Implemented PR #31222 review comments

Author: vijs

docs/ERROR_CODES.md

@@ -47,6 +47,7 @@ This file was **AUTOMATICALLY** generated by
 | 29        | 0x1D  | `CHIP_ERROR_INVALID_IPK`                           |
 | 30        | 0x1E  | `CHIP_ERROR_INVALID_STRING_LENGTH`                 |
 | 31        | 0x1F  | `CHIP_ERROR_INVALID_LIST_LENGTH`                   |
+| 32        | 0x20  | `CHIP_ERROR_FAILED_DEVICE_ATTESTATION`             |
 | 33        | 0x21  | `CHIP_ERROR_END_OF_TLV`                            |
 | 34        | 0x22  | `CHIP_ERROR_TLV_UNDERRUN`                          |
 | 35        | 0x23  | `CHIP_ERROR_INVALID_TLV_ELEMENT`                   |

src/controller/AutoCommissioner.cpp

@@ -388,7 +388,8 @@ CommissioningStage AutoCommissioner::GetNextCommissioningStageInternal(Commissio
     case CommissioningStage::kSendAttestationRequest:
         return CommissioningStage::kAttestationVerification;
     case CommissioningStage::kAttestationVerification:
-        return CommissioningStage::kAttestationRevocationCheck;
+        return mBypassDeviceAttestation ? CommissioningStage::kSendOpCertSigningRequest
+                                        : CommissioningStage::kAttestationRevocationCheck;
     case CommissioningStage::kAttestationRevocationCheck:
         return CommissioningStage::kSendOpCertSigningRequest;
     case CommissioningStage::kSendOpCertSigningRequest:
@@ -577,6 +578,7 @@ CHIP_ERROR AutoCommissioner::StartCommissioning(DeviceCommissioner * commissione
         return CHIP_ERROR_INVALID_ARGUMENT;
     }
     mStopCommissioning       = false;
+    mBypassDeviceAttestation = false;
     mCommissioner            = commissioner;
     mCommissioneeDeviceProxy = proxy;
     mNeedsNetworkSetup =

src/controller/AutoCommissioner.h

@@ -37,6 +37,7 @@ class AutoCommissioner : public CommissioningDelegate
 
     CHIP_ERROR StartCommissioning(DeviceCommissioner * commissioner, CommissioneeDeviceProxy * proxy) override;
     void StopCommissioning() { mStopCommissioning = true; };
+    void BypassDeviceAttestation() override { mBypassDeviceAttestation = true; }
 
     CHIP_ERROR CommissioningStepFinished(CHIP_ERROR err, CommissioningDelegate::CommissioningReport report) override;
 
@@ -92,7 +93,8 @@ class AutoCommissioner : public CommissioningDelegate
                  mDeviceCommissioningInfo.network.thread.endpoint != kInvalidEndpointId));
     };
 
-    bool mStopCommissioning = false;
+    bool mStopCommissioning       = false;
+    bool mBypassDeviceAttestation = false;
 
     DeviceCommissioner * mCommissioner                               = nullptr;
     CommissioneeDeviceProxy * mCommissioneeDeviceProxy               = nullptr;

src/controller/CHIPDeviceController.cpp

@@ -392,8 +392,8 @@ DeviceCommissioner::DeviceCommissioner() :
     mOnDeviceConnectionRetryCallback(OnDeviceConnectionRetryFn, this),
 #endif // CHIP_DEVICE_CONFIG_ENABLE_AUTOMATIC_CASE_RETRIES
     mDeviceAttestationInformationVerificationCallback(OnDeviceAttestationInformationVerification, this),
-    mDACChainRevocationStatusVerificationCallback(OnDACChainRevocationStatusVerification, this),
-    mDeviceNOCChainCallback(OnDeviceNOCChainGeneration, this), mSetUpCodePairer(this)
+    mDACChainRevocationStatusCallback(OnDACChainRevocationStatus, this), mDeviceNOCChainCallback(OnDeviceNOCChainGeneration, this),
+    mSetUpCodePairer(this)
 {}
 
 CHIP_ERROR DeviceCommissioner::Init(CommissionerInitParams params)
@@ -888,6 +888,8 @@ DeviceCommissioner::ContinueCommissioningAfterDeviceAttestation(DeviceProxy * de
     ChipLogProgress(Controller, "Continuing commissioning after attestation failure for device ID 0x" ChipLogFormatX64,
                     ChipLogValueX64(commissioneeDevice->GetDeviceId()));
 
+    mCommissioningDelegate->BypassDeviceAttestation();
+
     if (attestationResult != AttestationVerificationResult::kSuccess)
     {
         ChipLogError(Controller, "Client selected error: %u for failed 'Attestation Information' for device",
@@ -1107,6 +1109,22 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
     MATTER_TRACE_SCOPE("OnDeviceAttestationInformationVerification", "DeviceCommissioner");
     DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
 
+    if (commissioner->attestationInformationVerificationResult == AttestationVerificationResult::kNotImplemented)
+    {
+        commissioner->attestationInformationVerificationResult = result;
+    }
+
+    if (commissioner->attestationInformationVerificationResult == AttestationVerificationResult::kSuccess &&
+        commissioner->dacChainRevocationStatusResult == AttestationVerificationResult::kNotImplemented)
+    {
+        // Check for revoked DAC Chain before calling delegate. Enter next stage.
+        return commissioner->CommissioningStageComplete(CHIP_NO_ERROR);
+    }
+
+    result = commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kSuccess
+        ? commissioner->attestationInformationVerificationResult
+        : commissioner->dacChainRevocationStatusResult;
+
     if (!commissioner->mDeviceBeingCommissioned)
     {
         ChipLogError(Controller, "Device attestation verification result received when we're not commissioning a device");
@@ -1156,64 +1174,21 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(
     }
 }
 
-void DeviceCommissioner::OnDACChainRevocationStatusVerification(
-    void * context, const Credentials::DeviceAttestationVerifier::AttestationInfo & info, AttestationVerificationResult result)
+void DeviceCommissioner::OnDACChainRevocationStatus(void * context,
+                                                    const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
+                                                    AttestationVerificationResult result)
 {
-    MATTER_TRACE_SCOPE("OnDACChainRevocationStatusVerification", "DeviceCommissioner");
+    MATTER_TRACE_SCOPE("OnDeviceAttestationInformationVerification", "DeviceCommissioner");
     DeviceCommissioner * commissioner = reinterpret_cast<DeviceCommissioner *>(context);
 
-    if (!commissioner->mDeviceBeingCommissioned)
+    if (commissioner->dacChainRevocationStatusResult == AttestationVerificationResult::kNotImplemented)
     {
-        ChipLogError(Controller, "Device attestation verification result received when we're not commissioning a device");
-        return;
+        commissioner->dacChainRevocationStatusResult = result;
     }
 
-    auto & params = commissioner->mDefaultCommissioner->GetCommissioningParameters();
-    Credentials::DeviceAttestationDelegate * deviceAttestationDelegate = params.GetDeviceAttestationDelegate();
-
-    if (result != AttestationVerificationResult::kSuccess)
-    {
-        CommissioningDelegate::CommissioningReport report;
-        report.Set<AttestationErrorInfo>(result);
-        if (result == AttestationVerificationResult::kNotImplemented)
-        {
-            ChipLogError(Controller,
-                         "Failed in verifying 'DAC Chain Revocation Status' command received from the device due to default "
-                         "DeviceAttestationVerifier Class not being overridden by a real implementation.");
-            commissioner->CommissioningStageComplete(CHIP_ERROR_NOT_IMPLEMENTED, report);
-            return;
-        }
-
-        ChipLogError(Controller,
-                     "Failed in verifying 'DAC Chain Revocation Status' command received from the device: err %hu. Look at "
-                     "AttestationVerificationResult enum to understand the errors",
-                     static_cast<uint16_t>(result));
-        // Go look at AttestationVerificationResult enum in src/credentials/attestation_verifier/DeviceAttestationVerifier.h to
-        // understand the errors.
+    VerifyOrReturn(commissioner->attestationInformationVerificationResult != AttestationVerificationResult::kNotImplemented);
 
-        // If a device attestation status delegate is installed, delegate handling of failure to the client and let them decide on
-        // whether to proceed further or not.
-        if (deviceAttestationDelegate)
-        {
-            commissioner->ExtendArmFailSafeForDeviceAttestation(info, result);
-        }
-        else
-        {
-            commissioner->CommissioningStageComplete(CHIP_ERROR_INTERNAL, report);
-        }
-    }
-    else
-    {
-        if (deviceAttestationDelegate && deviceAttestationDelegate->ShouldWaitAfterDeviceAttestation())
-        {
-            commissioner->ExtendArmFailSafeForDeviceAttestation(info, result);
-        }
-        else
-        {
-            ChipLogProgress(Controller, "Successfully validated 'DAC Chain Revocation Status' command received from the device.");
-            commissioner->CommissioningStageComplete(CHIP_NO_ERROR);
-        }
-    }
+    OnDeviceAttestationInformationVerification(context, info, commissioner->dacChainRevocationStatusResult);
 }
 
 void DeviceCommissioner::OnArmFailSafeExtendedForDeviceAttestation(
@@ -1363,13 +1338,13 @@ CHIP_ERROR DeviceCommissioner::ValidateAttestationInfo(const Credentials::Device
 }
 
 CHIP_ERROR
-DeviceCommissioner::ValidateDACChainRevocationStatus(const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
+DeviceCommissioner::CheckForRevokedDACChain(const Credentials::DeviceAttestationVerifier::AttestationInfo & info)
 {
-    MATTER_TRACE_SCOPE("ValidateDACChainRevocationStatus", "DeviceCommissioner");
+    MATTER_TRACE_SCOPE("CheckForRevokedDACChain", "DeviceCommissioner");
     VerifyOrReturnError(mState == State::Initialized, CHIP_ERROR_INCORRECT_STATE);
     VerifyOrReturnError(mDeviceAttestationVerifier != nullptr, CHIP_ERROR_INCORRECT_STATE);
 
-    mDeviceAttestationVerifier->ValidateDACChainRevocationStatus(info, &mDACChainRevocationStatusVerificationCallback);
+    mDeviceAttestationVerifier->CheckForRevokedDACChain(info, &mDACChainRevocationStatusCallback);
 
     return CHIP_NO_ERROR;
 }
@@ -2971,14 +2946,11 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
     }
     case CommissioningStage::kAttestationVerification: {
         ChipLogProgress(Controller, "Verifying attestation");
-        if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
-            !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
-            !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
-        {
-            ChipLogError(Controller, "Missing attestation information");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
-            return;
-        }
+        VerifyOrReturn(IsAttestationInformationMissing(params) == false);
+
+        // Reset results before verifying
+        attestationInformationVerificationResult = AttestationVerificationResult::kNotImplemented;
+        dacChainRevocationStatusResult           = AttestationVerificationResult::kNotImplemented;
 
         DeviceAttestationVerifier::AttestationInfo info(
             params.GetAttestationElements().Value(),
@@ -2996,25 +2968,18 @@ void DeviceCommissioner::PerformCommissioningStep(DeviceProxy * proxy, Commissio
     break;
     case CommissioningStage::kAttestationRevocationCheck: {
         ChipLogProgress(Controller, "Verifying device's DAC chain revocation status");
-        if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
-            !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
-            !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
-        {
-            ChipLogError(Controller, "Missing attestation certificates");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
-            return;
-        }
+        VerifyOrReturn(IsAttestationInformationMissing(params) == false);
 
         DeviceAttestationVerifier::AttestationInfo info(
             params.GetAttestationElements().Value(),
             proxy->GetSecureSession().Value()->AsSecureSession()->GetCryptoContext().GetAttestationChallenge(),
             params.GetAttestationSignature().Value(), params.GetPAI().Value(), params.GetDAC().Value(),
             params.GetAttestationNonce().Value(), params.GetRemoteVendorId().Value(), params.GetRemoteProductId().Value());
 
-        if (ValidateDACChainRevocationStatus(info) != CHIP_NO_ERROR)
+        if (CheckForRevokedDACChain(info) != CHIP_NO_ERROR)
         {
             ChipLogError(Controller, "Error validating device's DAC chain revocation status");
-            CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
+            CommissioningStageComplete(CHIP_ERROR_FAILED_DEVICE_ATTESTATION);
             return;
         }
     }
@@ -3359,6 +3324,20 @@ void DeviceCommissioner::ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device,
     }
 }
 
+bool DeviceCommissioner::IsAttestationInformationMissing(CommissioningParameters & params)
+{
+    if (!params.GetAttestationElements().HasValue() || !params.GetAttestationSignature().HasValue() ||
+        !params.GetAttestationNonce().HasValue() || !params.GetDAC().HasValue() || !params.GetPAI().HasValue() ||
+        !params.GetRemoteVendorId().HasValue() || !params.GetRemoteProductId().HasValue())
+    {
+        ChipLogError(Controller, "Missing attestation information");
+        CommissioningStageComplete(CHIP_ERROR_INVALID_ARGUMENT);
+        return true;
+    }
+
+    return false;
+}
+
 CHIP_ERROR DeviceController::GetCompressedFabricIdBytes(MutableByteSpan & outBytes) const
 {
     const auto * fabricInfo = GetFabricInfo();

src/controller/CHIPDeviceController.h

@@ -610,7 +610,7 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
      *
      * @param[in] info Structure contatining all the required information for validating the device attestation.
      */
-    CHIP_ERROR ValidateDACChainRevocationStatus(const Credentials::DeviceAttestationVerifier::AttestationInfo & info);
+    CHIP_ERROR CheckForRevokedDACChain(const Credentials::DeviceAttestationVerifier::AttestationInfo & info);
 
     /**
      * @brief
@@ -792,6 +792,11 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
 
     ObjectPool<CommissioneeDeviceProxy, kNumMaxActiveDevices> mCommissioneeDevicePool;
 
+    Credentials::AttestationVerificationResult attestationInformationVerificationResult =
+        Credentials::AttestationVerificationResult::kNotImplemented;
+    Credentials::AttestationVerificationResult dacChainRevocationStatusResult =
+        Credentials::AttestationVerificationResult::kNotImplemented;
+
 #if CHIP_DEVICE_CONFIG_ENABLE_COMMISSIONER_DISCOVERY // make this commissioner discoverable
     UserDirectedCommissioningServer * mUdcServer = nullptr;
     // mUdcTransportMgr is for insecure communication (ex. user directed commissioning)
@@ -892,9 +897,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     static void OnDeviceAttestationInformationVerification(void * context,
                                                            const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
                                                            Credentials::AttestationVerificationResult result);
-    static void OnDACChainRevocationStatusVerification(void * context,
-                                                       const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
-                                                       Credentials::AttestationVerificationResult result);
+    static void OnDACChainRevocationStatus(void * context, const Credentials::DeviceAttestationVerifier::AttestationInfo & info,
+                                           Credentials::AttestationVerificationResult result);
 
     static void OnDeviceNOCChainGeneration(void * context, CHIP_ERROR status, const ByteSpan & noc, const ByteSpan & icac,
                                            const ByteSpan & rcac, Optional<IdentityProtectionKeySpan> ipk,
@@ -1020,6 +1024,8 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     // extend it).
     void ExtendFailsafeBeforeNetworkEnable(DeviceProxy * device, CommissioningParameters & params, CommissioningStage step);
 
+    bool IsAttestationInformationMissing(CommissioningParameters & params);
+
     chip::Callback::Callback<OnDeviceConnected> mOnDeviceConnectedCallback;
     chip::Callback::Callback<OnDeviceConnectionFailure> mOnDeviceConnectionFailureCallback;
 #if CHIP_DEVICE_CONFIG_ENABLE_AUTOMATIC_CASE_RETRIES
@@ -1029,7 +1035,7 @@ class DLL_EXPORT DeviceCommissioner : public DeviceController,
     chip::Callback::Callback<Credentials::DeviceAttestationVerifier::OnAttestationInformationVerification>
         mDeviceAttestationInformationVerificationCallback;
     chip::Callback::Callback<Credentials::DeviceAttestationVerifier::OnAttestationInformationVerification>
-        mDACChainRevocationStatusVerificationCallback;
+        mDACChainRevocationStatusCallback;
 
     chip::Callback::Callback<OnNOCChainGeneration> mDeviceNOCChainCallback;
     SetUpCodePairer mSetUpCodePairer;

src/controller/CommissioningDelegate.h

@@ -761,6 +761,7 @@ class CommissioningDelegate
      * kSendDACCertificateRequest: RequestedCertificate
      * kSendAttestationRequest: AttestationResponse
      * kAttestationVerification: AttestationErrorInfo if there is an error
+     * kAttestationRevocationCheck: AttestationErrorInfo if there is an error
      * kSendOpCertSigningRequest: CSRResponse
      * kGenerateNOCChain: NocChain
      * kSendTrustedRootCert: None
@@ -786,6 +787,7 @@ class CommissioningDelegate
     virtual void SetOperationalCredentialsDelegate(OperationalCredentialsDelegate * operationalCredentialsDelegate) = 0;
     virtual CHIP_ERROR StartCommissioning(DeviceCommissioner * commissioner, CommissioneeDeviceProxy * proxy)       = 0;
     virtual CHIP_ERROR CommissioningStepFinished(CHIP_ERROR err, CommissioningReport report)                        = 0;
+    virtual void BypassDeviceAttestation()                                                                          = 0;
 };
 
 } // namespace Controller

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

@@ -607,12 +607,12 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
     return CHIP_NO_ERROR;
 }
 
-void DefaultDACVerifier::ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion)
+void DefaultDACVerifier::CheckForRevokedDACChain(const AttestationInfo & info,
+                                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion)
 {
     AttestationVerificationResult attestationError = AttestationVerificationResult::kSuccess;
 
-    // TODO
+    // TODO(#xyz): Implement default version of CheckForRevokedDACChain
 
     onCompletion->mCall(onCompletion->mContext, info, attestationError);
 }

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h

@@ -74,8 +74,8 @@ class DefaultDACVerifier : public DeviceAttestationVerifier
                                                    const ByteSpan & attestationSignatureBuffer,
                                                    const Crypto::P256PublicKey & dacPublicKey, const ByteSpan & csrNonce) override;
 
-    void ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
+    void CheckForRevokedDACChain(const AttestationInfo & info,
+                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion) override;
 
     CsaCdKeysTrustStore * GetCertificationDeclarationTrustStore() override { return &mCdKeysTrustStore; }
 

src/credentials/attestation_verifier/DeviceAttestationVerifier.cpp

@@ -70,11 +70,12 @@ class UnimplementedDACVerifier : public DeviceAttestationVerifier
         return CHIP_ERROR_NOT_IMPLEMENTED;
     }
 
-    void ValidateDACChainRevocationStatus(const AttestationInfo & info,
-                                          Callback::Callback<OnAttestationInformationVerification> * onCompletion) override
+    void CheckForRevokedDACChain(const AttestationInfo & info,
+                                 Callback::Callback<OnAttestationInformationVerification> * onCompletion) override
     {
         (void) info;
         (void) onCompletion;
+        VerifyOrDie(false);
     }
 };