#531 Publish pai certificates for crl signer certificate verification #557

Merged
16 changes: 16 additions & 0 deletions docs/static/openapi.yml
@@ -10705,6 +10705,8 @@ paths:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
pagination:
type: object
properties:
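Review bot: the new `crlSignerDelegator` property carries only `type: string` and no `description`, while docs/transactions.md in this same PR spells out its semantics (optional, PEM-encoded delegator PAI certificate, needed only when `crlSignerCertificate` is a delegated certificate). Add a `description` so API consumers learn the PEM encoding and the conditional requirement from the spec itself, for example `description: PEM-encoded PAI certificate that delegated crlSignerCertificate; omitted otherwise.` The same applies to the other seven places in this file where the property is added.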
@@ -10863,6 +10865,8 @@ paths:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
default:
description: An unexpected error response.
schema:
@@ -10935,6 +10939,8 @@ paths:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
default:
description: An unexpected error response.
schema:
@@ -21841,6 +21847,8 @@ definitions:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
zigbeealliance.distributedcomplianceledger.pki.PkiRevocationDistributionPointsByIssuerSubjectKeyID:
type: object
properties:
@@ -21881,6 +21889,8 @@ definitions:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
zigbeealliance.distributedcomplianceledger.pki.ProposedCertificate:
type: object
properties:
@@ -22284,6 +22294,8 @@ definitions:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
pagination:
type: object
properties:
@@ -23029,6 +23041,8 @@ definitions:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
zigbeealliance.distributedcomplianceledger.pki.QueryGetPkiRevocationDistributionPointsByIssuerSubjectKeyIDResponse:
type: object
properties:
@@ -23072,6 +23086,8 @@ definitions:
schemaVersion:
type: integer
format: int64
crlSignerDelegator:
type: string
zigbeealliance.distributedcomplianceledger.pki.QueryGetProposedCertificateResponse:
type: object
properties:
12 changes: 7 additions & 5 deletions docs/transactions.md
@@ -1007,7 +1007,7 @@ Publishes a PKI Revocation distribution endpoint (such as RFC5280 Certificate Re

If `crlSignerCertificate` is a PAA (root certificate), then it must be present on DCL.

If `crlSignerCertificate` is a PAI (intermediate certificate), then it must be chained back to a valid PAA (root certificate) present on DCL.
If `crlSignerCertificate` is a PAI (intermediate certificate) or delegated by PAA, then it must be chained back to a valid PAA (root certificate) present on DCL.
In this case `crlSignerCertificate` is not required to be present on DCL, and will not be added to DCL as a result of this transaction.
If PAI needs to be added to DCL, it should be done via [ADD_PAI](#add_pai) transaction.

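Review bot: the wording "or delegated by PAA" in the changed sentence conflicts with the new field descriptions further down in this file, which say the delegator is a PAI and is supplied via `crlSignerDelegator`; as written a reader cannot tell whether a PAA-delegated certificate is also accepted or whether the delegator chain is what gets verified. Suggest: "If `crlSignerCertificate` is a PAI (intermediate certificate), or a certificate delegated by a PAI supplied in `crlSignerDelegator`, then it must be chained back to a valid PAA (root certificate) present on DCL." The following sentence ("In this case `crlSignerCertificate` is not required to be present on DCL") should also say whether the delegator itself must be present on DCL or only chain to an approved certificate.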
@@ -1024,7 +1024,8 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
- pid: `optional(uint16)` - Product ID (positive non-zero). Must be empty if `IsPAA` is true. Must be equal to a `pid` field in `CRLSignerCertificate`.
- isPAA: `bool` - True if the revocation information distribution point relates to a PAA
- label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer.
- crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. Please note that if crlSignerCertificate is a delegated certificate by a PAI, the delegator certificate must be provided using the `crlSignerDelegator` field.
- crlSignerDelegator: `optional(string)` - If crlSignerCertificate is a delegated certificate by a PAI, then crlSignerDelegator must contain the delegator PAI certificate which must be chained back to an approved certificate in the ledger, encoded in X.509v3 PEM format. Otherwise this field can be omitted. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
- dataUrl: `string` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
- dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
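Review bot: the two new bullets require `crlSignerDelegator` to chain back to an approved certificate but never state that `crlSignerCertificate` must itself be issued (signed) by `crlSignerDelegator`; as described, a delegator unrelated to the CRL signer would satisfy the documented rule. State the verification explicitly, and clarify which certificate the `vid`/`pid` constraints above ("Must be equal to a `pid` field in `CRLSignerCertificate`") are evaluated against when a delegator is present. Grammar: "a delegated certificate by a PAI" reads better as "a certificate delegated by a PAI" in both bullets.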
@@ -1037,7 +1038,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
- `pki/RevocationDistributionPoint/value/<IssuerSubjectKeyID>/<vid>/<label>`-> Revocation Distribution Point
- CLI command:
- `dcld tx pki add-revocation-point --vid=<uint16> --pid=<uint16> --issuer-subject-key-id=<string> --is-paa=<bool> --label=<string>
--certificate=<string-or-path> --data-url=<string> --revocation-type=1 --from=<account>`
--certificate=<string-or-path> --certificate-delegator=<string-or-path> --data-url=<string> --revocation-type=1 --from=<account>`

#### UPDATE_REVOCATION_DISTRIBUTION_POINT

@@ -1053,7 +1054,8 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif
- vid: `uint16` - Vendor ID (positive non-zero). Must be the same as Vendor account's VID and `vid` field in the VID-scoped `CRLSignerCertificate`. Must be the same as a `vid` associated with non-VID scoped `CRLSignerCertificate` on the ledger.
- label: `string` - A label to disambiguate multiple revocation information partitions of a particular issuer.
- issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
- crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data. Please note that if crlSignerCertificate is a delegated certificate by a PAI, the delegator certificate must be provided using the `crlSignerDelegator` field.
- crlSignerDelegator: `optional(string)` - If crlSignerCertificate is a delegated certificate by a PAI, then crlSignerDelegator must contain the delegator PAI certificate which must be chained back to an approved certificate in the ledger, encoded in X.509v3 PEM format. Otherwise this field can be omitted. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
- dataUrl: `optional(string)` - The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
- dataFileSize: `optional(uint64)` - Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
- dataDigest: `optional(string)` - Digest of the entire contents of the associated file downloaded from the DataUrl. Must be omitted if RevocationType is 1. Must be provided if and only if the `DataFileSize` field is present.
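Review bot: in UPDATE_REVOCATION_DISTRIBUTION_POINT `crlSignerCertificate` is optional, but the new `crlSignerDelegator` bullet does not define the update semantics when only one of the two fields is supplied: whether a `crlSignerDelegator` sent without a new `crlSignerCertificate` is validated against the stored certificate, and whether omitting `crlSignerDelegator` clears a previously stored delegator or leaves it unchanged. Spell that out here; the two bullets are otherwise copied verbatim from ADD_REVOCATION_DISTRIBUTION_POINT and carry the same "a delegated certificate by a PAI" phrasing that reads better as "a certificate delegated by a PAI".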
@@ -1064,7 +1066,7 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif
- `pki/RevocationDistributionPoint/value/<IssuerSubjectKeyID>/<vid>/<label>` -> Revocation Distribution Point
- CLI command:
- `dcld tx pki update-revocation-point --vid=<uint16> --issuer-subject-key-id=<string> --label=<string>
--data-url=<string> --certificate=<string-or-path> --from=<account>`
--data-url=<string> --certificate=<string-or-path> --certificate-delegator=<string-or-path> --from=<account>`

#### DELETE_REVOCATION_DISTRIBUTION_POINT
