Merge 2e6bd54 into 6c09e34

src/app/server/Server.cpp

@@ -556,7 +556,11 @@ void Server::ResumeSubscriptions()
 Credentials::IgnoreCertificateValidityPeriodPolicy Server::sDefaultCertValidityPolicy;
 
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+Crypto::PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#else
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#endif
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
 app::DefaultTimerDelegate CommonCaseDeviceServerInitParams::sTimerDelegate;

src/app/server/Server.h

@@ -40,7 +40,11 @@
 #include <credentials/PersistentStorageOpCertStore.h>
 #include <crypto/DefaultSessionKeystore.h>
 #include <crypto/OperationalKeystore.h>
+#if CHIP_CRYPTO_PSA
+#include <crypto/PSAOperationalKeystore.h>
+#else
 #include <crypto/PersistentStorageOperationalKeystore.h>
+#endif
 #include <inet/InetConfig.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/support/SafeInt.h>
@@ -206,7 +210,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         {
             // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
             //          for examples and for now.
+#if !CHIP_CRYPTO_PSA
             ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
+#else
+            // Note: PSA Operational keystore does not require initialization
+#endif
             this->operationalKeystore = &sPersistentStorageOperationalKeystore;
         }
 
@@ -263,7 +271,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 
 private:
     static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+    static Crypto::PSAOperationalKeystore sPersistentStorageOperationalKeystore;
+#else
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
+#endif
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
     static chip::app::DefaultTimerDelegate sTimerDelegate;

src/app/tests/integration/common.cpp

@@ -26,7 +26,11 @@
 
 #include <app/tests/integration/common.h>
 #include <credentials/PersistentStorageOpCertStore.h>
+#if CHIP_CRYPTO_PSA
+#include <crypto/PSAOperationalKeystore.h>
+#else
 #include <crypto/PersistentStorageOperationalKeystore.h>
+#endif
 #include <lib/core/CHIPCore.h>
 #include <lib/core/TLVDebug.h>
 #include <lib/support/CodeUtils.h>
@@ -41,7 +45,11 @@ chip::SessionManager gSessionManager;
 chip::secure_channel::MessageCounterManager gMessageCounterManager;
 chip::SessionHolder gSession;
 chip::TestPersistentStorageDelegate gStorage;
+#if CHIP_CRYPTO_PSA
+chip::Crypto::PSAOperationalKeystore gOperationalKeystore;
+#else
 chip::PersistentStorageOperationalKeystore gOperationalKeystore;
+#endif
 chip::Credentials::PersistentStorageOpCertStore gOpCertStore;
 chip::Crypto::DefaultSessionKeystore gSessionKeystore;
 
@@ -64,8 +72,10 @@ void InitializeChip()
     err = gOpCertStore.Init(&gStorage);
     SuccessOrExit(err);
 
+#if !CHIP_CRYPTO_PSA
     err = gOperationalKeystore.Init(&gStorage);
     SuccessOrExit(err);
+#endif
 
     fabricTableInitParams.storage             = &gStorage;
     fabricTableInitParams.operationalKeystore = &gOperationalKeystore;
@@ -92,7 +102,9 @@ void ShutdownChip()
     gSessionManager.Shutdown();
 
     gFabricTable.Shutdown();
+#if !CHIP_CRYPTO_PSA
     gOperationalKeystore.Finish();
+#endif
     gOpCertStore.Finish();
 
     chip::DeviceLayer::PlatformMgr().Shutdown();

src/app/tests/suites/credentials/TestHarnessDACProvider.cpp

@@ -176,16 +176,6 @@ bool ReadValue(Json::Value jsonValue)
     return false;
 }
 
-// TODO: This should be moved to a method of P256Keypair
-CHIP_ERROR LoadKeypairFromRaw(ByteSpan private_key, ByteSpan public_key, Crypto::P256Keypair & keypair)
-{
-    Crypto::P256SerializedKeypair serialized_keypair;
-    ReturnErrorOnFailure(serialized_keypair.SetLength(private_key.size() + public_key.size()));
-    memcpy(serialized_keypair.Bytes(), public_key.data(), public_key.size());
-    memcpy(serialized_keypair.Bytes() + public_key.size(), private_key.data(), private_key.size());
-    return keypair.Deserialize(serialized_keypair);
-}
-
 } // namespace
 
 TestHarnessDACProvider::TestHarnessDACProvider()
@@ -321,7 +311,8 @@ CHIP_ERROR TestHarnessDACProvider::SignWithDeviceAttestationKey(const ByteSpan &
 
     // In a non-exemplary implementation, the public key is not needed here. It is used here merely because
     // Crypto::P256Keypair is only (currently) constructable from raw keys if both private/public keys are present.
-    ReturnErrorOnFailure(LoadKeypairFromRaw(mDacPrivateKey, mDacPublicKey, keypair));
+    ReturnErrorOnFailure(keypair.ImportRawKeypair(mDacPrivateKey, mDacPublicKey));
+
     ReturnErrorOnFailure(keypair.ECDSA_sign_msg(message_to_sign.data(), message_to_sign.size(), signature));
 
     return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, out_signature_buffer);

src/credentials/FabricTable.cpp

@@ -241,9 +241,6 @@ CHIP_ERROR FabricInfo::SetOperationalKeypair(const P256Keypair * keyPair)
 {
     VerifyOrReturnError(keyPair != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
-    P256SerializedKeypair serialized;
-    ReturnErrorOnFailure(keyPair->Serialize(serialized));
-
     if (mHasExternallyOwnedOperationalKey)
     {
         // Drop it, so we will allocate an internally owned one.
@@ -256,7 +253,7 @@ CHIP_ERROR FabricInfo::SetOperationalKeypair(const P256Keypair * keyPair)
         mOperationalKey = chip::Platform::New<P256Keypair>();
     }
     VerifyOrReturnError(mOperationalKey != nullptr, CHIP_ERROR_NO_MEMORY);
-    return mOperationalKey->Deserialize(serialized);
+    return mOperationalKey->Copy(*keyPair);
 }
 
 CHIP_ERROR FabricInfo::SetExternallyOwnedOperationalKeypair(P256Keypair * keyPair)
@@ -690,16 +687,12 @@ CHIP_ERROR FabricTable::AddNewFabricForTest(const ByteSpan & rootCert, const Byt
     CHIP_ERROR err = CHIP_ERROR_INTERNAL;
 
     Crypto::P256Keypair injectedOpKey;
-    Crypto::P256SerializedKeypair injectedOpKeysSerialized;
-
     Crypto::P256Keypair * opKey = nullptr;
+
     if (!opKeySpan.empty())
     {
-        VerifyOrReturnError(opKeySpan.size() == injectedOpKeysSerialized.Capacity(), CHIP_ERROR_INVALID_ARGUMENT);
-
-        memcpy(injectedOpKeysSerialized.Bytes(), opKeySpan.data(), opKeySpan.size());
-        SuccessOrExit(err = injectedOpKeysSerialized.SetLength(opKeySpan.size()));
-        SuccessOrExit(err = injectedOpKey.Deserialize(injectedOpKeysSerialized));
+        VerifyOrReturnError(opKeySpan.size() == kP256_PublicKey_Length + kP256_PrivateKey_Length, CHIP_ERROR_INVALID_ARGUMENT);
+        SuccessOrExit(err = injectedOpKey.ImportRawKeypair(opKeySpan));
         opKey = &injectedOpKey;
     }
 

src/credentials/TestOnlyLocalCertificateAuthority.h

@@ -69,7 +69,7 @@ class TestOnlyLocalCertificateAuthority
 
         if (rootKeyPair.Length() != 0)
         {
-            mCurrentStatus = mRootKeypair->Deserialize(rootKeyPair);
+            mCurrentStatus = mRootKeypair->ImportRawKeypair(rootKeyPair.Span());
             SuccessOrExit(mCurrentStatus);
         }
         else

src/credentials/examples/DeviceAttestationCredsExample.cpp

@@ -31,16 +31,6 @@ namespace Examples {
 
 namespace {
 
-// TODO: This should be moved to a method of P256Keypair
-CHIP_ERROR LoadKeypairFromRaw(ByteSpan private_key, ByteSpan public_key, Crypto::P256Keypair & keypair)
-{
-    Crypto::P256SerializedKeypair serialized_keypair;
-    ReturnErrorOnFailure(serialized_keypair.SetLength(private_key.size() + public_key.size()));
-    memcpy(serialized_keypair.Bytes(), public_key.data(), public_key.size());
-    memcpy(serialized_keypair.Bytes() + public_key.size(), private_key.data(), private_key.size());
-    return keypair.Deserialize(serialized_keypair);
-}
-
 class ExampleDACProvider : public DeviceAttestationCredentialsProvider
 {
 public:
@@ -196,7 +186,7 @@ CHIP_ERROR ExampleDACProvider::SignWithDeviceAttestationKey(const ByteSpan & mes
 
     // In a non-exemplary implementation, the public key is not needed here. It is used here merely because
     // Crypto::P256Keypair is only (currently) constructable from raw keys if both private/public keys are present.
-    ReturnErrorOnFailure(LoadKeypairFromRaw(DevelopmentCerts::kDacPrivateKey, DevelopmentCerts::kDacPublicKey, keypair));
+    ReturnErrorOnFailure(keypair.ImportRawKeypair(DevelopmentCerts::kDacPrivateKey, DevelopmentCerts::kDacPublicKey));
     ReturnErrorOnFailure(keypair.ECDSA_sign_msg(message_to_sign.data(), message_to_sign.size(), signature));
 
     return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, out_signature_buffer);

src/credentials/tests/TestCertificationDeclaration.cpp

@@ -363,12 +363,11 @@ static void TestCD_CMSSignAndVerify(nlTestSuite * inSuite, void * inContext)
 
     // Test with known key
     P256Keypair keypair2;
-    P256SerializedKeypair serializedKeypair;
-    memcpy(serializedKeypair.Bytes(), sTestCMS_SignerSerializedKeypair, sizeof(sTestCMS_SignerSerializedKeypair));
-    serializedKeypair.SetLength(sizeof(sTestCMS_SignerSerializedKeypair));
     cdContentIn   = ByteSpan(sTestCMS_CDContent02);
     signedMessage = MutableByteSpan(signedMessageBuf);
-    NL_TEST_ASSERT(inSuite, keypair2.Deserialize(serializedKeypair) == CHIP_NO_ERROR);
+    NL_TEST_ASSERT(inSuite,
+                   keypair2.ImportRawKeypair(sTestCMS_SignerSerializedKeypair, sizeof(sTestCMS_SignerSerializedKeypair)) ==
+                       CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, CMS_Sign(cdContentIn, signerKeyId, keypair2, signedMessage) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, CMS_Verify(signedMessage, keypair2.Pubkey(), cdContentOut) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, cdContentIn.data_equal(cdContentOut));