in java/remoteprovisioning/CryptoUtil.java [704:737]
public static boolean validateBcc(CBORObject chain) throws CborException, CryptoException {
try {
Sign1Message certToVerify =
(Sign1Message) Message.DecodeFromBytes(chain.get(1).EncodeToBytes(), MessageTag.Sign1);
OneKey verifyingKey = new OneKey(chain.get(0));
if (!certToVerify.validate(verifyingKey)) {
return false;
}
} catch (CoseException e) {
throw new CryptoException(
"Failed to validate first BCC cert with key", e, CryptoException.VERIFICATION_FAILURE);
}
// TODO: No implementations will have anything more than a device public key and a self
// signed root cert in phase 1. Come back and finish functionality for verifying
// a chain of signed CWTs and extracting the relevant info
/*
Sign1Message signedCwt =
(Sign1Message) Message.DecodeFromBytes(certToVerifyCbor.EncodeToBytes(),
MessageTag.Sign1);
CBORObject cwtMap = CBORObject.DecodeFromBytes(signedCwt.getContent());
// The 0 index is the the device public key as a COSE_Key object. The 1 index marks the
// start of the full BccEntry's; COSE_Sign1 objects where the payload is a CBOR Web Token.
// That CBOR Web Token is a map, in which one of the fields contains the public key that
// verifies the next BccEntry in the chain.
CBORObject last = chain.get(1);
// verify the certificate chain
for (int i = 0; i < chain.size(); i++) {
if (!verifyCertWithWebtokenPayload(last, chain.get(i))) {
return false;
}
last = chain.get(i);
}*/
return true;
}