zigbee-alliance · ashcherbakov · Sep 4, 2024 · Aug 30, 2024 · Aug 30, 2024 · Sep 2, 2024
diff --git a/integration_tests/constants/constants.go b/integration_tests/constants/constants.go
@@ -280,9 +280,25 @@ HSMEGDAWgBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAKBggqhkjOPQQDAgNHADBEAiBQ
 qoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpH
 mUkpxyqvChVI1A0DTVFLJd4=
 -----END CERTIFICATE-----`
-	PAACertWithNumericVidSubject      = "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE="
-	PAACertWithNumericVidSubjectKeyID = "6A:FD:22:77:1F:51:1F:EC:BF:16:41:97:67:10:DC:DC:31:A1:71:7E"
-	PAACertWithNumericVidVid          = 65521
+	PAACertWithNumericVidSubject              = "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE="
+	PAACertWithNumericVidSubjectKeyID         = "6A:FD:22:77:1F:51:1F:EC:BF:16:41:97:67:10:DC:DC:31:A1:71:7E"
+	PAACertWithNumericVidVid                  = 65521
+	PAACertWithNumericVidDifferentWhitespaces = `
+-----BEGIN CERTIFICATE-----
+MIIBvTCCAWSgAwIBAgIITqjoMY
+LUHBwwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwP
+TWF0dGVyIFRlc3QgUEFBMRQ
+wEgYKKwYBBAGConwCAQwERkZGMTAgFw0yMTA2Mjgx
+ND  IzNDNaGA85OTk5MTI
+zMTIzNTk1OVowMDEYMBYGA1UEAwwPTWF0dGVyIFRlc3Qg
+UEFBMRQwEgYKKwYBBAGConwCAQwERkZGMTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLbLY3KIfyko9brIGqnZOuJDHK2p154kL2UXfvnO2TKijs0Duq9qj8oYShpQ
+NUKWDUU/	MD8fGUIddR6Pjxqam3WjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD
+VR0PAQH/BAQDAgEGMB0GA1Ud     DgQWBBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAfBgNV
+HSMEGDAWgBRq/SJ3H1Ef7L8WQZdnENzcMaFxfjAKBggqhkjOPQQDAgNHADBEAiBQ
+qoAC9NkyqaAFOPZTaK0P/8jvu8m+t9pWmDXPmqdRDgIgI7rI/g8j51RFtlM5CBpH
+mUkpxyqvChVI1A0DTVFLJd4=
+-----END CERTIFICATE-----`
 
 	PAACertNoVid = `
 -----BEGIN CERTIFICATE-----
@@ -314,6 +330,7 @@ NbKsuLiNm8I5idctQg3eaw==
 -----END CERTIFICATE-----`
 	PAACertWithNumericVid1Subject      = "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBEZGRjI="
 	PAACertWithNumericVid1SubjectKeyID = "7F:1D:AA:F2:44:98:B9:86:68:0E:A0:8F:C1:89:21:E8:48:48:9D:17"
+	PAACertWithNumericVid1Vid          = 65522
 
 	PAICertWithNumericPidVid = `
 -----BEGIN CERTIFICATE-----
@@ -550,7 +567,8 @@ al/8sTx3xx7fWpS+rJ3jviCpHgP+cGV/ANg8hOlyr68u0FE+x6pye00TmxcFzDuo
 2Vciq5eYOIi+PlP+HI5QzlZYxSqFjJrFcfzYCJ4=
 -----END CERTIFICATE-----`
 
-	RootCertWithVid = `-----BEGIN CERTIFICATE-----
+	RootCertWithVid = `
+-----BEGIN CERTIFICATE-----
 MIICdDCCAhmgAwIBAgIBATAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP
 BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh
 bXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD
@@ -565,6 +583,24 @@ kmbq4IC9K7Vo5AsHxPosNG0xMB8GA1UdIwQYMBaAFM6okmbq4IC9K7Vo5AsHxPos
 NG0xMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOdYHo1krgzyV+CT
 G+RKcYoxHr6YS9ddNOJibjBx/I63AiEAxNl6kcOH0Rovwi2wySHvTD26kfUYJAmi
 HGBcCo5whZU=
+-----END CERTIFICATE-----`
+	RootCertWithVidDifferentWhitespaces = `
+-----BEGIN CERTIFICATE-----
+MIICdDCCAhmgAwIBAgIBATAKBggqhkjOPQQDAjCBmDELMAkGA1UEBhMCVVMxETAP
+BgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhh
+bXBsZSBDb21wYW55MRkwFw
+YDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQD
+DA93d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMCAXDTI0MDIy
+NjExNTQzMVoYDzMwMjMwNjI5	MTE1NDMxWjCBmDELMAkGA1UEBhMCVVMxETAPBgNV
+BAgMCE5ldyBZb3JrMREwDwYDVQQHDAhOZXcgWW9yazEYMBYGA1UECgwPRXhhbXBs
+ZSBDb21wYW55MRkwFwYDVQ  QLDBBUZXN0aW5nIERpdmlzaW9uMRgwFgYDVQQDDA93
+d3cuZXhhbXBsZS5jb20xFDASBgorBgEEAYKifAIBDARGRkYxMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEDcguargOjH5nh4SCsflFk1ACqNBOR6Wua8huVYPBfse6
+uwfkgmyTJrCBCUAq9ayPD83jPVor1NN9YAx/V0zbsKNQME4wHQYDVR0OBBYEFM6o
+	kmbq4IC9K7Vo5AsHxPosNG0xMB8GA1UdIwQYMBaAFM6okmbq4IC9K7Vo5AsHxPos
+NG0xMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOdYHo1krgzyV+CT
+G+RKcYoxHr6YS9d dNOJibjBx/I63AiEAxNl6kcOH0Rovwi2wySHvTD26kfUYJAmi
+HGBcCo5whZU=
 -----END CERTIFICATE-----`
 
 	IntermediateCertWithVid1 = `-----BEGIN CERTIFICATE-----

diff --git a/integration_tests/grpc_rest/pki/grpc_test.go b/integration_tests/grpc_rest/pki/grpc_test.go
@@ -35,3 +35,8 @@ func TestPkiDemoGRPC(t *testing.T) {
 	pki.Demo(&suite)
 	pki.NocCertDemo(&suite)
 }
+
+func TestAddUpdateRevocationPointForSameCertificateWithDifferentWhitespacesGRPC(t *testing.T) {
+	suite := utils.SetupTest(t, testconstants.ChainID, false)
+	pki.AddUpdateRevocationPointForSameCertificateWithDifferentWhitespaces(&suite)
+}
diff --git a/integration_tests/grpc_rest/pki/helpers.go b/integration_tests/grpc_rest/pki/helpers.go
@@ -1687,6 +1687,21 @@ func Demo(suite *utils.TestSuite) {
 	revDistPoints, _ = GetAllPkiRevocationDistributionPoints(suite)
 	require.Equal(suite.T, 1, len(revDistPoints))
 
+	// Add revocation distribution point for PAA by Vendor with certificate with different whitespaces
+	msgAddPkiRevDistPoints = pkitypes.MsgAddPkiRevocationDistributionPoint{
+		Signer:               vendorAccount.Address,
+		Vid:                  vendorAccount.VendorID,
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+		IsPAA:                true,
+		CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces,
+		Label:                "label" + "-new",
+		DataURL:              testconstants.DataURL + "-new",
+		RevocationType:       1,
+		SchemaVersion:        0,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddPkiRevDistPoints}, vendorName, vendorAccount)
+	require.NoError(suite.T, err)
+
 	// Revoke certificates by serialNumber
 
 	// Add root certificates
@@ -2153,3 +2168,97 @@ func Demo(suite *utils.TestSuite) {
 	require.Equal(suite.T, 1, len(certs.Certs))
 	require.Equal(suite.T, int32(testconstants.PAICertWithNumericVidVid), certs.Certs[0].Vid)
 }
+
+func AddUpdateRevocationPointForSameCertificateWithDifferentWhitespaces(suite *utils.TestSuite) {
+	// Alice and Jack are predefined Trustees
+	aliceName := testconstants.AliceAccount
+	aliceKeyInfo, err := suite.Kr.Key(aliceName)
+	require.NoError(suite.T, err)
+	address, err := aliceKeyInfo.GetAddress()
+	require.NoError(suite.T, err)
+	aliceAccount, err := test_dclauth.GetAccount(suite, address)
+	require.NoError(suite.T, err)
+
+	jackName := testconstants.JackAccount
+	jackKeyInfo, err := suite.Kr.Key(jackName)
+	require.NoError(suite.T, err)
+	address, err = jackKeyInfo.GetAddress()
+	require.NoError(suite.T, err)
+	jackAccount, err := test_dclauth.GetAccount(suite, address)
+	require.NoError(suite.T, err)
+
+	// Register new Vendor account
+	vendorName := utils.RandString()
+	vendorAccount := test_dclauth.CreateVendorAccount(
+		suite,
+		vendorName,
+		dclauthtypes.AccountRoles{dclauthtypes.Vendor},
+		testconstants.RootCertWithVidVid,
+		testconstants.ProductIDsEmpty,
+		aliceName,
+		aliceAccount,
+		jackName,
+		jackAccount,
+		testconstants.Info,
+	)
+	require.NotNil(suite.T, vendorAccount)
+
+	// Propose
+	msgProposeAddX509RootCert := pkitypes.MsgProposeAddX509RootCert{
+		Cert:   testconstants.RootCertWithVid,
+		Signer: jackAccount.Address,
+		Vid:    testconstants.RootCertWithVidVid,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgProposeAddX509RootCert}, jackName, jackAccount)
+	require.NoError(suite.T, err)
+
+	// Approve
+	msgApproveAddX509RootCert := pkitypes.MsgApproveAddX509RootCert{
+		Subject:      testconstants.RootCertWithVidSubject,
+		SubjectKeyId: testconstants.RootCertWithVidSubjectKeyID,
+		Signer:       aliceAccount.Address,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgApproveAddX509RootCert}, aliceName, aliceAccount)
+	require.NoError(suite.T, err)
+
+	// Add revocation distribution point
+	label := "label-add-update"
+	dataURL := testconstants.DataURL + "add-update"
+	msgAddPkiRevocationDistributionPoint := pkitypes.MsgAddPkiRevocationDistributionPoint{
+		Signer:               vendorAccount.Address,
+		Vid:                  vendorAccount.VendorID,
+		IsPAA:                true,
+		Pid:                  8,
+		CrlSignerCertificate: testconstants.RootCertWithVidDifferentWhitespaces,
+		Label:                label,
+		DataURL:              dataURL,
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+		RevocationType:       1,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddPkiRevocationDistributionPoint}, vendorName, vendorAccount)
+	require.NoError(suite.T, err)
+
+	revocationPointBySubjectKeyID, err := GetPkiRevocationDistributionPointsBySubject(suite, testconstants.SubjectKeyIDWithoutColons)
+	require.NoError(suite.T, err)
+	require.Equal(suite.T, 1, len(revocationPointBySubjectKeyID.Points))
+	require.Equal(suite.T, msgAddPkiRevocationDistributionPoint.CrlSignerCertificate, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate)
+
+	// Update revocation distribution point
+	msgUpdatePkiRevocationDistributionPoint := pkitypes.MsgUpdatePkiRevocationDistributionPoint{
+		Signer:               vendorAccount.Address,
+		Vid:                  vendorAccount.VendorID,
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+		CrlSignerCertificate: testconstants.RootCertWithVid,
+		Label:                label,
+		DataURL:              dataURL + "/new",
+		SchemaVersion:        0,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgUpdatePkiRevocationDistributionPoint}, vendorName, vendorAccount)
+	require.NoError(suite.T, err)
+
+	revocationPointBySubjectKeyID, err = GetPkiRevocationDistributionPointsBySubject(suite, testconstants.SubjectKeyIDWithoutColons)
+	require.NoError(suite.T, err)
+	require.Equal(suite.T, 1, len(revocationPointBySubjectKeyID.Points))
+	require.Equal(suite.T, msgUpdatePkiRevocationDistributionPoint.CrlSignerCertificate, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate)
+	require.Equal(suite.T, msgUpdatePkiRevocationDistributionPoint.DataURL, revocationPointBySubjectKeyID.Points[0].DataURL)
+}
diff --git a/integration_tests/grpc_rest/pki/rest_test.go b/integration_tests/grpc_rest/pki/rest_test.go
@@ -35,3 +35,8 @@ func TestPkiDemoREST(t *testing.T) {
 	pki.Demo(&suite)
 	pki.NocCertDemo(&suite)
 }
+
+func TestAddUpdateRevocationPointForSameCertificateWithDifferentWhitespacesREST(t *testing.T) {
+	suite := utils.SetupTest(t, testconstants.ChainID, true)
+	pki.AddUpdateRevocationPointForSameCertificateWithDifferentWhitespaces(&suite)
+}
diff --git a/x/pki/handler_test.go b/x/pki/handler_test.go
@@ -1824,6 +1824,96 @@ func TestHandler_RevocationPointsByIssuerSubjectKeyID(t *testing.T) {
 	require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
 }
 
+func TestHandler_AddRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) {
+	setup := Setup(t)
+
+	vendorAcc := GenerateAccAddress()
+	setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65521)
+
+	// propose x509 root certificate by account Trustee1
+	proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
+	_, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+	require.NoError(t, err)
+
+	// approve
+	approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
+		setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info)
+	_, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
+	require.NoError(t, err)
+
+	addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{
+		Signer:               vendorAcc.String(),
+		Vid:                  testconstants.PAACertWithNumericVidVid,
+		IsPAA:                true,
+		Pid:                  8,
+		CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces,
+		Label:                "label",
+		DataURL:              testconstants.DataURL + "/1",
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+		RevocationType:       1,
+	}
+	_, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
+	require.NoError(t, err)
+
+	revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
+	require.True(t, isFound)
+	require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
+	require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, addPkiRevocationDistributionPoint.CrlSignerCertificate)
+}
+
+func TestHandler_UpdateRevocationPointForSameCertificateWithDifferentWhitespaces(t *testing.T) {
+	setup := Setup(t)
+
+	vendorAcc := GenerateAccAddress()
+	setup.AddAccount(vendorAcc, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, 65521)
+
+	// propose x509 root certificate by account Trustee1
+	proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVid, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion)
+	_, err := setup.Handler(setup.Ctx, proposeAddX509RootCert)
+	require.NoError(t, err)
+
+	// approve
+	approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(
+		setup.Trustee2.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, testconstants.Info)
+	_, err = setup.Handler(setup.Ctx, approveAddX509RootCert)
+	require.NoError(t, err)
+
+	addPkiRevocationDistributionPoint := types.MsgAddPkiRevocationDistributionPoint{
+		Signer:               vendorAcc.String(),
+		Vid:                  testconstants.PAACertWithNumericVidVid,
+		IsPAA:                true,
+		Pid:                  8,
+		CrlSignerCertificate: testconstants.PAACertWithNumericVid,
+		Label:                "label",
+		DataURL:              testconstants.DataURL + "/1",
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+		RevocationType:       1,
+	}
+	_, err = setup.Handler(setup.Ctx, &addPkiRevocationDistributionPoint)
+	require.NoError(t, err)
+
+	revocationPointBySubjectKeyID, isFound := setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
+	require.True(t, isFound)
+	require.Equal(t, len(revocationPointBySubjectKeyID.Points), 1)
+
+	dataURLNew := testconstants.DataURL + "/new"
+	updatePkiRevocationDistributionPoint := types.MsgUpdatePkiRevocationDistributionPoint{
+		Signer:               vendorAcc.String(),
+		Vid:                  testconstants.PAACertWithNumericVidVid,
+		CrlSignerCertificate: testconstants.PAACertWithNumericVidDifferentWhitespaces,
+		Label:                "label",
+		DataURL:              dataURLNew,
+		IssuerSubjectKeyID:   testconstants.SubjectKeyIDWithoutColons,
+	}
+	_, err = setup.Handler(setup.Ctx, &updatePkiRevocationDistributionPoint)
+	require.NoError(t, err)
+
+	revocationPointBySubjectKeyID, isFound = setup.Keeper.GetPkiRevocationDistributionPointsByIssuerSubjectKeyID(setup.Ctx, testconstants.SubjectKeyIDWithoutColons)
+	require.True(t, isFound)
+	require.Equal(t, revocationPointBySubjectKeyID.Points[0].CrlSignerCertificate, updatePkiRevocationDistributionPoint.CrlSignerCertificate)
+	require.Equal(t, revocationPointBySubjectKeyID.Points[0].DataURL, updatePkiRevocationDistributionPoint.DataURL)
+}
+
 func TestHandler_AssignVid_SenderNotVendorAdmin(t *testing.T) {
 	setup := Setup(t)
 

diff --git a/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go b/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go
@@ -94,7 +94,7 @@ func (k msgServer) checkRootCert(ctx sdk.Context, crlSignerCertificate *x509.Cer
 	// check that it has the same PEM value
 	var foundRootCert *types.Certificate
 	for _, approvedCertificate := range approvedCertificates.Certs {
-		if approvedCertificate.PemCert == msg.CrlSignerCertificate {
+		if x509.RemoveWhitespaces(approvedCertificate.PemCert) == x509.RemoveWhitespaces(msg.CrlSignerCertificate) {
 			foundRootCert = approvedCertificate
 
 			break

diff --git a/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go b/x/pki/keeper/msg_server_update_pki_revocation_distribution_point.go
@@ -131,7 +131,7 @@ func (k msgServer) verifyUpdatedPAA(ctx sdk.Context, newCertificatePem string, r
 	// check that it has the same PEM value
 	var foundRootCert *types.Certificate
 	for _, approvedCertificate := range approvedCertificates.Certs {
-		if approvedCertificate.PemCert == newCertificatePem {
+		if x509.RemoveWhitespaces(approvedCertificate.PemCert) == x509.RemoveWhitespaces(newCertificatePem) {
 			foundRootCert = approvedCertificate
 
 			break

diff --git a/x/pki/x509/x509.go b/x/pki/x509/x509.go
@@ -24,6 +24,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki"
 )
@@ -163,6 +164,18 @@ func BytesToHex(bytes []byte) string {
 	return strings.Join(bytesHex, ":")
 }
 
+func RemoveWhitespaces(pem string) string {
+	var builder strings.Builder
+
+	for _, r := range pem {
+		if !unicode.IsSpace(r) {
+			builder.WriteRune(r)
+		}
+	}
+
+	return builder.String()
+}
+
 func (c Certificate) Verify(parent *Certificate, blockTime time.Time) error {
 	roots := x509.NewCertPool()
 	roots.AddCert(parent.Certificate)