Operational Credentials cluster: AddNOC: Set IPK. (#15654)

* Operational Credentials cluster: AddNOC: Set IPK. * Operational Credentials cluster: AddNOC: Review comments applied.
project-chip · Apr 20, 2022 · 6e161bd · 6e161bd
1 parent ab03f97
commit 6e161bd
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -523,14 +523,22 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
     auto & NOCValue      = commandData.NOCValue;
     auto & ICACValue     = commandData.ICACValue;
     auto & adminVendorId = commandData.adminVendorId;
-
-    auto nocResponse = OperationalCertStatus::kSuccess;
+    auto & ipkValue      = commandData.IPKValue;
+    auto * groups        = Credentials::GetGroupDataProvider();
+    auto nocResponse     = OperationalCertStatus::kSuccess;
 
     CHIP_ERROR err          = CHIP_NO_ERROR;
     FabricIndex fabricIndex = 0;
+    Credentials::GroupDataProvider::KeySet keyset;
 
     emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: commissioner has added a NOC");
 
+    if (nullptr == groups)
+    {
+        LogErrorOnFailure(commandObj->AddStatus(commandPath, Status::Failure));
+        return true;
+    }
+
     FailSafeContext & failSafeContext = DeviceControlServer::DeviceControlSvr().GetFailSafeContext();
 
     if (!failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()))
@@ -567,6 +575,16 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
     // Notify the secure session of the new fabric.
     commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->NewFabric(fabricIndex);
 
+    // Set the Identity Protection Key (IPK)
+    VerifyOrExit(ipkValue.size() == Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES,
+                 nocResponse = ConvertToNOCResponseStatus(CHIP_ERROR_INVALID_ARGUMENT));
+    keyset.keyset_id     = 0; // The IPK SHALL be the operational group key under GroupKeySetID of 0
+    keyset.policy        = GroupKeyManagement::GroupKeySecurityPolicy::kTrustFirst;
+    keyset.num_keys_used = 1;
+    memcpy(keyset.epoch_keys[0].key, ipkValue.data(), Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES);
+    err = groups->SetKeySet(fabricIndex, keyset);
+    VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
+
     // We might have a new operational identity, so we should start advertising it right away.
     app::DnssdServer::Instance().AdvertiseOperational();