From db76a70792bbec1f91c45270d7387f23cf39b2ce Mon Sep 17 00:00:00 2001 From: Marc Lepage Date: Wed, 19 Apr 2023 13:14:38 -0400 Subject: [PATCH] Declare wither signing in background is supported OperationalKeystore declares whether it supports this capability. If so, then CASE session establishment may take advantage of it. If not, then CASE session establishment must use foreground. --- src/crypto/OperationalKeystore.h | 14 +++++++++++++- src/protocols/secure_channel/CASESession.cpp | 12 ++++++------ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/src/crypto/OperationalKeystore.h b/src/crypto/OperationalKeystore.h index bfa846b9d1a8be..6af92629174810 100644 --- a/src/crypto/OperationalKeystore.h +++ b/src/crypto/OperationalKeystore.h @@ -148,6 +148,19 @@ class OperationalKeystore virtual void RevertPendingKeypair() = 0; // ==== Primary operation required: signature + /** + * @brief Whether `SignWithOpKeypair` may be performed in the background. + * + * If true, `CASESession` may attempt to perform `SignWithOpKeypair` in the + * background. In this case, `OperationalKeystore` should protect itself, + * e.g. with a mutex, as the signing could occur at any time during session + * establishment. + * + * @retval true if `SignWithOpKeypair` may be performed in the background + * @retval false if `SignWithOpKeypair` may NOT be performed in the background + */ + virtual bool SupportsSignWithOpKeypairInBackground() const { return false; } + /** * @brief Sign a message with a fabric's currently-active operational keypair. * @@ -164,7 +177,6 @@ class OperationalKeystore * @retval CHIP_ERROR_INVALID_FABRIC_INDEX if no active key is found for the given `fabricIndex` or if * `fabricIndex` is invalid. * @retval other CHIP_ERROR value on internal crypto engine errors - * */ virtual CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message, Crypto::P256ECDSASignature & outSignature) const = 0; diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index 70146409192202..512ed319623b92 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -1309,16 +1309,16 @@ CHIP_ERROR CASESession::SendSigma3a() { const FabricInfo * fabricInfo = mFabricsTable->FindFabricWithIndex(mFabricIndex); VerifyOrExit(fabricInfo != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND); - if (fabricInfo->HasOperationalKey()) + auto * keystore = mFabricsTable->GetOperationalKeystore(); + if (!fabricInfo->HasOperationalKey() && keystore != nullptr && keystore->SupportsSignWithOpKeypairInBackground()) { - // NOTE: used to sign in foreground. - data.fabricTable = mFabricsTable; + // NOTE: used to sign in background. + data.keystore = keystore; } else { - // NOTE: used to sign in background. - data.keystore = mFabricsTable->GetOperationalKeystore(); - VerifyOrExit(data.keystore != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND); + // NOTE: used to sign in foreground. + data.fabricTable = mFabricsTable; } }