Prepare for adding PAA trust store to chip-tool (#15224)

* Separate DefaultDeviceAttestationVerifier from credentials - This PR is on the way to resolving #15209. - This PR does the following: - Splits DefaultDeviceAttesationVerifier from the main src/credentials target since it is an optional component that can be overridden by different commissioners - Adds the beginning of plumbing to properly select the Trust Store for the DefaultDeviceAttestationVerifier. - Moved DefaultDeviceAttestatationVerifier from credentials/examples to credentials/attestation_verifier Missing, to come in the follow-up: - The implementation of a new file-based PAA trust store configured with the path passed in the plumbing added here. Testing done: unit tests and cert tests still pass. Commissioning still works * Restyled by clang-format * Restyled by gn * Fix ESP32 Qemu test * Fix CHIPCommandBridge Co-authored-by: Restyled.io <commits@restyled.io>
project-chip · Feb 22, 2022 · 22fb6c3 · 22fb6c3
1 parent 36564e0
commit 22fb6c3
Show file tree

Hide file tree

Showing 33 changed files with 95 additions and 46 deletions.
diff --git a/BUILD.gn b/BUILD.gn
@@ -70,6 +70,7 @@ if (current_toolchain != "${dir_pw_toolchain}/default:default") {
       "${chip_root}/src/ble",
       "${chip_root}/src/controller",
       "${chip_root}/src/credentials",
+      "${chip_root}/src/credentials:default_attestation_verifier",
       "${chip_root}/src/crypto",
       "${chip_root}/src/inet",
       "${chip_root}/src/lib",

diff --git a/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.h b/examples/chip-tool-darwin/commands/common/CHIPCommandBridge.h
@@ -62,7 +62,8 @@ class CHIPCommandBridge : public Command
     CHIPDeviceController * CurrentCommissioner();
 
 private:
-    CHIP_ERROR InitializeCommissioner(std::string key, chip::FabricId fabricId);
+    CHIP_ERROR InitializeCommissioner(std::string key, chip::FabricId fabricId,
+                                      const chip::Credentials::AttestationTrustStore * trustStore);
     CHIP_ERROR ShutdownCommissioner();
     uint16_t CurrentCommissionerIndex();
 

diff --git a/examples/chip-tool/commands/common/CHIPCommand.cpp b/examples/chip-tool/commands/common/CHIPCommand.cpp
@@ -53,10 +53,13 @@ CHIP_ERROR CHIPCommand::Run()
     factoryInitParams.listenPort               = static_cast<uint16_t>(mDefaultStorage.GetListenPort() + CurrentCommissionerId());
     ReturnLogErrorOnFailure(DeviceControllerFactory::GetInstance().Init(factoryInitParams));
 
-    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityNull, kIdentityNullFabricId));
-    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityAlpha, kIdentityAlphaFabricId));
-    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityBeta, kIdentityBetaFabricId));
-    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityGamma, kIdentityGammaFabricId));
+    // TODO(issue #15209): Replace this trust store with file-based trust store
+    const chip::Credentials::AttestationTrustStore * trustStore = chip::Credentials::GetTestAttestationTrustStore();
+
+    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityNull, kIdentityNullFabricId, trustStore));
+    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityAlpha, kIdentityAlphaFabricId, trustStore));
+    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityBeta, kIdentityBetaFabricId, trustStore));
+    ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityGamma, kIdentityGammaFabricId, trustStore));
 
     chip::DeviceLayer::PlatformMgr().ScheduleWork(RunQueuedCommand, reinterpret_cast<intptr_t>(this));
     ReturnLogErrorOnFailure(StartWaiting(GetWaitDuration()));
@@ -169,7 +172,8 @@ CHIP_ERROR CHIPCommand::ShutdownCommissioner(std::string key)
     return mCommissioners[key].get()->Shutdown();
 }
 
-CHIP_ERROR CHIPCommand::InitializeCommissioner(std::string key, chip::FabricId fabricId)
+CHIP_ERROR CHIPCommand::InitializeCommissioner(std::string key, chip::FabricId fabricId,
+                                               const chip::Credentials::AttestationTrustStore * trustStore)
 {
     chip::Platform::ScopedMemoryBuffer<uint8_t> noc;
     chip::Platform::ScopedMemoryBuffer<uint8_t> icac;
@@ -178,7 +182,7 @@ CHIP_ERROR CHIPCommand::InitializeCommissioner(std::string key, chip::FabricId f
     std::unique_ptr<ChipDeviceCommissioner> commissioner = std::make_unique<ChipDeviceCommissioner>();
     chip::Controller::SetupParams commissionerParams;
 
-    ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams));
+    ReturnLogErrorOnFailure(mCredIssuerCmds->SetupDeviceAttestation(commissionerParams, trustStore));
     chip::Credentials::SetDeviceAttestationVerifier(commissionerParams.deviceAttestationVerifier);
 
     VerifyOrReturnError(noc.Alloc(chip::Controller::kMaxCHIPDERCertLength), CHIP_ERROR_NO_MEMORY);

diff --git a/examples/chip-tool/commands/common/CHIPCommand.h b/examples/chip-tool/commands/common/CHIPCommand.h
@@ -55,6 +55,7 @@ class CHIPCommand : public Command
     CHIPCommand(const char * commandName, CredentialIssuerCommands * credIssuerCmds) :
         Command(commandName), mCredIssuerCmds(credIssuerCmds)
     {
+        AddArgument("paa-trust-store-path", &mPaaTrustStorePath);
         AddArgument("commissioner-name", &mCommissionerName);
 #if CHIP_CONFIG_TRANSPORT_TRACE_ENABLED
         AddArgument("trace_file", &mTraceFile);
@@ -102,12 +103,14 @@ class CHIPCommand : public Command
     ChipDeviceCommissioner & CurrentCommissioner();
 
 private:
-    CHIP_ERROR InitializeCommissioner(std::string key, chip::FabricId fabricId);
+    CHIP_ERROR InitializeCommissioner(std::string key, chip::FabricId fabricId,
+                                      const chip::Credentials::AttestationTrustStore * trustStore);
     CHIP_ERROR ShutdownCommissioner(std::string key);
     chip::FabricId CurrentCommissionerId();
     std::map<std::string, std::unique_ptr<ChipDeviceCommissioner>> mCommissioners;
     chip::Optional<char *> mCommissionerName;
     chip::Optional<uint16_t> mBleAdapterId;
+    chip::Optional<char *> mPaaTrustStorePath;
 
     static void RunQueuedCommand(intptr_t commandArg);
 

diff --git a/examples/chip-tool/commands/common/CredentialIssuerCommands.h b/examples/chip-tool/commands/common/CredentialIssuerCommands.h
@@ -20,6 +20,7 @@
 
 #include <app/util/basic-types.h>
 #include <controller/CHIPDeviceControllerFactory.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/core/CHIPCore.h>
 #include <lib/core/CHIPPersistentStorageDelegate.h>
 
@@ -46,10 +47,12 @@ class CredentialIssuerCommands
      *
      * @param[in] setupParams A reference to the Setup/Commissioning Parameters, to be initialized with custom Device Attestation
      *                        Verifier.
+     * @param[in] trustStore  A pointer to the PAA trust store to use to find valid PAA roots.
      *
      * @return CHIP_ERROR CHIP_NO_ERROR on success, or corresponding error code.
      */
-    virtual CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams) = 0;
+    virtual CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
+                                              const chip::Credentials::AttestationTrustStore * trustStore) = 0;
 
     virtual chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() = 0;
 

diff --git a/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h b/examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h
@@ -21,8 +21,8 @@
 #include <commands/common/CredentialIssuerCommands.h>
 #include <controller/ExampleOperationalCredentialsIssuer.h>
 #include <credentials/DeviceAttestationCredsProvider.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>
 
 class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
@@ -32,13 +32,12 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
     {
         return mOpCredsIssuer.Initialize(storage);
     }
-    CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams) override
+    CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
+                                      const chip::Credentials::AttestationTrustStore * trustStore) override
     {
         chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());
 
-        // TODO: Replace testingRootStore with a AttestationTrustStore that has the necessary official PAA roots available
-        const chip::Credentials::AttestationTrustStore * testingRootStore = chip::Credentials::GetTestAttestationTrustStore();
-        setupParams.deviceAttestationVerifier = chip::Credentials::GetDefaultDACVerifier(testingRootStore);
+        setupParams.deviceAttestationVerifier = chip::Credentials::GetDefaultDACVerifier(trustStore);
 
         return CHIP_NO_ERROR;
     }

diff --git a/examples/common/credentials/FileBasedTrustStore.h b/examples/common/credentials/FileBasedTrustStore.h
diff --git a/examples/platform/linux/AppMain.cpp b/examples/platform/linux/AppMain.cpp
@@ -26,8 +26,8 @@
 #include <lib/core/NodeId.h>
 
 #include <credentials/DeviceAttestationCredsProvider.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>
 
 #include <lib/support/CHIPMem.h>

diff --git a/examples/platform/linux/BUILD.gn b/examples/platform/linux/BUILD.gn
@@ -45,6 +45,7 @@ source_set("app-main") {
 
   public_deps = [
     "${chip_root}/src/app/server",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/lib",
     "${chip_root}/src/lib/shell",
     "${chip_root}/src/lib/shell:shell_core",

diff --git a/examples/tv-casting-app/linux/BUILD.gn b/examples/tv-casting-app/linux/BUILD.gn
@@ -28,6 +28,7 @@ executable("chip-tv-casting-app") {
   deps = [
     "${chip_root}/examples/platform/linux:app-main",
     "${chip_root}/examples/tv-casting-app/tv-casting-common",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/lib",
     "${chip_root}/third_party/inipp",
   ]

diff --git a/examples/tv-casting-app/linux/main.cpp b/examples/tv-casting-app/linux/main.cpp
@@ -21,8 +21,8 @@
 #include <app/server/Server.h>
 #include <controller/CHIPCommissionableNodeController.h>
 #include <credentials/DeviceAttestationCredsProvider.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>
 #include <lib/support/CHIPArgParser.hpp>
 #include <lib/support/SafeInt.h>

diff --git a/src/controller/CHIPDeviceController.cpp b/src/controller/CHIPDeviceController.cpp
@@ -1112,8 +1112,8 @@ void DeviceCommissioner::OnDeviceAttestationInformationVerification(void * conte
                          "Failed in verifying 'Attestation Information' command received from the device: err %hu. Look at "
                          "AttestationVerificationResult enum to understand the errors",
                          static_cast<uint16_t>(result));
-            // Go look at AttestationVerificationResult enum in src/credentials/DeviceAttestationVerifier.h to understand the
-            // errors.
+            // Go look at AttestationVerificationResult enum in src/credentials/attestation_verifier/DeviceAttestationVerifier.h to
+            // understand the errors.
             commissioner->CommissioningStageComplete(CHIP_ERROR_INTERNAL, report);
             return;
         }

diff --git a/src/controller/CHIPDeviceController.h b/src/controller/CHIPDeviceController.h
@@ -41,8 +41,8 @@
 #include <controller/CommissioningDelegate.h>
 #include <controller/OperationalCredentialsDelegate.h>
 #include <controller/SetUpCodePairer.h>
-#include <credentials/DeviceAttestationVerifier.h>
 #include <credentials/FabricTable.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/core/CHIPCore.h>
 #include <lib/core/CHIPPersistentStorageDelegate.h>

diff --git a/src/controller/CHIPDeviceControllerFactory.h b/src/controller/CHIPDeviceControllerFactory.h
@@ -31,7 +31,7 @@
 
 #include <controller/CHIPDeviceController.h>
 #include <controller/CHIPDeviceControllerSystemState.h>
-#include <credentials/DeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 
 namespace chip {
 

diff --git a/src/controller/CommissioningDelegate.h b/src/controller/CommissioningDelegate.h
@@ -19,7 +19,7 @@
 #pragma once
 #include <app/OperationalDeviceProxy.h>
 #include <controller/CommissioneeDeviceProxy.h>
-#include <credentials/DeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/support/Variant.h>
 
 namespace chip {

diff --git a/src/controller/java/AndroidDeviceControllerWrapper.cpp b/src/controller/java/AndroidDeviceControllerWrapper.cpp
@@ -25,8 +25,8 @@
 #include <lib/support/JniReferences.h>
 
 #include <controller/CHIPDeviceControllerFactory.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/core/CHIPTLV.h>
 #include <lib/support/PersistentStorageMacros.h>
 #include <lib/support/SafeInt.h>

diff --git a/src/controller/java/BUILD.gn b/src/controller/java/BUILD.gn
@@ -46,6 +46,7 @@ shared_library("jni") {
   deps = [
     "${chip_root}/src/controller/data_model",
     "${chip_root}/src/controller/data_model:java-jni-sources",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/inet",
     "${chip_root}/src/lib",
     "${chip_root}/src/platform",

diff --git a/src/controller/python/BUILD.gn b/src/controller/python/BUILD.gn
@@ -90,6 +90,7 @@ shared_library("ChipDeviceCtrl") {
   public_deps = [
     "${chip_root}/src/app",
     "${chip_root}/src/app/server",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/lib",
     "${chip_root}/src/lib/core",
     "${chip_root}/src/lib/dnssd",

diff --git a/src/controller/python/ChipDeviceController-ScriptBinding.cpp b/src/controller/python/ChipDeviceController-ScriptBinding.cpp
@@ -55,8 +55,8 @@
 #include <controller/CHIPDeviceControllerFactory.h>
 #include <controller/CommissioningDelegate.h>
 #include <controller/ExampleOperationalCredentialsIssuer.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <inet/IPAddress.h>
 #include <lib/dnssd/Resolver.h>
 #include <lib/support/BytesToHex.h>

diff --git a/src/controller/python/OpCredsBinding.cpp b/src/controller/python/OpCredsBinding.cpp
@@ -36,8 +36,8 @@
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/logging/CHIPLogging.h>
 
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 
 using namespace chip;
 

diff --git a/src/controller/python/chip/internal/CommissionerImpl.cpp b/src/controller/python/chip/internal/CommissionerImpl.cpp
@@ -19,8 +19,8 @@
 #include <controller/CHIPDeviceController.h>
 #include <controller/CHIPDeviceControllerFactory.h>
 #include <controller/ExampleOperationalCredentialsIssuer.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/ThreadOperationalDataset.h>

diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -32,15 +32,13 @@ static_library("credentials") {
     "DeviceAttestationCredsProvider.cpp",
     "DeviceAttestationCredsProvider.h",
     "DeviceAttestationVendorReserved.h",
-    "DeviceAttestationVerifier.cpp",
-    "DeviceAttestationVerifier.h",
     "FabricTable.cpp",
     "FabricTable.h",
     "GenerateChipX509Cert.cpp",
     "GroupDataProvider.h",
     "GroupDataProviderImpl.cpp",
-    "examples/DefaultDeviceAttestationVerifier.cpp",
-    "examples/DefaultDeviceAttestationVerifier.h",
+    "attestation_verifier/DeviceAttestationVerifier.cpp",
+    "attestation_verifier/DeviceAttestationVerifier.h",
     "examples/DeviceAttestationCredsExample.cpp",
     "examples/DeviceAttestationCredsExample.h",
     "examples/ExampleDACs.cpp",
@@ -76,7 +74,26 @@ static_library("credentials") {
     "${chip_root}/src/lib/asn1",
     "${chip_root}/src/lib/core",
     "${chip_root}/src/lib/support",
-    "${chip_root}/src/transport/raw",
+    "${chip_root}/src/platform",
+    "${nlassert_root}:nlassert",
+  ]
+}
+
+static_library("default_attestation_verifier") {
+  output_name = "libDefaultAttestationVerifier"
+
+  sources = [
+    "attestation_verifier/DefaultDeviceAttestationVerifier.cpp",
+    "attestation_verifier/DefaultDeviceAttestationVerifier.h",
+  ]
+
+  if (chip_device_platform == "esp32" || chip_device_platform == "nrfconnect") {
+    defines = [ "CURRENT_TIME_NOT_IMPLEMENTED=1" ]
+  }
+
+  public_deps = [
+    ":credentials",
+    "${chip_root}/src/crypto",
     "${nlassert_root}:nlassert",
   ]
 }
diff --git a/...ples/DefaultDeviceAttestationVerifier.cpp → ...fier/DefaultDeviceAttestationVerifier.cpp b/...ples/DefaultDeviceAttestationVerifier.cpp → ...fier/DefaultDeviceAttestationVerifier.cpp
diff --git a/...amples/DefaultDeviceAttestationVerifier.h → ...rifier/DefaultDeviceAttestationVerifier.h b/...amples/DefaultDeviceAttestationVerifier.h → ...rifier/DefaultDeviceAttestationVerifier.h
@@ -16,7 +16,7 @@
  */
 #pragma once
 
-#include <credentials/DeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 
 namespace chip {
 namespace Credentials {

diff --git a/...credentials/DeviceAttestationVerifier.cpp → ...on_verifier/DeviceAttestationVerifier.cpp b/...credentials/DeviceAttestationVerifier.cpp → ...on_verifier/DeviceAttestationVerifier.cpp
diff --git a/src/credentials/DeviceAttestationVerifier.h → ...tion_verifier/DeviceAttestationVerifier.h b/src/credentials/DeviceAttestationVerifier.h → ...tion_verifier/DeviceAttestationVerifier.h
diff --git a/src/credentials/tests/BUILD.gn b/src/credentials/tests/BUILD.gn
@@ -19,7 +19,7 @@ import("//build_overrides/nlunit_test.gni")
 import("${chip_root}/build/chip/chip_test_suite.gni")
 
 static_library("cert_test_vectors") {
-  output_name = "libChipCertTestVectors"
+  output_name = "libCertTestVectors"
   output_dir = "${root_out_dir}/lib"
 
   sources = [
@@ -35,7 +35,7 @@ static_library("cert_test_vectors") {
 }
 
 chip_test_suite("tests") {
-  output_name = "libChipCredentials"
+  output_name = "libCredentialsTest"
   output_dir = "${root_out_dir}/lib"
 
   test_sources = [
@@ -52,6 +52,7 @@ chip_test_suite("tests") {
   public_deps = [
     ":cert_test_vectors",
     "${chip_root}/src/credentials",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/lib/core",
     "${nlunit_test_root}:nlunit-test",
   ]

diff --git a/src/credentials/tests/TestDeviceAttestationCredentials.cpp b/src/credentials/tests/TestDeviceAttestationCredentials.cpp
@@ -20,8 +20,8 @@
 #include <credentials/CHIPCert.h>
 #include <credentials/CertificationDeclaration.h>
 #include <credentials/DeviceAttestationCredsProvider.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <credentials/examples/DeviceAttestationCredsExample.h>
 #include <credentials/examples/ExampleDACs.h>
 #include <credentials/examples/ExamplePAI.h>

diff --git a/src/darwin/Framework/CHIP/BUILD.gn b/src/darwin/Framework/CHIP/BUILD.gn
@@ -68,6 +68,7 @@ static_library("framework") {
   public_deps = [
     "${chip_root}/src/controller",
     "${chip_root}/src/controller/data_model",
+    "${chip_root}/src/credentials:default_attestation_verifier",
     "${chip_root}/src/lib/core",
     "${chip_root}/src/lib/support",
   ]

diff --git a/src/darwin/Framework/CHIP/CHIPDeviceController.mm b/src/darwin/Framework/CHIP/CHIPDeviceController.mm
@@ -36,8 +36,8 @@
 
 #include <controller/CHIPDeviceController.h>
 #include <controller/CHIPDeviceControllerFactory.h>
-#include <credentials/DeviceAttestationVerifier.h>
-#include <credentials/examples/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h>
+#include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/support/CHIPMem.h>
 #include <platform/PlatformManager.h>
 #include <setup_payload/ManualSetupPayloadGenerator.h>

diff --git a/src/lib/BUILD.gn b/src/lib/BUILD.gn
@@ -33,10 +33,20 @@ static_library("lib") {
     "${chip_root}/src/transport",
   ]
 
+  # Only include the shell if it is being used. The shell is
+  # a debug feature mostly useful for embedded examples.
+  # See src/lib/lib.gni for declaration of this build arg.
   if (chip_build_libshell) {
     public_deps += [ "${chip_root}/src/lib/shell" ]
   }
 
+  # Only include the DefaultAttestationVerifier if needed in the build.
+  # See src/lib/lib.gni for declaration of this build arg.
+  if (chip_build_default_attestation_verifier) {
+    public_deps +=
+        [ "${chip_root}/src/credentials:default_attestation_verifier" ]
+  }
+
   cflags = [ "-Wconversion" ]
 
   output_name = "libCHIP"