Initial version of Joint Fabric implementation

Author: vijs

.github/workflows/tests.yaml

@@ -142,6 +142,7 @@ jobs:
                       src/app/zap-templates/zcl/data-model/chip/group-key-mgmt-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/identify-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/illuminance-measurement-cluster.xml \
+                      src/app/zap-templates/zcl/data-model/chip/joint-fabric-pki-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/keypad-input-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/laundry-washer-mode-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/laundry-dryer-controls-cluster.xml \

docs/zap_clusters.md

@@ -43,6 +43,7 @@ Generally regenerate using one of:
 |         57 |       0x39 | BridgedDeviceBasicInformation                           |
 |         59 |       0x3B | Switch                                                  |
 |         60 |       0x3C | AdministratorCommissioning                              |
+|         61 |       0x3D | JointFabricPki                                          |
 |         62 |       0x3E | OperationalCredentials                                  |
 |         63 |       0x3F | GroupKeyManagement                                      |
 |         64 |       0x40 | FixedLabel                                              |

examples/all-clusters-app/all-clusters-common/all-clusters-app.matter

@@ -2444,6 +2444,68 @@ cluster AdministratorCommissioning = 60 {
   timed command access(invoke: administer) RevokeCommissioning(): DefaultSuccess = 2;
 }
 
+/** Joint Fabric Pki Cluster. */
+cluster JointFabricPki = 61 {
+  revision 1; // NOTE: Default/not specifically set
+
+  enum JointFabricStatusEnum : enum8 {
+    kOK = 0;
+    kInvalidPublicKey = 1;
+    kInvalidNodeOpId = 2;
+    kInvalidNOC = 3;
+    kMissingCsr = 4;
+    kTableFull = 5;
+    kInvalidAdminSubject = 6;
+    kFabricConflict = 9;
+    kLabelConflict = 10;
+    kInvalidFabricIndex = 11;
+  }
+
+  enum SignNOCIssuerRequestStatusEnum : enum8 {
+    kOK = 0;
+    kFailSafeRequired = 1;
+    kInvalidNOCIssuerCSR = 2;
+    kChainValidationFailed = 3;
+    kTrustQuotientThreshold = 4;
+    kSignNOCIssuerFailed = 5;
+  }
+
+  readonly attribute command_id generatedCommandList[] = 65528;
+  readonly attribute command_id acceptedCommandList[] = 65529;
+  readonly attribute event_id eventList[] = 65530;
+  readonly attribute attrib_id attributeList[] = 65531;
+  readonly attribute bitmap32 featureMap = 65532;
+  readonly attribute int16u clusterRevision = 65533;
+
+  request struct JointFabricRequestRequest {
+    int64u fabricIndex = 0;
+  }
+
+  response struct SignNOCIssuerRequest = 1 {
+    octet_string<400> NOCIssuerCSR = 0;
+  }
+
+  request struct SignNOCIssuerResponseRequest {
+    SignNOCIssuerRequestStatusEnum statusCode = 0;
+    octet_string<400> NOCIssuerCert = 1;
+    node_id nodeId = 2;
+    fabric_id fabricId = 3;
+    vendor_id adminVendorId = 4;
+    int64u caseAdminSubject = 5;
+  }
+
+  response struct JointFabricResponse = 3 {
+    JointFabricStatusEnum statusCode = 0;
+    optional fabric_idx fabricIndex = 1;
+    optional char_string<128> debugText = 2;
+  }
+
+  /** Client requests Server's ICA CSR and CA Chain. */
+  command access(invoke: administer) JointFabricRequest(JointFabricRequestRequest): SignNOCIssuerRequest = 0;
+  /** Joint Fabric ICA generated. */
+  command access(invoke: administer) SignNOCIssuerResponse(SignNOCIssuerResponseRequest): JointFabricResponse = 2;
+}
+
 /** This cluster is used to add or remove Operational Credentials on a Commissionee or Node, as well as manage the associated Fabrics. */
 cluster OperationalCredentials = 62 {
   revision 1; // NOTE: Default/not specifically set
@@ -7863,6 +7925,15 @@ endpoint 0 {
     handle command RevokeCommissioning;
   }
 
+  server cluster JointFabricPki {
+    ram      attribute clusterRevision default = 1;
+
+    handle command JointFabricRequest;
+    handle command SignNOCIssuerRequest;
+    handle command SignNOCIssuerResponse;
+    handle command JointFabricResponse;
+  }
+
   server cluster OperationalCredentials {
     callback attribute NOCs;
     callback attribute fabrics;

examples/all-clusters-app/all-clusters-common/all-clusters-app.zap

@@ -5368,6 +5368,66 @@
             }
           ]
         },
+        {
+          "name": "Joint Fabric Pki",
+          "code": 61,
+          "mfgCode": null,
+          "define": "JOINT_FABRIC_PKI_CLUSTER",
+          "side": "server",
+          "enabled": 1,
+          "commands": [
+            {
+              "name": "JointFabricRequest",
+              "code": 0,
+              "mfgCode": null,
+              "source": "client",
+              "isIncoming": 1,
+              "isEnabled": 1
+            },
+            {
+              "name": "SignNOCIssuerRequest",
+              "code": 1,
+              "mfgCode": null,
+              "source": "server",
+              "isIncoming": 0,
+              "isEnabled": 1
+            },
+            {
+              "name": "SignNOCIssuerResponse",
+              "code": 2,
+              "mfgCode": null,
+              "source": "client",
+              "isIncoming": 1,
+              "isEnabled": 1
+            },
+            {
+              "name": "JointFabricResponse",
+              "code": 3,
+              "mfgCode": null,
+              "source": "server",
+              "isIncoming": 0,
+              "isEnabled": 1
+            }
+          ],
+          "attributes": [
+            {
+              "name": "ClusterRevision",
+              "code": 65533,
+              "mfgCode": null,
+              "side": "server",
+              "type": "int16u",
+              "included": 1,
+              "storageOption": "RAM",
+              "singleton": 0,
+              "bounded": 0,
+              "defaultValue": "1",
+              "reportable": 1,
+              "minInterval": 0,
+              "maxInterval": 65344,
+              "reportableChange": 0
+            }
+          ]
+        },
         {
           "name": "Operational Credentials",
           "code": 62,

examples/chip-tool/commands/pairing/PairingCommand.cpp

@@ -103,6 +103,7 @@ CommissioningParameters PairingCommand::GetCommissioningParameters()
 {
     auto params = CommissioningParameters();
     params.SetSkipCommissioningComplete(mSkipCommissioningComplete.ValueOr(false));
+    params.SetJointFabric(mJointFabric.ValueOr(false));
     if (mBypassAttestationVerifier.ValueOr(false))
     {
         params.SetDeviceAttestationDelegate(this);

examples/chip-tool/commands/pairing/PairingCommand.h

@@ -82,6 +82,7 @@ class PairingCommand : public CHIPCommand,
         AddArgument("icd-symmetric-key", &mICDSymmetricKey, "The 16 bytes ICD symmetric key, default: randomly generated.");
         AddArgument("icd-stay-active-duration", 0, UINT32_MAX, &mICDStayActiveDurationMsec,
                     "If set, a LIT ICD that is commissioned will be requested to stay active for this many milliseconds");
+        AddArgument("joint-fabric", 0, 1, &mJointFabric, "Enable Joint Fabric commissioning mode.");
         switch (networkType)
         {
         case PairingNetworkType::None:
@@ -265,6 +266,7 @@ class PairingCommand : public CHIPCommand,
     chip::app::DataModel::List<chip::app::Clusters::TimeSynchronization::Structs::DSTOffsetStruct::Type> mDSTOffsetList;
     TypedComplexArgument<chip::app::DataModel::List<chip::app::Clusters::TimeSynchronization::Structs::DSTOffsetStruct::Type>>
         mComplex_DSTOffsets;
+    chip::Optional<bool> mJointFabric;
 
     uint16_t mRemotePort;
     // mDiscriminator is only used for some situations, but in those situations

examples/platform/linux/AppMain.cpp

@@ -20,6 +20,7 @@
 #include <platform/PlatformManager.h>
 
 #include <app/InteractionModelEngine.h>
+#include <app/clusters/joint-fabric-pki-server/joint-fabric-pki-server.h>
 #include <app/clusters/network-commissioning/network-commissioning.h>
 #include <app/server/Dnssd.h>
 #include <app/server/OnboardingCodesUtil.h>
@@ -114,8 +115,12 @@
 #include <platform/Linux/NetworkCommissioningDriver.h>
 #endif // CHIP_DEVICE_LAYER_TARGET_LINUX
 
+#include <controller/ExampleOperationalCredentialsIssuer.h>
+#include <controller/ExamplePersistentStorage.h>
+
 using namespace chip;
 using namespace chip::ArgParser;
+using namespace chip::Controller;
 using namespace chip::Credentials;
 using namespace chip::DeviceLayer;
 using namespace chip::Inet;
@@ -509,6 +514,21 @@ int ChipLinuxAppInit(int argc, char * const argv[], OptionSet * customOptions,
     return 0;
 }
 
+namespace {
+static constexpr size_t kFabricId = 1;
+
+ExampleOperationalCredentialsIssuer gOpCredsIssuer(kFabricId);
+PersistentStorage gStorage;
+
+CHIP_ERROR PrepareJointFabricCluster()
+{
+    SetPersistentStorageDelegate(&gStorage);
+    SetOperationalCredentialsIssuer(&gOpCredsIssuer);
+    SetChipToolKvs(LinuxDeviceOptions::GetInstance().chipToolKvs);
+    return CHIP_NO_ERROR;
+}
+} // namespace
+
 void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
 {
     gMainLoopImplementation = impl;
@@ -596,6 +616,8 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     // Init ZCL Data Model and CHIP App Server
     Server::GetInstance().Init(initParams);
 
+    VerifyOrDie(PrepareJointFabricCluster() == CHIP_NO_ERROR);
+
 #if CONFIG_BUILD_FOR_HOST_UNIT_TEST
     // Set ReadHandler Capacity for Subscriptions
     chip::app::InteractionModelEngine::GetInstance()->SetHandlerCapacityForSubscriptions(

examples/platform/linux/Options.cpp

@@ -109,6 +109,7 @@ enum
 #if CHIP_DEVICE_CONFIG_ENABLE_WIFIPAF
     kDeviceOption_WiFi_PAF,
 #endif
+    kDeviceOption_ChipToolKvs,
 };
 
 constexpr unsigned kAppUsageLength = 64;
@@ -177,6 +178,7 @@ OptionDef sDeviceOptionDefs[] = {
 #if CHIP_WITH_NLFAULTINJECTION
     { "faults", kArgumentRequired, kDeviceOption_FaultInjection },
 #endif
+    { "chip-tool-kvs", kArgumentRequired, kDeviceOption_ChipToolKvs },
     {}
 };
 
@@ -318,6 +320,8 @@ const char * sDeviceOptionHelp =
     "  --faults <fault-string,...>\n"
     "       Inject specified fault(s) at runtime.\n"
 #endif
+    "  --chip-tool-kvs <filepath>\n"
+    "       A file to sync Key Value Store items with chip-tool.\n"
     "\n";
 
 bool Base64ArgToVector(const char * arg, size_t maxSize, std::vector<uint8_t> & outVector)
@@ -608,6 +612,9 @@ bool HandleOption(const char * aProgram, OptionSet * aOptions, int aIdentifier,
         break;
     }
 #endif
+    case kDeviceOption_ChipToolKvs:
+        LinuxDeviceOptions::GetInstance().chipToolKvs = aValue;
+        break;
     default:
         PrintArgError("%s: INTERNAL ERROR: Unhandled option: %s\n", aProgram, aName);
         retval = false;

examples/platform/linux/Options.h

@@ -82,6 +82,7 @@ struct LinuxDeviceOptions
     int32_t subscriptionCapacity                   = CHIP_IM_MAX_NUM_SUBSCRIPTIONS;
     int32_t subscriptionResumptionRetryIntervalSec = -1;
 #endif
+    const char * chipToolKvs = nullptr;
     static LinuxDeviceOptions & GetInstance();
 };
 

scripts/rules.matterlint

@@ -49,6 +49,7 @@ load "../src/app/zap-templates/zcl/data-model/chip/groups-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/group-key-mgmt-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/identify-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/illuminance-measurement-cluster.xml";
+load "../src/app/zap-templates/zcl/data-model/chip/joint-fabric-pki-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/keypad-input-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/laundry-washer-mode-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/laundry-dryer-controls-cluster.xml";
@@ -152,6 +153,7 @@ endpoint 0 {
   require server cluster GeneralCommissioning;
   require server cluster AdministratorCommissioning;
   require server cluster OperationalCredentials;
+  require server cluster JointFabricPki
   require server cluster GeneralDiagnostics;
 
   // Example rejection of clusters:

src/app/BUILD.gn

@@ -427,6 +427,7 @@ static_library("app") {
   output_name = "libCHIPDataModel"
 
   sources = [
+    "${chip_root}/src/controller/ExamplePersistentStorage.cpp",
     "AttributePathExpandIterator.h",
     "AttributePersistenceProvider.h",
     "ChunkedWriteCallback.cpp",
@@ -473,6 +474,7 @@ static_library("app") {
     "${chip_root}/src/messaging",
     "${chip_root}/src/protocols/interaction_model",
     "${chip_root}/src/system",
+    "${chip_root}/third_party/inipp",
   ]
 
   if (chip_use_data_model_interface == "disabled") {