Implemented PR #31222 review comments

Author: vijs

src/controller/CHIPDeviceController.cpp

@@ -392,8 +392,8 @@ DeviceCommissioner::DeviceCommissioner() :
     mOnDeviceConnectionRetryCallback(OnDeviceConnectionRetryFn, this),
 #endif // CHIP_DEVICE_CONFIG_ENABLE_AUTOMATIC_CASE_RETRIES
     mDeviceAttestationInformationVerificationCallback(OnDeviceAttestationInformationVerification, this),
-    mDACChainRevocationStatusVerificationCallback(OnDACChainRevocationStatusVerification, this),
-    mDeviceNOCChainCallback(OnDeviceNOCChainGeneration, this), mSetUpCodePairer(this)
+    mDACChainRevocationStatusCallback(OnDACChainRevocationStatus, this), mDeviceNOCChainCallback(OnDeviceNOCChainGeneration, this),
+    mSetUpCodePairer(this)
 {}
 
 CHIP_ERROR DeviceCommissioner::Init(CommissionerInitParams params)
@@ -1107,6 +1107,17 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
     MATTER_TRACE_SCOPE("OnDeviceAttestationInformationVerification", "DeviceCommissioner");
     DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
 
+    if (commissioner->attestationInformationVerificationResult == AttestationVerificationResult::kNotImplemented)
+    {
+        commissioner->attestationInformationVerificationResult = result;
+    }
+
+    VerifyOrReturn(commissioner->dacChainRevocationStatusResult != AttestationVerificationResult::kNotImplemented);
+
+    result = commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kSuccess
+        ? commissioner->attestationInformationVerificationResult
+        : commissioner->dacChainRevocationStatusResult;
+
     if (!commissioner->mDeviceBeingCommissioned)
     {
         ChipLogError(Controller, "Device attestation verification result received when we're not commissioning a device");
@@ -1156,64 +1167,25 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
     }
 }
 
-void DeviceCommissioner::OnDACChainRevocationStatusVerification(
-    void * context, const Credentials::DeviceAttestationVerifier::AttestationInfo & info, AttestationVerificationResult result)
+void DeviceCommissioner::OnDACChainRevocationStatus(void * context,
+                                                    const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
+                                                    AttestationVerificationResult result)
 {
-    MATTER_TRACE_SCOPE("OnDACChainRevocationStatusVerification", "DeviceCommissioner");
+    MATTER_TRACE_SCOPE("OnDeviceAttestationInformationVerification", "DeviceCommissioner");
     DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
 
-    if (!commissioner->mDeviceBeingCommissioned)
+    if (commissioner->dacChainRevocationStatusResult == AttestationVerificationResult::kNotImplemented)
     {
-        ChipLogError(Controller, "Device attestation verification result received when we're not commissioning a device");
-        return;
+        commissioner->dacChainRevocationStatusResult = result;
     }
 
-    auto & params = commissioner->mDefaultCommissioner->GetCommissioningParameters();
-    Credentials::DeviceAttestationDelegate * deviceAttestationDelegate = params.GetDeviceAttestationDelegate();
+    VerifyOrReturn(commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kNotImplemented);
 
-    if (result != AttestationVerificationResult::kSuccess)
-    {
-        CommissioningDelegate::CommissioningReport report;
-        report.Set<AttestationErrorInfo>(result);
-        if (result == AttestationVerificationResult::kNotImplemented)
-        {
-            ChipLogError(Controller,
-                         "Failed in verifying 'DAC Chain Revocation Status' command received from the device due to default "
-                         "DeviceAttestationVerifier Class not being overridden by a real implementation.");
-            commissioner->CommissioningStageComplete(CHIP_ERROR_NOT_IMPLEMENTED, report);
-            return;
-        }
-
-        ChipLogError(Controller,
-                     "Failed in verifying 'DAC Chain Revocation Status' command received from the device: err %hu. Look at "
-                     "AttestationVerificationResult enum to understand the errors",
-                     static_cast<uint16_t>(result));
-        // Go look at AttestationVerificationResult enum in src/credentials/attestation_verifier/DeviceAttestationVerifier.h to
-        // understand the errors.
-
-        // If a device attestation status delegate is installed, delegate handling of failure to the client and let them decide on
-        // whether to proceed further or not.
-        if (deviceAttestationDelegate)
-        {
-            commissioner->ExtendArmFailSafeForDeviceAttestation(info, result);
-        }
-        else
-        {
-            commissioner->CommissioningStageComplete(CHIP_ERROR_INTERNAL, report);
-        }
-    }
-    else
-    {
-        if (deviceAttestationDelegate && deviceAttestationDelegate->ShouldWaitAfterDeviceAttestation())
-        {
-            commissioner->ExtendArmFailSafeForDeviceAttestation(info, result);
-        }
-        else
-        {
-            ChipLogProgress(Controller, "Successfully validated 'DAC Chain Revocation Status' command received from the device.");
-            commissioner->CommissioningStageComplete(CHIP_NO_ERROR);
-        }
-    }
+    OnDeviceAttestationInformationVerification(context, info,
+                                               commissioner->dacChainRevocationStatusResult !=
+                                                       AttestationVerificationResult::kSuccess
+                                                   ? commissioner->dacChainRevocationStatusResult
+                                                   : result);
 }
 
 void DeviceCommissioner::OnArmFailSafeExtendedForDeviceAttestation(
@@ -1363,13 +1335,13 @@ CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const Credentials::Device
 }
 
 CHIP_ERROR
-DeviceCommissioner::ValidateDACChainRevocationStatus(const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
+DeviceCommissioner::CheckForRevokedDACChain(const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
 {
-    MATTER_TRACE_SCOPE("ValidateDACChainRevocationStatus", "DeviceCommissioner");
+    MATTER_TRACE_SCOPE("CheckForRevokedDACChain", "DeviceCommissioner");
     VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
     VerifyOrReturnError(mDeviceAttestationVerifier != nullptr, CHIP_ERROR_INCORRECT_STATE);
 
-    mDeviceAttestationVerifier->ValidateDACChainRevocationStatus(info, &mDACChainRevocationStatusVerificationCallback);
+    mDeviceAttestationVerifier->CheckForRevokedDACChain(info, &mDACChainRevocationStatusCallback);
 
     return CHIP_NO_ERROR;
 }
@@ -2971,14 +2943,11 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
     }
     case CommissioningStage::kAttestationVerification: {
         ChipLogProgress(Controller, "Verifying attestation");
-        if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
-            !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
-            !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
-        {
-            ChipLogError(Controller, "Missing attestation information");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
-            return;
-        }
+        VerifyOrReturn(IsAttestationInformationMissing(params) == false);
+
+        // Reset results before verifying
+        attestationInformationVerificationResult = AttestationVerificationResult::kNotImplemented;
+        dacChainRevocationStatusResult           = AttestationVerificationResult::kNotImplemented;
 
         DeviceAttestationVerifier::AttestationInfo info(
             params.GetAttestationElements().Value(),
@@ -2996,25 +2965,18 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
     break;
     case CommissioningStage::kAttestationRevocationCheck: {
         ChipLogProgress(Controller, "Verifying device's DAC chain revocation status");
-        if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
-            !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
-            !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
-        {
-            ChipLogError(Controller, "Missing attestation certificates");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
-            return;
-        }
+        VerifyOrReturn(IsAttestationInformationMissing(params) == false);
 
         DeviceAttestationVerifier::AttestationInfo info(
             params.GetAttestationElements().Value(),
             proxy->GetSecureSession().Value()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge(),
             params.GetAttestationSignature().Value(), params.GetPAI().Value(), params.GetDAC().Value(),
             params.GetAttestationNonce().Value(), params.GetRemoteVendorId().Value(), params.GetRemoteProductId().Value());
 
-        if (ValidateDACChainRevocationStatus(info) != CHIP_NO_ERROR)
+        if (CheckForRevokedDACChain(info) != CHIP_NO_ERROR)
         {
             ChipLogError(Controller, "Error validating device's DAC chain revocation status");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
+            CommissioningStageComplete(CHIP_ERROR_FAILED_DEVICE_ATTESTATION);
             return;
         }
     }
@@ -3359,6 +3321,20 @@ void DeviceCommissioner::ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device,
     }
 }
 
+bool DeviceCommissioner::IsAttestationInformationMissing(CommissioningParameters & params)
+{
+    if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
+        !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
+        !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
+    {
+        ChipLogError(Controller, "Missing attestation information");
+        CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
+        return true;
+    }
+
+    return false;
+}
+
 CHIP_ERROR DeviceController::GetCompressedFabricIdBytes(MutableByteSpan & outBytes) const
 {
     const auto * fabricInfo = GetFabricInfo();

src/controller/CHIPDeviceController.h

@@ -610,7 +610,7 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
      *
      * @param[in] info Structure contatining all the required information for validating the device attestation.
      */
-    CHIP_ERROR ValidateDACChainRevocationStatus(const Credentials::DeviceAttestationVerifier::AttestationInfo & info);
+    CHIP_ERROR CheckForRevokedDACChain(const Credentials::DeviceAttestationVerifier::AttestationInfo & info);
 
     /**
      * @brief
@@ -792,6 +792,11 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
 
     ObjectPool<CommissioneeDeviceProxy, kNumMaxActiveDevices> mCommissioneeDevicePool;
 
+    Credentials::AttestationVerificationResult attestationInformationVerificationResult =
+        Credentials::AttestationVerificationResult::kNotImplemented;
+    Credentials::AttestationVerificationResult dacChainRevocationStatusResult =
+        Credentials::AttestationVerificationResult::kNotImplemented;
+
 #if CHIP_DEVICE_CONFIG_ENABLE_COMMISSIONER_DISCOVERY // make this commissioner discoverable
     UserDirectedCommissioningServer * mUdcServer = nullptr;
     // mUdcTransportMgr is for insecure communication (ex. user directed commissioning)
@@ -892,9 +897,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     static void OnDeviceAttestationInformationVerification(void * context,
                                                            const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
                                                            Credentials::AttestationVerificationResult result);
-    static void OnDACChainRevocationStatusVerification(void * context,
-                                                       const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
-                                                       Credentials::AttestationVerificationResult result);
+    static void OnDACChainRevocationStatus(void * context, const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
+                                           Credentials::AttestationVerificationResult result);
 
     static void OnDeviceNOCChainGeneration(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
                                            const ByteSpan & rcac, Optional<IdentityProtectionKeySpan> ipk,
@@ -1020,6 +1024,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     // extend it).
     void ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device, CommissioningParameters & params, CommissioningStage step);
 
+    bool IsAttestationInformationMissing(CommissioningParameters & params);
+
     chip::Callback::Callback<OnDeviceConnected> mOnDeviceConnectedCallback;
     chip::Callback::Callback<OnDeviceConnectionFailure> mOnDeviceConnectionFailureCallback;
 #if CHIP_DEVICE_CONFIG_ENABLE_AUTOMATIC_CASE_RETRIES
@@ -1029,7 +1035,7 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     chip::Callback::Callback<Credentials::DeviceAttestationVerifier::OnAttestationInformationVerification>
         mDeviceAttestationInformationVerificationCallback;
     chip::Callback::Callback<Credentials::DeviceAttestationVerifier::OnAttestationInformationVerification>
-        mDACChainRevocationStatusVerificationCallback;
+        mDACChainRevocationStatusCallback;
 
     chip::Callback::Callback<OnNOCChainGeneration> mDeviceNOCChainCallback;
     SetUpCodePairer mSetUpCodePairer;

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

@@ -607,12 +607,12 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
     return CHIP_NO_ERROR;
 }
 
-void DefaultDACVerifier::ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion)
+void DefaultDACVerifier::CheckForRevokedDACChain(const AttestationInfo & info,
+                                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion)
 {
     AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
 
-    // TODO
+    // TODO(#33124): Implement default version of CheckForRevokedDACChain
 
     onCompletion->mCall(onCompletion->mContext, info, attestationError);
 }

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h

@@ -74,8 +74,8 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
                                                    const ByteSpan & attestationSignatureBuffer,
                                                    const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
 
-    void ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
+    void CheckForRevokedDACChain(const AttestationInfo & info,
+                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
 
     CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
 

src/credentials/attestation_verifier/DeviceAttestationVerifier.cpp

@@ -70,11 +70,12 @@ class UnimplementedDACVerifier : public DeviceAttestationVerifier
         return CHIP_ERROR_NOT_IMPLEMENTED;
     }
 
-    void ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion) override
+    void CheckForRevokedDACChain(const AttestationInfo & info,
+                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion) override
     {
         (void) info;
         (void) onCompletion;
+        VerifyOrDie(false);
     }
 };
 

src/credentials/attestation_verifier/DeviceAttestationVerifier.h

@@ -386,8 +386,15 @@ class DeviceAttestationVerifier
                                                            const Crypto::P256PublicKey & dacPublicKey,
                                                            const ByteSpan & csrNonce) = 0;
 
-    virtual void ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                                  Callback::Callback<OnAttestationInformationVerification> * onCompletion) = 0;
+    /**
+     * @brief Verify whether or not the given DAC chain is revoked.
+     *
+     * @param[in] info All of the information required to check for revoked DAC chain.
+     * @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
+     *                         CheckForRevokedDACChain()
+     */
+    virtual void CheckForRevokedDACChain(const AttestationInfo & info,
+                                         Callback::Callback<OnAttestationInformationVerification> * onCompletion) = 0;
 
     /**
      * @brief Get the trust store used for the attestation verifier.

src/lib/core/CHIPError.cpp

@@ -146,6 +146,9 @@ bool FormatCHIPError(char * buf, uint16_t bufSize, CHIP_ERROR err)
     case CHIP_ERROR_INVALID_LIST_LENGTH.AsInteger():
         desc = "Invalid list length";
         break;
+    case CHIP_ERROR_FAILED_DEVICE_ATTESTATION.AsInteger():
+        desc = "Failed Device Attestation";
+        break;
     case CHIP_END_OF_TLV.AsInteger():
         desc = "End of TLV";
         break;

src/lib/core/CHIPError.h

@@ -707,7 +707,14 @@ using CHIP_ERROR = ::chip::ChipError;
  */
 #define CHIP_ERROR_INVALID_LIST_LENGTH                         CHIP_CORE_ERROR(0x1f)
 
-// AVAILABLE: 0x20
+/**
+ *  @def CHIP_ERROR_FAILED_DEVICE_ATTESTATION
+ *
+ *  @brief
+ *    Device Attestation failed.
+ *
+ */
+#define CHIP_ERROR_FAILED_DEVICE_ATTESTATION                   CHIP_CORE_ERROR(0x20)
 
 /**
  *  @def CHIP_END_OF_TLV

src/lib/core/tests/TestCHIPErrorStr.cpp

@@ -71,6 +71,7 @@ static const CHIP_ERROR kTestElements[] =
     CHIP_ERROR_UNINITIALIZED,
     CHIP_ERROR_INVALID_STRING_LENGTH,
     CHIP_ERROR_INVALID_LIST_LENGTH,
+    CHIP_ERROR_FAILED_DEVICE_ATTESTATION,
     CHIP_END_OF_TLV,
     CHIP_ERROR_TLV_UNDERRUN,
     CHIP_ERROR_INVALID_TLV_ELEMENT,