Address comments

Added an interface for device attestation revocation and the test
implementation for the same.

Author: shubhamdp

examples/chip-tool/commands/common/CHIPCommand.cpp

@@ -452,7 +452,10 @@ CHIP_ERROR CHIPCommand::InitializeCommissioner(CommissionerIdentity & identity,
 
     ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams, sTrustStore));
 
-    mCredIssuerCmds->SetupDeviceAttestationRevocationSetPath(mDacRevocationSetPath.ValueOr(nullptr));
+    if (mDacRevocationSetPath.HasValue())
+    {
+        ReturnLogErrorOnFailure(mCredIssuerCmds->SetDeviceAttestationRevocationSetPath(mDacRevocationSetPath.Value()));
+    }
 
     chip::Crypto::P256Keypair ephemeralKey;
 

examples/chip-tool/commands/common/CredentialIssuerCommands.h

@@ -68,8 +68,10 @@ class CredentialIssuerCommands
      *
      * @param[in] path Path to the JSON file containing list of revoked DACs or PAIs.
      *                 It can be generated using credentials/generate-revocation-set.py script
+     *
+     * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
      */
-    virtual void SetupDeviceAttestationRevocationSetPath(const char * path) = 0;
+    virtual CHIP_ERROR SetDeviceAttestationRevocationSetPath(const char * path) = 0;
 
     /**
      * @brief Add a list of additional non-default CD verifying keys (by certificate)

examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h

@@ -24,6 +24,7 @@
 #include <credentials/DeviceAttestationCredsProvider.h>
 #include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
 #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/TestDACRevocationDelegateImpl.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>
 
 class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
@@ -45,14 +46,12 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
         return CHIP_NO_ERROR;
     }
 
-    void SetupDeviceAttestationRevocationSetPath(const char * path) override
+    CHIP_ERROR SetDeviceAttestationRevocationSetPath(const char * path) override
     {
-        if (path)
-        {
-            // As we know that we are using DefaultDACVerifier, we can downcast from
-            // DeviceAttestationVerifier to DefaultDACVerifier to set the revocation set
-            static_cast<chip::Credentials::DefaultDACVerifier *>(mDacVerifier)->SetDeviceAttestationRevocationSetPath(path);
-        }
+        VerifyOrReturnError(path != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
+        ReturnErrorOnFailure(mTestDacRevocationDelegate.SetDeviceAttestationRevocationSetPath(path));
+        mDacVerifier->SetRevocationDelegate(&mTestDacRevocationDelegate);
+        return CHIP_NO_ERROR;
     }
 
     chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
@@ -119,4 +118,5 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
 private:
     chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
     chip::Credentials::DeviceAttestationVerifier * mDacVerifier;
+    chip::Credentials::TestDACRevocationDelegateImpl mTestDacRevocationDelegate;
 };

scripts/tools/check_includes_config.py

@@ -137,7 +137,7 @@
 
     'src/credentials/attestation_verifier/FileAttestationTrustStore.h': {'vector'},
     'src/credentials/attestation_verifier/FileAttestationTrustStore.cpp': {'string'},
-    'src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp': {'fstream'},
+    'src/credentials/attestation_verifier/TestDACRevocationDelegateImpl.cpp': {'fstream'},
 
     'src/setup_payload/AdditionalDataPayload.h': {'string'},
     'src/setup_payload/AdditionalDataPayloadParser.cpp': {'vector', 'string'},

src/credentials/BUILD.gn

@@ -158,6 +158,8 @@ static_library("default_attestation_verifier") {
     "attestation_verifier/DefaultDeviceAttestationVerifier.cpp",
     "attestation_verifier/DefaultDeviceAttestationVerifier.h",
     "attestation_verifier/DeviceAttestationDelegate.h",
+    "attestation_verifier/TestDACRevocationDelegateImpl.cpp",
+    "attestation_verifier/TestDACRevocationDelegateImpl.h",
   ]
 
   if (chip_device_platform == "esp32" || chip_device_platform == "nrfconnect" ||

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

@@ -26,16 +26,10 @@
 
 #include <lib/core/CHIPError.h>
 #include <lib/core/Global.h>
-#include <lib/support/Base64.h>
-#include <lib/support/BytesToHex.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/Span.h>
 
-#include <fstream>
-#include <json/json.h>
-#include <string.h>
-
 using namespace chip::Crypto;
 using chip::TestCerts::GetTestPaaRootStore;
 
@@ -613,149 +607,17 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
     return CHIP_NO_ERROR;
 }
 
-// This method parses the below JSON Scheme
-// [
-//  {
-//    "type": "revocation_set",
-//    "issuer_subject_key_id": "63540E47F64B1C38D13884A462D16C195D8FFB3C",
-//    "issuer_name": "MD0xJTAjBgNVBAMMHE1hdHRlciBEZXYgUEFJIDB4RkZGMSBubyBQSUQxFDASBgorBgEEAYKifAIBDARGRkYx",
-//    "revoked_serial_numbers": [
-//      "69CDF10DE9E54ED1"
-//    ]
-//  }
-// ]
-//
-bool DefaultDACVerifier::IsEntryExistsInRevocationSet(const CharSpan & akidHexStr, const CharSpan & issuerNameBase64Str,
-                                                      const CharSpan & serialNumberHexStr)
-{
-    std::ifstream file(mDeviceAttestationRevocationSetPath);
-    if (!file.is_open())
-    {
-        return false;
-    }
-
-    // Parse the JSON data incrementally
-    Json::CharReaderBuilder readerBuilder;
-    Json::Value jsonData;
-    std::string errs;
-
-    bool parsingSuccessful = Json::parseFromStream(readerBuilder, file, &jsonData, &errs);
-
-    // Close the file as it's no longer needed
-    file.close();
-
-    if (!parsingSuccessful)
-    {
-        return false;
-    }
-
-    for (const auto & revokedSet : jsonData)
-    {
-        if (strncmp(revokedSet["issuer_name"].asCString(), issuerNameBase64Str.data(), issuerNameBase64Str.size()) == 0 &&
-            strncmp(revokedSet["issuer_subject_key_id"].asCString(), akidHexStr.data(), akidHexStr.size()) == 0)
-        {
-            for (const auto & revokedSerialNumber : revokedSet["revoked_serial_numbers"])
-            {
-                if (strncmp(revokedSerialNumber.asCString(), serialNumberHexStr.data(), serialNumberHexStr.size()) == 0)
-                {
-                    return true;
-                }
-            }
-        }
-    }
-    return false;
-}
-
-CHIP_ERROR DefaultDACVerifier::GetAKIDHexStr(const ByteSpan & certDer, MutableCharSpan & outAKIDHexStr)
-{
-    uint8_t akidBuf[kAuthorityKeyIdentifierLength];
-    MutableByteSpan akid(akidBuf);
-
-    CHIP_ERROR err = ExtractAKIDFromX509Cert(certDer, akid);
-    VerifyOrReturnError(err == CHIP_NO_ERROR, err);
-    VerifyOrReturnError(outAKIDHexStr.size() > akid.size() * 2, CHIP_ERROR_BUFFER_TOO_SMALL);
-
-    Encoding::HexFlags flags = Encoding::HexFlags::kUppercaseAndNullTerminate;
-    err                      = BytesToHex(akid.data(), akid.size(), outAKIDHexStr.data(), outAKIDHexStr.size(), flags);
-    VerifyOrReturnError(err == CHIP_NO_ERROR, err);
-
-    outAKIDHexStr.reduce_size(strlen(outAKIDHexStr.data()));
-    return CHIP_NO_ERROR;
-}
-
-CHIP_ERROR DefaultDACVerifier::GetSerialNumberHexStr(const ByteSpan & certDer, MutableCharSpan & outSerialNumberHexStr)
-{
-    uint8_t serialNumberBuf[kMaxCertificateSerialNumberLength] = { 0 };
-    MutableByteSpan serialNumber(serialNumberBuf);
-
-    CHIP_ERROR err = ExtractSerialNumberFromX509Cert(certDer, serialNumber);
-    VerifyOrReturnError(err == CHIP_NO_ERROR, err);
-    VerifyOrReturnError(outSerialNumberHexStr.size() > serialNumber.size() * 2, CHIP_ERROR_BUFFER_TOO_SMALL);
-
-    Encoding::HexFlags flags = Encoding::HexFlags::kUppercaseAndNullTerminate;
-    err = BytesToHex(serialNumber.data(), serialNumber.size(), outSerialNumberHexStr.data(), outSerialNumberHexStr.size(), flags);
-    VerifyOrReturnError(err == CHIP_NO_ERROR, err);
-
-    outSerialNumberHexStr.reduce_size(strlen(outSerialNumberHexStr.data()));
-    return CHIP_NO_ERROR;
-}
-
-CHIP_ERROR DefaultDACVerifier::GetIssuerNameBase64Str(const ByteSpan & certDer, MutableCharSpan & outIssuerNameBase64String)
-{
-    uint8_t issuerBuf[kMaxCertificateDistinguishedNameLength] = { 0 };
-    MutableByteSpan issuer(issuerBuf);
-
-    CHIP_ERROR err = ExtractIssuerFromX509Cert(certDer, issuer);
-    VerifyOrReturnError(CHIP_NO_ERROR == err, err);
-    VerifyOrReturnError(outIssuerNameBase64String.size() > BASE64_ENCODED_LEN(issuer.size()), CHIP_ERROR_BUFFER_TOO_SMALL);
-
-    uint32_t encodedLen = Base64Encode32(issuer.data(), static_cast<uint32_t>(issuer.size()), outIssuerNameBase64String.data());
-    outIssuerNameBase64String.reduce_size(encodedLen);
-    return CHIP_NO_ERROR;
-}
-
-bool DefaultDACVerifier::IsCertificateRevoked(const ByteSpan & certDer)
-{
-    static constexpr uint32_t maxIssuerBase64Len = BASE64_ENCODED_LEN(kMaxCertificateDistinguishedNameLength) + 1;
-
-    char issuerNameBuffer[maxIssuerBase64Len]                                = { 0 };
-    char serialNumberHexStrBuffer[2 * kMaxCertificateSerialNumberLength + 1] = { 0 };
-    char akidHexStrBuffer[2 * kAuthorityKeyIdentifierLength + 1]             = { 0 };
-
-    MutableCharSpan issuerName(issuerNameBuffer);
-    MutableCharSpan serialNumber(serialNumberHexStrBuffer);
-    MutableCharSpan akid(akidHexStrBuffer);
-
-    CHIP_ERROR err = GetIssuerNameBase64Str(certDer, issuerName);
-    VerifyOrReturnValue(err == CHIP_NO_ERROR, false);
-
-    err = GetSerialNumberHexStr(certDer, serialNumber);
-    VerifyOrReturnValue(err == CHIP_NO_ERROR, false);
-
-    err = GetAKIDHexStr(certDer, akid);
-    VerifyOrReturnValue(err == CHIP_NO_ERROR, false);
-
-    return IsEntryExistsInRevocationSet(akid, issuerName, serialNumber);
-}
-
 void DefaultDACVerifier::CheckForRevokedDACChain(const AttestationInfo & info,
                                                  Callback::Callback<OnAttestationInformationVerification> * onCompletion)
 {
-    AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
-
-    if (mDeviceAttestationRevocationSetPath != nullptr)
+    if (mRevocationDelegate != nullptr)
     {
-        if (IsCertificateRevoked(info.dacDerBuffer))
-        {
-            attestationError = AttestationVerificationResult::kDacRevoked;
-        }
-        if (IsCertificateRevoked(info.paiDerBuffer))
-        {
-            attestationError = AttestationVerificationResult::kPaiRevoked;
-        }
+        mRevocationDelegate->CheckForRevokedDACChain(info, onCompletion);
+    }
+    else
+    {
+        onCompletion->mCall(onCompletion->mContext, info, AttestationVerificationResult::kSuccess);
     }
-
-    onCompletion->mCall(onCompletion->mContext, info, attestationError);
 }
 
 bool CsaCdKeysTrustStore::IsCdTestKey(const ByteSpan & kid) const

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h

@@ -77,31 +77,13 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
     void CheckForRevokedDACChain(const AttestationInfo & info,
                                  Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
 
-    // Set the path to the device attestation revocation set JSON file.
-    // revocation set can be generated using credentials/generate-revocation-set.py script
-    void SetDeviceAttestationRevocationSetPath(const char * path) { mDeviceAttestationRevocationSetPath = path; }
-
     CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
 
 protected:
     DefaultDACVerifier() {}
 
     CsaCdKeysTrustStore mCdKeysTrustStore;
     const AttestationTrustStore * mAttestationTrustStore;
-
-private:
-    CHIP_ERROR GetAKIDHexStr(const ByteSpan & certDer, MutableCharSpan & outAKIDHexString);
-    CHIP_ERROR GetSerialNumberHexStr(const ByteSpan & certDer, MutableCharSpan & outSerialNumberHexString);
-    CHIP_ERROR GetIssuerNameBase64Str(const ByteSpan & certDer, MutableCharSpan & outIssuerNameBase64String);
-
-    bool IsCertificateRevoked(const ByteSpan & certDer);
-
-    // Searches the revocation set and returns true if for the given AKID, issuer name and serial number
-    // the entry is found in the revocation set, false otherwise.
-    bool IsEntryExistsInRevocationSet(const CharSpan & akidHexStr, const CharSpan & issuerNameBase64Str,
-                                      const CharSpan & serialNumberHexStr);
-
-    const char * mDeviceAttestationRevocationSetPath = nullptr;
 };
 
 /**

src/credentials/attestation_verifier/DeviceAttestationVerifier.h

@@ -259,6 +259,8 @@ class ArrayAttestationTrustStore : public AttestationTrustStore
     const size_t mNumCerts;
 };
 
+class DeviceAttestationRevocationDelegate;
+
 class DeviceAttestationVerifier
 {
 public:
@@ -409,13 +411,39 @@ class DeviceAttestationVerifier
     void EnableCdTestKeySupport(bool enabled) { mEnableCdTestKeySupport = enabled; }
     bool IsCdTestKeySupported() const { return mEnableCdTestKeySupport; }
 
+    void SetRevocationDelegate(DeviceAttestationRevocationDelegate * delegate) { mRevocationDelegate = delegate; }
+
 protected:
     CHIP_ERROR ValidateAttestationSignature(const Crypto::P256PublicKey & pubkey, const ByteSpan & attestationElements,
                                             const ByteSpan & attestationChallenge, const Crypto::P256ECDSASignature & signature);
 
     // Default to support the "development" test key for legacy purposes (since the DefaultDACVerifier)
     // always supported development keys.
     bool mEnableCdTestKeySupport = true;
+
+    DeviceAttestationRevocationDelegate * mRevocationDelegate = nullptr;
+};
+
+/**
+ * @brief Interface for checking the device attestation revocation status
+ *
+ */
+class DeviceAttestationRevocationDelegate
+{
+public:
+    DeviceAttestationRevocationDelegate()          = default;
+    virtual ~DeviceAttestationRevocationDelegate() = default;
+
+    /**
+     * @brief Verify whether or not the given DAC chain is revoked.
+     *
+     * @param[in] info All of the information required to check for revoked DAC chain.
+     * @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
+     *                         CheckForRevokedDACChain().
+     */
+    virtual void
+    CheckForRevokedDACChain(const DeviceAttestationVerifier::AttestationInfo & info,
+                            Callback::Callback<DeviceAttestationVerifier::OnAttestationInformationVerification> * onCompletion) = 0;
 };
 
 /**