37 changes: 22 additions & 15 deletions credentials/generate_revocation_set.py
Expand Up @@ -1006,14 +1006,11 @@ def setUp(self):
def get_test_file_path(self, filename):
return os.path.join(self.test_base_dir, 'test', filename)

def compare_revocation_sets(self, generated_set, expected_file):
with open(os.path.join(self.test_base_dir, expected_file), 'r') as f:
expected_set = [RevocationSet(**r) for r in json.load(f)]

# Compare the contents
self.assertEqual(len([generated_set]), len(expected_set))
expected = expected_set[0]
def get_expected_revocation_set(self, idx):
with open(os.path.join(self.test_base_dir, 'test/revoked-attestation-certificates/revocation-sets/revocation-set.json'), 'r') as f:
return RevocationSet(**json.load(f)[idx])

def compare_revocation_sets(self, generated_set, expected):
# Compare required fields
self.assertEqual(generated_set.type, expected.type)
self.assertEqual(generated_set.issuer_subject_key_id, expected.issuer_subject_key_id)
Expand All @@ -1038,10 +1035,7 @@ def test_paa_revocation_set(self):
revocation_set = generate_revocation_set_from_crl(
crl, crl_signer, ca_name_b64, ca_akid_hex, None)

self.compare_revocation_sets(
revocation_set,
'test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json'
)
self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(0))

def test_pai_revocation_set(self):
"""Test generation of PAI revocation set"""
Expand All @@ -1057,10 +1051,23 @@ def test_pai_revocation_set(self):
revocation_set = generate_revocation_set_from_crl(
crl, crl_signer, ca_name_b64, ca_akid_hex, None)

self.compare_revocation_sets(
revocation_set,
'test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json'
)
self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(1))

def test_revoked_pai_revocation_set(self):
"""Test generation of revocation set of revoked PAI"""
with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-CRL.pem'), 'rb') as f:
crl = x509.load_pem_x509_crl(f.read())
with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAI-FFF1-noPID-Revoked-Cert.pem'), 'rb') as f:
crl_signer = x509.load_pem_x509_certificate(f.read())
with open(self.get_test_file_path('revoked-attestation-certificates/Chip-Test-PAA-FFF1-Cert.pem'), 'rb') as f:
paa = x509.load_pem_x509_certificate(f.read())

ca_name_b64, ca_akid_hex = get_certificate_authority_details(
crl_signer, None, paa, False)
revocation_set = generate_revocation_set_from_crl(
crl, crl_signer, ca_name_b64, ca_akid_hex, None)

self.compare_revocation_sets(revocation_set, self.get_expected_revocation_set(2))


if __name__ == "__main__":
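Review bot: `get_expected_revocation_set(idx)` picks the expected entry by array position and the three tests pass bare `0`, `1` and `2`, so every test depends on the order of entries in `revocation-set.json`; adding or reordering an entry makes them fail for a reason unrelated to the code under test. Selecting by issuer would remove that coupling, e.g. `return next(RevocationSet(**r) for r in json.load(f) if r['issuer_subject_key_id'] == skid)`, with each test passing the subject key id it expects. The helper also builds the fixture path by hand although `get_test_file_path` is defined directly above it; `open(self.get_test_file_path('revoked-attestation-certificates/revocation-sets/revocation-set.json'), 'r')` would keep the two in step. A one-line docstring such as `"""Return the expected RevocationSet stored at position idx in revocation-set.json."""` would match the docstrings the test methods already carry. `compare_revocation_sets` continues past the end of its hunk, so whether `crl_signer_cert` is compared for the new revoked-PAI case cannot be confirmed from the visible lines.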
Binary file not shown.
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Binary file not shown.
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJoLKewrsvBa4y0m97yUkHqvZHBNjl32M5xbK15Q+ShHoAoGCCqGSM49
AwEHoUQDQgAEaELP83azv5+vdJg+vmO/g6tdZ9obWLWWZdgatid+/x5leASGpBEg
L0pEv1UZ74ol4bK6S287eQKrIAZB2xdqWQ==
-----END EC PRIVATE KEY-----
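Review bot: Nothing in this section marks the added EC private key as test-only material, and its leading bytes match the `dac_private_key` value in the "Revoked DAC and PAI" provider vector added later in this commit, so the same key appears to be published twice. The surrounding fixtures suggest it belongs to a Matter test DAC under the test vendor id FFF1, but a reader or a secret scanner looking at the file alone cannot tell that. A sentence in `docs/guides/device-attestation-revocation-guide.md` would make the intent explicit, stating that the keys shipped with these test vectors are public and must never be provisioned on a production device. If the repository runs secret scanning, an allow-list entry for the fixture directory would keep the finding from being triaged repeatedly.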
Binary file not shown.
@@ -0,0 +1,9 @@
-----BEGIN X509 CRL-----
MIIBHjCBxQIBATAKBggqhkjOPQQDAjBGMS4wLAYDVQQDDCVNYXR0ZXIgVGVzdCBQ
QUkgMHhGRkYxIG5vIFBJRCBSZXZva2VkMRQwEgYKKwYBBAGConwCAQwERkZGMRcN
MjUwMzI2MDYyODU2WhgPMjEyNTAzMjcwNjI4NTZaMBswGQIIc151wP6PWsUXDTI1
MDMyNjA2Mjg1NlqgLzAtMB8GA1UdIwQYMBaAFJEzfFz+e7KTdv6IfTyU5/Wd2D0v
MAoGA1UdFAQDAgEAMAoGCCqGSM49BAMCA0gAMEUCIQDM4thiU6vEOH5jwGaFypV2
P9InyjTJKpMo5bR4QEMMRgIgYge7z2UStTlJzS2gVm/MVld7SNnD+020LOVP1SWb
ufk=
-----END X509 CRL-----
@@ -0,0 +1,9 @@
{
"description": "Revoked DAC and PAI",
"basic_info_pid": 32769,
"certification_declaration": "3081e706092a864886f70d010702a081d93081d6020103310d300b0609608648016503040201304306092a864886f70d010701a0360434152400012501f1ff3602050180182403162c0413435341303030303053574330303030302d303124050024060024070124080018317d307b020103801462fa823359acfaa9963e1cfa140addf504f37160300b0609608648016503040201300a06082a8648ce3d0403020447304502204dc6be89beeb5a49adec51ee7f0e6d1263ffc9e6238f2044385a5e0c86751b83022100ed902842f7a5784368d63eba6a2fb90086dd65a0ce3c283d86b915a3536afdac",
"pai_cert": "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",
"dac_cert": "30820202308201a8a0030201020208735e75c0fe8f5ac5300a06082a8648ce3d0403023046312e302c06035504030c254d617474657220546573742050414920307846464631206e6f20504944205265766f6b656431143012060a2b0601040182a27c02010c04464646313020170d3235303332353030303030305a180f39393939313233313233353935395a30643136303406035504030c2d4d61747465722054657374205265766f6b656420444143205369676e6564206279205265766f6b65642050414931143012060a2b0601040182a27c02010c044646463131143012060a2b0601040182a27c02020c04383030313059301306072a8648ce3d020106082a8648ce3d030107034200046842cff376b3bf9faf74983ebe63bf83ab5d67da1b58b59665d81ab6277eff1e65780486a411202f4a44bf5519ef8a25e1b2ba4b6f3b7902ab200641db176a59a360305e300c0603551d130101ff04023000300e0603551d0f0101ff040403020780301d0603551d0e0416041433b549c91ee6a34d55d227e1a1a0b1b1a1516b3a301f0603551d2304183016801491337c5cfe7bb29376fe887d3c94e7f59dd83d2f300a06082a8648ce3d0403020348003045022063bfa8ef688253310c43cca65c2b8b4a37d6244b83fa7ea80ca1b540b50e25b102210082fe143c0b0f8ef8f580f31668b7bdc676eb64eb9783eedb8ce14f78e0c8b457",
"dac_private_key": "9a0b29ec2bb2f05ae32d26f7bc94907aaf64704d8e5df6339c5b2b5e50f92847",
"dac_public_key": "046842cff376b3bf9faf74983ebe63bf83ab5d67da1b58b59665d81ab6277eff1e65780486a411202f4a44bf5519ef8a25e1b2ba4b6f3b7902ab200641db176a59"
}

This file was deleted.

This file was deleted.

@@ -0,0 +1,27 @@
[
{
"type": "revocation_set",
"issuer_subject_key_id": "6AFD22771F511FECBF1641976710DCDC31A1717E",
"issuer_name": "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=",
"revoked_serial_numbers": ["302664392B8A3F2A"],
"crl_signer_cert": "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"
},
{
"type": "revocation_set",
"issuer_subject_key_id": "63540E47F64B1C38D13884A462D16C195D8FFB3C",
"issuer_name": "MD0xJTAjBgNVBAMMHE1hdHRlciBEZXYgUEFJIDB4RkZGMSBubyBQSUQxFDASBgorBgEEAYKifAIBDARGRkYx",
"revoked_serial_numbers": [
"0AB042494323FE54",
"19367D978EAC533A",
"2569383D24BB36EA"
],
"crl_signer_cert": "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"
},
{
"type": "revocation_set",
"issuer_subject_key_id": "91337C5CFE7BB29376FE887D3C94E7F59DD83D2F",
"issuer_name": "MEYxLjAsBgNVBAMMJU1hdHRlciBUZXN0IFBBSSAweEZGRjEgbm8gUElEIFJldm9rZWQxFDASBgorBgEEAYKifAIBDARGRkYx",
"revoked_serial_numbers": ["735E75C0FE8F5AC5"],
"crl_signer_cert": "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"
}
]
17 changes: 11 additions & 6 deletions docs/guides/device-attestation-revocation-guide.md
Expand Up @@ -44,9 +44,14 @@ pre-generated using the `generate_revocation_set.py` script.

### Test Vectors

| Description | DAC Provider | Revocation Set | Expected Result |
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| PAI revoked by PAA | [revoked-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json) | [revocation-set-for-paa.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json) | Commissioning fails with `kPaiRevoked` (202) |
| DAC-01 revoked by PAI | [revoked-dac-01.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) |
| DAC-02 revoked by PAI | [revoked-dac-02.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-02.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) |
| DAC-03 revoked by PAI | [revoked-dac-03.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-03.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) |
Please use
`credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json`
as revocation set

| Description | DAC Provider | Expected Result |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| PAI revoked by PAA | [revoked-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json) | Commissioning fails with `kPaiRevoked` (202) |
| DAC-01 revoked by PAI | [revoked-dac-01.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json) | Commissioning fails with `kDacRevoked` (302) |
| DAC-02 revoked by PAI | [revoked-dac-02.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-02.json) | Commissioning fails with `kDacRevoked` (302) |
| DAC-03 revoked by PAI | [revoked-dac-03.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-03.json) | Commissioning fails with `kDacRevoked` (302) |
| DAC and PAI revoked | [revoked-dac-and-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-and-pai.json) | Commissioning fails with `kPaiAndDacRevoked` (208) |