From 29068501d9217d1d09b183f61e094a1ed1dd8380 Mon Sep 17 00:00:00 2001
From: Evgeny Margolis <emargolis@google.com>
Date: Tue, 10 May 2022 22:36:26 -0700
Subject: [PATCH] Updated DefaultDeviceAttestationVerifier to Verify that PAA
 KeyId is in the Certification Declaration. (#18219)

---
 .../DefaultDeviceAttestationVerifier.cpp           | 14 ++++++++++++++
 .../DeviceAttestationVerifier.h                    |  7 +++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
index 896cfe9f3a0138..6524fafa80f836 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -278,6 +278,12 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
             .paaVendorId  = paaVidPid.mVendorId.ValueOr(VendorId::NotSpecified),
         };
 
+        MutableByteSpan paaSKID(deviceInfo.paaSKID);
+        VerifyOrExit(ExtractSKIDFromX509Cert(paaDerBuffer, paaSKID) == CHIP_NO_ERROR,
+                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
+        VerifyOrExit(paaSKID.size() == sizeof(deviceInfo.paaSKID),
+                     attestationError = AttestationVerificationResult::kPaaFormatInvalid);
+
         VerifyOrExit(DeconstructAttestationElements(info.attestationElementsBuffer, certificationDeclarationSpan,
                                                     attestationNonceSpan, timestampDeconstructed, firmwareInfoSpan,
                                                     vendorReserved) == CHIP_NO_ERROR,
@@ -384,6 +390,14 @@ AttestationVerificationResult DefaultDACVerifier::ValidateCertificateDeclaration
         }
     }
 
+    if (cdContent.authorizedPAAListPresent)
+    {
+        // The Subject Key Id of the PAA SHALL match one of the values present in the authorized_paa_list
+        // in the Certification Declaration.
+        VerifyOrReturnError(cdElementsDecoder.HasAuthorizedPAA(certDeclBuffer, ByteSpan(deviceInfo.paaSKID)),
+                            AttestationVerificationResult::kCertificationDeclarationInvalidPAA);
+    }
+
     return AttestationVerificationResult::kSuccess;
 }
 
diff --git a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
index 038559882dd427..756759d32ebe03 100644
--- a/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
+++ b/src/credentials/attestation_verifier/DeviceAttestationVerifier.h
@@ -68,6 +68,7 @@ enum class AttestationVerificationResult : uint16_t
     kCertificationDeclarationInvalidFormat      = 603,
     kCertificationDeclarationInvalidVendorId    = 604,
     kCertificationDeclarationInvalidProductId   = 605,
+    kCertificationDeclarationInvalidPAA         = 606,
 
     kNoMemory = 700,
 
@@ -93,7 +94,7 @@ struct DeviceInfoForAttestation
     uint16_t vendorId = VendorId::NotSpecified;
     // Product ID reported by device in Basic Information cluster
     uint16_t productId = 0;
-    // Vendor ID from  DAC
+    // Vendor ID from DAC
     uint16_t dacVendorId = VendorId::NotSpecified;
     // Product ID from DAC
     uint16_t dacProductId = 0;
@@ -101,8 +102,10 @@ struct DeviceInfoForAttestation
     uint16_t paiVendorId = VendorId::NotSpecified;
     // Product ID from PAI cert (0 if absent)
     uint16_t paiProductId = 0;
-    // Vendor ID from  PAA cert
+    // Vendor ID from PAA cert
     uint16_t paaVendorId = VendorId::NotSpecified;
+    // Subject Key Identifier (SKID) from PAA cert
+    uint8_t paaSKID[Crypto::kSubjectKeyIdentifierLength] = { 0 };
 };
 
 typedef void (*OnAttestationInformationVerification)(void * context, AttestationVerificationResult result);