Update API to match conversation

- Remove CD stuff from FileAttestationTrustStore
- Refactor FileAttestationTrustStore to allow loading
  of any X.509 cert directory
- Add a command line to chip-tool to disallow test keys
  (`only-allow-trusted-cd-keys`)
- Add plumbing to enable CD keys lookup properly without mixing-up
  with PAA semantics
- Add official CD verifying key and official SDK CD test key
  in the default CD trust store as-is

examples/chip-tool/commands/common/CHIPCommand.cpp

@@ -48,26 +48,21 @@ const chip::Credentials::AttestationTrustStore * CHIPCommand::sTrustStore = null
 chip::Credentials::GroupDataProviderImpl CHIPCommand::sGroupDataProvider{ kMaxGroupsPerFabric, kMaxGroupKeysPerFabric };
 
 namespace {
-const CHIP_ERROR GetAttestationTrustStore(const char * paaTrustStorePath, const char * cdTrustStorePath,
+const CHIP_ERROR GetAttestationTrustStore(const char * paaTrustStorePath,
                                           const chip::Credentials::AttestationTrustStore ** trustStore)
 {
     if (paaTrustStorePath == nullptr)
     {
         paaTrustStorePath = getenv(kPAATrustStorePathVariable);
     }
 
-    if (cdTrustStorePath == nullptr)
-    {
-        cdTrustStorePath = getenv(kCDTrustStorePathVariable);
-    }
-
-    if (paaTrustStorePath == nullptr && cdTrustStorePath == nullptr)
+    if (paaTrustStorePath == nullptr)
     {
         *trustStore = chip::Credentials::GetTestAttestationTrustStore();
         return CHIP_NO_ERROR;
     }
 
-    static chip::Credentials::FileAttestationTrustStore attestationTrustStore{ paaTrustStorePath, cdTrustStorePath };
+    static chip::Credentials::FileAttestationTrustStore attestationTrustStore{ paaTrustStorePath };
 
     if (paaTrustStorePath != nullptr && attestationTrustStore.paaCount() == 0)
     {
@@ -80,17 +75,6 @@ const CHIP_ERROR GetAttestationTrustStore(const char * paaTrustStorePath, const
         return CHIP_ERROR_INVALID_ARGUMENT;
     }
 
-    if (cdTrustStorePath != nullptr && attestationTrustStore.cdCount() == 0)
-    {
-        ChipLogError(chipTool, "No CDs found in path: %s", cdTrustStorePath);
-        ChipLogError(chipTool,
-                     "Please specify a valid path containing trusted CD certificates using "
-                     "the argument [--cd-trust-store-path cd/file/path] "
-                     "or environment variable [%s=cd/file/path]",
-                     kCDTrustStorePathVariable);
-        return CHIP_ERROR_INVALID_ARGUMENT;
-    }
-
     *trustStore = &attestationTrustStore;
     return CHIP_NO_ERROR;
 }
@@ -139,11 +123,34 @@ CHIP_ERROR CHIPCommand::MaybeSetUpStack()
     factoryInitParams.listenPort = port;
     ReturnLogErrorOnFailure(DeviceControllerFactory::GetInstance().Init(factoryInitParams));
 
-    ReturnErrorOnFailure(
-        GetAttestationTrustStore(mPaaTrustStorePath.ValueOr(nullptr), mCDTrustStorePath.ValueOr(nullptr), &sTrustStore));
+    ReturnErrorOnFailure(GetAttestationTrustStore(mPaaTrustStorePath.ValueOr(nullptr), &sTrustStore));
 
     ReturnLogErrorOnFailure(InitializeCommissioner(kIdentityNull, kIdentityNullFabricId));
 
+    // After initializing first commissioner, add the additional CD certs once
+    {
+        const char * cdTrustStorePath = mCDTrustStorePath.ValueOr(nullptr);
+        if (cdTrustStorePath == nullptr)
+        {
+            cdTrustStorePath = getenv(kCDTrustStorePathVariable);
+        }
+
+        auto additionalCdCerts = chip::Credentials::LoadAllX509DerCerts(cdTrustStorePath);
+        if (cdTrustStorePath != nullptr && additionalCdCerts.size() == 0)
+        {
+            ChipLogError(chipTool, "Warning: no CD signing certs found in path: %s, only defaults will be used", cdTrustStorePath);
+            ChipLogError(chipTool,
+                         "Please specify a path containing trusted CD verifying key certificates using "
+                         "the argument [--cd-trust-store-path cd/file/path] "
+                         "or environment variable [%s=cd/file/path]",
+                         kCDTrustStorePathVariable);
+        }
+        ReturnErrorOnFailure(mCredIssuerCmds->AddAdditionalCDVerifyingCerts(additionalCdCerts));
+    }
+    bool allowTestCdSigningKey = !mOnlyAllowTrustedCdKeys.ValueOr(false);
+    mCredIssuerCmds->SetCredentialIssuerOption(CredentialIssuerCommands::CredentialIssuerOptions::kAllowTestCdSigningKey,
+                                               allowTestCdSigningKey);
+
     return CHIP_NO_ERROR;
 }
 

examples/chip-tool/commands/common/CHIPCommand.h

@@ -76,6 +76,9 @@ class CHIPCommand : public Command
         AddArgument("use-max-sized-certs", 0, 1, &mUseMaxSizedCerts,
                     "Maximize the size of operational certificates. If not provided or 0 (\"false\"), normally sized operational "
                     "certificates are generated.");
+        AddArgument("only-allow-trusted-cd-keys", 0, 1, &mOnlyAllowTrustedCdKeys,
+                    "Only allow trusted CD verifying keys (disallow test keys). If not provided or 0 (\"false\"), untrusted CD "
+                    "verifying keys are allowed. If 1 (\"true\"), test keys are disallowed.");
 #if CHIP_CONFIG_TRANSPORT_TRACE_ENABLED
         AddArgument("trace_file", &mTraceFile);
         AddArgument("trace_log", 0, 1, &mTraceLog);
@@ -161,6 +164,7 @@ class CHIPCommand : public Command
     chip::Optional<char *> mPaaTrustStorePath;
     chip::Optional<char *> mCDTrustStorePath;
     chip::Optional<bool> mUseMaxSizedCerts;
+    chip::Optional<bool> mOnlyAllowTrustedCdKeys;
 
     // Cached trust store so commands other than the original startup command
     // can spin up commissioners as needed.

examples/chip-tool/commands/common/CredentialIssuerCommands.h

@@ -23,6 +23,7 @@
 #include <credentials/attestation_verifier/DeviceAttestationVerifier.h>
 #include <lib/core/CHIPCore.h>
 #include <lib/core/CHIPPersistentStorageDelegate.h>
+#include <vector>
 
 class CredentialIssuerCommands
 {
@@ -54,6 +55,16 @@ class CredentialIssuerCommands
     virtual CHIP_ERROR SetupDeviceAttestation(chip::Controller::SetupParams & setupParams,
                                               const chip::Credentials::AttestationTrustStore * trustStore) = 0;
 
+    /**
+     * @brief Add a list of additional non-default CD verifying keys (by certificate)
+     *
+     * Must be called AFTER SetupDeviceAttestation.
+     *
+     * @param additionalCdCerts - vector of X.509 DER verifying cert bodies
+     * @return CHIP_NO_ERROR on succes, another CHIP_ERROR on internal failures.
+     */
+    virtual CHIP_ERROR AddAdditionalCDVerifyingCerts(const std::vector<std::vector<uint8_t>> & additionalCdCerts) = 0;
+
     virtual chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() = 0;
 
     /**
@@ -79,6 +90,7 @@ class CredentialIssuerCommands
     enum CredentialIssuerOptions : uint8_t
     {
         kMaximizeCertificateSizes = 0, // If set, certificate chains will be maximized for testing via padding
+        kAllowTestCdSigningKey    = 1, // If set, allow development/test SDK CD verifying key to be used
     };
 
     virtual void SetCredentialIssuerOption(CredentialIssuerOptions option, bool isEnabled)

examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h

@@ -37,7 +37,9 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
     {
         chip::Credentials::SetDeviceAttestationCredentialsProvider(chip::Credentials::Examples::GetExampleDACProvider());
 
-        setupParams.deviceAttestationVerifier = chip::Credentials::GetDefaultDACVerifier(trustStore);
+        mDacVerifier                          = chip::Credentials::GetDefaultDACVerifier(trustStore);
+        setupParams.deviceAttestationVerifier = mDacVerifier;
+        mDacVerifier->EnableCdTestKeySupport(mAllowTestCdSigningKey);
 
         return CHIP_NO_ERROR;
     }
@@ -49,6 +51,20 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
         return mOpCredsIssuer.GenerateNOCChainAfterValidation(nodeId, fabricId, cats, keypair.Pubkey(), rcac, icac, noc);
     }
 
+    CHIP_ERROR AddAdditionalCDVerifyingCerts(const std::vector<std::vector<uint8_t>> & additionalCdCerts) override
+    {
+        VerifyOrReturnError(mDacVerifier != nullptr, CHIP_ERROR_INCORRECT_STATE);
+
+        for (const auto & cert : additionalCdCerts)
+        {
+            auto cdTrustStore = mDacVerifier->GetCertificationDeclarationTrustStore();
+            VerifyOrReturnError(cdTrustStore != nullptr, CHIP_ERROR_INCORRECT_STATE);
+            ReturnErrorOnFailure(cdTrustStore->AddTrustedKey(chip::ByteSpan(cert.data(), cert.size())));
+        }
+
+        return CHIP_NO_ERROR;
+    }
+
     void SetCredentialIssuerOption(CredentialIssuerOptions option, bool isEnabled) override
     {
         switch (option)
@@ -57,6 +73,13 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
             mUsesMaxSizedCerts = isEnabled;
             mOpCredsIssuer.SetMaximallyLargeCertsUsed(mUsesMaxSizedCerts);
             break;
+        case CredentialIssuerOptions::kAllowTestCdSigningKey:
+            mAllowTestCdSigningKey = isEnabled;
+            if (mDacVerifier != nullptr)
+            {
+                mDacVerifier->EnableCdTestKeySupport(isEnabled);
+            }
+
         default:
             break;
         }
@@ -68,14 +91,19 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
         {
         case CredentialIssuerOptions::kMaximizeCertificateSizes:
             return mUsesMaxSizedCerts;
+        case CredentialIssuerOptions::kAllowTestCdSigningKey:
+            return mAllowTestCdSigningKey;
         default:
             return false;
         }
     }
 
 protected:
     bool mUsesMaxSizedCerts = false;
+    // Starts true for legacy purposes
+    bool mAllowTestCdSigningKey = true;
 
 private:
     chip::Controller::ExampleOperationalCredentialsIssuer mOpCredsIssuer;
+    chip::Credentials::DeviceAttestationVerifier * mDacVerifier;
 };