Complete TC tests for TLS Certificate Management & fix impl (#41046)

* Complete TC tests

* TC test check-in; tests should be complete, impl needs to be fixed to pass tests

* TLS TC Tests Completed & all passing against impl

* Python lint fixes

* Python lint fixes

* Fix camera app compile errors

* Apply review comments

Author: gmarcosb

examples/all-clusters-app/all-clusters-common/include/tls-certificate-management-instance.h

@@ -36,9 +36,9 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
     TlsCertificateManagementCommandDelegate(Tls::CertificateTable & certificateTable) : mCertificateTable(certificateTable) {}
     ~TlsCertificateManagementCommandDelegate() = default;
 
-    Protocols::InteractionModel::ClusterStatusCode ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                     const ProvisionRootCertificateType & provisionReq,
-                                                                     Tls::TLSCAID & outCaid) override;
+    Protocols::InteractionModel::Status ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                          const ProvisionRootCertificateType & provisionReq,
+                                                          Tls::TLSCAID & outCaid) override;
 
     CHIP_ERROR LoadedRootCerts(EndpointId matterEndpoint, FabricIndex fabric,
                                LoadedRootCertificateCallback loadedCallback) const override;
@@ -56,9 +56,8 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
     Protocols::InteractionModel::Status GenerateClientCsr(EndpointId matterEndpoint, FabricIndex fabric,
                                                           const ClientCsrType & request,
                                                           GeneratedCsrCallback loadedCallback) const override;
-    Protocols::InteractionModel::ClusterStatusCode
-    ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
-                        const ProvisionClientCertificateType & provisionReq) override;
+    Protocols::InteractionModel::Status ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                            const ProvisionClientCertificateType & provisionReq) override;
 
     CHIP_ERROR LoadedClientCerts(EndpointId matterEndpoint, FabricIndex fabric,
                                  LoadedClientCertificateCallback loadedCallback) const override;
@@ -73,7 +72,7 @@ class TlsCertificateManagementCommandDelegate : public TlsCertificateManagementD
                                 LoadedClientCertificateCallback loadedCallback) const override;
     Protocols::InteractionModel::Status RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) override;
 
-    static inline TlsCertificateManagementCommandDelegate & getInstance() { return instance; }
+    static inline TlsCertificateManagementCommandDelegate & GetInstance() { return instance; }
 };
 
 } // namespace Clusters

examples/all-clusters-app/all-clusters-common/include/tls-client-management-instance.h

@@ -61,6 +61,9 @@ class TlsClientManagementCommandDelegate : public TlsClientManagementDelegate
     Protocols::InteractionModel::ClusterStatusCode RemoveProvisionedEndpointByID(EndpointId matterEndpoint, FabricIndex fabric,
                                                                                  uint16_t endpointID) override;
 
+    CHIP_ERROR RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id) override;
+    CHIP_ERROR ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) override;
+
     static inline TlsClientManagementCommandDelegate & GetInstance() { return instance; }
 
     uint16_t GetEndpointId(Provisioned * provisioned);

examples/all-clusters-app/all-clusters-common/src/tls-certificate-management-instance.cpp

@@ -22,6 +22,7 @@
 #include <clusters/TlsCertificateManagement/Commands.h>
 #include <crypto/CHIPCryptoPAL.h>
 #include <tls-certificate-management-instance.h>
+#include <tls-client-management-instance.h>
 
 using namespace chip;
 using namespace chip::app;
@@ -135,31 +136,31 @@ struct InlineEncodableClientCert : RefEncodableClientCert
     InlineEncodableClientCert() : RefEncodableClientCert(inlineCertificate) {}
 };
 
-static constexpr uint8_t kMaxRootCerts   = 254;
-static constexpr uint8_t kMaxClientCerts = 254;
+static constexpr uint8_t kMaxRootCerts   = kMaxRootCertificatesPerFabric;
+static constexpr uint8_t kMaxClientCerts = kMaxClientCertificatesPerFabric;
 
 CHIP_ERROR FingerprintMatch(const ByteSpan & fingerprint, const ByteSpan & cert, bool & outMatch)
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, chip::Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(cert.data(), cert.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(cert.data(), cert.size(), fingerprintPayload.data()));
     outMatch = fingerprint.data_equal(calculatedFingerprint);
     return CHIP_NO_ERROR;
 }
 
-ClusterStatusCode TlsCertificateManagementCommandDelegate::ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                             const ProvisionRootCertificateType & provisionReq,
-                                                                             Tls::TLSCAID & outCaid)
+Status TlsCertificateManagementCommandDelegate::ProvisionRootCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                  const ProvisionRootCertificateType & provisionReq,
+                                                                  Tls::TLSCAID & outCaid)
 {
     auto localId = provisionReq.caid.IsNull() ? Optional<Tls::TLSCAID>() : Optional<Tls::TLSCAID>(provisionReq.caid.Value());
     UniquePtr<InlineBufferedRootCert> certBuffer(New<InlineBufferedRootCert>());
-    VerifyOrReturnError(certBuffer, ClusterStatusCode(CHIP_ERROR_NO_MEMORY));
+    VerifyOrReturnError(certBuffer, Status::ResourceExhausted);
 
     auto result = mCertificateTable.UpsertRootCertificateEntry(fabric, localId, certBuffer->buffer, provisionReq.certificate);
 
-    VerifyOrReturnValue(result == CHIP_NO_ERROR, ClusterStatusCode(Status::Failure));
+    VerifyOrReturnValue(result == CHIP_NO_ERROR, Status::Failure);
     outCaid = localId.Value();
-    return ClusterStatusCode(Status::Success);
+    return Status::Success;
 }
 
 CHIP_ERROR TlsCertificateManagementCommandDelegate::LoadedRootCerts(EndpointId matterEndpoint, FabricIndex fabric,
@@ -252,9 +253,9 @@ CHIP_ERROR TlsCertificateManagementCommandDelegate::LookupRootCert(EndpointId ma
                                                                    const ByteSpan & certificate,
                                                                    LoadedRootCertificateCallback loadedCallback) const
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(certificate.data(), certificate.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(certificate.data(), certificate.size(), fingerprintPayload.data()));
     return LookupRootCertByFingerprint(matterEndpoint, fabric, calculatedFingerprint, loadedCallback);
 }
 
@@ -302,19 +303,25 @@ Status TlsCertificateManagementCommandDelegate::GenerateClientCsr(EndpointId mat
     return loadedCallback(csrResponse);
 }
 
-ClusterStatusCode TlsCertificateManagementCommandDelegate::ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                               const ProvisionClientCertificateType & provisionReq)
+Status TlsCertificateManagementCommandDelegate::ProvisionClientCert(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                    const ProvisionClientCertificateType & provisionReq)
 {
     UniquePtr<InlineBufferedClientCert> certBuffer(New<InlineBufferedClientCert>());
-    VerifyOrReturnError(certBuffer, ClusterStatusCode(CHIP_ERROR_NO_MEMORY));
+    VerifyOrReturnError(certBuffer, Status::ResourceExhausted);
+
     TLSClientCertificateDetailStruct::DecodableType details;
     details.ccdid = provisionReq.ccdid;
     details.clientCertificate.SetValue(provisionReq.clientCertificate);
     details.intermediateCertificates.SetValue(provisionReq.intermediateCertificates);
     details.SetFabricIndex(fabric);
+
     auto result = mCertificateTable.UpdateClientCertificateEntry(fabric, provisionReq.ccdid, certBuffer->buffer, details);
-    ReturnValueOnFailure(result, ClusterStatusCode(Status::Failure));
-    return ClusterStatusCode(Status::Success);
+    if (result == CHIP_ERROR_INVALID_ARGUMENT)
+    {
+        return Status::DynamicConstraintError;
+    }
+    ReturnValueOnFailure(result, Status::Failure);
+    return Status::Success;
 }
 
 CHIP_ERROR TlsCertificateManagementCommandDelegate::LoadedClientCerts(EndpointId matterEndpoint, FabricIndex fabric,
@@ -413,13 +420,13 @@ CHIP_ERROR TlsCertificateManagementCommandDelegate::LookupClientCert(EndpointId
                                                                      const ByteSpan & certificate,
                                                                      LoadedClientCertificateCallback loadedCallback) const
 {
-    std::array<uint8_t, chip::Crypto::kSHA1_Hash_Length> fingerprintPayload = { 0 };
+    std::array<uint8_t, Crypto::kSHA256_Hash_Length> fingerprintPayload = { 0 };
     MutableByteSpan calculatedFingerprint(fingerprintPayload);
-    ReturnErrorOnFailure(Hash_SHA1(certificate.data(), certificate.size(), fingerprintPayload.data()));
+    ReturnErrorOnFailure(Hash_SHA256(certificate.data(), certificate.size(), fingerprintPayload.data()));
     return LookupClientCertByFingerprint(matterEndpoint, fabric, calculatedFingerprint, loadedCallback);
 }
 
-Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id)
+Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id)
 {
     VerifyOrReturnValue(matterEndpoint == EndpointId(1), Status::ConstraintError);
 
@@ -436,9 +443,9 @@ Status TlsCertificateManagementCommandDelegate::RemoveClientCert(EndpointId matt
 
 static CertificateTableImpl gCertificateTableInstance;
 TlsCertificateManagementCommandDelegate TlsCertificateManagementCommandDelegate::instance(gCertificateTableInstance);
-static TlsCertificateManagementServer gTlsCertificateManagementClusterServerInstance =
-    TlsCertificateManagementServer(EndpointId(1), TlsCertificateManagementCommandDelegate::getInstance(), gCertificateTableInstance,
-                                   kMaxRootCerts, kMaxClientCerts);
+static TlsCertificateManagementServer gTlsCertificateManagementClusterServerInstance = TlsCertificateManagementServer(
+    EndpointId(1), TlsCertificateManagementCommandDelegate::GetInstance(), TlsClientManagementCommandDelegate::GetInstance(),
+    gCertificateTableInstance, kMaxRootCerts, kMaxClientCerts);
 
 void emberAfTlsCertificateManagementClusterInitCallback(EndpointId matterEndpoint)
 {

examples/all-clusters-app/all-clusters-common/src/tls-client-management-instance.cpp

@@ -201,6 +201,33 @@ ClusterStatusCode TlsClientManagementCommandDelegate::RemoveProvisionedEndpointB
     return ClusterStatusCode(Status::Success);
 }
 
+CHIP_ERROR TlsClientManagementCommandDelegate::RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id)
+{
+    auto i = mProvisioned.begin();
+    for (; i != mProvisioned.end(); i++)
+    {
+        if (i->payload.caid == id)
+        {
+            return CHIP_ERROR_BAD_REQUEST;
+        }
+    }
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR TlsClientManagementCommandDelegate::ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric,
+                                                                      Tls::TLSCCDID id)
+{
+    auto i = mProvisioned.begin();
+    for (; i != mProvisioned.end(); i++)
+    {
+        if (i->payload.ccdid == id)
+        {
+            return CHIP_ERROR_BAD_REQUEST;
+        }
+    }
+    return CHIP_NO_ERROR;
+}
+
 static CertificateTableImpl gCertificateTableInstance;
 TlsClientManagementCommandDelegate TlsClientManagementCommandDelegate::instance(gCertificateTableInstance);
 static TlsClientManagementServer gTlsClientManagementClusterServerInstance = TlsClientManagementServer(

examples/camera-app/camera-common/src/camera-app.cpp

@@ -52,7 +52,7 @@ CameraApp::CameraApp(chip::EndpointId aClustersEndpoint, CameraDeviceInterface *
                                                                     &Clusters::TlsClientManagementCommandDelegate::GetInstance());
 
     Clusters::PushAvStreamTransport::SetTlsCertificateManagementDelegate(
-        mEndpoint, &Clusters::TlsCertificateManagementCommandDelegate::getInstance());
+        mEndpoint, &Clusters::TlsCertificateManagementCommandDelegate::GetInstance());
     // Fetch all initialization parameters for CameraAVStreamMgmt Server
     BitFlags<CameraAvStreamManagement::Feature> avsmFeatures;
     BitFlags<CameraAvStreamManagement::OptionalAttribute> avsmOptionalAttrs;

src/app/clusters/push-av-stream-transport-server/tests/TestPushAVStreamTransportCluster.cpp

@@ -391,29 +391,41 @@ class TestTlsClientManagementDelegate : public TlsClientManagementDelegate
 
 public:
     CHIP_ERROR GetProvisionedEndpointByIndex(EndpointId matterEndpoint, FabricIndex fabric, size_t index,
-                                             EndpointStructType & endpoint) const
+                                             EndpointStructType & endpoint) const override
     {
         return CHIP_NO_ERROR;
     }
 
     Protocols::InteractionModel::ClusterStatusCode
     ProvisionEndpoint(EndpointId matterEndpoint, FabricIndex fabric,
-                      const TlsClientManagement::Commands::ProvisionEndpoint::DecodableType & provisionReq, uint16_t & endpointID)
+                      const TlsClientManagement::Commands::ProvisionEndpoint::DecodableType & provisionReq,
+                      uint16_t & endpointID) override
     {
         return ClusterStatusCode(Status::Success);
     }
 
     Protocols::InteractionModel::Status FindProvisionedEndpointByID(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                    uint16_t endpointID, EndpointStructType & endpoint) const
+                                                                    uint16_t endpointID,
+                                                                    EndpointStructType & endpoint) const override
     {
         return Status::Success;
     }
 
     Protocols::InteractionModel::ClusterStatusCode RemoveProvisionedEndpointByID(EndpointId matterEndpoint, FabricIndex fabric,
-                                                                                 uint16_t endpointID)
+                                                                                 uint16_t endpointID) override
     {
         return ClusterStatusCode(Status::Success);
     }
+
+    CHIP_ERROR RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id) override
+    {
+        return CHIP_NO_ERROR;
+    }
+
+    CHIP_ERROR ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) override
+    {
+        return CHIP_NO_ERROR;
+    }
 };
 
 class TestPushAVStreamTransportServerLogic : public ::testing::Test

src/app/clusters/tls-certificate-management-server/CertificateTable.h

@@ -191,6 +191,38 @@ class CertificateTable
     }
 };
 
+/** @brief
+ *  Defines methods for implementing application-specific logic for checking if a certificate
+ *  has no blocking dependencies and can be removed.
+ */
+class CertificateDependencyChecker
+{
+public:
+    CertificateDependencyChecker() = default;
+
+    virtual ~CertificateDependencyChecker() = default;
+
+    /**
+     * @brief Checks whether the root certificate with the given (matterEndpoint, fabric, id) has no dependencies
+     *
+     * @param[in] matterEndpoint The matter endpoint to query against
+     * @param[in] fabric The fabric the certificate is associated with
+     * @param[in] id The id of the root certificate to remove.
+     * @return CHIP_NO_ERROR if the certificate can be removed.
+     */
+    virtual CHIP_ERROR RootCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCAID id) = 0;
+
+    /**
+     * @brief Checks whether the client certificate with the given (matterEndpoint, fabric, id) has no dependencies
+     *
+     * @param[in] matterEndpoint The matter endpoint to query against
+     * @param[in] fabric The fabric the certificate is associated with
+     * @param[in] id The id of the client certificate to remove.
+     * @return CHIP_NO_ERROR if the certificate can be removed.
+     */
+    virtual CHIP_ERROR ClientCertCanBeRemoved(EndpointId matterEndpoint, FabricIndex fabric, Tls::TLSCCDID id) = 0;
+};
+
 } // namespace Tls
 } // namespace Clusters
 

src/app/clusters/tls-certificate-management-server/CertificateTableImpl.cpp

@@ -672,6 +672,15 @@ CHIP_ERROR CertificateTableImpl::UpdateClientCertificateEntry(FabricIndex fabric
     ClientCertWithKey certWithKey;
     CertificateId localId(id);
     ReturnErrorOnFailure(mClientCertificates.GetTableEntry(fabric_index, localId, certWithKey, buffer));
+    Crypto::P256PublicKey certPubKey;
+    ReturnErrorOnFailure(Crypto::ExtractPubkeyFromX509Cert(entry.clientCertificate.Value().Value(), certPubKey));
+    Crypto::P256Keypair keyPair;
+    ReturnErrorOnFailure(keyPair.Deserialize(certWithKey.key));
+    auto & storedPubKey = keyPair.Pubkey();
+    if (!ByteSpan(storedPubKey, storedPubKey.Length()).data_equal(ByteSpan(certPubKey, certPubKey.Length())))
+    {
+        return CHIP_ERROR_INVALID_ARGUMENT;
+    }
     certWithKey.detail       = entry;
     certWithKey.detail.ccdid = id;