Avoid changing ArrayAttestationTrustStore API...

... by moving kTestAttestationTrustStoreRoots (formerly kTestPaaRoots) into CHIPAttCert_test_vectors.cpp where the certificate spans themselves are defined.
project-chip · Sep 18, 2023 · ca5aea4 · ca5aea4
1 parent 4e4ae83
commit ca5aea4
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 18 deletions.
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -135,6 +135,8 @@ static_library("default_attestation_verifier") {
     "attestation_verifier/DefaultDeviceAttestationVerifier.cpp",
     "attestation_verifier/DefaultDeviceAttestationVerifier.h",
     "attestation_verifier/DeviceAttestationDelegate.h",
+    "tests/CHIPAttCert_test_vectors.cpp",
+    "tests/CHIPAttCert_test_vectors.h",
   ]
 
   if (chip_device_platform == "esp32" || chip_device_platform == "nrfconnect" ||

diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -21,23 +21,17 @@
 #include <credentials/CertificationDeclaration.h>
 #include <credentials/DeviceAttestationConstructor.h>
 #include <credentials/DeviceAttestationVendorReserved.h>
+#include <credentials/tests/CHIPAttCert_test_vectors.h>
 #include <crypto/CHIPCryptoPAL.h>
-#include <string.h>
 
 #include <lib/core/CHIPError.h>
 #include <lib/core/Global.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/Span.h>
 
-namespace chip {
-namespace TestCerts {
-extern const ByteSpan sTestCert_PAA_FFF1_Cert;
-extern const ByteSpan sTestCert_PAA_NoVID_Cert;
-} // namespace TestCerts
-} // namespace chip
-
 using namespace chip::Crypto;
+using chip::TestCerts::kTestAttestationTrustStoreRoots;
 
 namespace chip {
 namespace Credentials {
@@ -273,14 +267,11 @@ constexpr std::array<MatterCDSigningKey, 6> gCdSigningKeys = { {
     { FixedByteSpan<20>{ gCdSigningKey005Kid }, FixedByteSpan<65>{ gCdSigningKey005PubkeyBytes } },
 } };
 
-constexpr ByteSpan const * kTestPaaRoots[] = {
-    &TestCerts::sTestCert_PAA_FFF1_Cert,
-    &TestCerts::sTestCert_PAA_NoVID_Cert,
-};
-
 struct TestAttestationTrustStore final : public ArrayAttestationTrustStore
 {
-    TestAttestationTrustStore() : ArrayAttestationTrustStore(kTestPaaRoots, ArraySize(kTestPaaRoots)) {}
+    TestAttestationTrustStore() :
+        ArrayAttestationTrustStore(kTestAttestationTrustStoreRoots.data(), kTestAttestationTrustStoreRoots.size())
+    {}
 };
 Global<TestAttestationTrustStore> gTestAttestationTrustStore;
 

diff --git a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
@@ -226,17 +226,20 @@ class WellKnownKeysTrustStore
 class ArrayAttestationTrustStore : public AttestationTrustStore
 {
 public:
-    ArrayAttestationTrustStore(const ByteSpan * const * derCerts, size_t numCerts) : mDerCerts(derCerts), mNumCerts(numCerts) {}
+    ArrayAttestationTrustStore(const ByteSpan * derCerts, size_t numCerts) : mDerCerts(derCerts), mNumCerts(numCerts) {}
 
     CHIP_ERROR GetProductAttestationAuthorityCert(const ByteSpan & skid, MutableByteSpan & outPaaDerBuffer) const override
     {
         VerifyOrReturnError(!skid.empty() && (skid.data() != nullptr), CHIP_ERROR_INVALID_ARGUMENT);
         VerifyOrReturnError(skid.size() == Crypto::kSubjectKeyIdentifierLength, CHIP_ERROR_INVALID_ARGUMENT);
 
-        for (size_t paaIdx = 0; paaIdx < mNumCerts; ++paaIdx)
+        size_t paaIdx;
+        ByteSpan candidate;
+
+        for (paaIdx = 0; paaIdx < mNumCerts; ++paaIdx)
         {
             uint8_t skidBuf[Crypto::kSubjectKeyIdentifierLength] = { 0 };
-            ByteSpan const & candidate                           = *mDerCerts[paaIdx];
+            candidate                                            = mDerCerts[paaIdx];
             MutableByteSpan candidateSkidSpan{ skidBuf };
             VerifyOrReturnError(CHIP_NO_ERROR == Crypto::ExtractSKIDFromX509Cert(candidate, candidateSkidSpan),
                                 CHIP_ERROR_INTERNAL);
@@ -252,7 +255,7 @@ class ArrayAttestationTrustStore : public AttestationTrustStore
     }
 
 protected:
-    const ByteSpan * const * mDerCerts;
+    const ByteSpan * mDerCerts;
     const size_t mNumCerts;
 };
 

diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.cpp b/src/credentials/tests/CHIPAttCert_test_vectors.cpp
@@ -4289,5 +4289,10 @@ constexpr uint8_t sTestCert_PAI_FFF2_NoPID_Resigned_SKID_Array[] = {
 
 extern const ByteSpan sTestCert_PAI_FFF2_NoPID_Resigned_SKID = ByteSpan(sTestCert_PAI_FFF2_NoPID_Resigned_SKID_Array);
 
+extern constexpr Span<const ByteSpan> kTestAttestationTrustStoreRoots((const ByteSpan[]){
+    sTestCert_PAA_FFF1_Cert,
+    sTestCert_PAA_NoVID_Cert,
+});
+
 } // namespace TestCerts
 } // namespace chip
diff --git a/src/credentials/tests/CHIPAttCert_test_vectors.h b/src/credentials/tests/CHIPAttCert_test_vectors.h
@@ -23,6 +23,9 @@
 namespace chip {
 namespace TestCerts {
 
+// Root CA certs for chip::Credentials::GetTestAttestationTrustStore()
+extern const Span<const ByteSpan> kTestAttestationTrustStoreRoots;
+
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_Cert;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_SKID;
 extern const ByteSpan sTestCert_DAC_FFF1_8000_0000_2CDPs_PublicKey;