From 6e161bd72f125c92e04446ed3e7b245774732396 Mon Sep 17 00:00:00 2001
From: Ricardo Casallas <77841255+rcasallas-silabs@users.noreply.github.com>
Date: Mon, 7 Mar 2022 14:15:25 -0500
Subject: [PATCH] Operational Credentials cluster: AddNOC: Set IPK. (#15654)
* Operational Credentials cluster: AddNOC: Set IPK.
* Operational Credentials cluster: AddNOC: Review comments applied.
---
 .../operational-credentials-server.cpp | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
index 6d053b2a608a54..dc3a9850e96f51 100644
--- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
+++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -523,14 +523,22 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
 auto & NOCValue = commandData.NOCValue;
 auto & ICACValue = commandData.ICACValue;
 auto & adminVendorId = commandData.adminVendorId;
-
- auto nocResponse = OperationalCertStatus::kSuccess;
+ auto & ipkValue = commandData.IPKValue;
+ auto * groups = Credentials::GetGroupDataProvider();
+ auto nocResponse = OperationalCertStatus::kSuccess;
 CHIP_ERROR err = CHIP_NO_ERROR;
 FabricIndex fabricIndex = 0;
+ Credentials::GroupDataProvider::KeySet keyset;
 emberAfPrintln(EMBER_AF_PRINT_DEBUG, "OpCreds: commissioner has added a NOC");
+ if (nullptr == groups)
+ {
+ LogErrorOnFailure(commandObj->AddStatus(commandPath, Status::Failure));
+ return true;
+ }
+
 FailSafeContext & failSafeContext = DeviceControlServer::DeviceControlSvr().GetFailSafeContext();
 if (!failSafeContext.IsFailSafeArmed(commandObj->GetAccessingFabricIndex()))
@@ -567,6 +575,16 @@ bool emberAfOperationalCredentialsClusterAddNOCCallback(app::CommandHandler * co
 // Notify the secure session of the new fabric.
 commandObj->GetExchangeContext()->GetSessionHandle()->AsSecureSession()->NewFabric(fabricIndex);
+ // Set the Identity Protection Key (IPK)
VerifyOrExit(ipkValue.size() == Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES,
+ nocResponse = ConvertToNOCResponseStatus(CHIP_ERROR_INVALID_ARGUMENT));
+ keyset.keyset_id = 0; // The IPK SHALL be the operational group key under GroupKeySetID of 0
+ keyset.policy = GroupKeyManagement::GroupKeySecurityPolicy::kTrustFirst;
+ keyset.num_keys_used = 1;
+ memcpy(keyset.epoch_keys[0].key, ipkValue.data(), Crypto::CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES);
+ err = groups->SetKeySet(fabricIndex, keyset);
+ VerifyOrExit(err == CHIP_NO_ERROR, nocResponse = ConvertToNOCResponseStatus(err));
+
 // We might have a new operational identity, so we should start advertising it right away.
 app::DnssdServer::Instance().AdvertiseOperational();
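Review bot: `keyset` is declared in the first hunk as `Credentials::GroupDataProvider::KeySet keyset;` with no initializer, and this hunk sets only `keyset_id`, `policy`, `num_keys_used` and `epoch_keys[0].key` before handing it to `SetKeySet`, so unless `KeySet` has default member initializers (not visible here) `epoch_keys[0].start_time` and the unused epoch slots carry indeterminate stack bytes into whatever the provider stores; brace-initialize it, `Credentials::GroupDataProvider::KeySet keyset{};`. The IPK bytes also remain in `keyset` on the stack after `SetKeySet` returns, so clearing `keyset.epoch_keys[0].key` once the provider has taken its copy (with the project's secret-wiping helper, if one is available) keeps key material from outliving its use. The length check runs after the fabric has been committed and `NewFabric` has been called, so an undersized `IPKValue` leaves a fabric added with no IPK until the label `VerifyOrExit` jumps to, or fail-safe expiry, cleans it up; that label and the rest of the function are outside this hunk.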