From 8499c82b4ee0901944c67d523c821c7e18c387cd Mon Sep 17 00:00:00 2001
From: Shubham Patil <shubham.patil@espressif.com>
Date: Sat, 7 Dec 2024 11:21:50 +0530
Subject: [PATCH] da_revocation: Make DeviceAttestationRevocationDelegate a
 subclass of DeviceAttestationVerifier

---
 .../chip-tool/commands/common/CHIPCommand.cpp |  9 ++--
 .../chip-tool/commands/common/CHIPCommand.h   |  2 +-
 .../common/CredentialIssuerCommands.h         |  6 +--
 .../example/ExampleCredentialIssuerCommands.h |  6 +--
 .../DefaultDeviceAttestationVerifier.cpp      |  5 ++-
 .../DefaultDeviceAttestationVerifier.h        |  5 ++-
 .../DeviceAttestationVerifier.h               | 44 +++++++++----------
 .../TestDACRevocationDelegateImpl.h           |  2 +-
 8 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/examples/chip-tool/commands/common/CHIPCommand.cpp b/examples/chip-tool/commands/common/CHIPCommand.cpp
index b37bed15afb3d7..305fbf00a45b1e 100644
--- a/examples/chip-tool/commands/common/CHIPCommand.cpp
+++ b/examples/chip-tool/commands/common/CHIPCommand.cpp
@@ -50,8 +50,8 @@ constexpr chip::FabricId kIdentityOtherFabricId = 4;
 constexpr char kPAATrustStorePathVariable[]     = "CHIPTOOL_PAA_TRUST_STORE_PATH";
 constexpr char kCDTrustStorePathVariable[]      = "CHIPTOOL_CD_TRUST_STORE_PATH";
 
-const chip::Credentials::AttestationTrustStore * CHIPCommand::sTrustStore                 = nullptr;
-chip::Credentials::DeviceAttestationRevocationDelegate * CHIPCommand::sRevocationDelegate = nullptr;
+const chip::Credentials::AttestationTrustStore * CHIPCommand::sTrustStore                                            = nullptr;
+chip::Credentials::DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * CHIPCommand::sRevocationDelegate = nullptr;
 
 chip::Credentials::GroupDataProviderImpl CHIPCommand::sGroupDataProvider{ kMaxGroupsPerFabric, kMaxGroupKeysPerFabric };
 // All fabrics share the same ICD client storage.
@@ -91,8 +91,9 @@ CHIP_ERROR GetAttestationTrustStore(const char * paaTrustStorePath, const chip::
     return CHIP_NO_ERROR;
 }
 
-CHIP_ERROR GetAttestationRevocationDelegate(const char * revocationSetPath,
-                                            chip::Credentials::DeviceAttestationRevocationDelegate ** revocationDelegate)
+CHIP_ERROR GetAttestationRevocationDelegate(
+    const char * revocationSetPath,
+    chip::Credentials::DeviceAttestationVerifier::DeviceAttestationRevocationDelegate ** revocationDelegate)
 {
     if (revocationSetPath == nullptr)
     {
diff --git a/examples/chip-tool/commands/common/CHIPCommand.h b/examples/chip-tool/commands/common/CHIPCommand.h
index b48455ebed6821..80340ab57ff269 100644
--- a/examples/chip-tool/commands/common/CHIPCommand.h
+++ b/examples/chip-tool/commands/common/CHIPCommand.h
@@ -234,7 +234,7 @@ class CHIPCommand : public Command
 
     // Cached DAC revocation delegate, this can be set using "--dac-revocation-set-path" argument
     // Once set this will be used by all commands.
-    static chip::Credentials::DeviceAttestationRevocationDelegate * sRevocationDelegate;
+    static chip::Credentials::DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * sRevocationDelegate;
 
     static void RunQueuedCommand(intptr_t commandArg);
     typedef decltype(RunQueuedCommand) MatterWorkCallback;
diff --git a/examples/chip-tool/commands/common/CredentialIssuerCommands.h b/examples/chip-tool/commands/common/CredentialIssuerCommands.h
index f8e225afec4c5e..49fd8306432819 100644
--- a/examples/chip-tool/commands/common/CredentialIssuerCommands.h
+++ b/examples/chip-tool/commands/common/CredentialIssuerCommands.h
@@ -61,9 +61,9 @@ class CredentialIssuerCommands
      *
      * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
      */
-    virtual CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
-                                              const chip::Credentials::AttestationTrustStore * trustStore,
-                                              chip::Credentials::DeviceAttestationRevocationDelegate * revocationDelegate) = 0;
+    virtual CHIP_ERROR SetupDeviceAttestation(
+        chip::Controller::SetupParams & setupParams, const chip::Credentials::AttestationTrustStore * trustStore,
+        chip::Credentials::DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * revocationDelegate) = 0;
 
     /**
      * @brief Add a list of additional non-default CD verifying keys (by certificate)
diff --git a/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h b/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h
index 495ae8d7a544d6..9931bb85022d37 100644
--- a/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h
+++ b/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h
@@ -33,9 +33,9 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
     {
         return mOpCredsIssuer.Initialize(storage);
     }
-    CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
-                                      const chip::Credentials::AttestationTrustStore * trustStore,
-                                      chip::Credentials::DeviceAttestationRevocationDelegate * revocationDelegate) override
+    CHIP_ERROR SetupDeviceAttestation(
+        chip::Controller::SetupParams & setupParams, const chip::Credentials::AttestationTrustStore * trustStore,
+        chip::Credentials::DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * revocationDelegate) override
     {
         chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());
 
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
index f9cf68e6cf24bd..d4a5c442464977 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -696,8 +696,9 @@ const AttestationTrustStore * GetTestAttestationTrustStore()
     return &gTestAttestationTrustStore.get();
 }
 
-DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
-                                                  DeviceAttestationRevocationDelegate * revocationDelegate)
+DeviceAttestationVerifier *
+GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
+                      DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * revocationDelegate)
 {
     static DefaultDACVerifier defaultDACVerifier{ paaRootStore, revocationDelegate };
 
diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
index 7e0fc1c4378848..29993282b9271c 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h
@@ -122,8 +122,9 @@ const AttestationTrustStore * GetTestAttestationTrustStore();
  *          process lifetime.  In particular, after the first call it's not
  *          possible to change which AttestationTrustStore is used by this verifier.
  */
-DeviceAttestationVerifier * GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
-                                                  DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
+DeviceAttestationVerifier *
+GetDefaultDACVerifier(const AttestationTrustStore * paaRootStore,
+                      DeviceAttestationVerifier::DeviceAttestationRevocationDelegate * revocationDelegate = nullptr);
 
 } // namespace Credentials
 } // namespace chip
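Review bot: The doc comment that ends just above this declaration warns that the AttestationTrustStore cannot be changed after the first call, but it says nothing about `revocationDelegate`, which appears to be bound the same way. In DefaultDeviceAttestationVerifier.cpp both arguments go into the function-local `static DefaultDACVerifier defaultDACVerifier{ paaRootStore, revocationDelegate };`. With the `= nullptr` default, a first call that omits the delegate would leave this verifier without one for the process lifetime, and a later call that supplies one would presumably be ignored without an error. I would extend the sentence to `possible to change which AttestationTrustStore or DeviceAttestationRevocationDelegate is used by this verifier.` The comment starts outside this hunk and the function body in the .cpp continues past its hunk, so confirm that nothing after the static rebinds the delegate.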
diff --git a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
index e6915931a73b68..d0c28be583e730 100644
--- a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
@@ -333,6 +333,28 @@ class DeviceAttestationVerifier
     typedef void (*OnAttestationInformationVerification)(void * context, const AttestationInfo & info,
                                                          AttestationVerificationResult result);
 
+    /**
+     * @brief Interface for checking the device attestation revocation status
+     *
+     */
+    class DeviceAttestationRevocationDelegate
+    {
+    public:
+        DeviceAttestationRevocationDelegate()          = default;
+        virtual ~DeviceAttestationRevocationDelegate() = default;
+
+        /**
+         * @brief Verify whether or not the given DAC chain is revoked.
+         *
+         * @param[in] info All of the information required to check for revoked DAC chain.
+         * @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
+         *                         CheckForRevokedDACChain().
+         */
+        virtual void CheckForRevokedDACChain(
+            const DeviceAttestationVerifier::AttestationInfo & info,
+            Callback::Callback<DeviceAttestationVerifier::OnAttestationInformationVerification> * onCompletion) = 0;
+    };
+
     /**
      * @brief Verify an attestation information payload against a DAC/PAI chain.
      *
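Review bot: The doc comment on `CheckForRevokedDACChain` in the nested class does not say whether an implementation must invoke `onCompletion` on every path, or which result it should report when its revocation data cannot be read; for a revocation check, that decides whether an error admits or rejects a device. If the intended contract is a single guaranteed callback, add a line such as `@note onCompletion must be invoked exactly once, including when the revocation data is unavailable.` Separately, the later hunk in this file removes the namespace-scope class, so code outside this patch that names `chip::Credentials::DeviceAttestationRevocationDelegate` stops compiling. If that break is not intended, `using DeviceAttestationRevocationDelegate = DeviceAttestationVerifier::DeviceAttestationRevocationDelegate;` after the class would keep the old name. The enclosing DeviceAttestationVerifier class starts and ends outside this hunk.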
@@ -419,28 +441,6 @@ class DeviceAttestationVerifier
     bool mEnableCdTestKeySupport = true;
 };
 
-/**
- * @brief Interface for checking the device attestation revocation status
- *
- */
-class DeviceAttestationRevocationDelegate
-{
-public:
-    DeviceAttestationRevocationDelegate()          = default;
-    virtual ~DeviceAttestationRevocationDelegate() = default;
-
-    /**
-     * @brief Verify whether or not the given DAC chain is revoked.
-     *
-     * @param[in] info All of the information required to check for revoked DAC chain.
-     * @param[in] onCompletion Callback handler to provide Attestation Information Verification result to the caller of
-     *                         CheckForRevokedDACChain().
-     */
-    virtual void
-    CheckForRevokedDACChain(const DeviceAttestationVerifier::AttestationInfo & info,
-                            Callback::Callback<DeviceAttestationVerifier::OnAttestationInformationVerification> * onCompletion) = 0;
-};
-
 /**
  * Instance getter for the global DeviceAttestationVerifier.
  *
diff --git a/src/credentials/attestation_verifier/TestDACRevocationDelegateImpl.h b/src/credentials/attestation_verifier/TestDACRevocationDelegateImpl.h
index cea143603c341d..545f649cb628bc 100644
--- a/src/credentials/attestation_verifier/TestDACRevocationDelegateImpl.h
+++ b/src/credentials/attestation_verifier/TestDACRevocationDelegateImpl.h
@@ -26,7 +26,7 @@
 namespace chip {
 namespace Credentials {
 
-class TestDACRevocationDelegateImpl : public DeviceAttestationRevocationDelegate
+class TestDACRevocationDelegateImpl : public DeviceAttestationVerifier::DeviceAttestationRevocationDelegate
 {
 public:
     TestDACRevocationDelegateImpl()  = default;