option to configure the revocation set file in chip-tool

Author: shubhamdp

examples/chip-tool/commands/common/CHIPCommand.cpp

@@ -452,6 +452,8 @@ CHIP_ERROR CHIPCommand::InitializeCommissioner(CommissionerIdentity & identity,
 
     ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams, sTrustStore));
 
+    mCredIssuerCmds->SetupDeviceAttestationRevocationSetPath(mDacRevocationSetPath.ValueOr(nullptr));
+
     chip::Crypto::P256Keypair ephemeralKey;
 
     if (fabricId != chip::kUndefinedFabricId)

examples/chip-tool/commands/common/CHIPCommand.h

@@ -86,6 +86,8 @@ class CHIPCommand : public Command
         AddArgument("only-allow-trusted-cd-keys", 0, 1, &mOnlyAllowTrustedCdKeys,
                     "Only allow trusted CD verifying keys (disallow test keys). If not provided or 0 (\"false\"), untrusted CD "
                     "verifying keys are allowed. If 1 (\"true\"), test keys are disallowed.");
+        AddArgument("dac-revocation-set-path", &mDacRevocationSetPath,
+                    "Path to json file containing the device attestation revocation set.");
 #if CHIP_CONFIG_TRANSPORT_TRACE_ENABLED
         AddArgument("trace_file", &mTraceFile);
         AddArgument("trace_log", 0, 1, &mTraceLog);
@@ -222,6 +224,7 @@ class CHIPCommand : public Command
     chip::Optional<char *> mCDTrustStorePath;
     chip::Optional<bool> mUseMaxSizedCerts;
     chip::Optional<bool> mOnlyAllowTrustedCdKeys;
+    chip::Optional<char *> mDacRevocationSetPath;
 
     // Cached trust store so commands other than the original startup command
     // can spin up commissioners as needed.

examples/chip-tool/commands/common/CredentialIssuerCommands.h

@@ -62,6 +62,15 @@ class CredentialIssuerCommands
     virtual CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
                                               const chip::Credentials::AttestationTrustStore * trustStore) = 0;
 
+    /**
+     * @brief
+     *   This function is used to set the path to Device Attestation revocation set JSON file.
+     *
+     * @param[in] path Path to the JSON file containing list of revoked DACs or PAIs.
+     *                 It can be generated using credentials/generate-revocation-set.py script
+     */
+    virtual void SetupDeviceAttestationRevocationSetPath(const char * path) = 0;
+
     /**
      * @brief Add a list of additional non-default CD verifying keys (by certificate)
      *

examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h

@@ -44,6 +44,17 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
 
         return CHIP_NO_ERROR;
     }
+
+    void SetupDeviceAttestationRevocationSetPath(const char * path) override
+    {
+        if (path)
+        {
+            // As we know that we are using DefaultDACVerifier, we can downcast from
+            // DeviceAttestationVerifier to DefaultDACVerifier to set the revocation set
+            static_cast<chip::Credentials::DefaultDACVerifier *>(mDacVerifier)->SetDeviceAttestationRevocationSetPath(path);
+        }
+    }
+
     chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
     void SetCredentialIssuerCATValues(chip::CATValues cats) override { mOpCredsIssuer.SetCATValuesForNextNOCRequest(cats); }
     CHIP_ERROR GenerateControllerNOCChain(chip::NodeId nodeId, chip::FabricId fabricId, const chip::CATValues & cats,