Commissioning failed: OpCreds: Failed CertificateChainRequest: 201 (CON-1166)

[bilalmalik76]

Describe the bug A clear and concise description of what the bug is.

Environment

• ESP-Matter Commit Id:

• 01bebca56b42a35b5ad049f59292df7d4c08ea6b

• ESP-IDF Commit Id:

• cbce221e88d52665523093b2b6dd0ebe3f1243f1

• SoC (eg: ESP32 or ESP32-C3):

• ESP32C6

• Device Logs (Please attach the log file): log_cert.txt

• Host Machine OS:

• Ubuntu22

• Commissioner app and versions if present:

• Apple home app

• Commissioner's logs if present: NA Any additional details I am using following command to generate QR code and partition bin file but getting error while commissioning with apple home app: chip-cert gen-cd --format-version 1 --vendor-id 0x1549 --product-id 0x1234 \ --device-type-id 0x0100 --certificate-id CSA00000SWC00000-01 \ --security-level 0 --security-info 0 --version-number 1 \ --certification-type 1 \ --key ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem \ --cert ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem \ --out TEST_CD_FFF1_8007.der `

./mfg_tool.py --passcode 89674523 \ --discriminator 2245 \ -cd TEST_CD_FFF1_8007.der \ -v 0x1549 --vendor-name Espressif \ -p 0x1234 --product-name StarPower \ --hw-ver 1 --hw-ver-str DevKit \ `

following are set defconfig:

Disable the DS Peripheral support

CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL=n

Use DAC Provider implementation which reads attestation data from secure cert partition

CONFIG_SEC_CERT_DAC_PROVIDER=n

Enable some options which reads CD and other basic info from the factory partition

CONFIG_ENABLE_ESP32_FACTORY_DATA_PROVIDER=y CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER=y CONFIG_ENABLE_ESP32_DEVICE_INFO_PROVIDER=y CONFIG_FACTORY_COMMISSIONABLE_DATA_PROVIDER=y CONFIG_FACTORY_DEVICE_INSTANCE_INFO_PROVIDER=y CONFIG_FACTORY_DEVICE_INFO_PROVIDER=y CONFIG_FACTORY_PARTITION_DAC_PROVIDER=y

[shubhamdp]

201 means kPaiSignatureInvalid. You can find the error information here: https://github.com/project-chip/connectedhomeip/blob/master/src/credentials/attestation_verifier/DeviceAttestationVerifier.h#L30.

Since CONFIG_SEC_CERT_DAC_PROVIDER=n, firmware is trying to read the DAC and PAI from the factory partition. And as per your mfg_tool.py command, I do not see a DAC and PAI being added to factory partition.

You have to use few more options, --dac-key <DAC-KEY>--dac-cert --pai -c <PAI>.

Please find more examples and help here: https://github.com/espressif/esp-matter/tree/main/tools/mfg_tool/#generate-factory-partition-using-existing-dac-certificate-and-private-key-optional-arguments----dac-cert-and---dac-key

[jonsmirl]

I use this....

./mfg_tool.py -cn "Test" -v 0xFFF2 -p 0x8001 --pai \
-k ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Key.pem \
-c ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem \
-cd ../../connectedhomeip/connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-FFF2-8001.der \
--vendor-name "Company" --product-name "Light" --serial-num "12345678" \
--hw-ver-str "1.0.0" \
--passcode 20202021 --discriminator 3840 

[dhrishi]

@bilalmalik76 Please close the issue if resolved

[bilalmalik76]

@shubhamdp I got this after adding above flags: 2024-05-31 08:30:05,568] [ ERROR] - Please provide PAI certificate along with DAC certificate and DAC key

./mfg_tool.py --passcode 89674523 \ --discriminator 2245 \ -cd TEST_CD_1549_1234.der \ -v 0x1549 --vendor-name Espressif \ -p 0x1234 --product-name StarPower \ --hw-ver 1 --hw-ver-str DevKit \ --dac-key ../../connectedhomeip/connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem \ --dac-cert ../../connectedhomeip/connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem

[bilalmalik76]

I use this....

./mfg_tool.py -cn "Test" -v 0xFFF2 -p 0x8001 --pai \
-k ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Key.pem \
-c ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem \
-cd ../../connectedhomeip/connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-FFF2-8001.der \
--vendor-name "Company" --product-name "Light" --serial-num "12345678" \
--hw-ver-str "1.0.0" \
--passcode 20202021 --discriminator 3840 

i want to add our own VID, is just replacing VID will work with command?

[shripad621git]

@bilalmalik76 , you can use your own vid in the command to generate the factory_partition.If you are using the latest commit from esp-matter, then the mfg_tool has been made pip installable and you can refer the documentation here to create partitions.

[dhrishi]

@bilalmalik76 Please close the issue if resolved

[dhrishi]

Closing this now