Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CD signing keys are hard coded in SDK and they won't be able to revoke if they are compromised until code change #23407

Open
j2fong opened this issue Oct 31, 2022 · 2 comments
Open

CD signing keys are hard coded in SDK and they won't be able to revoke if they are compromised until code change #23407

j2fong opened this issue Oct 31, 2022 · 2 comments
Labels
security

Comments

@j2fong
Copy link

j2fong commented Oct 31, 2022
edited by bzbarsky-apple
Loading

Reproduction steps

Problem:
The CD signing keys are hard coded in Matter SDK. If these keys are compromised, the deployed SDK will not be able to revoke.

Proposed solution:

Bug prevalence

everytime

GitHub hash of the SDK that was being used

faad9e1

Platform

core

Platform Version(s)

No response

Anything else?

No response
@tcarmelveilleux
Copy link
Contributor

We are not calling DCL APIs in SDK --> otherwise we have a service dependency with no official SLA, that would be called by a lot of common code, and would require the requisite error handling and multi-platform paths.

The DefaultAttestationVerifier allows overriding the trust store contents to add/remove CD keys, and PAAs. Anyone can also write their own DeviceAttestationVerifier.

A big part of the point of certification declarations is to replace the DCL. If we need to look-up a DCL replica first, then there is much less value to them, and offline commissioning fully based on resident infrastructure cannot take place.

There are provisions in SDK to add more certs that chain to the CSA root, or allow update of that code. We don't decide how different stakeholders implement all of attestation verification, and the SDK cannot be guaranteed to be used by all for that purpose.

@caipiblack
Copy link
Contributor

caipiblack commented Nov 15, 2022
edited
Loading

We are not calling DCL APIs in SDK --> otherwise we have a service dependency with no official SLA, that would be called by a lot of common code, and would require the requisite error handling and multi-platform paths.

The DefaultAttestationVerifier allows overriding the trust store contents to add/remove CD keys, and PAAs. Anyone can also write their own DeviceAttestationVerifier.

A big part of the point of certification declarations is to replace the DCL. If we need to look-up a DCL replica first, then there is much less value to them, and offline commissioning fully based on resident infrastructure cannot take place.

There are provisions in SDK to add more certs that chain to the CSA root, or allow update of that code. We don't decide how different stakeholders implement all of attestation verification, and the SDK cannot be guaranteed to be used by all for that purpose.

We are building a Matter Commissioner/Controller, currently we was using GetTestAttestationTrustStore() function to get the truststore.

We understand that in the stack there is no function to load a truststore from DCL (online)

But there are functions to use a folder as « truststore »

Did someone know if there is an example somewhere to download the certificates from DCL to local folder ?

Do we need specific credentials to do it ?

What are the best practices about it?

  • Download all the PAA on every boot and use previously downloaded if there is no connection ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tcarmelveilleux @j2fong @caipiblack @bzbarsky-apple