Testing Aliro Reader Certificate

The Aliro Reader Certificate is an optional X.509 certificate that allows a Reader device to authenticate itself to the User Device during the expedited standard phase of the Aliro protocol. When a certificate is provisioned, the Reader sends a LOAD_CERT command after the AUTH0 exchange, allowing the User Device to verify the Reader’s identity.

This feature is controlled by the CONFIG_DOOR_LOCK_READER_CERTIFICATE Kconfig option (enabled by default for non-Matter builds).

Certificate generation and provisioning

This section describes how to generate Reader certificates and provision them on the device under test (DUT).

Generating certificates

  1. Generate an Issuer key pair for signing certificates:

    cd scripts
    python3 generate_keypair.py --verbose
    
  2. Save the output:

    • ISSUER_PRIV - Issuer Private Key (32 bytes hex)

    • ISSUER_PUB - Issuer Public Key (65 bytes hex)

  3. Generate a Reader certificate. You can choose between two certificate sizes:

    • Short certificate (~152 bytes) - It does not require APDU chaining. You can generate it by running the following command:

      python3 generate_reader_cert.py \
      --subject-pubkey <DUT_READER_PUBLIC_KEY> \
      --issuer-privkey <ISSUER_PRIV> \
      --output hex | xargs python3 compress_reader_cert.py
      
    • Long certificate (~270 bytes) - It requires APDU chaining (for testing chaining mechanism). You can generate it by running the following command:

      ./generate_max_size_cert.sh <DUT_READER_PUBLIC_KEY> <ISSUER_PRIV>
      
  4. Save the compressed certificate HEX output for provisioning.

Configuring Test Harness

Update your Test Harness project configuration with the following fields:

  • dut_reader_issuer_public_key - Set to the ISSUER_PUB.

  • dut_reader_issuer_group_identifier - Set it to a value different from dut_reader_group_identifier. Otherwise, you will not be able to test certificate-based authentication.

    {
    "config": {
       "test_parameters": {
          "dut_reader_public_key": "<DUT_READER_PUBLIC_KEY>",
          "dut_reader_group_identifier": "00113344667799AA00113344667799AB",
          "dut_reader_issuer_group_identifier": "FFEEDDCCBBAA998877665544332211FF",
          "dut_reader_issuer_public_key": "<ISSUER_PUB>"
       }
    }
    }
    

Provisioning DUT

Connect to the DUT through serial console and provision both the certificate and issuer public key:

  1. Install the proper Reader group identifier (dut_reader_issuer_group_identifier value):

    uart:~$ reader group_id <dut_reader_issuer_group_identifier>
    
  2. Provision the Issuer Public Key:

    uart:~$ reader issuer_public_key set <ISSUER_PUB>
    
  3. Provision the Reader Certificate (compressed):

    uart:~$ reader certificate set <COMPRESSED_CERT>
    
  4. Verify provisioning:

    uart:~$ reader issuer_public_key list
    Issuer public key (65 bytes): <ISSUER_PUB>
    
    uart:~$ reader certificate list
    Reader certificate (XXX bytes):
    <HEX_DUMP>
    

Note

The certificate size is limited by CONFIG_DOOR_LOCK_ALIRO_READER_STORAGE_CERTIFICATE_MAX_SIZE. By default it is set to 512 bytes. If you need to provision larger certificates, increase this value in your project configuration.

Running tests with certificates

Once the certificate is provisioned, execute Test Harness test cases that include the LOAD_CERT command:

  • NFC_RDR_STANDARD_CERT_IN_LOAD_CERT - Standard certificate test

  • NFC_RDR_STANDARD_CERT_IN_LOAD_CERT_WITH_CHAINING - Certificate with APDU chaining

You can expect the following behavior:

  • DUT sends LOAD_CERT command with the provisioned certificate.

  • If you are using a long certificate, APDU chaining will be used (in multiple chunks).

  • Test Harness verifies the certificate signature using ISSUER_PUB.

  • Transaction proceeds normally after validating the certificate.

Clearing certificates

To run standard tests without certificates, clear the provisioned data:

uart:~$ reader certificate clear
uart:~$ reader issuer_public_key clear

After clearing, the DUT will skip the LOAD_CERT state and proceed directly from AUTH0 response to AUTH1 (expedited standard phase).