google-home / sample-apps-for-matter-android

The Google Home Sample App for Matter (GHSA for Matter) uses the Home Mobile SDK to create an Android app that's similar to Google Home.
Apache License 2.0

Any API to provide custom root certificate authority (RootCA)? #90

Open KhushbuShah25 opened 1 year ago

KhushbuShah25 commented 1 year ago

Is there any way to provide a custom root CA for a custom fabric?

yufengwangca commented 1 year ago

I am currently working on this. We will provide the AttestationTrustStore delegate API to allow the vendor to set their own PAA list.

nicelyjust commented 1 year ago

Which PAA certificates are supported by GHSA so far? Are there other certificates besides the default PAA test certificate? For example, the list of PAAs in the DCL? Can someone give me some pointers? Appreciate your help. @pierredelisle @yufengwangca

KhushbuShah25 commented 1 year ago

Hi @yufengwangca,

Firstly, thanks for the update.

Sorry for providing so little information in the question. Updating my question here.

Updated question:

Hi @pierredelisle / @yufengwangca, basically, I want to commission a Matter device in my custom fabric. For this I need to perform the steps below:

  1. I need to get CSR from the device.
  2. Pass CSR to our proprietary cloud.
  3. I will get root CA cert and device cert (NOC) from our cloud for our fabric.
  4. Need to send those to device (root CA and device cert).

For the first step, I want to receive a callback and the CSR value in the Android application at the Java layer... (I guess after 'ValidateCSR' from the chiptool lib). I am able to receive the CSR at the Android application Java layer in this callback. But from the logs, it seems different than required.

If you look at the attached logs, the library is requesting and getting the CSR from the device, validating it, generating the NOC, sending the root certificate to the device, and after that giving the above callback to the app.

Screenshot 2023-03-15 at 22 30 58

I want to modify this flow as per the above steps. So after getting the CSR in the app, I need to call our cloud API to get the root CA and device cert for our fabric. After that, I want to send this information to the device (Java to chiptool lib call).

Is there any API or way to do this? It seems I need to modify CHIPController in the library to give a callback at the Java layer and vice versa. Can anyone guide me on this?

Thanks.

KhushbuShah25 commented 1 year ago

Hi @yufengwangca, @pierredelisle,

Is NOCChainIssuer a relevant API to skip root CA certificate and device certificate (NOC) generation in the commissioning flow?

Can I get a callback at the Android app layer and provide my own certificates (from a proprietary cloud) to commission the device in a custom fabric?

jonsmirl commented 1 year ago

Does this work as an alternative way to solve this problem? For each user account, generate an intermediate CA in the cloud. Then download that intermediate CA into the commissioner. Let the intermediate CA generate device certificates and sign the CSRs locally. Intermediate CA private key is stored in the commissioner's trust zone.

jonsmirl commented 1 year ago

controller.newBuilder() has a parameter of OperationalKeyConfig() and OperationalKeyConfig accepts KeypairDelegate which has a signing API. https://github.com/project-chip/connectedhomeip/blob/master/src/controller/java/src/chip/devicecontroller/KeypairDelegate.java

```java
// Excerpt from KeypairDelegate.java; the interface's other methods are omitted here.
public interface KeypairDelegate {
  /**
   * Signs the given message with the private key (generating one if it has not yet been created)
   * using ECDSA and returns a DER-encoded signature.
   *
   * @throws KeypairException if a private key could not be resolved, or the message could not be
   *     signed
   */
  byte[] ecdsaSignMessage(byte[] message) throws KeypairException;

  /** Encompassing exception to encapsulate errors thrown during operations. */
  final class KeypairException extends Exception {
    private static final long serialVersionUID = 2646523289554350914L;

    /** Constructs an exception with the specified {@code msg} as the message. */
    public KeypairException(String msg) {
      super(msg);
    }

    /**
     * Constructs an exception with the specified {@code msg} as the message and the provided {@code
     * cause}.
     */
    public KeypairException(String msg, Throwable cause) {
      super(msg, cause);
    }
  }
}
```

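
Added example (not part of the thread and not connectedhomeip code): a plain-JCA class with the same `ecdsaSignMessage` shape as the method quoted above, plus a strict parser for the DER signature it returns. The class name `LocalEcdsaSigner`, the P-256 curve, the SHA-256 digest and the in-memory key (standing in for the trust-zone key mentioned above) are assumptions made for this illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical stand-in for a KeypairDelegate-style signer; not the connectedhomeip class. */
public final class LocalEcdsaSigner {
  private KeyPair keyPair; // created on first use; the private key stays inside this object

  public synchronized byte[] ecdsaSignMessage(byte[] message) throws GeneralSecurityException {
    if (keyPair == null) { // generate lazily, as the quoted contract describes
      KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
      gen.initialize(new ECGenParameterSpec("secp256r1")); // assumption: P-256 key
      keyPair = gen.generateKeyPair();
    }
    Signature signer = Signature.getInstance("SHA256withECDSA"); // assumption: SHA-256 digest
    signer.initSign(keyPair.getPrivate());
    signer.update(message);
    return signer.sign(); // JCA returns ASN.1 DER: SEQUENCE { INTEGER r, INTEGER s }
  }

  /** Verification needs only the public key, so it is a static helper. */
  static boolean verify(PublicKey pub, byte[] message, byte[] derSig) throws GeneralSecurityException {
    Signature verifier = Signature.getInstance("SHA256withECDSA");
    verifier.initVerify(pub);
    verifier.update(message);
    return verifier.verify(derSig);
  }

  // Strict parse of the DER signature; short-form lengths are enough for P-256 (r, s <= 33 bytes).
  static BigInteger[] parseDerSignature(byte[] der) {
    if (der.length < 8 || der[0] != 0x30 || (der[1] & 0xff) != der.length - 2) throw new IllegalArgumentException("bad SEQUENCE header");
    BigInteger[] rs = new BigInteger[2];
    int pos = 2;
    for (int i = 0; i < 2; i++) {
      int len = pos + 2 <= der.length && der[pos] == 0x02 ? der[pos + 1] & 0xff : 0;
      if (len == 0 || len > 33 || pos + 2 + len > der.length) throw new IllegalArgumentException("bad INTEGER at offset " + pos);
      rs[i] = new BigInteger(1, java.util.Arrays.copyOfRange(der, pos + 2, pos + 2 + len));
      pos += 2 + len;
    }
    if (pos != der.length) throw new IllegalArgumentException("trailing bytes after s");
    return rs;
  }

  public static void main(String[] args) throws Exception {
    LocalEcdsaSigner signer = new LocalEcdsaSigner();
    byte[] msg = {0x01, 0x02, 0x03}; // constructed sample bytes
    byte[] sig = signer.ecdsaSignMessage(msg);
    PublicKey pub = signer.keyPair.getPublic();
    System.out.println("r bits=" + parseDerSignature(sig)[0].bitLength() + " valid=" + verify(pub, msg, sig));
    msg[0] ^= 1; // a modified message must not verify
    System.out.println("tampered valid=" + verify(pub, msg, sig));
  }
}
```

On Android the same `Signature` calls can be made against a key held in the platform keystore, so the signing key does not have to be exportable.
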
KhushbuShah25 commented 1 year ago

Hi @jonsmirl,

Thank you so much for the answer. I am trying to understand things. I have also checked your NOC-related question and comments, and checked the mentioned APIs like OperationalKeyConfig and KeypairDelegate. OperationalKeyConfig requires "nodeOperationalCertificate" at the time of init. But I will be able to get it from the cloud after sending the CSR. And the app will receive the CSR during the commissioning process.

Basically, I want to commission a Matter device in my custom fabric. Here is the required flow and some of my understanding.

Start commissioning device --> Google will do commission to its fabric using BLE --> Start commissioning on network --> Get CSR from device --> App will pass this CSR to cloud and will get RootCA & NOC --> Send NOC to device --> complete commissioning.

So I want to get control and a callback in between the commissioning process at the Android app side for the CSR and NOC. From the documentation of NOCChainIssuer, I thought it would be useful for getting the CSR information in the onNOCChainGenerationNeeded callback at the app side and then providing the NOC to the device. I am still confused about which API I should use for my requirement and how to use it.