The device attestation revocation tests help identify devices with revoked DACs (Device Attestation Certificates) and PAIs (Product Attestation Intermediates) during commissioning.
This guide demonstrates how to use a sample application and chip-tool to test the device attestation revocation functionality.
The sample application is injected with revoked DAC and/or PAI certificates.
During commissioning, chip-tool is provided with a revocation set that is pre-generated using the generate_revocation_set.py script.
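
Build the lighting-app sample and chip-tool:

```
./scripts/examples/gn_build_example.sh examples/lighting-app/linux out/host
./scripts/examples/gn_build_example.sh examples/chip-tool out/host
```

Start the sample application with a DAC provider file that contains the revoked attestation information:

```
./out/host/chip-lighting-app --dac_provider <json-file-with-attestation-information>
```

Commission the device with chip-tool, passing the revocation set:

```
./out/host/chip-tool pairing onnetwork 11 20202021 --dac-revocation-set-path <revocation-set-file>
```

The table lists each DAC provider file, the revocation set to use with it, and the expected result:
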
| Description | DAC Provider | Revocation Set | Expected Result |
|---|---|---|---|
| PAI revoked by PAA | revoked-pai.json | revocation-set-for-paa.json | Commissioning fails with kPaiRevoked (202) |
| DAC-01 revoked by PAI | revoked-dac-01.json | revocation-set-for-pai.json | Commissioning fails with kDacRevoked (302) |
| DAC-02 revoked by PAI | revoked-dac-02.json | revocation-set-for-pai.json | Commissioning fails with kDacRevoked (302) |
| DAC-03 revoked by PAI | revoked-dac-03.json | revocation-set-for-pai.json | Commissioning fails with kDacRevoked (302) |
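
The lookup that produces the results in the table, as an added illustration (not code from chip-tool or the SDK): a certificate counts as revoked when its issuer's key identifier matches a revocation-set entry and its serial number is listed there. It assumes each entry carries `issuer_subject_key_id` and `revoked_serial_numbers` fields and that the certificate's authority key identifier and serial number are already extracted as hex strings; all sample values are constructed.

```python
import json

# Result names and codes as listed in this guide's table.
PAI_REVOKED = ("kPaiRevoked", 202)
DAC_REVOKED = ("kDacRevoked", 302)

PAA_KEY_ID = "AA11" * 10   # constructed 20-byte key identifiers (hex)
PAI_KEY_ID = "BB22" * 10

# Constructed sample revocation set; field names are an assumption.
SAMPLE_SET = [
    {"type": "revocation_set", "issuer_subject_key_id": PAA_KEY_ID,
     "revoked_serial_numbers": ["0C694F7F866067B2"]},
    {"type": "revocation_set", "issuer_subject_key_id": PAI_KEY_ID,
     "revoked_serial_numbers": ["01", "2A"]},
]


def load_revocation_set(path):
    """Read a revocation set JSON file and keep only revocation_set entries."""
    with open(path, encoding="utf-8") as handle:
        return [e for e in json.load(handle) if e.get("type") == "revocation_set"]


def _hex(value):
    """Normalise hex text so 'aa:11' and 'AA11' compare equal."""
    return value.replace(":", "").replace(" ", "").upper()


def is_revoked(cert, revocation_set):
    """cert holds 'authority_key_id' and 'serial_number' as hex strings."""
    issuer = _hex(cert["authority_key_id"])
    serial = int(_hex(cert["serial_number"]), 16)  # ignores leading zeros
    for entry in revocation_set:
        # A serial number only counts under the issuer that revoked it.
        if _hex(entry["issuer_subject_key_id"]) != issuer:
            continue
        if any(int(_hex(s), 16) == serial for s in entry["revoked_serial_numbers"]):
            return True
    return False


def check_chain(dac, pai, revocation_set):
    """Return the revocation findings for a DAC and the PAI that issued it."""
    findings = []
    if is_revoked(pai, revocation_set):
        findings.append(PAI_REVOKED)
    if is_revoked(dac, revocation_set):
        findings.append(DAC_REVOKED)
    return findings
```

Matching on the issuer before the serial number is what keeps a DAC with serial `2A` issued by an unrelated PAI from being rejected.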