Addressed review comments

vijs · vijs · commit 4db45bfdd9f2 · 2024-03-15T01:28:00.000-04:00
diff --git a/scripts/tools/check_includes_config.py b/scripts/tools/check_includes_config.py
@@ -134,6 +134,7 @@
 
     'src/credentials/attestation_verifier/FileAttestationTrustStore.h': {'vector'},
     'src/credentials/attestation_verifier/FileAttestationTrustStore.cpp': {'string'},
+    'src/credentials/attestation_verifier/JSONFileRevocationSet.cpp': {'fstream'},
 
     'src/setup_payload/AdditionalDataPayload.h': {'string'},
     'src/setup_payload/AdditionalDataPayloadParser.cpp': {'vector'},
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -459,45 +459,15 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
     }
 
     {
-        uint8_t issuerBuf[kMaxCertificateDistinguishedNameLength] = { 0 };
-        MutableByteSpan paaIssuer(issuerBuf);
-        MutableByteSpan paiIssuer(issuerBuf);
-        MutableByteSpan dacIssuer(issuerBuf);
-        uint8_t akidBuf[kAuthorityKeyIdentifierLength];
-        MutableByteSpan akid(akidBuf);
-        uint8_t serialNumberBuf[kMaxCertificateSerialNumberLength];
-        MutableByteSpan serialNumber(serialNumberBuf);
-
-        VerifyOrExit(ExtractIssuerFromX509Cert(paaDerBuffer, paaIssuer) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
-        VerifyOrExit(ExtractAKIDFromX509Cert(paaDerBuffer, akid) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
-        VerifyOrExit(ExtractSerialNumberFromX509Cert(paaDerBuffer, serialNumber) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
-
-        attestationError = IsCertificateRevoked(true, paaVidPid, paaIssuer, akid, serialNumber);
+        attestationError = IsCertificateRevoked(true, paaVidPid, paaDerBuffer);
         VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess,
                      attestationError = AttestationVerificationResult::kPaaRevoked);
 
-        VerifyOrExit(ExtractIssuerFromX509Cert(info.paiDerBuffer, paiIssuer) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaiFormatInvalid);
-        VerifyOrExit(ExtractAKIDFromX509Cert(info.paiDerBuffer, akid) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaiFormatInvalid);
-        VerifyOrExit(ExtractSerialNumberFromX509Cert(info.paiDerBuffer, serialNumber) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kPaiFormatInvalid);
-
-        attestationError = IsCertificateRevoked(false, paiVidPid, paiIssuer, akid, serialNumber);
+        attestationError = IsCertificateRevoked(false, paiVidPid, info.paiDerBuffer);
         VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess,
                      attestationError = AttestationVerificationResult::kPaiRevoked);
 
-        VerifyOrExit(ExtractIssuerFromX509Cert(info.dacDerBuffer, dacIssuer) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kDacFormatInvalid);
-        VerifyOrExit(ExtractAKIDFromX509Cert(info.dacDerBuffer, akid) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kDacFormatInvalid);
-        VerifyOrExit(ExtractSerialNumberFromX509Cert(info.dacDerBuffer, serialNumber) == CHIP_NO_ERROR,
-                     attestationError = AttestationVerificationResult::kDacFormatInvalid);
-
-        attestationError = IsCertificateRevoked(false, dacVidPid, dacIssuer, akid, serialNumber);
+        attestationError = IsCertificateRevoked(false, dacVidPid, info.dacDerBuffer);
         VerifyOrExit(attestationError == AttestationVerificationResult::kSuccess,
                      attestationError = AttestationVerificationResult::kDacRevoked);
     }
@@ -651,11 +621,31 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
     return CHIP_NO_ERROR;
 }
 
+AttestationVerificationResult DefaultDACVerifier::IsCertificateRevoked(bool isPaa, Crypto::AttestationCertVidPid vidPidUnderTest,
+                                                                       ByteSpan certificate)
+{
+    uint8_t issuerBuf[kMaxCertificateDistinguishedNameLength] = { 0 };
+    MutableByteSpan issuer(issuerBuf);
+    uint8_t akidBuf[kAuthorityKeyIdentifierLength];
+    MutableByteSpan akid(akidBuf);
+    uint8_t serialNumberBuf[kMaxCertificateSerialNumberLength];
+    MutableByteSpan serialNumber(serialNumberBuf);
+
+    VerifyOrReturnError(ExtractIssuerFromX509Cert(certificate, issuer) == CHIP_NO_ERROR,
+                        AttestationVerificationResult::kPaaFormatInvalid);
+    VerifyOrReturnError(ExtractAKIDFromX509Cert(certificate, akid) == CHIP_NO_ERROR,
+                        AttestationVerificationResult::kPaaFormatInvalid);
+    VerifyOrReturnError(ExtractSerialNumberFromX509Cert(certificate, serialNumber) == CHIP_NO_ERROR,
+                        AttestationVerificationResult::kPaaFormatInvalid);
+
+    return IsCertificateRevoked(isPaa, vidPidUnderTest, issuer, akid, serialNumber);
+}
+
 AttestationVerificationResult DefaultDACVerifier::IsCertificateRevoked(bool isPaa, AttestationCertVidPid vidPidUnderTest,
                                                                        ByteSpan issuer, ByteSpan authorityKeyId,
                                                                        ByteSpan serialNumber)
 {
-    VerifyOrReturnError(mRevocationSet != nullptr, AttestationVerificationResult::kNotImplemented);
+    VerifyOrReturnError(mRevocationSet != nullptr, AttestationVerificationResult::kSuccess);
 
     return mRevocationSet->IsCertificateRevoked(isPaa, vidPidUnderTest, issuer, authorityKeyId, serialNumber);
 }
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
@@ -87,6 +87,9 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
     CsaCdKeysTrustStore mCdKeysTrustStore;
     const AttestationTrustStore * mAttestationTrustStore;
     const RevocationSet * mRevocationSet;
+
+    AttestationVerificationResult IsCertificateRevoked(bool isPaa, Crypto::AttestationCertVidPid vidPidUnderTest,
+                                                       ByteSpan certificate);
 };
 
 /**
@@ -115,7 +118,8 @@ const AttestationTrustStore * GetTestAttestationTrustStore();
  *          process lifetime.  In particular, after the first call it's not
  *          possible to change which AttestationTrustStore is used by this verifier.
  */
-DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore, const RevocationSet * revocationSet);
+DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
+                                                  const RevocationSet * revocationSet = nullptr);
 
 } // namespace Credentials
 } // namespace chip
diff --git a/src/credentials/attestation_verifier/JSONFileRevocationSet.cpp b/src/credentials/attestation_verifier/JSONFileRevocationSet.cpp
@@ -16,13 +16,13 @@
  */
 #include "JSONFileRevocationSet.h"
 
+#include <lib/core/CHIPSafeCasts.h>
 #include <lib/support/Base64.h>
 #include <lib/support/BytesToHex.h>
 #include <lib/support/ScopedBuffer.h>
 
 #include <cstdlib>
 #include <fstream>
-#include <iostream>
 
 namespace chip {
 namespace Credentials {
@@ -53,17 +53,16 @@ AttestationVerificationResult JSONFileRevocationSet::IsCertificateRevoked(bool i
                                                                           ByteSpan issuer, ByteSpan authorityKeyId,
                                                                           ByteSpan serialNumber) const
 {
-    for (size_t revocation_set_idx = 0; revocation_set_idx < mRevocationSet.size(); ++revocation_set_idx)
+    for (int revocation_set_idx = 0; revocation_set_idx < static_cast<int>(mRevocationSet.size()); ++revocation_set_idx)
     {
-        Json::Value type = mRevocationSet[static_cast<int>(revocation_set_idx)]["type"];
+        Json::Value revocationSetEntry = mRevocationSet[revocation_set_idx];
 
         // 1.
-        if (type.asString().compare("revocation_set") == 0)
+        if (revocationSetEntry["type"].asString().compare("revocation_set") == 0)
         {
-            Json::Value jsonCrlIssuerSubjectKeyId = mRevocationSet[static_cast<int>(revocation_set_idx)]["issuer_subject_key_id"];
-            Json::Value jsonCrlIssuerName         = mRevocationSet[static_cast<int>(revocation_set_idx)]["issuer_name"];
-            Json::Value jsonCrlRevokedSerialNumbers =
-                mRevocationSet[static_cast<int>(revocation_set_idx)]["revoked_serial_numbers"];
+            Json::Value jsonCrlIssuerSubjectKeyId   = revocationSetEntry["issuer_subject_key_id"];
+            Json::Value jsonCrlIssuerName           = revocationSetEntry["issuer_name"];
+            Json::Value jsonCrlRevokedSerialNumbers = revocationSetEntry["revoked_serial_numbers"];
 
             uint8_t crlIssuerSubjectKeyIdBuf[Crypto::kAuthorityKeyIdentifierLength] = { 0 };
             ByteSpan crlIssuerSubjectKeyId(crlIssuerSubjectKeyIdBuf);
@@ -81,62 +80,46 @@ AttestationVerificationResult JSONFileRevocationSet::IsCertificateRevoked(bool i
 
             // 2.
             size_t crlSignerCertificateLength =
-                Base64Decode(jsonCrlIssuerName.asString().c_str(), jsonCrlIssuerName.asString().size(), crlSignerCertificate.Get());
+                Base64Decode(jsonCrlIssuerName.asString().c_str(), static_cast<uint16_t>(jsonCrlIssuerName.asString().size()),
+                             crlSignerCertificate.Get());
             VerifyOrReturnError(crlSignerCertificateLength > 0 && crlSignerCertificateLength != UINT16_MAX,
                                 AttestationVerificationResult::kInternalError);
 
-            // 3.
-            if (isPaa)
-            {
-                Crypto::AttestationCertVidPid vid;
+            // 3. && 4.
+            Crypto::AttestationCertVidPid vidPid;
 
-                Crypto::ExtractVIDPIDFromAttributeString(
-                    Crypto::DNAttrType::kCommonName, ByteSpan(crlSignerCertificate.Get(), crlSignerCertificateLength), vid, vid);
+            Crypto::ExtractVIDPIDFromAttributeString(
+                Crypto::DNAttrType::kCommonName, ByteSpan(crlSignerCertificate.Get(), crlSignerCertificateLength), vidPid, vidPid);
 
-                if (vid.mVendorId.HasValue())
+            if (vidPid.mVendorId.HasValue() && vidPid.mVendorId.Value() != vidPidUnderTest.mVendorId.Value())
+            {
+                // VID does not match. Stop further processing and continue to next entry.
+                continue;
+            }
+
+            if (isPaa)
+            {
+                if (vidPid.mProductId.HasValue())
                 {
-                    if (vid.mVendorId.Value() != vidPidUnderTest.mVendorId.Value())
-                    {
-                        // VID does not match. Stop further processing and continue to next entry.
-                        continue;
-                    }
+                    // PAA must not contain PID entry. Format wrong. Continuing to next entry.
+                    continue;
                 }
             }
-            // 4.
             else
             {
-                Crypto::AttestationCertVidPid vidPid;
-
-                Crypto::ExtractVIDPIDFromAttributeString(Crypto::DNAttrType::kCommonName,
-                                                         ByteSpan(crlSignerCertificate.Get(), crlSignerCertificateLength), vidPid,
-                                                         vidPid);
-
-                if (vidPid.mVendorId.HasValue() && vidPid.mVendorId.Value() != vidPidUnderTest.mVendorId.Value())
+                if (vidPid.mProductId.HasValue() && vidPid.mProductId.Value() != vidPidUnderTest.mProductId.Value())
                 {
-                    // VID does not match. Stop further processing and continue to next entry.
+                    // PID does not match. Stop further processing and continue to next entry.
                     continue;
                 }
-
-                if (vidPid.mProductId.HasValue())
-                {
-                    if (vidPid.mProductId.Value() != vidPidUnderTest.mProductId.Value())
-                    {
-                        // PID does not match. Stop further processing and continue to next entry.
-                        continue;
-                    }
-                }
             }
 
-            // 7.a Perform CRLFile validation
+            // 7. Perform CRLFile validation
             if (authorityKeyId.data_equal(crlIssuerSubjectKeyId) == false)
             {
                 continue;
             }
 
-            // TODO: 7.b
-
-            // TODO: 8.
-
             // 9. && 10.
             for (int serial_number_idx = 0; serial_number_idx < static_cast<int>(jsonCrlRevokedSerialNumbers.size());
                  ++serial_number_idx)
@@ -151,15 +134,16 @@ AttestationVerificationResult JSONFileRevocationSet::IsCertificateRevoked(bool i
 
                 size_t revokedSerialNumberLength =
                     Base64Decode(jsonCrlRevokedSerialNumbers[serial_number_idx].asString().c_str(),
-                                 jsonCrlRevokedSerialNumbers[serial_number_idx].asString().size(), revokedSerialNumber.Get());
+                                 static_cast<uint16_t>(jsonCrlRevokedSerialNumbers[serial_number_idx].asString().size()),
+                                 revokedSerialNumber.Get());
                 VerifyOrReturnError(revokedSerialNumberLength > 0 && revokedSerialNumberLength != UINT16_MAX,
                                     AttestationVerificationResult::kInternalError);
 
                 uint8_t crlRevokedSerialNumberBuf[Crypto::kMaxCertificateSerialNumberLength] = { 0 };
                 ByteSpan crlSerialNumber(crlRevokedSerialNumberBuf);
 
-                VerifyOrReturnError(Encoding::HexToBytes(reinterpret_cast<char *>(revokedSerialNumber.Get()),
-                                                         revokedSerialNumberLength, crlRevokedSerialNumberBuf,
+                VerifyOrReturnError(Encoding::HexToBytes(Uint8::to_char(revokedSerialNumber.Get()), revokedSerialNumberLength,
+                                                         crlRevokedSerialNumberBuf,
                                                          sizeof(crlRevokedSerialNumberBuf)) == sizeof(crlRevokedSerialNumberBuf),
                                     AttestationVerificationResult::kInvalidArgument);
 
