feat: TO0.OwnerSign implementation

-Implemented logic to build and send the TO0.OwnerSign message after recieving the HelloAck from the Rendezvous.
-Added documentation on testing the TO0 protocol with the current draft setup.
-Added tests for the new TO0.OwnerSign functionality.
Signed-off-by: Riccardo Nalgi <riccardo.nalgi@secomind.com>

Author: mizzet1

apps/astarte_pairing/lib/astarte_pairing/fdo_client.ex

@@ -23,13 +23,18 @@ defmodule Astarte.Pairing.FDOClient do
   require Logger
 
   @doc """
-  TO0.Hello - Type 20 message to initiate TO0 protocol
-  Sends an empty array as per FDO specification section 5.3.1
-  Returns decoded TO0.HelloAck (message 21) with rendezvous nonce
+  TO0.Hello - Type 20 message to initiate TO0 protocol.
+  Sends an empty array as per FDO specification section 5.3.1.
+  Returns decoded TO0.HelloAck (message 21) with rendezvous nonce.
   """
   def to0_hello() do
     url = "#{fdo_rendezvous_url!()}/fdo/101/msg/20"
-    headers = [{"Content-Type", "application/cbor"}, {"Content-Length", "0"}]
+
+    headers = [
+      {"Content-Type", "application/cbor"},
+      {"Content-Length", "0"}
+    ]
+
     request_body = CBOR.encode([])
 
     Logger.debug("Sending TO0.Hello to FDO rendezvous server...", url: url)
@@ -41,8 +46,8 @@ defmodule Astarte.Pairing.FDOClient do
 
         case TO0Util.get_nonce_from_hello_ack(body) do
           {:ok, nonce} ->
-            # TODO: to0owner_sign
-            {:ok, nonce}
+            Logger.debug("Nonce retrieved from TO0.HelloAck", nonce: Base.encode16(nonce))
+            to0_owner_sign(nonce, get_auth_bearer(headers))
 
           {:error, reason} ->
             Logger.error("Failed to get nonce from TO0.HelloAck", reason: reason)
@@ -59,6 +64,58 @@ defmodule Astarte.Pairing.FDOClient do
     end
   end
 
+  defp get_auth_bearer(headers) do
+    Enum.find_value(headers, fn
+      {"authorization", value} ->
+        Logger.debug("Authorization Bearer retrieved: #{inspect(value)}")
+        value
+
+      _ ->
+        nil
+    end)
+  end
+
+  @doc """
+  TO0.OwnerSign - Type 22 message to register ownership.
+  Sends ownership voucher and waits for response from rendezvous server.
+  Returns decoded TO0.AcceptOwner (message 23) with negotiated wait time.
+  """
+  def to0_owner_sign(nonce, bearer) do
+    Logger.debug("Sending TO0.OwnerSign...")
+
+    with {:ok, owner_key} <- TO0Util.get_owner_private_key(),
+         {:ok, ownership_voucher} <- TO0Util.get_ownership_voucher(),
+         {:ok, addr_entries} <- TO0Util.get_astarte_rv_to2_addr_entries(),
+         {:ok, request_body} <-
+           TO0Util.build_owner_sign_message(ownership_voucher, owner_key, nonce, addr_entries) do
+      url = "#{fdo_rendezvous_url!()}/fdo/101/msg/22"
+
+      headers = [
+        {"Content-Type", "application/cbor"},
+        {"Content-Length", byte_size(request_body)},
+        {"Authorization", bearer}
+      ]
+
+      Logger.debug("Sending TO0.OwnerSign", payload_size: byte_size(request_body))
+
+      case http_client().post(url, request_body, headers) do
+        {:ok, %{status_code: 200, body: _body}} ->
+          Logger.debug("TO0.OwnerSign completed successfully!")
+
+        {:ok, %{status_code: status_code, body: body}} ->
+          Logger.error(
+            "TO0.OwnerSign failed with status #{status_code}, response: #{inspect(body)}"
+          )
+
+        {:error, reason} ->
+          Logger.error("TO0.OwnerSign request failed", reason: reason)
+      end
+    else
+      {:error, reason} ->
+        Logger.error("Failed to prepare TO0.OwnerSign message", reason: reason)
+    end
+  end
+
   defp fdo_rendezvous_url! do
     Config.fdo_rendezvous_url!()
   end

apps/astarte_pairing/lib/astarte_pairing/mock_fdo_keys_api.ex

@@ -0,0 +1,66 @@
+defmodule Astarte.Pairing.MockFDOApi do
+  require Logger
+
+  def get_ownership_voucher do
+    ownership_voucher = build_mock_ownership_voucher()
+    {:ok, ownership_voucher}
+  end
+
+  def get_owner_private_key do
+    owner_key = build_mock_owner_key()
+    {:ok, owner_key}
+  end
+
+  defp build_mock_ownership_voucher do
+    """
+    -----BEGIN OWNERSHIP VOUCHER-----
+    hRhlWNiGGGVQAYHfMFvr/EFPkrDfd5dxZ4GFggVQb2Zkby5leGFtcGxlLmNvbYIC
+    UVAAAAAAAAAAAAAA//9/AAABggxBAYIDQxkfaYIEQxkfaWZnb3Rlc3SDCgFYWzBZ
+    MBMGByqGSM49AgEGCCqGSM49AwEHA0IABJN09TXjwFiTHtW4/YnnmXXAf0FL2t3w
+    9d9om8aydUrtz1ejG8rIMExyhyVnYDVYgMf5hQTtAJd3/J9B+S8LijWCL1ggZ40j
+    /ULTK2LRwjMu3IwGBF8fAwvS411brOsTzhU7Y+WCBVggJNtX1qgc9dh7wz0tvTJs
+    tb4Vo/LXA5COgcj8x+hzANKCWQGDMIIBfzCCASWgAwIBAgIUG+ai0U9Ht7elK5hY
+    OqFDbXUON+gwCgYIKoZIzj0EAwIwMDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4
+    YW1wbGUxDzANBgNVBAMMBkRldmljZTAgFw0yNTEwMjIxMjM5MzJaGA8yMDU1MDUx
+    ODEyMzkzMlowGDEWMBQGA1UEAxMNZGV2aWNlLmdvLWZkbzBZMBMGByqGSM49AgEG
+    CCqGSM49AwEHA0IABJsCjFMh2CusnD/CTZ0BWCL5aqb5Wt7506PqGOPzPSxffu2M
+    w6cUu2E75OgBzNSKFAryOm5S8DICsMSOJ2aUWxOjMzAxMA4GA1UdDwEB/wQEAwIH
+    gDAfBgNVHSMEGDAWgBTQie7mYwn8UTIHbj1YHKWqgpdMgTAKBggqhkjOPQQDAgNI
+    ADBFAiEAjb7AcZWtgFBvVJ5ddA9ItKWyeJdhVKpKXbcBwUz78o8CID21S/9kPx0a
+    oPqp1dAGCSYS2vlRbFDflMfFQrFVCsB3WQG5MIIBtTCCAVugAwIBAgIUPSF900zN
+    HhKedT517226SYKoL9swCgYIKoZIzj0EAwIwMDELMAkGA1UEBhMCVVMxEDAOBgNV
+    BAoMB0V4YW1wbGUxDzANBgNVBAMMBkRldmljZTAeFw0yNTEwMjIxMjM0MzlaFw0y
+    NjEwMjIxMjM0MzlaMDAxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdFeGFtcGxlMQ8w
+    DQYDVQQDDAZEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASkL7ijPGa2
+    pLnxy7ZC03olpdFxhIfFh+omay2heOb0+1Jl5lc/CaB60rsnQmupA4T2CTCxIbFh
+    gnC3XXfbB+nko1MwUTAdBgNVHQ4EFgQU0Inu5mMJ/FEyB249WBylqoKXTIEwHwYD
+    VR0jBBgwFoAU0Inu5mMJ/FEyB249WBylqoKXTIEwDwYDVR0TAQH/BAUwAwEB/zAK
+    BggqhkjOPQQDAgNIADBFAiBshWDCM/YmnSUhT99c1PeMSwxS8w1uiJ+4uA3nMpN3
+    RgIhAKTZE4tZmuRDZn30L71dGEG5GTMQdpfSi2XcMdsZTfbMgdKEQ6EBJqBZAgmE
+    gi9YIGCEWa+pSOW0mjRDc+rmEjbz6/jbmiFPvnl9hvo+v3Bxgi9YIEkPS6IhbWb7
+    sA3PktmvLNGzxG83mZLC3We3ZiVG7+VpQaCDCgKBWQG3MIIBszCCAVmgAwIBAgIU
+    LosSffQPeA7p74gTpP1r8nyEkmYwCgYIKoZIzj0EAwIwLzELMAkGA1UEBhMCVVMx
+    EDAOBgNVBAoMB0V4YW1wbGUxDjAMBgNVBAMMBU93bmVyMB4XDTI1MTAyMjEyMzQz
+    OVoXDTI2MTAyMjEyMzQzOVowLzELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1w
+    bGUxDjAMBgNVBAMMBU93bmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErzCg
+    /gc+phQos1a0wwhlIialnqYc0YaJAV6h2VXMZ0bTE4UOxv8atpH9eKHl9vMDgHDe
+    MFBjPCBv1414gGySIaNTMFEwHQYDVR0OBBYEFJ6le2Ei1zjU5mCij7ZegBtBXk03
+    MB8GA1UdIwQYMBaAFJ6le2Ei1zjU5mCij7ZegBtBXk03MA8GA1UdEwEB/wQFMAMB
+    Af8wCgYIKoZIzj0EAwIDSAAwRQIhAJDLePyqpyGgUulA1HI0vDdl4+MOQZBIfHIN
+    ZY6S8UZGAiAbnGOoDZLJIGWz2FNTrsr1y8t0CWNbk6J+gOdit/rfAFhAFOU2tL7T
+    P3+w5O0SSWAYKnli+Dp23IndYOxOrS84yalTH9zt5aj3AIiMK642jsIRwHW4jK6O
+    uliN+61J1dB0nA==
+    -----END OWNERSHIP VOUCHER-----
+    """
+  end
+
+  defp build_mock_owner_key do
+    """
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIFlbTEE1Ce+RSqhU8FqxsY7eNb9BaBWOTw6qFv7l0DZtoAoGCCqGSM49
+    AwEHoUQDQgAEocPEIHIrn08VRO5zkkDztwp72Sw0BSm0mZeLgOKkHLUPdVFFlc0E
+    O82b1/S2Cwzwh8MIDDx0CN2b+IBl5bRwOw==
+    -----END EC PRIVATE KEY-----
+    """
+  end
+end

apps/astarte_pairing/lib/astarte_pairing/to0_util.ex

@@ -19,11 +19,13 @@
 defmodule Astarte.Pairing.TO0Util do
   require Logger
 
+  alias Astarte.Pairing.MockFDOApi
+
   @doc """
   Decodes the TO0.HelloAck CBOR body and returns the extracted nonce.
   """
   def get_nonce_from_hello_ack(body) do
-    Logger.info("Decoding TO0.HelloAck CBOR body: #{inspect(body)}")
+    Logger.debug("Decoding TO0.HelloAck CBOR body: #{inspect(body)}")
 
     case CBOR.decode(body) do
       {:ok, [%CBOR.Tag{tag: :bytes, value: nonce}], _rest}
@@ -41,4 +43,159 @@ defmodule Astarte.Pairing.TO0Util do
         {:error, {:cbor_decode_error, reason}}
     end
   end
+
+  def get_ownership_voucher() do
+    MockFDOApi.get_ownership_voucher()
+  end
+
+  def decode_ownership_voucher(voucher_pem) do
+    ov_data =
+      voucher_pem
+      |> String.replace("-----BEGIN OWNERSHIP VOUCHER-----", "")
+      |> String.replace("-----END OWNERSHIP VOUCHER-----", "")
+      |> String.replace(~r/\s/, "")
+
+    with {:ok, cbor_data} <- Base.decode64(ov_data),
+         {:ok, result, _rest} <- CBOR.decode(cbor_data) do
+      {:ok, result}
+    else
+      {:error, reason} -> {:error, reason}
+      other -> {:error, "PEM parsing failed: #{inspect(other)}"}
+    end
+  end
+
+  def get_owner_private_key() do
+    MockFDOApi.get_owner_private_key()
+  end
+
+  def sign_with_owner_key(data, owner_key) do
+    case :public_key.pem_decode(owner_key) do
+      [{:ECPrivateKey, der_data, :not_encrypted}] ->
+        with {:ok, ec_private_key} <- safe_der_decode(der_data),
+             {:ok, raw_priv} <- extract_raw_private_key(ec_private_key),
+             {:ok, signature} <- safe_sign(data, raw_priv) do
+          {:ok, signature}
+        else
+          {:error, reason} ->
+            Logger.error("Signing failed", error: inspect(reason))
+            {:error, reason}
+        end
+
+      _ ->
+        Logger.error("PEM decode failed for owner key")
+        {:error, :pem_decode_failed}
+    end
+  end
+
+  def safe_der_decode(der_data) do
+    try do
+      {:ok, :public_key.der_decode(:ECPrivateKey, der_data)}
+    rescue
+      e -> {:error, {:der_decode_failed, e}}
+    end
+  end
+
+  defp extract_raw_private_key({:ECPrivateKey, _version, bin, _params, _pub, _extra}) do
+    case byte_size(bin) do
+      32 -> {:ok, bin}
+      n when n < 32 -> {:ok, :binary.copy(<<0>>, 32 - n) <> bin}
+      n -> {:error, {:key_too_long, n}}
+    end
+  end
+
+  def safe_sign(data, priv_key) do
+    # ECDSA with SHA-256 requires a 32-byte private key secp256r1
+    if is_binary(priv_key) and byte_size(priv_key) == 32 do
+      try do
+        {:ok, :crypto.sign(:ecdsa, :sha256, data, [priv_key, :secp256r1])}
+      rescue
+        e -> {:error, {:signing_failed, e}}
+      end
+    else
+      {:error, :invalid_private_key_format}
+    end
+  end
+
+  def build_rv_to2_addr_entry(ip, dns, port, protocol) do
+    rv_entry = [ip, dns, port, protocol]
+    encoded_entry = CBOR.encode([rv_entry])
+    {:ok, encoded_entry}
+  end
+
+  defp build_to1d_rv(entries) do
+    to1d_rv = CBOR.encode([entries])
+    {:ok, to1d_rv}
+  end
+
+  defp build_to0d(ov, wait_seconds, nonce) do
+    to0d = CBOR.encode([ov, wait_seconds, nonce])
+    {:ok, to0d}
+  end
+
+  defp add_cbor_tag(payload) do
+    %CBOR.Tag{tag: :bytes, value: payload}
+  end
+
+  defp build_to1d_to0d_hash(to0d) do
+    to1d_to0d_hash_value = :crypto.hash(:sha256, to0d)
+    # 47 is the key for SHA-256
+    to1d_to0d_hash = CBOR.encode([47, to1d_to0d_hash_value])
+    {:ok, to1d_to0d_hash}
+  end
+
+  defp build_to1d_blob_payload(to1d_rv, to1d_to0d_hash) do
+    blob_payload = CBOR.encode([to1d_rv, to1d_to0d_hash])
+    {:ok, blob_payload}
+  end
+
+  def build_cose_sign1(payload, owner_key) do
+    # Protected header: ES256 algorithm (ECDSA with SHA-256)
+    # -7 is ES256
+    protected_header = %{1 => -7}
+    protected_header_cbor = CBOR.encode(protected_header)
+
+    sig_structure = ["Signature1", protected_header_cbor, <<>>, payload]
+    sig_structure_cbor = CBOR.encode(sig_structure)
+
+    with {:ok, raw_signature} <- sign_with_owner_key(sig_structure_cbor, owner_key) do
+      cose_sign1_array = [
+        add_cbor_tag(protected_header_cbor),
+        %{},
+        add_cbor_tag(payload),
+        add_cbor_tag(raw_signature)
+      ]
+
+      # Tag 18 is associated with COSE_Sign1
+      cose_sign1 = %CBOR.Tag{tag: 18, value: cose_sign1_array}
+      {:ok, cose_sign1}
+    else
+      {:error, reason} -> {:error, {:signing_error, reason}}
+    end
+  end
+
+  def get_astarte_rv_to2_addr_entries() do
+    with {:ok, rv_entry1} <- build_rv_to2_addr_entry(CBOR.encode([]), "pippo", 8080, 3),
+         {:ok, rv_entry2} <- build_rv_to2_addr_entry(CBOR.encode([]), "paperino", 8080, 3) do
+      {:ok, [rv_entry1, rv_entry2]}
+    else
+      {:error, reason} -> {:error, reason}
+    end
+  end
+
+  def build_owner_sign_message(ownership_voucher, owner_key, nonce, addr_entries) do
+    with {:ok, decoded_ownership_voucher} <- decode_ownership_voucher(ownership_voucher),
+         {:ok, to0d} <- build_to0d(decoded_ownership_voucher, 3600, nonce),
+         {:ok, to1d_to0d_hash} <- build_to1d_to0d_hash(to0d),
+         {:ok, to1d_rv} <- build_to1d_rv(addr_entries),
+         {:ok, blob_payload} <- build_to1d_blob_payload(to1d_rv, to1d_to0d_hash),
+         {:ok, signature} <- build_cose_sign1(blob_payload, owner_key) do
+      result = CBOR.encode([add_cbor_tag(to0d), signature])
+      Logger.debug("build_owner_sign_message success: #{inspect(result)}")
+      {:ok, result}
+    else
+      error ->
+        Logger.debug("build_owner_sign_message error: #{inspect(error)}")
+        {:error, error}
+    end
+  end
 end