#535 Enable providing serial number while revoking x509 certs
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois committed Feb 15, 2024
1 parent 40fbec3 commit 2f8b273
Showing 40 changed files with 1,593 additions and 278 deletions.
14 changes: 14 additions & 0 deletions docs/static/openapi.yml
Expand Up @@ -9536,6 +9536,8 @@ paths:
type: string
subjectAsText:
type: string
serialNumber:
type: string
pagination:
type: object
properties:
Expand Down Expand Up @@ -9675,6 +9677,8 @@ paths:
type: string
subjectAsText:
type: string
serialNumber:
type: string
default:
description: An unexpected error response.
schema:
Expand Down Expand Up @@ -9706,6 +9710,10 @@ paths:
in: path
required: true
type: string
- name: serialNumber
in: query
required: false
type: string
tags:
- Query
/dcl/pki/rejected-certificates:
Expand Down Expand Up @@ -20763,6 +20771,8 @@ definitions:
type: string
subjectAsText:
type: string
serialNumber:
type: string
zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
type: object
properties:
Expand Down Expand Up @@ -21012,6 +21022,8 @@ definitions:
type: string
subjectAsText:
type: string
serialNumber:
type: string
pagination:
type: object
properties:
Expand Down Expand Up @@ -21471,6 +21483,8 @@ definitions:
type: string
subjectAsText:
type: string
serialNumber:
type: string
zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
type: object
properties:
6 changes: 5 additions & 1 deletion docs/transactions.md
Expand Up @@ -942,6 +942,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
- serial-number: `optional(string)` - certificate's serial number
- info: `optional(string)` - information/notes for the revocation
- time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
Expand All @@ -967,6 +968,7 @@ then the certificate will be in a pending state until sufficient number of other
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
- serial-number: `optional(string)` - certificate's serial number
- info: `optional(string)` - information/notes for the revocation proposal
- time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
- In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
Expand All @@ -990,6 +992,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
- serial-number: `optional(string)` - certificate's serial number
- info: `optional(string)` - information/notes for the revocation approval
- time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
Expand Down Expand Up @@ -1222,10 +1225,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
- serial-number: `optional(string)` - certificate's serial number
- CLI command:
- `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
- REST API:
- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`

### GET_ALL_X509_ROOT_CERTS

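--- a/integration_tests/cli/pki-revocation-with-serial-number.sh
+++ b/integration_tests/cli/pki-revocation-with-serial-number.sh
@@ -0,0 +1,149 @@
+set -euo pipefail
+source integration_tests/cli/common.sh
+
+root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
+root_cert_1_serial_number="1"
+root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
+root_cert_2_serial_number="2"
+root_cert_vid=65521
+intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
+intermediate_cert_1_serial_number="3"
+intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
+intermediate_cert_2_serial_number="4"
+root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
+root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
+intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
+intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
+
+trustee_account="jack"
+second_trustee_account="alice"
+
+echo "Create a VendorAdmin Account"
+create_new_account vendor_admin_account "VendorAdmin"
+
+test_divider
+
+echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
+
+echo "Propose and approve root certificate 1"
+result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --vid "$root_cert_vid" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Propose and approve root certificate 2"
+result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --vid "$root_cert_vid" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add an intermediate certificate with serialNumber 3"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add an intermediate certificate with serialNumber 4"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all approved root certificates."
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Revoke intermediate certificate with invalid serialNumber"
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
+check_response "$result" "\"code\": 404"
+
+echo "Revoke intermediate certificate with serialNumber 3"
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain one intermediate certificate with serialNumber 3"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
+result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes)
+check_response "$result" "\"code\": 404"
+
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
+result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain one root certificate with serialNumber 1"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
+
+echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
+result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain two root and intermediate certificates"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Request all approved root certificates should be empty"
+result=$(dcld query pki all-x509-root-certs)
+echo $result | jq
+response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
+response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+test_divider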
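Review bot: The closing block ("Request all approved root certificates should be empty") runs its negative checks against `dcld query pki all-x509-root-certs`, so the four `response_does_not_contain` assertions on the intermediate subject, key id and serial numbers 3 and 4 would presumably pass even if an intermediate were still listed as approved after both roots are revoked. Because this test exists to show that revocation by serial number removes exactly the intended certificates from the trusted set, I would repeat those negative checks against `result=$(dcld query pki all-x509-certs)` as well. Two patterns also lack the closing `\"`: the `response_does_not_contain` on `$intermediate_cert_2_serial_number` after root 1 is revoked, and the `check_response` on `$intermediate_cert_subject_key_id` in the block that follows it, so both match by prefix instead of the exact value. Neither "invalid" serial-number case checks that the certificate set is unchanged after the 404; a `check_response` on the still-approved serial numbers right after each would pin that down.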