From d79b7d3b0891dff61dfa0f558e03267f9e67d504 Mon Sep 17 00:00:00 2001 From: Abdulbois Date: Thu, 21 Mar 2024 14:45:44 +0500 Subject: [PATCH 1/5] #531-Publish-PAI-certificates-for-CRLSignerCertificate-verification - Add CRLSignerDelegator field into PKI Distribution Point schema - Change handling of PKI Distribution Points Signed-off-by: Abdulbois 
Signed-off-by: Abdulbois --- docs/static/openapi.yml | 16 + docs/transactions.md | 2 + .../cli/pki-revocation-points.sh | 105 ++++++- integration_tests/constants/constants.go | 132 ++++++-- .../constants/intermediate_cert_with_vid_1 | 14 +- .../intermediate_cert_with_vid_1_copy | 17 + .../constants/intermediate_cert_with_vid_2 | 14 +- .../constants/leaf_cert_with_vid_65521 | 17 + .../constants/leaf_cert_with_vid_65522 | 17 + .../constants/leaf_cert_without_vid | 17 + .../pki_revocation_distribution_point.proto | 1 + proto/pki/tx.proto | 2 + types/pki/errors.go | 25 ++ .../module/rest.ts | 9 +- .../pki/pki_revocation_distribution_point.ts | 21 +- .../module/types/pki/tx.ts | 42 ++- x/pki/client/cli/flags.go | 1 + ...x_add_pki_revocation_distribution_point.go | 8 + ...pdate_pki_revocation_distribution_point.go | 8 + x/pki/handler_add_revocation_test.go | 82 ++++- x/pki/handler_update_revocation_test.go | 51 +++ ...r_add_pki_revocation_distribution_point.go | 26 +- ...pdate_pki_revocation_distribution_point.go | 24 +- x/pki/revocation_message_utils_test.go | 14 + ...e_add_pki_revocation_distribution_point.go | 78 ++++- ..._pki_revocation_distribution_point_test.go | 127 ++++++-- ...pdate_pki_revocation_distribution_point.go | 4 +- .../pki_revocation_distribution_point.pb.go | 104 +++++-- x/pki/types/tx.pb.go | 292 ++++++++++++------ 29 files changed, 1044 insertions(+), 226 deletions(-) create mode 100644 integration_tests/constants/intermediate_cert_with_vid_1_copy create mode 100644 integration_tests/constants/leaf_cert_with_vid_65521 create mode 100644 integration_tests/constants/leaf_cert_with_vid_65522 create mode 100644 integration_tests/constants/leaf_cert_without_vid diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml index 4407ed11d..74e4069ee 100644 --- a/docs/static/openapi.yml +++ b/docs/static/openapi.yml 
@@ -10705,6 +10705,8 @@ paths: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string pagination: type: object properties: @@ -10863,6 +10865,8 @@ paths: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string default: description: An unexpected error response. schema: @@ -10935,6 +10939,8 @@ paths: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string default: description: An unexpected error response. schema: @@ -21841,6 +21847,8 @@ definitions: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string zigbeealliance.distributedcomplianceledger.pki.PkiRevocationDistributionPointsByIssuerSubjectKeyID: type: object properties: @@ -21881,6 +21889,8 @@ definitions: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string zigbeealliance.distributedcomplianceledger.pki.ProposedCertificate: type: object properties: @@ -22284,6 +22294,8 @@ definitions: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string pagination: type: object properties: @@ -23029,6 +23041,8 @@ definitions: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string zigbeealliance.distributedcomplianceledger.pki.QueryGetPkiRevocationDistributionPointsByIssuerSubjectKeyIDResponse: type: object properties: @@ -23072,6 +23086,8 @@ definitions: schemaVersion: type: integer format: int64 + crlSignerDelegator: + type: string zigbeealliance.distributedcomplianceledger.pki.QueryGetProposedCertificateResponse: type: object properties: diff --git a/docs/transactions.md b/docs/transactions.md index f0ec26825..8e360af5c 100644 --- a/docs/transactions.md +++ b/docs/transactions.md 
@@ -1073,6 +1073,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif - isPAA: `bool` - True if the revocation information distribution point relates to a PAA - label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer. - crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. + - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`. - dataUrl: `string` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID. - dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1. 
@@ -1117,6 +1118,7 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif - label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer. - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`. - crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. + - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. - dataUrl: `optional(string)` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID. - dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1. - dataDigest: `optional(string)` - Digest of the entire contents of the associated file downloaded from the DataUrl. Must be omitted if RevocationType is 1. Must be provided if and only if the `DataFileSize` field is present. diff --git a/integration_tests/cli/pki-revocation-points.sh b/integration_tests/cli/pki-revocation-points.sh index e3abb9893..eb1cab947 100755 --- a/integration_tests/cli/pki-revocation-points.sh +++ b/integration_tests/cli/pki-revocation-points.sh 
@@ -25,6 +25,18 @@ test_root_cert_path="integration_tests/constants/test_root_cert" test_root_cert_subject="MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBDEyNUQ=" test_root_cert_subject_key_id="E2:90:8D:36:9C:3C:A3:C1:13:BB:09:E2:4D:C1:CC:C5:A6:66:91:D4" +root_cert_with_vid_path="integration_tests/constants/root_cert_with_vid" +root_cert_with_vid_subject="MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=" +root_cert_with_vid_subject_key_id="CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31" + +delegator_cert_with_vid_65521_path="integration_tests/constants/intermediate_cert_with_vid_1" +delegator_cert_with_vid_65521_copy_path="integration_tests/constants/intermediate_cert_with_vid_1_copy" +delegator_cert_with_vid_subject_key_id="0E8CE8C8B8AA50BC258556B9B19CC2C7D9C52F17" + +crl_leaf_cert_with_vid_65521_path="integration_tests/constants/leaf_cert_with_vid_65521" +crl_leaf_cert_with_vid_65522_path="integration_tests/constants/leaf_cert_with_vid_65522" +crl_leaf_cert_without_vid_path="integration_tests/constants/leaf_cert_without_vid" + trustee_account="jack" second_trustee_account="alice" third_trustee_account="bob" @@ -35,6 +47,8 @@ third_trustee_account_address=$(echo $passphrase | dcld keys show bob -a) label="label" label_pai="label_pai" +label_leaf="label_leaf" +label_leaf_with_delegator="label_leaf_with_delegator" vid=65521 vid_65522=65522 vid_non_vid_scoped=4701 
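Review bot: `delegator_cert_with_vid_subject_key_id` is the only `*_subject_key_id` variable in this block written without colon separators (compare `root_cert_with_vid_subject_key_id="CE:A8:…"` a few lines up) and it also drops the `65521` that the two delegator path variables carry, so nothing tells a reader which format the ledger expects here or which PAI the value belongs to. The bare hex form is what `--issuer-subject-key-id` takes per docs/transactions.md, so keep the value but say so: `# SKID of intermediate_cert_with_vid_1, colon-free as required by --issuer-subject-key-id`. Worth adding to that comment that constants.go in this same commit gives intermediate_cert_with_vid_2 the identical SKID, so this value alone does not distinguish the two PAIs.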
@@ -137,6 +151,12 @@ check_response "$result" "\"code\": 0" result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$test_root_cert_subject" --subject-key-id="$test_root_cert_subject_key_id" --from $second_trustee_account --yes) check_response "$result" "\"code\": 0" +echo "Trustees add VID scoped root cert" +result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_with_vid_path" --vid $vid --from $trustee_account --yes) +check_response "$result" "\"code\": 0" +result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_with_vid_subject" --subject-key-id="$root_cert_with_vid_subject_key_id" --from $second_trustee_account --yes) +check_response "$result" "\"code\": 0" + test_divider echo "7. ADD REVOCATION POINT FOR PAA WHEN CRL SIGNER CERTIFICATE PEM VALUE IS NOT EQUAL TO STORED CERTIFICATE PEM VALUE" 
@@ -255,7 +275,72 @@ response_does_not_contain "$result" "\"label\": \"$vid_non_vid_scoped\"" test_divider -echo "12. UPDATE REVOCATION POINT WHEN POINT NOT FOUND" +echo "12. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED" + +result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes) +check_response "$result" "\"code\": 0" + +result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id) +check_response "$result" "\"vid\": $vid" +check_response "$result" "\"label\": \"$label_leaf_with_delegator\"" +check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\"" + +echo $result + +test_divider + +echo "13. 
ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN IS_PAA=TRUE" + +echo "Add PAI certificate" +result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$delegator_cert_with_vid_65521_path" --from $vendor_account --yes) +check_response "$result" "\"code\": 0" + +echo "Add PKI revocation point with IS_PAA=true" +result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_leaf_cert_without_vid_path" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes) +check_response "$result" "\"code\": 0" + +result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id) +check_response "$result" "\"vid\": $vid_65522" +check_response "$result" "\"label\": \"$label_leaf\"" +check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\"" +echo $result + +test_divider + +echo "14. 
UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED" +data_url_new="$data_url"_new +result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes) +check_response "$result" "\"code\": 0" +echo $result + +result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id) +check_response "$result" "\"vid\": $vid" +check_response "$result" "\"label\": \"$label_leaf_with_delegator\"" +check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\"" +check_response "$result" "\"dataURL\": \"$data_url_new\"" +check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65521_path)" +check_response "$result" "\"CrlSignerDelegator\": $(<$delegator_cert_with_vid_65521_copy_path)" +echo $result + +test_divider + +echo "15. 
UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE" +result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_leaf_cert_with_vid_65522_path" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes) +check_response "$result" "\"code\": 0" +echo $result + +result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id) +check_response "$result" "\"vid\": $vid_65522" +check_response "$result" "\"label\": \"$label_leaf\"" +check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\"" +check_response "$result" "\"dataURL\": \"$data_url_new\"" +check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65522_path)" + +echo $result + +test_divider + +echo "16. UPDATE REVOCATION POINT WHEN POINT NOT FOUND" result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$pai_cert_with_numeric_vid_pid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes) response_does_not_contain "$result" "\"code\": 0" @@ -263,7 +348,7 @@ echo $result test_divider -echo "13. UPDATE REVOCATION POINT FOR PAA WHEN NEW CERT IS NOT PAA" +echo "17. UPDATE REVOCATION POINT FOR PAA WHEN NEW CERT IS NOT PAA" result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$pai_cert_with_numeric_vid_pid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes) response_does_not_contain "$result" "\"code\": 0" 
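Review bot: Steps 12–15 only exercise the success path of the new `--certificate-delegator` flag; nothing in this hunk asserts that a delegator which does not chain back to an approved ledger certificate, or whose SKID differs from `--issuer-subject-key-id`, is rejected, so the chain check this commit introduces can regress without any of these steps noticing. A companion step that repeats the step-12 command with a delegator from a different chain (a PAI whose SKID is not `$delegator_cert_with_vid_subject_key_id`) and ends in `response_does_not_contain "$result" "\"code\": 0"` would close that gap. Step 12 stores a delegator but its query checks never look at it; add `check_response "$result" "\"CrlSignerDelegator\": $(<$delegator_cert_with_vid_65521_path)"` as step 14 already does. Step 13 is titled IS_PAA=TRUE yet succeeds with a leaf cert issued by the VID-65521 PAI while the sender is `$vendor_account_65522` registering `--vid=$vid_65522`; if that cross-VID combination is intended because the leaf carries no VID, a comment on the step should say so, otherwise it is a missing check and belongs in a negative test instead.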
@@ -271,7 +356,7 @@ echo $result test_divider -echo "14. UPDATE REVOCATION POINT WHEN SENDER IS NOT VENDOR" +echo "18. UPDATE REVOCATION POINT WHEN SENDER IS NOT VENDOR" result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$trustee_account --yes) response_does_not_contain "$result" "\"code\": 0" @@ -279,7 +364,7 @@ echo $result test_divider -echo "15. UPDATE REVOCATION POINT FOR PAA WHEN SENDER VID IS NOT EQUAL TO CERT VID" +echo "19. UPDATE REVOCATION POINT FOR PAA WHEN SENDER VID IS NOT EQUAL TO CERT VID" result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes) response_does_not_contain "$result" "\"code\": 0" @@ -287,7 +372,7 @@ echo $result test_divider -echo "16. UPDATE REVOCATION POINT FOR PAA WHEN MSG VID IS NOT EQUAL TO CERT VID" +echo "20. UPDATE REVOCATION POINT FOR PAA WHEN MSG VID IS NOT EQUAL TO CERT VID" result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes) response_does_not_contain "$result" "\"code\": 0" @@ -295,7 +380,7 @@ echo $result test_divider -echo "17. UPDATE REVOCATION POINT FOR VID-SCOPED PAA" +echo "21. UPDATE REVOCATION POINT FOR VID-SCOPED PAA" schema_version_3=3 result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$root_cert_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --schemaVersion=$schema_version_3 --from=$vendor_account --yes) check_response "$result" "\"code\": 0" 
@@ -309,7 +394,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\"" check_response "$result" "\"schemaVersion\": $schema_version_3" test_divider -echo "18. UPDATE REVOCATION POINT FOR NON-VID SCOPED PAA" +echo "22. UPDATE REVOCATION POINT FOR NON-VID SCOPED PAA" result=$(dcld tx pki update-revocation-point --vid=$vid_non_vid_scoped --certificate="$test_root_cert_path" --label="$label_non_vid_scoped" --data-url="$data_url_non_vid_scoped" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_non_vid_scoped --yes) check_response "$result" "\"code\": 0" @@ -323,7 +408,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\"" test_divider -echo "19. UPDATE REVOCATION POINT FOR PAI" +echo "23. UPDATE REVOCATION POINT FOR PAI" result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$pai_cert_vid_path" --label="$label_pai" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes) check_response "$result" "\"code\": 0" @@ -337,7 +422,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\"" test_divider -echo "20. DELETE REVOCATION PAA" +echo "24. DELETE REVOCATION PAA" result=$(dcld tx pki delete-revocation-point --vid=$vid --label="$label" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes) check_response "$result" "\"code\": 0" @@ -348,7 +433,7 @@ check_response "$result" "Not Found" test_divider -echo "21. DELETE REVOCATION PAI" +echo "25. DELETE REVOCATION PAI" result=$(dcld tx pki delete-revocation-point --vid=$vid_65522 --label="$label_pai" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes) check_response "$result" "\"code\": 0" diff --git a/integration_tests/constants/constants.go b/integration_tests/constants/constants.go index 1c45ac443..71c5afc94 100644 --- a/integration_tests/constants/constants.go +++ b/integration_tests/constants/constants.go 
@@ -561,37 +561,91 @@ HGBcCo5whZU= -----END CERTIFICATE-----` IntermediateCertWithVid1 = `-----BEGIN CERTIFICATE----- -MIICejCCAiGgAwIBAgIBAzAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP +MIICiTCCAi+gAwIBAgIBAzAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh bXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD -DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDIy -NjEyMDczMloYDzMwMjMwNjI5MTIwNzMyWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV +DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDMy +NzA2MDcxMloYDzMwMjMwNzI5MDYwNzEyWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV BAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhhbXBs ZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93 d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC onwCAgwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOTNh8u27CnRGdj0 G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7 -1jRkVsyjQjBAMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME -GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAKBggqhkjOPQQDAgNHADBEAiAOQSIQ -sdClGJ86LQ1p7e+kb0Dg+YsyxIv2XHdUvIVn2gIgBkbzBccRbDG3p/+gnPhF+7xP -T/SKbO+GZvoizizl6Gc= +1jRkVsyjUDBOMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME +GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49 +BAMCA0gAMEUCIQCy8SeF6UXIGM+0X6fc5tqSrgAQ1nCN5cvsWyfZvH0y9wIgQ45S +TXQomsOa4eHQpJzsY/JQqprA0FapY1nsvL+PQFg= -----END CERTIFICATE-----` IntermediateCertWithVid2 = `-----BEGIN CERTIFICATE----- -MIICezCCAiGgAwIBAgIBBDAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP +MIICiDCCAi+gAwIBAgIBBDAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh bXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD -DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDIy -NjEzMDcwNVoYDzMwMjMwNjI5MTMwNzA1WjCBrjELMAkGA1UEBhMCVVMxETAPBgNV +DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDMy 
+NzE1MzQxMVoYDzMwMjMwNzI5MTUzNDExWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV BAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhhbXBs ZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93 d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYyMRQwEgYKKwYBBAGC onwCAgwERkZGMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOTNh8u27CnRGdj0 G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7 -1jRkVsyjQjBAMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME -GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAKBggqhkjOPQQDAgNIADBFAiEAkApx -PWFFDoptmYnsW1QhKqrcD+xmFgJA4SWTH5Q1efMCIDWqdG0sAgum+FphfM4HF6XV -M6mDL6NurBAW1pJlg8OT +1jRkVsyjUDBOMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME +GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49 +BAMCA0cAMEQCIHkhL7r/xEi16827IYysHe0w8X0rsbU5zcHcbK1wt0ALAiASEZMI +NN1ZIQJHBjCm+vWh3Jsjt2wUHKIM5i64Wd9kPA== +-----END CERTIFICATE-----` + + LeafCertWithVid = `-----BEGIN CERTIFICATE----- +MIICrjCCAlSgAwIBAgIUBCg+BsyaPLK2sNxttFUIbDF/FPAwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI2MTAyNDI1 +WhgPMzAyMzA3MjgxMDI0MjVaMIGaMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRowGAYDVQQKDBFDUkwtbGVhZiB3aXRo +IFZJRDEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4 +YW1wbGUuY29tMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABNk/8AZJsYEd7kBVDv5c+Mm4kNsuyMF1d+UTOTlptsCzx4YwLlCX +SSr2SwDHbkRvMbp5cfFt9uyNc0Tx3bVVyPWjYDBeMB0GA1UdDgQWBBTWmCYQvqwj +dAkKQAvNOWVT8Xaw9TAfBgNVHSMEGDAWgBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAM +BgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIBgjAKBggqhkjOPQQDAgNIADBFAiEA +nAoa731+XkR5/0XaESqHG40IZysduxN8sJo2sJpPvvwCICGn7oAwDmQh0umEJ6dK +Vtv3RJ9iuKtC/fkzUzhv9c0z +-----END CERTIFICATE-----` + + LeafCertWithVidPid = `-----BEGIN CERTIFICATE----- 
+MIICzDCCAnKgAwIBAgIUG6W5A5QhAdUKiVAG9yo5VrndE2IwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI2MTAzNTI4 +WhgPMzAyMzA3MjgxMDM1MjhaMIG4MQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSIwIAYDVQQKDBlDUkwtbGVhZiB3aXRo +IFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD +DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYB +BAGConwCAgwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNk/8AZJsYEd +7kBVDv5c+Mm4kNsuyMF1d+UTOTlptsCzx4YwLlCXSSr2SwDHbkRvMbp5cfFt9uyN +c0Tx3bVVyPWjYDBeMB0GA1UdDgQWBBTWmCYQvqwjdAkKQAvNOWVT8Xaw9TAfBgNV +HSMEGDAWgBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAMBgNVHRMBAf8EAjAAMA4GA1Ud +DwEB/wQEAwIBgjAKBggqhkjOPQQDAgNIADBFAiEAhs/qxSBUSsRdqXfC8tQlPIPU +CNbAI81hYOHbiOx6fD0CIFz63D+Ug7xurPSqAPHoTAY6MhseK4IrbAjKRPA0sQl5 +-----END CERTIFICATE-----` + + LeafCertWithoutVidPid = `-----BEGIN CERTIFICATE----- +MIICozCCAkmgAwIBAgIUDXi3VEZsSRTrSqZuIqDWX0Ar4egwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI2MTEwNjIz +WhgPMzAyMzA3MjgxMTA2MjNaMIGPMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSUwIwYDVQQKDBxDUkwtbGVhZiB3aXRo +b3V0IFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYD +VQQDDA93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ +P/AGSbGBHe5AVQ7+XPjJuJDbLsjBdXflEzk5abbAs8eGMC5Ql0kq9ksAx25EbzG6 +eXHxbfbsjXNE8d21Vcj1o2AwXjAdBgNVHQ4EFgQU1pgmEL6sI3QJCkALzTllU/F2 +sPUwHwYDVR0jBBgwFoAUDozoyLiqULwlhVa5sZzCx9nFLxcwDAYDVR0TAQH/BAIw +ADAOBgNVHQ8BAf8EBAMCAYIwCgYIKoZIzj0EAwIDSAAwRQIhAPIzS2Tlov+9/R6U +fJhEWAA8mOgN9OVCdPWAegWuN3b2AiApXciu/dT4B5db3puPWrAsMjAUYF2Owc/D 
+eujhLsD51w== -----END CERTIFICATE-----` RootIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" @@ -613,12 +667,13 @@ M6mDL6NurBAW1pJlg8OT LeafCertWithSameSubjectAndSKIDSubjectKeyID = "12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03" LeafCertWithSameSubjectAndSKIDSerialNumber = "5" - IntermediateIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" - IntermediateAuthorityKeyID = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB" - IntermediateSubject = "MDwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRgwFgYDVQQKDA9pbnRlcm1lZGlhdGUtY2E=" - IntermediateSubjectAsText = "O=intermediate-ca,ST=some-state,C=AU" - IntermediateSubjectKeyID = "4E:3B:73:F4:70:4D:C2:98:0D:DB:C8:5A:5F:02:3B:BF:86:25:56:2B" - IntermediateSerialNumber = "169917617234879872371588777545667947720450185023" + IntermediateIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" + IntermediateAuthorityKeyID = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB" + IntermediateSubject = "MDwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRgwFgYDVQQKDA9pbnRlcm1lZGlhdGUtY2E=" + IntermediateSubjectAsText = "O=intermediate-ca,ST=some-state,C=AU" + IntermediateSubjectKeyID = "4E:3B:73:F4:70:4D:C2:98:0D:DB:C8:5A:5F:02:3B:BF:86:25:56:2B" + IntermediateSubjectKeyIDWithoutColumns = "4E3B73F4704DC2980DDBC85A5F023BBF8625562B" + IntermediateSerialNumber = "169917617234879872371588777545667947720450185023" LeafIssuer = "MDwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRgwFgYDVQQKDA9pbnRlcm1lZGlhdGUtY2E=" LeafAuthorityKeyID = "4E:3B:73:F4:70:4D:C2:98:D:DB:C8:5A:5F:02:3B:BF:86:25:56:2B" 
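Review bot: The re-issued `IntermediateCertWithVid1` and `IntermediateCertWithVid2` differ from the old fixtures by a new BasicConstraints extension (the added `MAwGA1UdEwQFMAMBAf8w` fragment decodes to cA=TRUE, non-critical) plus fresh validity dates, but neither the hunk nor the commit message records that, so the next regeneration can silently drop it. Add a one-line comment above each, e.g. `// Re-issued with basicConstraints cA:TRUE; acts as the CRL signer delegator (PAI) in the revocation-point tests.` The three new leaf fixtures carry basicConstraints cA:FALSE and a critical keyUsage of digitalSignature+cRLSign (`MA4GA1UdDwEB/wQEAwIBgjA`), share one EC public key, and all name `IntermediateCertWithVid1` as issuer via AKID; presumably the cRLSign bit is what qualifies them as CRL signers, and since none of this is visible in base64 it deserves a comment at the head of the leaf group too.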
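Review bot: `IntermediateSubjectKeyIDWithoutColumns` is a misnomer — `4E3B73F4…` is `IntermediateSubjectKeyID` with the colons removed, not columns, and the same suffix is reused for the root and PAI constants added further down in this file. Rename to `IntermediateSubjectKeyIDWithoutColons` (and its siblings) before tests start depending on the name, or, if that is too much churn for this PR, add `// Same SKID as IntermediateSubjectKeyID, in the colon-free form expected by issuerSubjectKeyID.` so readers know the two constants are one identifier.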
@@ -657,16 +712,39 @@ M6mDL6NurBAW1pJlg8OT TestCertPemVid = 4701 - RootCertWithVidSubject = "MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=" - RootCertWithVidSubjectKeyID = "CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31" - RootCertWithVidVid = 65521 + RootCertWithVidSubject = "MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE=" + RootCertWithVidSubjectKeyID = "CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31" + RootCertWithVidSubjectKeyIDWithoutColumns = "CEA89266EAE080BD2BB568E40B07C4FA2C346D31" + RootCertWithVidVid = 65521 - IntermediateCertWithVid1Subject = "MIGuMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDARGRkYx" - IntermediateCertWithVid1SubjectKeyID = "0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17" - IntermediateCertWithVid1SerialNumber = "3" - IntermediateCertWithVid1Vid = 65521 + IntermediateCertWithVid1Subject = "MIGuMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjExFDASBgorBgEEAYKifAICDARGRkYx" + IntermediateCertWithVid1SubjectKeyID = "0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17" + IntermediateCertWithVid1SubjectKeyIDWithoutColumns = "0E8CE8C8B8AA50BC258556B9B19CC2C7D9C52F17" + IntermediateCertWithVid1SerialNumber = "3" + IntermediateCertWithVid1Vid = 65521 IntermediateCertWithVid2SubjectKeyID = "0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17" 
IntermediateCertWithVid2SerialNumber = "4" IntermediateCertWithVid2Vid = 65522 + + LeafCertWithVidSubject = "MIGaMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRowGAYDVQQKDBFDUkwtbGVhZiB3aXRoIFZJRDEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGConwCAQwERkZGMQ==" + LeafCertWithVidSubjectAsText = "CN=www.example.com,OU=Testing Division,O=CRL-leaf with VID,L=New York,ST=New York,C=US,vid=0xFFF1" + LeafCertWithVidSubjectKeyID = "D6:98:26:10:BE:AC:23:74:09:0A:40:0B:CD:39:65:53:F1:76:B0:F5" + LeafCertWithVidAuthorityKeyID = IntermediateCertWithVid1SubjectKeyID + LeafCertWithVidSerialNumber = "23733396166621909643583307546615137635389084912" + LeafCertWithVidVid = 65521 + + LeafCertWithVidPidSubject = "MIG4MQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSIwIAYDVQQKDBlDUkwtbGVhZiB3aXRoIFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGConwCAgwERkZGMQ==" + LeafCertWithVidPidSubjectAsText = "CN=www.example.com,OU=Testing Division,O=CRL-leaf with VID and PID,L=New York,ST=New York,C=US,pid=0xFFF1,vid=0xFFF1" + LeafCertWithVidPidSubjectKeyID = "D6:98:26:10:BE:AC:23:74:09:0A:40:0B:CD:39:65:53:F1:76:B0:F5" + LeafCertWithVidPidAuthorityKeyID = IntermediateCertWithVid1SubjectKeyID + LeafCertWithVidPidSerialNumber = "157838490760642822714861562571853387507185816418" + LeafCertWithVidPidVid = 65521 + LeafCertWithVidPidPid = 65521 + + LeafCertWithoutVidPidSubject = "MIGPMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSUwIwYDVQQKDBxDUkwtbGVhZiB3aXRob3V0IFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20=" + LeafCertWithoutVidPidSubjectAsText = "CN=www.example.com,OU=Testing Division,O=CRL-leaf without VID and PID,L=New York,ST=New York,C=US" + LeafCertWithoutVidPidSubjectKeyID = "D6:98:26:10:BE:AC:23:74:09:0A:40:0B:CD:39:65:53:F1:76:B0:F5" + 
LeafCertWithoutVidPidAuthorityKeyID = IntermediateCertWithVid1SubjectKeyID + LeafCertWithoutVidPidSerialNumber = "76908939670186132114931832808683834138281370088" ) diff --git a/integration_tests/constants/intermediate_cert_with_vid_1 b/integration_tests/constants/intermediate_cert_with_vid_1 index 41e40b049..2a8e9b086 100644 --- a/integration_tests/constants/intermediate_cert_with_vid_1 +++ b/integration_tests/constants/intermediate_cert_with_vid_1 @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICejCCAiGgAwIBAgIBAzAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP +MIICiTCCAi+gAwIBAgIBAzAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh bXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD -DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDIy -NjEyMDczMloYDzMwMjMwNjI5MTIwNzMyWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV +DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDMy +NzA2MDcxMloYDzMwMjMwNzI5MDYwNzEyWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV BAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhhbXBs ZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93 d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMRQwEgYKKwYBBAGC onwCAgwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOTNh8u27CnRGdj0 G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7 -1jRkVsyjQjBAMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME -GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAKBggqhkjOPQQDAgNHADBEAiAOQSIQ -sdClGJ86LQ1p7e+kb0Dg+YsyxIv2XHdUvIVn2gIgBkbzBccRbDG3p/+gnPhF+7xP -T/SKbO+GZvoizizl6Gc= +1jRkVsyjUDBOMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME +GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49 +BAMCA0gAMEUCIQCy8SeF6UXIGM+0X6fc5tqSrgAQ1nCN5cvsWyfZvH0y9wIgQ45S +TXQomsOa4eHQpJzsY/JQqprA0FapY1nsvL+PQFg= -----END CERTIFICATE----- \ No newline at end of file 
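Review bot: `LeafCertWithVidSubjectKeyID`, `LeafCertWithVidPidSubjectKeyID` and `LeafCertWithoutVidPidSubjectKeyID` are all `D6:98:26:10:…:B0:F5`, every `*AuthorityKeyID` in the group aliases `IntermediateCertWithVid1SubjectKeyID`, and that value is in turn identical to `IntermediateCertWithVid2SubjectKeyID` just above — so key identifiers cannot tell any of these fixtures apart, only subject and serial can. That is acceptable for test data, but it is exactly the property a revocation-point test keyed on `issuerSubjectKeyID` can trip over, so it should be stated once at the top of the leaf block: `// All leaf fixtures share one key pair (same SKID) and are issued by IntermediateCertWithVid1; distinguish them by subject/serial, never by key IDs.` The `*SerialNumber` values are decimal renderings of the 20-byte serials in the PEMs; noting that they are copied from the certificate rather than chosen would help whoever regenerates them.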
diff --git a/integration_tests/constants/intermediate_cert_with_vid_1_copy b/integration_tests/constants/intermediate_cert_with_vid_1_copy new file mode 100644 index 000000000..499a9e4b5 --- /dev/null +++ b/integration_tests/constants/intermediate_cert_with_vid_1_copy @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICnTCCAkKgAwIBAgIUD05hvGL08UmRJivrVoLd/raw9gswCgYIKoZIzj0EAwIw +gZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTAgFw0yNDAzMjcxNTQyNDBaGA8zMDIzMDcyOTE1NDI0MFowga4x +CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlv +cmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGluZyBE +aXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGConwC +AQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAATkzYfLtuwp0RnY9BtP89KKPa7CnKYFKIEPH2GBIP0ApWBRyboRW39T +PlXXjEnG5ZabeJBh9ooe2lNW+9Y0ZFbMo1AwTjAdBgNVHQ4EFgQUDozoyLiqULwl +hVa5sZzCx9nFLxcwHwYDVR0jBBgwFoAUzqiSZurggL0rtWjkCwfE+iw0bTEwDAYD +VR0TBAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAl/iTG29rwOctwFeMaHgTodgd +DYLiKs1zgIKJhrFxgkICIQCGd/dl4uGHg4bHO9ip46oMrsTs0OZNtEYx9df8AG7w +IA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/integration_tests/constants/intermediate_cert_with_vid_2 b/integration_tests/constants/intermediate_cert_with_vid_2 index f3397aa54..ffbf0b90d 100644 --- a/integration_tests/constants/intermediate_cert_with_vid_2 +++ b/integration_tests/constants/intermediate_cert_with_vid_2 
@@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICezCCAiGgAwIBAgIBBDAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP +MIICiDCCAi+gAwIBAgIBBDAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh bXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD -DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDIy -NjEzMDcwNVoYDzMwMjMwNjI5MTMwNzA1WjCBrjELMAkGA1UEBhMCVVMxETAPBgNV +DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDMy +NzE1MzQxMVoYDzMwMjMwNzI5MTUzNDExWjCBrjELMAkGA1UEBhMCVVMxETAPBgNV BAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhhbXBs ZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93 d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYyMRQwEgYKKwYBBAGC onwCAgwERkZGMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOTNh8u27CnRGdj0 G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7 -1jRkVsyjQjBAMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME -GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAKBggqhkjOPQQDAgNIADBFAiEAkApx -PWFFDoptmYnsW1QhKqrcD+xmFgJA4SWTH5Q1efMCIDWqdG0sAgum+FphfM4HF6XV -M6mDL6NurBAW1pJlg8OT +1jRkVsyjUDBOMB0GA1UdDgQWBBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAfBgNVHSME +GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49 +BAMCA0cAMEQCIHkhL7r/xEi16827IYysHe0w8X0rsbU5zcHcbK1wt0ALAiASEZMI +NN1ZIQJHBjCm+vWh3Jsjt2wUHKIM5i64Wd9kPA== -----END CERTIFICATE----- \ No newline at end of file diff --git a/integration_tests/constants/leaf_cert_with_vid_65521 b/integration_tests/constants/leaf_cert_with_vid_65521 new file mode 100644 index 000000000..01cefbc6c --- /dev/null +++ b/integration_tests/constants/leaf_cert_with_vid_65521 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAlSgAwIBAgIUBCg+BsyaPLK2sNxttFUIbDF/FPAwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI2MTAyNDI1 +WhgPMzAyMzA3MjgxMDI0MjVaMIGaMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRowGAYDVQQKDBFDUkwtbGVhZiB3aXRo +IFZJRDEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4 +YW1wbGUuY29tMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABNk/8AZJsYEd7kBVDv5c+Mm4kNsuyMF1d+UTOTlptsCzx4YwLlCX +SSr2SwDHbkRvMbp5cfFt9uyNc0Tx3bVVyPWjYDBeMB0GA1UdDgQWBBTWmCYQvqwj +dAkKQAvNOWVT8Xaw9TAfBgNVHSMEGDAWgBQOjOjIuKpQvCWFVrmxnMLH2cUvFzAM +BgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIBgjAKBggqhkjOPQQDAgNIADBFAiEA +nAoa731+XkR5/0XaESqHG40IZysduxN8sJo2sJpPvvwCICGn7oAwDmQh0umEJ6dK +Vtv3RJ9iuKtC/fkzUzhv9c0z +-----END CERTIFICATE----- \ No newline at end of file diff --git a/integration_tests/constants/leaf_cert_with_vid_65522 b/integration_tests/constants/leaf_cert_with_vid_65522 new file mode 100644 index 000000000..e1fa2e5a0 --- /dev/null +++ b/integration_tests/constants/leaf_cert_with_vid_65522 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuTCCAl+gAwIBAgIUJ8QWVXvctSk1w7hRdtLIvrgglgAwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI3MTI1MDI3 +WhgPMzAyMzA3MjkxMjUwMjdaMIGlMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSUwIwYDVQQKDBxDUkwtbGVhZiB3aXRo +b3V0IFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYD +VQQDDA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYyMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAE2T/wBkmxgR3uQFUO/lz4ybiQ2y7IwXV35RM5 +OWm2wLPHhjAuUJdJKvZLAMduRG8xunlx8W327I1zRPHdtVXI9aNgMF4wHQYDVR0O +BBYEFNaYJhC+rCN0CQpAC805ZVPxdrD1MB8GA1UdIwQYMBaAFA6M6Mi4qlC8JYVW +ubGcwsfZxS8XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgGCMAoGCCqGSM49 +BAMCA0gAMEUCIQCqGZtCl5fCQf9KIAl6rOE9Xegf/NZAtrJoVmDfJ8yFbgIgZXBs +CBffM8rd8twMhqjhovJDeDRYSbYeWq8mgdLkycc= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/integration_tests/constants/leaf_cert_without_vid b/integration_tests/constants/leaf_cert_without_vid new file mode 100644 index 000000000..be68beed4 --- /dev/null +++ b/integration_tests/constants/leaf_cert_without_vid 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICozCCAkmgAwIBAgIUDXi3VEZsSRTrSqZuIqDWX0Ar4egwCgYIKoZIzj0EAwIw +ga4xCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTEUMBIGCisGAQQBgqJ8AgIMBEZGRjEwIBcNMjQwMzI2MTEwNjIz +WhgPMzAyMzA3MjgxMTA2MjNaMIGPMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3 +IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMSUwIwYDVQQKDBxDUkwtbGVhZiB3aXRo +b3V0IFZJRCBhbmQgUElEMRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYD +VQQDDA93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ +P/AGSbGBHe5AVQ7+XPjJuJDbLsjBdXflEzk5abbAs8eGMC5Ql0kq9ksAx25EbzG6 +eXHxbfbsjXNE8d21Vcj1o2AwXjAdBgNVHQ4EFgQU1pgmEL6sI3QJCkALzTllU/F2 +sPUwHwYDVR0jBBgwFoAUDozoyLiqULwlhVa5sZzCx9nFLxcwDAYDVR0TAQH/BAIw +ADAOBgNVHQ8BAf8EBAMCAYIwCgYIKoZIzj0EAwIDSAAwRQIhAPIzS2Tlov+9/R6U +fJhEWAA8mOgN9OVCdPWAegWuN3b2AiApXciu/dT4B5db3puPWrAsMjAUYF2Owc/D +eujhLsD51w== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/proto/pki/pki_revocation_distribution_point.proto b/proto/pki/pki_revocation_distribution_point.proto index 7818ab4e2..6b7338e7f 100644 --- a/proto/pki/pki_revocation_distribution_point.proto +++ b/proto/pki/pki_revocation_distribution_point.proto @@ -16,5 +16,6 @@ message PkiRevocationDistributionPoint { uint32 dataDigestType = 10; uint32 revocationType = 11; uint32 schemaVersion = 12; + string crlSignerDelegator = 13; } diff --git a/proto/pki/tx.proto b/proto/pki/tx.proto index c16050eb0..ea750f404 100644 --- a/proto/pki/tx.proto +++ b/proto/pki/tx.proto 
@@ -131,6 +131,7 @@ message MsgAddPkiRevocationDistributionPoint { uint32 dataDigestType = 11; uint32 revocationType = 12 [(gogoproto.moretags) = "validate:\"required\""]; uint32 schemaVersion = 13 [(gogoproto.moretags) = "validate:\"gte=0,lte=65535\""]; + string crlSignerDelegator = 14 [(gogoproto.moretags) = "validate:\"max=10485760\""]; } message MsgAddPkiRevocationDistributionPointResponse { @@ -147,6 +148,7 @@ message MsgUpdatePkiRevocationDistributionPoint { string dataDigest = 8; uint32 dataDigestType = 9; uint32 schemaVersion = 10 [(gogoproto.moretags) = "validate:\"gte=0,lte=65535\""]; + string crlSignerDelegator = 11 [(gogoproto.moretags) = "validate:\"max=10485760\""]; } message MsgUpdatePkiRevocationDistributionPointResponse { diff --git a/types/pki/errors.go b/types/pki/errors.go index 407128a66..0133e4004 100644 --- a/types/pki/errors.go +++ b/types/pki/errors.go @@ -49,6 +49,8 @@ var ( ErrCertNotChainedBack = sdkerrors.Register(ModuleName, 438, "Certificate is not chained back to a root certificate on DCL") ErrCertVidNotEqualAccountVid = sdkerrors.Register(ModuleName, 439, "account's vid is not equal to certificate vid") ErrCertVidNotEqualToRootVid = sdkerrors.Register(ModuleName, 440, "certificate's vid is not equal to vid of root certificate ") + ErrCRLSignerCertificateInvalidFormat = sdkerrors.Register(ModuleName, 441, "invalid CRLSignerCertificate certificate") + ErrInvalidAuthorityKeyIDFormat = sdkerrors.Register(ModuleName, 442, "invalid AuthorityKeyID format") ) func NewErrUnauthorizedRole(transactionName string, requiredRole types.AccountRole) error { 
@@ -231,6 +233,13 @@ func NewErrRootCertVidNotEqualToAccountVid(rootVID int32, accountVID int32) erro rootVID, accountVID) } +func NewErrCRLSignerCertificateInvalidFormat() error { + return sdkerrors.Wrapf( + ErrCRLSignerCertificateInvalidFormat, + "Invalid CRL Signer Certificate format", + ) +} + func NewErrCRLSignerCertificatePidNotEqualMsgPid(certificatePid int32, messagePid int32) error { return sdkerrors.Wrapf( ErrCRLSignerCertificatePidNotEqualMsgPid, @@ -296,6 +305,14 @@ func NewErrWrongSubjectKeyIDFormat() error { ) } +func NewErrInvalidAuthorityKeyIDFormat() error { + return sdkerrors.Wrapf( + ErrInvalidAuthorityKeyIDFormat, + "Invalid AuthorityKeyID format. It must consist of even number of uppercase hexadecimal characters ([0-9A-F]), "+ + "with no whitespace and no non-hexadecimal characters", + ) +} + func NewErrVidNotFound(e interface{}) error { return sdkerrors.Wrapf(ErrVidNotFound, "%v", e) @@ -387,3 +404,11 @@ func NewErrCertificateVidNotEqualMsgVid(e interface{}) error { func NewErrCertNotChainedBack() error { return sdkerrors.Wrapf(ErrCertNotChainedBack, "CRL Signer Certificate is not chained back to root certificate on DCL") } + +func NewErrCRLSignerCertNotChainedBackToDelegator() error { + return sdkerrors.Wrapf(ErrCertNotChainedBack, "CRL Signer Certificate is not chained back to delegated PAI CRL Signer certificate") +} + +func NewErrCRLSignerCertDelegatorNotChainedBack() error { + return sdkerrors.Wrapf(ErrCertNotChainedBack, "Delegated CRL Signer Certificate is not chained back to root certificate on DCL") +} diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts index e76620458..c1ab351c9 100644 
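Review bot: In the last hunk, NewErrCRLSignerCertNotChainedBackToDelegator and NewErrCRLSignerCertDelegatorNotChainedBack both wrap ErrCertNotChainedBack, so a caller or test using errors.Is cannot distinguish "signer not chained to the delegator" from "delegator not chained to DCL" from the plain not-chained-back case; only the message text differs. At the same time the hunk on the preceding line registers ErrCRLSignerCertificateInvalidFormat (441) and ErrInvalidAuthorityKeyIDFormat (442), yet the delegator decode failure in the keeper is reported through NewErrInvalidCertificate, and nothing visible in this patch references 441 or 442 (they may be consumed by a later patch of this 1/5 series). Consider giving the two delegator failures their own registered sentinels, or documenting on each constructor that they intentionally share code 438, and dropping any registered code that ends up unused.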
--- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts @@ -43,6 +43,9 @@ export interface PkiRevokedNocRootCertificates { subject?: string; subjectKeyId?: string; certs?: PkiCertificate[]; + + /** @format int64 */ + schemaVersion?: number; } export interface PkiCertificate { @@ -141,8 +144,10 @@ export interface PkiPkiRevocationDistributionPoint { /** @format int64 */ revocationType?: number; - /** @format int64 */ - schemaVersion?: number; + /** @format int64 */ + schemaVersion?: number; + + crlSignerDelegator?: string; } export interface PkiPkiRevocationDistributionPointsByIssuerSubjectKeyID { diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/pki_revocation_distribution_point.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/pki_revocation_distribution_point.ts index 4b44bb783..82c9f9783 100644 --- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/pki_revocation_distribution_point.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/pki_revocation_distribution_point.ts @@ -17,6 +17,7 @@ export interface PkiRevocationDistributionPoint { dataDigestType: number revocationType: number schemaVersion: number + crlSignerDelegator: string } const basePkiRevocationDistributionPoint: object = { 
@@ -31,7 +32,8 @@ const basePkiRevocationDistributionPoint: object = { dataDigest: '', dataDigestType: 0, revocationType: 0, - schemaVersion: 0 + schemaVersion: 0, + crlSignerDelegator: '' } export const PkiRevocationDistributionPoint = { @@ -72,6 +74,9 @@ export const PkiRevocationDistributionPoint = { if (message.schemaVersion !== 0) { writer.uint32(96).uint32(message.schemaVersion) } + if (message.crlSignerDelegator !== '') { + writer.uint32(106).string(message.crlSignerDelegator) + } return writer }, @@ -118,6 +123,9 @@ export const PkiRevocationDistributionPoint = { case 12: message.schemaVersion = reader.uint32() break + case 13: + message.crlSignerDelegator = reader.string() + break default: reader.skipType(tag & 7) break @@ -188,6 +196,11 @@ export const PkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = String(object.crlSignerDelegator) + } else { + message.crlSignerDelegator = '' + } return message }, @@ -205,6 +218,7 @@ export const PkiRevocationDistributionPoint = { message.dataDigestType !== undefined && (obj.dataDigestType = message.dataDigestType) message.revocationType !== undefined && (obj.revocationType = message.revocationType) message.schemaVersion !== undefined && (obj.schemaVersion = message.schemaVersion) + message.crlSignerDelegator !== undefined && (obj.crlSignerDelegator = message.crlSignerDelegator) return obj }, @@ -270,6 +284,11 @@ export const PkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = object.crlSignerDelegator + } else { + message.crlSignerDelegator = '' + } return message } } 
diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts index 77cbbbf95..4938da6a8 100644 --- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts @@ -99,6 +99,7 @@ export interface MsgAddPkiRevocationDistributionPoint { dataDigestType: number revocationType: number schemaVersion: number + crlSignerDelegator: string } export interface MsgAddPkiRevocationDistributionPointResponse {} @@ -114,6 +115,7 @@ export interface MsgUpdatePkiRevocationDistributionPoint { dataDigest: string dataDigestType: number schemaVersion: number + crlSignerDelegator: string } export interface MsgUpdatePkiRevocationDistributionPointResponse {} @@ -1525,7 +1527,8 @@ const baseMsgAddPkiRevocationDistributionPoint: object = { dataDigest: '', dataDigestType: 0, revocationType: 0, - schemaVersion: 0 + schemaVersion: 0, + crlSignerDelegator: '' } export const MsgAddPkiRevocationDistributionPoint = { @@ -1569,6 +1572,9 @@ export const MsgAddPkiRevocationDistributionPoint = { if (message.schemaVersion !== 0) { writer.uint32(104).uint32(message.schemaVersion) } + if (message.crlSignerDelegator !== '') { + writer.uint32(114).string(message.crlSignerDelegator) + } return writer }, @@ -1618,6 +1624,9 @@ export const MsgAddPkiRevocationDistributionPoint = { case 13: message.schemaVersion = reader.uint32() break + case 14: + message.crlSignerDelegator = reader.string() + break default: reader.skipType(tag & 7) break 
@@ -1693,6 +1702,11 @@ export const MsgAddPkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = String(object.crlSignerDelegator) + } else { + message.crlSignerDelegator = '' + } return message }, @@ -1711,6 +1725,7 @@ export const MsgAddPkiRevocationDistributionPoint = { message.dataDigestType !== undefined && (obj.dataDigestType = message.dataDigestType) message.revocationType !== undefined && (obj.revocationType = message.revocationType) message.schemaVersion !== undefined && (obj.schemaVersion = message.schemaVersion) + message.crlSignerDelegator !== undefined && (obj.crlSignerDelegator = message.crlSignerDelegator) return obj }, @@ -1781,6 +1796,11 @@ export const MsgAddPkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = object.crlSignerDelegator + } else { + message.crlSignerDelegator = '' + } return message } } @@ -1833,7 +1853,8 @@ const baseMsgUpdatePkiRevocationDistributionPoint: object = { dataFileSize: 0, dataDigest: '', dataDigestType: 0, - schemaVersion: 0 + schemaVersion: 0, + crlSignerDelegator: '' } export const MsgUpdatePkiRevocationDistributionPoint = { @@ -1868,6 +1889,9 @@ export const MsgUpdatePkiRevocationDistributionPoint = { if (message.schemaVersion !== 0) { writer.uint32(80).uint32(message.schemaVersion) } + if (message.crlSignerDelegator !== '') { + writer.uint32(90).string(message.crlSignerDelegator) + } return writer }, @@ -1908,6 +1932,9 @@ export const MsgUpdatePkiRevocationDistributionPoint = { case 10: message.schemaVersion = reader.uint32() break + case 11: + message.crlSignerDelegator = reader.string() + break default: reader.skipType(tag & 7) break 
@@ -1968,6 +1995,11 @@ export const MsgUpdatePkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = String(object.crlSignerDelegator) + } else { + message.crlSignerDelegator = '' + } return message }, @@ -1983,6 +2015,7 @@ export const MsgUpdatePkiRevocationDistributionPoint = { message.dataDigest !== undefined && (obj.dataDigest = message.dataDigest) message.dataDigestType !== undefined && (obj.dataDigestType = message.dataDigestType) message.schemaVersion !== undefined && (obj.schemaVersion = message.schemaVersion) + message.crlSignerDelegator !== undefined && (obj.crlSignerDelegator = message.crlSignerDelegator) return obj }, @@ -2038,6 +2071,11 @@ export const MsgUpdatePkiRevocationDistributionPoint = { } else { message.schemaVersion = 0 } + if (object.crlSignerDelegator !== undefined && object.crlSignerDelegator !== null) { + message.crlSignerDelegator = object.crlSignerDelegator + } else { + message.crlSignerDelegator = '' + } return message } } diff --git a/x/pki/client/cli/flags.go b/x/pki/client/cli/flags.go index a6322f0c8..25b0a497c 100644 --- a/x/pki/client/cli/flags.go +++ b/x/pki/client/cli/flags.go @@ -29,4 +29,5 @@ const ( FlagRevokeChild = "revoke-child" FlagRevokeChildShortcut = "r" FlagCertificateSchemaVersion = "certificate-schema-version" + FlagCertificateDelegator = "certificate-delegator" ) diff --git a/x/pki/client/cli/tx_add_pki_revocation_distribution_point.go b/x/pki/client/cli/tx_add_pki_revocation_distribution_point.go index 7ae91dfc0..bda5bc4f7 100644 --- a/x/pki/client/cli/tx_add_pki_revocation_distribution_point.go +++ b/x/pki/client/cli/tx_add_pki_revocation_distribution_point.go @@ -22,6 +22,7 @@ func CmdAddPkiRevocationDistributionPoint() *cobra.Command { isPAA bool label string crlSignerCertificate string + crlSignerDelegator string issuerSubjectKeyID string dataURL string dataFileSize uint64 
@@ -46,6 +47,11 @@ func CmdAddPkiRevocationDistributionPoint() *cobra.Command { return err } + crlSignerDelegatorPem, err := cli.ReadFromFile(crlSignerDelegator) + if err != nil { + return err + } + msg := types.NewMsgAddPkiRevocationDistributionPoint( clientCtx.GetFromAddress().String(), vid, @@ -53,6 +59,7 @@ func CmdAddPkiRevocationDistributionPoint() *cobra.Command { isPAA, label, cert, + crlSignerDelegatorPem, issuerSubjectKeyID, dataURL, dataFileSize, 
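Review bot: `cli.ReadFromFile(crlSignerDelegator)` is called unconditionally even though the new flag defaults to "" and the keeper treats an empty delegator as "not provided", so the command now relies on ReadFromFile returning an empty string for an empty argument rather than a file-not-found error; that behaviour is not visible here. If it is not guaranteed, read the file only when the flag is set: `var crlSignerDelegatorPem string` / `if crlSignerDelegator != "" { crlSignerDelegatorPem, err = cli.ReadFromFile(crlSignerDelegator); if err != nil { return err } }`. The update command's hunk two lines below has the same unconditional call. The enclosing RunE closure begins outside this hunk.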
@@ -79,6 +86,7 @@ func CmdAddPkiRevocationDistributionPoint() *cobra.Command { cmd.Flags().BoolVar(&isPAA, FlagIsPAA, true, "True if the revocation information distribution point relates to a PAA (Root certificate)") cmd.Flags().StringVarP(&label, FlagLabel, FlagLabelShortcut, "", " A label to disambiguate multiple revocation information partitions of a particular issuer") cmd.Flags().StringVarP(&crlSignerCertificate, FlagCertificate, FlagCertificateShortcut, "", "The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data") + cmd.Flags().StringVar(&crlSignerDelegator, FlagCertificateDelegator, "", "The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data") cmd.Flags().StringVar(&issuerSubjectKeyID, FlagIssuerSubjectKeyID, "", "Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: 5A880E6C3653D07FB08971A3F473790930E62BDB") cmd.Flags().StringVar(&dataURL, FlagDataURL, "", "The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either http or https") cmd.Flags().Uint64Var(&dataFileSize, FlagDataFileSize, 0, "Total size in bytes of the file found at the DataURL. Must be omitted if RevocationType is 1") diff --git a/x/pki/client/cli/tx_update_pki_revocation_distribution_point.go b/x/pki/client/cli/tx_update_pki_revocation_distribution_point.go index cfbfa75ae..533b0a295 100644 --- a/x/pki/client/cli/tx_update_pki_revocation_distribution_point.go 
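Review bot: The help text for FlagCertificateDelegator does not say that the delegator is only honoured for PAI (non-root) distribution points; the keeper's checkCRLSignerNonRootCert skips the delegator check whenever IsPAA is true, so a user passing it together with `--is-paa=true` gets no validation and no warning. Suggested wording: `"PEM-encoded X.509v3 certificate of the PAI that delegated CRL signing to the CRL Signer Certificate; only used when --is-paa=false. The CRL Signer Certificate must chain to this certificate, and this certificate must chain back to an approved certificate on the ledger. Accepts a PEM string or a path to a file."`. The same text is duplicated in the update command's flag two lines below.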
+++ b/x/pki/client/cli/tx_update_pki_revocation_distribution_point.go @@ -20,6 +20,7 @@ func CmdUpdatePkiRevocationDistributionPoint() *cobra.Command { vid int32 label string crlSignerCertificate string + crlSignerDelegator string issuerSubjectKeyID string dataURL string dataFileSize uint64 @@ -43,11 +44,17 @@ func CmdUpdatePkiRevocationDistributionPoint() *cobra.Command { return err } + crlSignerDelegatorPem, err := cli.ReadFromFile(crlSignerDelegator) + if err != nil { + return err + } + msg := types.NewMsgUpdatePkiRevocationDistributionPoint( clientCtx.GetFromAddress().String(), vid, label, cert, + crlSignerDelegatorPem, issuerSubjectKeyID, dataURL, dataFileSize, 
@@ -70,6 +77,7 @@ func CmdUpdatePkiRevocationDistributionPoint() *cobra.Command { "Vendor ID (positive non-zero). Must be the same as Vendor account's VID and vid field in the VID-scoped CRLSignerCertificate") cmd.Flags().StringVarP(&label, FlagLabel, FlagLabelShortcut, "", " A label to disambiguate multiple revocation information partitions of a particular issuer") cmd.Flags().StringVarP(&crlSignerCertificate, FlagCertificate, FlagCertificateShortcut, "", "The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data") + cmd.Flags().StringVar(&crlSignerDelegator, FlagCertificateDelegator, "", "The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data") cmd.Flags().StringVar(&issuerSubjectKeyID, FlagIssuerSubjectKeyID, "", "Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: 5A880E6C3653D07FB08971A3F473790930E62BDB") cmd.Flags().StringVar(&dataURL, FlagDataURL, "", "The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either http or https") cmd.Flags().Uint64Var(&dataFileSize, FlagDataFileSize, 0, "Total size in bytes of the file found at the DataURL. Must be omitted if RevocationType is 1") diff --git a/x/pki/handler_add_revocation_test.go b/x/pki/handler_add_revocation_test.go index 8ea6d8a5d..847d4fbc8 100644 --- a/x/pki/handler_add_revocation_test.go +++ b/x/pki/handler_add_revocation_test.go 
@@ -104,6 +104,63 @@ func TestHandler_AddPkiRevocationDistributionPoint_NegativeCases(t *testing.T) { addRevocation: createAddRevocationMessageWithPAACertNoVid(accAddress.String(), testconstants.Vid), err: pkitypes.ErrMessageVidNotEqualRootCertVid, }, + { + name: "Invalid PAI Delegator certificate", + accountVid: testconstants.LeafCertWithVidVid, + accountRole: dclauthtypes.Vendor, + rootCertOptions: createRootWithVidOptions(), + addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ + Signer: accAddress.String(), + Vid: testconstants.LeafCertWithVidVid, + IsPAA: false, + Pid: 0, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: "invalid", + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + RevocationType: types.CRLRevocationType, + }, + err: pkitypes.ErrInvalidCertificate, + }, + { + name: "CRL Signer Certificate is not chained back to Delegator PAI certificate", + accountVid: testconstants.LeafCertWithVidVid, + accountRole: dclauthtypes.Vendor, + rootCertOptions: createRootWithVidOptions(), + addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ + Signer: accAddress.String(), + Vid: testconstants.LeafCertWithVidVid, + IsPAA: false, + Pid: 0, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: testconstants.IntermediateCertPem, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateSubjectKeyIDWithoutColumns, + RevocationType: types.CRLRevocationType, + }, + err: pkitypes.ErrCertNotChainedBack, + }, + { + name: "Delegated CRL Signer Certificate is not chained back to root certificate on DCL", + accountVid: testconstants.LeafCertWithVidVid, + accountRole: dclauthtypes.Vendor, + rootCertOptions: createTestRootCertOptions(), + addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ + Signer: accAddress.String(), + Vid: testconstants.LeafCertWithVidVid, + IsPAA: false, + 
Pid: 0, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: testconstants.IntermediateCertWithVid1, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + RevocationType: types.CRLRevocationType, + }, + err: pkitypes.ErrCertNotChainedBack, + }, } for _, tc := range cases { @@ -172,7 +229,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { name: "PAANoVid", rootCertOptions: createPAACertNoVidOptions(testconstants.VendorID1), addRevocation: createAddRevocationMessageWithPAACertNoVid(vendorAcc.String(), testconstants.VendorID1), - SchemaVersion: 1000000, + SchemaVersion: 65535, }, { name: "PAIWithVid", @@ -188,7 +245,24 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, RevocationType: types.CRLRevocationType, }, - SchemaVersion: 999999999, + SchemaVersion: testconstants.SchemaVersion, + }, + { + name: "PAIWithDelegatedCert", + rootCertOptions: createTestRootCertOptions(), + addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: 65522, + IsPAA: false, + Pid: 0, + CrlSignerCertificate: testconstants.LeafCertPem, + CrlSignerDelegator: testconstants.IntermediateCertPem, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateSubjectKeyIDWithoutColumns, + RevocationType: types.CRLRevocationType, + }, + SchemaVersion: testconstants.SchemaVersion, }, } 
@@ -202,11 +276,11 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { _, err := setup.Handler(setup.Ctx, tc.addRevocation) require.NoError(t, err) - revocationPoint, isFound := setup.Keeper.GetPkiRevocationDistributionPoint(setup.Ctx, tc.addRevocation.Vid, label, testconstants.SubjectKeyIDWithoutColons) + revocationPoint, isFound := setup.Keeper.GetPkiRevocationDistributionPoint(setup.Ctx, tc.addRevocation.Vid, label, tc.addRevocation.IssuerSubjectKeyID) require.True(t, isFound) assertRevocationPointEqual(t, tc.addRevocation, &revocationPoint) - revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons) + revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, tc.addRevocation.IssuerSubjectKeyID) require.True(t, isFound) assertRevocationPointEqual(t, tc.addRevocation, revocationPointBySubjectKeyID.Points[0]) }) diff --git a/x/pki/handler_update_revocation_test.go b/x/pki/handler_update_revocation_test.go index 2f3732802..5f6dfe7c9 100644 --- a/x/pki/handler_update_revocation_test.go +++ b/x/pki/handler_update_revocation_test.go 
@@ -168,6 +168,42 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_NegativeCases(t *testing.T }, err: pkitypes.ErrDataFieldPresented, }, + { + name: "Invalid PAI Delegator certificate", + accountVid: testconstants.LeafCertWithVidVid, + vendorAccVid: testconstants.LeafCertWithVidVid, + accountRole: dclauthtypes.Vendor, + rootCertOptions: createRootWithVidOptions(), + addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), + updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.LeafCertWithVidVid, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: "invalid", + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + }, + err: pkitypes.ErrInvalidCertificate, + }, + { + name: "CRL Signer Certificate is not chained back to Delegator PAI certificate", + accountVid: testconstants.LeafCertWithVidVid, + vendorAccVid: testconstants.LeafCertWithVidVid, + accountRole: dclauthtypes.Vendor, + rootCertOptions: createRootWithVidOptions(), + addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), + updatedRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: testconstants.LeafCertWithVidVid, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: testconstants.IntermediateCertPem, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + }, + err: pkitypes.ErrCertNotChainedBack, + }, } for _, tc := range cases { 
@@ -683,6 +719,21 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField( IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, }, }, + { + name: "PAI_With_Delegated_Certificate", + rootCertOptions1: createTestRootCertOptions(), + rootCertOptions2: createRootWithVidOptions(), + addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()), + updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{ + Signer: vendorAcc.String(), + Vid: 65521, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: testconstants.IntermediateCertWithVid1, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + }, + }, } for _, tc := range cases { diff --git a/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go b/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go index f90f1b89b..2f95ad044 100644 --- a/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go +++ b/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go @@ -46,7 +46,7 @@ func (k msgServer) AddPkiRevocationDistributionPoint(goCtx context.Context, msg err = k.checkRootCert(ctx, crlSignerCertificate, msg) } else { // check that crlSignerCertificate is chained back to a certificate on the ledger - err = k.checkNonRootCert(ctx, crlSignerCertificate) + err = k.checkCRLSignerNonRootCert(ctx, crlSignerCertificate, msg.CrlSignerDelegator, msg.IsPAA) } if err != nil { return nil, err @@ -69,6 +69,7 @@ func (k msgServer) AddPkiRevocationDistributionPoint(goCtx context.Context, msg Pid: msg.Pid, IsPAA: msg.IsPAA, CrlSignerCertificate: msg.CrlSignerCertificate, + CrlSignerDelegator: msg.CrlSignerDelegator, DataURL: msg.DataURL, DataFileSize: msg.DataFileSize, DataDigest: msg.DataDigest, 
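Review bot: `CrlSignerDelegator: msg.CrlSignerDelegator` is persisted unconditionally in the second keeper hunk, but the value is only ever validated on the checkCRLSignerNonRootCert path and only when IsPAA is false; on the checkRootCert branch, or with IsPAA set, an arbitrary string is stored on the ledger as a "delegator" that was never decoded or chained. A stored-but-unverified certificate field is misleading to anyone consuming the distribution point, so the message should be rejected when a delegator is supplied in a case where it cannot be checked, before the entry is built. The dispatch condition that picks checkRootCert versus checkCRLSignerNonRootCert is outside the hunk, so where exactly to place that rejection depends on it; the silent `!isPAA` skip itself is in the function on the next line.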
@@ -116,9 +117,28 @@ func (k msgServer) checkRootCert(ctx sdk.Context, crlSignerCertificate *x509.Cer return nil } -func (k msgServer) checkNonRootCert(ctx sdk.Context, crlSignerCertificate *x509.Certificate) error { +func (k msgServer) checkCRLSignerNonRootCert(ctx sdk.Context, crlSignerCertificate *x509.Certificate, crlSignerDelegator string, isPAA bool) error { + if crlSignerDelegator != "" && !isPAA { + crlSignerDelegatorCert, err := x509.DecodeX509Certificate(crlSignerDelegator) + if err != nil { + return pkitypes.NewErrInvalidCertificate(err) + } + + // verify CRL Signer certificate against Delegated PAI certificate + if err = crlSignerCertificate.Verify(crlSignerDelegatorCert, ctx.BlockTime()); err != nil { + return pkitypes.NewErrCRLSignerCertNotChainedBackToDelegator() + } + + if _, err = k.verifyCertificate(ctx, crlSignerDelegatorCert); err != nil { + return pkitypes.NewErrCRLSignerCertDelegatorNotChainedBack() + } + + return nil + } + // check that it's chained back to a cert on DCL - if _, err := k.verifyCertificate(ctx, crlSignerCertificate); err != nil { + _, err := k.verifyCertificate(ctx, crlSignerCertificate) + if err != nil { return pkitypes.NewErrCertNotChainedBack() } diff --git a/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go b/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go index a433728fd..e770d3c98 100644 --- a/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go +++ b/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go 
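Review bot: `checkCRLSignerNonRootCert` silently drops a non-empty `crlSignerDelegator` when `isPAA` is true — the delegator branch is skipped and the CRL signer is only checked for a direct chain to the ledger — so a caller passing both gets success without the delegator ever being decoded, and `UpdatePkiRevocationDistributionPoint` then persists it. Make the mismatch explicit: `if isPAA && crlSignerDelegator != "" { return <error> }` ahead of the existing test, which can then shrink to `if crlSignerDelegator != ""`. The `Verify` failure also discards its underlying error, which makes a rejected delegator chain hard to diagnose; wrapping it the way the decode error is wrapped would help. A doc comment is missing, e.g. `// checkCRLSignerNonRootCert verifies a non-root CRL signer: with a delegator it must be signed by that PAI, which in turn must chain to a ledger certificate; without one it must chain to the ledger directly.` The function's trailing `return nil` lies outside the hunk.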
@@ -36,10 +36,13 @@ func (k msgServer) UpdatePkiRevocationDistributionPoint(goCtx context.Context, m // validate and update new values if msg.CrlSignerCertificate != "" { - if err := k.verifyUpdatedCertificate(ctx, msg.CrlSignerCertificate, &pkiRevocationDistributionPoint); err != nil { + err = k.verifyUpdatedCertificate(ctx, msg.CrlSignerCertificate, msg.CrlSignerDelegator, &pkiRevocationDistributionPoint) + if err != nil { return nil, err } + pkiRevocationDistributionPoint.CrlSignerCertificate = msg.CrlSignerCertificate + pkiRevocationDistributionPoint.CrlSignerDelegator = msg.CrlSignerDelegator } if pkiRevocationDistributionPoint.RevocationType == types.CRLRevocationType && (msg.DataFileSize != 0 || msg.DataDigest != "" || msg.DataDigestType != 0) { @@ -79,7 +82,7 @@ func (k msgServer) UpdatePkiRevocationDistributionPoint(goCtx context.Context, m return &types.MsgUpdatePkiRevocationDistributionPointResponse{}, nil } -func (k msgServer) verifyUpdatedCertificate(ctx sdk.Context, newCertificatePem string, revocationPoint *types.PkiRevocationDistributionPoint) error { +func (k msgServer) verifyUpdatedCertificate(ctx sdk.Context, newCertificatePem, newDelegatorCertPem string, revocationPoint *types.PkiRevocationDistributionPoint) error { oldCertificate, err := x509.DecodeX509Certificate(revocationPoint.CrlSignerCertificate) if err != nil { return pkitypes.NewErrInvalidCertificate(err) @@ -88,7 +91,7 @@ func (k msgServer) verifyUpdatedCertificate(ctx sdk.Context, newCertificatePem s if oldCertificate.IsSelfSigned() { err = k.verifyUpdatedPAA(ctx, newCertificatePem, revocationPoint) } else { - err = k.verifyUpdatedPAI(ctx, newCertificatePem, revocationPoint) + err = k.verifyUpdatedPAI(ctx, newCertificatePem, newDelegatorCertPem, revocationPoint) } if err != nil { 
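Review bot: The delegator is only written inside `if msg.CrlSignerCertificate != ""`, so an update that sends `CrlSignerDelegator` without a new `CrlSignerCertificate` is accepted but the delegator is silently ignored, while an update that sends a new certificate without repeating the delegator silently clears the stored one (the assignment copies the empty string). Both cases deserve a definite answer rather than silence; the simplest is to reject the first, `if msg.CrlSignerDelegator != "" && msg.CrlSignerCertificate == "" { return nil, <error> }`, and to state the second in the message/CLI help since the certificate must be re-sent anyway. The handler body begins before and continues after the hunk.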
@@ -154,7 +157,7 @@ func (k msgServer) verifyUpdatedPAA(ctx sdk.Context, newCertificatePem string, r return nil } -func (k msgServer) verifyUpdatedPAI(ctx sdk.Context, newCertificatePem string, revocationPoint *types.PkiRevocationDistributionPoint) error { +func (k msgServer) verifyUpdatedPAI(ctx sdk.Context, newCertificatePem, newDelegatorCertPem string, revocationPoint *types.PkiRevocationDistributionPoint) error { // decode new cert newCertificate, err := x509.DecodeX509Certificate(newCertificatePem) if err != nil { @@ -187,9 +190,18 @@ func (k msgServer) verifyUpdatedPAI(ctx sdk.Context, newCertificatePem string, r return pkitypes.NewErrPidNotFoundInCertificateButProvidedInRevocationPoint() } + // Check for static validation when CRL Signer is a Leaf certificate + if revocationPoint.IsPAA || revocationPoint.CrlSignerDelegator != "" { + err = types.VerifyCRLSignerCertFormat(newCertificate) + if err != nil { + return err + } + } + // check that it's chained back to a cert on DCL - if _, err = k.verifyCertificate(ctx, newCertificate); err != nil { - return pkitypes.NewErrCertNotChainedBack() + err = k.checkCRLSignerNonRootCert(ctx, newCertificate, newDelegatorCertPem, revocationPoint.IsPAA) + if err != nil { + return err } return nil diff --git a/x/pki/revocation_message_utils_test.go b/x/pki/revocation_message_utils_test.go index a1b2b8f67..bc4cd8782 100644 --- a/x/pki/revocation_message_utils_test.go +++ b/x/pki/revocation_message_utils_test.go 
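Review bot: The format gate `if revocationPoint.IsPAA || revocationPoint.CrlSignerDelegator != ""` looks at the delegator stored on the old point, not at `newDelegatorCertPem`, so an update that introduces a delegator for the first time skips `VerifyCRLSignerCertFormat` on the new leaf signer while `checkCRLSignerNonRootCert` still accepts it on chain-of-trust grounds; conversely, an update that drops the delegator still runs the leaf-format check against a certificate that must now be a PAI chaining directly to the ledger. The gate should follow the new value: `if revocationPoint.IsPAA || newDelegatorCertPem != "" {`. Whether MsgUpdate's ValidateBasic already performs this check is not visible in the diff, so the keeper check is the one to rely on. The closing brace of `verifyUpdatedPAI` sits after the hunk.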
@@ -66,6 +66,20 @@ func createAddRevocationMessageWithPAACertNoVid(signer string, vid int32) *types } } +func createAddRevocationMessageWithLeafCertWithVid(signer string) *types.MsgAddPkiRevocationDistributionPoint { + return &types.MsgAddPkiRevocationDistributionPoint{ + Signer: signer, + Vid: testconstants.LeafCertWithVidVid, + IsPAA: false, + CrlSignerCertificate: testconstants.LeafCertWithVid, + CrlSignerDelegator: testconstants.IntermediateCertWithVid1, + Label: label, + DataURL: testconstants.DataURL, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + RevocationType: types.CRLRevocationType, + } +} + func assertRevocationPointEqual(t *testing.T, expected *types.MsgAddPkiRevocationDistributionPoint, actual *types.PkiRevocationDistributionPoint) { require.Equal(t, expected.CrlSignerCertificate, actual.CrlSignerCertificate) require.Equal(t, expected.CrlSignerCertificate, actual.CrlSignerCertificate) diff --git a/x/pki/types/message_add_pki_revocation_distribution_point.go b/x/pki/types/message_add_pki_revocation_distribution_point.go index 00895f724..635c857dd 100644 --- a/x/pki/types/message_add_pki_revocation_distribution_point.go +++ b/x/pki/types/message_add_pki_revocation_distribution_point.go @@ -1,9 +1,12 @@ package types import ( + x509std "crypto/x509" + "encoding/asn1" "strings" sdk "github.com/cosmos/cosmos-sdk/types" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" "github.com/zigbee-alliance/distributed-compliance-ledger/utils/validator" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/x509" 
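Review bot: `assertRevocationPointEqual`, whose first lines appear as context right after the new helper, compares `CrlSignerCertificate` twice and never compares `CrlSignerDelegator`, so the handler tests that use `createAddRevocationMessageWithLeafCertWithVid` cannot detect the delegator being dropped or mis-stored. Replace the duplicated line with `require.Equal(t, expected.CrlSignerDelegator, actual.CrlSignerDelegator)`. The rest of that helper is outside the hunk.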
@@ -14,7 +17,7 @@ const TypeMsgAddPkiRevocationDistributionPoint = "add_pki_revocation_distributio var _ sdk.Msg = &MsgAddPkiRevocationDistributionPoint{} func NewMsgAddPkiRevocationDistributionPoint(signer string, vid int32, pid int32, isPAA bool, label string, - crlSignerCertificate string, issuerSubjectKeyID string, dataURL string, dataFileSize uint64, dataDigest string, + crlSignerCertificate string, crlSignerDelegator string, issuerSubjectKeyID string, dataURL string, dataFileSize uint64, dataDigest string, dataDigestType uint32, revocationType uint32, schemaVersion uint32) *MsgAddPkiRevocationDistributionPoint { return &MsgAddPkiRevocationDistributionPoint{ Signer: signer, @@ -23,6 +26,7 @@ func NewMsgAddPkiRevocationDistributionPoint(signer string, vid int32, pid int32 IsPAA: isPAA, Label: label, CrlSignerCertificate: crlSignerCertificate, + CrlSignerDelegator: crlSignerDelegator, IssuerSubjectKeyID: issuerSubjectKeyID, DataURL: dataURL, DataFileSize: dataFileSize, @@ -61,8 +65,9 @@ func (msg *MsgAddPkiRevocationDistributionPoint) verifyPAA(cert *x509.Certificat return pkitypes.NewErrNotEmptyPidForRootCertificate() } - if !cert.IsSelfSigned() { - return pkitypes.NewErrRootCertificateIsNotSelfSigned() + pid, _ := x509.GetPidFromSubject(cert.SubjectAsText) + if pid != 0 { + return pkitypes.NewErrNotEmptyPidForNonRootCertificate() } // verify VID @@ -75,6 +80,13 @@ func (msg *MsgAddPkiRevocationDistributionPoint) verifyPAA(cert *x509.Certificat return pkitypes.NewErrCRLSignerCertificateVidNotEqualMsgVid(vid, msg.Vid) } + if !cert.IsSelfSigned() { + err = VerifyCRLSignerCertFormat(cert) + if err != nil { + return err + } + } + return nil } 
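Review bot: With the self-signed requirement removed, `verifyPAA` now accepts a non-root certificate under `IsPAA == true` (it runs `VerifyCRLSignerCertFormat` on it), yet the error it returns for a PID in the subject is `NewErrNotEmptyPidForNonRootCertificate` although this is the PAA path, and the meaning of "IsPAA with a non-self-signed signer" is documented nowhere in the hunk. I'd add `// verifyPAA validates the CRL signer of a PAA revocation point: either the PAA itself (self-signed) or a CRL-signing leaf issued directly by the PAA, which must pass the CRL-signer format checks`, and either reuse the root-specific PID error or rename the new one so its text matches the case. Whether `checkRootCert` in the keeper still insists on a self-signed certificate is not visible here, so the two layers may now disagree on what `IsPAA` permits. The start of `verifyPAA` is outside the hunk.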
@@ -108,6 +120,62 @@ func (msg *MsgAddPkiRevocationDistributionPoint) verifyPAI(cert *x509.Certificat return pkitypes.NewErrCRLSignerCertificatePidNotEqualMsgPid(pid, msg.Pid) } + if msg.CrlSignerDelegator != "" { + if cert.AuthorityKeyID == "" { + return pkitypes.NewErrInvalidAuthorityKeyIDFormat() + } + err = VerifyCRLSignerCertFormat(cert) + if err != nil { + return err + } + } + + return nil +} + +func VerifyCRLSignerCertFormat(certificate *x509.Certificate) error { + if certificate.SubjectKeyID == "" { + return pkitypes.NewErrWrongSubjectKeyIDFormat() + } + + cert := certificate.Certificate + if cert.Version != 3 { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + + if cert.SignatureAlgorithm != x509std.ECDSAWithSHA256 { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + + if cert.PublicKeyAlgorithm != x509std.ECDSA { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + // Basic Constraint extension should be marked critical and have the cA field set to false + if !cert.BasicConstraintsValid || cert.IsCA { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + + // Key Usage extension should be marked critical + oidKeyUsage := asn1.ObjectIdentifier{2, 5, 29, 15} + isCritical := false + for _, ext := range cert.Extensions { + if ext.Id.Equal(oidKeyUsage) { + isCritical = ext.Critical + + break + } + } + if !isCritical { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + + if cert.KeyUsage&x509std.KeyUsageCRLSign == 0 { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + if cert.KeyUsage&^(x509std.KeyUsageCRLSign|x509std.KeyUsageDigitalSignature) != 0 { + return pkitypes.NewErrCRLSignerCertificateInvalidFormat() + } + return nil } 
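Review bot: The comment in `VerifyCRLSignerCertFormat` says Basic Constraints must be critical with cA=false, but the code checks only `BasicConstraintsValid` and `!IsCA`, so a non-critical Basic Constraints extension passes; the criticality loop is written for Key Usage only. Factor that loop into a helper that reports the critical flag of a given extension OID and apply it to both 2.5.29.19 and 2.5.29.15 (assuming `certificate.Certificate` is a `*crypto/x509.Certificate`, which the use of `cert.Extensions` suggests). The `cert.Version != 3` test relies on Go's 1-based `Certificate.Version`; a one-line comment saying so would stop a future reader "fixing" it to 2.

```go
// extensionCritical reports whether the extension identified by oid is present
// on cert and marked critical; an absent extension counts as not critical.
func extensionCritical(cert *x509std.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return ext.Critical
		}
	}
	return false
}

func VerifyCRLSignerCertFormat(certificate *x509.Certificate) error {
	// … unchanged: SubjectKeyID, Version (Go's Version is 1-based, so 3 == v3), signature/public key algorithm checks …

	// Basic Constraints (2.5.29.19) must be present, critical and cA=false
	if !cert.BasicConstraintsValid || cert.IsCA || !extensionCritical(cert, asn1.ObjectIdentifier{2, 5, 29, 19}) {
		return pkitypes.NewErrCRLSignerCertificateInvalidFormat()
	}

	// Key Usage (2.5.29.15) must be present and critical
	if !extensionCritical(cert, asn1.ObjectIdentifier{2, 5, 29, 15}) {
		return pkitypes.NewErrCRLSignerCertificateInvalidFormat()
	}

	// … unchanged: cRLSign must be set and no bits beyond cRLSign/digitalSignature …
```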
@@ -200,11 +268,11 @@ func (msg *MsgAddPkiRevocationDistributionPoint) ValidateBasic() error { return err } - if err := msg.verifyFields(); err != nil { + if err = msg.verifyFields(); err != nil { return err } - if err := msg.verifySignerCertificate(); err != nil { + if err = msg.verifySignerCertificate(); err != nil { return err } diff --git a/x/pki/types/message_add_pki_revocation_distribution_point_test.go b/x/pki/types/message_add_pki_revocation_distribution_point_test.go index 2ca3838c0..bef8c6ec5 100644 --- a/x/pki/types/message_add_pki_revocation_distribution_point_test.go +++ b/x/pki/types/message_add_pki_revocation_distribution_point_test.go @@ -1,15 +1,18 @@ package types import ( - fmt "fmt" + x509std "crypto/x509" + "fmt" "testing" sdkerrors "github.com/cosmos/cosmos-sdk/types/errors" "github.com/stretchr/testify/require" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" "github.com/zigbee-alliance/distributed-compliance-ledger/testutil/sample" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" "github.com/zigbee-alliance/distributed-compliance-ledger/utils/validator" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/x509" ) func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { 
@@ -365,20 +368,6 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { }, err: pkitypes.ErrNonRootCertificateSelfSigned, }, - { - name: "IsPAA true, certificate is non-root", - msg: MsgAddPkiRevocationDistributionPoint{ - Signer: sample.AccAddress(), - Vid: testconstants.Vid, - IsPAA: true, - CrlSignerCertificate: testconstants.IntermediateCertPem, - Label: "label", - DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, - RevocationType: 1, - }, - err: pkitypes.ErrRootCertificateIsNotSelfSigned, - }, { name: "PAA is true, CRL signer certificate contains vid != msg.vid", msg: MsgAddPkiRevocationDistributionPoint{ @@ -461,12 +450,12 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { name: "minimal msg isPAA true", msg: MsgAddPkiRevocationDistributionPoint{ Signer: sample.AccAddress(), - Vid: testconstants.PAACertWithNumericVidVid, + Vid: testconstants.LeafCertWithVidVid, IsPAA: true, - CrlSignerCertificate: testconstants.PAACertWithNumericVid, + CrlSignerCertificate: testconstants.LeafCertWithVid, Label: "label", DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, RevocationType: 1, }, }, 
@@ -474,13 +463,12 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { name: "minimal msg isPAA false", msg: MsgAddPkiRevocationDistributionPoint{ Signer: sample.AccAddress(), - Vid: testconstants.PAICertWithNumericPidVidVid, + Vid: testconstants.LeafCertWithVidVid, IsPAA: false, - Pid: testconstants.PAICertWithNumericPidVidPid, - CrlSignerCertificate: testconstants.PAICertWithNumericPidVid, + CrlSignerCertificate: testconstants.LeafCertWithVid, Label: "label", DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, RevocationType: 1, }, }, @@ -488,12 +476,12 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { name: "vid == cert.vid", msg: MsgAddPkiRevocationDistributionPoint{ Signer: sample.AccAddress(), - Vid: testconstants.PAACertWithNumericVidVid, + Vid: testconstants.LeafCertWithVidVid, IsPAA: true, - CrlSignerCertificate: testconstants.PAACertWithNumericVid, + CrlSignerCertificate: testconstants.LeafCertWithVid, Label: "label", DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, RevocationType: 1, }, }, 
@@ -501,13 +489,13 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { name: "vid == cert.vid, pid == cert.pid", msg: MsgAddPkiRevocationDistributionPoint{ Signer: sample.AccAddress(), - Vid: testconstants.PAICertWithNumericPidVidVid, + Vid: testconstants.LeafCertWithVidPidVid, IsPAA: false, - CrlSignerCertificate: testconstants.PAICertWithNumericPidVid, + CrlSignerCertificate: testconstants.LeafCertWithVidPid, Label: "label", DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, - Pid: testconstants.PAICertWithNumericPidVidPid, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, + Pid: testconstants.LeafCertWithVidPidPid, RevocationType: 1, }, }, @@ -530,10 +518,10 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { Signer: sample.AccAddress(), Vid: testconstants.Vid, IsPAA: true, - CrlSignerCertificate: testconstants.RootCertPem, + CrlSignerCertificate: testconstants.LeafCertWithoutVidPid, Label: "label", DataURL: testconstants.DataURL, - IssuerSubjectKeyID: testconstants.SubjectKeyIDWithoutColons, + IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns, RevocationType: 1, }, }, 
@@ -582,3 +570,80 @@ func TestMsgAddPkiRevocationDistributionPoint_ValidateBasic(t *testing.T) { }) } } +func TestMsgAddPkiRevocationDistributionPoint_verifyCRLCertFormat(t *testing.T) { + negativeTests := []struct { + name string + init func(*x509.Certificate) + err error + }{ + { + name: "empty subject-key-id", + init: func(certificate *x509.Certificate) { + certificate.SubjectKeyID = "" + }, + err: pkitypes.ErrWrongSubjectKeyIDFormat, + }, + { + name: "version is not v3", + init: func(certificate *x509.Certificate) { + certificate.Certificate.Version = 2 + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + { + name: "SignatureAlgorithm is not ECDSAWithSHA256", + init: func(certificate *x509.Certificate) { + certificate.Certificate.SignatureAlgorithm = x509std.ECDSAWithSHA384 + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + { + name: "PublicKeyAlgorithm is not ECDSA", + init: func(certificate *x509.Certificate) { + certificate.Certificate.PublicKeyAlgorithm = x509std.Ed25519 + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + { + name: "Key Usage extension is not critical", + init: func(certificate *x509.Certificate) { + certificate.Certificate.Extensions[3].Critical = false + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + { + name: "The cRLSign bits is not in the KeyUsage bitstring", + init: func(certificate *x509.Certificate) { + certificate.Certificate.KeyUsage = x509std.KeyUsageCertSign + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + { + name: "Other Key Usage bits expect KeyUsageCRLSign and KeyUsageDigitalSignature is not be set", + init: func(certificate *x509.Certificate) { + certificate.Certificate.KeyUsage = x509std.KeyUsageCertSign | x509std.KeyUsageCRLSign | x509std.KeyUsageDigitalSignature + }, + err: pkitypes.ErrCRLSignerCertificateInvalidFormat, + }, + } + + for _, tt := range negativeTests { + t.Run(tt.name, func(t *testing.T) { + cert, err := 
x509.DecodeX509Certificate(testconstants.LeafCertWithVid) + require.NoError(t, err) + + tt.init(cert) + + err = VerifyCRLSignerCertFormat(cert) + require.Error(t, err) + require.ErrorIs(t, err, tt.err) + }) + } + + // Positive case + cert, err := x509.DecodeX509Certificate(testconstants.LeafCertWithVid) + require.NoError(t, err) + + err = VerifyCRLSignerCertFormat(cert) + require.NoError(t, err) +} diff --git a/x/pki/types/message_update_pki_revocation_distribution_point.go b/x/pki/types/message_update_pki_revocation_distribution_point.go index 1b868ae31..81237c3da 100644 --- a/x/pki/types/message_update_pki_revocation_distribution_point.go +++ b/x/pki/types/message_update_pki_revocation_distribution_point.go @@ -13,12 +13,14 @@ const TypeMsgUpdatePkiRevocationDistributionPoint = "update_pki_revocation_distr var _ sdk.Msg = &MsgUpdatePkiRevocationDistributionPoint{} func NewMsgUpdatePkiRevocationDistributionPoint(signer string, vid int32, label string, crlSignerCertificate string, - issuerSubjectKeyID string, dataURL string, dataFileSize uint64, dataDigest string, dataDigestType uint32, schemaVersion uint32) *MsgUpdatePkiRevocationDistributionPoint { + crlSignerDelegator string, issuerSubjectKeyID string, dataURL string, dataFileSize uint64, dataDigest string, + dataDigestType uint32, schemaVersion uint32) *MsgUpdatePkiRevocationDistributionPoint { return &MsgUpdatePkiRevocationDistributionPoint{ Signer: signer, Vid: vid, Label: label, CrlSignerCertificate: crlSignerCertificate, + CrlSignerDelegator: crlSignerDelegator, IssuerSubjectKeyID: issuerSubjectKeyID, DataURL: dataURL, DataFileSize: dataFileSize, diff --git a/x/pki/types/pki_revocation_distribution_point.pb.go b/x/pki/types/pki_revocation_distribution_point.pb.go index 1b6bc47f7..e6f413592 100644 --- a/x/pki/types/pki_revocation_distribution_point.pb.go +++ b/x/pki/types/pki_revocation_distribution_point.pb.go 
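Review bot: The new table in `TestMsgAddPkiRevocationDistributionPoint_verifyCRLCertFormat` has no case for the Basic Constraints branch — neither `IsCA = true` nor `BasicConstraintsValid = false` — even though `VerifyCRLSignerCertFormat` rejects both, and the Key Usage case flips `Extensions[3].Critical` by position, which is tied to the fixture's extension order and will break if the fixture is regenerated. Add `init: func(c *x509.Certificate) { c.Certificate.IsCA = true }` expecting `ErrCRLSignerCertificateInvalidFormat`, and locate the Key Usage extension by `ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15})` (needs `encoding/asn1`) instead of the index.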
@@ -35,6 +35,7 @@ type PkiRevocationDistributionPoint struct { DataDigestType uint32 `protobuf:"varint,10,opt,name=dataDigestType,proto3" json:"dataDigestType,omitempty"` RevocationType uint32 `protobuf:"varint,11,opt,name=revocationType,proto3" json:"revocationType,omitempty"` SchemaVersion uint32 `protobuf:"varint,12,opt,name=schemaVersion,proto3" json:"schemaVersion,omitempty"` + CrlSignerDelegator string `protobuf:"bytes,13,opt,name=crlSignerDelegator,proto3" json:"crlSignerDelegator,omitempty"` } func (m *PkiRevocationDistributionPoint) Reset() { *m = PkiRevocationDistributionPoint{} } @@ -154,6 +155,13 @@ func (m *PkiRevocationDistributionPoint) GetSchemaVersion() uint32 { return 0 } +func (m *PkiRevocationDistributionPoint) GetCrlSignerDelegator() string { + if m != nil { + return m.CrlSignerDelegator + } + return "" +} + func init() { proto.RegisterType((*PkiRevocationDistributionPoint)(nil), "zigbeealliance.distributedcomplianceledger.pki.PkiRevocationDistributionPoint") } 
@@ -163,32 +171,33 @@ func init() { } var fileDescriptor_35504fa19b856908 = []byte{ - // 396 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xcd, 0x6e, 0x13, 0x31, - 0x14, 0x85, 0x63, 0xd2, 0xf4, 0xc7, 0xb4, 0x08, 0x59, 0x5d, 0x78, 0x65, 0x8d, 0x2a, 0x84, 0x46, - 0x42, 0x99, 0x91, 0xe0, 0x09, 0x0a, 0x11, 0x12, 0x82, 0x45, 0x34, 0x01, 0x16, 0x2c, 0xa8, 0x3c, - 0x9e, 0xcb, 0xf4, 0x92, 0xc9, 0xd8, 0xb2, 0x3d, 0x15, 0xe9, 0x53, 0xf0, 0x18, 0x3c, 0x0a, 0xcb, - 0x2e, 0x59, 0xa2, 0xe4, 0x45, 0xd0, 0xd8, 0x6a, 0x93, 0xa0, 0xec, 0x7c, 0x8e, 0x3f, 0x7d, 0x9b, - 0x7b, 0xe8, 0x0b, 0x33, 0xc7, 0xdc, 0xcc, 0xf1, 0xca, 0xc2, 0x8d, 0x56, 0xd2, 0xa3, 0x6e, 0xaf, - 0x2a, 0x74, 0xde, 0x62, 0xd9, 0x85, 0x60, 0x34, 0xb6, 0x3e, 0x33, 0x56, 0x7b, 0xcd, 0xb2, 0x5b, - 0xac, 0x4b, 0x00, 0xd9, 0x34, 0x28, 0x5b, 0x05, 0xd9, 0x03, 0x08, 0x95, 0xd2, 0x0b, 0x13, 0xdb, - 0x06, 0xaa, 0x1a, 0x6c, 0x66, 0xe6, 0x78, 0xf1, 0x6b, 0x48, 0xc5, 0x74, 0x8e, 0xc5, 0x83, 0x7a, - 0xb2, 0x65, 0x9e, 0xf6, 0x62, 0xf6, 0x94, 0x0e, 0x6f, 0xb0, 0xe2, 0x24, 0x21, 0xe9, 0xa8, 0xe8, - 0x9f, 0xec, 0x9c, 0x8e, 0x1a, 0x59, 0x42, 0xc3, 0x1f, 0x25, 0x24, 0x3d, 0x29, 0x62, 0x60, 0x19, - 0x65, 0xe8, 0x5c, 0x07, 0x76, 0xd6, 0x95, 0xdf, 0x41, 0xf9, 0xf7, 0xb0, 0x7c, 0x37, 0xe1, 0xc3, - 0x80, 0xec, 0xf9, 0xe9, 0xbd, 0x06, 0x2b, 0x7e, 0x10, 0xbd, 0x26, 0x7a, 0xd1, 0x4d, 0x2f, 0x2f, - 0xf9, 0x28, 0x21, 0xe9, 0x71, 0x11, 0x03, 0x7b, 0x49, 0xcf, 0x95, 0x6d, 0x66, 0x58, 0xb7, 0x60, - 0xdf, 0x80, 0xf5, 0xf8, 0x0d, 0x95, 0xf4, 0xc0, 0x0f, 0x83, 0x79, 0xef, 0x1f, 0xe3, 0xf4, 0xa8, - 0x92, 0x5e, 0x7e, 0x2a, 0x3e, 0xf0, 0xa3, 0x80, 0xdd, 0x47, 0x76, 0x41, 0x4f, 0xfb, 0xe7, 0x5b, - 0x6c, 0x60, 0x86, 0xb7, 0xc0, 0x8f, 0x13, 0x92, 0x1e, 0x14, 0x3b, 0x1d, 0x13, 0x94, 0xf6, 0x79, - 0x82, 0x35, 0x38, 0xcf, 0x4f, 0x82, 0x60, 0xab, 0x61, 0xcf, 0xe9, 0x93, 0x4d, 0xfa, 0xb8, 0x34, - 0xc0, 0x69, 0x42, 0xd2, 0xb3, 0xe2, 0xbf, 0xb6, 0xe7, 0x36, 0x37, 0x0b, 0xdc, 0xe3, 0xc8, 0xed, - 
0xb6, 0xec, 0x19, 0x3d, 0x73, 0xea, 0x1a, 0x16, 0xf2, 0x33, 0x58, 0x87, 0xba, 0xe5, 0xa7, 0x01, - 0xdb, 0x2d, 0x5f, 0x7f, 0xfd, 0xbd, 0x12, 0xe4, 0x6e, 0x25, 0xc8, 0xdf, 0x95, 0x20, 0x3f, 0xd7, - 0x62, 0x70, 0xb7, 0x16, 0x83, 0x3f, 0x6b, 0x31, 0xf8, 0x32, 0xa9, 0xd1, 0x5f, 0x77, 0x65, 0xa6, - 0xf4, 0x22, 0x8f, 0xf7, 0x1f, 0xdf, 0x0f, 0x20, 0xdf, 0x1a, 0xc0, 0x78, 0xb3, 0x80, 0x71, 0x9c, - 0x40, 0xfe, 0xa3, 0x1f, 0x56, 0xee, 0x97, 0x06, 0x5c, 0x79, 0x18, 0x16, 0xf4, 0xea, 0x5f, 0x00, - 0x00, 0x00, 0xff, 0xff, 0xb4, 0x5c, 0x42, 0x90, 0x70, 0x02, 0x00, 0x00, + // 411 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xcd, 0x6e, 0xd4, 0x30, + 0x14, 0x85, 0xc7, 0x4c, 0xa7, 0x3f, 0xa6, 0x83, 0x90, 0xd5, 0x85, 0x57, 0x51, 0x54, 0x21, 0x14, + 0x09, 0x4d, 0x22, 0xc1, 0x13, 0x14, 0x22, 0x24, 0x04, 0x8b, 0x51, 0x06, 0x58, 0xb0, 0xa0, 0x72, + 0x92, 0x4b, 0x7a, 0x99, 0x4c, 0x6c, 0xd9, 0x4e, 0xc5, 0xf4, 0x29, 0x78, 0x2c, 0x96, 0x5d, 0x76, + 0x89, 0x66, 0x5e, 0x04, 0xd9, 0x56, 0xe7, 0x87, 0x76, 0x77, 0xcf, 0xb9, 0x47, 0x9f, 0xe4, 0xeb, + 0x43, 0x5f, 0xa9, 0x39, 0x66, 0x6a, 0x8e, 0x97, 0x1a, 0xae, 0x65, 0x25, 0x2c, 0xca, 0xee, 0xb2, + 0x46, 0x63, 0x35, 0x96, 0xbd, 0x17, 0x4a, 0x62, 0x67, 0x53, 0xa5, 0xa5, 0x95, 0x2c, 0xbd, 0xc1, + 0xa6, 0x04, 0x10, 0x6d, 0x8b, 0xa2, 0xab, 0x20, 0xdd, 0x04, 0xa1, 0xae, 0xe4, 0x42, 0x05, 0xb7, + 0x85, 0xba, 0x01, 0x9d, 0xaa, 0x39, 0x9e, 0xdf, 0x0d, 0x69, 0x34, 0x9d, 0x63, 0xb1, 0x41, 0xe7, + 0x3b, 0xe4, 0xa9, 0x03, 0xb3, 0xe7, 0x74, 0x78, 0x8d, 0x35, 0x27, 0x31, 0x49, 0x46, 0x85, 0x1b, + 0xd9, 0x19, 0x1d, 0xb5, 0xa2, 0x84, 0x96, 0x3f, 0x89, 0x49, 0x72, 0x52, 0x04, 0xc1, 0x52, 0xca, + 0xd0, 0x98, 0x1e, 0xf4, 0xac, 0x2f, 0x7f, 0x42, 0x65, 0x3f, 0xc2, 0xf2, 0x43, 0xce, 0x87, 0x3e, + 0xf2, 0xc8, 0xc6, 0x71, 0x15, 0xd6, 0xfc, 0x20, 0x70, 0x55, 0xe0, 0xa2, 0x99, 0x5e, 0x5c, 0xf0, + 0x51, 0x4c, 0x92, 0xe3, 0x22, 0x08, 0xf6, 0x9a, 0x9e, 0x55, 0xba, 0x9d, 0x61, 0xd3, 0x81, 0x7e, + 0x07, 0xda, 
0xe2, 0x0f, 0xac, 0x84, 0x05, 0x7e, 0xe8, 0xc9, 0x8f, 0xee, 0x18, 0xa7, 0x47, 0xb5, + 0xb0, 0xe2, 0x4b, 0xf1, 0x89, 0x1f, 0xf9, 0xd8, 0xbd, 0x64, 0xe7, 0xf4, 0xd4, 0x8d, 0xef, 0xb1, + 0x85, 0x19, 0xde, 0x00, 0x3f, 0x8e, 0x49, 0x72, 0x50, 0xec, 0x79, 0x2c, 0xa2, 0xd4, 0xe9, 0x1c, + 0x1b, 0x30, 0x96, 0x9f, 0x78, 0xc0, 0x8e, 0xc3, 0x5e, 0xd2, 0x67, 0x5b, 0xf5, 0x79, 0xa9, 0x80, + 0xd3, 0x98, 0x24, 0xe3, 0xe2, 0x3f, 0xd7, 0xe5, 0xb6, 0x7f, 0xe6, 0x73, 0x4f, 0x43, 0x6e, 0xdf, + 0x65, 0x2f, 0xe8, 0xd8, 0x54, 0x57, 0xb0, 0x10, 0x5f, 0x41, 0x1b, 0x94, 0x1d, 0x3f, 0xf5, 0xb1, + 0x7d, 0xd3, 0xdd, 0x77, 0xf3, 0xd6, 0x1c, 0x5a, 0x68, 0x84, 0x95, 0x9a, 0x8f, 0xc3, 0x7d, 0x1f, + 0x6e, 0xde, 0x7e, 0xff, 0xb3, 0x8a, 0xc8, 0xed, 0x2a, 0x22, 0x7f, 0x57, 0x11, 0xf9, 0xbd, 0x8e, + 0x06, 0xb7, 0xeb, 0x68, 0x70, 0xb7, 0x8e, 0x06, 0xdf, 0xf2, 0x06, 0xed, 0x55, 0x5f, 0xa6, 0x95, + 0x5c, 0x64, 0xa1, 0x2f, 0x93, 0xfb, 0xc2, 0x64, 0x3b, 0x85, 0x99, 0x6c, 0x1b, 0x33, 0x09, 0x95, + 0xc9, 0x7e, 0xb9, 0x22, 0x66, 0x76, 0xa9, 0xc0, 0x94, 0x87, 0xbe, 0x71, 0x6f, 0xfe, 0x05, 0x00, + 0x00, 0xff, 0xff, 0x13, 0xa7, 0x00, 0x1d, 0xa0, 0x02, 0x00, 0x00, } func (m *PkiRevocationDistributionPoint) Marshal() (dAtA []byte, err error) { @@ -211,6 +220,13 @@ func (m *PkiRevocationDistributionPoint) MarshalToSizedBuffer(dAtA []byte) (int, _ = i var l int _ = l + if len(m.CrlSignerDelegator) > 0 { + i -= len(m.CrlSignerDelegator) + copy(dAtA[i:], m.CrlSignerDelegator) + i = encodeVarintPkiRevocationDistributionPoint(dAtA, i, uint64(len(m.CrlSignerDelegator))) + i-- + dAtA[i] = 0x6a + } if m.SchemaVersion != 0 { i = encodeVarintPkiRevocationDistributionPoint(dAtA, i, uint64(m.SchemaVersion)) i-- @@ -347,6 +363,10 @@ func (m *PkiRevocationDistributionPoint) Size() (n int) { if m.SchemaVersion != 0 { n += 1 + sovPkiRevocationDistributionPoint(uint64(m.SchemaVersion)) } + l = len(m.CrlSignerDelegator) + if l > 0 { + n += 1 + l + sovPkiRevocationDistributionPoint(uint64(l)) + } return n } 
@@ -679,6 +699,38 @@ func (m *PkiRevocationDistributionPoint) Unmarshal(dAtA []byte) error { break } } + case 13: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CrlSignerDelegator", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPkiRevocationDistributionPoint + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthPkiRevocationDistributionPoint + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthPkiRevocationDistributionPoint + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CrlSignerDelegator = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipPkiRevocationDistributionPoint(dAtA[iNdEx:]) diff --git a/x/pki/types/tx.pb.go b/x/pki/types/tx.pb.go index 9116a5b4d..c07381911 100644 --- a/x/pki/types/tx.pb.go +++ b/x/pki/types/tx.pb.go @@ -915,6 +915,7 @@ type MsgAddPkiRevocationDistributionPoint struct { DataDigestType uint32 `protobuf:"varint,11,opt,name=dataDigestType,proto3" json:"dataDigestType,omitempty"` RevocationType uint32 `protobuf:"varint,12,opt,name=revocationType,proto3" json:"revocationType,omitempty" validate:"required"` SchemaVersion uint32 `protobuf:"varint,13,opt,name=schemaVersion,proto3" json:"schemaVersion,omitempty" validate:"gte=0,lte=65535"` + CrlSignerDelegator string `protobuf:"bytes,14,opt,name=crlSignerDelegator,proto3" json:"crlSignerDelegator,omitempty" validate:"max=10485760"` } func (m *MsgAddPkiRevocationDistributionPoint) Reset() { *m = MsgAddPkiRevocationDistributionPoint{} } 
@@ -1041,6 +1042,13 @@ func (m *MsgAddPkiRevocationDistributionPoint) GetSchemaVersion() uint32 { return 0 } +func (m *MsgAddPkiRevocationDistributionPoint) GetCrlSignerDelegator() string { + if m != nil { + return m.CrlSignerDelegator + } + return "" +} + type MsgAddPkiRevocationDistributionPointResponse struct { } @@ -1092,6 +1100,7 @@ type MsgUpdatePkiRevocationDistributionPoint struct { DataDigest string `protobuf:"bytes,8,opt,name=dataDigest,proto3" json:"dataDigest,omitempty"` DataDigestType uint32 `protobuf:"varint,9,opt,name=dataDigestType,proto3" json:"dataDigestType,omitempty"` SchemaVersion uint32 `protobuf:"varint,10,opt,name=schemaVersion,proto3" json:"schemaVersion,omitempty" validate:"gte=0,lte=65535"` + CrlSignerDelegator string `protobuf:"bytes,11,opt,name=crlSignerDelegator,proto3" json:"crlSignerDelegator,omitempty" validate:"max=10485760"` } func (m *MsgUpdatePkiRevocationDistributionPoint) Reset() { @@ -1199,6 +1208,13 @@ func (m *MsgUpdatePkiRevocationDistributionPoint) GetSchemaVersion() uint32 { return 0 } +func (m *MsgUpdatePkiRevocationDistributionPoint) GetCrlSignerDelegator() string { + if m != nil { + return m.CrlSignerDelegator + } + return "" +} + type MsgUpdatePkiRevocationDistributionPointResponse struct { } 
@@ -2075,100 +2091,102 @@ func init() { func init() { proto.RegisterFile("pki/tx.proto", fileDescriptor_badfdb2b39855d16) } var fileDescriptor_badfdb2b39855d16 = []byte{ - // 1482 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0xdf, 0x6f, 0xd3, 0xd6, - 0x17, 0xc7, 0xf9, 0xd1, 0x1f, 0x87, 0x52, 0x89, 0xfb, 0x2d, 0x25, 0x04, 0xbe, 0x49, 0x30, 0x08, - 0x2a, 0xad, 0x4d, 0x4a, 0x21, 0x1d, 0xa0, 0xb1, 0x29, 0x25, 0xe3, 0x87, 0x68, 0x51, 0xe7, 0x02, - 0x9b, 0xa6, 0x69, 0x28, 0x89, 0x2f, 0xe6, 0xae, 0x4e, 0xec, 0xd9, 0x4e, 0x45, 0x79, 0xdb, 0x5f, - 0xb0, 0x49, 0xd3, 0x5e, 0xf7, 0xb6, 0x4d, 0x42, 0x1a, 0xd2, 0xb4, 0x1f, 0xaf, 0x7b, 0xd8, 0xcb, - 0x5e, 0x26, 0xa1, 0xbd, 0x6c, 0x4f, 0x11, 0x83, 0x97, 0x49, 0xbc, 0xe5, 0x2f, 0x98, 0x7c, 0xed, - 0x5c, 0xc7, 0x89, 0xdd, 0x26, 0x37, 0x61, 0xea, 0x4a, 0xdf, 0xec, 0x9b, 0x7b, 0x3e, 0xf7, 0xdc, - 0xf3, 0xf9, 0xdc, 0x63, 0x9f, 0xe3, 0xc0, 0x84, 0xbe, 0x4e, 0x72, 0xd6, 0x83, 0xac, 0x6e, 0x68, - 0x96, 0x86, 0xb2, 0x0f, 0x89, 0x52, 0xc6, 0xb8, 0xa4, 0xaa, 0xa4, 0x54, 0xab, 0xe0, 0xac, 0x4c, - 0x4c, 0xcb, 0x20, 0xe5, 0xba, 0x85, 0xe5, 0x8a, 0x56, 0xd5, 0x9d, 0x51, 0x15, 0xcb, 0x0a, 0x36, - 0xb2, 0xfa, 0x3a, 0x49, 0x1e, 0xa9, 0x68, 0x66, 0x55, 0x33, 0xef, 0x52, 0xeb, 0x9c, 0x73, 0xe3, - 0x40, 0x25, 0xa7, 0x14, 0x4d, 0xd1, 0x9c, 0x71, 0xfb, 0xca, 0x19, 0x15, 0x1f, 0x47, 0xe1, 0xc8, - 0x8a, 0xa9, 0xac, 0x1a, 0x9a, 0xae, 0x99, 0xb8, 0x20, 0xcb, 0xef, 0xe5, 0xe7, 0x2f, 0x48, 0x9a, - 0x66, 0x5d, 0xc6, 0x86, 0x85, 0xae, 0xc2, 0x88, 0x49, 0x94, 0x1a, 0x36, 0x12, 0x42, 0x46, 0x98, - 0x19, 0x5f, 0xca, 0x35, 0x1b, 0xe9, 0xff, 0x6d, 0x94, 0x54, 0x22, 0x97, 0x2c, 0x7c, 0x51, 0x34, - 0xf0, 0xc7, 0x75, 0x62, 0x60, 0x59, 0xfc, 0xfd, 0x87, 0xb9, 0x29, 0x77, 0xb1, 0x82, 0x2c, 0x1b, - 0xd8, 0x34, 0xd7, 0x2c, 0x83, 0xd4, 0x14, 0xc9, 0x35, 0x47, 0xe7, 0x21, 0x56, 0xc1, 0x86, 0x95, - 0x88, 0x50, 0x98, 0x93, 0xcd, 0x46, 0x3a, 0xd3, 0x0d, 0x33, 0x5b, 0x2d, 0x3d, 0xb8, 0x74, 0x66, - 0xfe, 0xdc, 
0xf9, 0xfc, 0xeb, 0x8b, 0xf3, 0xa2, 0x44, 0x2d, 0xd0, 0x6b, 0x10, 0x23, 0xb5, 0x7b, - 0x5a, 0x22, 0x4a, 0x2d, 0x0f, 0xfb, 0x1d, 0xb0, 0x0d, 0xce, 0xcd, 0x5f, 0x58, 0x14, 0x25, 0x3a, - 0x09, 0x21, 0x88, 0x59, 0xa4, 0x8a, 0x13, 0xb1, 0x8c, 0x30, 0x13, 0x95, 0xe8, 0x35, 0xba, 0x00, - 0xd1, 0x0d, 0x22, 0x27, 0xe2, 0x19, 0x61, 0x26, 0xbe, 0x74, 0xba, 0xd9, 0x48, 0x9f, 0xf0, 0xec, - 0x15, 0x0b, 0x5f, 0x3a, 0x33, 0xab, 0x5a, 0xf8, 0xd2, 0x62, 0x3e, 0x7f, 0x36, 0x3f, 0xcb, 0x36, - 0x24, 0xd9, 0x36, 0x68, 0x19, 0x0e, 0xda, 0x3e, 0xac, 0x55, 0xee, 0xe3, 0x6a, 0xe9, 0x0e, 0x36, - 0x4c, 0xa2, 0xd5, 0x12, 0x23, 0x19, 0x61, 0xe6, 0xc0, 0x52, 0xaa, 0xd9, 0x48, 0x27, 0xfd, 0x40, - 0xf3, 0x1e, 0x90, 0x28, 0x75, 0x1b, 0xa2, 0x22, 0x1c, 0x30, 0x7d, 0x48, 0xa3, 0x3d, 0x21, 0xf9, - 0x8d, 0xc4, 0x13, 0x70, 0x3c, 0x94, 0x2f, 0x09, 0x9b, 0xba, 0x56, 0x33, 0xb1, 0xf8, 0x75, 0x84, - 0xb2, 0x5a, 0xd0, 0x75, 0x43, 0xdb, 0x78, 0x79, 0xac, 0x5e, 0x84, 0x51, 0xb3, 0x5e, 0xfe, 0x08, - 0x57, 0x5a, 0xc4, 0x66, 0x9a, 0x8d, 0xf4, 0xb1, 0x50, 0x62, 0x17, 0xce, 0x89, 0x52, 0xcb, 0x00, - 0x5d, 0x86, 0x09, 0xf7, 0xf2, 0x06, 0xde, 0xbc, 0x2e, 0xbb, 0xfc, 0xa6, 0x9b, 0x8d, 0xf4, 0xd1, - 0x10, 0x80, 0x85, 0xfc, 0xa2, 0x28, 0xf9, 0x8c, 0x98, 0x38, 0x62, 0xfd, 0x88, 0x23, 0xee, 0x89, - 0xc3, 0x8d, 0x66, 0x70, 0x9c, 0x58, 0x34, 0xff, 0x8e, 0xc0, 0xa4, 0x3d, 0xcb, 0xf9, 0x79, 0xd7, - 0x1c, 0x8c, 0x40, 0x75, 0xc7, 0x87, 0xa6, 0xee, 0x11, 0x1e, 0x75, 0x27, 0x60, 0xda, 0x1f, 0x69, - 0x46, 0xc2, 0x8f, 0x51, 0x38, 0xe6, 0x09, 0x5f, 0xc2, 0x1b, 0xda, 0x3a, 0xde, 0x53, 0x75, 0xa0, - 0xaa, 0x91, 0x08, 0x13, 0x26, 0x36, 0x48, 0x49, 0xbd, 0x59, 0xaf, 0x96, 0xb1, 0x41, 0xa9, 0x18, - 0x97, 0x7c, 0x63, 0x28, 0x03, 0xfb, 0x0d, 0x1a, 0xc4, 0xcb, 0xf7, 0x89, 0x2a, 0xd3, 0x5c, 0x34, - 0x26, 0xb5, 0x0f, 0x75, 0x33, 0x3a, 0xc6, 0xc3, 0xe8, 0x29, 0x38, 0xb9, 0x15, 0x6d, 0x8c, 0xdf, - 0xdf, 0x22, 0x94, 0x5f, 0xf7, 0x28, 0xbe, 0x12, 0xfc, 0xc6, 0xfb, 0xe1, 0x77, 0x64, 0x0b, 0x7e, - 0x47, 0xbb, 0xf9, 0x75, 0xe3, 0x1e, 0x1a, 0x4e, 
0x16, 0xf7, 0x47, 0x51, 0x38, 0xb8, 0x62, 0x2a, - 0xde, 0x8c, 0xbd, 0xc3, 0xb4, 0x73, 0x0f, 0xd3, 0x51, 0xfa, 0x58, 0xf7, 0x73, 0xc5, 0x98, 0x7c, - 0x11, 0x81, 0x04, 0xfd, 0xd5, 0xde, 0xfc, 0xde, 0x33, 0x3f, 0x94, 0xd0, 0xe1, 0x3c, 0xa9, 0x44, - 0xc8, 0x84, 0x05, 0x9b, 0x31, 0xf2, 0x57, 0xdc, 0x39, 0x84, 0xb2, 0xbc, 0xba, 0x4e, 0x6c, 0xd6, - 0x2a, 0x25, 0x8b, 0x68, 0xb5, 0x62, 0xeb, 0x25, 0x9e, 0x68, 0xb5, 0x55, 0x8d, 0xd4, 0x86, 0xc8, - 0x8e, 0xfb, 0xb2, 0x1b, 0xe1, 0x78, 0xd9, 0x9d, 0x87, 0xa8, 0x4e, 0x1c, 0x4e, 0xe2, 0xdb, 0x06, - 0xc3, 0x9e, 0x8a, 0xa6, 0x20, 0x4e, 0xcc, 0xd5, 0x42, 0x81, 0x52, 0x31, 0x26, 0x39, 0x37, 0x68, - 0x0e, 0xe2, 0x6a, 0xa9, 0x8c, 0xd5, 0xe0, 0xf4, 0xe6, 0x2d, 0xea, 0xcc, 0x42, 0x37, 0x60, 0xaa, - 0x62, 0xa8, 0x6b, 0xd4, 0x7d, 0x3b, 0x78, 0xe4, 0x1e, 0xa9, 0x94, 0x2c, 0x27, 0xdf, 0x6d, 0x61, - 0x1d, 0x68, 0x84, 0xae, 0x02, 0x22, 0xa6, 0x59, 0xc7, 0xc6, 0x9a, 0xa7, 0x98, 0xa2, 0x93, 0x1e, - 0xc3, 0xa1, 0x02, 0x4c, 0x50, 0x1e, 0x46, 0xe5, 0x92, 0x55, 0xba, 0x2d, 0x2d, 0xd3, 0x83, 0x3a, - 0xbe, 0x74, 0xb4, 0xd9, 0x48, 0x1f, 0x0e, 0x10, 0x69, 0xdd, 0x50, 0x45, 0xa9, 0x35, 0xd7, 0xce, - 0x15, 0xf6, 0xe5, 0x15, 0xa2, 0xe2, 0x35, 0xf2, 0x10, 0x27, 0xc6, 0x33, 0xc2, 0x4c, 0x4c, 0xf2, - 0x8d, 0xa1, 0x14, 0x80, 0x7d, 0x5f, 0x24, 0x0a, 0x36, 0xad, 0x04, 0xd0, 0x6c, 0xd2, 0x36, 0x82, - 0x4e, 0xc1, 0xa4, 0x77, 0x77, 0x6b, 0x53, 0xc7, 0x89, 0xfd, 0xb6, 0x3e, 0xa5, 0x8e, 0x51, 0xf4, - 0x16, 0x4c, 0x1a, 0x4c, 0x52, 0x74, 0xde, 0x04, 0xd5, 0x71, 0xe8, 0x3e, 0x3b, 0xa6, 0x77, 0x9f, - 0x83, 0x03, 0x3c, 0xe7, 0x20, 0x0b, 0xb3, 0xbd, 0x48, 0x9c, 0x9d, 0x89, 0x5f, 0x62, 0x70, 0x7a, - 0xc5, 0x54, 0x6e, 0xeb, 0x36, 0xfc, 0x7f, 0xe0, 0x58, 0x30, 0x39, 0x47, 0x7b, 0x92, 0xf3, 0x42, - 0x88, 0x9c, 0x69, 0xb6, 0xea, 0x4b, 0xb5, 0xf1, 0xfe, 0x55, 0xbb, 0xe8, 0xa9, 0xd6, 0x39, 0x3e, - 0xc7, 0x9a, 0x8d, 0x74, 0xc2, 0xb3, 0xd6, 0xaa, 0xc4, 0xc2, 0x55, 0xdd, 0xda, 0xdc, 0x46, 0xb6, - 0xa3, 0xdb, 0xca, 0x76, 0xac, 0x07, 0xd9, 0x8e, 0x07, 0xca, 0xb6, 0x4b, 0x75, 0xc0, 
0xa3, 0xba, - 0x33, 0x90, 0xeb, 0x51, 0x44, 0x4c, 0x78, 0x5f, 0x45, 0xa8, 0xf0, 0x8a, 0x58, 0xc5, 0xbb, 0x51, - 0x78, 0xc1, 0x22, 0x8a, 0xf5, 0x2d, 0x22, 0x37, 0xb4, 0xbd, 0x84, 0x89, 0x85, 0xf6, 0xf3, 0x08, - 0x4c, 0xd8, 0x49, 0xc0, 0xb4, 0x77, 0x7d, 0x87, 0xc8, 0xbb, 0xe8, 0x6d, 0xc3, 0x25, 0x30, 0xd6, - 0x3f, 0x81, 0xe2, 0x34, 0x4c, 0xb5, 0x07, 0x85, 0x45, 0xeb, 0x71, 0x04, 0x0e, 0x39, 0x29, 0xf3, - 0xa6, 0x56, 0xd9, 0x69, 0xed, 0xb6, 0xc0, 0xa6, 0x40, 0x6c, 0x68, 0x4d, 0x81, 0x38, 0xcf, 0x61, - 0x4f, 0xc3, 0xff, 0x03, 0xe3, 0xc5, 0x22, 0xfa, 0x49, 0xc4, 0xad, 0x61, 0xaa, 0xda, 0xc6, 0x6e, - 0xac, 0x61, 0x3a, 0x4b, 0x90, 0x58, 0x40, 0xbd, 0xd7, 0x2a, 0x0d, 0xda, 0x43, 0xe0, 0x15, 0x79, - 0x4e, 0x80, 0xbc, 0x10, 0xee, 0x68, 0xb9, 0x45, 0x87, 0x26, 0xb7, 0x18, 0x7f, 0x91, 0xe5, 0x8f, - 0x15, 0x8b, 0xe4, 0x77, 0x51, 0xb7, 0xc8, 0xb2, 0x4b, 0xb0, 0x9b, 0x5a, 0xc5, 0xd6, 0xe2, 0xab, - 0xa9, 0xb8, 0xc1, 0xdb, 0x18, 0xff, 0x56, 0xd5, 0xdc, 0x2a, 0xd5, 0x02, 0x28, 0x63, 0xbc, 0x7e, - 0x1b, 0xa5, 0xd9, 0x9a, 0x4d, 0xda, 0xe3, 0x74, 0x67, 0x73, 0x9a, 0xa2, 0xdd, 0xc2, 0x2e, 0xba, - 0x5a, 0x7c, 0x2e, 0xbc, 0x98, 0x86, 0xe8, 0x8a, 0xa9, 0xa0, 0x9f, 0x04, 0x98, 0x0e, 0xf9, 0xb8, - 0x75, 0xbd, 0xcf, 0x8f, 0x6b, 0xd9, 0xd0, 0xef, 0x2e, 0xc9, 0x77, 0x86, 0x06, 0xd5, 0xda, 0x00, - 0x75, 0x3c, 0xe4, 0xfb, 0x0d, 0x8f, 0xe3, 0xc1, 0x50, 0x5c, 0x8e, 0x6f, 0xfd, 0xb5, 0x04, 0x7d, - 0x21, 0xc0, 0xfe, 0xf6, 0x4f, 0x25, 0x6f, 0xf2, 0x2c, 0xe1, 0xd9, 0x27, 0xaf, 0x0c, 0x66, 0xcf, - 0xfc, 0xfa, 0x59, 0x80, 0x23, 0xe1, 0x5f, 0x0f, 0x96, 0xf9, 0x19, 0xec, 0x46, 0x4b, 0xde, 0x1a, - 0x26, 0x9a, 0x6f, 0x07, 0xe1, 0xfd, 0xf1, 0x65, 0x7e, 0x2a, 0x87, 0xb4, 0x83, 0x6d, 0x9b, 0xcd, - 0xe8, 0x4b, 0x01, 0x26, 0x3b, 0x3a, 0xcd, 0x05, 0x8e, 0x85, 0xfc, 0x10, 0xc9, 0xeb, 0x03, 0x43, - 0x30, 0x07, 0xbf, 0x17, 0xe0, 0x50, 0x70, 0x03, 0xf5, 0x1a, 0xd7, 0x22, 0x01, 0x48, 0xc9, 0xd5, - 0x61, 0x21, 0x31, 0xaf, 0xff, 0x10, 0xe0, 0xf8, 0xf6, 0x4d, 0xc6, 0x5b, 0x7c, 0x07, 0x69, 0x6b, - 0xd4, 0xe4, 0x07, 0x2f, 
0x03, 0x95, 0xed, 0xec, 0xa9, 0x00, 0x27, 0x7b, 0x6a, 0x15, 0xbd, 0xcb, - 0xe1, 0x46, 0x2f, 0xc0, 0xc9, 0xbb, 0x2f, 0x09, 0xd8, 0xb7, 0xc5, 0x9e, 0x9a, 0x12, 0x3c, 0x5b, - 0xec, 0x05, 0x98, 0x6b, 0x8b, 0xfd, 0xf4, 0x07, 0xd0, 0xa7, 0x02, 0x8c, 0x7b, 0xcd, 0x81, 0x37, - 0x78, 0x14, 0xd3, 0xb2, 0x4e, 0x16, 0x07, 0xb1, 0x66, 0x1e, 0x3d, 0x12, 0x00, 0x05, 0x14, 0xe0, - 0x6f, 0xf3, 0x89, 0xb9, 0x03, 0x26, 0xb9, 0x32, 0x14, 0x98, 0x8e, 0xac, 0xe9, 0xab, 0x6d, 0xf9, - 0xb2, 0x66, 0x3b, 0x04, 0x67, 0xd6, 0x0c, 0x2a, 0x2f, 0xa9, 0x83, 0x1d, 0xb5, 0x65, 0x61, 0xa0, - 0x10, 0x70, 0x3b, 0x18, 0x5c, 0xb5, 0xb9, 0x69, 0x3d, 0xa8, 0x64, 0xbb, 0xc6, 0xfd, 0xec, 0xe8, - 0x40, 0xe2, 0x4c, 0xeb, 0x5b, 0xd4, 0x24, 0xe8, 0x1b, 0x01, 0x0e, 0x76, 0x17, 0x24, 0xc5, 0x41, - 0xd6, 0x61, 0xde, 0x2e, 0x0f, 0x03, 0xa5, 0xe5, 0xe9, 0xd2, 0x87, 0xbf, 0x3e, 0x4b, 0x09, 0x4f, - 0x9e, 0xa5, 0x84, 0xa7, 0xcf, 0x52, 0xc2, 0x67, 0xcf, 0x53, 0xfb, 0x9e, 0x3c, 0x4f, 0xed, 0xfb, - 0xf3, 0x79, 0x6a, 0xdf, 0xfb, 0x45, 0x85, 0x58, 0xf7, 0xeb, 0xe5, 0x6c, 0x45, 0xab, 0xe6, 0x9c, - 0x15, 0xe7, 0x5a, 0x4b, 0xe6, 0xda, 0x96, 0x9c, 0xf3, 0xd6, 0x9c, 0x73, 0x16, 0xcd, 0x3d, 0xc8, - 0xd1, 0x7f, 0xc2, 0x6d, 0xea, 0xd8, 0x2c, 0x8f, 0xd0, 0x3f, 0xab, 0x9d, 0xfd, 0x27, 0x00, 0x00, - 0xff, 0xff, 0xb7, 0xd1, 0xd2, 0x13, 0x1d, 0x27, 0x00, 0x00, + // 1505 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0xdd, 0x6f, 0xd3, 0x56, + 0x14, 0xc7, 0xf9, 0xe8, 0xc7, 0x69, 0xa9, 0xc4, 0x5d, 0x29, 0x26, 0xb0, 0x24, 0x18, 0x04, 0x95, + 0xd6, 0x26, 0xa5, 0x90, 0x0e, 0xd0, 0xd8, 0x94, 0x92, 0xf1, 0x21, 0x5a, 0xd4, 0xb9, 0xc0, 0xa6, + 0x69, 0x1a, 0x72, 0xe2, 0x8b, 0xb9, 0xab, 0x13, 0x7b, 0xb6, 0x53, 0x51, 0xde, 0xf6, 0x17, 0x0c, + 0x69, 0xda, 0xeb, 0xde, 0xb6, 0x49, 0x48, 0x43, 0x9a, 0xf6, 0xf1, 0xba, 0xd7, 0xbd, 0x4c, 0x42, + 0x7b, 0xd9, 0x9e, 0x22, 0x04, 0x2f, 0x93, 0x78, 0xcb, 0x5f, 0x30, 0xf9, 0xda, 0xb1, 0xe3, 0xc4, + 0x6e, 0x93, 0xdb, 0x74, 0xea, 0x4a, 0xdf, 0xec, 
0x9b, 0x7b, 0x7e, 0xf7, 0xdc, 0xf3, 0xfb, 0x9d, + 0x63, 0x9f, 0xeb, 0xc0, 0xb8, 0xbe, 0x46, 0xf2, 0xd6, 0xc3, 0x9c, 0x6e, 0x68, 0x96, 0x86, 0x72, + 0x8f, 0x88, 0x52, 0xc6, 0x58, 0x52, 0x55, 0x22, 0xd5, 0x2a, 0x38, 0x27, 0x13, 0xd3, 0x32, 0x48, + 0xb9, 0x6e, 0x61, 0xb9, 0xa2, 0x55, 0x75, 0x67, 0x54, 0xc5, 0xb2, 0x82, 0x8d, 0x9c, 0xbe, 0x46, + 0x52, 0x47, 0x2b, 0x9a, 0x59, 0xd5, 0xcc, 0x7b, 0xd4, 0x3a, 0xef, 0xdc, 0x38, 0x50, 0xa9, 0x49, + 0x45, 0x53, 0x34, 0x67, 0xdc, 0xbe, 0x72, 0x46, 0x85, 0xa7, 0x71, 0x38, 0xba, 0x6c, 0x2a, 0x2b, + 0x86, 0xa6, 0x6b, 0x26, 0x2e, 0xca, 0xf2, 0x47, 0x85, 0xb9, 0x8b, 0xa2, 0xa6, 0x59, 0x57, 0xb0, + 0x61, 0xa1, 0x6b, 0x30, 0x64, 0x12, 0xa5, 0x86, 0x0d, 0x9e, 0xcb, 0x72, 0xd3, 0xa3, 0x8b, 0xf9, + 0x66, 0x23, 0xf3, 0xc6, 0xba, 0xa4, 0x12, 0x59, 0xb2, 0xf0, 0x25, 0xc1, 0xc0, 0x9f, 0xd7, 0x89, + 0x81, 0x65, 0xe1, 0xcf, 0x9f, 0x67, 0x27, 0xdd, 0xc5, 0x8a, 0xb2, 0x6c, 0x60, 0xd3, 0x5c, 0xb5, + 0x0c, 0x52, 0x53, 0x44, 0xd7, 0x1c, 0x5d, 0x80, 0x44, 0x05, 0x1b, 0x16, 0x1f, 0xa3, 0x30, 0xa7, + 0x9a, 0x8d, 0x4c, 0xb6, 0x1b, 0x66, 0xa6, 0x2a, 0x3d, 0xbc, 0x7c, 0x76, 0xee, 0xfc, 0x85, 0xc2, + 0xdb, 0x0b, 0x73, 0x82, 0x48, 0x2d, 0xd0, 0x5b, 0x90, 0x20, 0xb5, 0xfb, 0x1a, 0x1f, 0xa7, 0x96, + 0x47, 0x82, 0x0e, 0xd8, 0x06, 0xe7, 0xe7, 0x2e, 0x2e, 0x08, 0x22, 0x9d, 0x84, 0x10, 0x24, 0x2c, + 0x52, 0xc5, 0x7c, 0x22, 0xcb, 0x4d, 0xc7, 0x45, 0x7a, 0x8d, 0x2e, 0x42, 0x7c, 0x9d, 0xc8, 0x7c, + 0x32, 0xcb, 0x4d, 0x27, 0x17, 0xcf, 0x34, 0x1b, 0x99, 0x93, 0xbe, 0xbd, 0x62, 0xe1, 0xcb, 0x67, + 0x67, 0x54, 0x0b, 0x5f, 0x5e, 0x28, 0x14, 0xce, 0x15, 0x66, 0xbc, 0x0d, 0x89, 0xb6, 0x0d, 0x5a, + 0x82, 0x43, 0xb6, 0x0f, 0xab, 0x95, 0x07, 0xb8, 0x2a, 0xdd, 0xc5, 0x86, 0x49, 0xb4, 0x1a, 0x3f, + 0x94, 0xe5, 0xa6, 0x0f, 0x2e, 0xa6, 0x9b, 0x8d, 0x4c, 0x2a, 0x08, 0x34, 0xe7, 0x03, 0x09, 0x62, + 0xb7, 0x21, 0x2a, 0xc1, 0x41, 0x33, 0x80, 0x34, 0xdc, 0x13, 0x52, 0xd0, 0x48, 0x38, 0x09, 0x27, + 0x22, 0xf9, 0x12, 0xb1, 0xa9, 0x6b, 0x35, 0x13, 0x0b, 0xdf, 0xc5, 0x28, 0xab, 0x45, 
0x5d, 0x37, + 0xb4, 0xf5, 0x9d, 0x63, 0xf5, 0x12, 0x0c, 0x9b, 0xf5, 0xf2, 0x67, 0xb8, 0xd2, 0x22, 0x36, 0xdb, + 0x6c, 0x64, 0x8e, 0x47, 0x12, 0x3b, 0x7f, 0x5e, 0x10, 0x5b, 0x06, 0xe8, 0x0a, 0x8c, 0xbb, 0x97, + 0x37, 0xf1, 0xc6, 0x0d, 0xd9, 0xe5, 0x37, 0xd3, 0x6c, 0x64, 0x8e, 0x45, 0x00, 0xcc, 0x17, 0x16, + 0x04, 0x31, 0x60, 0xe4, 0x89, 0x23, 0xd1, 0x8f, 0x38, 0x92, 0xbe, 0x38, 0xdc, 0x68, 0x86, 0xc7, + 0xc9, 0x8b, 0xe6, 0x3f, 0x31, 0x98, 0xb0, 0x67, 0x39, 0x3f, 0xef, 0x99, 0xc4, 0x08, 0x55, 0x77, + 0x72, 0x60, 0xea, 0x1e, 0x62, 0x51, 0x37, 0x0f, 0x53, 0xc1, 0x48, 0x7b, 0x24, 0xfc, 0x12, 0x87, + 0xe3, 0xbe, 0xf0, 0x45, 0xbc, 0xae, 0xad, 0xe1, 0x7d, 0x55, 0x87, 0xaa, 0x1a, 0x09, 0x30, 0x6e, + 0x62, 0x83, 0x48, 0xea, 0xad, 0x7a, 0xb5, 0x8c, 0x0d, 0x4a, 0xc5, 0xa8, 0x18, 0x18, 0x43, 0x59, + 0x18, 0x33, 0x68, 0x10, 0xaf, 0x3c, 0x20, 0xaa, 0x4c, 0x6b, 0xd1, 0x88, 0xd8, 0x3e, 0xd4, 0xcd, + 0xe8, 0x08, 0x0b, 0xa3, 0xa7, 0xe1, 0xd4, 0x66, 0xb4, 0x79, 0xfc, 0xfe, 0x11, 0xa3, 0xfc, 0xba, + 0xa9, 0xf8, 0x5a, 0xf0, 0x9b, 0xec, 0x87, 0xdf, 0xa1, 0x4d, 0xf8, 0x1d, 0xee, 0xe6, 0xd7, 0x8d, + 0x7b, 0x64, 0x38, 0xbd, 0xb8, 0x3f, 0x89, 0xc3, 0xa1, 0x65, 0x53, 0xf1, 0x67, 0xec, 0x27, 0xd3, + 0xee, 0x4d, 0xa6, 0x63, 0xf4, 0xb1, 0x1e, 0xe4, 0xca, 0x63, 0xf2, 0x55, 0x0c, 0x78, 0xfa, 0xab, + 0xbd, 0xf9, 0xfd, 0x67, 0x7e, 0x24, 0xa1, 0x83, 0x79, 0x52, 0x09, 0x90, 0x8d, 0x0a, 0xb6, 0xc7, + 0xc8, 0xd3, 0x21, 0x27, 0x09, 0x65, 0x79, 0x65, 0x8d, 0xd8, 0xac, 0x55, 0x24, 0x8b, 0x68, 0xb5, + 0x52, 0xeb, 0x25, 0x9e, 0x68, 0xb5, 0x15, 0x8d, 0xd4, 0x06, 0xc8, 0x8e, 0xfb, 0xb2, 0x1b, 0x63, + 0x78, 0xd9, 0x9d, 0x83, 0xb8, 0x4e, 0x1c, 0x4e, 0x92, 0x5b, 0x06, 0xc3, 0x9e, 0x8a, 0x26, 0x21, + 0x49, 0xcc, 0x95, 0x62, 0x91, 0x52, 0x31, 0x22, 0x3a, 0x37, 0x68, 0x16, 0x92, 0xaa, 0x54, 0xc6, + 0x6a, 0x78, 0x79, 0xf3, 0x17, 0x75, 0x66, 0xa1, 0x9b, 0x30, 0x59, 0x31, 0xd4, 0x55, 0xea, 0xbe, + 0x1d, 0x3c, 0x72, 0x9f, 0x54, 0x24, 0xcb, 0xa9, 0x77, 0x9b, 0x58, 0x87, 0x1a, 0xa1, 0x6b, 0x80, + 0x88, 0x69, 0xd6, 0xb1, 
0xb1, 0xea, 0x2b, 0xa6, 0xe4, 0x94, 0xc7, 0x68, 0xa8, 0x10, 0x13, 0x54, + 0x80, 0x61, 0x59, 0xb2, 0xa4, 0x3b, 0xe2, 0x12, 0x4d, 0xd4, 0xd1, 0xc5, 0x63, 0xcd, 0x46, 0xe6, + 0x48, 0x88, 0x48, 0xeb, 0x86, 0x2a, 0x88, 0xad, 0xb9, 0x76, 0xad, 0xb0, 0x2f, 0xaf, 0x12, 0x15, + 0xaf, 0x92, 0x47, 0x98, 0x1f, 0xcd, 0x72, 0xd3, 0x09, 0x31, 0x30, 0x86, 0xd2, 0x00, 0xf6, 0x7d, + 0x89, 0x28, 0xd8, 0xb4, 0x78, 0xa0, 0xd5, 0xa4, 0x6d, 0x04, 0x9d, 0x86, 0x09, 0xff, 0xee, 0xf6, + 0x86, 0x8e, 0xf9, 0x31, 0x5b, 0x9f, 0x62, 0xc7, 0x28, 0x7a, 0x0f, 0x26, 0x0c, 0x4f, 0x52, 0x74, + 0xde, 0x38, 0xd5, 0x71, 0xe4, 0x3e, 0x3b, 0xa6, 0x77, 0xe7, 0xc1, 0x41, 0x86, 0x3c, 0x40, 0x37, + 0x01, 0x79, 0x54, 0x94, 0xb0, 0x8a, 0x15, 0xc9, 0xd2, 0x0c, 0x7e, 0x22, 0x2c, 0x68, 0xc1, 0xb7, + 0xd8, 0x10, 0x33, 0x21, 0x07, 0x33, 0xbd, 0xe4, 0x8b, 0x97, 0x60, 0x8f, 0x93, 0x70, 0x66, 0xd9, + 0x54, 0xee, 0xe8, 0xf6, 0x02, 0xff, 0x83, 0x1c, 0xf3, 0x72, 0x23, 0xde, 0x53, 0x6e, 0xcc, 0x47, + 0xe4, 0x06, 0x2d, 0x7d, 0x7d, 0xa5, 0x40, 0xb2, 0xff, 0x14, 0x58, 0xf0, 0x53, 0xc0, 0xc9, 0xc5, + 0xe3, 0xcd, 0x46, 0x86, 0xf7, 0xad, 0xb5, 0x2a, 0xb1, 0x70, 0x55, 0xb7, 0x36, 0xb6, 0xc8, 0x81, + 0xe1, 0x2d, 0x73, 0x60, 0xa4, 0x87, 0x1c, 0x18, 0x0d, 0xcd, 0x81, 0x2e, 0x09, 0xc3, 0xe0, 0x24, + 0x3c, 0xc6, 0x26, 0xe1, 0xb3, 0x90, 0xef, 0x51, 0x91, 0x9e, 0x8a, 0xbf, 0x8d, 0x51, 0x15, 0xdb, + 0x18, 0x7b, 0x51, 0xc5, 0xe1, 0x8a, 0x4c, 0xf4, 0xad, 0x48, 0x37, 0xb4, 0xbd, 0x84, 0xc9, 0x0b, + 0xed, 0x57, 0x31, 0x18, 0xb7, 0x2b, 0x8a, 0x69, 0xef, 0xfa, 0x2e, 0x91, 0xf7, 0xd0, 0x7b, 0x90, + 0x4b, 0x60, 0xa2, 0x7f, 0x02, 0x85, 0x29, 0x98, 0x6c, 0x0f, 0x8a, 0xff, 0xbe, 0x12, 0x83, 0xc3, + 0x4e, 0xfd, 0xbd, 0xa5, 0x55, 0x76, 0xdb, 0x41, 0x60, 0xe8, 0x71, 0x45, 0x62, 0x60, 0xc7, 0x15, + 0x49, 0x96, 0x97, 0xc0, 0x0c, 0xbc, 0x19, 0x1a, 0x2f, 0x2f, 0xa2, 0x5f, 0xc4, 0xdc, 0xee, 0xaa, + 0xaa, 0xad, 0xef, 0xc5, 0xee, 0xaa, 0xb3, 0x39, 0x4a, 0x84, 0x74, 0xa2, 0xad, 0xa6, 0xa5, 0x3d, + 0x04, 0x7e, 0xfb, 0xe9, 0x04, 0xc8, 0x0f, 0xe1, 0xae, 0x96, 
0x5b, 0x7c, 0x60, 0x72, 0x4b, 0xb0, + 0xb7, 0x7f, 0xc1, 0x58, 0x79, 0x91, 0xfc, 0x31, 0xee, 0xb6, 0x7f, 0x76, 0x73, 0x78, 0x4b, 0xab, + 0xd8, 0x5a, 0x7c, 0x3d, 0x15, 0xb7, 0xfd, 0x03, 0x96, 0xff, 0xaa, 0x9f, 0x6f, 0x35, 0x91, 0x21, + 0x94, 0x79, 0xbc, 0xfe, 0x10, 0xa7, 0xd5, 0xda, 0x9b, 0xb4, 0xcf, 0xe9, 0xee, 0xe6, 0x34, 0x4d, + 0xcf, 0x31, 0xbb, 0xe8, 0x6a, 0xf1, 0x39, 0xff, 0x6a, 0x0a, 0xe2, 0xcb, 0xa6, 0x82, 0x7e, 0xe5, + 0x60, 0x2a, 0xe2, 0xb3, 0xdb, 0x8d, 0x3e, 0x3f, 0xfb, 0xe5, 0x22, 0xbf, 0x08, 0xa5, 0x3e, 0x18, + 0x18, 0x54, 0x6b, 0x03, 0xd4, 0xf1, 0x88, 0x2f, 0x4b, 0x2c, 0x8e, 0x87, 0x43, 0x31, 0x39, 0xbe, + 0xf9, 0x77, 0x1c, 0xf4, 0x35, 0x07, 0x63, 0xed, 0x1f, 0x71, 0xde, 0x65, 0x59, 0xc2, 0xb7, 0x4f, + 0x5d, 0xdd, 0x9e, 0xbd, 0xe7, 0xd7, 0x6f, 0x1c, 0x1c, 0x8d, 0xfe, 0xae, 0xb1, 0xc4, 0xce, 0x60, + 0x37, 0x5a, 0xea, 0xf6, 0x20, 0xd1, 0x02, 0x3b, 0x88, 0x3e, 0xb9, 0x5f, 0x62, 0xa7, 0x72, 0x40, + 0x3b, 0xd8, 0xf2, 0x18, 0x1c, 0x7d, 0xc3, 0xc1, 0x44, 0xc7, 0x19, 0x78, 0x91, 0x61, 0xa1, 0x20, + 0x44, 0xea, 0xc6, 0xb6, 0x21, 0x3c, 0x07, 0x7f, 0xe2, 0xe0, 0x70, 0xf8, 0xd1, 0xee, 0x75, 0xa6, + 0x45, 0x42, 0x90, 0x52, 0x2b, 0x83, 0x42, 0xf2, 0xbc, 0xfe, 0x8b, 0x83, 0x13, 0x5b, 0x1f, 0x7f, + 0xde, 0x66, 0x4b, 0xa4, 0xcd, 0x51, 0x53, 0x9f, 0xec, 0x04, 0xaa, 0xb7, 0xb3, 0xe7, 0x1c, 0x9c, + 0xea, 0xe9, 0xdc, 0xe9, 0x43, 0x06, 0x37, 0x7a, 0x01, 0x4e, 0xdd, 0xdb, 0x21, 0xe0, 0xc0, 0x16, + 0x7b, 0x3a, 0x94, 0x60, 0xd9, 0x62, 0x2f, 0xc0, 0x4c, 0x5b, 0xec, 0xe7, 0x7c, 0x00, 0x7d, 0xc9, + 0xc1, 0xa8, 0x7f, 0x38, 0xf0, 0x0e, 0x8b, 0x62, 0x5a, 0xd6, 0xa9, 0xd2, 0x76, 0xac, 0x3d, 0x8f, + 0x9e, 0x70, 0x80, 0x42, 0x1a, 0xf0, 0xf7, 0xd9, 0xc4, 0xdc, 0x01, 0x93, 0x5a, 0x1e, 0x08, 0x4c, + 0x47, 0xd5, 0x0c, 0xf4, 0xb6, 0x6c, 0x55, 0xb3, 0x1d, 0x82, 0xb1, 0x6a, 0x86, 0xb5, 0x97, 0xd4, + 0xc1, 0x8e, 0xde, 0xb2, 0xb8, 0xad, 0x10, 0x30, 0x3b, 0x18, 0xde, 0xb5, 0xb9, 0x65, 0x3d, 0xac, + 0x65, 0xbb, 0xce, 0xfc, 0xec, 0xe8, 0x40, 0x62, 0x2c, 0xeb, 0x9b, 0xf4, 0x24, 0xe8, 0x7b, 0x0e, + 
0x0e, 0x75, 0x37, 0x24, 0xa5, 0xed, 0xac, 0xe3, 0x79, 0xbb, 0x34, 0x08, 0x94, 0x96, 0xa7, 0x8b, + 0x9f, 0xfe, 0xfe, 0x22, 0xcd, 0x3d, 0x7b, 0x91, 0xe6, 0x9e, 0xbf, 0x48, 0x73, 0x8f, 0x5f, 0xa6, + 0x0f, 0x3c, 0x7b, 0x99, 0x3e, 0xf0, 0xf7, 0xcb, 0xf4, 0x81, 0x8f, 0x4b, 0x0a, 0xb1, 0x1e, 0xd4, + 0xcb, 0xb9, 0x8a, 0x56, 0xcd, 0x3b, 0x2b, 0xce, 0xb6, 0x96, 0xcc, 0xb7, 0x2d, 0x39, 0xeb, 0xaf, + 0x39, 0xeb, 0x2c, 0x9a, 0x7f, 0x98, 0xa7, 0xff, 0xd1, 0xdb, 0xd0, 0xb1, 0x59, 0x1e, 0xa2, 0x7f, + 0xa3, 0x3b, 0xf7, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x6b, 0xee, 0x4b, 0x70, 0xb7, 0x27, 0x00, + 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -3431,6 +3449,13 @@ func (m *MsgAddPkiRevocationDistributionPoint) MarshalToSizedBuffer(dAtA []byte) _ = i var l int _ = l + if len(m.CrlSignerDelegator) > 0 { + i -= len(m.CrlSignerDelegator) + copy(dAtA[i:], m.CrlSignerDelegator) + i = encodeVarintTx(dAtA, i, uint64(len(m.CrlSignerDelegator))) + i-- + dAtA[i] = 0x72 + } if m.SchemaVersion != 0 { i = encodeVarintTx(dAtA, i, uint64(m.SchemaVersion)) i-- @@ -3559,6 +3584,13 @@ func (m *MsgUpdatePkiRevocationDistributionPoint) MarshalToSizedBuffer(dAtA []by _ = i var l int _ = l + if len(m.CrlSignerDelegator) > 0 { + i -= len(m.CrlSignerDelegator) + copy(dAtA[i:], m.CrlSignerDelegator) + i = encodeVarintTx(dAtA, i, uint64(len(m.CrlSignerDelegator))) + i-- + dAtA[i] = 0x5a + } if m.SchemaVersion != 0 { i = encodeVarintTx(dAtA, i, uint64(m.SchemaVersion)) i-- @@ -4562,6 +4594,10 @@ func (m *MsgAddPkiRevocationDistributionPoint) Size() (n int) { if m.SchemaVersion != 0 { n += 1 + sovTx(uint64(m.SchemaVersion)) } + l = len(m.CrlSignerDelegator) + if l > 0 { + n += 1 + l + sovTx(uint64(l)) + } return n } @@ -4616,6 +4652,10 @@ func (m *MsgUpdatePkiRevocationDistributionPoint) Size() (n int) { if m.SchemaVersion != 0 { n += 1 + sovTx(uint64(m.SchemaVersion)) } + l = len(m.CrlSignerDelegator) + if l > 0 { + n += 1 + l + sovTx(uint64(l)) + } return n } 
@@ -7200,6 +7240,38 @@ func (m *MsgAddPkiRevocationDistributionPoint) Unmarshal(dAtA []byte) error { break } } + case 14: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CrlSignerDelegator", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowTx + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthTx + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthTx + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CrlSignerDelegator = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipTx(dAtA[iNdEx:]) @@ -7568,6 +7640,38 @@ func (m *MsgUpdatePkiRevocationDistributionPoint) Unmarshal(dAtA []byte) error { break } } + case 11: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CrlSignerDelegator", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowTx + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthTx + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthTx + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CrlSignerDelegator = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipTx(dAtA[iNdEx:]) From b24b41488387a5ef8c9fabdbbeef10ac06908dc9 Mon Sep 17 00:00:00 2001 From: Abdulbois Date: Thu, 28 Mar 2024 18:27:46 +0500 Subject: [PATCH 2/5] #531-Publish-PAI-certificates-for-CRLSignerCertificate-verification Minor refactoring due to PR's comments 
Signed-off-by: Abdulbois Signed-off-by: Abdulbois --- docs/transactions.md | 8 ++-- .../cli/pki-revocation-points.sh | 39 +++++++------------ integration_tests/constants/constants.go | 32 ++++++++++++--- x/pki/handler_add_revocation_test.go | 20 +++++++++- x/pki/handler_update_revocation_test.go | 23 ++++++++++- ...e_add_pki_revocation_distribution_point.go | 3 -- 6 files changed, 86 insertions(+), 39 deletions(-) diff --git a/docs/transactions.md b/docs/transactions.md index 8e360af5c..adc5080f2 100644 --- a/docs/transactions.md +++ b/docs/transactions.md @@ -1055,9 +1055,11 @@ Publishes a PKI Revocation distribution endpoint (such as RFC5280 Certificate Re If `crlSignerCertificate` is a PAA (root certificate), then it must be present on DCL. -If `crlSignerCertificate` is a PAI (intermediate certificate), then it must be chained back to a valid PAA (root certificate) present on DCL. +If `crlSignerCertificate` is a PAI (intermediate certificate) or delegated by PAA, then it must be chained back to a valid PAA (root certificate) present on DCL. In this case `crlSignerCertificate` is not required to be present on DCL, and will not be added to DCL as a result of this transaction. If PAI needs to be added to DCL, it should be done via [ADD_X509_CERT](#add_x509_cert) transaction. +If the `crlSignerCertificate` is delegated by a PAI, the delegator certificate must be provided using the `certificate-delegator` field. +Additionally, the `crlSignerCertificate` must be chained back to the PAA through the delegator certificate, the PAA must be present on the DCL. Publishing the revocation distribution endpoint doesn't automatically remove PAI (Intermediate certificates) and DACs (leaf certificates) added to DCL if they are revoked in the CRL identified by this distribution point. 
@@ -1072,7 +1074,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
 - pid: `optional(uint16)` - Product ID (positive non-zero). Must be empty if `IsPAA` is true. Must be equal to a `pid` field in `CRLSignerCertificate`.
 - isPAA: `bool` - True if the revocation information distribution point relates to a PAA
 - label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer.
- - crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+ - certificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
 - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
 - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
 - dataUrl: `string` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
@@ -1117,7 +1119,7 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif
 - vid: `uint16` - Vendor ID (positive non-zero). Must be the same as Vendor account's VID and `vid` field in the VID-scoped `CRLSignerCertificate`. Must be the same as a `vid` associated with non-VID scoped `CRLSignerCertificate` on the ledger.
 - label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer.
 - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
- - crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+ - certificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
 - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
 - dataUrl: `optional(string)` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
 - dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
diff --git a/integration_tests/cli/pki-revocation-points.sh b/integration_tests/cli/pki-revocation-points.sh
index eb1cab947..b7a139b5f 100755
--- a/integration_tests/cli/pki-revocation-points.sh
+++ b/integration_tests/cli/pki-revocation-points.sh
@@ -33,9 +33,9 @@ delegator_cert_with_vid_65521_path="integration_tests/constants/intermediate_cer
 delegator_cert_with_vid_65521_copy_path="integration_tests/constants/intermediate_cert_with_vid_1_copy"
 delegator_cert_with_vid_subject_key_id="0E8CE8C8B8AA50BC258556B9B19CC2C7D9C52F17"
-crl_leaf_cert_with_vid_65521_path="integration_tests/constants/leaf_cert_with_vid_65521"
-crl_leaf_cert_with_vid_65522_path="integration_tests/constants/leaf_cert_with_vid_65522"
-crl_leaf_cert_without_vid_path="integration_tests/constants/leaf_cert_without_vid"
+crl_signer_delegated_by_pai_1="integration_tests/constants/leaf_cert_with_vid_65521"
+crl_signer_delegated_by_pai_2="integration_tests/constants/leaf_cert_with_vid_65522"
+crl_signer_delegated_by_paa="integration_tests/constants/leaf_cert_without_vid"
 trustee_account="jack"
 second_trustee_account="alice"
@@ -275,9 +275,9 @@ response_does_not_contain "$result" "\"label\": \"$vid_non_vid_scoped\""
 test_divider
-echo "12. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+echo "12. ADD REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAI"
-result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes)
+result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_signer_delegated_by_pai_1" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
 result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
@@ -289,14 +289,14 @@ echo $result
 test_divider
-echo "13. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN IS_PAA=TRUE"
+echo "13. ADD REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAA"
 echo "Add PAI certificate"
 result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$delegator_cert_with_vid_65521_path" --from $vendor_account --yes)
 check_response "$result" "\"code\": 0"
 echo "Add PKI revocation point with IS_PAA=true"
-result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_leaf_cert_without_vid_path" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes)
+result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_signer_delegated_by_paa" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"
 result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
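Review bot: Step 13 is now titled "DELEGATED BY PAA" and submits with `--is-paa="true"`, yet the step first puts a PAI on the ledger (`$delegator_cert_with_vid_65521_path`) and passes that PAI's subject key id as `--issuer-subject-key-id`, so which certificate actually issued `$crl_signer_delegated_by_paa` cannot be read from the script. If the leaf is PAI-issued, the heading and the `is-paa` value misdescribe the case; if it is PAA-issued, the issuer SKID looks like the wrong one. A comment above the command naming the signer of leaf_cert_without_vid and why the PAI has to be added first would make the intent checkable, e.g. `# leaf_cert_without_vid is issued by <signer — TODO confirm>; the PAI is added above so the chain to the PAA can be built from ledger certificates`. Since the docs hunk states that a PAI-delegated signer must be submitted together with `certificate-delegator`, a negative step that omits `--certificate-delegator` for a PAI-delegated signer and expects a non-zero code would pin the new validation instead of only its success path.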
@@ -307,9 +307,9 @@ echo $result
 test_divider
-echo "14. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+echo "14. UPDATE REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAI"
 data_url_new="$data_url"_new
-result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes)
+result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_signer_delegated_by_pai_1" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
 echo $result
@@ -318,14 +318,14 @@ check_response "$result" "\"vid\": $vid"
 check_response "$result" "\"label\": \"$label_leaf_with_delegator\""
 check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
 check_response "$result" "\"dataURL\": \"$data_url_new\""
-check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65521_path)"
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_signer_delegated_by_pai_1)"
 check_response "$result" "\"CrlSignerDelegator\": $(<$delegator_cert_with_vid_65521_copy_path)"
 echo $result
 test_divider
-echo "15. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE"
-result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_leaf_cert_with_vid_65522_path" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes)
+echo "15. UPDATE REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAA"
+result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_signer_delegated_by_pai_2" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"
 echo $result
@@ -334,7 +334,7 @@ check_response "$result" "\"vid\": $vid_65522"
 check_response "$result" "\"label\": \"$label_leaf\""
 check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
 check_response "$result" "\"dataURL\": \"$data_url_new\""
-check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65522_path)"
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_signer_delegated_by_pai_2)"
 echo $result
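Review bot: Step 15's title now says the CRL signer is delegated by a PAA, but the certificate passed is `$crl_signer_delegated_by_pai_2` and no `--certificate-delegator` is supplied, while step 14 directly above passes a PAI-delegated signer together with its delegator; one of the title or the variable name is misleading. If the file is PAA-delegated, renaming it in line with step 13's `$crl_signer_delegated_by_paa` (e.g. `$crl_signer_delegated_by_paa_2`) keeps the `"CrlSignerCertificate": $(<…)` assertion readable; if it is PAI-delegated, the transaction succeeding without a delegator is what needs a look. The query assertions in the second hunk check only CrlSignerCertificate and do not assert that CrlSignerDelegator is absent for this point.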
@@ -422,7 +422,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\""
 test_divider
-echo "24. DELETE REVOCATION PAA"
+echo "24. DELETE REVOCATION POINT"
 result=$(dcld tx pki delete-revocation-point --vid=$vid --label="$label" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
@@ -431,15 +431,4 @@ echo $result
 result=$(dcld query pki revocation-point --vid=$vid --label=$label --issuer-subject-key-id=$issuer_subject_key_id)
 check_response "$result" "Not Found"
-test_divider
-
-echo "25. DELETE REVOCATION PAI"
-
-result=$(dcld tx pki delete-revocation-point --vid=$vid_65522 --label="$label_pai" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
-check_response "$result" "\"code\": 0"
-echo $result
-
-result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_pai --issuer-subject-key-id=$issuer_subject_key_id)
-check_response "$result" "Not Found"
-
 test_divider
\ No newline at end of file
diff --git a/integration_tests/constants/constants.go b/integration_tests/constants/constants.go
index 71c5afc94..a395a9d29 100644
--- a/integration_tests/constants/constants.go
+++ b/integration_tests/constants/constants.go
@@ -592,6 +592,23 @@ G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7 GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49 BAMCA0cAMEQCIHkhL7r/xEi16827IYysHe0w8X0rsbU5zcHcbK1wt0ALAiASEZMI NN1ZIQJHBjCm+vWh3Jsjt2wUHKIM5i64Wd9kPA== +-----END CERTIFICATE-----` + + IntermediateCertWithoutVidPid = `-----BEGIN CERTIFICATE----- +MIICfjCCAiOgAwIBAgIUApsGBeXsNPxNq4brOXLNfbYysakwCgYIKoZIzj0EAwIw +gZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3 +IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu +ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC +onwCAQwERkZGMTAgFw0yNDAzMjgxMzEzMjVaGA8zMDIzMDczMDEzMTMyNVowgYIx +CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlv +cmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGluZyBE +aXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAE5M2Hy7bsKdEZ2PQbT/PSij2uwpymBSiBDx9hgSD9AKVgUcm6 +EVt/Uz5V14xJxuWWm3iQYfaKHtpTVvvWNGRWzKNdMFswHQYDVR0OBBYEFA6M6Mi4 +qlC8JYVWubGcwsfZxS8XMB8GA1UdIwQYMBaAFM6okmbq4IC9K7Vo5AsHxPosNG0x +MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgGCMAoGCCqGSM49BAMCA0kAMEYCIQDm +jhpYAW9UseDLyoF2bmvy36jV7Hwvst+R3wJi0jh4xAIhAPXCfe8DUCoRV32q97C0 +IYJElzT/KwBY6c2Xyu4gsjqh -----END CERTIFICATE-----` LeafCertWithVid = `-----BEGIN CERTIFICATE----- 
@@ -648,11 +665,12 @@ fJhEWAA8mOgN9OVCdPWAegWuN3b2AiApXciu/dT4B5db3puPWrAsMjAUYF2Owc/D eujhLsD51w== -----END CERTIFICATE-----` - RootIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" - RootSubject = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" - RootSubjectAsText = "O=root-ca,ST=some-state,C=AU" - RootSubjectKeyID = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB" - RootSerialNumber = "442314047376310867378175982234956458728610743315" + RootIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" + RootSubject = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" + RootSubjectAsText = "O=root-ca,ST=some-state,C=AU" + RootSubjectKeyID = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB" + RootSubjectKeyIDWithoutColumns = "5A880E6C3653D07FB08971A3F473790930E62BDB" + RootSerialNumber = "442314047376310867378175982234956458728610743315" RootCertWithSameSubjectAndSKIDSubject = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" RootCertWithSameSubjectAndSKIDSubjectKeyID = "33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE" 
@@ -727,6 +745,10 @@ eujhLsD51w== IntermediateCertWithVid2SerialNumber = "4" IntermediateCertWithVid2Vid = 65522 + IntermediateCertWithoutVidPidSubject = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ==" + IntermediateCertWithoutVidPidSubjectKeyID = "0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17" + IntermediateCertWithoutVidPidSerialNumber = "14875121728167018569770528052537472929544450473" + LeafCertWithVidSubject = "MIGaMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRowGAYDVQQKDBFDUkwtbGVhZiB3aXRoIFZJRDEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGConwCAQwERkZGMQ==" LeafCertWithVidSubjectAsText = "CN=www.example.com,OU=Testing Division,O=CRL-leaf with VID,L=New York,ST=New York,C=US,vid=0xFFF1" LeafCertWithVidSubjectKeyID = "D6:98:26:10:BE:AC:23:74:09:0A:40:0B:CD:39:65:53:F1:76:B0:F5" diff --git a/x/pki/handler_add_revocation_test.go b/x/pki/handler_add_revocation_test.go index 847d4fbc8..c8066e20f 100644 --- a/x/pki/handler_add_revocation_test.go +++ b/x/pki/handler_add_revocation_test.go @@ -248,7 +248,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) { SchemaVersion: testconstants.SchemaVersion, }, { - name: "PAIWithDelegatedCert", + name: "CrlSignerDelegatedByPAI", rootCertOptions: createTestRootCertOptions(), addRevocation: &types.MsgAddPkiRevocationDistributionPoint{ Signer: vendorAcc.String(), 
@@ -259,7 +259,23 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) {
 CrlSignerDelegator: testconstants.IntermediateCertPem,
 Label: label,
 DataURL: testconstants.DataURL,
- IssuerSubjectKeyID: testconstants.IntermediateSubjectKeyIDWithoutColumns,
+ IssuerSubjectKeyID: testconstants.RootSubjectKeyIDWithoutColumns,
+ RevocationType: types.CRLRevocationType,
+ },
+ SchemaVersion: testconstants.SchemaVersion,
+ },
+ {
+ name: "CrlSignerDelegatedByPAA",
+ rootCertOptions: createTestRootCertOptions(),
+ addRevocation: &types.MsgAddPkiRevocationDistributionPoint{
+ Signer: vendorAcc.String(),
+ Vid: 65522,
+ IsPAA: true,
+ Pid: 0,
+ CrlSignerCertificate: testconstants.IntermediateCertPem,
+ Label: label,
+ DataURL: testconstants.DataURL,
+ IssuerSubjectKeyID: testconstants.RootSubjectKeyIDWithoutColumns,
 RevocationType: types.CRLRevocationType,
 },
 SchemaVersion: testconstants.SchemaVersion,
diff --git a/x/pki/handler_update_revocation_test.go b/x/pki/handler_update_revocation_test.go
index 5f6dfe7c9..9208f0cd7 100644
--- a/x/pki/handler_update_revocation_test.go
+++ b/x/pki/handler_update_revocation_test.go
@@ -720,7 +720,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField(
 },
 },
 {
- name: "PAI_With_Delegated_Certificate",
+ name: "CrlSignerDelegatedByPAI",
 rootCertOptions1: createTestRootCertOptions(),
 rootCertOptions2: createRootWithVidOptions(),
 addRevocation: createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()),
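Review bot: The new CrlSignerDelegatedByPAA case submits an intermediate certificate (`CrlSignerCertificate: testconstants.IntermediateCertPem`) with `IsPAA: true`, and the CrlSignerDelegatedByPAI case above it now also uses `RootSubjectKeyIDWithoutColumns` as the issuer SKID, so the two cases differ only in the flag and the delegator; nothing on the case says why a non-root signer is sent with IsPAA set, which a later reader is likely to take for a mistake. A comment on the case — presumably `// signer is issued directly by the PAA: IsPAA is set and no CrlSignerDelegator is supplied` — would record the intent. Whether a PAI-delegated signer sent without CrlSignerDelegator, or a PAA-delegated one sent with IsPAA false, is rejected cannot be seen from this positive-case table; it is worth confirming the negative-case test covers both. The test function starts outside the hunk.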
@@ -734,6 +734,27 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField(
 IssuerSubjectKeyID: testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns,
 },
 },
+ {
+ name: "CrlSignerDelegatedByPAA",
+ rootCertOptions1: createTestRootCertOptions(),
+ rootCertOptions2: createRootWithVidOptions(),
+ addRevocation: &types.MsgAddPkiRevocationDistributionPoint{
+ Signer: vendorAcc.String(),
+ IsPAA: true,
+ CrlSignerCertificate: testconstants.IntermediateCertPem,
+ Label: label,
+ DataURL: testconstants.DataURL,
+ IssuerSubjectKeyID: testconstants.RootSubjectKeyIDWithoutColumns,
+ RevocationType: types.CRLRevocationType,
+ },
+ updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{
+ Signer: vendorAcc.String(),
+ CrlSignerCertificate: testconstants.IntermediateCertWithoutVidPid,
+ Label: label,
+ DataURL: testconstants.DataURL,
+ IssuerSubjectKeyID: testconstants.RootSubjectKeyIDWithoutColumns,
+ },
+ },
 }
 for _, tc := range cases {
diff --git a/x/pki/types/message_add_pki_revocation_distribution_point.go b/x/pki/types/message_add_pki_revocation_distribution_point.go
index 635c857dd..ce13a530a 100644
--- a/x/pki/types/message_add_pki_revocation_distribution_point.go
+++ b/x/pki/types/message_add_pki_revocation_distribution_point.go
@@ -121,9 +121,6 @@ func (msg *MsgAddPkiRevocationDistributionPoint) verifyPAI(cert *x509.Certificat
 }
 if msg.CrlSignerDelegator != "" {
- if cert.AuthorityKeyID == "" {
- return pkitypes.NewErrInvalidAuthorityKeyIDFormat()
- }
 err = VerifyCRLSignerCertFormat(cert)
 if err != nil {
 return err
From a1b9a20c499a6cac4d50b6532eb5fd00a0aa65bc Mon Sep 17 00:00:00 2001
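Review bot: The new CrlSignerDelegatedByPAA update case replaces the signer with `testconstants.IntermediateCertWithoutVidPid`, but the table entry carries nothing that says which property of the replacement certificate the case exercises, and the expected stored values after the update are not visible here. A one-line comment on the case, e.g. `// swap to a second PAA-issued signer that carries no vid/pid; the point must still chain to the PAA`, would make the intent explicit — the chaining half is an assumption to confirm against the keeper. The surrounding case table and loop start outside the hunk.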
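Review bot: Removing the `cert.AuthorityKeyID == ""` guard means a CRL signer certificate without an Authority Key Identifier now reaches `VerifyCRLSignerCertFormat(cert)` and whatever chain check follows when a `CrlSignerDelegator` is supplied; the hunk does not show that either of those enforces an AKID, so a delegator-to-signer linkage that relies on matching the delegator's SKID could be skipped rather than rejected. If `VerifyCRLSignerCertFormat` already covers this, a comment at the removal site, e.g. `// AKID presence is enforced by VerifyCRLSignerCertFormat`, would document the intent; if it does not, the guard should be reinstated inside this branch. `verifyPAI` begins and ends outside the hunk, as does the `err` declaration the branch assigns to.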
From: "aziz.karabashov" Date: Tue, 9 Apr 2024 16:18:33 +0500 Subject: [PATCH 3/5] Fix issues highlighted in PR feedback --- docs/transactions.md | 14 +++--- types/pki/errors.go | 14 ++++-- ...x_add_pki_revocation_distribution_point.go | 4 +- ...pdate_pki_revocation_distribution_point.go | 4 +- ...e_add_pki_revocation_distribution_point.go | 45 ++++++++++++++----- ...elete_pki_revocation_distribution_point.go | 2 +- ...pdate_pki_revocation_distribution_point.go | 2 +- 7 files changed, 58 insertions(+), 27 deletions(-) diff --git a/docs/transactions.md b/docs/transactions.md index adc5080f2..b841de35c 100644 --- a/docs/transactions.md +++ b/docs/transactions.md @@ -1058,7 +1058,7 @@ If `crlSignerCertificate` is a PAA (root certificate), then it must be present o If `crlSignerCertificate` is a PAI (intermediate certificate) or delegated by PAA, then it must be chained back to a valid PAA (root certificate) present on DCL. In this case `crlSignerCertificate` is not required to be present on DCL, and will not be added to DCL as a result of this transaction. If PAI needs to be added to DCL, it should be done via [ADD_X509_CERT](#add_x509_cert) transaction. -If the `crlSignerCertificate` is delegated by a PAI, the delegator certificate must be provided using the `certificate-delegator` field. +If the `crlSignerCertificate` is delegated by a PAI, the delegator certificate must be provided using the `crlSignerDelegator` field. Additionally, the `crlSignerCertificate` must be chained back to the PAA through the delegator certificate, the PAA must be present on the DCL. Publishing the revocation distribution endpoint doesn't automatically remove PAI (Intermediate certificates) 
@@ -1074,8 +1074,8 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
 - pid: `optional(uint16)` - Product ID (positive non-zero). Must be empty if `IsPAA` is true. Must be equal to a `pid` field in `CRLSignerCertificate`.
 - isPAA: `bool` - True if the revocation information distribution point relates to a PAA
 - label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer.
- - certificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+ - crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. Please note that if crlSignerCertificate is a delegated certificate by a PAI, the delegator certificate must be provided using the `crlSignerDelegator` field.
+ - crlSignerDelegator: `optional(string)` - If crlSignerCertificate is a delegated certificate by a PAI, then crlSignerDelegator must contain the delegator PAI certificate which must be chained back to an approved certificate in the ledger, encoded in X.509v3 PEM format. Otherwise this field can be omitted. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
 - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided.
Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
 - dataUrl: `string` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
 - dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
@@ -1088,7 +1088,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
 - `pki/RevocationDistributionPoint/value///