|
| 1 | +# Device Attestation Revocation Testing Guide |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +The device attestation revocation tests help identify the devices with revoked |
| 6 | +DACs (Device Attestation Certificates) and PAIs (Product Attestation |
| 7 | +Intermediates) during commissioning. |
| 8 | + |
| 9 | +This guide demonstrates how to use a sample application and chip-tool to test |
| 10 | +the device attestation revocation functionality. |
| 11 | + |
| 12 | +The sample application is injected with revoked DAC and/or PAI certificates. |
| 13 | + |
| 14 | +During commissioning, chip-tool is provided with a revocation set that is |
| 15 | +pre-generated using the `generate_revocation_set.py` script. |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | + |
| 19 | +- Matter application for Linux platform (e.g., examples/lighting-app/linux) |
| 20 | +- DAC provider JSON file containing revoked DAC and/or PAI certificates |
| 21 | +- chip-tool |
| 22 | +- Device attestation revocation set for the respective DAC and/or PAI |
| 23 | + |
| 24 | +## Test Setup |
| 25 | + |
| 26 | +- Build the lighting-app/linux and chip-tool: |
| 27 | + |
| 28 | +``` |
| 29 | +./scripts/examples/gn_build_example.sh examples/lighting-app/linux out/host |
| 30 | +./scripts/examples/gn_build_example.sh examples/chip-tool out/host |
| 31 | +``` |
| 32 | + |
| 33 | +- Run the lighting-app/linux: |
| 34 | + |
| 35 | +``` |
| 36 | +./out/host/chip-lighting-app --dac_provider <json-file-with-attestation-information> |
| 37 | +``` |
| 38 | + |
| 39 | +- Run the chip-tool with the revocation set: |
| 40 | + |
| 41 | +``` |
| 42 | +./out/host/chip-tool pairing onnetwork 11 20202021 --dac-revocation-set-path <revocation-set-file> |
| 43 | +``` |
| 44 | + |
| 45 | +### Test Vectors |
| 46 | + |
| 47 | +| Description | DAC Provider | Revocation Set | Expected Result | |
| 48 | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | |
| 49 | +| PAI revoked by PAA | [revoked-pai.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-pai.json) | [revocation-set-for-paa.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-paa.json) | Commissioning fails with `kPaiRevoked` (202) | |
| 50 | +| DAC-01 revoked by PAI | [revoked-dac-01.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-01.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | |
| 51 | +| DAC-02 revoked by PAI | [revoked-dac-02.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-02.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | |
| 52 | +| DAC-03 revoked by PAI | [revoked-dac-03.json](../../credentials/test/revoked-attestation-certificates/dac-provider-test-vectors/revoked-dac-03.json) | [revocation-set-for-pai.json](../../credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set-for-pai.json) | Commissioning fails with `kDacRevoked` (302) | |
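Review bot: The Test Vectors table (lines 47-52 of the new file) lists only failing cases, so a tester cannot tell a genuine revocation hit from an unrelated commissioning failure. Add a control row that pairs a non-revoked DAC provider file with one of the same revocation sets and expects commissioning to succeed. The three DAC rows also use the same revocation set and the same expected result, `kDacRevoked` (302), with nothing to say how DAC-01, DAC-02 and DAC-03 differ; a short phrase in each Description cell would tell the reader what each vector exercises. The Overview says "DAC and/or PAI", but no row covers both being revoked at once. Finally, the Overview states the revocation set is pre-generated with `generate_revocation_set.py`, yet Test Setup shows neither that invocation nor where in the chip-tool output the result code appears; one line for each would make the procedure reproducible.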