PDC/NETIM: Align implementation with latest spec (project-chip#72074)

* Update cluster XML based on latest spec updates

See CHIP-Specifications/connectedhomeip-spec#12939

* zap regen

* PDC/NETIM: Align implementation with latest spec

- Add ClientIndex as a query option to QueryIdentity
- Add ClientIdentityType to ClientStruct and store in the storage layer
- Reject future NASS timestamps in ImportAdminSecret if the clock is
  synchronized

* Make ClangTidy happy and use MockClock for all cluster test cases

Also do time math in Seconds32 and factor out a named constant for max skew.

Author: ksperling-apple

examples/network-manager-app/network-manager-common/network-manager-app.matter

@@ -1507,7 +1507,7 @@ provisional cluster NetworkIdentityManagement = 1104 {
   revision 1;
 
   enum IdentityTypeEnum : enum8 {
-    kECDSA = 0 [spec_name = "ECDSA"];
+    kECDSA = 1 [spec_name = "ECDSA"];
   }
 
   struct ActiveNetworkIdentityStruct {
@@ -1522,7 +1522,8 @@ provisional cluster NetworkIdentityManagement = 1104 {
   struct ClientStruct {
     int16u clientIndex = 0;
     octet_string<20> clientIdentifier = 1;
-    nullable int16u networkIdentityIndex = 2;
+    IdentityTypeEnum clientIdentityType = 2;
+    nullable int16u networkIdentityIndex = 3;
   }
 
   readonly attribute access(read: manage) ActiveNetworkIdentityStruct activeNetworkIdentities[] = 0;
@@ -1550,7 +1551,8 @@ provisional cluster NetworkIdentityManagement = 1104 {
   request struct QueryIdentityRequest {
     optional int16u networkIdentityIndex = 0;
     optional IdentityTypeEnum networkIdentityType = 1;
-    optional octet_string<20> identifier = 2;
+    optional int16u clientIndex = 2;
+    optional octet_string<20> identifier = 3;
   }
 
   response struct QueryIdentityResponse = 4 {

src/app/clusters/network-identity-management-server/DefaultNetworkIdentityStorage.cpp

@@ -115,9 +115,10 @@
 //   [2] allocBitmap      bytes         (256 bytes, bit i = index i is allocated)
 //
 // * g/nim/c/<index>                    detail record
-//   [1] identifier       bytes         20-byte client identifier
-//   [2] compactIdentity  bytes         client identity certificate (compact, max 140)
-//   [3] niIndex          uint16        NI index, or 0xFFFF (= kNullNetworkIdentityIndex, never authenticated)
+//   [1] identityType     uint8         identity type (e.g. kEcdsa)
+//   [2] identifier       bytes         20-byte client identifier
+//   [3] compactIdentity  bytes         client identity certificate (compact, max 140)
+//   [4] niIndex          uint16        NI index, or 0xFFFF (= kNullNetworkIdentityIndex, never authenticated)
 //
 // * g/nim/@<base85-identifier>         client identifier -> index mapping (raw uint16)
 
@@ -169,10 +170,12 @@ struct DefaultNetworkIdentityStorage::TLVConstants
         sizeof(mClientAllocBitmap));                                         // allocBitmap
 
     // Client detail record (g/nim/c/<index>)
-    static constexpr TLV::Tag kClientDetail_Identifier      = TLV::ContextTag(1);
-    static constexpr TLV::Tag kClientDetail_CompactIdentity = TLV::ContextTag(2);
-    static constexpr TLV::Tag kClientDetail_NIIndex         = TLV::ContextTag(3);
+    static constexpr TLV::Tag kClientDetail_IdentityType    = TLV::ContextTag(1);
+    static constexpr TLV::Tag kClientDetail_Identifier      = TLV::ContextTag(2);
+    static constexpr TLV::Tag kClientDetail_CompactIdentity = TLV::ContextTag(3);
+    static constexpr TLV::Tag kClientDetail_NIIndex         = TLV::ContextTag(4);
     static constexpr size_t kClientDetail_Size              = TLV::EstimateStructOverhead( //
+        sizeof(uint8_t),                                                      // identityType
         Credentials::kKeyIdentifierLength,                                    // identifier
         Credentials::kMaxCHIPCompactNetworkIdentityLength,                    // compactIdentity
         sizeof(uint16_t));                                                    // niIndex
@@ -511,9 +514,13 @@ CHIP_ERROR DefaultNetworkIdentityStorage::LoadNetworkIdentity(const NetworkIdent
 
     // Copy fields that are embedded in the table index entry
     outEntry.index   = meta.index;
-    outEntry.type    = meta.type;
     outEntry.current = (FindCurrentNIIndexEntry(meta.type) == &meta);
 
+    if (flags.Has(NetworkIdentityFlags::kPopulateIdentityType))
+    {
+        outEntry.type = meta.type;
+    }
+
     // Client count is stored in the index but may need rebuilding
     if (flags.Has(NetworkIdentityFlags::kPopulateClientCount))
     {
@@ -885,6 +892,7 @@ CHIP_ERROR DefaultNetworkIdentityStorage::StoreClientDetail(uint16_t index, cons
 
     TLV::TLVType outerType;
     ReturnErrorOnFailure(writer.StartContainer(TLV::AnonymousTag(), TLV::kTLVType_Structure, outerType));
+    ReturnErrorOnFailure(writer.Put(TLVConstants::kClientDetail_IdentityType, info.identityType));
     ReturnErrorOnFailure(writer.Put(TLVConstants::kClientDetail_Identifier, ByteSpan(info.identifier)));
     ReturnErrorOnFailure(writer.Put(TLVConstants::kClientDetail_CompactIdentity, info.compactIdentity));
     ReturnErrorOnFailure(writer.Put(TLVConstants::kClientDetail_NIIndex, networkIdentityIndex));
@@ -917,6 +925,12 @@ CHIP_ERROR DefaultNetworkIdentityStorage::LoadClient(uint16_t index, ClientEntry
     ReturnErrorOnFailure(reader.Next(TLV::kTLVType_Structure, TLV::AnonymousTag()));
     ReturnErrorOnFailure(reader.EnterContainer(outerType));
 
+    ReturnErrorOnFailure(reader.Next(TLVConstants::kClientDetail_IdentityType));
+    if (flags.Has(ClientFlags::kPopulateIdentityType))
+    {
+        ReturnErrorOnFailure(reader.Get(outEntry.identityType));
+    }
+
     ReturnErrorOnFailure(reader.Next(TLVConstants::kClientDetail_Identifier));
     if (flags.Has(ClientFlags::kPopulateIdentifier))
     {

src/app/clusters/network-identity-management-server/NetworkIdentityManagementCluster.cpp

@@ -30,6 +30,7 @@
 #include <lib/support/CodeUtils.h>
 #include <lib/support/SafeInt.h>
 #include <protocols/interaction_model/StatusCode.h>
+#include <system/SystemClock.h>
 
 using namespace chip;
 using namespace chip::app;
@@ -42,6 +43,8 @@ using Protocols::InteractionModel::Status;
 
 namespace chip::app::Clusters {
 
+static constexpr System::Clock::Seconds32 kImportAdminSecretMaxClockSkew(60); // per Matter spec
+
 NetworkIdentityManagementCluster::NetworkIdentityManagementCluster(EndpointId endpoint, NetworkIdentityStorage & storage,
                                                                    Crypto::NetworkIdentityKeystore & keystore,
                                                                    NetworkIdentityManagement::AuthenticatorDriver & authenticator) :
@@ -86,9 +89,9 @@ DataModel::ActionReturnStatus NetworkIdentityManagementCluster::ReadActiveNetwor
 {
     using NetworkIdentityFlags = NetworkIdentityStorage::NetworkIdentityFlags;
     return encoder.EncodeList([this](const auto & listEncoder) -> CHIP_ERROR {
-        constexpr BitFlags<NetworkIdentityFlags> flags(NetworkIdentityFlags::kPopulateIdentifier,
-                                                       NetworkIdentityFlags::kPopulateCreatedTimestamp,
-                                                       NetworkIdentityFlags::kPopulateClientCount);
+        constexpr BitFlags<NetworkIdentityFlags> flags(
+            NetworkIdentityFlags::kPopulateIdentityType, NetworkIdentityFlags::kPopulateIdentifier,
+            NetworkIdentityFlags::kPopulateCreatedTimestamp, NetworkIdentityFlags::kPopulateClientCount);
         NetworkIdentityStorage::NetworkIdentityIterator::AutoReleasing iterator(
             mStorage.IterateNetworkIdentities(flags, MutableByteSpan()));
         VerifyOrReturnError(iterator.IsValid(), CHIP_ERROR_INTERNAL);
@@ -255,6 +258,23 @@ NetworkIdentityManagementCluster::HandleImportAdminSecret(const DataModel::Invok
         VerifyOrReturnValue(newSecretData.created > oldSecretInfo.createdTimestamp, Status::DynamicConstraintError);
     }
 
+    // If we have a trusted real-time clock, reject a NASS whose timestamp is more than 1 minute in the future.
+    uint32_t currentTime;
+    if ((err = System::Clock::GetClock_MatterEpochS(currentTime)) == CHIP_NO_ERROR)
+    {
+        VerifyOrReturnValue(newSecretData.created <= System::Clock::Seconds32(currentTime) + kImportAdminSecretMaxClockSkew,
+                            Status::DynamicConstraintError);
+    }
+    else if (err == CHIP_ERROR_REAL_TIME_NOT_SYNCED)
+    {
+        ChipLogProgress(Zcl, "ImportAdminSecret: Skipping check for future NASS timestamp, real-time clock is not synchronized");
+    }
+    else
+    {
+        ChipLogFailure(err, Zcl, "ImportAdminSecret: Failed to read real-time clock");
+        return err;
+    }
+
     // Find retirable (non-current, zero-client) Network Identities so we can work out
     // if there will be enough capacity (including retirements) before making any changes.
     uint16_t networkIdentityCount;
@@ -399,10 +419,11 @@ NetworkIdentityManagementCluster::HandleQueryIdentity(const DataModel::InvokeReq
     QueryIdentity::DecodableType commandData;
     VerifyOrReturnError(DataModel::Decode(input_arguments, commandData) == CHIP_NO_ERROR, Status::InvalidCommand);
 
-    // Exactly one of the three optional fields must be present
+    // Exactly one of the optional fields must be present
     int fieldCount =                                  //
         commandData.networkIdentityIndex.HasValue() + //
         commandData.networkIdentityType.HasValue() +  //
+        commandData.clientIndex.HasValue() +          //
         commandData.identifier.HasValue();
     VerifyOrReturnValue(fieldCount == 1, Status::InvalidCommand);
 
@@ -425,6 +446,12 @@ NetworkIdentityManagementCluster::HandleQueryIdentity(const DataModel::InvokeReq
         err = mStorage.FindCurrentNetworkIdentity(commandData.networkIdentityType.Value(), entry, kPopulateNetworkIdentity, buffer);
         identity = entry.compactIdentity; // points into identityBuf
     }
+    else if (commandData.clientIndex.HasValue())
+    {
+        NetworkIdentityStorage::ClientEntry entry;
+        err      = mStorage.FindClient(commandData.clientIndex.Value(), entry, kPopulateClientIdentity, buffer);
+        identity = entry.compactIdentity; // points into identityBuf
+    }
     else if (commandData.identifier.HasValue())
     {
         ByteSpan identifierSpan = commandData.identifier.Value();
@@ -457,16 +484,18 @@ DataModel::ActionReturnStatus NetworkIdentityManagementCluster::ReadClients(Attr
 {
     using ClientFlags = NetworkIdentityStorage::ClientFlags;
     return encoder.EncodeList([this](const auto & listEncoder) -> CHIP_ERROR {
-        constexpr BitFlags<ClientFlags> flags(ClientFlags::kPopulateIdentifier, ClientFlags::kPopulateNetworkIdentityIndex);
+        constexpr BitFlags<ClientFlags> flags(ClientFlags::kPopulateIdentityType, ClientFlags::kPopulateIdentifier,
+                                              ClientFlags::kPopulateNetworkIdentityIndex);
         NetworkIdentityStorage::ClientIterator::AutoReleasing iterator(mStorage.IterateClients(flags, MutableByteSpan()));
         VerifyOrReturnError(iterator.IsValid(), CHIP_ERROR_INTERNAL);
 
         NetworkIdentityStorage::ClientEntry entry;
         while (iterator.Next(entry))
         {
             Structs::ClientStruct::Type item;
-            item.clientIndex      = entry.index;
-            item.clientIdentifier = entry.identifier;
+            item.clientIndex        = entry.index;
+            item.clientIdentifier   = entry.identifier;
+            item.clientIdentityType = entry.identityType;
             if (entry.networkIdentityIndex != NetworkIdentityStorage::kNullNetworkIdentityIndex)
             {
                 item.networkIdentityIndex.SetNonNull(entry.networkIdentityIndex);
@@ -515,6 +544,7 @@ NetworkIdentityManagementCluster::HandleAddClient(const DataModel::InvokeRequest
     // Build the ClientInfo for storage. Use ClientEntry so the convenience overload
     // populates index and lets us directly pass it on to the authenticator.
     NetworkIdentityStorage::ClientEntry entry;
+    entry.identityType    = IdentityTypeEnum::kEcdsa; // will be derived from clientIdentity if/when there are multiple types
     entry.identifier      = identifier;
     entry.compactIdentity = commandData.clientIdentity;
 

src/app/clusters/network-identity-management-server/NetworkIdentityStorage.cpp

@@ -117,6 +117,7 @@ CHIP_ERROR NetworkIdentityStorage::FindCurrentNetworkIdentityByIterating(Network
                                                                          BitFlags<NetworkIdentityFlags> flags,
                                                                          MutableByteSpan buffer)
 {
+    flags.Set(NetworkIdentityFlags::kPopulateIdentityType); // needed for the predicate
     return FindNetworkIdentityByIterating(
         outEntry, flags, buffer,
         [](const NetworkIdentityEntry & entry, const void * ctx) {

src/app/clusters/network-identity-management-server/NetworkIdentityStorage.h

@@ -72,14 +72,15 @@ class ReadOnlyNetworkIdentityStorage
 
     enum class NetworkIdentityFlags : uint8_t
     {
-        kPopulateIdentifier       = (1 << 0),
-        kPopulateCreatedTimestamp = (1 << 1),
-        kPopulateCompactIdentity  = (1 << 2),
-        kPopulateKeypairHandle    = (1 << 3),
-        kPopulateClientCount      = (1 << 4),
-
-        kPopulateAll = kPopulateIdentifier | kPopulateCreatedTimestamp | kPopulateCompactIdentity | kPopulateKeypairHandle |
-            kPopulateClientCount
+        kPopulateIdentityType     = (1 << 0),
+        kPopulateIdentifier       = (1 << 1),
+        kPopulateCreatedTimestamp = (1 << 2),
+        kPopulateCompactIdentity  = (1 << 3),
+        kPopulateKeypairHandle    = (1 << 4),
+        kPopulateClientCount      = (1 << 5),
+
+        kPopulateAll = kPopulateIdentityType | kPopulateIdentifier | kPopulateCreatedTimestamp | kPopulateCompactIdentity |
+            kPopulateKeypairHandle | kPopulateClientCount
     };
 
     static constexpr size_t NetworkIdentityBufferSize(BitFlags<NetworkIdentityFlags> flags = NetworkIdentityFlags::kPopulateAll)
@@ -92,10 +93,10 @@ class ReadOnlyNetworkIdentityStorage
     /// Input data for storing a Network Identity
     struct NetworkIdentityInfo
     {
-        NetworkIdentityManagement::IdentityTypeEnum type;
-        Credentials::CertificateKeyIdStorage identifier;
-        ByteSpan compactIdentity;
-        ByteSpan keypairHandle; ///< Opaque bytes at storage layer
+        NetworkIdentityManagement::IdentityTypeEnum type; ///< type of identity, retrieved only if kPopulateIdentityType
+        Credentials::CertificateKeyIdStorage identifier;  ///< 20-byte identifier, retrieved only if kPopulateIdentifier
+        ByteSpan compactIdentity;                         ///< identity certificate, retrieved only if kPopulateCompactIdentity
+        ByteSpan keypairHandle; ///< opaque bytes at storage layer, retrieved only if kPopulateKeypairHandle
 
         CHIP_ERROR GetKeypairHandle(Crypto::P256KeypairHandle & outHandle);
     };
@@ -169,11 +170,12 @@ class ReadOnlyNetworkIdentityStorage
 
     enum class ClientFlags : uint8_t
     {
-        kPopulateIdentifier           = (1 << 0),
-        kPopulateCompactIdentity      = (1 << 1),
-        kPopulateNetworkIdentityIndex = (1 << 2),
+        kPopulateIdentityType         = (1 << 0),
+        kPopulateIdentifier           = (1 << 1),
+        kPopulateCompactIdentity      = (1 << 2),
+        kPopulateNetworkIdentityIndex = (1 << 3),
 
-        kPopulateAll = kPopulateIdentifier | kPopulateCompactIdentity | kPopulateNetworkIdentityIndex
+        kPopulateAll = kPopulateIdentityType | kPopulateIdentifier | kPopulateCompactIdentity | kPopulateNetworkIdentityIndex
     };
 
     static constexpr size_t ClientBufferSize(BitFlags<ClientFlags> flags = ClientFlags::kPopulateAll)
@@ -184,13 +186,14 @@ class ReadOnlyNetworkIdentityStorage
 
     struct ClientInfo
     {
-        Credentials::CertificateKeyIdStorage identifier; ///< 20-byte client identifier, retrieved only if kPopulateIdentifier
-        ByteSpan compactIdentity; ///< Client Identity certificate, retrieved only if kPopulateCompactIdentity
+        NetworkIdentityManagement::IdentityTypeEnum identityType; ///< type of identity, retrieved only if kPopulateIdentityType
+        Credentials::CertificateKeyIdStorage identifier;          ///< 20-byte identifier, retrieved only if kPopulateIdentifier
+        ByteSpan compactIdentity; ///< identity certificate, retrieved only if kPopulateCompactIdentity
     };
 
     struct ClientEntry : public ClientInfo
     {
-        uint16_t index;                ///< always populated
+        uint16_t index;                ///< always retrieved
         uint16_t networkIdentityIndex; ///< retrieved only if kPopulateNetworkIdentityIndex
     };