in java/remoteprovisioning/ProtectedDataPayload.java [186:238]
private void extractAdditionalDkSignatures(
CBORObject additionalDkSignatures, OneKey devicePublicKey)
throws CborException, CryptoException {
CborUtil.checkMap(additionalDkSignatures, "AdditionalDkSignatures");
if (additionalDkSignatures.size() > 0) {
for (CBORObject issuer : additionalDkSignatures.getKeys()) {
if (issuer.getType() != CBORType.TextString) {
throw new CborException("additionalDkSignatures has the wrong type",
CBORType.TextString,
issuer.getType(),
CborException.TYPE_MISMATCH);
}
CBORObject certChain = additionalDkSignatures.get(issuer);
if (certChain.getType() != CBORType.Array) {
throw new CborException(
"A DKCertChain is not properly encoded",
CBORType.Array,
certChain.getType(),
CborException.TYPE_MISMATCH);
}
if (certChain.size() < ADDITIONAL_DK_SIGNATURE_CERT_CHAIN_MINIMUM_LENGTH) {
throw new CborException(
"A DKCertChain has the wrong number of certs.",
ADDITIONAL_DK_SIGNATURE_CERT_CHAIN_MINIMUM_LENGTH,
certChain.size(),
CborException.INCORRECT_LENGTH);
}
// Verify the root is self signed
if (!CryptoUtil.verifyCert(
certChain.get(ADDITIONAL_DK_SIGNATURE_ROOT_INDEX),
certChain.get(ADDITIONAL_DK_SIGNATURE_ROOT_INDEX))) {
throw new CryptoException(
"DKCertChain root certificate is not self signed",
CryptoException.VERIFICATION_FAILURE);
}
for (int i = 1; i < certChain.size(); i++) {
if (i == certChain.size() - 1
&& !CryptoUtil.verifyCert(certChain.get(i - 1), certChain.get(i), devicePublicKey)) {
throw new CryptoException(
"DK cert " + (i - 1) + " failed to verify " + i,
CryptoException.VERIFICATION_FAILURE);
} else if (!CryptoUtil.verifyCert(certChain.get(i - 1), certChain.get(i))) {
throw new CryptoException(
"DK cert " + (i - 1) + " failed to verify " + i,
CryptoException.VERIFICATION_FAILURE);
}
}
byte[] oemRoot = CryptoUtil.getEd25519PublicKeyFromCert(
certChain.get(ADDITIONAL_DK_SIGNATURE_ROOT_INDEX));
this.addSignerAndKey(issuer.AsString(), oemRoot);
}
}
}