Sync csa branch with main (#652)

Author: mkardous-silabs

examples/all-clusters-app/all-clusters-common/include/tls-certificate-management-instance.h

@@ -36,9 +36,9 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
     TlsCertificateManagementCommandDelegate(Tls::CertificateTable & certificateTable) : mCertificateTable(certificateTable) {}
     ~TlsCertificateManagementCommandDelegate() = default;
 
-    Protocols::InteractionModel::ClusterStatusCode ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                     const ProvisionRootCertificateType & provisionReq,
-                                                                     Tls::TLSCAID & outCaid) override;
+    Protocols::InteractionModel::Status ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                          const ProvisionRootCertificateType & provisionReq,
+                                                          Tls::TLSCAID & outCaid) override;
 
     CHIP_ERROR LoadedRootCerts(EndpointId matterEndpoint, FabricIndex fabric,
                                LoadedRootCertificateCallback loadedCallback) const override;
@@ -56,9 +56,8 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
     Protocols::InteractionModel::Status GenerateClientCsr(EndpointId matterEndpoint, FabricIndex fabric,
                                                           const ClientCsrType & request,
                                                           GeneratedCsrCallback loadedCallback) const override;
-    Protocols::InteractionModel::ClusterStatusCode
-    ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
-                        const ProvisionClientCertificateType & provisionReq) override;
+    Protocols::InteractionModel::Status ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                            const ProvisionClientCertificateType & provisionReq) override;
 
     CHIP_ERROR LoadedClientCerts(EndpointId matterEndpoint, FabricIndex fabric,
                                  LoadedClientCertificateCallback loadedCallback) const override;
@@ -73,7 +72,7 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
                                 LoadedClientCertificateCallback loadedCallback) const override;
     Protocols::InteractionModel::Status RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) override;
 
-    static inline TlsCertificateManagementCommandDelegate & getInstance() { return instance; }
+    static inline TlsCertificateManagementCommandDelegate & GetInstance() { return instance; }
 };
 
 } // namespace Clusters

examples/all-clusters-app/all-clusters-common/include/tls-client-management-instance.h

@@ -61,6 +61,9 @@ class TlsClientManagementCommandDelegate : public TlsClientManagementDelegate
     Protocols::InteractionModel::ClusterStatusCode RemoveProvisionedEndpointByID(EndpointId matterEndpoint, FabricIndex fabric,
                                                                                  uint16_t endpointID) override;
 
+    CHIP_ERROR RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id) override;
+    CHIP_ERROR ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) override;
+
     static inline TlsClientManagementCommandDelegate & GetInstance() { return instance; }
 
     uint16_t GetEndpointId(Provisioned * provisioned);

examples/all-clusters-app/all-clusters-common/src/tls-certificate-management-instance.cpp

@@ -22,6 +22,7 @@
 #include <clusters/TlsCertificateManagement/Commands.h>
 #include <crypto/CHIPCryptoPAL.h>
 #include <tls-certificate-management-instance.h>
+#include <tls-client-management-instance.h>
 
 using namespace chip;
 using namespace chip::app;
@@ -135,31 +136,31 @@ struct InlineEncodableClientCert : RefEncodableClientCert
     InlineEncodableClientCert() : RefEncodableClientCert(inlineCertificate) {}
 };
 
-static constexpr uint8_t kMaxRootCerts   = 254;
-static constexpr uint8_t kMaxClientCerts = 254;
+static constexpr uint8_t kMaxRootCerts   = kMaxRootCertificatesPerFabric;
+static constexpr uint8_t kMaxClientCerts = kMaxClientCertificatesPerFabric;
 
 CHIP_ERROR FingerprintMatch(const ByteSpan & fingerprint, const ByteSpan & cert, bool & outMatch)
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, chip::Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(cert.data(), cert.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(cert.data(), cert.size(), fingerprintPayload.data()));
     outMatch = fingerprint.data_equal(calculatedFingerprint);
     return CHIP_NO_ERROR;
 }
 
-ClusterStatusCode TlsCertificateManagementCommandDelegate::ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                             const ProvisionRootCertificateType & provisionReq,
-                                                                             Tls::TLSCAID & outCaid)
+Status TlsCertificateManagementCommandDelegate::ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                  const ProvisionRootCertificateType & provisionReq,
+                                                                  Tls::TLSCAID & outCaid)
 {
     auto localId = provisionReq.caid.IsNull() ? Optional<Tls::TLSCAID>() : Optional<Tls::TLSCAID>(provisionReq.caid.Value());
     UniquePtr<InlineBufferedRootCert> certBuffer(New<InlineBufferedRootCert>());
-    VerifyOrReturnError(certBuffer, ClusterStatusCode(CHIP_ERROR_NO_MEMORY));
+    VerifyOrReturnError(certBuffer, Status::ResourceExhausted);
 
     auto result = mCertificateTable.UpsertRootCertificateEntry(fabric, localId, certBuffer->buffer, provisionReq.certificate);
 
-    VerifyOrReturnValue(result == CHIP_NO_ERROR, ClusterStatusCode(Status::Failure));
+    VerifyOrReturnValue(result == CHIP_NO_ERROR, Status::Failure);
     outCaid = localId.Value();
-    return ClusterStatusCode(Status::Success);
+    return Status::Success;
 }
 
 CHIP_ERROR TlsCertificateManagementCommandDelegate::LoadedRootCerts(EndpointId matterEndpoint, FabricIndex fabric,
@@ -252,9 +253,9 @@ CHIP_ERROR TlsCertificateManagementCommandDelegate::LookupRootCert(EndpointId ma
                                                                    const ByteSpan & certificate,
                                                                    LoadedRootCertificateCallback loadedCallback) const
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(certificate.data(), certificate.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(certificate.data(), certificate.size(), fingerprintPayload.data()));
     return LookupRootCertByFingerprint(matterEndpoint, fabric, calculatedFingerprint, loadedCallback);
 }
 
@@ -302,19 +303,25 @@ Status TlsCertificateManagementCommandDelegate::GenerateClientCsr(EndpointId mat
     return loadedCallback(csrResponse);
 }
 
-ClusterStatusCode TlsCertificateManagementCommandDelegate::ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                               const ProvisionClientCertificateType & provisionReq)
+Status TlsCertificateManagementCommandDelegate::ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                    const ProvisionClientCertificateType & provisionReq)
 {
     UniquePtr<InlineBufferedClientCert> certBuffer(New<InlineBufferedClientCert>());
-    VerifyOrReturnError(certBuffer, ClusterStatusCode(CHIP_ERROR_NO_MEMORY));
+    VerifyOrReturnError(certBuffer, Status::ResourceExhausted);
+
     TLSClientCertificateDetailStruct::DecodableType details;
     details.ccdid = provisionReq.ccdid;
     details.clientCertificate.SetValue(provisionReq.clientCertificate);
     details.intermediateCertificates.SetValue(provisionReq.intermediateCertificates);
     details.SetFabricIndex(fabric);
+
     auto result = mCertificateTable.UpdateClientCertificateEntry(fabric, provisionReq.ccdid, certBuffer->buffer, details);
-    ReturnValueOnFailure(result, ClusterStatusCode(Status::Failure));
-    return ClusterStatusCode(Status::Success);
+    if (result == CHIP_ERROR_INVALID_ARGUMENT)
+    {
+        return Status::DynamicConstraintError;
+    }
+    ReturnValueOnFailure(result, Status::Failure);
+    return Status::Success;
 }
 
 CHIP_ERROR TlsCertificateManagementCommandDelegate::LoadedClientCerts(EndpointId matterEndpoint, FabricIndex fabric,
@@ -413,13 +420,13 @@ CHIP_ERROR TlsCertificateManagementCommandDelegate::LookupClientCert(EndpointId
                                                                      const ByteSpan & certificate,
                                                                      LoadedClientCertificateCallback loadedCallback) const
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(certificate.data(), certificate.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(certificate.data(), certificate.size(), fingerprintPayload.data()));
     return LookupClientCertByFingerprint(matterEndpoint, fabric, calculatedFingerprint, loadedCallback);
 }
 
-Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id)
+Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id)
 {
     VerifyOrReturnValue(matterEndpoint == EndpointId(1), Status::ConstraintError);
 
@@ -436,9 +443,9 @@ Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matt
 
 static CertificateTableImpl gCertificateTableInstance;
 TlsCertificateManagementCommandDelegate TlsCertificateManagementCommandDelegate::instance(gCertificateTableInstance);
-static TlsCertificateManagementServer gTlsCertificateManagementClusterServerInstance =
-    TlsCertificateManagementServer(EndpointId(1), TlsCertificateManagementCommandDelegate::getInstance(), gCertificateTableInstance,
-                                   kMaxRootCerts, kMaxClientCerts);
+static TlsCertificateManagementServer gTlsCertificateManagementClusterServerInstance = TlsCertificateManagementServer(
+    EndpointId(1), TlsCertificateManagementCommandDelegate::GetInstance(), TlsClientManagementCommandDelegate::GetInstance(),
+    gCertificateTableInstance, kMaxRootCerts, kMaxClientCerts);
 
 void emberAfTlsCertificateManagementClusterInitCallback(EndpointId matterEndpoint)
 {

examples/all-clusters-app/all-clusters-common/src/tls-client-management-instance.cpp

@@ -201,6 +201,33 @@ ClusterStatusCode TlsClientManagementCommandDelegate::RemoveProvisionedEndpointB
     return ClusterStatusCode(Status::Success);
 }
 
+CHIP_ERROR TlsClientManagementCommandDelegate::RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id)
+{
+    auto i = mProvisioned.begin();
+    for (; i != mProvisioned.end(); i++)
+    {
+        if (i->payload.caid == id)
+        {
+            return CHIP_ERROR_BAD_REQUEST;
+        }
+    }
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR TlsClientManagementCommandDelegate::ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                      Tls::TLSCCDID id)
+{
+    auto i = mProvisioned.begin();
+    for (; i != mProvisioned.end(); i++)
+    {
+        if (i->payload.ccdid == id)
+        {
+            return CHIP_ERROR_BAD_REQUEST;
+        }
+    }
+    return CHIP_NO_ERROR;
+}
+
 static CertificateTableImpl gCertificateTableInstance;
 TlsClientManagementCommandDelegate TlsClientManagementCommandDelegate::instance(gCertificateTableInstance);
 static TlsClientManagementServer gTlsClientManagementClusterServerInstance = TlsClientManagementServer(

examples/camera-app/camera-common/src/camera-app.cpp

@@ -52,7 +52,7 @@ CameraApp::CameraApp(chip::EndpointId aClustersEndpoint, CameraDeviceInterface *
                                                                     &Clusters::TlsClientManagementCommandDelegate::GetInstance());
 
     Clusters::PushAvStreamTransport::SetTlsCertificateManagementDelegate(
-        mEndpoint, &Clusters::TlsCertificateManagementCommandDelegate::getInstance());
+        mEndpoint, &Clusters::TlsCertificateManagementCommandDelegate::GetInstance());
     // Fetch all initialization parameters for CameraAVStreamMgmt Server
     BitFlags<CameraAvStreamManagement::Feature> avsmFeatures;
     BitFlags<CameraAvStreamManagement::OptionalAttribute> avsmOptionalAttrs;

examples/camera-controller/BUILD.gn

@@ -111,7 +111,6 @@ static_library("camera-controller-utils") {
 
   public_deps = [
     "${chip_root}/examples/common/tracing:commandline",
-    "${chip_root}/src/app:required-privileges",
     "${chip_root}/src/app/server",
     "${chip_root}/src/app/tests/suites/commands/interaction_model",
     "${chip_root}/src/controller/data_model",

examples/chef/chef.py

@@ -892,6 +892,7 @@ def main() -> int:
                  f'"CHIP_DEVICE_CONFIG_DEVICE_PRODUCT_ID={options.pid}", '
                  f'"CONFIG_ENABLE_PW_RPC={int(options.do_rpc)}", '
                  f'"CHIP_DEVICE_CONFIG_DEVICE_PRODUCT_NAME=\\"{str(options.pname)}\\""]'),
+                'chip_app_data_model_target = "//:chef-data-model"',
             ])
 
             uname_resp = shell.run_cmd("uname -m", return_cmd_output=True)

examples/contact-sensor-app/bouffalolab/bl702l/args.gni

@@ -27,3 +27,4 @@ chip_error_logging = true
 chip_enable_icd_server = true
 chip_enable_icd_lit = true
 chip_enable_icd_dsls = true
+chip_app_data_model_target = "//:bouffalolab_contact_sensor"

examples/lighting-app/bouffalolab/bl602/args.gni

@@ -32,3 +32,4 @@ pw_build_LINK_DEPS = [
   "$dir_pw_assert:impl",
   "$dir_pw_log:impl",
 ]
+chip_app_data_model_target = "//:bouffalolab-lighting"

examples/lighting-app/bouffalolab/bl616/args.gni

@@ -23,3 +23,4 @@ chip_detail_logging = false
 
 # use -Os instead of -Og
 is_debug = false
+chip_app_data_model_target = "//:bouffalolab-lighting"