Add a method to send the NOC with CATs when pairing devices

examples/chip-tool/commands/common/CredentialIssuerCommands.h

@@ -73,6 +73,8 @@ class CredentialIssuerCommands
 
     virtual chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() = 0;
 
+    virtual void SetCredentialIssuerCATValues(chip::CATValues cats) = 0;
+
     /**
      * @brief
      *   This function is used to Generate NOC Chain for the Controller/Commissioner. Parameters follow the example implementation,

examples/chip-tool/commands/example/ExampleCredentialIssuerCommands.h

@@ -45,6 +45,7 @@ class ExampleCredentialIssuerCommands : public CredentialIssuerCommands
         return CHIP_NO_ERROR;
     }
     chip::Controller::OperationalCredentialsDelegate * GetCredentialIssuer() override { return &mOpCredsIssuer; }
+    void SetCredentialIssuerCATValues(chip::CATValues cats) override { mOpCredsIssuer.SetCATValuesForNextNOCRequest(cats); }
     CHIP_ERROR GenerateControllerNOCChain(chip::NodeId nodeId, chip::FabricId fabricId, const chip::CATValues & cats,
                                           chip::Crypto::P256Keypair & keypair, chip::MutableByteSpan & rcac,
                                           chip::MutableByteSpan & icac, chip::MutableByteSpan & noc) override

examples/chip-tool/commands/pairing/PairingCommand.cpp

@@ -33,6 +33,21 @@ using namespace ::chip::Controller;
 CHIP_ERROR PairingCommand::RunCommand()
 {
     CurrentCommissioner().RegisterPairingDelegate(this);
+    // Clear the CATs in OperationalCredentialsIssuer
+    mCredIssuerCmds->SetCredentialIssuerCATValues(kUndefinedCATs);
+
+    if (mCASEAuthTags.HasValue() && mCASEAuthTags.Value().size() <= kMaxSubjectCATAttributeCount)
+    {
+        CATValues cats = kUndefinedCATs;
+        for (size_t index = 0; index < mCASEAuthTags.Value().size(); ++index)
+        {
+            cats.values[index] = mCASEAuthTags.Value()[index];
+        }
+        if (cats.AreValid())
+        {
+            mCredIssuerCmds->SetCredentialIssuerCATValues(cats);
+        }
+    }
     return RunInternal(mNodeId);
 }
 

examples/chip-tool/commands/pairing/PairingCommand.h

@@ -64,6 +64,7 @@ class PairingCommand : public CHIPCommand,
         AddArgument("bypass-attestation-verifier", 0, 1, &mBypassAttestationVerifier,
                     "Bypass the attestation verifier. If not provided or false, the attestation verifier is not bypassed."
                     " If true, the commissioning will continue in case of attestation verification failure.");
+        AddArgument("case-auth-tags", 1, UINT32_MAX, &mCASEAuthTags, "The CATs to be encoded in the NOC sent to the commissionee");
 
         switch (networkType)
         {
@@ -188,6 +189,7 @@ class PairingCommand : public CHIPCommand,
     chip::Optional<bool> mPaseOnly;
     chip::Optional<bool> mSkipCommissioningComplete;
     chip::Optional<bool> mBypassAttestationVerifier;
+    chip::Optional<std::vector<uint32_t>> mCASEAuthTags;
     uint16_t mRemotePort;
     uint16_t mDiscriminator;
     uint32_t mSetupPINCode;

src/controller/ExampleOperationalCredentialsIssuer.cpp

@@ -374,7 +374,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan
     MutableByteSpan rcacSpan(rcac.Get(), kMaxDERCertLength);
 
     ReturnErrorOnFailure(
-        GenerateNOCChainAfterValidation(assignedId, mNextFabricId, chip::kUndefinedCATs, pubkey, rcacSpan, icacSpan, nocSpan));
+        GenerateNOCChainAfterValidation(assignedId, mNextFabricId, mNextCATs, pubkey, rcacSpan, icacSpan, nocSpan));
 
     // TODO(#13825): Should always generate some IPK. Using a temporary fixed value until APIs are plumbed in to set it end-to-end
     // TODO: Force callers to set IPK if used before GenerateNOCChain will succeed.

src/controller/ExampleOperationalCredentialsIssuer.h

@@ -69,6 +69,8 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
 
     void SetFabricIdForNextNOCRequest(FabricId fabricId) override { mNextFabricId = fabricId; }
 
+    void SetCATValuesForNextNOCRequest(CATValues cats) { mNextCATs = cats; }
+
     /**
      * @brief Initialize the issuer with the keypair in the storage.
      *        If the storage doesn't have one, it'll create one, and it to the storage.
@@ -123,6 +125,7 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
 
     NodeId mNextRequestedNodeId = 1;
     FabricId mNextFabricId      = 1;
+    CATValues mNextCATs         = kUndefinedCATs;
     bool mNodeIdRequested       = false;
     uint64_t mIndex             = 0;
 };