[chip-tool] Add a parameter on pairing commands to bypass attestation verifier (#24155)

* Add the parameter 'bypass-attestation-verifier' in chip-tool pairing commands.

* Restyled by whitespace

* Restyled by clang-format

* Update examples/chip-tool/commands/pairing/PairingCommand.h

Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

* Update examples/chip-tool/commands/pairing/PairingCommand.h

Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>
diff --git a/examples/chip-tool/commands/pairing/PairingCommand.cpp b/examples/chip-tool/commands/pairing/PairingCommand.cpp
index 9c18502..ec8deb7 100644
--- a/examples/chip-tool/commands/pairing/PairingCommand.cpp
+++ b/examples/chip-tool/commands/pairing/PairingCommand.cpp
@@ -72,6 +72,10 @@
 {
     auto params = CommissioningParameters();
     params.SetSkipCommissioningComplete(mSkipCommissioningComplete.ValueOr(false));
+    if (mBypassAttestationVerifier.ValueOr(false))
+    {
+        params.SetDeviceAttestationDelegate(this);
+    }
 
     switch (mNetworkType)
     {
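Review bot: The `if (mBypassAttestationVerifier.ValueOr(false))` branch arms the bypass without a comment, and `SetDeviceAttestationDelegate(this)` on its own does not tell a reader that this line is what lets a failed attestation pass. I would add above the `if`: `// Test-only: with this delegate installed, OnDeviceAttestationCompleted() overrides the verifier's verdict with kSuccess.` The enclosing function starts before this hunk and continues past it, so whether every pairing mode picks up these parameters cannot be checked from here.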
@@ -281,3 +285,19 @@
 
     command->SetCommandExitStatus(err);
 }
+
+chip::Optional<uint16_t> PairingCommand::FailSafeExpiryTimeoutSecs() const
+{
+    // We don't need to set additional failsafe timeout as we don't ask the final user if he wants to continue
+    return chip::Optional<uint16_t>();
+}
+
+void PairingCommand::OnDeviceAttestationCompleted(chip::Controller::DeviceCommissioner * deviceCommissioner,
+                                                  chip::DeviceProxy * device,
+                                                  const chip::Credentials::DeviceAttestationVerifier::AttestationDeviceInfo & info,
+                                                  chip::Credentials::AttestationVerificationResult attestationResult)
+{
+    // Bypass attestation verification, continue with success
+    deviceCommissioner->ContinueCommissioningAfterDeviceAttestation(device,
+                                                                    chip::Credentials::AttestationVerificationResult::kSuccess);
+}
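Review bot: `OnDeviceAttestationCompleted` discards both the verifier's real verdict (`attestationResult`) and the return value of `ContinueCommissioningAfterDeviceAttestation`. A bypassed failure therefore leaves no trace in the logs, and a failure to resume commissioning goes unreported. Logging the original result at error level before overriding it gives anyone reading the logs a record that the device did not pass attestation. The call's result, which I expect to be a `CHIP_ERROR` like the other commissioner calls, should be checked and passed to `SetCommandExitStatus`, as the callback just above this hunk does.

```cpp
// … unchanged: OnDeviceAttestationCompleted signature …
{
    // Record the verifier's real verdict before overriding it, so a bypassed failure is visible in the logs.
    ChipLogError(chipTool, "Attestation verifier bypassed; verifier result was %u",
                 static_cast<unsigned>(attestationResult));

    CHIP_ERROR err = deviceCommissioner->ContinueCommissioningAfterDeviceAttestation(
        device, chip::Credentials::AttestationVerificationResult::kSuccess);
    if (err != CHIP_NO_ERROR)
    {
        SetCommandExitStatus(err);
    }
}
```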
diff --git a/examples/chip-tool/commands/pairing/PairingCommand.h b/examples/chip-tool/commands/pairing/PairingCommand.h
index 4919ec8..142a090 100644
--- a/examples/chip-tool/commands/pairing/PairingCommand.h
+++ b/examples/chip-tool/commands/pairing/PairingCommand.h
@@ -48,7 +48,8 @@
 
 class PairingCommand : public CHIPCommand,
                        public chip::Controller::DevicePairingDelegate,
-                       public chip::Controller::DeviceDiscoveryDelegate
+                       public chip::Controller::DeviceDiscoveryDelegate,
+                       public chip::Credentials::DeviceAttestationDelegate
 {
 public:
     PairingCommand(const char * commandName, PairingMode mode, PairingNetworkType networkType,
@@ -60,6 +61,9 @@
         mCurrentFabricRemoveCallback(OnCurrentFabricRemove, this)
     {
         AddArgument("node-id", 0, UINT64_MAX, &mNodeId);
+        AddArgument("bypass-attestation-verifier", 0, 1, &mBypassAttestationVerifier,
+                    "Bypass the attestation verifier. If not provided or false, the attestation verifier is not bypassed."
+                    " If true, the commissioning will continue in case of attestation verification failure.");
 
         switch (networkType)
         {
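Review bot: The help string for `bypass-attestation-verifier` says commissioning "will continue" on attestation failure, but not what that means for the fabric. A device whose certificate chain or certification declaration did not verify is then commissioned exactly like a genuine one. I would append a sentence to the help text such as `" Intended for test setups only: a device that fails attestation is commissioned as if it had passed."` so the consequence is visible in the command's usage output. The constructor body starts before this hunk and continues past it.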
@@ -158,6 +162,12 @@
     void OnDiscoveredDevice(const chip::Dnssd::DiscoveredNodeData & nodeData) override;
     bool IsDiscoverOnce() { return mDiscoverOnce.ValueOr(false); }
 
+    /////////// DeviceAttestationDelegate /////////
+    chip::Optional<uint16_t> FailSafeExpiryTimeoutSecs() const override;
+    void OnDeviceAttestationCompleted(chip::Controller::DeviceCommissioner * deviceCommissioner, chip::DeviceProxy * device,
+                                      const chip::Credentials::DeviceAttestationVerifier::AttestationDeviceInfo & info,
+                                      chip::Credentials::AttestationVerificationResult attestationResult) override;
+
 private:
     CHIP_ERROR RunInternal(NodeId remoteId);
     CHIP_ERROR Pair(NodeId remoteId, PeerAddress address);
@@ -177,6 +187,7 @@
     chip::Optional<bool> mUseOnlyOnNetworkDiscovery;
     chip::Optional<bool> mPaseOnly;
     chip::Optional<bool> mSkipCommissioningComplete;
+    chip::Optional<bool> mBypassAttestationVerifier;
     uint16_t mRemotePort;
     uint16_t mDiscriminator;
     uint32_t mSetupPINCode;