen, intCert, intCertLen); |
| SuccessOrExit(err); |
| |
| exit: |
| return err; |
| } |
| |
| // Get the local node's private key. |
| WEAVE_ERROR CASEOptions::GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t& weavePrivKeyLen) |
| { |
| return GetNodePrivateKey(weavePrivKey, weavePrivKeyLen); |
| } |
| |
| // Called when the CASE engine is done with the buffer returned by GetNodePrivateKey(). |
| WEAVE_ERROR CASEOptions::ReleaseNodePrivateKey(const uint8_t *weavePrivKey) |
| { |
| // nothing to do |
| return WEAVE_NO_ERROR; |
| } |
| |
| #endif // WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE |
| |
| WEAVE_ERROR CASEOptions::GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen) |
| { |
| WEAVE_ERROR err = WEAVE_NO_ERROR; |
| |
| if (NodePayload != NULL) |
| { |
| VerifyOrExit(NodePayloadLength <= bufSize, err = WEAVE_ERROR_BUFFER_TOO_SMALL); |
| |
| memcpy(buf, NodePayload, NodePayloadLength); |
| payloadLen = NodePayloadLength; |
| } |
| |
| else |
| { |
| WeaveDeviceDescriptor deviceDesc; |
| uint32_t encodedDescLen; |
| |
| gDeviceDescOptions.GetDeviceDesc(deviceDesc); |
| |
| err = WeaveDeviceDescriptor::EncodeTLV(deviceDesc, buf, bufSize, encodedDescLen); |
| SuccessOrExit(err); |
| |
| payloadLen = encodedDescLen; |
| } |
| |
| exit: |
| return err; |
| } |
| |
| // Prepare the supplied certificate set and validation context for use in validating the certificate of a peer. |
| // This method is responsible for loading the trust anchors into the certificate set. |
| WEAVE_ERROR CASEOptions::BeginCertValidation(bool isInitiator, WeaveCertificateSet& certSet, ValidationContext& validContext) |
| { |
| WEAVE_ERROR err; |
| WeaveCertificateData *cert; |
| |
| err = certSet.Init(10, 1024); |
| SuccessOrExit(err); |
| |
| if (ServiceConfig != NULL) |
| { |
| err = LoadCertsFromServiceConfig(ServiceConfig, ServiceConfigLength, certSet); |
| SuccessOrExit(err); |
| |
| // Scan the list of trusted certs loaded from the service config. If the list contains a general |
| // certificate with a CommonName subject, presume this certificate is the access token certificate. |
| for (uint8_t i = 0; i < certSet.CertCount; i++) |
| { |
| cert = &certSet.Certs[i]; |
| if ((cert->CertFlags & kCertFlag_IsTrusted) != 0 && |
| cert->CertType == kCertType_General && |
| cert->SubjectDN.AttrOID == ASN1::kOID_AttributeType_CommonName) |
| { |
| cert->CertType = kCertType_AccessToken; |
| } |
| } |
| } |
| |
| else |
| { |
| err = certSet.LoadCert(nl::NestCerts::Development::Root::Cert, nl::NestCerts::Development::Root::CertLength, 0, cert); |
| SuccessOrExit(err); |
| cert->CertFlags |= kCertFlag_IsTrusted; |
| |
| err = certSet.LoadCert(nl::NestCerts::Production::Root::Cert, nl::NestCerts::Production::Root::CertLength, 0, cert); |
| SuccessOrExit(err); |
| cert->CertFlags |= kCertFlag_IsTrusted; |
| |
| const uint8_t *caCert; |
| uint16_t caCertLen; |
| |
| GetTestCACert(TestMockRoot_CAId, caCert, caCertLen); |
| |
| err = certSet.LoadCert(caCert, caCertLen, 0, cert); |
| SuccessOrExit(err); |
| cert->CertFlags |= kCertFlag_IsTrusted; |
| |
| err = certSet.LoadCert(nl::NestCerts::Development::DeviceCA::Cert, nl::NestCerts::Development::DeviceCA::CertLength, kDecodeFlag_GenerateTBSHash, cert); |
| SuccessOrExit(err); |
| |
| err = certSet.LoadCert(nl::NestCerts::Production::DeviceCA::Cert, nl::NestCerts::Production::DeviceCA::CertLength, kDecodeFlag_GenerateTBSHash, cert); |
| SuccessOrExit(err); |
| |
| GetTestCACert(TestMockServiceEndpointCA_CAId, caCert, caCertLen); |
| |
| err = certSet.LoadCert(caCert, caCertLen, kDecodeFlag_GenerateTBSHash, cert); |
| SuccessOrExit(err); |
| } |
| |
| memset(&validContext, 0, sizeof(validContext)); |
| validContext.EffectiveTime = SecondsSinceEpochToPackedCertTime(time(NULL)); |
| validContext.RequiredKeyUsages = kKeyUsageFlag_DigitalSignature; |
| validContext.RequiredKeyPurposes = (isInitiator) ? kKeyPurposeFlag_ServerAuth : kKeyPurposeFlag_ClientAuth; |
| |
| if (Debug) |
| { |
| validContext.CertValidationResults = (WEAVE_ERROR *)malloc(sizeof(WEAVE_ERROR) * certSet.MaxCerts); |
| validContext.CertValidationResultsLen = certSet.MaxCerts; |
| } |
| |
| exit: |
| return err; |
| } |
| |
| // Called when peer certificate validation is complete. |
| WEAVE_ERROR CASEOptions::HandleCertValidationResult(bool isInitiator, WEAVE_ERROR& validRes, WeaveCertificateData *peerCert, |
| uint64_t peerNodeId, WeaveCertificateSet& certSet, ValidationContext& validContext) |
| { |
| // If the peer's certificate is otherwise valid... |
| if (validRes == WEAVE_NO_ERROR) |
| { |
| // If the peer authenticated with a device certificate... |
| if (peerCert->CertType == kCertType_Device) |
| { |
| // Get the node id from the certificate subject. |
| uint64_t certId = peerCert->SubjectDN.AttrValue.WeaveId; |
| |
| // This is a work-around for DVT devices that were built with incorrect certificates. |
| // Specifically, the device id in the certificate didn't include Nest's OUI (the first |
| // 3 bytes of the EUI-64 that makes up the id). Here we grandfather these in by assuming |
| // anything that has an OUI of 0 is in fact a Nest device. |
| if ((certId & 0xFFFFFF0000000000ULL) == 0) |
| certId |= 0x18b4300000000000ULL; |
| |
| // Verify the certificate node id matches the peer's node id. |
| if (certId != peerNodeId) |
| validRes = WEAVE_ERROR_WRONG_CERT_SUBJECT; |
| } |
| |
| // If the peer authenticated with a service endpoint certificate... |
| else if (peerCert->CertType == kCertType_ServiceEndpoint) |
| { |
| // Get the node id from the certificate subject. |
| uint64_t certId = peerCert->SubjectDN.AttrValue.WeaveId; |
| |
| // Verify the certificate node id matches the peer's node id. |
| if (certId != peerNodeId) |
| validRes = WEAVE_ERROR_WRONG_CERT_SUBJECT; |
| |
| // Reject the peer if they are initiating the session. Service endpoint certificates |
| // cannot be used to initiate sessions to other nodes, only to respond. |
| if (!isInitiator) |
| validRes = WEAVE_ERROR_WRONG_CERT_TYPE; |
| } |
| |
| // If the peer authenticated with an access token certificate... |
| else if (peerCert->CertType == kCertType_AccessToken) |
| { |
| // Reject the peer if they are the session responder. Access token certificates |
| // can only be used to initiate sessions. |
| if (isInitiator) |
| validRes = WEAVE_ERROR_WRONG_CERT_TYPE; |
| } |
| |
| // For all other certificate types, reject the session. |
| else |
| { |
| validRes = WEAVE_ERROR_WRONG_CERT_TYPE; |
| } |
| } |
| |
| if (Debug) |
| { |
| if (validRes == WEAVE_NO_ERROR) |
| printf("Certificate validation completed successfully\n"); |
| else |
| printf("Certificate validation failed: %s\n", nl::ErrorStr(validRes)); |
| |
| if (peerCert != NULL) |
| printf("Peer certificate: %d\n", (int)(peerCert - certSet.Certs)); |
| |
| printf("\nValidation results:\n\n"); |
| PrintCertValidationResults(stdout, certSet, validContext, 2); |
| } |
| |
| return WEAVE_NO_ERROR; |
| } |
| |
| // Called when peer certificate validation is complete. |
| WEAVE_ERROR CASEOptions::EndCertValidation(WeaveCertificateSet& certSet, ValidationContext& validContext) |
| { |
| if (Debug) |
| free(validContext.CertValidationResults); |
| return WEAVE_NO_ERROR; |
| } |