async def test_TC_DA_1_7(self):
# Option to allow SDK roots (skip step 4 check 2)
allow_sdk_dac = self.user_params.get("allow_sdk_dac", False)
logging.info("Pre-condition: load all PAAs SKIDs")
conf = self.matter_test_config
paa_by_skid = load_all_paa(conf.paa_trust_store_path)
logging.info("Found %d PAAs" % len(paa_by_skid))
logging.info("Step 1: Commissioning, already done")
dev_ctrl = self.default_controller
logging.info("Step 2: Get PAI of DUT1 with certificate chain request")
result = await dev_ctrl.SendCommand(
self.dut_node_id, 0,
Clusters.OperationalCredentials.Commands.CertificateChainRequest(2)
)
pai_1 = result.certificate
asserts.assert_less_equal(len(pai_1), 600,
"PAI cert must be at most 600 bytes")
self.record_data({"pai_1": hex_from_bytes(pai_1)})
logging.info("Step 3: Get DAC of DUT1 with certificate chain request")
result = await dev_ctrl.SendCommand(
self.dut_node_id, 0,
Clusters.OperationalCredentials.Commands.CertificateChainRequest(1)
)
dac_1 = result.certificate
asserts.assert_less_equal(len(dac_1), 600,
"DAC cert must be at most 600 bytes")
self.record_data({"dac_1": hex_from_bytes(dac_1)})
logging.info(
"Step 4 check 1: Ensure PAI's AKID matches a PAA and signature is valid"
)
pai1_cert = load_der_x509_certificate(pai_1)
pai1_akid = extract_akid(pai1_cert)
if pai1_akid not in paa_by_skid:
asserts.fail("DUT1's PAI (%s) not matched in PAA trust store" %
hex_from_bytes(pai1_akid))
filename, paa_cert = paa_by_skid[pai1_akid]
logging.info("Matched PAA file %s, subject: %s" %
(filename, paa_cert.subject))
public_key = paa_cert.public_key()
try:
public_key.verify(signature=pai1_cert.signature,
data=pai1_cert.tbs_certificate_bytes,
signature_algorithm=ec.ECDSA(hashes.SHA256()))
except InvalidSignature as e:
asserts.fail(
"Failed to verify PAI signature against PAA public key: %s" %
str(e))
logging.info("Validated PAI signature against PAA")
logging.info(
"Step 4 check 2: Verify PAI AKID not in denylist of SDK PAIs")
if allow_sdk_dac:
logging.warn("===> TEST STEP SKIPPED: Allowing SDK DACs!")
else:
for candidate in FORBIDDEN_AKID:
asserts.assert_not_equal(hex_from_bytes(pai1_akid),
hex_from_bytes(candidate),
"PAI AKID must not be in denylist")
logging.info("Step 5: Extract subject public key of DAC and save")
dac1_cert = load_der_x509_certificate(dac_1)
pk_1 = dac1_cert.public_key().public_bytes(
encoding=Encoding.X962, format=PublicFormat.UncompressedPoint)
logging.info("Subject public key pk_1: %s" % hex_from_bytes(pk_1))
self.record_data({"pk_1": hex_from_bytes(pk_1)})
def test_assert_not_equal_fail_with_msg_and_extras(self):
with self.assertRaises(signals.TestFailure) as cm:
asserts.assert_not_equal(1, 1, msg='Message', extras='Extras')
self.assertEqual(cm.exception.details, '1 == 1 Message')
self.assertEqual(cm.exception.extras, 'Extras')
def test_assert_not_equal_pass_with_msg_and_extras(self):
asserts.assert_not_equal(1, 2, msg='Message', extras='Extras')
def test_assert_not_equal_fail(self):
with self.assertRaises(signals.TestFailure) as cm:
asserts.assert_not_equal(1, 1)
self.assertEqual(cm.exception.details, '1 == 1')
def test_assert_not_equal_pass(self):
asserts.assert_not_equal(1, 2)