From 17005089ffbe071f758a54b46b0ef51ef1f9d8ad Mon Sep 17 00:00:00 2001 From: Robert Schulze <112553298+deveritec-rosc@users.noreply.github.com> Date: Fri, 6 Jan 2023 10:35:08 +0100 Subject: [PATCH] [nrfconnect] Allow use of certifcates stored on the HDD for factory data (#24274) * [nrfconnect] Allow use of certifcates stored somewhere on the HDD for factory data Instead of just allow usage for the default certificates or certificates generated on demand also add the possibility to use certificates already located on the HDD. This makes it easier to use generated test DCL certificates. * [nrfconnect] Rename options and provide help string Signed-off-by: Robert Schulze * [nrfconnect] fix indententaion error in Kconfig Signed-off-by: Robert Schulze Signed-off-by: Robert Schulze --- config/nrfconnect/chip-module/Kconfig | 47 +++++++++++++++---- .../chip-module/generate_factory_data.cmake | 4 ++ 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig index 4b477d357287d1..b6700cbe7f3602 100644 --- a/config/nrfconnect/chip-module/Kconfig +++ b/config/nrfconnect/chip-module/Kconfig 
@@ -135,16 +135,45 @@ config CHIP_FACTORY_DATA_MERGE_WITH_FIRMWARE As a result, a new output file merged.hex will consist of all partitions including factory data. -# Use default certificates without generating or providing them -config CHIP_FACTORY_DATA_USE_DEFAULT_CERTS - bool "Use default certificates located in Matter repository" - default y +# Select source of the certificates +choice CHIP_FACTORY_DATA_CERT_SOURCE + prompt "Attestation certificate file source" + default CHIP_FACTORY_DATA_USE_DEFAULT_CERTS + + config CHIP_FACTORY_DATA_USE_DEFAULT_CERTS + bool "Use pre-generated development certificates" + help + Use pre-generated certificate files from the credentials/development/attestation/ + directory that match the configured Product ID. This can be used for development + purpose. + config CHIP_FACTORY_DATA_CERT_SOURCE_GENERATED + bool "Auto-generate certificates" + help + Generate new certificates instead of using pre-generated ones. + The certificates are generated on every build. + config CHIP_FACTORY_DATA_CERT_SOURCE_USER + bool "Use user-provided certificate files" + help + Use user-provided certificate files. + The user needs to specify the absolute path to all necessary files. +endchoice + +if CHIP_FACTORY_DATA_CERT_SOURCE_USER + +config CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT + string "Path to the DAC certificate *.der-file" + help + Absolute path to the DAC certificate file in binary format. +config CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY + string "Path to the DAC private key *.der-file" help - Pre-generated certificates can be used for development purpose. - This config includes default pre-generated certificates - which are located in credentials/development/attestation/ directory - instead of generating new ones. - If this config is set to `n` new certificates will be generated. + Absolute path to the DAC keysfile in binary format. + Note that both public and private keys must be present (will be extracted automatically). 
+config CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT
+ string "Path to the PAI certificate *.der-file"
+ help
+ Absolute path pointing to the PAI certificate in binary format.
+endif
 # Configs for SPAKE2 generation
 config CHIP_FACTORY_DATA_GENERATE_SPAKE2_VERIFIER
diff --git a/config/nrfconnect/chip-module/generate_factory_data.cmake b/config/nrfconnect/chip-module/generate_factory_data.cmake
index 2888822efcaea3..be0c4c0fac692c 100644
--- a/config/nrfconnect/chip-module/generate_factory_data.cmake
+++ b/config/nrfconnect/chip-module/generate_factory_data.cmake
@@ -69,6 +69,10 @@ if(CONFIG_CHIP_FACTORY_DATA_USE_DEFAULT_CERTS)
 string(APPEND script_args "--dac_cert \"${CHIP_ROOT}/credentials/development/attestation/Matter-Development-DAC-${raw_pid_upper}-Cert.der\"\n")
 string(APPEND script_args "--dac_key \"${CHIP_ROOT}/credentials/development/attestation/Matter-Development-DAC-${raw_pid_upper}-Key.der\"\n")
 string(APPEND script_args "--pai_cert \"${CHIP_ROOT}/credentials/development/attestation/Matter-Development-PAI-noPID-Cert.der\"\n")
+elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER)
+ string(APPEND script_args "--dac_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT}\"\n")
+ string(APPEND script_args "--dac_key \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY}\"\n")
+ string(APPEND script_args "--pai_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT}\"\n")
 else()
 find_program(chip_cert_exe NAMES chip-cert REQUIRED)
 string(APPEND script_args "--gen_cd\n")
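Review bot: The help text for `CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY`, the one new option that takes private key material, is the least clear of the three: `keysfile` is a typo, and "both public and private keys must be present (will be extracted automatically)" says neither which encoding the file must have nor what performs the extraction. Suggest `Absolute path to the DAC private key file in DER format. The file must contain both the public and the private key; they are extracted by the factory data generation step (confirm against the script that consumes --dac_key).` Because this path is recorded in the build configuration and the key is handed to factory data generation via `--dac_key`, the help should also tell users to keep the file outside the source tree and out of version control. Separately, the new choice still defaults to `CHIP_FACTORY_DATA_USE_DEFAULT_CERTS`, whose help would benefit from stating plainly that these DAC keys live in the public repository under credentials/development/attestation/ and must never be flashed onto production devices.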
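Review bot: The new `elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER)` branch forwards the three user-supplied paths without checking that they are set or point to existing files; a Kconfig `string` defaults to empty, so selecting this source without filling in the paths appends `--dac_cert ""` to `script_args` and any failure is deferred to whenever the factory data script runs, with whatever message it produces. A configure-time check gives a clear error immediately and also rejects relative paths, which the Kconfig help requires to be absolute and which `if(EXISTS)` only handles reliably for full paths. The enclosing `if(CONFIG_CHIP_FACTORY_DATA_USE_DEFAULT_CERTS)` block begins outside the hunk.
```cmake
elseif(CONFIG_CHIP_FACTORY_DATA_CERT_SOURCE_USER)
    # Fail at configure time: Kconfig strings default to "" and the help text
    # requires absolute paths, so validate before forwarding them to the script.
    foreach(cert_var
            CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT
            CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_KEY
            CONFIG_CHIP_FACTORY_DATA_USER_CERTS_PAI_CERT)
        if(NOT IS_ABSOLUTE "${${cert_var}}" OR NOT EXISTS "${${cert_var}}")
            message(FATAL_ERROR "${cert_var} must be an absolute path to an existing file, got '${${cert_var}}'")
        endif()
    endforeach()
    string(APPEND script_args "--dac_cert \"${CONFIG_CHIP_FACTORY_DATA_USER_CERTS_DAC_CERT}\"\n")
    # … unchanged: --dac_key and --pai_cert appends …
```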