Make CertType an enum class instead of an anonymous enum / uint8_t (#…

…28743)
project-chip · Nov 24, 2023 · 1403022 · 1403022
1 parent 4f158d9
commit 1403022
Show file tree

Hide file tree

Showing 9 changed files with 103 additions and 106 deletions.
diff --git a/src/app/server/Server.h b/src/app/server/Server.h
@@ -542,9 +542,9 @@ class Server
             case Credentials::CertificateValidityResult::kExpired:
             case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
             case Credentials::CertificateValidityResult::kTimeUnknown: {
-                uint8_t certType;
+                Credentials::CertType certType;
                 ReturnErrorOnFailure(cert->mSubjectDN.GetCertType(certType));
-                if (certType == Credentials::kCertType_Root)
+                if (certType == Credentials::CertType::kRoot)
                 {
                     return CHIP_NO_ERROR;
                 }

diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -309,7 +309,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va
 {
     CHIP_ERROR err                     = CHIP_NO_ERROR;
     const ChipCertificateData * caCert = nullptr;
-    uint8_t certType;
+    CertType certType;
 
     err = cert->mSubjectDN.GetCertType(certType);
     SuccessOrExit(err);
@@ -328,7 +328,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va
                      err = CHIP_ERROR_CERT_USAGE_NOT_ALLOWED);
 
         // Verify that the certificate type is set to Root or ICA.
-        VerifyOrExit(certType == kCertType_ICA || certType == kCertType_Root, err = CHIP_ERROR_WRONG_CERT_TYPE);
+        VerifyOrExit(certType == CertType::kICA || certType == CertType::kRoot, err = CHIP_ERROR_WRONG_CERT_TYPE);
 
         // If a path length constraint was included, verify the cert depth vs. the specified constraint.
         //
@@ -365,7 +365,7 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va
         }
 
         // If a required certificate type has been specified, verify it against the current certificate's type.
-        if (context.mRequiredCertType != kCertType_NotSpecified)
+        if (context.mRequiredCertType != CertType::kNotSpecified)
         {
             VerifyOrExit(certType == context.mRequiredCertType, err = CHIP_ERROR_WRONG_CERT_TYPE);
         }
@@ -569,7 +569,7 @@ void ValidationContext::Reset()
     mValidityPolicy = nullptr;
     mRequiredKeyUsages.ClearAll();
     mRequiredKeyPurposes.ClearAll();
-    mRequiredCertType = kCertType_NotSpecified;
+    mRequiredCertType = CertType::kNotSpecified;
 }
 
 bool ChipRDN::IsEqual(const ChipRDN & other) const
@@ -667,40 +667,40 @@ CHIP_ERROR ChipDN::AddAttribute(chip::ASN1::OID oid, CharSpan val, bool isPrinta
     return CHIP_NO_ERROR;
 }
 
-CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const
+CHIP_ERROR ChipDN::GetCertType(CertType & certType) const
 {
-    uint8_t lCertType    = kCertType_NotSpecified;
+    CertType lCertType   = CertType::kNotSpecified;
     bool fabricIdPresent = false;
     bool catsPresent     = false;
     uint8_t rdnCount     = RDNCount();
 
-    certType = kCertType_NotSpecified;
+    certType = CertType::kNotSpecified;
 
     for (uint8_t i = 0; i < rdnCount; i++)
     {
         if (rdn[i].mAttrOID == kOID_AttributeType_MatterRCACId)
         {
-            VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN);
+            VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN);
 
-            lCertType = kCertType_Root;
+            lCertType = CertType::kRoot;
         }
         else if (rdn[i].mAttrOID == kOID_AttributeType_MatterICACId)
         {
-            VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN);
+            VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN);
 
-            lCertType = kCertType_ICA;
+            lCertType = CertType::kICA;
         }
         else if (rdn[i].mAttrOID == kOID_AttributeType_MatterNodeId)
         {
-            VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN);
+            VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN);
             VerifyOrReturnError(IsOperationalNodeId(rdn[i].mChipVal), CHIP_ERROR_WRONG_NODE_ID);
-            lCertType = kCertType_Node;
+            lCertType = CertType::kNode;
         }
         else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFirmwareSigningId)
         {
-            VerifyOrReturnError(lCertType == kCertType_NotSpecified, CHIP_ERROR_WRONG_CERT_DN);
+            VerifyOrReturnError(lCertType == CertType::kNotSpecified, CHIP_ERROR_WRONG_CERT_DN);
 
-            lCertType = kCertType_FirmwareSigning;
+            lCertType = CertType::kFirmwareSigning;
         }
         else if (rdn[i].mAttrOID == kOID_AttributeType_MatterFabricId)
         {
@@ -717,7 +717,7 @@ CHIP_ERROR ChipDN::GetCertType(uint8_t & certType) const
         }
     }
 
-    if (lCertType == kCertType_Node)
+    if (lCertType == CertType::kNode)
     {
         VerifyOrReturnError(fabricIdPresent, CHIP_ERROR_WRONG_CERT_DN);
     }
@@ -1151,7 +1151,7 @@ CHIP_ERROR ValidateChipRCAC(const ByteSpan & rcac)
     ChipCertificateSet certSet;
     ChipCertificateData certData;
     ValidationContext validContext;
-    uint8_t certType;
+    CertType certType;
 
     // Note that this function doesn't check RCAC NotBefore / NotAfter time validity.
     // It is assumed that RCAC should be valid at the time of installation by definition.
@@ -1161,7 +1161,7 @@ CHIP_ERROR ValidateChipRCAC(const ByteSpan & rcac)
     ReturnErrorOnFailure(certSet.LoadCert(rcac, CertDecodeFlags::kGenerateTBSHash));
 
     ReturnErrorOnFailure(certData.mSubjectDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_WRONG_CERT_TYPE);
+    VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_WRONG_CERT_TYPE);
 
     VerifyOrReturnError(certData.mSubjectDN.IsEqual(certData.mIssuerDN), CHIP_ERROR_WRONG_CERT_TYPE);
 
@@ -1337,10 +1337,10 @@ CHIP_ERROR ExtractCATsFromOpCert(const ByteSpan & opcert, CATValues & cats)
 CHIP_ERROR ExtractCATsFromOpCert(const ChipCertificateData & opcert, CATValues & cats)
 {
     uint8_t catCount = 0;
-    uint8_t certType;
+    CertType certType;
 
     ReturnErrorOnFailure(opcert.mSubjectDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_Node, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kNode, CHIP_ERROR_INVALID_ARGUMENT);
 
     const ChipDN & subjectDN = opcert.mSubjectDN;
     for (uint8_t i = 0; i < subjectDN.RDNCount(); ++i)

diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h
@@ -101,17 +101,17 @@ enum
  *
  * @note Cert type is an API data type only; it should never be sent over-the-wire.
  */
-enum
+enum class CertType : uint8_t
 {
-    kCertType_NotSpecified    = 0x00, /**< The certificate's type has not been specified. */
-    kCertType_Root            = 0x01, /**< A CHIP Root certificate. */
-    kCertType_ICA             = 0x02, /**< A CHIP Intermediate CA certificate. */
-    kCertType_Node            = 0x03, /**< A CHIP node certificate. */
-    kCertType_FirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. Note that CHIP doesn't
-                                           specify how firmware images are signed and implementation of
-                                           firmware image signing is manufacturer-specific. The CHIP
-                                           certificate format supports encoding of firmware signing
-                                           certificates if chosen by the manufacturer to use them. */
+    kNotSpecified    = 0x00, /**< The certificate's type has not been specified. */
+    kRoot            = 0x01, /**< A CHIP Root certificate. */
+    kICA             = 0x02, /**< A CHIP Intermediate CA certificate. */
+    kNode            = 0x03, /**< A CHIP node certificate. */
+    kFirmwareSigning = 0x04, /**< A CHIP firmware signing certificate. Note that CHIP doesn't
+                                  specify how firmware images are signed and implementation of
+                                  firmware image signing is manufacturer-specific. The CHIP
+                                  certificate format supports encoding of firmware signing
+                                  certificates if chosen by the manufacturer to use them. */
 };
 
 /** X.509 Certificate Key Purpose Flags
@@ -334,7 +334,7 @@ class ChipDN
      *
      * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
      **/
-    CHIP_ERROR GetCertType(uint8_t & certType) const;
+    CHIP_ERROR GetCertType(CertType & certType) const;
 
     /**
      * @brief Retrieve the ID of a CHIP certificate.

diff --git a/src/credentials/CHIPCertificateSet.h b/src/credentials/CHIPCertificateSet.h
@@ -70,7 +70,7 @@ struct ValidationContext
                                                        validated certificate. */
     BitFlags<KeyPurposeFlags> mRequiredKeyPurposes; /**< Extended Key usage extensions that should be present
                                                        in the validated certificate. */
-    uint8_t mRequiredCertType;                      /**< Required certificate type. */
+    CertType mRequiredCertType;                     /**< Required certificate type. */
 
     CertificateValidityPolicy * mValidityPolicy =
         nullptr; /**< Optional application policy to apply for certificate validity period evaluation. */

diff --git a/src/credentials/GenerateChipX509Cert.cpp b/src/credentials/GenerateChipX509Cert.cpp
@@ -326,15 +326,15 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, const Cryp
                          const Crypto::P256PublicKey & issuerPubkey, ASN1Writer & writer)
 {
     CHIP_ERROR err = CHIP_NO_ERROR;
-    uint8_t certType;
+    CertType certType;
     bool isCA;
 
     VerifyOrReturnError(requestParams.SerialNumber >= 0, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(requestParams.ValidityEnd == kNullCertTime || requestParams.ValidityEnd >= requestParams.ValidityStart,
                         CHIP_ERROR_INVALID_ARGUMENT);
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
-    isCA = (certType == kCertType_ICA || certType == kCertType_Root);
+    isCA = (certType == CertType::kICA || certType == CertType::kRoot);
 
     ASN1_START_SEQUENCE
     {
@@ -405,10 +405,10 @@ CHIP_ERROR NewChipX509Cert(const X509CertRequestParams & requestParams, const Cr
 DLL_EXPORT CHIP_ERROR NewRootX509Cert(const X509CertRequestParams & requestParams, Crypto::P256Keypair & issuerKeypair,
                                       MutableByteSpan & x509Cert)
 {
-    uint8_t certType;
+    CertType certType;
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(requestParams.SubjectDN.IsEqual(requestParams.IssuerDN), CHIP_ERROR_INVALID_ARGUMENT);
 
     return NewChipX509Cert(requestParams, issuerKeypair.Pubkey(), issuerKeypair, x509Cert);
@@ -417,13 +417,13 @@ DLL_EXPORT CHIP_ERROR NewRootX509Cert(const X509CertRequestParams & requestParam
 DLL_EXPORT CHIP_ERROR NewICAX509Cert(const X509CertRequestParams & requestParams, const Crypto::P256PublicKey & subjectPubkey,
                                      Crypto::P256Keypair & issuerKeypair, MutableByteSpan & x509Cert)
 {
-    uint8_t certType;
+    CertType certType;
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_ICA, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kICA, CHIP_ERROR_INVALID_ARGUMENT);
 
     ReturnErrorOnFailure(requestParams.IssuerDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT);
 
     return NewChipX509Cert(requestParams, subjectPubkey, issuerKeypair, x509Cert);
 }
@@ -432,13 +432,13 @@ DLL_EXPORT CHIP_ERROR NewNodeOperationalX509Cert(const X509CertRequestParams & r
                                                  const Crypto::P256PublicKey & subjectPubkey, Crypto::P256Keypair & issuerKeypair,
                                                  MutableByteSpan & x509Cert)
 {
-    uint8_t certType;
+    CertType certType;
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_Node, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kNode, CHIP_ERROR_INVALID_ARGUMENT);
 
     ReturnErrorOnFailure(requestParams.IssuerDN.GetCertType(certType));
-    VerifyOrReturnError(certType == kCertType_ICA || certType == kCertType_Root, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(certType == CertType::kICA || certType == CertType::kRoot, CHIP_ERROR_INVALID_ARGUMENT);
 
     return NewChipX509Cert(requestParams, subjectPubkey, issuerKeypair, x509Cert);
 }

diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp
@@ -244,13 +244,13 @@ static void TestChipCert_GetCertType_ErrorCases(nlTestSuite * inSuite, void * in
 
     for (auto chipCert : gTestCert_GetCertType_ErrorCases)
     {
-        uint8_t certType;
+        CertType certType;
 
         err = certSet.LoadCert(chipCert, sNullDecodeFlag);
         NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);
 
         err = certSet.GetCertSet()->mSubjectDN.GetCertType(certType);
-        NL_TEST_ASSERT(inSuite, err != CHIP_NO_ERROR || certType == kCertType_NotSpecified);
+        NL_TEST_ASSERT(inSuite, err != CHIP_NO_ERROR || certType == CertType::kNotSpecified);
 
         certSet.Clear();
     }
@@ -302,13 +302,13 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext)
     const static CATValues noc_cats = { { 0xABCD0001, chip::kUndefinedCAT, chip::kUndefinedCAT } };
 
     ChipDN chip_dn;
-    uint8_t certType = kCertType_FirmwareSigning; // Start with non-default value
+    CertType certType = CertType::kFirmwareSigning; // Start with non-default value
 
     NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty());
     NL_TEST_ASSERT(inSuite, chip_dn.RDNCount() == 0);
     NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty() == true);
-    NL_TEST_ASSERT(inSuite, certType == kCertType_NotSpecified);
+    NL_TEST_ASSERT(inSuite, certType == CertType::kNotSpecified);
 
     NL_TEST_ASSERT(inSuite, chip_dn.AddAttribute_CommonName(CharSpan(noc_rdn, strlen(noc_rdn)), false) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, chip_dn.AddAttribute_MatterNodeId(0xAAAABBBBCCCCDDDD) == CHIP_NO_ERROR);
@@ -321,7 +321,7 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext)
     NL_TEST_ASSERT(inSuite, chip_dn.RDNCount() == 5);
 
     NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR);
-    NL_TEST_ASSERT(inSuite, certType == kCertType_Node);
+    NL_TEST_ASSERT(inSuite, certType == CertType::kNode);
 
     uint64_t certId;
     NL_TEST_ASSERT(inSuite, chip_dn.GetCertChipId(certId) == CHIP_NO_ERROR);
@@ -334,7 +334,7 @@ static void TestChipCert_ChipDN(nlTestSuite * inSuite, void * inContext)
     chip_dn.Clear();
     NL_TEST_ASSERT(inSuite, chip_dn.GetCertType(certType) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, chip_dn.IsEmpty() == true);
-    NL_TEST_ASSERT(inSuite, certType == kCertType_NotSpecified);
+    NL_TEST_ASSERT(inSuite, certType == CertType::kNotSpecified);
 
     CATValues noc_cats2;
     chip::CATValues::Serialized serializedCATs;
@@ -362,7 +362,7 @@ static void TestChipCert_CertValidation(nlTestSuite * inSuite, void * inContext)
     {
         int mSubjectCertIndex;
         uint8_t mValidateFlags;
-        uint8_t mRequiredCertType;
+        CertType mRequiredCertType;
         CHIP_ERROR mExpectedResult;
         int mExpectedCertIndex;
         int mExpectedTrustAnchorIndex;
@@ -375,13 +375,9 @@ static void TestChipCert_CertValidation(nlTestSuite * inSuite, void * inContext)
     };
 
     // Short-hand names to make the test cases table more concise.
-    enum
-    {
-        CTNS   = kCertType_NotSpecified,
-        CTCA   = kCertType_ICA,
-        CTNode = kCertType_Node,
-        CTFS   = kCertType_FirmwareSigning,
-    };
+    const auto CTNS   = CertType::kNotSpecified;
+    const auto CTCA   = CertType::kICA;
+    const auto CTNode = CertType::kNode;
 
     // clang-format off
     static const ValidationTestCase sValidationTestCases[] = {
@@ -1196,28 +1192,28 @@ static void TestChipCert_CertType(nlTestSuite * inSuite, void * inContext)
     struct TestCase
     {
         uint8_t Cert;
-        uint8_t ExpectedCertType;
+        CertType ExpectedCertType;
     };
 
     // clang-format off
     static TestCase sTestCases[] = {
         // Cert                        ExpectedCertType
         // =============================================================
-        {  TestCert::kRoot01,          kCertType_Root            },
-        {  TestCert::kRoot02,          kCertType_Root            },
-        {  TestCert::kICA01,           kCertType_ICA             },
-        {  TestCert::kICA02,           kCertType_ICA             },
-        {  TestCert::kICA01_1,         kCertType_ICA             },
-        {  TestCert::kFWSign01,        kCertType_FirmwareSigning },
-        {  TestCert::kNode01_01,       kCertType_Node            },
-        {  TestCert::kNode01_02,       kCertType_Node            },
-        {  TestCert::kNode02_01,       kCertType_Node            },
-        {  TestCert::kNode02_02,       kCertType_Node            },
+        {  TestCert::kRoot01,          CertType::kRoot            },
+        {  TestCert::kRoot02,          CertType::kRoot            },
+        {  TestCert::kICA01,           CertType::kICA             },
+        {  TestCert::kICA02,           CertType::kICA             },
+        {  TestCert::kICA01_1,         CertType::kICA             },
+        {  TestCert::kFWSign01,        CertType::kFirmwareSigning },
+        {  TestCert::kNode01_01,       CertType::kNode            },
+        {  TestCert::kNode01_02,       CertType::kNode            },
+        {  TestCert::kNode02_01,       CertType::kNode            },
+        {  TestCert::kNode02_02,       CertType::kNode            },
     };
     // clang-format on
     for (const auto & testCase : sTestCases)
     {
-        uint8_t certType;
+        CertType certType;
 
         err = certSet.Init(1);
         NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR);