From e0b60714bd00fff3bdf779521483d2fe155d1d14 Mon Sep 17 00:00:00 2001
From: Evgeni Margolis
Date: Fri, 15 Apr 2022 12:02:42 -0700
Subject: [PATCH 1/2] Added Check for RCAC Id Validity Stored in the Commissioner Memory.
---
 src/controller/ExampleOperationalCredentialsIssuer.cpp | 3 +++
 src/controller/java/AndroidOperationalCredentialsIssuer.cpp | 3 +++
 .../Framework/CHIP/CHIPOperationalCredentialsDelegate.mm | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/src/controller/ExampleOperationalCredentialsIssuer.cpp b/src/controller/ExampleOperationalCredentialsIssuer.cpp
index 12c85aabb48e1e..0984e290ebc3fb 100644
--- a/src/controller/ExampleOperationalCredentialsIssuer.cpp
+++ b/src/controller/ExampleOperationalCredentialsIssuer.cpp
@@ -124,9 +124,12 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 err = mStorage->SyncGetKeyValue(key, rcac.data(), rcacBufLen));
 if (err == CHIP_NO_ERROR)
 {
+ uint64_t rcacId;
 // Found root certificate in the storage.
 rcac.reduce_size(rcacBufLen);
 ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
+ ReturnErrorOnFailure(rcac_dn.GetCertChipId(rcacId));
+ VerifyOrReturnError(rcacId == mIssuerId, CHIP_ERROR_INTERNAL);
 }
 // If root certificate not found in the storage, generate new root certificate.
 else
diff --git a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
index 440046d8e6095f..619fc4cb5b8d7b 100644
--- a/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
+++ b/src/controller/java/AndroidOperationalCredentialsIssuer.cpp
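Review bot: The check added in the `if (err == CHIP_NO_ERROR)` branch of ExampleOperationalCredentialsIssuer.cpp binds the stored RCAC to this issuer only through the subject's CHIP id, so a stored certificate carrying the expected id but a different public key would still be accepted. Nothing in the hunk compares the certificate's public key with the key the issuer signs with; GenerateNOCChainAfterValidation starts and ends outside the hunk, so that comparison may exist elsewhere, but if it does not it belongs next to this check, since the persisted blob is the input being validated. The same applies to the identical additions in AndroidOperationalCredentialsIssuer.cpp and CHIPOperationalCredentialsDelegate.mm. At minimum the limit should be documented, e.g. `// Only the subject id is compared; the stored RCAC's public key is not checked against the issuer key here.` A mismatch is also returned as `CHIP_ERROR_INTERNAL` with no log line, which makes a stale or altered storage entry hard to tell apart from other failures; `ChipLogError(Controller, "Stored RCAC id does not match issuer id");` before the return would help.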
@@ -90,9 +90,12 @@ CHIP_ERROR AndroidOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 err = mStorage->SyncGetKeyValue(key, rcac.data(), rcacBufLen));
 if (err == CHIP_NO_ERROR)
 {
+ uint64_t rcacId;
 // Found root certificate in the storage.
 rcac.reduce_size(rcacBufLen);
 ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
+ ReturnErrorOnFailure(rcac_dn.GetCertChipId(rcacId));
+ VerifyOrReturnError(rcacId == mIssuerId, CHIP_ERROR_INTERNAL);
 }
 // If root certificate not found in the storage, generate new root certificate.
 else
diff --git a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
index b908f5b18ec2d4..7e8810f66da592 100644
--- a/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
+++ b/src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm
@@ -341,8 +341,11 @@ static void ClearSecretData(NSMutableData * data)
 PERSISTENT_KEY_OP(fabricId, kOperationalCredentialsRootCertificateStorage, key,
 haveRootCert = (mStorage->SyncGetKeyValue(key, rcac.data(), rcacBufLen) == CHIP_NO_ERROR));
 if (haveRootCert) {
+ uint64_t rcacId;
 rcac.reduce_size(rcacBufLen);
 ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
+ ReturnErrorOnFailure(rcac_dn.GetCertChipId(rcacId));
+ VerifyOrReturnError(rcacId == mIssuerId, CHIP_ERROR_INTERNAL);
 }
 }
 if (!haveRootCert) {
From eda9df50c31dce9dfd4002d2eedb0c266cae9bc8 Mon Sep 17 00:00:00 2001
From: Evgeni Margolis
Date: Fri, 15 Apr 2022 12:25:57 -0700
Subject: [PATCH 2/2] Added Similar Check for ICAC Id.
---
 src/controller/ExampleOperationalCredentialsIssuer.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/controller/ExampleOperationalCredentialsIssuer.cpp b/src/controller/ExampleOperationalCredentialsIssuer.cpp
index 0984e290ebc3fb..14ad78463ce225 100644
--- a/src/controller/ExampleOperationalCredentialsIssuer.cpp
+++ b/src/controller/ExampleOperationalCredentialsIssuer.cpp
@@ -151,9 +151,12 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 err = mStorage->SyncGetKeyValue(key, icac.data(), icacBufLen));
 if (err == CHIP_NO_ERROR)
 {
+ uint64_t icacId;
 // Found intermediate certificate in the storage.
 icac.reduce_size(icacBufLen);
 ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(icac, icac_dn));
+ ReturnErrorOnFailure(icac_dn.GetCertChipId(icacId));
+ VerifyOrReturnError(icacId == mIntermediateIssuerId, CHIP_ERROR_INTERNAL);
 }
 // If intermediate certificate not found in the storage, generate new intermediate certificate.
 else
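Review bot: The ICAC check compares only the stored certificate's subject id with `mIntermediateIssuerId`; it does not confirm that the stored ICAC was issued under the RCAC handled earlier in the function, so an ICAC left over from a previous root with the same intermediate id would appear to pass. The RCAC handling and the rest of GenerateNOCChainAfterValidation are outside this hunk, so whether the chain is validated later cannot be seen from here. If it is not, comparing the stored ICAC's issuer DN with `rcac_dn` at this point would close the gap; otherwise state the limit in a comment, e.g. `// Only the subject id is checked here; the ICAC's issuer is not compared with rcac_dn.` As a smaller style point, `uint64_t icacId = 0;` avoids leaving the local uninitialised before `GetCertChipId` fills it.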