
nl::Weave::Profiles::Security::KeyExport::WeaveKeyExportDelegate

This is an abstract class.

#include <src/lib/profiles/security/WeaveKeyExport.h>

Abstract delegate class called by the KeyExport engine to perform various actions related to authentication during key export.

Summary

Inheritance

Direct Known Subclasses: nl::Weave::Profiles::Security::KeyExport::WeaveStandAloneKeyExportClient

Public functions

BeginCertValidation(WeaveKeyExport *keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet)=0
virtual WEAVE_ERROR
Prepare for validating the peer's certificate.
EndCertValidation(WeaveKeyExport *keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet)=0
virtual WEAVE_ERROR
Release resources associated with peer certificate validation.
GenerateNodeSignature(WeaveKeyExport *keyExport, const uint8_t *msgHash, uint8_t msgHashLen, TLVWriter & writer)=0
virtual WEAVE_ERROR
Generate a signature for a key export message.
GetNodeCertSet(WeaveKeyExport *keyExport, WeaveCertificateSet & certSet)=0
virtual WEAVE_ERROR
Get the key export certificate set for the local node.
HandleCertValidationResult(WeaveKeyExport *keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet, uint32_t requestedKeyId)=0
virtual WEAVE_ERROR
Process the results of validating the peer's certificate.
ReleaseNodeCertSet(WeaveKeyExport *keyExport, WeaveCertificateSet & certSet)=0
virtual WEAVE_ERROR
Release the node's certificate set.
ValidateUnsignedKeyExportMessage(WeaveKeyExport *keyExport, uint32_t requestedKeyId)=0
virtual WEAVE_ERROR
Verify the security of an unsigned key export message.

Public functions

BeginCertValidation

virtual WEAVE_ERROR BeginCertValidation(
  WeaveKeyExport *keyExport,
  ValidationContext & validCtx,
  WeaveCertificateSet & certSet
)=0

Prepare for validating the peer's certificate.

Called at the start of certificate validation. This method is responsible for preparing the supplied certificate set and validation context for use in validating the peer node's certificate. Implementations must initialize the supplied WeaveCertificateSet object with sufficient resources to handle the upcoming certificate validation. The implementation must also load any necessary trusted root or CA certificates into the certificate set.

The supplied validation context will be initialized with a set of default validation criteria, which the implementation may alter as necessary. The implementation must either set the EffectiveTime field, or set the appropriate validation flags to suppress certificate lifetime validation.

The implementation is required to maintain any resources allocated during BeginCertValidation() until the corresponding call to EndCertValidation() is made. Implementations are guaranteed that EndCertValidation() will be called exactly once for each successful call to BeginCertValidation().

EndCertValidation

virtual WEAVE_ERROR EndCertValidation(
  WeaveKeyExport *keyExport,
  ValidationContext & validCtx,
  WeaveCertificateSet & certSet
)=0

Release resources associated with peer certificate validation.

Called when peer certificate validation and request verification are complete.

GenerateNodeSignature

virtual WEAVE_ERROR GenerateNodeSignature(
  WeaveKeyExport *keyExport,
  const uint8_t *msgHash,
  uint8_t msgHashLen,
  TLVWriter & writer
)=0

Generate a signature for a key export message.

This method is responsible for computing a signature of the given hash value using the local node's private key and writing the signature to the supplied TLV writer as a WeaveSignature TLV structure.

GetNodeCertSet

virtual WEAVE_ERROR GetNodeCertSet(
  WeaveKeyExport *keyExport,
  WeaveCertificateSet & certSet
)=0

Get the key export certificate set for the local node.

Called when the key export engine is preparing to sign a key export message. This method is responsible for initializing the certificate set and loading all certificates that will be included or referenced in the signature of the message. The last certificate loaded must be the signing certificate.

HandleCertValidationResult

virtual WEAVE_ERROR HandleCertValidationResult(
  WeaveKeyExport *keyExport,
  ValidationContext & validCtx,
  WeaveCertificateSet & certSet,
  uint32_t requestedKeyId
)=0

Process the results of validating the peer's certificate.

Called when validation of the peer node's certificate has completed. This method is only called if certificate validation completes successfully. Implementations may use this call to inspect the results of validation, and possibly override the result with an error.

For a responding node, the method is expected to verify the requestor's authority to export the requested key.

For an initiating node, the method is expected to verify that the validated certificate properly identifies the peer to which the key export request was sent.

ReleaseNodeCertSet

virtual WEAVE_ERROR ReleaseNodeCertSet(
  WeaveKeyExport *keyExport,
  WeaveCertificateSet & certSet
)=0

Release the node's certificate set.

Called when the key export engine is done with the certificate set returned by GetNodeCertSet().

ValidateUnsignedKeyExportMessage

virtual WEAVE_ERROR ValidateUnsignedKeyExportMessage(
  WeaveKeyExport *keyExport,
  uint32_t requestedKeyId
)=0

Verify the security of an unsigned key export message.

Called when the node receives a key export message that isn't signed. The method is expected to verify the security of an unsigned key export message based on the context of its communication, e.g. via the attributes of a security session used to send the message.

For a responding node, the method is expected to verify the initiator's authority to export the requested key.

For an initiating node, the method is expected to verify the message legitimately originated from the peer to which the key export request was sent.
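
The responder-side contract described above (the BeginCertValidation()/EndCertValidation() pairing, the EffectiveTime requirement, and the authority checks in HandleCertValidationResult() and ValidateUnsignedKeyExportMessage()), modelled as an added example that is not OpenWeave code. Err, ValidCtx, ResponderPolicy, the ACL map and HandleSignedRequest are hypothetical stand-ins, and the method signatures are simplified so the block compiles without the Weave headers.

```cpp
// Added example: stand-in types, not the OpenWeave headers or implementation.
#include <cstdint>
#include <map>
#include <set>
#include <utility>

enum Err { kOk = 0, kUnauthorized, kBadState };   // stand-in for WEAVE_ERROR
using Acl = std::map<uint64_t, std::set<uint32_t>>;  // hypothetical: peer id -> exportable key ids

struct ValidCtx {                 // stand-in for ValidationContext
    uint32_t effectiveTime = 0;   // models the EffectiveTime field
    bool ignoreLifetime = false;  // models the lifetime-suppression flags
    uint64_t peerId = 0;          // hypothetical: subject of the validated cert
};

class ResponderPolicy {           // hypothetical responder-side delegate model
public:
    ResponderPolicy(uint32_t now, Acl acl) : mNow(now), mAcl(std::move(acl)) {}
    Err BeginCertValidation(ValidCtx &ctx) {
        if (mActive) return kBadState;            // previous validation not yet ended
        if (mNow != 0) ctx.effectiveTime = mNow;  // clock known: lifetimes get checked
        else ctx.ignoreLifetime = true;           // no clock: suppress explicitly
        mActive = true;
        return kOk;
    }
    // Reached only after chain validation succeeded; may still override with an error.
    Err HandleCertValidationResult(const ValidCtx &ctx, uint32_t keyId) const {
        return Allowed(ctx.peerId, keyId) ? kOk : kUnauthorized;
    }
    Err EndCertValidation() { bool was = mActive; mActive = false; return was ? kOk : kBadState; }
    // Unsigned message: authority derives only from the session that carried it.
    Err ValidateUnsignedKeyExportMessage(bool sessionAuthed, uint64_t peer, uint32_t keyId) const {
        return (sessionAuthed && Allowed(peer, keyId)) ? kOk : kUnauthorized;
    }
private:
    bool Allowed(uint64_t peer, uint32_t keyId) const {
        auto it = mAcl.find(peer);
        return it != mAcl.end() && it->second.count(keyId) != 0;
    }
    uint32_t mNow; bool mActive = false; Acl mAcl;
};

// Models the engine's call order: End runs exactly once per successful Begin.
Err HandleSignedRequest(ResponderPolicy &p, uint64_t validatedPeer, uint32_t keyId) {
    ValidCtx ctx;
    if (p.BeginCertValidation(ctx) != kOk) return kBadState;
    ctx.peerId = validatedPeer;   // stands in for the engine's chain validation
    Err err = p.HandleCertValidationResult(ctx, keyId);
    p.EndCertValidation();        // released even when the request is refused
    return err;
}
```

A certificate that validates but belongs to a peer with no entry for the requested key is refused, which is the override the HandleCertValidationResult() description allows for.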