# 535 Enhancements to Adding, Revoking, and Removing Non-Root Certificates #548

Merged (16 commits, Mar 7, 2024)
23 changes: 12 additions & 11 deletions docs/transactions.md
Expand Up @@ -905,13 +905,17 @@ already present on the ledger.

The certificate is immutable. It can only be revoked by either the owner or a quorum of Trustees.

- Who can send: Vendor account
- PAA (Root certificates) are VID-scoped:
- the vid field in the subject of the root certificate, as well as in the intermediate/leaf X509 certificates and the Vendor account's VID certificate, must be the same.
- Non-VID scoped PAAs (Root certificates):
- if the intermediate/leaf X509 certificate is VID-scoped, then the `vid` field in the certificate must match the corresponding PAA's `vid` field on the ledger, or the intermediate/leaf X509 certificate must not be VID-scoped.
- `vid` field associated with the corresponding PAA on the ledger must be equal to the Vendor account's VID.
- Parameters:
- cert: `string` - PEM encoded certificate. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- In State:
- `pki/ApprovedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
- `pki/ChildCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
- Who can send:
- Any role
- CLI command:
- `dcld tx pki add-x509-cert --certificate=<string-or-path> --from=<account>`
- Validation:
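Review bot: the second bullet under "Non-VID scoped PAAs" is circular as written ("if the intermediate/leaf X509 certificate is VID-scoped, then ... or the intermediate/leaf X509 certificate must not be VID-scoped"); split it into two plain cases: a VID-scoped PAI/DAC must carry the same `vid` as the one recorded on the ledger for its PAA, and a non-VID-scoped PAI/DAC has no `vid` check of its own. Two smaller points in the same list: "the Vendor account's VID certificate" should be "the Vendor account's VID" (an account has a VID, not a VID certificate), and `vid` should be backticked in the first bullet as it is in the others.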
Expand All @@ -921,7 +925,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
- no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
- if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
- the existing certificate must not be NOC certificate
- sender must match to the owner of the existing certificates.
- the sender's VID must match the `vid` field of the existing certificates.
- the signature (self-signature) and expiration date are valid.
- parent certificate must be already stored on the ledger and a valid chain to some root certificate can be built.

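Review bot: changing "sender must match to the owner of the existing certificates" to "the sender's VID must match the `vid` field of the existing certificates" widens who may add to an existing `<Certificate's Subject>:<Certificate's Subject Key ID>` group from the account that first submitted it to every Vendor account sharing that VID; the doc should state that relaxation explicitly rather than leave it implied by the wording change, and say which `vid` is compared when the existing certificate is not itself VID-scoped (the value stored on the ledger for it, inherited from the PAA, rather than anything parsed from its subject).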
Expand All @@ -938,9 +942,10 @@ If a Revocation Distribution Point needs to be published (such as RFC5280 Certif

If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.

Only the owner (sender) can revoke the certificate.
Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead.

- Who can send: Vendor account
- the sender's VID must match the `vid` field of the revoking certificates.
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
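Review bot: "the `vid` field of the revoking certificates" reads as if the certificates do the revoking; write "of the certificates being revoked". Since `revoke-child` revokes the whole subtree, it is worth saying that the same VID comparison applies to each child: under a VID-scoped PAA the ADD_X509_CERT rules above already force every certificate in the chain to share the PAA's `vid`, so a sender matching the parent also matches the children. Unrelated typo in the unchanged context: "certificates's" should be "certificate's" (twice).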
Expand All @@ -949,8 +954,6 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
- info: `optional(string)` - information/notes for the revocation
- time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
- Who can send:
- Any role; owner
- CLI command:
- `dcld tx pki revoke-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`

Expand All @@ -960,15 +963,14 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an

Removes the given X509 certificate (either intermediate or leaf) from approved and revoked certificates list.

Only the owner (sender) can remove the certificate.
Root certificates can not be removed this way.

- Who can send: Vendor account
- the sender's VID must match the `vid` field of the removing certificates.
- Parameters:
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
- serial-number: `optional(string)` - certificate's serial number
- Who can send:
- Any role; owner
- CLI command:
- `dcld tx pki remove-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`

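Review bot: same grammar issue as in REVOKE_X509_CERT: "the `vid` field of the removing certificates" should be "of the certificates being removed". Because removal now needs only a matching VID rather than the original submitter, any Vendor account with that VID can purge another account's certificate from both the approved and the revoked lists, including an entry that the other account intentionally left in `pki/RevokedCertificates`; if that is intended, say so here. Also, the optional `serial-number` parameter is listed but the CLI command line does not show how it is passed; add the corresponding flag to the example or drop the parameter.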
Expand Down Expand Up @@ -1041,7 +1043,6 @@ Publishing the revocation distribution endpoint doesn't automatically remove PAI
and DACs (leaf certificates) added to DCL if they are revoked in the CRL identified by this distribution point.
[REVOKE_X509_CERT](#revoke_x509_cert) needs to be called to remove an intermediate or leaf certificate from the ledger.


- Who can send: Vendor account
- `vid` field in the transaction (`VendorID`) must be equal to the Vendor account's VID
- VID-scoped PAAs (Root certs) and PAIs (Intermediate certs): `vid` field in the `CRLSignerCertificate`'s subject must be equal to the Vendor account's VID
Expand Down Expand Up @@ -1140,7 +1141,7 @@ This transaction adds a NOC root certificate owned by the Vendor.
- no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
- if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
- the existing certificate must be NOC root certificate
- the sender's VID must match the vid field of the existing certificates.
- the sender's VID must match the `vid` field of the existing certificates.
- the signature (self-signature) and expiration date must be valid.
- Parameters:
- cert: `string` - The NOC Root Certificate, encoded in X.509v3 PEM format. Can be a PEM string or a file path.
86 changes: 78 additions & 8 deletions integration_tests/cli/pki-add-vendor-x509-certificates.sh
Expand Up @@ -5,13 +5,15 @@ root_cert_with_vid_65521_subject="MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcm
root_cert_with_vid_65521_subject_key_id="CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31"
root_cert_with_vid_65521_path="integration_tests/constants/root_cert_with_vid"
root_cert_with_vid_65521_vid=65521
intermediate_cert_with_vid_subject="MIGuMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDARGRkYx"
intermediate_cert_with_vid_subject_key_id="0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17"

intermediate_cert_with_vid_65521_subject="MIGuMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDARGRkYx"
intermediate_cert_with_vid_65521_subject_key_id="0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17"
intermediate_cert_with_vid_65521_path="integration_tests/constants/intermediate_cert_with_vid_1"
intermediate_cert_with_vid_65522_path="integration_tests/constants/intermediate_cert_with_vid_2"
intermediate_cert_with_vid_65521_serial_number="3"
intermediate_cert_with_vid_65522_serial_number="4"
intermediate_cert_with_vid_65521_vid=65521

intermediate_cert_with_vid_65522_path="integration_tests/constants/intermediate_cert_with_vid_2"
intermediate_cert_with_vid_65522_serial_number="4"
intermediate_cert_with_vid_65522_vid=65522

trustee_account="jack"
Expand All @@ -32,6 +34,10 @@ check_response "$result" "\"code\": 0"
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_with_vid_65521_subject" --subject-key-id="$root_cert_with_vid_65521_subject_key_id" --from $second_trustee_account --yes)
check_response "$result" "\"code\": 0"

echo "Try to add the intermediate certificate using an account that does not have vendor role"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_with_vid_65521_path" --from $trustee_account --yes)
check_response "$result" "\"code\": 4"

echo "Add an intermediate certificate with vid=$intermediate_cert_with_vid_65521_vid by $vendor_account_65521 with vid=$vendor_vid_65521"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_with_vid_65521_path" --from $vendor_account_65521 --yes)
check_response "$result" "\"code\": 0"
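Review bot: the new negative case asserts only `"code": 4`, which any rejection returning that code would satisfy (for example a missing parent certificate), so it does not show that the transaction was refused because `$trustee_account` lacks the Vendor role; add a `check_response` on the error message text as well. It would also be worth repeating the check with a plain non-Trustee, non-Vendor account, since a Trustee is not the only kind of non-Vendor sender.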
Expand All @@ -41,8 +47,8 @@ result=$(dcld query pki all-x509-certs)
echo $result | jq
check_response "$result" "\"subject\": \"$root_cert_with_vid_65521_subject\""
check_response "$result" "\"subjectKeyId\": \"$root_cert_with_vid_65521_subject_key_id\""
check_response "$result" "\"subject\": \"$intermediate_cert_with_vid_subject\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_subject_key_id\""
check_response "$result" "\"subject\": \"$intermediate_cert_with_vid_65521_subject\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_65521_subject_key_id\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65521_serial_number\""

echo "Try to add an intermediate certificate with vid=$intermediate_cert_with_vid_65522_vid by $vendor_account_65521 with vid=$vendor_vid_65521"
Expand All @@ -53,15 +59,16 @@ echo "Request all approved root certificates should not contain intermediate cer
result=$(dcld query pki all-x509-certs)
echo $result | jq
check_response "$result" "\"subject\": \"$root_cert_with_vid_65521_subject\""
check_response "$result" "\"subject\": \"$intermediate_cert_with_vid_subject\""
check_response "$result" "\"subject\": \"$intermediate_cert_with_vid_65521_subject\""
check_response "$result" "\"subjectKeyId\": \"$root_cert_with_vid_65521_subject_key_id\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_subject_key_id\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_65521_subject_key_id\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65521_serial_number\""
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65522_serial_number\""

root_cert_with_no_vid_path="integration_tests/constants/paa_cert_no_vid"
root_cert_with_no_vid_subject="MBoxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQQ=="
root_cert_with_no_vid_subject_key_id="78:5C:E7:05:B8:6B:8F:4E:6F:C7:93:AA:60:CB:43:EA:69:68:82:D5"

intermediate_cert_with_vid_65522_path="integration_tests/constants/pai_cert_numeric_vid"
intermediate_cert_with_vid_65522_subject="MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8AgEMBEZGRjI="
intermediate_cert_with_vid_65522_subject_key_id="61:3D:D0:87:35:5E:F0:8B:AE:01:E4:C6:9A:8F:C7:3D:AC:8C:7D:FD"
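Review bot: `intermediate_cert_with_vid_65522_path` is set at the top of the script to `integration_tests/constants/intermediate_cert_with_vid_2` and reassigned here to `integration_tests/constants/pai_cert_numeric_vid`, while `intermediate_cert_with_vid_65522_serial_number="4"` from the top is still used further down; one variable name now refers to two different files in the same script, which makes the later assertions hard to read. Give this second PAI its own prefix (for example `pai_numeric_vid_...`) instead of reusing the first one.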
Expand Down Expand Up @@ -111,3 +118,66 @@ check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_65522_
check_response "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65522_serial_number\""

test_divider

root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
root_cert_path="integration_tests/constants/root_with_same_subject_and_skid_1"
root_cert_serial_number="1"

intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
intermediate_cert_1_serial_number="3"
intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
intermediate_cert_2_serial_number="4"

echo "Propose and approve root certificate"
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_path" --vid "$vendor_vid_65521" --from $trustee_account --yes)
check_response "$result" "\"code\": 0"
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
check_response "$result" "\"code\": 0"

echo "Add first intermediate certificate by $vendor_account_65521"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $vendor_account_65521 --yes)
check_response "$result" "\"code\": 0"

echo "Request all approved root certificates."
result=$(dcld query pki all-x509-certs)
echo $result | jq
check_response "$result" "\"subject\": \"$root_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""

echo "Try to add second intermediate certificate with same subject and SKID by $vendor_account_65523"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $vendor_account_65523 --yes)
check_response "$result" "\"code\": 4"

echo "Request all approved root certificates should not contain intermediate cert with serialNumber=$intermediate_cert_2_serial_number"
result=$(dcld query pki all-x509-certs)
echo $result | jq
check_response "$result" "\"subject\": \"$root_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""

second_vendor_account_65521=second_vendor_account_$vendor_vid_65521
echo "Create Vendor account - $second_vendor_account_65521"
create_new_vendor_account $second_vendor_account_65521 $vendor_vid_65521

echo "Add second intermediate certificate with same subject and SKID by $second_vendor_account_65521"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $vendor_account_65521 --yes)
check_response "$result" "\"code\": 0"

echo "Request all approved root certificates should contain intermediate cert with serialNumber=$intermediate_cert_2_serial_number"
result=$(dcld query pki all-x509-certs)
echo $result | jq
check_response "$result" "\"subject\": \"$root_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
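Review bot: the positive case at the end does not exercise what its echo claims. The message says the second intermediate certificate is added "by $second_vendor_account_65521", but the command passes `--from $vendor_account_65521`, the same account that added the first one, so the scenario this block exists for (a different Vendor account with the same VID may add a certificate with the same Subject and SKID) is never run; change it to `--from $second_vendor_account_65521`. Two smaller points: `$vendor_account_65523` is used on the negative case but is not defined anywhere in the visible diff, so confirm it is created earlier in the script; and the echo lines say "Request all approved root certificates" while the query is `dcld query pki all-x509-certs`, which returns intermediates too, as the assertions themselves expect.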
26 changes: 21 additions & 5 deletions integration_tests/cli/pki-demo.sh
Expand Up @@ -43,6 +43,14 @@ trustee_account_address=$(echo $passphrase | dcld keys show jack -a)
second_trustee_account_address=$(echo $passphrase | dcld keys show alice -a)
third_trustee_account_address=$(echo $passphrase | dcld keys show bob -a)

vendor_account=vendor_account_$vid
echo "Create Vendor account - $vendor_account"
create_new_vendor_account $vendor_account $vid

vendor_account_65522=vendor_account_65522
echo "Create Vendor account - $vendor_account_65522"
create_new_vendor_account $vendor_account_65522 65522

echo "Create regular account"
create_new_account user_account "CertificationCenter"
test_divider
Expand Down Expand Up @@ -374,9 +382,9 @@ echo "4. ADD INTERMEDIATE CERT"
test_divider


echo "$user_account (Not Trustee) adds Intermediate certificate"
echo "$vendor_account adds Intermediate certificate"
intermediate_path="integration_tests/constants/intermediate_cert"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_path" --from $user_account --yes)
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_path" --from $vendor_account --yes)
check_response "$result" "\"code\": 0"


Expand Down Expand Up @@ -442,9 +450,9 @@ test_divider
echo "5. ADD LEAF CERT"
test_divider

echo "$trustee_account (Trustee) add Leaf certificate"
echo "$vendor_account add Leaf certificate"
leaf_path="integration_tests/constants/leaf_cert"
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_path" --from $trustee_account --yes)
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_path" --from $vendor_account --yes)
check_response "$result" "\"code\": 0"

test_divider
Expand Down Expand Up @@ -650,8 +658,16 @@ test_divider
echo "6. REVOKE INTERMEDIATE (AND HENCE LEAF) CERTS - No Approvals needed"
test_divider

echo "$user_account (Not Trustee) revokes only Intermediate certificate. This must not revoke its child - Leaf certificate."
echo "Try to revoke the intermediate certificate when sender is not Vendor account"
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes)
check_response "$result" "\"code\": 4"

echo "Try to revoke the intermediate certificate using a vendor account with other VID"
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$vendor_account_65522 --yes)
check_response "$result" "\"code\": 4"

echo "$vendor_account (Not Trustee) revokes only Intermediate certificate. This must not revoke its child - Leaf certificate."
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$vendor_account --yes)
check_response "$result" "\"code\": 0"

test_divider
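Review bot: the echo on the positive case still says "$vendor_account (Not Trustee) revokes", a label that was meaningful when `$user_account` sent the transaction; now that the sender is `$vendor_account`, describe it as the Vendor account whose VID matches the certificate. Both negative cases assert only `"code": 4`, so the non-Vendor rejection and the wrong-VID rejection are indistinguishable from each other and from any other failure with that code; add a message check to each. Since `$vendor_account_65522` is created only to be rejected here, the symmetric negative case for ADD_X509_CERT in sections 4 and 5 (a wrong-VID Vendor account trying to add the intermediate or leaf) is also worth adding, as the earlier hunks switch those sections to `$vendor_account` without any rejection check.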