diff --git a/credentials/generate_revocation_set.py b/credentials/generate_revocation_set.py index 6a1374828d43ae..bb2f5b6e9a8d33 100755 --- a/credentials/generate_revocation_set.py +++ b/credentials/generate_revocation_set.py @@ -1006,14 +1006,11 @@ def setUp(self): def get_test_file_path(self, filename): return os.path.join(self.test_base_dir, 'test', filename) - def compare_revocation_sets(self, generated_set, expected_file): - with open(os.path.join(self.test_base_dir, expected_file), 'r') as f: - expected_set = [RevocationSet(**r) for r in json.load(f)] - - # Compare the contents - self.assertEqual(len([generated_set]), len(expected_set)) - expected = expected_set[0] + def get_expected_revocation_set(self, idx): + with open(os.path.join(self.test_base_dir, 'test/revoked-attestation-certificates/revocation-sets/revocation-set.json'), 'r') as f: + return RevocationSet(**json.load(f)[idx]) + def compare_revocation_sets(self, generated_set, expected): # Compare required fields self.assertEqual(generated_set.type, expected.type) self.assertEqual(generated_set.issuer_subject_key_id, expected.issuer_subject_key_id) @@ -1038,10 +1035,7 @@ def test_paa_revocation_set(self): revocation_set = generate_revocation_set_from_crl( crl, crl_signer, ca_name_b64, ca_akid_hex, None) - self.compare_revocation_sets( - revocation_set, - 'test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json' - ) + self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(0)) def test_pai_revocation_set(self): """Test generation of PAI revocation set""" @@ -1057,10 +1051,23 @@ def test_pai_revocation_set(self): revocation_set = generate_revocation_set_from_crl( crl, crl_signer, ca_name_b64, ca_akid_hex, None) - self.compare_revocation_sets( - revocation_set, - 'test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json' - ) + self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(1)) + + def test_revoked_pai_revocation_set(self): + """Test generation of revocation set of revoked PAI""" + with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.pem'), 'rb') as f: + crl = x509.load_pem_x509_crl(f.read()) + with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-Cert.pem'), 'rb') as f: + crl_signer = x509.load_pem_x509_certificate(f.read()) + with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAA-FFF1-Cert.pem'), 'rb') as f: + paa = x509.load_pem_x509_certificate(f.read()) + + ca_name_b64, ca_akid_hex = get_certificate_authority_details( + crl_signer, None, paa, False) + revocation_set = generate_revocation_set_from_crl( + crl, crl_signer, ca_name_b64, ca_akid_hex, None) + + self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(2)) if __name__ == "__main__": diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.der b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.der new file mode 100644 index 00000000000000..bb928ec9d973a8 Binary files /dev/null and b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.der differ diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.pem b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.pem new file mode 100644 index 00000000000000..a4ab090693d34f --- /dev/null +++ b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICAjCCAaigAwIBAgIIc151wP6PWsUwCgYIKoZIzj0EAwIwRjEuMCwGA1UEAwwl +TWF0dGVyIFRlc3QgUEFJIDB4RkZGMSBubyBQSUQgUmV2b2tlZDEUMBIGCisGAQQB +gqJ8AgEMBEZGRjEwIBcNMjUwMzI1MDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMGQx +NjA0BgNVBAMMLU1hdHRlciBUZXN0IFJldm9rZWQgREFDIFNpZ25lZCBieSBSZXZv +a2VkIFBBSTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4 +MDAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaELP83azv5+vdJg+vmO/g6td +Z9obWLWWZdgatid+/x5leASGpBEgL0pEv1UZ74ol4bK6S287eQKrIAZB2xdqWaNg +MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFDO1Scke +5qNNVdIn4aGgsbGhUWs6MB8GA1UdIwQYMBaAFJEzfFz+e7KTdv6IfTyU5/Wd2D0v +MAoGCCqGSM49BAMCA0gAMEUCIGO/qO9oglMxDEPMplwri0o31iRLg/p+qAyhtUC1 +DiWxAiEAgv4UPAsPjvj1gPMWaLe9xnbrZOuXg+7bjOFPeODItFc= +-----END CERTIFICATE----- diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.der b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.der new file mode 100644 index 00000000000000..f393b8aafbe496 Binary files /dev/null and b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.der differ diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.pem b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.pem new file mode 100644 index 00000000000000..55a749be4988f1 --- /dev/null +++ b/credentials/test/revoked-attestation-certificates/Chip-Test-DAC-FFF1-8001-Revoked-Signed-By-Revoked-PAI-Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIJoLKewrsvBa4y0m97yUkHqvZHBNjl32M5xbK15Q+ShHoAoGCCqGSM49 +AwEHoUQDQgAEaELP83azv5+vdJg+vmO/g6tdZ9obWLWWZdgatid+/x5leASGpBEg +L0pEv1UZ74ol4bK6S287eQKrIAZB2xdqWQ== +-----END EC PRIVATE KEY----- diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.der b/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.der new file mode 100644 index 00000000000000..a9d5970ba2b64d Binary files /dev/null and b/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.der differ diff --git a/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.pem b/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.pem new file mode 100644 index 00000000000000..78eb90079932aa --- /dev/null +++ b/credentials/test/revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.pem @@ -0,0 +1,9 @@ +-----BEGIN X509 CRL----- +MIIBHjCBxQIBATAKBggqhkjOPQQDAjBGMS4wLAYDVQQDDCVNYXR0ZXIgVGVzdCBQ +QUkgMHhGRkYxIG5vIFBJRCBSZXZva2VkMRQwEgYKKwYBBAGConwCAQwERkZGMRcN +MjUwMzI2MDYyODU2WhgPMjEyNTAzMjcwNjI4NTZaMBswGQIIc151wP6PWsUXDTI1 +MDMyNjA2Mjg1NlqgLzAtMB8GA1UdIwQYMBaAFJEzfFz+e7KTdv6IfTyU5/Wd2D0v +MAoGA1UdFAQDAgEAMAoGCCqGSM49BAMCA0gAMEUCIQDM4thiU6vEOH5jwGaFypV2 +P9InyjTJKpMo5bR4QEMMRgIgYge7z2UStTlJzS2gVm/MVld7SNnD+020LOVP1SWb +ufk= +-----END X509 CRL----- diff --git a/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json b/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json new file mode 100644 index 00000000000000..83b2d12752e81a --- /dev/null +++ b/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json @@ -0,0 +1,9 @@ +{ + "description": "Revoked DAC and PAI", + "basic_info_pid": 32769, + "certification_declaration": "3081e706092a864886f70d010702a081d93081d6020103310d300b0609608648016503040201304306092a864886f70d010701a0360434152400012501f1ff3602050180182403162c0413435341303030303053574330303030302d303124050024060024070124080018317d307b020103801462fa823359acfaa9963e1cfa140addf504f37160300b0609608648016503040201300a06082a8648ce3d0403020447304502204dc6be89beeb5a49adec51ee7f0e6d1263ffc9e6238f2044385a5e0c86751b83022100ed902842f7a5784368d63eba6a2fb90086dd65a0ce3c283d86b915a3536afdac", + "pai_cert": "308201d43082017aa0030201020208302664392b8a3f2a300a06082a8648ce3d04030230303118301606035504030c0f4d617474657220546573742050414131143012060a2b0601040182a27c02010c04464646313020170d3234313231333030303030305a180f39393939313233313233353935395a3046312e302c06035504030c254d617474657220546573742050414920307846464631206e6f20504944205265766f6b656431143012060a2b0601040182a27c02010c04464646313059301306072a8648ce3d020106082a8648ce3d03010703420004bd58a84f7862e0751c4e56280f149697df7c51aadc5a4fa393c96277a59079de40907ab7860d069de652ea8bc8f7053bfe7c3a8ef4700d76b9cc20db312caf91a366306430120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106301d0603551d0e0416041491337c5cfe7bb29376fe887d3c94e7f59dd83d2f301f0603551d230418301680146afd22771f511fecbf1641976710dcdc31a1717e300a06082a8648ce3d04030203480030450221009c74f6a84b3acb5a369de90399114ebf0a55150babd3d52b2898708847bc9c6e0220651881c81b7a20c346b97c68313c4be1c0a88f4f3a4072ed3c7ea11dc60984fc", + "dac_cert": "30820202308201a8a0030201020208735e75c0fe8f5ac5300a06082a8648ce3d0403023046312e302c06035504030c254d617474657220546573742050414920307846464631206e6f20504944205265766f6b656431143012060a2b0601040182a27c02010c04464646313020170d3235303332353030303030305a180f39393939313233313233353935395a30643136303406035504030c2d4d61747465722054657374205265766f6b656420444143205369676e6564206279205265766f6b65642050414931143012060a2b0601040182a27c02010c044646463131143012060a2b0601040182a27c02020c04383030313059301306072a8648ce3d020106082a8648ce3d030107034200046842cff376b3bf9faf74983ebe63bf83ab5d67da1b58b59665d81ab6277eff1e65780486a411202f4a44bf5519ef8a25e1b2ba4b6f3b7902ab200641db176a59a360305e300c0603551d130101ff04023000300e0603551d0f0101ff040403020780301d0603551d0e0416041433b549c91ee6a34d55d227e1a1a0b1b1a1516b3a301f0603551d2304183016801491337c5cfe7bb29376fe887d3c94e7f59dd83d2f300a06082a8648ce3d0403020348003045022063bfa8ef688253310c43cca65c2b8b4a37d6244b83fa7ea80ca1b540b50e25b102210082fe143c0b0f8ef8f580f31668b7bdc676eb64eb9783eedb8ce14f78e0c8b457", + "dac_private_key": "9a0b29ec2bb2f05ae32d26f7bc94907aaf64704d8e5df6339c5b2b5e50f92847", + "dac_public_key": "046842cff376b3bf9faf74983ebe63bf83ab5d67da1b58b59665d81ab6277eff1e65780486a411202f4a44bf5519ef8a25e1b2ba4b6f3b7902ab200641db176a59" +} diff --git a/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json b/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json deleted file mode 100644 index 93edb94c129df0..00000000000000 --- a/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json +++ /dev/null @@ -1,9 +0,0 @@ -[ - { - "type": "revocation_set", - "issuer_subject_key_id": "6AFD22771F511FECBF1641976710DCDC31A1717E", - "issuer_name": "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=", - "revoked_serial_numbers": ["302664392B8A3F2A"], - "crl_signer_cert": "MIIBvTCCAWSgAwIBAgIITqjoMYLUHBwwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMTA2MjgxNDIzNDNaGA85OTk5MTIzMTIzNTk1OVowMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLbLY3KIfyko9brIGqnZOuJDHK2p154kL2UXfvnO2TKijs0Duq9qj8oYShpQNUKWDUU/MD8fGUIddR6Pjxqam3WjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAfBgNVHSMEGDAWgBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAKBggqhkjOPQQDAgNHADBEAiBQqoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpHmUkpxyqvChVI1A0DTVFLJd4=" - } -] diff --git a/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json b/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json deleted file mode 100644 index 46c3c1b66cddd8..00000000000000 --- a/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json +++ /dev/null @@ -1,13 +0,0 @@ -[ - { - "type": "revocation_set", - "issuer_subject_key_id": "63540E47F64B1C38D13884A462D16C195D8FFB3C", - "issuer_name": "MD0xJTAjBgNVBAMMHE1hdHRlciBEZXYgUEFJIDB4RkZGMSBubyBQSUQxFDASBgorBgEEAYKifAIBDARGRkYx", - "revoked_serial_numbers": [ - "0AB042494323FE54", - "19367D978EAC533A", - "2569383D24BB36EA" - ], - "crl_signer_cert": "MIIByzCCAXGgAwIBAgIIVq2CIq2UW2QwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMjAyMDUwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowPTElMCMGA1UEAwwcTWF0dGVyIERldiBQQUkgMHhGRkYxIG5vIFBJRDEUMBIGCisGAQQBgqJ8AgEMBEZGRjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARBmpMVwhc+DIyHbQPM/JRIUmR/f+xeUIL0BZko7KiUxZQVEwmsYx5MsDOSr2hLC6+35ls7gWLC9Sv5MbjneqqCo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUY1QOR/ZLHDjROISkYtFsGV2P+zwwHwYDVR0jBBgwFoAUav0idx9RH+y/FkGXZxDc3DGhcX4wCgYIKoZIzj0EAwIDSAAwRQIhALLvJ/Sa6bUPuR7qyUxNC9u415KcbLiPrOUpNo0SBUwMAiBlXckrhr2QmIKmxiF3uCXX0F7b58Ivn+pxIg5+pwP4kQ==" - } -] diff --git a/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json b/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json new file mode 100644 index 00000000000000..dc9a1ca2c5dffb --- /dev/null +++ b/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json @@ -0,0 +1,27 @@ +[ + { + "type": "revocation_set", + "issuer_subject_key_id": "6AFD22771F511FECBF1641976710DCDC31A1717E", + "issuer_name": "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=", + "revoked_serial_numbers": ["302664392B8A3F2A"], + "crl_signer_cert": "MIIBvTCCAWSgAwIBAgIITqjoMYLUHBwwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMTA2MjgxNDIzNDNaGA85OTk5MTIzMTIzNTk1OVowMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLbLY3KIfyko9brIGqnZOuJDHK2p154kL2UXfvnO2TKijs0Duq9qj8oYShpQNUKWDUU/MD8fGUIddR6Pjxqam3WjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAfBgNVHSMEGDAWgBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAKBggqhkjOPQQDAgNHADBEAiBQqoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpHmUkpxyqvChVI1A0DTVFLJd4=" + }, + { + "type": "revocation_set", + "issuer_subject_key_id": "63540E47F64B1C38D13884A462D16C195D8FFB3C", + "issuer_name": "MD0xJTAjBgNVBAMMHE1hdHRlciBEZXYgUEFJIDB4RkZGMSBubyBQSUQxFDASBgorBgEEAYKifAIBDARGRkYx", + "revoked_serial_numbers": [ + "0AB042494323FE54", + "19367D978EAC533A", + "2569383D24BB36EA" + ], + "crl_signer_cert": "MIIByzCCAXGgAwIBAgIIVq2CIq2UW2QwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMjAyMDUwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowPTElMCMGA1UEAwwcTWF0dGVyIERldiBQQUkgMHhGRkYxIG5vIFBJRDEUMBIGCisGAQQBgqJ8AgEMBEZGRjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARBmpMVwhc+DIyHbQPM/JRIUmR/f+xeUIL0BZko7KiUxZQVEwmsYx5MsDOSr2hLC6+35ls7gWLC9Sv5MbjneqqCo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUY1QOR/ZLHDjROISkYtFsGV2P+zwwHwYDVR0jBBgwFoAUav0idx9RH+y/FkGXZxDc3DGhcX4wCgYIKoZIzj0EAwIDSAAwRQIhALLvJ/Sa6bUPuR7qyUxNC9u415KcbLiPrOUpNo0SBUwMAiBlXckrhr2QmIKmxiF3uCXX0F7b58Ivn+pxIg5+pwP4kQ==" + }, + { + "type": "revocation_set", + "issuer_subject_key_id": "91337C5CFE7BB29376FE887D3C94E7F59DD83D2F", + "issuer_name": "MEYxLjAsBgNVBAMMJU1hdHRlciBUZXN0IFBBSSAweEZGRjEgbm8gUElEIFJldm9rZWQxFDASBgorBgEEAYKifAIBDARGRkYx", + "revoked_serial_numbers": ["735E75C0FE8F5AC5"], + "crl_signer_cert": "MIIB1DCCAXqgAwIBAgIIMCZkOSuKPyowCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTAgFw0yNDEyMTMwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowRjEuMCwGA1UEAwwlTWF0dGVyIFRlc3QgUEFJIDB4RkZGMSBubyBQSUQgUmV2b2tlZDEUMBIGCisGAQQBgqJ8AgEMBEZGRjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS9WKhPeGLgdRxOVigPFJaX33xRqtxaT6OTyWJ3pZB53kCQereGDQad5lLqi8j3BTv+fDqO9HANdrnMINsxLK+Ro2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUkTN8XP57spN2/oh9PJTn9Z3YPS8wHwYDVR0jBBgwFoAUav0idx9RH+y/FkGXZxDc3DGhcX4wCgYIKoZIzj0EAwIDSAAwRQIhAJx09qhLOstaNp3pA5kRTr8KVRULq9PVKyiYcIhHvJxuAiBlGIHIG3ogw0a5fGgxPEvhwKiPTzpAcu08fqEdxgmE/A==" + } +] diff --git a/docs/guides/device-attestation-revocation-guide.md b/docs/guides/device-attestation-revocation-guide.md index 6ee4fee8461c23..04c38d4e25ffc4 100644 --- a/docs/guides/device-attestation-revocation-guide.md +++ b/docs/guides/device-attestation-revocation-guide.md @@ -44,9 +44,14 @@ pre-generated using the `generate_revocation_set.py` script. ### Test Vectors -| Description | DAC Provider | Revocation Set | Expected Result | -| --------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | -| PAI revoked by PAA | [revoked-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json) | [revocation-set-for-paa.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json) | Commissioning fails with `kPaiRevoked` (202) | -| DAC-01 revoked by PAI | [revoked-dac-01.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | -| DAC-02 revoked by PAI | [revoked-dac-02.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-02.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | -| DAC-03 revoked by PAI | [revoked-dac-03.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-03.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | +Please use +`credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json` +as revocation set + +| Description | DAC Provider | Expected Result | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | +| PAI revoked by PAA | [revoked-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json) | Commissioning fails with `kPaiRevoked` (202) | +| DAC-01 revoked by PAI | [revoked-dac-01.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json) | Commissioning fails with `kDacRevoked` (302) | +| DAC-02 revoked by PAI | [revoked-dac-02.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-02.json) | Commissioning fails with `kDacRevoked` (302) | +| DAC-03 revoked by PAI | [revoked-dac-03.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-03.json) | Commissioning fails with `kDacRevoked` (302) | +| DAC and PAI revoked | [revoked-dac-and-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json) | Commissioning fails with `kPaiAndDacRevoked` (208) | diff --git a/src/app/tests/suites/certification/Test_TC_DA_1_9.yaml b/src/app/tests/suites/certification/Test_TC_DA_1_9.yaml new file mode 100644 index 00000000000000..d0f983d348a50b --- /dev/null +++ b/src/app/tests/suites/certification/Test_TC_DA_1_9.yaml @@ -0,0 +1,252 @@ +# Copyright (c) 2025 Project CHIP Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# TODO: Add the test cases for indirect CRLs + +name: 29.1.9. [TC-DA-1.9] Device Attestation Revocation [DUT-Commissioner] + +PICS: + - MCORE.ROLE.COMMISSIONER + +config: + nodeId: 0x12344321 + cluster: "Basic Information" + endpoint: 0 + +tests: + - label: "Precondition/Test case description" + verification: | + (for all steps, PIs use equivalent command on their respective platform) + Validate that the DUT properly handles revoked device attestation certificates during commissioning, including certificates revoked through indirect CRLs. + set the $CHIP_ROOT environment variable to the location of the connectedhomeip directory (cd to the connectedhomeip directory, use command `export CHIP_ROOT=$(pwd -P)` + For testing Device Attestation Revocation feature, commissioners must allow commissioning the end device with Vendor Id 0xFFF1. + For each test data set scenario outlined in the TC-DA-1.9, perform the following actions + - Start the TH using the required device attestation certificate set. + - Have the DUT commission the TH. If either DAC or PAI certificate has been revoked, verify that the DUT warns the user that they are commissioning a non-genuine device, or otherwise indicates a failure of device attestation, within its error handling APIs or user interface. If either the DAC or PAI is not revoked, verify that the DUT successfully commissions the TH. + - factory reset the TH. + disabled: true + + - label: + "Step 1: Precondition: For each of the following test cases, start the + TH using the appropriate certificate set, commission the TH using the + DUT, then factory reset the TH:" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + - Start the TH using the required certificate set and PID. For chip-all-clusters-app, use the command given in the chip-all-clusters app command column + - Have the DUT commission the TH. Verify that the TH is successfully commissioned for each test case + - factory reset the TH + command when using chip-all-clusters-app: sudo rm -rf /tmp/chip_* + disabled: true + + - label: "Step 2: Test case 1: DAC of the TH has been revoked" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1742963842.121] [2195:10977512:chip] [SVR] Failsafe timer expired + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: MarkForEviction Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SC] SecureSession[0x158006a80, LSID:9545]: State change 'kActive' --> 'kPendingEviction' + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: Released - Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1742963463.083] [1672:10971402:chip] [-] Found revoked DAC in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + ... + [1742963463.083] [1672:10971402:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 302. Look at AttestationVerificationResult enum to understand the errors + [1742963463.083] [1672:10971402:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true + + - label: "Step 3: Test case 2: PAI of the TH has been revoked" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1742963842.121] [2195:10977512:chip] [SVR] Failsafe timer expired + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: MarkForEviction Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SC] SecureSession[0x158006a80, LSID:9545]: State change 'kActive' --> 'kPendingEviction' + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: Released - Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1742963842.120] [2215:10977509:chip] [-] Found revoked PAI in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + [1742963842.120] [2215:10977509:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 202. Look at AttestationVerificationResult enum to understand the errors + [1742963842.120] [2215:10977509:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true + + - label: "Step 4: Test case 3: DAC and PAI of the TH has been revoked" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1742963842.121] [2195:10977512:chip] [SVR] Failsafe timer expired + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: MarkForEviction Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SC] SecureSession[0x158006a80, LSID:9545]: State change 'kActive' --> 'kPendingEviction' + [1742963842.121] [2195:10977512:chip] [IN] SecureSession[0x158006a80]: Released - Type:1 LSID:9545 + [1742963842.121] [2195:10977512:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1742964283.140] [2345:10982441:chip] [-] Found revoked DAC in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + ... + [1742964283.140] [2345:10982441:chip] [-] Found revoked PAI in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + [1742964283.140] [2345:10982441:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 208. Look at AttestationVerificationResult enum to understand the errors + [1742964283.140] [2345:10982441:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true + + - label: "Step 5: Test case 4: DAC and PAI has not been revoked" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json + + - Verify that TH(all-clusters-app) has been successfully commissioned by the DUT(chip-tool) + + [1742964438.435] [2434:10984854:chip] [SVR] Commissioning completed successfully + [1742964438.435] [2434:10984854:chip] [DIS] Updating services using commissioning mode 0 + [1742964438.435] [2434:10984854:chip] [DIS] Advertise operational node C8413A3DA6D209C5-0000000000000002 + [1742964438.435] [2434:10984854:chip] [DIS] Registering service C8413A3DA6D209C5-0000000000000002 on host 920F868BAEF5.local. with port 5540 and type: _matter._tcp,_IC8413A3DA6D209C5 on interface id: 0 + + - Verify DUT(chip-tool) commissions the TH. + + [1742964438.435] [2438:10984848:chip] [CTL] Commissioning complete for node ID 0x0000000000000002: success + [1742964438.435] [2438:10984848:chip] [TOO] Device commissioning completed with success + ... + [1742964438.435] [2438:10984843:main] [BLE] ConnectionDelegate CancelConnection + [1742964438.435] [2438:10984843:main] [FP] Shutting down FabricTable + [1742964438.435] [2438:10984843:main] [TS] Pending Last Known Good Time: 2023-10-14T01:16:48 + [1742964438.436] [2438:10984843:main] [TS] Previous Last Known Good Time: 2023-10-14T01:16:48 + [1742964438.436] [2438:10984843:main] [TS] Reverted Last Known Good Time to previous value + [1742964438.436] [2438:10984843:main] [DL] Inet Layer shutdown + [1742964438.436] [2438:10984843:main] [DL] BLE Layer shutdown + [1742964438.436] [2438:10984843:main] [DL] System Layer shutdown + + - Factory reset the TH + disabled: true + + - label: "Step 6: Test case 1: DAC of the TH has been revoked using delegated CRL signer" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/indirect-revoked-dac-01.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1743059446.357] [56773:11565260:chip] [SVR] Failsafe timer expired + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: MarkForEviction Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SC] SecureSession[0x12f704d70, LSID:58488]: State change 'kActive' --> 'kPendingEviction' + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: Released - Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1743059446.355] [56783:11565324:chip] [-] Found revoked DAC in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + ... + [1743059446.355] [56783:11565324:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 302. Look at AttestationVerificationResult enum to understand the errors + [1743059446.355] [56783:11565324:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true + + - label: "Step 7: Test case 2: PAI of the TH has been revoked using delegated CRL signer" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/indirect-revoked-pai-03.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1743059446.357] [56773:11565260:chip] [SVR] Failsafe timer expired + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: MarkForEviction Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SC] SecureSession[0x12f704d70, LSID:58488]: State change 'kActive' --> 'kPendingEviction' + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: Released - Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1743059607.133] [56897:11567874:chip] [-] Found revoked PAI in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + [1743059607.133] [56897:11567874:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 202. Look at AttestationVerificationResult enum to understand the errors + [1743059607.133] [56897:11567874:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true + + - label: "Step 8: Test case 3: DAC and PAI of the TH has been revoked using delegated CRL signer" + verification: | + Perform the following actions (PIs use equivalent command on their respective platform) + + - On TH, run all-clusters-app with the following command line arguments: + ./chip-all-clusters-app --trace_decode 1 --dac_provider $CHIP_ROOT/credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/indirect-revoked-dac-01-pai-03.json + + - Once TH(all-clusters-app) reach the commissionable state please send below mentioned command on DUT(chip-tool). Please use equivalent command on the respective platform + ./chip-tool pairing onnetwork-long 2 20202021 3840 --dac-revocation-set-path $CHIP_ROOT/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + + - Verify that TH(all-clusters-app) is not commissioned. + + [1743059446.357] [56773:11565260:chip] [SVR] Failsafe timer expired + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: MarkForEviction Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SC] SecureSession[0x12f704d70, LSID:58488]: State change 'kActive' --> 'kPendingEviction' + [1743059446.357] [56773:11565260:chip] [IN] SecureSession[0x12f704d70]: Released - Type:1 LSID:58488 + [1743059446.357] [56773:11565260:chip] [SVR] Commissioning failed (attempt 1): src/app/server/CommissioningWindowManager.cpp:89: CHIP Error 0x00000032: Timeout + + - Verify DUT(chip-tool) does not commissions the TH and generates the following error. + + [1743059725.837] [57066:11570600:chip] [-] Found revoked DAC in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + ... + [1743059725.837] [57066:11570600:chip] [-] Found revoked PAI in /Users/shubhampatil/esp/connectedhomeip/credentials/test/revoked-attestation-certificates/revocation-sets/indirect-revocation-set.json + [1743059725.837] [57066:11570600:chip] [CTL] Failed in verifying 'Attestation Information' command received from the device: err 208. Look at AttestationVerificationResult enum to understand the errors + [1743059725.837] [57066:11570600:chip] [CTL] Error on commissioning step 'AttestationRevocationCheck': 'src/controller/CHIPDeviceController.cpp:1337: CHIP Error 0x000000AC: Internal error' + + - Factory reset the TH + disabled: true diff --git a/src/app/tests/suites/manualTests.json b/src/app/tests/suites/manualTests.json index 265607715c07f8..fa9898c6f93e21 100644 --- a/src/app/tests/suites/manualTests.json +++ b/src/app/tests/suites/manualTests.json @@ -61,7 +61,8 @@ "Test_TC_DA_1_3", "Test_TC_DA_1_4", "Test_TC_DA_1_6", - "Test_TC_DA_1_8" + "Test_TC_DA_1_8", + "Test_TC_DA_1_9" ], "DishwasherAlarm": [ "Test_TC_DISHALM_2_1",