Merge branch 'master' into patch-9

config/nrfconnect/chip-gn/.gn

@@ -14,6 +14,7 @@
 
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
+import("//build_overrides/pigweed.gni")
 
 # The location of the build configuration file.
 buildconfig = "${build_root}/config/BUILDCONFIG.gn"
@@ -25,5 +26,14 @@ default_args = {
   target_cpu = "arm"
   target_os = "zephyr"
 
+  pw_sys_io_BACKEND = dir_pw_sys_io_stdio
+  pw_assert_BACKEND = dir_pw_assert_log
+  pw_log_BACKEND = dir_pw_log_basic
+
+  pw_build_LINK_DEPS = [
+    "$dir_pw_assert:impl",
+    "$dir_pw_log:impl",
+  ]
+
   import("${chip_root}/config/nrfconnect/chip-gn/args.gni")
 }

examples/chip-tool/commands/common/CHIPCommand.cpp

@@ -166,7 +166,8 @@ CHIP_ERROR CHIPCommand::MaybeSetUpStack()
             cdTrustStorePath = getenv(kCDTrustStorePathVariable);
         }
 
-        auto additionalCdCerts = chip::Credentials::LoadAllX509DerCerts(cdTrustStorePath);
+        auto additionalCdCerts =
+            chip::Credentials::LoadAllX509DerCerts(cdTrustStorePath, chip::Credentials::CertificateValidationMode::kPublicKeyOnly);
         if (cdTrustStorePath != nullptr && additionalCdCerts.size() == 0)
         {
             ChipLogError(chipTool, "Warning: no CD signing certs found in path: %s, only defaults will be used", cdTrustStorePath);

scripts/setup/constraints.txt

@@ -98,7 +98,7 @@ ghapi==1.0.3
     # via -r requirements.memory.txt
 humanfriendly==10.0
     # via coloredlogs
-idf-component-manager==1.2.2
+idf-component-manager==1.5.2
     # via -r requirements.esp32.txt
 idna==3.4
     # via requests

scripts/tools/check_includes_config.py

@@ -160,6 +160,9 @@
     'src/tracing/json/json_tracing.cpp': {'string', 'sstream'},
     'src/tracing/json/json_tracing.h': {'fstream', 'unordered_map'},
 
+    # esp32 tracing
+    'src/tracing/esp32_trace/esp32_tracing.h': {'unordered_map'},
+
     # Not intended for embedded clients
     'src/app/PendingResponseTrackerImpl.h': {'unordered_set'},
 

src/BUILD.gn

@@ -143,7 +143,8 @@ if (chip_build_tests) {
     if (chip_monolithic_tests) {
       # TODO [PW_MIGRATION] Remove this if after migartion to PW_TEST is completed for all platforms
       # TODO [PW_MIGRATION] There will be a list of already migrated platforms
-      if (chip_device_platform == "esp32") {
+      if (chip_device_platform == "esp32" ||
+          chip_device_platform == "nrfconnect") {
         deps += [ "${chip_root}/src/lib/support:pw_tests_wrapper" ]
       }
       build_monolithic_library = true

src/controller/java/BUILD.gn

@@ -365,11 +365,7 @@ kotlin_library("kotlin_matter_controller") {
 
   output_name = "KotlinMatterController.jar"
 
-  deps = [
-    ":java",
-    ":tlv",
-    "${chip_root}/third_party/java_deps:annotation",
-  ]
+  deps = [ ":java" ]
 
   sources = [
     "src/matter/controller/CompletionListenerAdapter.kt",

src/credentials/attestation_verifier/FileAttestationTrustStore.cpp

@@ -53,7 +53,7 @@ FileAttestationTrustStore::FileAttestationTrustStore(const char * paaTrustStoreP
     mIsInitialized = true;
 }
 
-std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath)
+std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath, CertificateValidationMode validationMode)
 {
     std::vector<std::vector<uint8_t>> certs;
     if (trustStorePath == nullptr)
@@ -89,21 +89,39 @@ std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePat
                 if ((certificateLength > 0) && (certificateLength <= kMaxDERCertLength))
                 {
                     certificate.resize(certificateLength);
-                    // Only accumulate certificate if it has a subject key ID extension
-                    {
-                        uint8_t kidBuf[Crypto::kSubjectKeyIdentifierLength] = { 0 };
-                        MutableByteSpan kidSpan{ kidBuf };
-                        ByteSpan certSpan{ certificate.data(), certificate.size() };
+                    ByteSpan certSpan{ certificate.data(), certificate.size() };
 
+                    // Only accumulate certificate if it passes validation.
+                    bool isValid = false;
+                    switch (validationMode)
+                    {
+                    case CertificateValidationMode::kPAA: {
                         if (CHIP_NO_ERROR != VerifyAttestationCertificateFormat(certSpan, Crypto::AttestationCertType::kPAA))
                         {
-                            continue;
+                            break;
                         }
 
+                        uint8_t kidBuf[Crypto::kSubjectKeyIdentifierLength] = { 0 };
+                        MutableByteSpan kidSpan{ kidBuf };
                         if (CHIP_NO_ERROR == Crypto::ExtractSKIDFromX509Cert(certSpan, kidSpan))
                         {
-                            certs.push_back(certificate);
+                            isValid = true;
                         }
+                        break;
+                    }
+                    case CertificateValidationMode::kPublicKeyOnly: {
+                        Crypto::P256PublicKey publicKey;
+                        if (CHIP_NO_ERROR == Crypto::ExtractPubkeyFromX509Cert(certSpan, publicKey))
+                        {
+                            isValid = true;
+                        }
+                        break;
+                    }
+                    }
+
+                    if (isValid)
+                    {
+                        certs.push_back(certificate);
                     }
                 }
                 fclose(file);

src/credentials/attestation_verifier/FileAttestationTrustStore.h

@@ -25,17 +25,29 @@
 namespace chip {
 namespace Credentials {
 
+enum class CertificateValidationMode
+{
+    // Validate that the certificate is a valid PAA certificate.
+    kPAA,
+    // Validate just that the certificate has a public key we can extract
+    // (e.g. it's a CD signing certificate).
+    kPublicKeyOnly,
+};
+
 /**
  * @brief Load all X.509 DER certificates in a given path.
  *
- * Silently ignores non-X.509 files and X.509 files without a subject key identifier.
+ * Silently ignores non-X.509 files and X.509 files that fail validation as
+ * determined by the provided validation mode.
  *
  * Returns an empty vector if no files are found or unrecoverable errors arise.
  *
  * @param trustStorePath - path from where to search for certificates.
+ * @param validationMode - how the certificate files should be validated.
  * @return a vector of certificate DER data
  */
-std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath);
+std::vector<std::vector<uint8_t>> LoadAllX509DerCerts(const char * trustStorePath,
+                                                      CertificateValidationMode validationMode = CertificateValidationMode::kPAA);
 
 class FileAttestationTrustStore : public AttestationTrustStore
 {

src/test_driver/nrfconnect/main/runner.cpp

@@ -16,6 +16,7 @@
  */
 
 #include <lib/support/CodeUtils.h>
+#include <lib/support/UnitTest.h>
 #include <lib/support/UnitTestRegistration.h>
 #include <platform/CHIPDeviceLayer.h>
 
@@ -35,6 +36,7 @@ extern "C" int main(void)
 
     LOG_INF("Starting CHIP tests!");
     int status = RunRegisteredUnitTests();
+    status += chip::test::RunAllTests();
     LOG_INF("CHIP test status: %d", status);
 
     _exit(status);