Generated Negative Test Cases for Matter Operational Certificates (NO…

…C, ICAC, RCAC). (#24043)

Added python script that generates negative test vectors using chip-cert tool.
Those new test vectors are used to verify failure scenarios for the following use cases:
  - Conversion of DER encoded operation certificate to CHIP TLV format
  - Conversion of CHIP TLV encoded certificate to DER format
  - Loading and parsing of the CHIP TLV encoded certificate
  - Checking validity of the certificate subject field

As a result of these new test one bug was found and fixed in the ChipDN::DecodeFromTLV()
function, where chipAttr should be used instead of attrOID when NodeId/FabricId validity
is checked.

Some extra validity checks were added to the following methods:
  - ConvertChipCertToX509Cert()
  - ConvertX509CertToChipCert()

The chip-cert tool was updated and enhanced with more error cases.

.gitattributes

@@ -7,3 +7,5 @@ src/controller/python/chip/clusters/CHIPClusters.py linguist-generated
 src/controller/python/chip/clusters/Objects.py linguist-generated
 # Let bat file use CRLF linebreak
 **/*.bat eol=crlf
+# Mark Matter operational certificate/key files as binary
+**/*.chip binary

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-AKID-Length-Invalid-Key.chip

@@ -0,0 +1 @@
+N�AWS�ψj*r��S�IA�s�� ���F�k�j�{@�E�"pN� �O�^+��2(DU�V��dA�����6��:��H#aM��SvcJ�a޽�QIj

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-Basic-CA-Missing-Key.chip

@@ -0,0 +1 @@
+(LKy�:������y�&��NK�j���U��J�ݣUq�����>�Q�[lԋ�>�̱����j�y�߼y)���a���sM��+nF�^t

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-Basic-CA-Wrong-Key.chip

@@ -0,0 +1,2 @@
+f���jA8�����A�=s"��;ʥvDl���:n����ڂR���zĚ��uI4s
+����Xܹa6�V��1$"��Sަ�������()��

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-Basic-Missing-Key.chip

@@ -0,0 +1 @@
+�R�w�Pqv~�LJ���0-�����M����a8��ց4���J�')��	�-/�,j����A�6}����%�plZ�K�ʤG`	���iRƔ0��

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-Basic-PathLen-Presence-Wrong-Key.chip

@@ -0,0 +1 @@
+,2�!��u��m�hh2p��C�	��U���'q{��0�����i��J9�y,88��Z�8�YlE;�cQ���e�!l��ވ�y���ԍx���w1

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-Basic-PathLen2-Key.chip

@@ -0,0 +1 @@
+@#Y՟aP	��&�:��z�/��Q{a�|�)?���0��i��l�U�B���+L��+�%���נ+��4J^Wą$�iC��+D�>9ǖ�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-KeyUsage-KeyCertSign-Wrong-Key.chip

@@ -0,0 +1 @@
+nS����^a^���s��뜅��y�w�$�n���9��v3����$��hZ�i�3�\�k��P��Je�e�@�w�KCJ��`7�V��U��7�"

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-SKID-Length-Invalid-Key.chip

@@ -0,0 +1 @@
+�D������R��+Ͻ�*��f�G�
>�������:�< e�g�T���2����+��w��C0Gq�6�D��qB�a���{�7c��h=UHꤱ�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Ext-SKID-Missing-Key.chip

@@ -0,0 +1 @@
+��T��8:�]���U
l����YI
�lAv���G����5}J��Q���f��
����0��N�ڽ(b-����s$�$ 6���ЫÛ�P���:r

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Issuer-Missing-Key.chip

@@ -0,0 +1,2 @@
+Ņ��ߗ��$g�32et��_r��B�� ~�z�E8	|�% 뎨����m�
+�{1}����{iϯ32!�>�xì���}���%k�8�
�De

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Oversized-Key.chip

@@ -0,0 +1 @@
+��9��cæf;A&���?�L�DlE�=�_�!TU&�<M�U������Y(P5��hW`e|�+����ǽ��"��=@������D��Ê;K7	

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-PublicKey-Wrong-Key.chip

@@ -0,0 +1,2 @@
+������[���%��-h%-Ŝ����C���@u��S�I\�hk�n��O�([*=5HIc��X���rIlE^�+�2>�����y
+�^

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Serial-Number-Missing-Key.chip

@@ -0,0 +1 @@
+�t#��ؑj:����@SA<0Cd�KCNn�_�c� ����c�8М�4٩%�
V%{��M�d�(*laÑֽ�m��Z�]��}��\vk��Z�&

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Sig-Algo-ECDSA-With-SHA1-Key.chip

@@ -0,0 +1,2 @@
+_���H�pnU~P��m%B�4�M
+����z/]/m��N��ij5i{���q��J��xS�Є�ہ�4N���w}t����B	��CK4���<��N

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Sig-Curve-Secp256k1-Key.chip

@@ -0,0 +1 @@
+��ؚ��x�6_��9Q��m"(������(2`/�Q�V�mH���MA(�4��ⳫS�N.��F�IT���������}��C�sUz��x�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Signature-Wrong-Key.chip

@@ -0,0 +1,2 @@
+�XkK"�`0g�Vn	��QH�
+��0;���4@�cC�>݄����ݑ�Z{LT#p�a�p��O�6�Ip�z���2�'�tj��1/<�����

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Subject-CAT-Invalid-Key.chip

@@ -0,0 +1,2 @@
+l��{8,q(k�l'Q�9��f�;+�!CML�5L
+xd����x�A�L���CF�v�.���g�w'Q.U�c�2N�Y%n�1g"`E��gp�@�7�@5

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Subject-FabricId-Invalid-Key.chip

@@ -0,0 +1 @@
+��)e/���ϑ`�H���m�T܇a_���4~ٴ�ܺ+�� 5�<�,�J)C���3:	���Q2}��a���?P�5yI�^!c8���+�V�i��F�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Subject-MatterId-Missing-Key.chip

@@ -0,0 +1,2 @@
+ZU%���#r{n��/{'N��P��t̅1��p�Ĉp�<�j�Ɇ=+h�S��c?�����^�r����g
+D)�w!0�L��*h{�\b���G�u�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Subject-Missing-Key.chip

@@ -0,0 +1 @@
+�e�rF�c+���^�1��O���	m�5���k�D4Ҍ�nq��3?������V����npTZ�&F@�yh|�7T���#}��eQ�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Validity-Not-After-Missing-Key.chip

@@ -0,0 +1 @@
+ �ϯ��@��H/:RO����rt���ب|�~M�D~.c^��>S�x}�7wBF�f&�E ��j��ʌ߬#�H|gT�F+�an�2J�C�4_Db-�

credentials/test/operational-certificates-error-cases/Chip-Test-ICAC-Validity-Not-Before-Missing-Key.chip

@@ -0,0 +1 @@
+gL5�B|�@�S�y_�V�a�ND��iq|0��c{�kq����΄n>F�c�%'f�C�oT�C^���S�o���+m~��oCfT��u�\

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-AKID-Length-Invalid-Key.chip

@@ -0,0 +1,2 @@
+F_{�d,25�Ɉ_M�6.C�'#��լ]�������9[q�}I�Z+��!b$q�Ƚ�o(��H�1�����0~����x�
+�A�p���2�D��

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-AKID-Missing-Key.chip

@@ -0,0 +1,2 @@
+ب��+x$5�q�H�a���r4-S���ee@�
+��(4qa\����QS�����⬆�ȡ�O�/Ҍ+ϥ�UhO���;��R�M�����V�

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-Basic-CA-Missing-Key.chip

@@ -0,0 +1,2 @@
+�������2�$��a|���W
+��)8{ �V��T�u`�ڊ�m�}sG3⧖�5��"'a���ݡ��W��;����m7X��J�c��u�Z�>

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-Basic-CA-Wrong-Key.chip

@@ -0,0 +1 @@
+�u�:Ɲ���|����փ��*�����}�X3�u�������r��G��_�ʸ# �ID(��J��'���Iȯ��0���~GK�v�߹}	�

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-Basic-Missing-Key.chip

@@ -0,0 +1 @@
+hdUN�v�t�HQ0&L�����1�������(�P>��ͨY>k!Q�3�)uz�[��/[���,������l���h�k@�2Y�K��S��܀�Y

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-Basic-PathLen-Presence-Wrong-Key.chip

@@ -0,0 +1 @@
+���}|��0��gH�t��=��?H�����_*��\�^�w:"�vB{~��0�*��A�j5�����i��+C�\/Tq>=E�Q�?�##�R����

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-Basic-PathLen2-Key.chip

@@ -0,0 +1,2 @@
+������i�JĂ9���cY�H���$;'���Q[=
+b7�����\�A���$O4�Gr�#l�N��g͂�J�����O�N3��-�l��2

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-KeyUsage-KeyCertSign-Wrong-Key.chip

@@ -0,0 +1,2 @@
+�ހ���}����B��e�gm��������D;L��j=k,��,U1�(��P��\s���Rg
��1��_A	��S,O�1D��K}�^
+Q��#�I

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-KeyUsage-Missing-Key.chip

@@ -0,0 +1 @@
+�.�nѲlul�]{��k�fb��'�R�I��%kX�}b	�Zȱ���S�P�3!n�z^������
���j�SnJ�g{E� �${1a�oQ�鼐g

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-SKID-Length-Invalid-Key.chip

@@ -0,0 +1 @@
+����I)o�0���r�Rae:��둏M�e���I���@����Z�Ȅi�'+��M!lg�M}���J4�qF#0pI)`Q�<%�����T��"X

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Ext-SKID-Missing-Key.chip

@@ -0,0 +1,2 @@
+��W}S�)@�r�lG�x���t�r�9��v�k�ʓ���Z;>�X�V�Іd��d��Qe�=��5�Y�����r
+Z�cq�n'tD�����!

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Issuer-Missing-Key.chip

@@ -0,0 +1,3 @@
+��B�����
+�zA;B�9����'5b�4ĵ��O�@k<ZTK��3�c�7_
+�Yh����#{Y�Z��0du�ߊd�Ӝ�Zah�B�QNT

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Oversized-Key.chip

@@ -0,0 +1 @@
+0.�e������kҰ�-�B�}(x!0��b��o_QH@dܥA������B�o8Vi�{�mi,|�v�F|w�Z��;�Tw֪o=���t�~|۷"

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Serial-Number-Missing-Key.chip

@@ -0,0 +1 @@
+�B���ŎDW�?�;�
^%4[Ë��wF��UZ��PPrƭu����r�s�"��֒���Z��ݐm��`ߝ����x��1?�0��뢶�\

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Sig-Algo-ECDSA-With-SHA1-Key.chip

@@ -0,0 +1 @@
+�1����s��w�����52�c�q�JF�v�R{�p\�PDB��DW�Pzj����7��#�5��hT�Ȳ���
v��H�V��//�9}p�@�

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Sig-Curve-Secp256k1-Key.chip

@@ -0,0 +1 @@
+q��5Uv���;��o��'�vF�� �`��j\�Spͥ�zD�R�.�Z���FVdq��:]��U��s���m�G&�b�J�o܋�(��

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-CAT-Invalid-Key.chip

@@ -0,0 +1 @@
+�*Om2�L:�Y���_;�NWaM]B�c�^��q�ݙ\>xO�:��M-O<��DųB�|+B�찬��ƳM��[$D�;��v��i�b��4���

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-CAT-Twice-Key.chip

@@ -0,0 +1,2 @@
+]򗚰���0���k~��E�dz�e��n�$p�c�^E��?,Mm��
+bsLJ;l�T�/����ݖM"SG���'�1IS8ّ��H�c����

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-FabricId-Invalid-Key.chip

@@ -0,0 +1,2 @@
+�S�Ϡ�Xg��
���-��>�[�"D��=��
+LL5�wĨ���w3qH�vۗK���uw�2}�II��@L��6b���~�3+ҁ�cc�v��3

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-FabricId-Missing-Key.chip

@@ -0,0 +1 @@
+2橭�?;��Ƣ�^踇�F/A���}��|�2_0�;�i{%U$����7x���S��8�v�{$6ý�.�!�&_���`�[۞��+7:'z�ۺ

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-FabricId-Twice-Key.chip

@@ -0,0 +1 @@
+������]�d���3�x]`��FE�_�
39��=�R�>Z��q���3��\��=�$1���}K4'a�����0�֕%�����
��m�g

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-MatterId-Missing-Key.chip

@@ -0,0 +1,3 @@
+U*o�D�y�(Y�Y�m�C�S\��K%��v��7
+Ň>��ܲ�;��É�������%v��Z5�
+5�6�YE���.���ɂ��?-j�3�o'�M��

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-MatterId-Twice-Key.chip

@@ -0,0 +1 @@
+oG�x:4��~�;�=B{9ӪP�x�V.���w��ז��ˍ���N!*1�;n�����`�8ؿ��?;�|�'�.hl�	��kI����Kh���

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Subject-NodeId-Invalid-Key.chip

@@ -0,0 +1 @@
+��2�AIy��L�����\Ʋ��N����o6��I�R]?'%����P�M#��X<��4ܒ�wr5bX�"kU"�70 ����!V�{octH3�@`BH��

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Validity-Not-Before-Missing-Key.chip

@@ -0,0 +1,2 @@
+���%�M�Q��Md{�p��Z�
+�\c�v�����!��,t�����|D�5L��i��F��L�ga.͞$)Xg٨�:q�G�g`w���sח���T�

credentials/test/operational-certificates-error-cases/Chip-Test-NOC-Validity-Wrong-Key.chip

@@ -0,0 +1 @@
+z$����<�6���P'lk�4W�K%���A��9M]�ٿr|��`#��dZ�Ɯ-W	Ő5vQd\讑��#AT�R{�p!�a
xH`�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-AKID-Length-Invalid-Key.chip

@@ -0,0 +1 @@
+��N���*�I�V_�Хz!���FnN~2�/tEp�,������!ϩa���d��-|�0��4%r<39Я~�_�K�!
�LvQ��8��o

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-Basic-CA-Missing-Key.chip

@@ -0,0 +1,3 @@
+��8�0�
+�K'8�����W{��_��q��Y���1�өe���5j���Csb!"���EuZq�p�=dKÃ��=L�R��J����?h�Q�
+�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-Basic-CA-Wrong-Key.chip

@@ -0,0 +1 @@
+O|�&����/�(+���7���g���}�ڪm��
�P��N���i/|�Uu��s�q>�4NC%����-0��/�7����w��s� j���

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-Basic-PathLen-Presence-Wrong-Key.chip

@@ -0,0 +1 @@
+{{A�"'�:�À�/�<j6����������z�6���RV����Nt���6j��2ʶ�KDk�V��&6�1�M�bIJ/ڄ<	�Y��I[��

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-Basic-PathLen2-Key.chip

@@ -0,0 +1 @@
+<$6v��^sꂏ `��,_"�cn�ˋS��J�1 u�-(m[�eP�73�d�@��-C�%����x�5�����݅0������+"�3"t�@��4�ni

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-KeyUsage-KeyCertSign-Wrong-Key.chip

@@ -0,0 +1 @@
+�{ф�X=C��O�T����Q�$5�]N�-�����z��(�$� �푤vTZ�_��y���b^g�~u`����*~�仠���vG�"�8�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Ext-SKID-Missing-Key.chip

@@ -0,0 +1 @@
+�=�ػXČͬ�����[��n,��:�����\_Ja�W,bI�F��O���X�^¶���/�E���͋7j����&#�B��b�[���E

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Issuer-Missing-Key.chip

@@ -0,0 +1 @@
+��1�T�[�v�q����3( t�4�T	L����[��՝����ܓS�m��D��^_���ŷ�<�xg0~����>�9
��Ĩ�**w]���8�H���<

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Oversized-Key.chip

@@ -0,0 +1,2 @@
+
+�=�gEߌ:�G�{��S�/��*?\P�l�@m�2����$z���kB�`J��)A�wK�E7�~���E��wݜ86�^�p?߰j
���ϭ�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-PublicKey-Wrong-Key.chip

@@ -0,0 +1,2 @@
+�a���'��gw��S��d�8I��S�yK
+_7���xh�����3��M?*����hR3�qP�A������Ec�H[��9##
��~

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Serial-Number-Missing-Key.chip

@@ -0,0 +1,2 @@
+�Z�e��]�j	��Ȓ̕ɿ��'��!�Z�
+nC��ў�z��Z ��T{G� �)���Ul�׊q� *`�}�*������t�W���h
�g!

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Sig-Algo-ECDSA-With-SHA1-Key.chip

@@ -0,0 +1 @@
+�O�Z8Lǡ����D�7hq�Q�q�t�S�t�b^<���Ff�d���O�3����h��E$܇���.m��р_k�Sm�����\�������

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Sig-Curve-Secp256k1-Key.chip

@@ -0,0 +1 @@
+�{ΥW�|T�rʐ�~�2�|[^��cF+���_����'�!�*5;�>\�4�ߍh`�r�+�r� �7?��#OWBu����e�L�	`�^����

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Signature-Wrong-Key.chip

@@ -0,0 +1 @@
+Qrs���&a�*��4�R�\T��Մw�}��i�L��R��=�9X�KRŵ�<n��GѼ*X�rMb[o�An8�{I�_�.ȷ�x���:N$6�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Subject-CAT-Invalid-Key.chip

@@ -0,0 +1 @@
+�y���@�|��Rl�����&� ��/��qr#����RJU�ձd������Ar��[�s�}�IsL̺���e=$R	e��C�J�D�)�ڶ���

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Subject-FabricId-Invalid-Key.chip

@@ -0,0 +1,2 @@
+��Gb�-]�k�){q�o~��^�!b|�j0�_{x�S��D҅��9�Xj�G�@U(@𜖸5>
+޺Vg⺫&���&Yr�-�,̄�xjkk=��~�]j

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Subject-FabricId-Twice-Key.chip

@@ -0,0 +1 @@
+_X#]�t�b�-��K�p�ݓs款�=P�g��:W�i�j�1ޞ�7�?����$��j+��bIw�ۈf�f��4��@e��gmd�]-"�E6�

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Subject-MatterId-Missing-Cert.chip

@@ -0,0 +1,3 @@
+0
,j�c) `�$
7&�'&n��L7$
$
0	Am�C,"�X�w�j�#���Op�9>���
+��J���"��	�u��3��YJ8����:wD����ì�7
+5
)
$`0�%���]�g�R4������0�%���]�g�R4������0@�g���[+~o�-�Z?!�=����H�RݸsТyi�n��Vߌ+R��8F7HDs?b�ݺ�>�\

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Subject-MatterId-Missing-Key.chip

@@ -0,0 +1,2 @@
+m�C,"�X�w�j�#���Op�9>���
+��J���"��	�u��3��YJ8����:wD��������^����'k�������A:S�v��L�8z

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Validity-Not-After-Missing-Key.chip

@@ -0,0 +1 @@
+;�>:��+�M�����Z�#*=Xh*�D	�;��6�IYa]((3G��d)M����~V��zɐ%V��$��HI����X�5)���8(�l���

credentials/test/operational-certificates-error-cases/Chip-Test-RCAC-Validity-Wrong-Key.chip

@@ -0,0 +1 @@
+~�ɐM�<�E)ž�NQ}=���0^{���'�A�̌2��*g���2~*��!9懽�����ڌ�ߌ����+�����F�YQ���������IP

credentials/test/operational-certificates/Chip-Test-ICA02-Cert.chip-b64

@@ -0,0 +1 @@
+FTABCBzFj7/ulkVKJAIBNwMnFAIAAADKysrKJxUdAAAAAACw+hgmBO8XGycmBW61uUw3BicTBAAAAMrKysonFR0AAAAAALD6GCQHASQIATAJQQT6n9KMt2p37w45MNWeQSvRjrIO/9UZfvRxOTeTkDeKSAQySBicxKl0F3V+Dnt2cjTZywPcdSiamXS+Pfdhp1a+Nwo1ASkBJAIAGCQCYDAEFOHnbmd3hR3XdBa93TXsPBN8RyncMAUUYr65ZxyRw1XIbwb6bAiAFFHhoOoYMAtAb/pzwEJsnKst5iB26+JLXnniu5jyFKtu6PBDfFV950PHU9rn3fOwJ8LxPiPOOjq51DT8fqFbudZ3w2yci1UVQhg=

credentials/test/operational-certificates/Chip-Test-ICA02-Cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAYqgAwIBAgIIHMWPv+6WRUowCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
+gqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDIxIDAeBgorBgEEAYKifAEFDBBGQUIwMDAw
+MDAwMDAwMDFEMB4XDTIwMTAxNTE0MjM0M1oXDTQwMTAxNTE0MjM0MlowRDEgMB4G
+CisGAQQBgqJ8AQMMEENBQ0FDQUNBMDAwMDAwMDQxIDAeBgorBgEEAYKifAEFDBBG
+QUIwMDAwMDAwMDAwMDFEMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+p/SjLdq
+d+8OOTDVnkEr0Y6yDv/VGX70cTk3k5A3ikgEMkgYnMSpdBd1fg57dnI02csD3HUo
+mpl0vj33YadWvqNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC
+AQYwHQYDVR0OBBYEFOHnbmd3hR3XdBa93TXsPBN8RyncMB8GA1UdIwQYMBaAFGK+
+uWcckcNVyG8G+mwIgBRR4aDqMAoGCCqGSM49BAMCA0gAMEUCIG/6c8BCbJyrLeYg
+duviS1554ruY8hSrbujwQ3xVfedDAiEAx1Pa593zsCfC8T4jzjo6udQ0/H6hW7nW
+d8NsnItVFUI=
+-----END CERTIFICATE-----

credentials/test/operational-certificates/Chip-Test-ICA02-Key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILp2etVZ4xX7pwGY3Y/JdiCDBZT6Xrta8JD1jv8bnWCloAoGCCqGSM49
+AwEHoUQDQgAE+p/SjLdqd+8OOTDVnkEr0Y6yDv/VGX70cTk3k5A3ikgEMkgYnMSp
+dBd1fg57dnI02csD3HUompl0vj33YadWvg==
+-----END EC PRIVATE KEY-----

credentials/test/operational-certificates/Chip-Test-Root01-Cert.chip-b64

@@ -0,0 +1 @@
+FTABCFNMRYJzYjUUJAIBNwMnFAEAAADKysrKGCYE7xcbJyYFbrW5TDcGJxQBAAAAysrKyhgkBwEkCAEwCUEEO4hGDsloel0PO0s7E/zSmcL21QUdAD7knJkkz5j094DrIP03yNNYNH9fh9CMMhPlQK8RurkTfkk1TwxbY0PeYzcKNQEpARgkAmAwBBTMEwivgs/uUF6yO1e/6GoxFmVTXzAFFMwTCK+Cz+5QXrI7V7/oajEWZVNfGDALQPfwCSaQSU5GyLHFy9GlCF4eZdQ2D5jpbE6OSV3F4hbQv6I9j1dHDYn92vA/BGSwro4flW1vZ6MRJDhYJGiXgKkY

credentials/test/operational-certificates/Chip-Test-Root01-Cert.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnjCCAUOgAwIBAgIIU0xFgnNiNRQwCgYIKoZIzj0EAwIwIjEgMB4GCisGAQQB
+gqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDEwHhcNMjAxMDE1MTQyMzQzWhcNNDAxMDE1
+MTQyMzQyWjAiMSAwHgYKKwYBBAGConwBBAwQQ0FDQUNBQ0EwMDAwMDAwMTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDuIRg7JaHpdDztLOxP80pnC9tUFHQA+5JyZ
+JM+Y9PeA6yD9N8jTWDR/X4fQjDIT5UCvEbq5E35JNU8MW2ND3mOjYzBhMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTMEwivgs/uUF6y
+O1e/6GoxFmVTXzAfBgNVHSMEGDAWgBTMEwivgs/uUF6yO1e/6GoxFmVTXzAKBggq
+hkjOPQQDAgNJADBGAiEA9/AJJpBJTkbIscXL0aUIXh5l1DYPmOlsTo5JXcXiFtAC
+IQC/oj2PV0cNif3a8D8EZLCujh+VbW9noxEkOFgkaJeAqQ==
+-----END CERTIFICATE-----

credentials/test/operational-certificates/Chip-Test-Root01-Key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPzd/ZESsw0kD2rm3ieiAp57tudDd+O3l1120j3jw2gUoAoGCCqGSM49
+AwEHoUQDQgAEO4hGDsloel0PO0s7E/zSmcL21QUdAD7knJkkz5j094DrIP03yNNY
+NH9fh9CMMhPlQK8RurkTfkk1TwxbY0PeYw==
+-----END EC PRIVATE KEY-----

src/credentials/CHIPCert.cpp

@@ -875,11 +875,11 @@ CHIP_ERROR ChipDN::DecodeFromTLV(TLVReader & reader)
             ReturnErrorOnFailure(reader.Get(chipAttr));
             if (attrOID == chip::ASN1::kOID_AttributeType_MatterNodeId)
             {
-                VerifyOrReturnError(IsOperationalNodeId(attrOID), CHIP_ERROR_WRONG_NODE_ID);
+                VerifyOrReturnError(IsOperationalNodeId(chipAttr), CHIP_ERROR_WRONG_NODE_ID);
             }
             else if (attrOID == chip::ASN1::kOID_AttributeType_MatterFabricId)
             {
-                VerifyOrReturnError(IsValidFabricId(attrOID), CHIP_ERROR_INVALID_ARGUMENT);
+                VerifyOrReturnError(IsValidFabricId(chipAttr), CHIP_ERROR_INVALID_ARGUMENT);
             }
             ReturnErrorOnFailure(AddAttribute(attrOID, chipAttr));
         }

src/credentials/CHIPCertFromX509.cpp

@@ -61,25 +61,25 @@ static CHIP_ERROR ConvertValidity(ASN1Reader & reader, TLVWriter & writer)
 {
     CHIP_ERROR err;
     ASN1UniversalTime asn1Time;
-    uint32_t chipEpochTime;
+    uint32_t chipEpochTimeNotBefore;
+    uint32_t chipEpochTimeNotAfter;
 
     ASN1_PARSE_ENTER_SEQUENCE
     {
         ASN1_PARSE_TIME(asn1Time);
-
-        err = ASN1ToChipEpochTime(asn1Time, chipEpochTime);
-        SuccessOrExit(err);
-
-        err = writer.Put(ContextTag(kTag_NotBefore), chipEpochTime);
-        SuccessOrExit(err);
+        ReturnErrorOnFailure(ASN1ToChipEpochTime(asn1Time, chipEpochTimeNotBefore));
 
         ASN1_PARSE_TIME(asn1Time);
+        ReturnErrorOnFailure(ASN1ToChipEpochTime(asn1Time, chipEpochTimeNotAfter));
 
-        err = ASN1ToChipEpochTime(asn1Time, chipEpochTime);
-        SuccessOrExit(err);
+        // Perform this check if NotAfter value is different from Never-Expire value.
+        if (chipEpochTimeNotAfter != kNullCertTime)
+        {
+            VerifyOrReturnError(chipEpochTimeNotBefore < chipEpochTimeNotAfter, ASN1_ERROR_INVALID_ENCODING);
+        }
 
-        err = writer.Put(ContextTag(kTag_NotAfter), chipEpochTime);
-        SuccessOrExit(err);
+        ReturnErrorOnFailure(writer.Put(ContextTag(kTag_NotBefore), chipEpochTimeNotBefore));
+        ReturnErrorOnFailure(writer.Put(ContextTag(kTag_NotAfter), chipEpochTimeNotAfter));
     }
     ASN1_EXIT_SEQUENCE;
 

src/credentials/CHIPCertToX509.cpp

@@ -73,6 +73,12 @@ static CHIP_ERROR DecodeConvertValidity(TLVReader & reader, ASN1Writer & writer,
         ReturnErrorOnFailure(reader.Get(certData.mNotAfterTime));
         ReturnErrorOnFailure(ChipEpochToASN1Time(certData.mNotAfterTime, asn1Time));
         ASN1_ENCODE_TIME(asn1Time);
+
+        // Perform this check if NotAfter value is different from Never-Expire value.
+        if (certData.mNotAfterTime != kNullCertTime)
+        {
+            VerifyOrReturnError(certData.mNotBeforeTime < certData.mNotAfterTime, CHIP_ERROR_UNSUPPORTED_CERT_FORMAT);
+        }
     }
     ASN1_END_SEQUENCE;