The device attestation revocation tests help identify the devices with revoked DACs (Device Attestation Certificates) and PAIs (Product Attestation Intermediates) during commissioning.
This guide demonstrates how to use a sample application and chip-tool to test the device attestation revocation functionality.
The sample application is injected with revoked DAC and/or PAI certificates.
During commissioning, chip-tool is provided with a revocation set that is pre-generated using the generate_revocation_set.py script.
./scripts/examples/gn_build_example.sh examples/lighting-app/linux out/host ./scripts/examples/gn_build_example.sh examples/chip-tool out/host
./out/host/chip-lighting-app --dac_provider <json-file-with-attestation-information>
./out/host/chip-tool pairing onnetwork 11 20202021 --dac-revocation-set-path <revocation-set-file>
Please use credentials/test/revoked-attestation-certificates/revocation-sets/revocation-set.json as revocation set
| Description | DAC Provider | Expected Result |
|---|---|---|
| PAI revoked by PAA | revoked-pai.json | Commissioning fails with kPaiRevoked (202) |
| DAC-01 revoked by PAI | revoked-dac-01.json | Commissioning fails with kDacRevoked (302) |
| DAC-02 revoked by PAI | revoked-dac-02.json | Commissioning fails with kDacRevoked (302) |
| DAC-03 revoked by PAI | revoked-dac-03.json | Commissioning fails with kDacRevoked (302) |
| DAC and PAI revoked | revoked-dac-and-pai.json | Commissioning fails with kPaiAndDacRevoked (208) |