Added CD Generation Option to the chip-cert Tool. (#10475)

-- added gen-cd command
  -- Used new tool command to generate Test CD samples, which can be
     found in credentials/test/certification-declaration/
  -- added script that was used to generate Test CD samples:
     credentials/test/gen-test-cds.sh
  -- added new functions to parse uint16_t and uint8_t integers from string
  -- minor chip-cert tool code cleanups

credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVqgAwIBAgIIRdrzneR6oI8wCgYIKoZIzj0EAwIwKzEpMCcGA1UEAwwg
+TWF0dGVyIFRlc3QgQ0QgU2lnbmluZyBBdXRob3JpdHkwIBcNMjEwNjI4MTQyMzQz
+WhgPOTk5OTEyMzEyMzU5NTlaMCsxKTAnBgNVBAMMIE1hdHRlciBUZXN0IENEIFNp
+Z25pbmcgQXV0aG9yaXR5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPDmJIkUr
+VcrzicJb0bykZWlSzLkOiGkkmthHRlMBTL+V1oeWXgNrUhxRA35rjO3vyh60QEZp
+T6CIgu7WUZ3suqNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC
+AQYwHQYDVR0OBBYEFGL6gjNZrPqplj4c+hQK3fUE83FgMB8GA1UdIwQYMBaAFGL6
+gjNZrPqplj4c+hQK3fUE83FgMAoGCCqGSM49BAMCA0cAMEQCICxUXOTkV9im8NnZ
+u+vW7OHd/n+MbZps83UyH8b6xxOEAiBUB3jodDlyUn7t669YaGIgtUB48s1OYqdq
+58u5L/VMiw==
+-----END CERTIFICATE-----

credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIK7zSEEW6UgexXvgRy30G/SZBk5QJK2GnspeiJgC1IB1oAoGCCqGSM49
+AwEHoUQDQgAEPDmJIkUrVcrzicJb0bykZWlSzLkOiGkkmthHRlMBTL+V1oeWXgNr
+UhxRA35rjO3vyh60QEZpT6CIgu7WUZ3sug==
+-----END EC PRIVATE KEY-----

credentials/test/gen-test-cds.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+#
+# Copyright (c) 2021 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Script that can be used to generate Certification Declaration (CD)
+# for testing purposes.
+# The script expects the path to the chip-cert tool binary as an input argument.
+#
+# Usage example when the script is run from the CHIP SDK root directory:
+#     ./credentials/test/gen-test-cds.sh ./out/debug/standalone/chip-cert
+#
+# The result will be stored in:
+#     credentials/test/certification-declaration
+#
+# If the intention is to re-generate a new set of CDs that replace the already
+# present ones then it is recommended to clear the folder:
+#     rm credentials/test/certification-declaration/*
+#
+
+set -e
+
+here=${0%/*}
+
+dest_dir="$here/certification-declaration"
+
+mkdir -p "$dest_dir"
+
+if [ $# == 1 ]; then
+    chip_cert_tool=$1
+else
+    echo "Error: Please specify exactly one input argument; the path to the chip-cert tool binary"
+    exit
+fi
+
+cert_valid_from="2021-06-28 14:23:43"
+cert_lifetime=4294967295
+
+format_version=1
+vids=(FFF2 FFF3)
+pid0=8001
+pid1=8002
+device_type_id=0x1234
+certificate_id0="ZIG20141ZB330001-24"
+certificate_id1="ZIG20142ZB330002-24"
+security_level=0
+security_info=0
+version_num=9876
+certification_type=0
+dac_origin_vendor_id=0xFFF1
+dac_origin_product_id=0x8000
+
+cd_signing_key="$dest_dir/Chip-Test-CD-Signing-Key.pem"
+cd_signing_cert="$dest_dir/Chip-Test-CD-Signing-Cert.pem"
+
+# Using gen-att-cert command to generate CD Signing Cert/Key:
+"$chip_cert_tool" gen-att-cert --type a --subject-cn "Matter Test CD Signing Authority" --valid-from "$cert_valid_from" --lifetime "$cert_lifetime" --out-key "$cd_signing_key" --out "$cd_signing_cert"
+
+for vid in "${vids[@]}"; do
+
+    "$chip_cert_tool" gen-cd --key "$cd_signing_key" --cert "$cd_signing_cert" --out "$dest_dir/Chip-Test-CD-$vid-$pid0.der" --format-version "$format_version" --vendor-id "0x$vid" --product-id "0x$pid0" --device-type-id "$device_type_id" --certificate-id "$certificate_id0" --security-level "$security_level" --security-info "$security_info" --version-number "$version_num" --certification-type "$certification_type"
+
+    "$chip_cert_tool" gen-cd --key "$cd_signing_key" --cert "$cd_signing_cert" --out "$dest_dir/Chip-Test-CD-$vid-$pid1.der" --format-version "$format_version" --vendor-id "0x$vid" --product-id "0x$pid1" --device-type-id "$device_type_id" --certificate-id "$certificate_id1" --security-level "$security_level" --security-info "$security_info" --version-number "$version_num" --certification-type "$certification_type"
+
+    "$chip_cert_tool" gen-cd --key "$cd_signing_key" --cert "$cd_signing_cert" --out "$dest_dir/Chip-Test-CD-$vid-$pid1-WithDACOrigin.der" --format-version "$format_version" --vendor-id "0x$vid" --product-id "0x$pid1" --device-type-id "$device_type_id" --certificate-id "$certificate_id1" --security-level "$security_level" --security-info "$security_info" --version-number "$version_num" --certification-type "$certification_type" --dac-origin-vendor-id "$dac_origin_vendor_id" --dac-origin-product-id "$dac_origin_product_id"
+
+    "$chip_cert_tool" gen-cd --key "$cd_signing_key" --cert "$cd_signing_cert" --out "$dest_dir/Chip-Test-CD-$vid-$pid0-$pid1.der" --format-version "$format_version" --vendor-id "0x$vid" --product-id "0x$pid0" --product-id "0x$pid1" --device-type-id "$device_type_id" --certificate-id "$certificate_id1" --security-level "$security_level" --security-info "$security_info" --version-number "$version_num" --certification-type "$certification_type"
+
+    "$chip_cert_tool" gen-cd --key "$cd_signing_key" --cert "$cd_signing_cert" --out "$dest_dir/Chip-Test-CD-$vid-$pid0-$pid1-WithDACOrigin.der" --format-version "$format_version" --vendor-id "0x$vid" --product-id "0x$pid0" --product-id "0x$pid1" --device-type-id "$device_type_id" --certificate-id "$certificate_id1" --security-level "$security_level" --security-info "$security_info" --version-number "$version_num" --certification-type "$certification_type" --dac-origin-vendor-id "$dac_origin_vendor_id" --dac-origin-product-id "$dac_origin_product_id"
+
+done

src/lib/support/CHIPArgParser.cpp

@@ -753,6 +753,64 @@ bool ParseInt(const char * str, int32_t & output, int base)
     return parseEnd > str && *parseEnd == 0 && ((v != LONG_MIN && v != LONG_MAX) || errno == 0);
 }
 
+/**
+ * Parse and attempt to convert a string to a 16-bit unsigned integer,
+ * applying the appropriate interpretation based on the base parameter.
+ *
+ * @param[in]  str    A pointer to a NULL-terminated C string representing
+ *                    the integer to parse.
+ * @param[out] output A reference to storage for a 16-bit unsigned integer
+ *                    to which the parsed value will be stored on success.
+ * @param[in]  base   The base according to which the string should be
+ *                    interpreted and parsed. If 0 or 16, the string may
+ *                    be hexadecimal and prefixed with "0x". Otherwise, a 0
+ *                    is implied as 10 unless a leading 0 is encountered in
+ *                    which 8 is implied.
+ *
+ * @return true on success; otherwise, false on failure.
+ */
+bool ParseInt(const char * str, uint16_t & output, int base)
+{
+    uint32_t v;
+
+    if (!ParseInt(str, v, base) || !CanCastTo<uint16_t>(v))
+    {
+        return false;
+    }
+    output = static_cast<uint16_t>(v);
+
+    return true;
+}
+
+/**
+ * Parse and attempt to convert a string to a 8-bit unsigned integer,
+ * applying the appropriate interpretation based on the base parameter.
+ *
+ * @param[in]  str    A pointer to a NULL-terminated C string representing
+ *                    the integer to parse.
+ * @param[out] output A reference to storage for a 8-bit unsigned integer
+ *                    to which the parsed value will be stored on success.
+ * @param[in]  base   The base according to which the string should be
+ *                    interpreted and parsed. If 0 or 16, the string may
+ *                    be hexadecimal and prefixed with "0x". Otherwise, a 0
+ *                    is implied as 10 unless a leading 0 is encountered in
+ *                    which 8 is implied.
+ *
+ * @return true on success; otherwise, false on failure.
+ */
+bool ParseInt(const char * str, uint8_t & output, int base)
+{
+    uint32_t v;
+
+    if (!ParseInt(str, v, base) || !CanCastTo<uint8_t>(v))
+    {
+        return false;
+    }
+    output = static_cast<uint8_t>(v);
+
+    return true;
+}
+
 /**
  * Parse and attempt to convert a string interpreted as a decimal
  * value to a 64-bit unsigned integer, applying the appropriate

src/lib/support/CHIPArgParser.hpp

@@ -123,6 +123,8 @@ bool ParseInt(const char * str, uint16_t & output);
 bool ParseInt(const char * str, int32_t & output);
 bool ParseInt(const char * str, uint32_t & output);
 bool ParseInt(const char * str, uint64_t & output);
+bool ParseInt(const char * str, uint8_t & output, int base);
+bool ParseInt(const char * str, uint16_t & output, int base);
 bool ParseInt(const char * str, int32_t & output, int base);
 bool ParseInt(const char * str, uint32_t & output, int base);
 bool ParseInt(const char * str, uint64_t & output, int base);

src/tools/chip-cert/BUILD.gn

@@ -24,6 +24,7 @@ executable("chip-cert") {
     "Cmd_ConvertCert.cpp",
     "Cmd_ConvertKey.cpp",
     "Cmd_GenAttCert.cpp",
+    "Cmd_GenCD.cpp",
     "Cmd_GenCert.cpp",
     "Cmd_PrintCert.cpp",
     "Cmd_ResignCert.cpp",

src/tools/chip-cert/CertUtils.cpp

@@ -166,7 +166,7 @@ namespace {
 CertFormat DetectCertFormat(uint8_t * cert, uint32_t certLen)
 {
     static const uint8_t chipRawPrefix[] = { 0x15, 0x30, 0x01 };
-    static const char * chipB64Prefix    = "FTABC";
+    static const char * chipB64Prefix    = "FTAB";
     static const size_t chipB64PrefixLen = strlen(chipB64Prefix);
     static const char * pemMarker        = "-----BEGIN CERTIFICATE-----";
 

src/tools/chip-cert/Cmd_GenAttCert.cpp

@@ -150,8 +150,6 @@ struct tm gValidFrom;
 
 bool HandleOption(const char * progName, OptionSet * optSet, int id, const char * name, const char * arg)
 {
-    uint64_t chip64bitAttr;
-
     switch (id)
     {
     case 't':
@@ -181,20 +179,18 @@ bool HandleOption(const char * progName, OptionSet * optSet, int id, const char
         gSubjectCN = arg;
         break;
     case 'V':
-        if (!ParseChip64bitAttr(arg, chip64bitAttr) || !chip::CanCastTo<uint16_t>(chip64bitAttr))
+        if (!ParseInt(arg, gSubjectVID, 16))
         {
             PrintArgError("%s: Invalid value specified for the subject VID attribute: %s\n", progName, arg);
             return false;
         }
-        gSubjectVID = static_cast<uint16_t>(chip64bitAttr);
         break;
     case 'P':
-        if (!ParseChip64bitAttr(arg, chip64bitAttr) || !chip::CanCastTo<uint16_t>(chip64bitAttr))
+        if (!ParseInt(arg, gSubjectPID, 16))
         {
             PrintArgError("%s: Invalid value specified for the subject PID attribute: %s\n", progName, arg);
             return false;
         }
-        gSubjectPID = static_cast<uint16_t>(chip64bitAttr);
         break;
     case 'k':
         gInKeyFileName = arg;