Added additional AttestationVerificationResult values

src/credentials/DeviceAttestationVerifier.h

@@ -34,21 +34,24 @@ enum class AttestationVerificationResult : uint16_t
     kPaaSignatureInvalid = 103,
     kPaaRevoked          = 104,
     kPaaFormatInvalid    = 105,
+    kPaaArgumentInvalid  = 106,
 
     kPaiExpired           = 200,
     kPaiSignatureInvalid  = 201,
     kPaiRevoked           = 202,
     kPaiFormatInvalid     = 203,
-    kPaiVendorIdMismatch  = 204,
-    kPaiAuthorityNotFound = 205,
+    kPaiArgumentInvalid   = 204,
+    kPaiVendorIdMismatch  = 205,
+    kPaiAuthorityNotFound = 206,
 
     kDacExpired           = 300,
     kDacSignatureInvalid  = 301,
     kDacRevoked           = 302,
     kDacFormatInvalid     = 303,
-    kDacVendorIdMismatch  = 304,
-    kDacProductIdMismatch = 305,
-    kDacAuthorityNotFound = 306,
+    kDacArgumentInvalid   = 304,
+    kDacVendorIdMismatch  = 305,
+    kDacProductIdMismatch = 306,
+    kDacAuthorityNotFound = 307,
 
     kFirmwareInformationMismatch = 400,
     kFirmwareInformationMissing  = 401,
@@ -69,6 +72,8 @@ enum class AttestationVerificationResult : uint16_t
 
     kInvalidArgument = 800,
 
+    kInternalError = 900,
+
     kNotImplemented = 0xFFFFU,
 
     // TODO: Add more attestation verification errors

src/credentials/examples/DefaultDeviceAttestationVerifier.cpp

@@ -115,6 +115,42 @@ const ByteSpan kTestPaaRoots[] = {
 
 const ArrayAttestationTrustStore kTestAttestationTrustStore{ &kTestPaaRoots[0], ArraySize(kTestPaaRoots) };
 
+AttestationVerificationResult MapError(CertificateChainValidationResult certificateChainValidationResult)
+{
+    switch (certificateChainValidationResult)
+    {
+    case CertificateChainValidationResult::kRootFormatInvalid:
+        return AttestationVerificationResult::kPaaFormatInvalid;
+
+    case CertificateChainValidationResult::kRootArgumentInvalid:
+        return AttestationVerificationResult::kPaaArgumentInvalid;
+
+    case CertificateChainValidationResult::kICAFormatInvalid:
+        return AttestationVerificationResult::kPaiFormatInvalid;
+
+    case CertificateChainValidationResult::kICAArgumentInvalid:
+        return AttestationVerificationResult::kPaiArgumentInvalid;
+
+    case CertificateChainValidationResult::kLeafFormatInvalid:
+        return AttestationVerificationResult::kDacFormatInvalid;
+
+    case CertificateChainValidationResult::kLeafArgumentInvalid:
+        return AttestationVerificationResult::kDacArgumentInvalid;
+
+    case CertificateChainValidationResult::kChainInvalid:
+        return AttestationVerificationResult::kDacSignatureInvalid;
+
+    case CertificateChainValidationResult::kNoMemory:
+        return AttestationVerificationResult::kNoMemory;
+
+    case CertificateChainValidationResult::kInternalFrameworkError:
+        return AttestationVerificationResult::kInternalError;
+
+    default:
+        return AttestationVerificationResult::kInternalError;
+    }
+}
+
 /**
  * @brief Look-up of well-known keys used for CD signing by CSA.
  *
@@ -258,9 +294,10 @@ AttestationVerificationResult DefaultDACVerifier::VerifyAttestationInformation(c
     VerifyOrReturnError(IsCertificateValidAtIssuance(dacDerBuffer, paaDerBuffer) == CHIP_NO_ERROR,
                         AttestationVerificationResult::kPaaExpired);
 
+    CertificateChainValidationResult chainValidationResult;
     VerifyOrReturnError(ValidateCertificateChain(paaDerBuffer.data(), paaDerBuffer.size(), paiDerBuffer.data(), paiDerBuffer.size(),
-                                                 dacDerBuffer.data(), dacDerBuffer.size()) == CHIP_NO_ERROR,
-                        AttestationVerificationResult::kDacSignatureInvalid);
+                                                 dacDerBuffer.data(), dacDerBuffer.size(), chainValidationResult) == CHIP_NO_ERROR,
+                        MapError(chainValidationResult));
 
     // if PAA contains VID, see if matches with DAC's VID.
     {

src/crypto/CHIPCryptoPAL.h

@@ -1208,8 +1208,29 @@ CHIP_ERROR LoadCertFromPKCS7(const char * pkcs7, X509DerCertificate * x509list,
 
 CHIP_ERROR GetNumberOfCertsFromPKCS7(const char * pkcs7, uint32_t * n_certs);
 
+enum class CertificateChainValidationResult
+{
+    kSuccess = 0,
+
+    kRootFormatInvalid   = 100,
+    kRootArgumentInvalid = 101,
+
+    kICAFormatInvalid   = 200,
+    kICAArgumentInvalid = 201,
+
+    kLeafFormatInvalid   = 300,
+    kLeafArgumentInvalid = 301,
+
+    kChainInvalid = 400,
+
+    kNoMemory = 500,
+
+    kInternalFrameworkError = 600,
+};
+
 CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t rootCertificateLen, const uint8_t * caCertificate,
-                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen);
+                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen,
+                                    CertificateChainValidationResult & result);
 
 /**
  * @brief Validate timestamp of a certificate (toBeEvaluatedCertificate) in comparison with other certificate's

src/crypto/CHIPCryptoPALOpenSSL.cpp

@@ -1650,7 +1650,8 @@ CHIP_ERROR GetNumberOfCertsFromPKCS7(const char * pkcs7, uint32_t * n_certs)
 }
 
 CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t rootCertificateLen, const uint8_t * caCertificate,
-                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen)
+                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen,
+                                    CertificateChainValidationResult & result)
 {
     CHIP_ERROR err             = CHIP_NO_ERROR;
     int status                 = 0;
@@ -1660,38 +1661,45 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
     X509 * x509CACertificate   = nullptr;
     X509 * x509LeafCertificate = nullptr;
 
+    VerifyOrReturnError(rootCertificate != nullptr && rootCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kRootArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+    VerifyOrReturnError(caCertificate != nullptr && caCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kICAArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+    VerifyOrReturnError(leafCertificate != nullptr && leafCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kLeafArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+
     store = X509_STORE_new();
-    VerifyOrExit(store != nullptr, err = CHIP_ERROR_NO_MEMORY);
+    VerifyOrExit(store != nullptr, (result = CertificateChainValidationResult::kNoMemory, err = CHIP_ERROR_NO_MEMORY));
 
     verifyCtx = X509_STORE_CTX_new();
-    VerifyOrExit(verifyCtx != nullptr, err = CHIP_ERROR_NO_MEMORY);
+    VerifyOrExit(verifyCtx != nullptr, (result = CertificateChainValidationResult::kNoMemory, err = CHIP_ERROR_NO_MEMORY));
 
     x509RootCertificate = d2i_X509(NULL, &rootCertificate, static_cast<long>(rootCertificateLen));
-    VerifyOrExit(x509RootCertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+    VerifyOrExit(x509RootCertificate != nullptr,
+                 (result = CertificateChainValidationResult::kRootFormatInvalid, err = CHIP_ERROR_INTERNAL));
 
     status = X509_STORE_add_cert(store, x509RootCertificate);
-    VerifyOrExit(status == 1, err = CHIP_ERROR_INTERNAL);
+    VerifyOrExit(status == 1, (result = CertificateChainValidationResult::kInternalFrameworkError, err = CHIP_ERROR_INTERNAL));
 
-    if (caCertificate != nullptr && caCertificateLen != 0)
-    {
-        x509CACertificate = d2i_X509(NULL, &caCertificate, static_cast<long>(caCertificateLen));
-        VerifyOrExit(x509CACertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+    x509CACertificate = d2i_X509(NULL, &caCertificate, static_cast<long>(caCertificateLen));
+    VerifyOrExit(x509CACertificate != nullptr,
+                 (result = CertificateChainValidationResult::kICAFormatInvalid, err = CHIP_ERROR_INTERNAL));
 
-        status = X509_STORE_add_cert(store, x509CACertificate);
-        VerifyOrExit(status == 1, err = CHIP_ERROR_INTERNAL);
-    }
+    status = X509_STORE_add_cert(store, x509CACertificate);
+    VerifyOrExit(status == 1, (result = CertificateChainValidationResult::kInternalFrameworkError, err = CHIP_ERROR_INTERNAL));
 
     x509LeafCertificate = d2i_X509(NULL, &leafCertificate, static_cast<long>(leafCertificateLen));
-    VerifyOrExit(x509LeafCertificate != nullptr, err = CHIP_ERROR_NO_MEMORY);
+    VerifyOrExit(x509LeafCertificate != nullptr,
+                 (result = CertificateChainValidationResult::kLeafFormatInvalid, err = CHIP_ERROR_INTERNAL));
 
     status = X509_STORE_CTX_init(verifyCtx, store, x509LeafCertificate, NULL);
-    VerifyOrExit(status == 1, err = CHIP_ERROR_INTERNAL);
+    VerifyOrExit(status == 1, (result = CertificateChainValidationResult::kInternalFrameworkError, err = CHIP_ERROR_INTERNAL));
 
-    // TODO: If any specific error occurs here, it should be flagged accordingly
     status = X509_verify_cert(verifyCtx);
-    VerifyOrExit(status == 1, err = CHIP_ERROR_CERT_NOT_TRUSTED);
+    VerifyOrExit(status == 1, (result = CertificateChainValidationResult::kChainInvalid, err = CHIP_ERROR_CERT_NOT_TRUSTED));
 
-    err = CHIP_NO_ERROR;
+    err    = CHIP_NO_ERROR;
+    result = CertificateChainValidationResult::kSuccess;
 
 exit:
     X509_free(x509LeafCertificate);

src/crypto/CHIPCryptoPALmbedTLS.cpp

@@ -1217,46 +1217,63 @@ CHIP_ERROR GetNumberOfCertsFromPKCS7(const char * pkcs7, uint32_t * n_certs)
 }
 
 CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t rootCertificateLen, const uint8_t * caCertificate,
-                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen)
+                                    size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen,
+                                    CertificateChainValidationResult & result)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     CHIP_ERROR error = CHIP_NO_ERROR;
-    mbedtls_x509_crt cert_chain;
-    mbedtls_x509_crt root_cert;
-    int result;
+    mbedtls_x509_crt certChain;
+    mbedtls_x509_crt rootCert;
+    int mbedResult;
     uint32_t flags;
 
-    mbedtls_x509_crt_init(&cert_chain);
-    mbedtls_x509_crt_init(&root_cert);
+    VerifyOrReturnError(rootCertificate != nullptr && rootCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kRootArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+    VerifyOrReturnError(caCertificate != nullptr && caCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kICAArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+    VerifyOrReturnError(leafCertificate != nullptr && leafCertificateLen != 0,
+                        (result = CertificateChainValidationResult::kLeafArgumentInvalid, CHIP_ERROR_INVALID_ARGUMENT));
+
+    mbedtls_x509_crt_init(&certChain);
+    mbedtls_x509_crt_init(&rootCert);
 
     /* Start of chain  */
-    result = mbedtls_x509_crt_parse(&cert_chain, Uint8::to_const_uchar(leafCertificate), leafCertificateLen);
-    VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+    mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(leafCertificate), leafCertificateLen);
+    VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kLeafFormatInvalid, error = CHIP_ERROR_INTERNAL));
 
-    if (caCertificate != nullptr && caCertificateLen != 0)
-    {
-        /* Add the intermediate to the chain  */
-        result = mbedtls_x509_crt_parse(&cert_chain, Uint8::to_const_uchar(caCertificate), caCertificateLen);
-        VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
-    }
+    /* Add the intermediate to the chain  */
+    mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(caCertificate), caCertificateLen);
+    VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kICAFormatInvalid, error = CHIP_ERROR_INTERNAL));
 
     /* Add the root to the chain */
-    result = mbedtls_x509_crt_parse(&cert_chain, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
-    VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+    mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
+    VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));
 
     /* Parse the root cert */
-    result = mbedtls_x509_crt_parse(&root_cert, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
-    VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
+    mbedResult = mbedtls_x509_crt_parse(&rootCert, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
+    VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));
 
-    // TODO: If any specific error occurs here, it should be flagged accordingly, such as specific chain element errors
     /* Verify the chain against the root */
-    result = mbedtls_x509_crt_verify(&cert_chain, &root_cert, NULL, NULL, &flags, NULL, NULL);
-    VerifyOrExit(result == 0 && flags == 0, error = CHIP_ERROR_CERT_NOT_TRUSTED);
+    mbedResult = mbedtls_x509_crt_verify(&certChain, &rootCert, NULL, NULL, &flags, NULL, NULL);
+
+    switch (mbedResult)
+    {
+    case 0:
+        VerifyOrExit(flags == 0, (result = CertificateChainValidationResult::kInternalFrameworkError, error = CHIP_ERROR_INTERNAL));
+        result = CertificateChainValidationResult::kSuccess;
+        break;
+    case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+        result = CertificateChainValidationResult::kChainInvalid;
+        error  = CHIP_ERROR_CERT_NOT_TRUSTED;
+        break;
+    default:
+        SuccessOrExit((result = CertificateChainValidationResult::kInternalFrameworkError, error = CHIP_ERROR_INTERNAL));
+    }
 
 exit:
-    _log_mbedTLS_error(result);
-    mbedtls_x509_crt_free(&cert_chain);
-    mbedtls_x509_crt_free(&root_cert);
+    _log_mbedTLS_error(mbedResult);
+    mbedtls_x509_crt_free(&certChain);
+    mbedtls_x509_crt_free(&rootCert);
 
 #else
     (void) rootCertificate;

src/crypto/tests/CHIPCryptoPALTest.cpp

@@ -1853,19 +1853,11 @@ static void TestX509_CertChainValidation(nlTestSuite * inSuite, void * inContext
     err = GetTestCert(TestCert::kNode01_01, TestCertLoadFlags::kDERForm, leaf_cert);
     NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
 
+    CertificateChainValidationResult chainValidationResult;
     err = ValidateCertificateChain(root_cert.data(), root_cert.size(), ica_cert.data(), ica_cert.size(), leaf_cert.data(),
-                                   leaf_cert.size());
-    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
-
-    // Now test chain without ICA certificate
-    err = GetTestCert(TestCert::kRoot01, TestCertLoadFlags::kDERForm, root_cert);
-    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
-
-    err = GetTestCert(TestCert::kNode01_02, TestCertLoadFlags::kDERForm, leaf_cert);
-    NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
-
-    err = ValidateCertificateChain(root_cert.data(), root_cert.size(), nullptr, 0, leaf_cert.data(), leaf_cert.size());
+                                   leaf_cert.size(), chainValidationResult);
     NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
+    NL_TEST_ASSERT(inSuite, chainValidationResult == CertificateChainValidationResult::kSuccess);
 }
 
 static void TestX509_IssuingTimestampValidation(nlTestSuite * inSuite, void * inContext)