From 0f6de14328b37377d34b69e80f77ce7ed9bcecaa Mon Sep 17 00:00:00 2001
From: Maciej Baczmanski <maciej.baczmanski@nordicsemi.no>
Date: Fri, 9 Aug 2024 15:35:18 +0200
Subject: [PATCH] Add ICD CIP and DAC key slots for PSA

---
 src/crypto/BUILD.gn           |  1 +
 src/crypto/CHIPCryptoPALPSA.h | 20 +++++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
index 1fb8b94f39a82f..9de65971ecaac8 100644
--- a/src/crypto/BUILD.gn
+++ b/src/crypto/BUILD.gn
@@ -71,6 +71,7 @@ source_set("public_headers") {
     "${chip_root}/src/lib/core",
     "${chip_root}/src/lib/core:types",
     "${chip_root}/src/lib/support",
+    "${chip_root}/src/app/icd/server:icd-server-config",
     "${nlassert_root}:nlassert",
   ]
 }
diff --git a/src/crypto/CHIPCryptoPALPSA.h b/src/crypto/CHIPCryptoPALPSA.h
index 50d7555eb1b628..6b101c56cf518f 100644
--- a/src/crypto/CHIPCryptoPALPSA.h
+++ b/src/crypto/CHIPCryptoPALPSA.h
@@ -27,6 +27,7 @@
 #pragma once
 
 #include "CHIPCryptoPAL.h"
+#include <app/icd/server/ICDServerConfig.h>
 #include <lib/core/DataModelTypes.h>
 #include <lib/support/SafePointerCast.h>
 
@@ -55,14 +56,27 @@ namespace Crypto {
 #define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE 0x30000
 #endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE
 
+#if CHIP_CONFIG_ENABLE_ICD_CIP
+static constexpr uint32_t kMaxICDClientKeys = CHIP_CONFIG_ICD_CLIENTS_SUPPORTED_PER_FABRIC * CHIP_CONFIG_MAX_FABRICS;
+#endif // CHIP_CONFIG_ENABLE_ICD_CIP
+
 /**
  * @brief Defines subranges of the PSA key identifier space used by Matter.
  */
 enum class KeyIdBase : psa_key_id_t
 {
-    Minimum     = CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE,
-    Operational = Minimum, ///< Base of the PSA key ID range for Node Operational Certificate private keys
-    Maximum     = Operational + kMaxValidFabricIndex,
+    Minimum              = CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE,
+    Operational          = Minimum, ///< Base of the PSA key ID range for Node Operational Certificate private keys
+    DACPrivKey           = Operational + kMaxValidFabricIndex + 1,
+#if CHIP_CONFIG_ENABLE_ICD_CIP
+    ICDHmacKeyRangeStart = DACPrivKey + 1,
+    ICDAesKeyRangeStart  = ICDHmacKeyRangeStart + kMaxICDClientKeys,
+    ICDKeysRangeEnd      = ICDAesKeyRangeStart + kMaxICDClientKeys,
+#else
+    // If Check-In Protocol is disabled, set ICDKeysRangeEnd to previous key, to allow setting next key ID to `ICDKeysRangeEnd + 1`
+    ICDKeysRangeEnd      = DACPrivKey,
+#endif // CHIP_CONFIG_ENABLE_ICD_CIP
+    Maximum              = ICDKeysRangeEnd,
 };
 
 static_assert(to_underlying(KeyIdBase::Minimum) >= PSA_KEY_ID_USER_MIN && to_underlying(KeyIdBase::Maximum) <= PSA_KEY_ID_USER_MAX,