Attempt #2 - separate PAAs used in non-test

cecille · Sep 27, 2023 · 836257b · 836257b
1 parent 3fb83ea
commit 836257b
Show file tree

Hide file tree

Showing 8 changed files with 323 additions and 372 deletions.
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -126,6 +126,18 @@ static_library("credentials") {
   ]
 }
 
+source_set("test_paa_store") {
+  sources = [
+    "attestation_verifier/CHIPAttCert_test_paa_store.cpp",
+    "attestation_verifier/CHIPAttCert_test_paa_store.h",
+  ]
+
+  public_deps = [
+    "${chip_root}/src/lib/core:chip_config_header",  # for lib/support/Span.h
+    "${nlassert_root}:nlassert",  # for lib/support/Span.h
+  ]
+}
+
 static_library("default_attestation_verifier") {
   output_name = "libDefaultAttestationVerifier"
 
@@ -144,6 +156,7 @@ static_library("default_attestation_verifier") {
 
   public_deps = [
     ":credentials",
+    ":test_paa_store",
     "${chip_root}/src/crypto",
     "${nlassert_root}:nlassert",
   ]

diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -29,14 +29,10 @@
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/Span.h>
 
-namespace chip {
-namespace TestCerts {
-extern const Span<const ByteSpan> kTestAttestationTrustStoreRoots;
-} // namespace TestCerts
-} // namespace chip
+#include "credentials/attestation_verifier/CHIPAttCert_test_paa_store.h"
 
 using namespace chip::Crypto;
-using chip::TestCerts::kTestAttestationTrustStoreRoots;
+using chip::TestCerts::GetTestPaaRootStore;
 
 namespace chip {
 namespace Credentials {
@@ -275,7 +271,7 @@ constexpr std::array<MatterCDSigningKey, 6> gCdSigningKeys = { {
 struct TestAttestationTrustStore final : public ArrayAttestationTrustStore
 {
     TestAttestationTrustStore() :
-        ArrayAttestationTrustStore(kTestAttestationTrustStoreRoots.data(), kTestAttestationTrustStoreRoots.size())
+        ArrayAttestationTrustStore(GetTestPaaRootStore().data(), GetTestPaaRootStore().size())
     {}
 };
 Global<TestAttestationTrustStore> gTestAttestationTrustStore;

diff --git a/src/credentials/tests/BUILD.gn b/src/credentials/tests/BUILD.gn
@@ -36,7 +36,10 @@ static_library("cert_test_vectors") {
 
   cflags = [ "-Wconversion" ]
 
-  public_deps = [ "${chip_root}/src/credentials" ]
+  public_deps = [
+    "${chip_root}/src/credentials",
+    "${chip_root}/src/credentials:test_paa_store",
+  ]
 }
 
 chip_test_suite("tests") {

diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.cpp b/src/credentials/tests/CHIPAttCert_test_vectors.cpp
diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.h b/src/credentials/tests/CHIPAttCert_test_vectors.h
@@ -23,9 +23,6 @@
 namespace chip {
 namespace TestCerts {
 
-// Root CA certs for chip::Credentials::GetTestAttestationTrustStore()
-extern const Span<const ByteSpan> kTestAttestationTrustStoreRoots;
-
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey;
@@ -316,7 +313,7 @@ extern const ByteSpan sTestCert_DAC_FFF2_8006_0035_Val1SecBefore_SKID;
 extern const ByteSpan sTestCert_DAC_FFF2_8006_0035_Val1SecBefore_PublicKey;
 extern const ByteSpan sTestCert_DAC_FFF2_8006_0035_Val1SecBefore_PrivateKey;
 
-extern const ByteSpan sTestCert_PAA_FFF1_Cert;
+// Cert is provided in the PAA store file as it is used in the default verifier.
 extern const ByteSpan sTestCert_PAA_FFF1_SKID;
 extern const ByteSpan sTestCert_PAA_FFF1_PublicKey;
 extern const ByteSpan sTestCert_PAA_FFF1_PrivateKey;
@@ -331,7 +328,7 @@ extern const ByteSpan sTestCert_PAA_FFF2_ValInPast_SKID;
 extern const ByteSpan sTestCert_PAA_FFF2_ValInPast_PublicKey;
 extern const ByteSpan sTestCert_PAA_FFF2_ValInPast_PrivateKey;
 
-extern const ByteSpan sTestCert_PAA_NoVID_Cert;
+// Cert is provided in the PAA store file as it is used in the default verifier.
 extern const ByteSpan sTestCert_PAA_NoVID_SKID;
 extern const ByteSpan sTestCert_PAA_NoVID_PublicKey;
 extern const ByteSpan sTestCert_PAA_NoVID_PrivateKey;

diff --git a/src/credentials/tests/TestDeviceAttestationCredentials.cpp b/src/credentials/tests/TestDeviceAttestationCredentials.cpp
@@ -20,6 +20,7 @@
 #include <credentials/CHIPCert.h>
 #include <credentials/CertificationDeclaration.h>
 #include <credentials/DeviceAttestationCredsProvider.h>
+#include <credentials/attestation_verifier/CHIPAttCert_test_paa_store.h>
 #include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
 #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>

diff --git a/src/crypto/tests/BUILD.gn b/src/crypto/tests/BUILD.gn
@@ -64,6 +64,7 @@ chip_test_suite("tests") {
   cflags = [ "-Wconversion" ]
 
   public_deps = [
+    "${chip_root}/src/credentials:test_paa_store",
     "${chip_root}/src/credentials/tests:cert_test_vectors",
     "${chip_root}/src/crypto",
     "${chip_root}/src/lib/core",

diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp
@@ -57,6 +57,7 @@
 #endif
 
 #include <credentials/CHIPCert.h>
+#include <credentials/attestation_verifier/CHIPAttCert_test_paa_store.h>
 #include <credentials/tests/CHIPAttCert_test_vectors.h>
 #include <credentials/tests/CHIPCert_test_vectors.h>