added Java DAC Provider (#16059)

Author: xylophone21

examples/tv-app/android/App/app/src/main/java/com/tcl/chip/chiptvserver/service/MatterServant.java

@@ -30,6 +30,7 @@
 import com.tcl.chip.tvapp.ChannelManagerStub;
 import com.tcl.chip.tvapp.Clusters;
 import com.tcl.chip.tvapp.ContentLaunchManagerStub;
+import com.tcl.chip.tvapp.DACProviderStub;
 import com.tcl.chip.tvapp.KeypadInputManagerStub;
 import com.tcl.chip.tvapp.LowPowerManagerStub;
 import com.tcl.chip.tvapp.MediaInputManagerStub;
@@ -79,6 +80,7 @@ public void init(@NonNull Context context) {
                   break;
               }
             });
+    tvApp.setDACProvider(new DACProviderStub());
 
     Context applicationContext = context.getApplicationContext();
     AndroidChipPlatform chipPlatform =

examples/tv-app/android/BUILD.gn

@@ -42,6 +42,8 @@ shared_library("jni") {
     "java/ChannelManager.h",
     "java/ContentLauncherManager.cpp",
     "java/ContentLauncherManager.h",
+    "java/JNIDACProvider.cpp",
+    "java/JNIDACProvider.h",
     "java/KeypadInputManager.cpp",
     "java/KeypadInputManager.h",
     "java/LowPowerManager.cpp",
@@ -93,6 +95,8 @@ android_library("java") {
     "java/src/com/tcl/chip/tvapp/ContentLaunchManagerStub.java",
     "java/src/com/tcl/chip/tvapp/ContentLaunchResponse.java",
     "java/src/com/tcl/chip/tvapp/ContentLaunchSearchParameter.java",
+    "java/src/com/tcl/chip/tvapp/DACProvider.java",
+    "java/src/com/tcl/chip/tvapp/DACProviderStub.java",
     "java/src/com/tcl/chip/tvapp/KeypadInputManager.java",
     "java/src/com/tcl/chip/tvapp/KeypadInputManagerStub.java",
     "java/src/com/tcl/chip/tvapp/LowPowerManager.java",

examples/tv-app/android/java/JNIDACProvider.cpp

@@ -0,0 +1,172 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include "JNIDACProvider.h"
+#include "lib/support/logging/CHIPLogging.h"
+#include <credentials/CHIPCert.h>
+#include <crypto/CHIPCryptoPAL.h>
+#include <cstdlib>
+#include <jni.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/CHIPJNIError.h>
+#include <lib/support/JniReferences.h>
+#include <lib/support/JniTypeWrappers.h>
+#include <lib/support/Span.h>
+
+using namespace chip;
+
+JNIDACProvider::JNIDACProvider(jobject provider)
+{
+    JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread();
+    VerifyOrReturn(env != nullptr, ChipLogError(Zcl, "Failed to GetEnvForCurrentThread for JNIDACProvider"));
+
+    mJNIDACProviderObject = env->NewGlobalRef(provider);
+    VerifyOrReturn(mJNIDACProviderObject != nullptr, ChipLogError(Zcl, "Failed to NewGlobalRef JNIDACProvider"));
+
+    jclass JNIDACProviderClass = env->GetObjectClass(provider);
+    VerifyOrReturn(JNIDACProviderClass != nullptr, ChipLogError(Zcl, "Failed to get JNIDACProvider Java class"));
+
+    mGetCertificationDeclarationMethod = env->GetMethodID(JNIDACProviderClass, "GetCertificationDeclaration", "()[B");
+    if (mGetCertificationDeclarationMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetCertificationDeclaration' method");
+        env->ExceptionClear();
+    }
+
+    mGetFirmwareInformationMethod = env->GetMethodID(JNIDACProviderClass, "GetFirmwareInformation", "()[B");
+    if (mGetFirmwareInformationMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetFirmwareInformation' method");
+        env->ExceptionClear();
+    }
+
+    mGetDeviceAttestationCertMethod = env->GetMethodID(JNIDACProviderClass, "GetDeviceAttestationCert", "()[B");
+    if (mGetDeviceAttestationCertMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetDeviceAttestationCert' method");
+        env->ExceptionClear();
+    }
+
+    mGetProductAttestationIntermediateCertMethod =
+        env->GetMethodID(JNIDACProviderClass, "GetProductAttestationIntermediateCert", "()[B");
+    if (mGetProductAttestationIntermediateCertMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetProductAttestationIntermediateCert' method");
+        env->ExceptionClear();
+    }
+
+    mGetDeviceAttestationCertPrivateKeyMethod = env->GetMethodID(JNIDACProviderClass, "GetDeviceAttestationCertPrivateKey", "()[B");
+    if (mGetDeviceAttestationCertPrivateKeyMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetDeviceAttestationCertPrivateKey' method");
+        env->ExceptionClear();
+    }
+
+    mGetDeviceAttestationCertPublicKeyKeyMethod =
+        env->GetMethodID(JNIDACProviderClass, "GetDeviceAttestationCertPublicKeyKey", "()[B");
+    if (mGetDeviceAttestationCertPublicKeyKeyMethod == nullptr)
+    {
+        ChipLogError(Zcl, "Failed to access JNIDACProvider 'GetDeviceAttestationCertPublicKeyKey' method");
+        env->ExceptionClear();
+    }
+}
+
+CHIP_ERROR JNIDACProvider::GetJavaByteByMethod(jmethodID method, MutableByteSpan & out_buffer)
+{
+    JNIEnv * env = JniReferences::GetInstance().GetEnvForCurrentThread();
+    VerifyOrReturnLogError(mJNIDACProviderObject != nullptr, CHIP_ERROR_INCORRECT_STATE);
+    VerifyOrReturnLogError(method != nullptr, CHIP_ERROR_INCORRECT_STATE);
+    VerifyOrReturnLogError(env != nullptr, CHIP_JNI_ERROR_NO_ENV);
+
+    jbyteArray outArray = (jbyteArray) env->CallObjectMethod(mJNIDACProviderObject, method);
+    if (env->ExceptionCheck())
+    {
+        ChipLogError(Zcl, "Java exception in get Method");
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        return CHIP_ERROR_INCORRECT_STATE;
+    }
+
+    if (outArray == nullptr || env->GetArrayLength(outArray) <= 0)
+    {
+        out_buffer.reduce_size(0);
+        return CHIP_NO_ERROR;
+    }
+
+    JniByteArray JniOutArray(env, outArray);
+    return CopySpanToMutableSpan(JniOutArray.byteSpan(), out_buffer);
+}
+
+CHIP_ERROR JNIDACProvider::GetCertificationDeclaration(MutableByteSpan & out_cd_buffer)
+{
+    ChipLogProgress(Zcl, "Received GetCertificationDeclaration");
+    return GetJavaByteByMethod(mGetCertificationDeclarationMethod, out_cd_buffer);
+}
+
+CHIP_ERROR JNIDACProvider::GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer)
+{
+    ChipLogProgress(Zcl, "Received GetFirmwareInformation");
+    return GetJavaByteByMethod(mGetFirmwareInformationMethod, out_firmware_info_buffer);
+}
+
+CHIP_ERROR JNIDACProvider::GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer)
+{
+    ChipLogProgress(Zcl, "Received GetDeviceAttestationCert");
+    return GetJavaByteByMethod(mGetDeviceAttestationCertMethod, out_dac_buffer);
+}
+
+CHIP_ERROR JNIDACProvider::GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer)
+{
+    ChipLogProgress(Zcl, "Received GetProductAttestationIntermediateCert");
+    return GetJavaByteByMethod(mGetProductAttestationIntermediateCertMethod, out_pai_buffer);
+}
+
+// TODO: This should be moved to a method of P256Keypair
+CHIP_ERROR LoadKeypairFromRaw(ByteSpan private_key, ByteSpan public_key, Crypto::P256Keypair & keypair)
+{
+    Crypto::P256SerializedKeypair serialized_keypair;
+    ReturnErrorOnFailure(serialized_keypair.SetLength(private_key.size() + public_key.size()));
+    memcpy(serialized_keypair.Bytes(), public_key.data(), public_key.size());
+    memcpy(serialized_keypair.Bytes() + public_key.size(), private_key.data(), private_key.size());
+    return keypair.Deserialize(serialized_keypair);
+}
+
+CHIP_ERROR JNIDACProvider::SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_signature_buffer)
+{
+    ChipLogProgress(Zcl, "Received SignWithDeviceAttestationKey");
+    Crypto::P256ECDSASignature signature;
+    Crypto::P256Keypair keypair;
+
+    VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(IsSpanUsable(digest_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(out_signature_buffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    uint8_t privateKeyBuf[Crypto::kP256_PrivateKey_Length];
+    MutableByteSpan privateKeyBufSpan(privateKeyBuf);
+    ReturnErrorOnFailure(GetJavaByteByMethod(mGetDeviceAttestationCertPrivateKeyMethod, privateKeyBufSpan));
+
+    uint8_t publicKeyBuf[Crypto::kP256_PublicKey_Length];
+    MutableByteSpan publicKeyBufSpan(publicKeyBuf);
+    ReturnErrorOnFailure(GetJavaByteByMethod(mGetDeviceAttestationCertPublicKeyKeyMethod, publicKeyBufSpan));
+
+    // In a non-exemplary implementation, the public key is not needed here. It is used here merely because
+    // Crypto::P256Keypair is only (currently) constructable from raw keys if both private/public keys are present.
+    ReturnErrorOnFailure(LoadKeypairFromRaw(privateKeyBufSpan, publicKeyBufSpan, keypair));
+    ReturnErrorOnFailure(keypair.ECDSA_sign_hash(digest_to_sign.data(), digest_to_sign.size(), signature));
+
+    return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, out_signature_buffer);
+}

examples/tv-app/android/java/JNIDACProvider.h

@@ -0,0 +1,43 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include "lib/support/logging/CHIPLogging.h"
+#include <credentials/DeviceAttestationCredsProvider.h>
+#include <jni.h>
+
+class JNIDACProvider : public chip::Credentials::DeviceAttestationCredentialsProvider
+{
+public:
+    JNIDACProvider(jobject provider);
+    CHIP_ERROR GetCertificationDeclaration(chip::MutableByteSpan & out_cd_buffer) override;
+    CHIP_ERROR GetFirmwareInformation(chip::MutableByteSpan & out_firmware_info_buffer) override;
+    CHIP_ERROR GetDeviceAttestationCert(chip::MutableByteSpan & out_dac_buffer) override;
+    CHIP_ERROR GetProductAttestationIntermediateCert(chip::MutableByteSpan & out_pai_buffer) override;
+    CHIP_ERROR SignWithDeviceAttestationKey(const chip::ByteSpan & digest_to_sign,
+                                            chip::MutableByteSpan & out_signature_buffer) override;
+
+private:
+    CHIP_ERROR GetJavaByteByMethod(jmethodID method, chip::MutableByteSpan & out_buffer);
+    jobject mJNIDACProviderObject                          = nullptr;
+    jmethodID mGetCertificationDeclarationMethod           = nullptr;
+    jmethodID mGetFirmwareInformationMethod                = nullptr;
+    jmethodID mGetDeviceAttestationCertMethod              = nullptr;
+    jmethodID mGetProductAttestationIntermediateCertMethod = nullptr;
+    jmethodID mGetDeviceAttestationCertPrivateKeyMethod    = nullptr;
+    jmethodID mGetDeviceAttestationCertPublicKeyKeyMethod  = nullptr;
+};

examples/tv-app/android/java/TVApp-JNI.cpp

@@ -19,11 +19,13 @@
 #include "TvApp-JNI.h"
 #include "ChannelManager.h"
 #include "ContentLauncherManager.h"
+#include "JNIDACProvider.h"
 #include "KeypadInputManager.h"
 #include "LowPowerManager.h"
 #include "MediaInputManager.h"
 #include "MediaPlaybackManager.h"
 #include "WakeOnLanManager.h"
+#include "credentials/DeviceAttestationCredsProvider.h"
 #include <app/server/java/AndroidAppServerWrapper.h>
 #include <jni.h>
 #include <lib/core/CHIPError.h>
@@ -119,3 +121,12 @@ JNI_METHOD(void, setChannelManager)(JNIEnv *, jobject, jint endpoint, jobject ma
 {
     ChannelManager::NewManager(endpoint, manager);
 }
+
+JNI_METHOD(void, setDACProvider)(JNIEnv *, jobject, jobject provider)
+{
+    if (!chip::Credentials::IsDeviceAttestationCredentialsProviderSet())
+    {
+        JNIDACProvider * p = new JNIDACProvider(provider);
+        chip::Credentials::SetDeviceAttestationCredentialsProvider(p);
+    }
+}

examples/tv-app/android/java/src/com/tcl/chip/tvapp/DACProvider.java

@@ -0,0 +1,32 @@
+/*
+ *   Copyright (c) 2021 Project CHIP Authors
+ *   All rights reserved.
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package com.tcl.chip.tvapp;
+
+public interface DACProvider {
+  byte[] GetCertificationDeclaration();
+
+  byte[] GetFirmwareInformation();
+
+  byte[] GetDeviceAttestationCert();
+
+  byte[] GetProductAttestationIntermediateCert();
+
+  byte[] GetDeviceAttestationCertPrivateKey();
+
+  byte[] GetDeviceAttestationCertPublicKeyKey();
+}

examples/tv-app/android/java/src/com/tcl/chip/tvapp/DACProviderStub.java

@@ -0,0 +1,57 @@
+package com.tcl.chip.tvapp;
+
+import android.util.Base64;
+
+public class DACProviderStub implements DACProvider {
+
+  private String kDevelopmentDAC_Cert_FFF1_8001 =
+      "MIIB5zCCAY6gAwIBAgIIac3xDenlTtEwCgYIKoZIzj0EAwIwPTElMCMGA1UEAwwcTWF0dGVyIERldiBQQUkgMHhGRkYxIG5vIFBJRDEUMBIGCisGAQQBgqJ8AgEMBEZGRjEwIBcNMjIwMjA1MDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFMxJTAjBgNVBAMMHE1hdHRlciBEZXYgREFDIDB4RkZGMS8weDgwMDExFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGConwCAgwEODAwMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEY6xpNCkQoOVYj8b/Vrtj5i7M7LFI99TrA+5VJgFBV2fRalxmP3k+SRIyYLgpenzX58/HsxaznZjpDSk3dzjoKjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSI3eezADgpMs/3NMBGJIEPRBaKbzAfBgNVHSMEGDAWgBRjVA5H9kscONE4hKRi0WwZXY/7PDAKBggqhkjOPQQDAgNHADBEAiABJ6J7S0RhDuL83E0reIVWNmC8D3bxchntagjfsrPBzQIga1ngr0Xz6yqFuRnTVzFSjGAoxBUjlUXhCOTlTnCXE1M=";
+
+  private String kDevelopmentDAC_PrivateKey_FFF1_8001 =
+      "qrYAroroqrfXNifCF7fCBHCcppRq9fL3UwgzpStE+/8=";
+
+  private String kDevelopmentDAC_PublicKey_FFF1_8001 =
+      "BEY6xpNCkQoOVYj8b/Vrtj5i7M7LFI99TrA+5VJgFBV2fRalxmP3k+SRIyYLgpenzX58/HsxaznZjpDSk3dzjoI=";
+
+  private String KPAI_FFF1_8000_Cert_Array =
+      "MIIByzCCAXGgAwIBAgIIVq2CIq2UW2QwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMjAyMDUwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowPTElMCMGA1UEAwwcTWF0dGVyIERldiBQQUkgMHhGRkYxIG5vIFBJRDEUMBIGCisGAQQBgqJ8AgEMBEZGRjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARBmpMVwhc+DIyHbQPM/JRIUmR/f+xeUIL0BZko7KiUxZQVEwmsYx5MsDOSr2hLC6+35ls7gWLC9Sv5MbjneqqCo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUY1QOR/ZLHDjROISkYtFsGV2P+zwwHwYDVR0jBBgwFoAUav0idx9RH+y/FkGXZxDc3DGhcX4wCgYIKoZIzj0EAwIDSAAwRQIhALLvJ/Sa6bUPuR7qyUxNC9u415KcbLiPrOUpNo0SBUwMAiBlXckrhr2QmIKmxiF3uCXX0F7b58Ivn+pxIg5+pwP4kQ==";
+
+  /**
+   * format_version = 1 vendor_id = 0xFFF1 product_id_array = [ 0x8000,0x8001...0x8063]
+   * device_type_id = 0x1234 certificate_id = "ZIG20141ZB330001-24" security_level = 0
+   * security_information = 0 version_number = 0x2694 certification_type = 0 dac_origin_vendor_id is
+   * not present dac_origin_product_id is not present
+   */
+  private String kCertificationDeclaration =
+      "MIICGQYJKoZIhvcNAQcCoIICCjCCAgYCAQMxDTALBglghkgBZQMEAgEwggFxBgkqhkiG9w0BBwGgggFiBIIBXhUkAAElAfH/NgIFAIAFAYAFAoAFA4AFBIAFBYAFBoAFB4AFCIAFCYAFCoAFC4AFDIAFDYAFDoAFD4AFEIAFEYAFEoAFE4AFFIAFFYAFFoAFF4AFGIAFGYAFGoAFG4AFHIAFHYAFHoAFH4AFIIAFIYAFIoAFI4AFJIAFJYAFJoAFJ4AFKIAFKYAFKoAFK4AFLIAFLYAFLoAFL4AFMIAFMYAFMoAFM4AFNIAFNYAFNoAFN4AFOIAFOYAFOoAFO4AFPIAFPYAFPoAFP4AFQIAFQYAFQoAFQ4AFRIAFRYAFRoAFR4AFSIAFSYAFSoAFS4AFTIAFTYAFToAFT4AFUIAFUYAFUoAFU4AFVIAFVYAFVoAFV4AFWIAFWYAFWoAFW4AFXIAFXYAFXoAFX4AFYIAFYYAFYoAFY4AYJAMWLAQTWklHMjAxNDJaQjMzMDAwMy0yNCQFACQGACUHlCYkCAAYMX0wewIBA4AUYvqCM1ms+qmWPhz6FArd9QTzcWAwCwYJYIZIAWUDBAIBMAoGCCqGSM49BAMCBEcwRQIgJOXR9Hp9ew0gaibvaZt8l1e3LUaQid4xkuZ4x0Xn9gwCIQD4qi+nEfy3m5fjl87aZnuuRk4r0//fw8zteqjKX0wafA==";
+
+  @Override
+  public byte[] GetCertificationDeclaration() {
+    return Base64.decode(kCertificationDeclaration, Base64.DEFAULT);
+  }
+
+  @Override
+  public byte[] GetFirmwareInformation() {
+    return new byte[0];
+  }
+
+  @Override
+  public byte[] GetDeviceAttestationCert() {
+    return Base64.decode(kDevelopmentDAC_Cert_FFF1_8001, Base64.DEFAULT);
+  }
+
+  @Override
+  public byte[] GetProductAttestationIntermediateCert() {
+    return Base64.decode(KPAI_FFF1_8000_Cert_Array, Base64.DEFAULT);
+  }
+
+  @Override
+  public byte[] GetDeviceAttestationCertPrivateKey() {
+    return Base64.decode(kDevelopmentDAC_PrivateKey_FFF1_8001, Base64.DEFAULT);
+  }
+
+  @Override
+  public byte[] GetDeviceAttestationCertPublicKeyKey() {
+    return Base64.decode(kDevelopmentDAC_PublicKey_FFF1_8001, Base64.DEFAULT);
+  }
+}

examples/tv-app/android/java/src/com/tcl/chip/tvapp/TvApp.java

@@ -51,6 +51,8 @@ private void postClusterInit(int clusterId, int endpoint) {
 
   public native void setChannelManager(int endpoint, ChannelManager manager);
 
+  public native void setDACProvider(DACProvider provider);
+
   static {
     System.loadLibrary("TvApp");
   }

src/app/server/java/AndroidAppServerWrapper.cpp

@@ -51,8 +51,10 @@ CHIP_ERROR ChipAndroidAppInit(void)
     err = chip::Server::GetInstance().Init(nullptr, CHIP_PORT, CHIP_UDC_PORT);
     SuccessOrExit(err);
 
-    // TODO: move load DAC to java
-    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+    if (!IsDeviceAttestationCredentialsProviderSet())
+    {
+        SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+    }
 
 exit:
     if (err != CHIP_NO_ERROR)