Publish PAI certificates for CRLSignerCertificate verification #531

Closed
julienDelplancke opened this issue Jan 9, 2024 · 5 comments

@julienDelplancke

In the context of CRL of DAC certificates, the CRLSignerCertificate can be a delegate of the PAI issued by the PAI certificate. The problem in this case is that there is no way to verify the certificate chain from the CRLSignerCertificate up to the PAA from the information contained in the DCL, as the DCL does not contain the PAI certificate. Note that it is still possible to verify the chain at the time of commissioning the device, but it would also be good to be able to verify all the certificates contained in the DCL without knowing the device.

We would like to have the possibility to upload the PAI certificates in the DCL so that the certificate chains can be verified. The PAI shall be uploaded at least in the case of CRL signing delegation by a PAI.

One possibility to implement this could be to add a new field in the Device Attestation PKI Revocation Distribution Points Schema to contain the PAI certificate. When the CRLSignerCertificate is a PAA certificate, a delegate of the PAA certificate, or a PAI certificate, this field can be omitted, but when the CRLSignerCertificate is a delegate of a PAI certificate, this field shall contain the PAI certificate.

@tcarmelveilleux

100% recommend using the CRLSignerCertificate schema and adding a field there, as it's the only feature that cares about those certificates and would make use of it. Would also avoid needing to do joins across schemas where not needed.

@ashcherbakov ashcherbakov added this to the v1.3: DCL 1.3 milestone Jan 18, 2024
@jcps07
Contributor

jcps07 commented Jan 18, 2024

DCL-TT: Team decided to implement it on 1.3. Preliminary decision is to go with Option 2: add a new field for PAI-1 (no additional nesting).

@ashcherbakov
Contributor

1. Option to implement

It seems the updates made in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 differ from what has been previously discussed and approved on the DCL TT calls.

There are two options for solving the issue:

  • Option 1: Require publishing PAI to DCL (in case of delegation)
  • Option 2: Extend revocation schema to add new field for the delegated PAI. The new field will have the whole PEM.

DCL TT decided to go with Option 2, but https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 assumes Option 1.

2. Additional Changes

Regardless of the selected Option above, https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 requires additional changes to be implemented on DCL.

  1. Changes in static validation (https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/types/message_add_pki_revocation_distribution_point.go):
    • Consider a new case: isPAA is true, but CRLSignerCertificate is not self-signed
  2. Changes in https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go
    If CRLSignerCertificate is not self-signed, then instead of assuming that it's signed by a PAA on the ledger, more cases must be considered:
    • If isPAA is true, then
    • If isPAA is false, then
      • If CRLSignerCertificate is chained back to a PAA on the ledger - current logic
      • If CRLSignerCertificate is not chained back to a PAA on the ledger

@julienDelplancke
Author

Hi @ashcherbakov, with https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 the spec was updated to clarify that if the CRLSignerCertificate is a delegate of a PAI, then the PAI certificate must be present in the DCL. But the text does not specify where this certificate is located in the DCL. Following a call in the DCL TT, the expectation is to have option 2 implemented with a new field to contain the PAI certificate. We can then refine the text of the spec when this new field is defined.

Abdulbois added a commit that referenced this issue Mar 26, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 27, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 28, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 28, 2024
- Add CRLSignerDelegator field into PKI Distribution Point schema
- Change handling of PKI Distribution Points

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 28, 2024
Minor refactoring due to PR's comments

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 29, 2024
Minor refactoring due to PR's comments

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
akarabashov added a commit that referenced this issue Apr 10, 2024
…rCertificate-verification

# Conflicts:
#	docs/transactions.md
#	vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts
#	x/pki/types/tx.pb.go
akarabashov added a commit that referenced this issue Apr 10, 2024
…cates-for-CRLSignerCertificate-verification

#531 Publish pai certificates for crl signer certificate verification
@akarabashov
Collaborator

PR: #557

  • Functionality implemented as described in the specification
  • Unit and integration tests are added
  • Docs are updated.
