
RootCA keypair

Open jonsmirl opened this issue 2 years ago • 4 comments

GSAFM creates a new commissioner, and when it does that it has to create a new root key pair. Where is this key pair being stored?

Could the sample show a way to use Google Cloud to hold the root key pair remotely, and then provide intermediate CA pairs to the commissioner app?

Consider if the user deletes their app and then wants it back. The root key pair has been lost.

jonsmirl avatar Jan 27 '23 00:01 jonsmirl

GSAFM is creating the root key locally on the phone via default key generation, and if you delete the app you lose the root key to the fabric. Since I don't think customers are going to tolerate losing that root key, there needs to be some way to preserve it. So my idea would be to keep the root key in the cloud and then generate the rest of the keys locally.

First off, is it possible to create a new commissioner while only using the cloud root key once when the commissioner is created? Next, can I create a second commissioner on the same fabric also using the cloud root key only once, and then be able to locally commission from both devices (assuming they assign disjoint nodeIds)?

If the answer to both of those is yes, then how do I set this up? I know how to use the keys in the cloud, what I am unclear on is this comment in AndroidDeviceControllerWrapper.h which says I need to pass in rootCertificate, nodeOperationalCertificate, ipkEpochKey (probably intermediateCertificate too?). That seems to imply that I have to keep all of the keys externally, not just the root one.

My expectations were that I would pass in KeypairDelegate (for the root key) and leave rootCertificate null. Then CHIP would figure the rest out.

These are part of ControllerParams.newBuilder()...

 * If the keypairDelegate is provided, then the rootCertificate, nodeOperationalCertificate, and
 * ipkEpochKey must also be specified. If no operational credentials are specified here, then an
 * ephemeral signing configuration will be generated for you.
 *
 * @param[in] keypairDelegate a pointer to a Java KeypairDelegate implementation.
 * @param[in] rootCertificate an X.509 DER-encoded trusted root certificate for this node
 * @param[in] intermediateCertificate an X.509 DER-encoded intermediate certificate for this node
 * @param[in] nodeOperationalCertificate an X.509 DER-encoded operational certificate for this node
 * @param[in] ipkEpochKey the IPK epoch key to use for this node

In the source there is just an interface description for KeypairDelegate, no code for an implementation, but I can probably figure it out. https://github.com/project-chip/connectedhomeip/blob/master/src/controller/java/src/chip/devicecontroller/KeypairDelegate.java

jonsmirl avatar Jan 27 '23 15:01 jonsmirl

It is important to note that the primary goal of the sample app is to showcase the Home Mobile SDK APIs. It can also be used as a learning tool to better understand key Matter concepts (as mentioned in the codelab).

However, when it comes to anything related to the fabric, we purposely rely on what’s provided by the Matter SDK. Note that the SDK only provides “demo/example” code for anything related to the fabric. The reason is simple: whoever needs to create their own fabric for production devices MUST know what they are doing and have an excellent understanding of everything that’s involved in terms of security. The CSA provides a demo/example implementation, but that example code is never intended for anyone to use with production devices.

Everything that revolves around the fabric is a very interesting topic, but one that does not fit the current goals we’ve set for our sample app. We just leverage what the CSA provides so the app has all that’s needed in a demo/example/learning environment.

pierredelisle avatar Feb 06 '23 23:02 pierredelisle

Should the sample address this?

I install GSAFM and commission some devices. I uninstall GSAFM and then reinstall. I have now permanently lost the key that gives me access to those devices. So you can recommission them all again. But after you do five commissions you will run out of fabric slots. Now you have to factory reset them all.

Should the sample show how to save and restore that key? (Fine if you just make a stub that says "store it in the cloud".)

Even better, you could make a sample that uses GCP to make and store the key pair. Then make intermediate keys for GSAFM. Then show how two different users on two different phones can share Matter access.

jonsmirl avatar Feb 06 '23 23:02 jonsmirl
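The key hierarchy jonsmirl describes in the two comments above (a root key pair held remotely and used once per commissioner, an intermediate CA per phone, node certificates issued locally, two phones sharing one fabric) is spelled out below as an added example. It is not code from GSAFM, from the Home Mobile SDK or from connectedhomeip, and it does not use ControllerParams or KeypairDelegate; it models the trust relationships with plain X.509 and Go's standard library rather than Matter's own certificate encoding. `CloudRootCA`, `Commissioner`, the phone names and the serial numbers are constructed for the demo; the "cloud" side is just a type whose private key is never handed out, and `SignCount` records how many times the root key was actually used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on any key or certificate failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// CloudRootCA stands in for the remotely held root key pair (the cloud KMS idea from the
// thread; a hypothetical placement). Its private key never leaves it: phones only submit CSRs.
type CloudRootCA struct {
	key       *ecdsa.PrivateKey
	Cert      *x509.Certificate
	SignCount int // number of signatures made with the root key
}

// Commissioner (one phone) holds only its own intermediate key, never the root key.
type Commissioner struct {
	key     *ecdsa.PrivateKey
	ICACert *x509.Certificate
}

// template: pathLen 1 = root, 0 = intermediate (may sign only leaves), -1 = node leaf cert.
func template(serial int64, cn string, pathLen int) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if pathLen >= 0 {
		ku |= x509.KeyUsageCertSign // only CAs get the certificate-signing bit
	}
	now := time.Now().Add(-time.Minute)
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: ku,
		IsCA: pathLen >= 0, BasicConstraintsValid: true,
		MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
}

// newCert signs tmpl with the parent's key and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

func NewCloudRootCA() *CloudRootCA {
	key, tmpl := newKey(), template(1, "Fabric Root CA (constructed)", 1)
	return &CloudRootCA{key: key, Cert: newCert(tmpl, tmpl, &key.PublicKey, key)} // self-signed
}

// IssueIntermediate is the single root-key operation needed per commissioner.
func (r *CloudRootCA) IssueIntermediate(csrDER []byte, serial int64) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { // proof of possession of the phone's key
		panic(err)
	}
	r.SignCount++
	return newCert(template(serial, csr.Subject.CommonName, 0), r.Cert, csr.PublicKey, r.key)
}

// EnrollCommissioner creates the phone-local key and has the root certify it exactly once.
func EnrollCommissioner(name string, root *CloudRootCA, serial int64) *Commissioner {
	key := newKey()
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, csr, key))
	return &Commissioner{key: key, ICACert: root.IssueIntermediate(csrDER, serial)}
}

// IssueNodeCert signs a node's operational (leaf) certificate locally on the phone.
func (c *Commissioner) IssueNodeCert(nodeID int64, nodePub *ecdsa.PublicKey) *x509.Certificate {
	return newCert(template(nodeID, fmt.Sprintf("node-%016X", nodeID), -1), c.ICACert, nodePub, c.key)
}

// VerifyNodeCert checks the chain leaf -> intermediate -> fabric root.
func VerifyNodeCert(leaf, ica, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RunScenario: two phones on one fabric, one node each (disjoint node IDs); returns root key uses.
func RunScenario() int {
	root := NewCloudRootCA()
	for i, name := range []string{"commissioner-phone-A", "commissioner-phone-B"} {
		c := EnrollCommissioner(name, root, int64(100+i))
		leaf := c.IssueNodeCert(int64(i+1), &newKey().PublicKey)
		if err := VerifyNodeCert(leaf, c.ICACert, root.Cert); err != nil {
			panic(err)
		}
	}
	return root.SignCount
}

func main() { fmt.Printf("root key used %d times for 2 commissioners\n", RunScenario()) }
```

`RunScenario` returns 2: the root key signs once per phone, and every node certificate still chains to the same fabric root. The intermediate's `MaxPathLen` of 0 is what keeps a phone from minting further CAs. With this split, uninstalling the app only loses that phone's intermediate key, and the remote root can issue a new one; nothing on the phone was ever able to recreate the root.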

As mentioned above, this is interesting work but our limited resources do not allow us to tackle that (at least at this point in time). Tagging this issue as enhancement. Luckily, since this is an open source project, anyone interested in this is more than welcome to contribute.

pierredelisle avatar Feb 07 '23 01:02 pierredelisle