#524 Enable revocation of NOC certificates

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
zigbee-alliance · Mar 15, 2024 · a4f6a99 · a4f6a99
1 parent bb8407f
commit a4f6a99
Show file tree

Hide file tree

Showing 29 changed files with 2,638 additions and 347 deletions.
diff --git a/docs/transactions.md b/docs/transactions.md
@@ -1208,6 +1208,29 @@ Revoked NOC root certificates can be re-added using the `ADD_NOC_X509_ROOT_CERTI
 - CLI command:
   - `dcld tx pki revoke-noc-x509-root-cert --subject=<base64 string> --subject-key-id=<hex string> --serial-number=<string> --info=<string> --time=<int64> --revoke-child=<bool> --from=<account>`
 
+### REVOKE_NOC_X509_CERT
+
+**Status: Implemented**
+
+This transaction revokes a NOC non-root certificate owned by the Vendor.
+Revoked NOC non-root certificates can be re-added using the `ADD_NOC_X509_CERTIFICATE` transaction.
+
+- Who can send: Vendor account
+  - Vid field associated with the corresponding NOC certificate on the ledger must be equal to the Vendor account's VID.
+- Validation:
+  - a NOC Certificate with the provided `subject` and `subject_key_id` must exist in the ledger.
+- Parameters:
+  - subject: `string` - base64 encoded subject DER sequence bytes of the certificate.
+  - subject_key_id: `string` - certificate's `Subject Key Id` in hex string format, e.g., `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`.
+  - serial_number: `optional(string)` - certificate's serial number. If not provided, the transaction will revoke all certificates that match the given `subject` and `subject_key_id` combination.
+  - revoke-child: `optional(bool)` - if true, then all certificates in the chain signed by the revoked certificate (leaf) are revoked as well. If false, only the current cert is revoked (default: false).
+  - info: `optional(string)` - information/notes for the revocation
+  - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
+- In State: 
+  - `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
+- CLI command:
+  - `dcld tx pki revoke-noc-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --serial-number=<string> --info=<string> --time=<int64> --revoke-child=<bool> --from=<account>`
+
 ### GET_X509_CERT
 
 **Status: Implemented**

diff --git a/integration_tests/cli/pki-noc-certs.sh b/integration_tests/cli/pki-noc-certs.sh
@@ -27,6 +27,9 @@ noc_cert_1_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UE
 noc_cert_1_subject_key_id="02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
 noc_cert_1_serial_number="631388393741945881054190991612463928825155142122"
 
+noc_cert_1_copy_path="integration_tests/constants/noc_cert_1_copy"
+noc_cert_1_copy_serial_number="169445068204646961882009388640343665944683778293"
+
 noc_cert_2_path="integration_tests/constants/noc_cert_2"
 noc_cert_2_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
 noc_cert_2_subject_key_id="87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
@@ -221,12 +224,17 @@ echo "Add second NOC certificate by vendor with VID = $vid"
 result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_path" --from $vendor_account --yes)
 check_response "$result" "\"code\": 0"
 
+echo "Add third NOC certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_1_copy_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
 echo "Request all NOC certificates"
 result=$(dcld query pki all-noc-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -240,6 +248,7 @@ check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -266,10 +275,11 @@ echo "Request all NOC certificates"
 result=$(dcld query pki all-noc-x509-certs)
 echo $result | jq
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
 
-echo "Try to revoke intermediate with different VID = $vid_2"
+echo "Try to revoke NOC root certificate with different VID = $vid_2"
 result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-root-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id" --from $vendor_account_2 --yes)
 check_response "$result" "\"code\": 439"
 
@@ -349,13 +359,15 @@ check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
 
 echo "Request all approved certificates should not contain revoked NOC root certificates"
 result=$(dcld query pki all-x509-certs)
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
@@ -365,4 +377,71 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-test_divider
+test_divider
+
+echo "REVOCATION OF NON-ROOT NOC CERTIFICATES"
+
+echo "Try to revoke NOC certificate with different VID = $vid_2"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from $vendor_account_2 --yes)
+check_response "$result" "\"code\": 439"
+
+echo "$vendor_account Vendor revokes only NOC certificates, it should not revoke leaf certificates"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from=$vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should not contain leaf certificate"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject"
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
+check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number"
+response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number"
+
+echo "Request all revoked noc root certificates should not contain non-root NOC certificates"
+result=$(dcld query pki all-revoked-noc-x509-root-certs)
+echo $result | jq
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id"
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+
+echo "Request all certificates by subject must be empty"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_cert_1_subject")
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+echo $result | jq
+
+echo "Request all certificates by subjectKeyId must be empty"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
+echo $result | jq
+
+echo "Request NOC certificate by VID = $vid should contain ony leaf certificate"
+result=$(dcld query pki noc-x509-certs --vid="$vid")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+
+echo "Request all approved certificates should not contain revoked NOC certificates"
+result=$(dcld query pki all-x509-certs)
+check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
+echo $result | jq
diff --git a/integration_tests/cli/pki-noc-revocation-with-revoking-child.sh b/integration_tests/cli/pki-noc-revocation-with-revoking-child.sh
@@ -6,6 +6,11 @@ noc_root_cert_1_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwY
 noc_root_cert_1_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
 noc_root_cert_1_serial_number="47211865327720222621302679792296833381734533449"
 
+noc_root_cert_2_path="integration_tests/constants/noc_root_cert_2"
+noc_root_cert_2_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMg=="
+noc_root_cert_2_subject_key_id="CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B"
+noc_root_cert_2_serial_number="332802481233145945539125204504842614737181725760"
+
 noc_root_cert_1_copy_path="integration_tests/constants/noc_root_cert_1_copy"
 noc_root_cert_1_copy_serial_number="460647353168152946606945669687905527879095841977"
 
@@ -19,9 +24,24 @@ noc_leaf_cert_1_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBE
 noc_leaf_cert_1_subject_key_id="77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01"
 noc_leaf_cert_1_serial_number="281347277961838999749763518155363401757954575313"
 
+noc_cert_2_path="integration_tests/constants/noc_cert_2"
+noc_cert_2_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
+noc_cert_2_subject_key_id="87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
+noc_cert_2_serial_number="361372967010167010646904372658654439710639340814"
+
+noc_cert_2_copy_path="integration_tests/constants/noc_cert_2_copy"
+noc_cert_2_copy_serial_number="157351092243199289154908179633004790674818411696"
+
+noc_leaf_cert_2_path="integration_tests/constants/noc_leaf_cert_2"
+noc_leaf_cert_2_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0y"
+noc_leaf_cert_2_subject_key_id="F7:2D:E5:60:05:1E:06:45:E6:17:09:DE:1A:0C:B7:AE:19:66:EA:D5"
+noc_leaf_cert_2_serial_number="628585745496304216074570439204763956375973944746"
+
 vid_in_hex_format=0x6006
 vid=24582
 
+echo "REVOCATION OF NOC ROOT CERTIFICATES"
+
 vendor_account=vendor_account_$vid_in_hex_format
 echo "Create Vendor account - $vendor_account"
 create_new_vendor_account $vendor_account $vid_in_hex_format
@@ -152,4 +172,92 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_numb
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
 echo $result | jq
 
+test_divider
+
+echo "REVOCATION OF NOC NON-ROOT CERTIFICATES"
+
+echo "Add NOC root certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_2_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add NOC certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add second NOC certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_copy_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add leaf certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_leaf_cert_2_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request All NOC root certificate"
+result=$(dcld query pki all-noc-x509-root-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+
+echo "Request all NOC certificates"
+result=$(dcld query pki all-noc-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
+
+echo "$vendor_account Vendor revokes root NOC certificate by setting \"revoke-child\" flag to true, it should revoke child certificates too"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_2_subject" --subject-key-id="$noc_cert_2_subject_key_id" --revoke-child=true --from=$vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should two intermediate and one leaf certificates"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
+check_response "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_2_subject"
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+
+echo "Request all certificates by NOC certificate's subject should be empty"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_cert_2_subject")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"$noc_cert_1_subject_key_id\""
+echo $result | jq
+
+echo "Request all certificates by NOC certificate's subjectKeyId should be empty"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_cert_2_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
+echo $result | jq
+
+echo "Request NOC certificate by VID = $vid should not contain intermediate and leaf certificates"
+result=$(dcld query pki noc-x509-certs --vid="$vid")
+echo $result | jq
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
+response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
+
+echo "Request all approved certificates should not contain intermediate and leaf certificates"
+result=$(dcld query pki all-x509-certs)
+check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
+response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
+echo $result | jq
+
 test_divider