[chip-tool] Add a parameter on pairing commands to bypass attestation verifier (#24155)

caipiblack · restyled-commits · bzbarsky-apple · pull[bot] · commit 46914736df9c · 2023-10-10T01:33:40.000Z
* Add the parameter 'bypass-attestation-verifier' in chip-tool pairing commands.

* Restyled by whitespace

* Restyled by clang-format

* Update examples/chip-tool/commands/pairing/PairingCommand.h

Co-authored-by: Boris Zbarsky &lt;bzbarsky@apple.com&gt;

* Update examples/chip-tool/commands/pairing/PairingCommand.h

Co-authored-by: Boris Zbarsky &lt;bzbarsky@apple.com&gt;

Co-authored-by: Restyled.io &lt;commits@restyled.io&gt;
Co-authored-by: Boris Zbarsky &lt;bzbarsky@apple.com&gt;
diff --git a/examples/chip-tool/commands/pairing/PairingCommand.cpp b/examples/chip-tool/commands/pairing/PairingCommand.cpp
@@ -72,6 +72,10 @@ CommissioningParameters PairingCommand::GetCommissioningParameters()
 {
     auto params = CommissioningParameters();
     params.SetSkipCommissioningComplete(mSkipCommissioningComplete.ValueOr(false));
+    if (mBypassAttestationVerifier.ValueOr(false))
+    {
+        params.SetDeviceAttestationDelegate(this);
+    }
 
     switch (mNetworkType)
     {
@@ -281,3 +285,19 @@ void PairingCommand::OnCurrentFabricRemove(void * context, NodeId nodeId, CHIP_E
 
     command->SetCommandExitStatus(err);
 }
+
+chip::Optional<uint16_t> PairingCommand::FailSafeExpiryTimeoutSecs() const
+{
+    // We don't need to set additional failsafe timeout as we don't ask the final user if he wants to continue
+    return chip::Optional<uint16_t>();
+}
+
+void PairingCommand::OnDeviceAttestationCompleted(chip::Controller::DeviceCommissioner * deviceCommissioner,
+                                                  chip::DeviceProxy * device,
+                                                  const chip::Credentials::DeviceAttestationVerifier::AttestationDeviceInfo & info,
+                                                  chip::Credentials::AttestationVerificationResult attestationResult)
+{
+    // Bypass attestation verification, continue with success
+    deviceCommissioner->ContinueCommissioningAfterDeviceAttestation(device,
+                                                                    chip::Credentials::AttestationVerificationResult::kSuccess);
+}
diff --git a/examples/chip-tool/commands/pairing/PairingCommand.h b/examples/chip-tool/commands/pairing/PairingCommand.h
@@ -48,7 +48,8 @@ enum class PairingNetworkType
 
 class PairingCommand : public CHIPCommand,
                        public chip::Controller::DevicePairingDelegate,
-                       public chip::Controller::DeviceDiscoveryDelegate
+                       public chip::Controller::DeviceDiscoveryDelegate,
+                       public chip::Credentials::DeviceAttestationDelegate
 {
 public:
     PairingCommand(const char * commandName, PairingMode mode, PairingNetworkType networkType,
@@ -60,6 +61,9 @@ class PairingCommand : public CHIPCommand,
         mCurrentFabricRemoveCallback(OnCurrentFabricRemove, this)
     {
         AddArgument("node-id", 0, UINT64_MAX, &mNodeId);
+        AddArgument("bypass-attestation-verifier", 0, 1, &mBypassAttestationVerifier,
+                    "Bypass the attestation verifier. If not provided or false, the attestation verifier is not bypassed."
+                    " If true, the commissioning will continue in case of attestation verification failure.");
 
         switch (networkType)
         {
@@ -158,6 +162,12 @@ class PairingCommand : public CHIPCommand,
     void OnDiscoveredDevice(const chip::Dnssd::DiscoveredNodeData & nodeData) override;
     bool IsDiscoverOnce() { return mDiscoverOnce.ValueOr(false); }
 
+    /////////// DeviceAttestationDelegate /////////
+    chip::Optional<uint16_t> FailSafeExpiryTimeoutSecs() const override;
+    void OnDeviceAttestationCompleted(chip::Controller::DeviceCommissioner * deviceCommissioner, chip::DeviceProxy * device,
+                                      const chip::Credentials::DeviceAttestationVerifier::AttestationDeviceInfo & info,
+                                      chip::Credentials::AttestationVerificationResult attestationResult) override;
+
 private:
     CHIP_ERROR RunInternal(NodeId remoteId);
     CHIP_ERROR Pair(NodeId remoteId, PeerAddress address);
@@ -177,6 +187,7 @@ class PairingCommand : public CHIPCommand,
     chip::Optional<bool> mUseOnlyOnNetworkDiscovery;
     chip::Optional<bool> mPaseOnly;
     chip::Optional<bool> mSkipCommissioningComplete;
+    chip::Optional<bool> mBypassAttestationVerifier;
     uint16_t mRemotePort;
     uint16_t mDiscriminator;
     uint32_t mSetupPINCode;
