Add support for PASE verification value (#153)

Author: mfucci

src/Device.ts

@@ -86,7 +86,7 @@ class Device {
             .addScanner(await MdnsScanner.create())
             .addBroadcaster(await MdnsBroadcaster.create())
             .addProtocolHandler(new SecureChannelProtocol(
-                    new PaseServer(passcode, { iteration: 1000, salt: Crypto.getRandomData(32) }),
+                    await PaseServer.fromPin({ iteration: 1000, salt: Crypto.getRandomData(32) }, passcode),
                     new CaseServer(),
                 ))
             .addProtocolHandler(new InteractionServer()
@@ -107,7 +107,8 @@ class Device {
                        capabilityMinima: {
                            caseSessionsPerFabric: 3,
                            subscriptionsPerFabric: 3,
-                       }
+                       },
+                       serialNumber: `node-matter-${packageJson.version}`,
                    }, {}),
                    new ClusterServer(GeneralCommissioningCluster, {}, {
                        breadcrumb: BigInt(0),

src/crypto/Spake2p.ts

@@ -21,23 +21,33 @@ export interface PbkdfParameters {
 }
 
 export class Spake2p {
-    constructor(
-        private readonly context: ByteArray,
-        private readonly random: BN,
-        /* visible for tests */ readonly w0: BN,
-        private readonly w1: BN,
-    ) {}
 
-    static async create(context: ByteArray, {iteration, salt}: PbkdfParameters, pin: number) {
+    static async computeW0W1({iteration, salt}: PbkdfParameters, pin: number) {
         const pinWriter = new DataWriter(Endian.Little);
         pinWriter.writeUInt32(pin);
         const ws = await Crypto.pbkdf2(pinWriter.toByteArray(), salt, iteration, 80);
-        const random = Crypto.getRandomBN(32, P256_CURVE.p);
         const w0 = new BN(ws.slice(0, 40)).mod(P256_CURVE.n);
         const w1 = new BN(ws.slice(40, 80)).mod(P256_CURVE.n);
-        return new Spake2p(context, random, w0, w1);
+        return { w0, w1 };
+    }
+
+    static async computeW0L(pbkdfParameters: PbkdfParameters, pin: number) {
+        const { w0, w1 } = await this.computeW0W1(pbkdfParameters, pin);
+        const L = P256_CURVE.g.mul(w1).encode();
+        return { w0, L };
     }
 
+    static async create(context: ByteArray, w0: BN) {
+        const random = Crypto.getRandomBN(32, P256_CURVE.p);
+        return new Spake2p(context, random, w0);
+    }
+
+    constructor(
+        private readonly context: ByteArray,
+        private readonly random: BN,
+        private readonly w0: BN,
+    ) {}
+
     computeX(): ByteArray {
         const X = P256_CURVE.g.mul(this.random).add(M.mul(this.w0));
         return ByteArray.from(X.encode());
@@ -48,20 +58,21 @@ export class Spake2p {
         return ByteArray.from(Y.encode());
     }
 
-    async computeSecretAndVerifiersFromY(X: ByteArray, Y: ByteArray) {
+    async computeSecretAndVerifiersFromY(w1: BN, X: ByteArray, Y: ByteArray) {
         const YPoint = P256_CURVE.decodePoint(Y);
         if (!YPoint.validate()) throw new Error("Y is not on the curve");
         const yNwo = YPoint.add(N.mul(this.w0).neg());
         const Z = yNwo.mul(this.random);
-        const V = yNwo.mul(this.w1);
+        const V = yNwo.mul(w1);
         return this.computeSecretAndVerifiers(X, Y, ByteArray.from(Z.encode()), ByteArray.from(V.encode()));
     }
 
-    async computeSecretAndVerifiersFromX(X: ByteArray, Y: ByteArray) {
+    async computeSecretAndVerifiersFromX(L: ByteArray, X: ByteArray, Y: ByteArray) {
         const XPoint = P256_CURVE.decodePoint(X);
+        const LPoint = P256_CURVE.decodePoint(L);
         if (!XPoint.validate()) throw new Error("X is not on the curve");
         const Z = XPoint.add(M.mul(this.w0).neg()).mul(this.random);
-        const V = P256_CURVE.g.mul(this.w1).mul(this.random);
+        const V = LPoint.mul(this.random);
         return this.computeSecretAndVerifiers(X, Y, ByteArray.from(Z.encode()), ByteArray.from(V.encode()));
     }
 

src/matter/session/secure/PaseClient.ts

@@ -16,8 +16,6 @@ import { ByteArray } from "@project-chip/matter.js";
 const logger = Logger.get("PaseClient");
 
 export class PaseClient {
-    constructor() {}
-
     async pair(client: MatterController, exchange: MessageExchange<MatterController>, setupPin: number) {
         const messenger = new PaseClientMessenger(exchange);
         const random = Crypto.getRandom();
@@ -29,13 +27,14 @@ export class PaseClient {
         if (pbkdfParameters === undefined) throw new Error("Missing requested PbkdfParameters in the response");
 
         // Compute pake1 and read pake2
-        const spake2p = await Spake2p.create(Crypto.hash([ SPAKE_CONTEXT, requestPayload, responsePayload ]), pbkdfParameters, setupPin);
+        const { w0, w1 } = await Spake2p.computeW0W1(pbkdfParameters, setupPin);
+        const spake2p = await Spake2p.create(Crypto.hash([ SPAKE_CONTEXT, requestPayload, responsePayload ]), w0);
         const X = spake2p.computeX();
         await messenger.sendPasePake1({x: X});
 
         // Process pack2 and send pake3
         const { y: Y, verifier } = await messenger.readPasePake2();
-        const { Ke, hAY, hBX } = await spake2p.computeSecretAndVerifiersFromY(X, Y);
+        const { Ke, hAY, hBX } = await spake2p.computeSecretAndVerifiersFromY(w1, X, Y);
         if (!verifier.equals(hBX)) throw new Error("Received incorrect key confirmation from the receiver");
         await messenger.sendPasePake3({ verifier: hAY });
 

src/matter/session/secure/PaseServer.ts

@@ -14,14 +14,27 @@ import { SECURE_CHANNEL_PROTOCOL_ID } from "./SecureChannelMessages";
 import { MatterDevice } from "../../MatterDevice";
 import { Logger } from "../../../log/Logger";
 import { ByteArray } from "@project-chip/matter.js";
+import BN from "bn.js";
 
 const logger = Logger.get("PaseServer");
 
 export class PaseServer implements ProtocolHandler<MatterDevice> {
 
+    static async fromPin(pbkdfParameters: PbkdfParameters, setupPinCode: number) {
+        const { w0, L } = await Spake2p.computeW0L(pbkdfParameters, setupPinCode);
+        return new PaseServer(w0, L, pbkdfParameters);
+    }
+
+    static fromVerificationValue(verificationValue: ByteArray) {
+        const w0 = new BN(verificationValue.slice(0, 32));
+        const L = verificationValue.slice(32, 32 + 65);
+        return new PaseServer(w0, L);
+    }
+
     constructor(
-        private readonly setupPinCode: number,
-        private readonly pbkdfParameters: PbkdfParameters,
+        private readonly w0: BN,
+        private readonly L: ByteArray,
+        private readonly pbkdfParameters?: PbkdfParameters,
         ) {}
 
     getId(): number {
@@ -49,10 +62,10 @@ export class PaseServer implements ProtocolHandler<MatterDevice> {
         const responsePayload = await messenger.sendPbkdfParamResponse({ peerRandom, random, sessionId, mrpParameters, pbkdfParameters: hasPbkdfParameters ? undefined : this.pbkdfParameters });
 
         // Process pake1 and send pake2
-        const spake2p = await Spake2p.create(Crypto.hash([ SPAKE_CONTEXT, requestPayload, responsePayload ]), this.pbkdfParameters, this.setupPinCode);
+        const spake2p = await Spake2p.create(Crypto.hash([ SPAKE_CONTEXT, requestPayload, responsePayload ]), this.w0);
         const { x: X } = await messenger.readPasePake1();
         const Y = spake2p.computeY();
-        const { Ke, hAY, hBX } = await spake2p.computeSecretAndVerifiersFromX(X, Y);
+        const { Ke, hAY, hBX } = await spake2p.computeSecretAndVerifiersFromX(this.L, X, Y);
         await messenger.sendPasePake2({ y: Y, verifier: hBX });
 
         // Read and process pake3

test/IntegrationTest.ts

@@ -93,7 +93,7 @@ describe("Integration", () => {
             .addNetInterface(await UdpInterface.create(matterPort, "udp6", SERVER_IP))
             .addBroadcaster(await MdnsBroadcaster.create())
             .addProtocolHandler(new SecureChannelProtocol(
-                    new PaseServer(setupPin, { iteration: 1000, salt: Crypto.getRandomData(32) }),
+                    await PaseServer.fromPin({ iteration: 1000, salt: Crypto.getRandomData(32) }, setupPin),
                     new CaseServer(),
                 ))
             .addProtocolHandler(new InteractionServer()

test/crypto/Spake2pTest.ts

@@ -15,15 +15,16 @@ describe("Spake2p", () => {
         const context = ByteArray.fromString("SPAKE2+-P256-SHA256-HKDF draft-01");
         const w0 = new BN("e6887cf9bdfb7579c69bf47928a84514b5e355ac034863f7ffaf4390e67d798c", "hex");
         const w1 = new BN("24b5ae4abda868ec9336ffc3b78ee31c5755bef1759227ef5372ca139b94e512", "hex");
+        const L = ByteArray.fromHex("0495645cfb74df6e58f9748bb83a86620bab7c82e107f57d6870da8cbcb2ff9f7063a14b6402c62f99afcb9706a4d1a143273259fe76f1c605a3639745a92154b9");
         const x = new BN("5b478619804f4938d361fbba3a20648725222f0a54cc4c876139efe7d9a21786", "hex");
         const y = new BN("766770dad8c8eecba936823c0aed044b8c3c4f7655e8beec44a15dcbcaf78e5e", "hex");
         const X = ByteArray.fromHex("04a6db23d001723fb01fcfc9d08746c3c2a0a3feff8635d29cad2853e7358623425cf39712e928054561ba71e2dc11f300f1760e71eb177021a8f85e78689071cd");
         const Y = ByteArray.fromHex("04390d29bf185c3abf99f150ae7c13388c82b6be0c07b1b8d90d26853e84374bbdc82becdb978ca3792f472424106a2578012752c11938fcf60a41df75ff7cf947");
         const Ke = ByteArray.fromHex("ea3276d68334576097e04b19ee5a3a8b");
         const hAY = ByteArray.fromHex("71d9412779b6c45a2c615c9df3f1fd93dc0aaf63104da8ece4aa1b5a3a415fea");
         const hBX = ByteArray.fromHex("095dc0400355cc233fde7437811815b3c1524aae80fd4e6810cf531cf11d20e3");
-        const spake2pInitiator = new Spake2p(context, x, w0, w1);
-        const spake2pReceiver = new Spake2p(context, y, w0, w1);
+        const spake2pInitiator = new Spake2p(context, x, w0);
+        const spake2pReceiver = new Spake2p(context, y, w0);
 
         it("generates X", () => {
             const result = spake2pInitiator.computeX();
@@ -38,23 +39,22 @@ describe("Spake2p", () => {
         });
 
         it("generates shared secret and key confirmation for the initiator", async () => {
-            const result = await spake2pInitiator.computeSecretAndVerifiersFromY(X, Y);
+            const result = await spake2pInitiator.computeSecretAndVerifiersFromY(w1, X, Y);
 
             assert.equal(result.Ke.toHex(), Ke.toHex());
             assert.equal(result.hAY.toHex(), hAY.toHex());
             assert.equal(result.hBX.toHex(), hBX.toHex());
         });
 
         it("generates shared secret and key confirmation for the receiver", async () => {
-            const result = await spake2pReceiver.computeSecretAndVerifiersFromX(X, Y);
+            const result = await spake2pReceiver.computeSecretAndVerifiersFromX(L, X, Y);
 
             assert.equal(result.Ke.toHex(), Ke.toHex());
             assert.equal(result.hAY.toHex(), hAY.toHex());
             assert.equal(result.hBX.toHex(), hBX.toHex());
         });
     });
 
-
     context("context hash test", () => {
         it("generates the correct context hash", () => {
             // Test data captured from https://github.com/project-chip/connectedhomeip/
@@ -70,17 +70,5 @@ describe("Spake2p", () => {
 
             assert.equal(result.toHex(), "c49718b0275b6f81fd6a081f6c34c5833382b75b3bd997895d13a51c71a02855");
         });
-
-        it("generates the correct ws0 from the pin", async () => {
-            // Test data captured from https://github.com/project-chip/connectedhomeip/
-            const pin = 20202021;
-            const salt = ByteArray.fromHex("438df2ea5143215c4ec5f1bbf7a4d9b1374f62320f2c88e25cc18ff5e5d1bbf6");
-            const iteration = 1000;
-
-            const spake2p = await Spake2p.create(Buffer.alloc(0), { iteration, salt }, pin);
-            const result = spake2p.w0;
-
-            assert.equal(result.toString("hex"), "987aede3f3f32756971b905820b0bbdad2a6e236838a865b043e64878b5db6d0");
-        });
     });
 });