Declare wither signing in background is supported

OperationalKeystore declares whether it supports this capability. If so, then CASE session establishment may take advantage of it. If not, then CASE session establishment must use foreground.
project-chip · Apr 19, 2023 · db76a70 · db76a70
1 parent 51dd538
commit db76a70
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/src/crypto/OperationalKeystore.h b/src/crypto/OperationalKeystore.h
@@ -148,6 +148,19 @@ class OperationalKeystore
     virtual void RevertPendingKeypair() = 0;
 
     // ==== Primary operation required: signature
+    /**
+     * @brief Whether `SignWithOpKeypair` may be performed in the background.
+     *
+     * If true, `CASESession` may attempt to perform `SignWithOpKeypair` in the
+     * background. In this case, `OperationalKeystore` should protect itself,
+     * e.g. with a mutex, as the signing could occur at any time during session
+     * establishment.
+     *
+     * @retval true if `SignWithOpKeypair` may be performed in the background
+     * @retval false if `SignWithOpKeypair` may NOT be performed in the background
+     */
+    virtual bool SupportsSignWithOpKeypairInBackground() const { return false; }
+
     /**
      * @brief Sign a message with a fabric's currently-active operational keypair.
      *
@@ -164,7 +177,6 @@ class OperationalKeystore
      * @retval CHIP_ERROR_INVALID_FABRIC_INDEX if no active key is found for the given `fabricIndex` or if
      *                                         `fabricIndex` is invalid.
      * @retval other CHIP_ERROR value on internal crypto engine errors
-     *
      */
     virtual CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
                                          Crypto::P256ECDSASignature & outSignature) const = 0;

diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
@@ -1309,16 +1309,16 @@ CHIP_ERROR CASESession::SendSigma3a()
         {
             const FabricInfo * fabricInfo = mFabricsTable->FindFabricWithIndex(mFabricIndex);
             VerifyOrExit(fabricInfo != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND);
-            if (fabricInfo->HasOperationalKey())
+            auto * keystore = mFabricsTable->GetOperationalKeystore();
+            if (!fabricInfo->HasOperationalKey() && keystore != nullptr && keystore->SupportsSignWithOpKeypairInBackground())
             {
-                // NOTE: used to sign in foreground.
-                data.fabricTable = mFabricsTable;
+                // NOTE: used to sign in background.
+                data.keystore = keystore;
             }
             else
             {
-                // NOTE: used to sign in background.
-                data.keystore = mFabricsTable->GetOperationalKeystore();
-                VerifyOrExit(data.keystore != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND);
+                // NOTE: used to sign in foreground.
+                data.fabricTable = mFabricsTable;
             }
         }