#535 Enable providing serial number while revoking x509 certs

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
zigbee-alliance · Feb 14, 2024 · e015d33 · e015d33
1 parent 40fbec3
commit e015d33
Show file tree

Hide file tree

Showing 40 changed files with 1,537 additions and 277 deletions.
diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml
@@ -9536,6 +9536,8 @@ paths:
                             type: string
                     subjectAsText:
                       type: string
+                    serialNumber:
+                      type: string
               pagination:
                 type: object
                 properties:
@@ -9675,6 +9677,8 @@ paths:
                           type: string
                   subjectAsText:
                     type: string
+                  serialNumber:
+                    type: string
         default:
           description: An unexpected error response.
           schema:
@@ -9706,6 +9710,10 @@ paths:
           in: path
           required: true
           type: string
+        - name: serialNumber
+          in: query
+          required: false
+          type: string
       tags:
         - Query
   /dcl/pki/rejected-certificates:
@@ -20763,6 +20771,8 @@ definitions:
               type: string
       subjectAsText:
         type: string
+      serialNumber:
+        type: string
   zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
     type: object
     properties:
@@ -21012,6 +21022,8 @@ definitions:
                     type: string
             subjectAsText:
               type: string
+            serialNumber:
+              type: string
       pagination:
         type: object
         properties:
@@ -21471,6 +21483,8 @@ definitions:
                   type: string
           subjectAsText:
             type: string
+          serialNumber:
+            type: string
   zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
     type: object
     properties:

diff --git a/docs/transactions.md b/docs/transactions.md
@@ -942,6 +942,7 @@ Root certificates can not be revoked this way, use  `PROPOSE_X509_CERT_REVOC` an
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation
   - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -967,6 +968,7 @@ then the certificate will be in a pending state until sufficient number of other
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation proposal
   - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -990,6 +992,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation approval
   - time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -1222,10 +1225,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
 - CLI command:
   - `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
 - REST API:
-  - GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
+  - GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`
 
 ### GET_ALL_X509_ROOT_CERTS
 

diff --git a/integration_tests/cli/pki-revocation-with-serial-number.sh b/integration_tests/cli/pki-revocation-with-serial-number.sh
@@ -0,0 +1,140 @@
+set -euo pipefail
+source integration_tests/cli/common.sh
+
+root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
+root_cert_1_serial_number="1"
+root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
+root_cert_2_serial_number="2"
+intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
+intermediate_cert_1_serial_number="3"
+intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
+intermediate_cert_2_serial_number="4"
+root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
+root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
+intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ"
+intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
+
+trustee_account="jack"
+second_trustee_account="alice"
+
+echo "Create a VendorAdmin Account"
+create_new_account vendor_admin_account "VendorAdmin"
+
+test_divider
+
+echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
+
+echo "Propose and approve root certificate 1"
+result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Propose and approve root certificate 2"
+result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add an intermediate certificate with serialNumber 3"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add an intermediate certificate with serialNumber 4"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all approved root certificates."
+result=$(dcld query pki all-x509-root-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Revoke intermediate certificate with serialNumber 3"
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain one intermediate certificate with serialNumber 3"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
+result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
+result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain one root certificate with serialNumber 1"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
+
+echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
+result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain two root and intermediate certificates"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$root_cert_subject\""
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+echo "Request all approved root certificates should be empty"
+result=$(dcld query pki all-x509-root-certs)
+echo $result | jq
+response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
+response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
+test_divider