Merge branch 'master' into dm_xml_new_grammar_for_command_direction

Author: cecille

config/nrfconnect/chip-gn/.gn

@@ -14,6 +14,7 @@
 
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
+import("//build_overrides/pigweed.gni")
 
 # The location of the build configuration file.
 buildconfig = "${build_root}/config/BUILDCONFIG.gn"
@@ -25,5 +26,14 @@ default_args = {
   target_cpu = "arm"
   target_os = "zephyr"
 
+  pw_sys_io_BACKEND = dir_pw_sys_io_stdio
+  pw_assert_BACKEND = dir_pw_assert_log
+  pw_log_BACKEND = dir_pw_log_basic
+
+  pw_build_LINK_DEPS = [
+    "$dir_pw_assert:impl",
+    "$dir_pw_log:impl",
+  ]
+
   import("${chip_root}/config/nrfconnect/chip-gn/args.gni")
 }

docs/cluster_and_device_type_dev/img/cluster_commands.png

@@ -166,7 +166,8 @@ CHIP_ERROR CHIPCommand::MaybeSetUpStack()
             cdTrustStorePath = getenv(kCDTrustStorePathVariable);
         }
 
-        auto additionalCdCerts = chip::Credentials::LoadAllX509DerCerts(cdTrustStorePath);
+        auto additionalCdCerts =
+            chip::Credentials::LoadAllX509DerCerts(cdTrustStorePath, chip::Credentials::CertificateValidationMode::kPublicKeyOnly);
         if (cdTrustStorePath != nullptr && additionalCdCerts.size() == 0)
         {
             ChipLogError(chipTool, "Warning: no CD signing certs found in path: %s, only defaults will be used", cdTrustStorePath);

examples/chip-tool/commands/common/CHIPCommand.cpp

@@ -2628,6 +2628,7 @@ endpoint 0 {
     ram      attribute clusterRevision default = 1;
 
     handle command RetrieveLogsRequest;
+    handle command RetrieveLogsResponse;
   }
 
   server cluster GeneralDiagnostics {

examples/light-switch-app/light-switch-common/light-switch-app.matter

@@ -1581,6 +1581,14 @@
               "source": "client",
               "isIncoming": 1,
               "isEnabled": 1
+            },
+            {
+              "name": "RetrieveLogsResponse",
+              "code": 1,
+              "mfgCode": null,
+              "source": "server",
+              "isIncoming": 0,
+              "isEnabled": 1
             }
           ],
           "attributes": [
@@ -4605,6 +4613,24 @@
           "define": "IDENTIFY_CLUSTER",
           "side": "client",
           "enabled": 1,
+          "commands": [
+            {
+              "name": "Identify",
+              "code": 0,
+              "mfgCode": null,
+              "source": "client",
+              "isIncoming": 0,
+              "isEnabled": 1
+            },
+            {
+              "name": "TriggerEffect",
+              "code": 64,
+              "mfgCode": null,
+              "source": "client",
+              "isIncoming": 0,
+              "isEnabled": 1
+            }
+          ],
           "attributes": [
             {
               "name": "ClusterRevision",

examples/light-switch-app/light-switch-common/light-switch-app.zap

@@ -2663,6 +2663,7 @@ endpoint 0 {
     ram      attribute clusterRevision default = 1;
 
     handle command RetrieveLogsRequest;
+    handle command RetrieveLogsResponse;
   }
 
   server cluster GeneralDiagnostics {

examples/lock-app/lock-common/lock-app.matter

@@ -2126,6 +2126,14 @@
               "source": "client",
               "isIncoming": 1,
               "isEnabled": 1
+            },
+            {
+              "name": "RetrieveLogsResponse",
+              "code": 1,
+              "mfgCode": null,
+              "source": "server",
+              "isIncoming": 0,
+              "isEnabled": 1
             }
           ],
           "attributes": [

examples/lock-app/lock-common/lock-app.zap

@@ -2240,6 +2240,7 @@ endpoint 0 {
     ram      attribute clusterRevision default = 1;
 
     handle command RetrieveLogsRequest;
+    handle command RetrieveLogsResponse;
   }
 
   server cluster GeneralDiagnostics {

examples/thermostat/thermostat-common/thermostat.matter

@@ -1707,6 +1707,14 @@
               "source": "client",
               "isIncoming": 1,
               "isEnabled": 1
+            },
+            {
+              "name": "RetrieveLogsResponse",
+              "code": 1,
+              "mfgCode": null,
+              "source": "server",
+              "isIncoming": 0,
+              "isEnabled": 1
             }
           ],
           "attributes": [

examples/thermostat/thermostat-common/thermostat.zap

@@ -98,7 +98,7 @@ ghapi==1.0.3
     # via -r requirements.memory.txt
 humanfriendly==10.0
     # via coloredlogs
-idf-component-manager==1.2.2
+idf-component-manager==1.5.2
     # via -r requirements.esp32.txt
 idna==3.4
     # via requests

scripts/setup/constraints.txt

@@ -160,6 +160,9 @@
     'src/tracing/json/json_tracing.cpp': {'string', 'sstream'},
     'src/tracing/json/json_tracing.h': {'fstream', 'unordered_map'},
 
+    # esp32 tracing
+    'src/tracing/esp32_trace/esp32_tracing.h': {'unordered_map'},
+
     # Not intended for embedded clients
     'src/app/PendingResponseTrackerImpl.h': {'unordered_set'},
 

scripts/tools/check_includes_config.py

@@ -143,7 +143,8 @@ if (chip_build_tests) {
     if (chip_monolithic_tests) {
       # TODO [PW_MIGRATION] Remove this if after migartion to PW_TEST is completed for all platforms
       # TODO [PW_MIGRATION] There will be a list of already migrated platforms
-      if (chip_device_platform == "esp32") {
+      if (chip_device_platform == "esp32" ||
+          chip_device_platform == "nrfconnect") {
         deps += [ "${chip_root}/src/lib/support:pw_tests_wrapper" ]
       }
       build_monolithic_library = true

src/BUILD.gn

@@ -595,7 +595,17 @@ void CommandHandler::AddStatus(const ConcreteCommandPath & aCommandPath, const P
 {
     // Return early in case of requests targeted to a group, since they should not add a response.
     VerifyOrReturn(!IsGroupRequest());
-    VerifyOrDie(FallibleAddStatus(aCommandPath, aStatus, context) == CHIP_NO_ERROR);
+
+    CHIP_ERROR error = FallibleAddStatus(aCommandPath, aStatus, context);
+
+    if (error != CHIP_NO_ERROR)
+    {
+        ChipLogError(DataManagement, "Failed to add command status: %" CHIP_ERROR_FORMAT, error.Format());
+
+        // Do not crash if the status has not been added due to running out of packet buffers or other resources.
+        // It is better to drop a single response than to go offline and lose all sessions and subscriptions.
+        VerifyOrDie(error == CHIP_ERROR_NO_MEMORY);
+    }
 }
 
 CHIP_ERROR CommandHandler::FallibleAddStatus(const ConcreteCommandPath & path, const Protocols::InteractionModel::Status status,

src/app/CommandHandler.cpp

@@ -74,10 +74,10 @@ limitations under the License.
                 <requireAttribute>ACTIVE_LOCALE</requireAttribute>
                 <requireAttribute>SUPPORTED_LOCALES</requireAttribute>
             </include>
-            <include cluster="Time Format Localization" client="false" server="true" clientLocked="true" serverLocked="false">
+            <include cluster="Time Format Localization" client="false" server="false" clientLocked="true" serverLocked="false">
                 <requireAttribute>HOUR_FORMAT</requireAttribute>
             </include>
-            <include cluster="Unit Localization" client="false" server="true" clientLocked="true" serverLocked="false"></include>
+            <include cluster="Unit Localization" client="false" server="false" clientLocked="true" serverLocked="false"></include>
             <include cluster="General Diagnostics" client="false" server="true" clientLocked="true" serverLocked="true">
                 <requireAttribute>UP_TIME</requireAttribute>
             </include>
@@ -1417,7 +1417,6 @@ limitations under the License.
                 <requireAttribute>IDENTIFY_TYPE</requireAttribute>
                 <requireCommand>Identify</requireCommand>
                 <requireCommand>IdentifyQuery</requireCommand>
-                <requireCommand>TriggerEffect</requireCommand>
             </include>
             <include cluster="Descriptor" client="false" server="true" clientLocked="true" serverLocked="true">
                 <requireAttribute>DEVICE_TYPE_LIST</requireAttribute>
@@ -1475,7 +1474,6 @@ limitations under the License.
                 <requireAttribute>IDENTIFY_TYPE</requireAttribute>
                 <requireCommand>Identify</requireCommand>
                 <requireCommand>IdentifyQuery</requireCommand>
-                <requireCommand>TriggerEffect</requireCommand>
             </include>
             <include cluster="Descriptor" client="false" server="true" clientLocked="true" serverLocked="true">
                 <requireAttribute>DEVICE_TYPE_LIST</requireAttribute>

src/app/zap-templates/zcl/data-model/chip/matter-devices.xml

@@ -365,11 +365,7 @@ kotlin_library("kotlin_matter_controller") {
 
   output_name = "KotlinMatterController.jar"
 
-  deps = [
-    ":java",
-    ":tlv",
-    "${chip_root}/third_party/java_deps:annotation",
-  ]
+  deps = [ ":java" ]
 
   sources = [
     "src/matter/controller/CompletionListenerAdapter.kt",
@@ -400,7 +396,6 @@ kotlin_library("kotlin_matter_controller") {
 
   if (matter_enable_java_compilation) {
     deps += [
-      "${chip_root}/third_party/java_deps:json",
       "${chip_root}/third_party/java_deps:kotlin-stdlib",
       "${chip_root}/third_party/java_deps:kotlinx-coroutines-core-jvm",
       "${chip_root}/third_party/java_deps/stub_src",

src/controller/java/BUILD.gn

@@ -53,7 +53,7 @@ FileAttestationTrustStore::FileAttestationTrustStore(const char * paaTrustStoreP
     mIsInitialized = true;
 }
 
-std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath)
+std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath, CertificateValidationMode validationMode)
 {
     std::vector<std::vector<uint8_t>> certs;
     if (trustStorePath == nullptr)
@@ -89,21 +89,39 @@ std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePat
                 if ((certificateLength > 0) && (certificateLength <= kMaxDERCertLength))
                 {
                     certificate.resize(certificateLength);
-                    // Only accumulate certificate if it has a subject key ID extension
-                    {
-                        uint8_t kidBuf[Crypto::kSubjectKeyIdentifierLength] = { 0 };
-                        MutableByteSpan kidSpan{ kidBuf };
-                        ByteSpan certSpan{ certificate.data(), certificate.size() };
+                    ByteSpan certSpan{ certificate.data(), certificate.size() };
 
+                    // Only accumulate certificate if it passes validation.
+                    bool isValid = false;
+                    switch (validationMode)
+                    {
+                    case CertificateValidationMode::kPAA: {
                         if (CHIP_NO_ERROR != VerifyAttestationCertificateFormat(certSpan, Crypto::AttestationCertType::kPAA))
                         {
-                            continue;
+                            break;
                         }
 
+                        uint8_t kidBuf[Crypto::kSubjectKeyIdentifierLength] = { 0 };
+                        MutableByteSpan kidSpan{ kidBuf };
                         if (CHIP_NO_ERROR == Crypto::ExtractSKIDFromX509Cert(certSpan, kidSpan))
                         {
-                            certs.push_back(certificate);
+                            isValid = true;
                         }
+                        break;
+                    }
+                    case CertificateValidationMode::kPublicKeyOnly: {
+                        Crypto::P256PublicKey publicKey;
+                        if (CHIP_NO_ERROR == Crypto::ExtractPubkeyFromX509Cert(certSpan, publicKey))
+                        {
+                            isValid = true;
+                        }
+                        break;
+                    }
+                    }
+
+                    if (isValid)
+                    {
+                        certs.push_back(certificate);
                     }
                 }
                 fclose(file);

src/credentials/attestation_verifier/FileAttestationTrustStore.cpp

@@ -25,17 +25,29 @@
 namespace chip {
 namespace Credentials {
 
+enum class CertificateValidationMode
+{
+    // Validate that the certificate is a valid PAA certificate.
+    kPAA,
+    // Validate just that the certificate has a public key we can extract
+    // (e.g. it's a CD signing certificate).
+    kPublicKeyOnly,
+};
+
 /**
  * @brief Load all X.509 DER certificates in a given path.
  *
- * Silently ignores non-X.509 files and X.509 files without a subject key identifier.
+ * Silently ignores non-X.509 files and X.509 files that fail validation as
+ * determined by the provided validation mode.
  *
  * Returns an empty vector if no files are found or unrecoverable errors arise.
  *
  * @param trustStorePath - path from where to search for certificates.
+ * @param validationMode - how the certificate files should be validated.
  * @return a vector of certificate DER data
  */
-std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath);
+std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath,
+                                                      CertificateValidationMode validationMode = CertificateValidationMode::kPAA);
 
 class FileAttestationTrustStore : public AttestationTrustStore
 {

src/credentials/attestation_verifier/FileAttestationTrustStore.h

@@ -39,6 +39,7 @@
 
 #include <zephyr/bluetooth/addr.h>
 #include <zephyr/bluetooth/gatt.h>
+#include <zephyr/bluetooth/hci.h>
 #include <zephyr/random/rand32.h>
 #include <zephyr/sys/byteorder.h>
 #include <zephyr/sys/util.h>

src/platform/Zephyr/BLEManagerImpl.cpp

@@ -16,6 +16,7 @@
  */
 
 #include <lib/support/CodeUtils.h>
+#include <lib/support/UnitTest.h>
 #include <lib/support/UnitTestRegistration.h>
 #include <platform/CHIPDeviceLayer.h>
 
@@ -35,6 +36,7 @@ extern "C" int main(void)
 
     LOG_INF("Starting CHIP tests!");
     int status = RunRegisteredUnitTests();
+    status += chip::test::RunAllTests();
     LOG_INF("CHIP test status: %d", status);
 
     _exit(status);