Expose API to generate a CSR in the Darwin framework. (#18672)

There seem to be no OS-provided APIs for this on iOS, and a CSR is
needed to get a NOC issued by an external CA.

src/darwin/Framework/CHIP/CHIPP256KeypairBridge.mm

@@ -31,6 +31,7 @@
     if (![keypair respondsToSelector:@selector(ECDSA_sign_message_DER:)]
         && ![keypair respondsToSelector:@selector(ECDSA_sign_message_raw:)]) {
         // Not a valid CHIPKeypair implementation.
+        NSLog(@"Keypair does not support message signing");
         return CHIP_ERROR_INVALID_ARGUMENT;
     }
 

src/darwin/Framework/CHIP/MTRCertificates.h

@@ -111,6 +111,22 @@ NS_ASSUME_NONNULL_BEGIN
  */
 + (BOOL)isCertificate:(NSData *)certificate1 equalTo:(NSData *)certificate2;
 
+/**
+ * Generate a PKCS#10 certificate signing request from a CHIPKeypair.  This can
+ * then be used to request an operational or ICA certificate from an external
+ * certificate authority.
+ *
+ * The CSR will have the subject OU DN set to 'CSA', because omitting all
+ * identifying information altogether often trips up CSR parsing code.  The CA
+ * being used should expect this and ignore the request subject, producing a
+ * subject that matches the rules for Matter certificates.
+ *
+ * On failure returns nil and if "error" is not null sets *error to the relevant
+ * error.
+ */
++ (nullable NSData *)generateCertificateSigningRequest:(id<CHIPKeypair>)keypair
+                                                 error:(NSError * __autoreleasing _Nullable * _Nullable)error;
+
 @end
 
 NS_ASSUME_NONNULL_END

src/darwin/Framework/CHIP/MTRCertificates.mm

@@ -114,6 +114,8 @@ + (nullable NSData *)generateOperationalCertificate:(id<CHIPKeypair>)signingKeyp
 
 + (BOOL)keypair:(id<CHIPKeypair>)keypair matchesCertificate:(NSData *)certificate
 {
+    AutoPlatformMemory platformMemory;
+
     P256PublicKey keypairPubKey;
     CHIP_ERROR err = CHIPP256KeypairBridge::MatterPubKeyFromSecKeyRef(keypair.pubkey, &keypairPubKey);
     if (err != CHIP_NO_ERROR) {
@@ -135,6 +137,8 @@ + (BOOL)keypair:(id<CHIPKeypair>)keypair matchesCertificate:(NSData *)certificat
 
 + (BOOL)isCertificate:(NSData *)certificate1 equalTo:(NSData *)certificate2
 {
+    AutoPlatformMemory platformMemory;
+
     P256PublicKey pubKey1;
     CHIP_ERROR err = ExtractPubkeyFromX509Cert(AsByteSpan(certificate1), pubKey1);
     if (err != CHIP_NO_ERROR) {
@@ -172,4 +176,34 @@ + (BOOL)isCertificate:(NSData *)certificate1 equalTo:(NSData *)certificate2
     return subject1.IsEqual(subject2);
 }
 
++ (nullable NSData *)generateCertificateSigningRequest:(id<CHIPKeypair>)keypair
+                                                 error:(NSError * __autoreleasing _Nullable * _Nullable)error
+{
+    AutoPlatformMemory platformMemory;
+
+    CHIPP256KeypairBridge keypairBridge;
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    do {
+        err = keypairBridge.Init(keypair);
+        if (err != CHIP_NO_ERROR) {
+            break;
+        }
+        CHIPP256KeypairNativeBridge nativeKeypair(keypairBridge);
+
+        uint8_t buf[kMAX_CSR_Length];
+        MutableByteSpan csr(buf);
+        err = GenerateCertificateSigningRequest(&nativeKeypair, csr);
+        if (err != CHIP_NO_ERROR) {
+            break;
+        }
+
+        return AsData(csr);
+    } while (0);
+
+    if (error) {
+        *error = [CHIPError errorForCHIPErrorCode:err];
+    }
+    return nil;
+}
+
 @end

src/darwin/Framework/CHIPTests/MatterCertificateTests.m

@@ -192,4 +192,15 @@ - (void)testGenerateOperationalCertErrorCases
     XCTAssertNil(operationalCert);
 }
 
+- (void)testGenerateCSR
+{
+    __auto_type * testKeys = [[CHIPTestKeys alloc] init];
+    XCTAssertNotNil(testKeys);
+
+    __auto_type * csr = [MTRCertificates generateCertificateSigningRequest:testKeys error:nil];
+    XCTAssertNotNil(csr);
+
+    // Wish there was something we could test here about the CSR.
+}
+
 @end