Implement VID Verification in OpCreds cluster (2/2) (project-chip#38469)

* Implement VID Verification in OpCreds cluster (2/2)

- Add VVS/VVSC storage in PersistentStorageOpCertStore
- Finished all attributes and commands in Opcreds cluster
- Bumped Opcreds revision to 2
- Added all necessary testability features to matter_testing support
  for list subscriptions
- NOTE: this includes project-chip#38445 temporarily until merged

Testing done:

- Integration tests through TC-OPCREDS-3.9
- More unit tests to follow, but coverage through TC-OPCREDS-3.9 is near
  exhaustive.

* Restyled by clang-format

* Restyled by autopep8

* Restyled by isort

* Fix TC-CGEN-2.9

- Fabric table was incorrectly read, which could lead to issues
  when the fabric table has more fields than before.

* Address review comments from cecille@

* Restyled by clang-format

* Renamed TC-OPCREDS-3.9 to TC-OPCREDS-3.8

* Added comments to AttributeMatcher

* Renamed test in TC_OPCREDS_3_8.py

* Restyled by autopep8

* More logging in TC-CGEN-2.9

* Restyled by autopep8

* Restyled by isort

* Add a verification against some node ID to diagnose CI

* Restyled by clang-format

* Fix hermeticity of TC-CGEN scripts in CI

- The scripts did not factory reset properly so they were
  impacted by lack of hermeticity, causing a failure of CGEN-2.9
  after unrelated master changes.
- The method to find "commissioner's fabric" before some fabric
  removal was wrong in CGEN-2.9. Fixed the method to use CurrentFabricIndex

* Add logging

* Restyled by autopep8

* Revert "Restyled by clang-format"

This reverts commit 66dee3d.

* Revert "Add a verification against some node ID to diagnose CI"

This reverts commit b188e36.

* Use fix-cgen-2.9

* Update cgen

---------

Co-authored-by: Restyled.io <[email protected]>

Author: tcarmelveilleux

src/app/chip_data_model.gni

@@ -493,6 +493,9 @@ template("chip_data_model") {
           "${_app_root}/clusters/${cluster}/${cluster}.cpp",
           "${_app_root}/clusters/${cluster}/${cluster}.h",
         ]
+      } else if (cluster == "operational-credentials-server") {
+        sources += [ "${_app_root}/clusters/operational-credentials-server/operational-credentials-server.cpp" ]
+        deps += [ "${chip_root}/zzz_generated/app-common/clusters/OperationalCredentials:metadata" ]
       } else {
         sources += [ "${_app_root}/clusters/${cluster}/${cluster}.cpp" ]
       }

src/app/clusters/operational-credentials-server/operational-credentials-server.cpp

@@ -36,6 +36,7 @@
 #include <clusters/OperationalCredentials/Attributes.h>
 #include <clusters/OperationalCredentials/Commands.h>
 #include <clusters/OperationalCredentials/Events.h>
+#include <clusters/OperationalCredentials/Metadata.h>
 #include <clusters/OperationalCredentials/Structs.h>
 #include <credentials/CHIPCert.h>
 #include <credentials/CertificationDeclaration.h>
@@ -63,13 +64,13 @@ using namespace chip::Protocols::InteractionModel;
 
 namespace {
 
+constexpr auto kDACCertificate = CertificateChainTypeEnum::kDACCertificate;
+constexpr auto kPAICertificate = CertificateChainTypeEnum::kPAICertificate;
+
 void SendNOCResponse(app::CommandHandler * commandObj, const ConcreteCommandPath & path, NodeOperationalCertStatusEnum status,
                      uint8_t index, const CharSpan & debug_text);
 NodeOperationalCertStatusEnum ConvertToNOCResponseStatus(CHIP_ERROR err);
 
-constexpr auto kDACCertificate = CertificateChainTypeEnum::kDACCertificate;
-constexpr auto kPAICertificate = CertificateChainTypeEnum::kPAICertificate;
-
 CHIP_ERROR CreateAccessControlEntryForNewFabricAdministrator(const Access::SubjectDescriptor & subjectDescriptor,
                                                              FabricIndex fabricIndex, uint64_t subject)
 {
@@ -247,10 +248,11 @@ OperationalCredentialsAttrAccess gAttrAccess;
 
 CHIP_ERROR OperationalCredentialsAttrAccess::Read(const ConcreteReadAttributePath & aPath, AttributeValueEncoder & aEncoder)
 {
-    VerifyOrDie(aPath.mClusterId == Clusters::OperationalCredentials::Id);
-
     switch (aPath.mAttributeId)
     {
+    case Attributes::ClusterRevision::Id: {
+        return aEncoder.Encode(kRevision);
+    }
     case Attributes::NOCs::Id: {
         return ReadNOCs(aPath.mEndpointId, aEncoder);
     }
@@ -1232,8 +1234,59 @@ bool emberAfOperationalCredentialsClusterSetVIDVerificationStatementCallback(
     app::CommandHandler * commandObj, const app::ConcreteCommandPath & commandPath,
     const Commands::SetVIDVerificationStatement::DecodableType & commandData)
 {
-    (void) commandData;
-    commandObj->AddStatus(commandPath, Status::UnsupportedCommand);
+
+    FabricIndex fabricIndex = commandObj->GetAccessingFabricIndex();
+    ChipLogProgress(Zcl, "OpCreds: Received a SetVIDVerificationStatement Command for FabricIndex 0x%x",
+                    static_cast<unsigned>(fabricIndex));
+
+    if (!commandData.vendorID.HasValue() && !commandData.VIDVerificationStatement.HasValue() && !commandData.vvsc.HasValue())
+    {
+        commandObj->AddStatus(commandPath, Status::InvalidCommand);
+        return true;
+    }
+
+    if (commandData.vendorID.HasValue() && !IsVendorIdValidOperationally(commandData.vendorID.Value()))
+    {
+        commandObj->AddStatus(commandPath, Status::ConstraintError);
+        return true;
+    }
+
+    auto & fabricTable = Server::GetInstance().GetFabricTable();
+
+    bool fabricChangesOccurred = false;
+    CHIP_ERROR err             = fabricTable.SetVIDVerificationStatementElements(
+        fabricIndex, commandData.vendorID, commandData.VIDVerificationStatement, commandData.vvsc, fabricChangesOccurred);
+    if (err == CHIP_ERROR_INVALID_ARGUMENT)
+    {
+        commandObj->AddStatus(commandPath, Status::ConstraintError);
+    }
+    else if (err == CHIP_ERROR_INCORRECT_STATE)
+    {
+        commandObj->AddStatus(commandPath, Status::InvalidCommand);
+    }
+    else if (err != CHIP_NO_ERROR)
+    {
+        // We have no idea what happened; just report failure.
+        StatusIB status(err);
+        commandObj->AddStatus(commandPath, status.mStatus);
+    }
+    else
+    {
+        commandObj->AddStatus(commandPath, Status::Success);
+    }
+
+    // Handle dirty-marking if anything changed. Only `Fabrics` attribute is reported since `NOCs`
+    // is not reportable (`C` quality).
+    if (fabricChangesOccurred)
+    {
+        MatterReportingAttributeChangeCallback(commandPath.mEndpointId, OperationalCredentials::Id,
+                                               OperationalCredentials::Attributes::Fabrics::Id);
+    }
+
+    if (err != CHIP_NO_ERROR)
+    {
+        ChipLogError(Zcl, "SetVIDVerificationStatement failed: %" CHIP_ERROR_FORMAT, err.Format());
+    }
     return true;
 }
 

src/app/tests/suites/TestOperationalCredentialsCluster.yaml

@@ -28,13 +28,21 @@ tests:
               - name: "nodeId"
                 value: nodeId
 
+    - label: "ClusterRevision must be the latest"
+      command: "readAttribute"
+      attribute: "ClusterRevision"
+      response:
+          constraints:
+              type: int16u
+          value: 2
+
     - label: "Read number of supported fabrics"
       command: "readAttribute"
       attribute: "SupportedFabrics"
       response:
           constraints:
               type: int8u
-              minValue: 4
+              minValue: 5
 
     - label: "Read number of commissioned fabrics"
       command: "readAttribute"
@@ -130,13 +138,3 @@ tests:
           values:
               - name: "FabricIndex"
                 value: 1
-
-    # Not yet implemented!
-    - label: "Check SetVIDVerificationStatement not implemented"
-      command: "SetVIDVerificationStatement"
-      arguments:
-          values:
-              - name: "VendorID"
-                value: 0xfff1
-      response:
-          error: UNSUPPORTED_COMMAND

src/controller/python/chip/ChipDeviceCtrl.py

@@ -1059,12 +1059,12 @@ def GetCompressedFabricId(self):
 
         return fabricid.value
 
-    def GetFabricIdInternal(self):
+    def GetFabricIdInternal(self) -> int:
         '''
         Get the fabric ID from the object. Only used to validate cached value from property.
 
         Returns:
-            int: The compressed fabric ID as a 64-bit integer.
+            int: The raw fabric ID as a 64-bit integer.
 
         Raises:
             ChipStackError: On failure.
@@ -1080,12 +1080,12 @@ def GetFabricIdInternal(self):
 
         return fabricid.value
 
-    def GetFabricIndexInternal(self):
+    def GetFabricIndexInternal(self) -> int:
         '''
         Get the fabric index from the object. Only used to validate cached value from property.
 
         Returns:
-            int: The compressed fabric ID as a 64-bit integer.
+            int: fabric index in local fabric table associated with this controller.
 
         Raises:
             ChipStackError: On failure.

src/credentials/FabricTable.cpp

@@ -29,6 +29,7 @@
 #include <lib/support/SafeInt.h>
 #include <lib/support/ScopedBuffer.h>
 #include <lib/support/TypeTraits.h>
+#include <lib/support/logging/CHIPLogging.h>
 #include <platform/LockTracker.h>
 #include <tracing/macros.h>
 
@@ -2180,22 +2181,16 @@ CHIP_ERROR FabricTable::SetShouldAdvertiseIdentity(FabricIndex fabricIndex, Adve
 CHIP_ERROR FabricTable::FetchVIDVerificationStatement(FabricIndex fabricIndex, MutableByteSpan & outVIDVerificationStatement) const
 {
     VerifyOrReturnError(mOpCertStore != nullptr, CHIP_ERROR_INCORRECT_STATE);
-    VerifyOrReturnError(outVIDVerificationStatement.size() >= kVendorIdVerificationStatementV1Size, CHIP_ERROR_BUFFER_TOO_SMALL);
-
-    // TODO(#38308): Add VIDVerificationStatement loading support. Empty for now since setting is still
-    // to be done and the result will be correct with more of the actual code running.
-    outVIDVerificationStatement.reduce_size(0);
-    return CHIP_NO_ERROR;
+    return mOpCertStore->GetVidVerificationElement(
+        fabricIndex, OperationalCertificateStore::VidVerificationElement::kVidVerificationStatement, outVIDVerificationStatement);
 }
 
 CHIP_ERROR FabricTable::FetchVVSC(FabricIndex fabricIndex, MutableByteSpan & outVVSC) const
 {
     VerifyOrReturnError(mOpCertStore != nullptr, CHIP_ERROR_INCORRECT_STATE);
-    VerifyOrReturnError(outVVSC.size() >= kMaxCHIPCertLength, CHIP_ERROR_BUFFER_TOO_SMALL);
 
-    // TODO(#38308): Add VVSC loading support. Empty for now since setting is still
-    // to be done and the result will be correct with more of the actual code running.
-    outVVSC.reduce_size(0);
+    return mOpCertStore->GetVidVerificationElement(fabricIndex, OperationalCertificateStore::VidVerificationElement::kVvsc,
+                                                   outVVSC);
     return CHIP_NO_ERROR;
 }
 
@@ -2246,4 +2241,66 @@ CHIP_ERROR FabricTable::SignVIDVerificationRequest(FabricIndex fabricIndex, Byte
     return CHIP_NO_ERROR;
 }
 
+CHIP_ERROR FabricTable::SetVIDVerificationStatementElements(FabricIndex fabricIndex, Optional<uint16_t> vendorId,
+                                                            Optional<ByteSpan> VIDVerificationStatement, Optional<ByteSpan> VVSC,
+                                                            bool & outFabricTableWasChanged)
+{
+    VerifyOrReturnError(mOpCertStore != nullptr, CHIP_ERROR_INTERNAL);
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_ARGUMENT);
+
+    FabricInfo * fabricInfo = GetMutableFabricByIndex(fabricIndex);
+    VerifyOrReturnError(fabricInfo != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
+
+    // PendingNew fabric means AddNOC had been called. ShadowPending fabric is the overlay version
+    // that is used when UpdateNOC had been called. This is to detect either condition of not
+    // fully committed fabric.
+    bool isTargetFabricPending = (GetPendingNewFabricIndex() == fabricIndex) ||
+        ((GetShadowPendingFabricEntry() != nullptr) && (GetShadowPendingFabricEntry()->GetFabricIndex() == fabricIndex));
+
+    outFabricTableWasChanged = false;
+
+    // Start with VVSC first as it's the most likely to fail.
+    if (VVSC.HasValue())
+    {
+        ReturnErrorOnFailure(mOpCertStore->UpdateVidVerificationSignerCertForFabric(fabricIndex, VVSC.Value()));
+    }
+
+    if (VIDVerificationStatement.HasValue())
+    {
+        bool wasVvsEqual = false;
+        {
+            // This is in a scope to save stack space from getting too deep.
+            uint8_t vidVerificationStatementBuffer[Crypto::kVendorIdVerificationStatementV1Size];
+            MutableByteSpan vidVerificationStatementSpan{ vidVerificationStatementBuffer };
+            ReturnErrorOnFailure(mOpCertStore->GetVidVerificationElement(
+                fabricIndex, OperationalCertificateStore::VidVerificationElement::kVidVerificationStatement,
+                vidVerificationStatementSpan));
+            wasVvsEqual = vidVerificationStatementSpan.data_equal(VIDVerificationStatement.Value());
+        }
+
+        if (!wasVvsEqual)
+        {
+            ReturnErrorOnFailure(
+                mOpCertStore->UpdateVidVerificationStatementForFabric(fabricIndex, VIDVerificationStatement.Value()));
+            outFabricTableWasChanged = true;
+        }
+    }
+
+    if (vendorId.HasValue())
+    {
+        if (static_cast<uint16_t>(fabricInfo->GetVendorId()) != vendorId.Value())
+        {
+            fabricInfo->SetVendorId(static_cast<VendorId>(vendorId.Value()));
+            // Immediately commit Vendor ID if not a pending fabric. Otherwise the commit occurs on CommissioningComplete.
+            if (!isTargetFabricPending)
+            {
+                ReturnErrorOnFailure(StoreFabricMetadata(fabricInfo));
+                outFabricTableWasChanged = true;
+            }
+        }
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 } // namespace chip

src/credentials/FabricTable.h

@@ -104,6 +104,7 @@ class DLL_EXPORT FabricInfo
 
     CHIP_ERROR FetchRootPubkey(Crypto::P256PublicKey & outPublicKey) const;
 
+    void SetVendorId(VendorId vendorId) { mVendorId = vendorId; }
     VendorId GetVendorId() const { return mVendorId; }
 
     bool IsInitialized() const { return (mFabricIndex != kUndefinedFabricIndex) && IsOperationalNodeId(mNodeId); }
@@ -1098,6 +1099,25 @@ class DLL_EXPORT FabricTable
     CHIP_ERROR SignVIDVerificationRequest(FabricIndex fabricIndex, ByteSpan clientChallenge, ByteSpan attestationChallenge,
                                           SignVIDVerificationResponseData & outResponse);
 
+    /**
+     * @brief Handle setting data related to Fabric Table VID Verification.
+     *
+     * This is on purpose structured to mirror the SetVIDVerificationStatement Operational Credentials Cluster command
+     *
+     * @param[in] fabricIndex - Fabric Index for which to produce the response.
+     * @param[in] vendorID - New VendorID to set on the Fabric (ignored if missing)
+     * @param[in] VIDVerificationStatement - VID Verification Statement to add/remove (ignored if missing)
+     * @param[in] VVSC - VID Verification Signing Certificate to add/remove (ignored if missing)
+     * @param[out] outFabricTableWasChanged - This is set to true if FabricTable saw a change from prior value, even if
+     *                                        method returns an error (appies to VIDVerificationStatement and VendorID)
+     * @retval CHIP_NO_ERROR on success
+     * @retval CHIP_ERROR_INVALID_ARGUMENT if vendorID, VVSC or VIDVerificationStatement are not correct (maps to CONSTRAINT_ERROR)
+     * @retval CHIP_ERROR_INCORRECT_STATE if VVSC cannot be set due to ICAC presence (maps to INVALID_COMMAND)
+     */
+    CHIP_ERROR SetVIDVerificationStatementElements(FabricIndex fabricIndex, Optional<uint16_t> vendorId,
+                                                   Optional<ByteSpan> VIDVerificationStatement, Optional<ByteSpan> VVSC,
+                                                   bool & outFabricTableWasChanged);
+
 private:
     enum class StateFlags : uint16_t
     {