
Commit 0cb5bab

committed
#535 Make the revocation of child certificates optional
- Cover with extra tests - Add shortcut for `revoke-child` flag3 Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent f8e458d commit 0cb5bab


6 files changed

+313
-5
lines changed

@@ -0,0 +1,252 @@
1+
set -euo pipefail
2+
source integration_tests/cli/common.sh
3+
4+
root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
5+
root_cert_1_serial_number="1"
6+
root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
7+
root_cert_2_serial_number="2"
8+
root_cert_vid=65521
9+
intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
10+
intermediate_cert_1_serial_number="3"
11+
intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
12+
intermediate_cert_2_serial_number="4"
13+
root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
14+
root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
15+
intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
16+
intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
17+
leaf_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
18+
leaf_cert_subject_key_id="12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03"
19+
leaf_cert_path="integration_tests/constants/leaf_with_same_subject_and_skid"
20+
leaf_cert_serial_number="5"
21+
22+
trustee_account="jack"
23+
second_trustee_account="alice"
24+
25+
test_divider
26+
27+
echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
28+
29+
echo "Propose and approve root certificate 1"
30+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --vid "$root_cert_vid" --from $trustee_account --yes)
31+
check_response "$result" "\"code\": 0"
32+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
33+
check_response "$result" "\"code\": 0"
34+
35+
echo "Propose and approve root certificate 2"
36+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --vid "$root_cert_vid" --from $trustee_account --yes)
37+
check_response "$result" "\"code\": 0"
38+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
39+
check_response "$result" "\"code\": 0"
40+
41+
echo "Add an intermediate certificate with serialNumber 3"
42+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
43+
check_response "$result" "\"code\": 0"
44+
45+
echo "Add an intermediate certificate with serialNumber 4"
46+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
47+
check_response "$result" "\"code\": 0"
48+
49+
echo "Add a leaf certificate with serialNumber 5"
50+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes)
51+
check_response "$result" "\"code\": 0"
52+
53+
echo "Request all approved root certificates."
54+
result=$(dcld query pki all-x509-certs)
55+
echo $result | jq
56+
check_response "$result" "\"subject\": \"$root_cert_subject\""
57+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
58+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
59+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
60+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
61+
62+
echo "Revoke intermediate certificates only(leaf certificates should not be removed)"
63+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$trustee_account --yes)
64+
check_response "$result" "\"code\": 0"
65+
66+
echo "Request all revoked certificates should contain two intermediate certificates"
67+
result=$(dcld query pki all-revoked-x509-certs)
68+
echo $result | jq
69+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
70+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
71+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
72+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
73+
74+
echo "Request all approved intermediate certificates should be emtpy"
75+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
76+
echo $result | jq
77+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
78+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
79+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
80+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
81+
82+
echo "Request all approved leaf certificates should contain only one certificate with serialNumber 5"
83+
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
84+
echo $result | jq
85+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
86+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
87+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
88+
89+
echo "Remove revoked intermediate certificates to re-add them again"
90+
result=$(echo "$passphrase" | dcld tx pki remove-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$trustee_account --yes)
91+
check_response "$result" "\"code\": 0"
92+
93+
echo "Add an intermediate certificate with serialNumber 3"
94+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
95+
check_response "$result" "\"code\": 0"
96+
97+
echo "Add an intermediate certificate with serialNumber 4"
98+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
99+
check_response "$result" "\"code\": 0"
100+
101+
echo "Request all approved root certificates."
102+
result=$(dcld query pki all-x509-certs)
103+
echo $result | jq
104+
check_response "$result" "\"subject\": \"$root_cert_subject\""
105+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
106+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
107+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
108+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
109+
110+
echo "Revoke intermediate certificates and its child certificates too"
111+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --revoke-child=true --from=$trustee_account --yes)
112+
check_response "$result" "\"code\": 0"
113+
114+
echo "Request all revoked certificates should contain two intermediate and one leaf certificates"
115+
result=$(dcld query pki all-revoked-x509-certs)
116+
echo $result | jq
117+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
118+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
119+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
120+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
121+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
122+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
123+
124+
echo "Request all approved certificates should contain only two root certificates"
125+
result=$(dcld query pki all-x509-certs)
126+
echo $result | jq
127+
check_response "$result" "\"subject\": \"$root_cert_subject\""
128+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
129+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
130+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
131+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
132+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
133+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
134+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
135+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
136+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
137+
138+
echo "Remove intermediate and leaf certificates to re-add them again"
139+
result=$(echo "$passphrase" | dcld tx pki remove-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$trustee_account --yes)
140+
check_response "$result" "\"code\": 0"
141+
result=$(echo "$passphrase" | dcld tx pki remove-x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id" --from=$trustee_account --yes)
142+
check_response "$result" "\"code\": 0"
143+
144+
echo "Add an intermediate certificate with serialNumber 3"
145+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
146+
check_response "$result" "\"code\": 0"
147+
148+
echo "Add an intermediate certificate with serialNumber 4"
149+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
150+
check_response "$result" "\"code\": 0"
151+
152+
echo "Add a leaf certificate with serialNumber 5"
153+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes)
154+
check_response "$result" "\"code\": 0"
155+
156+
echo "$trustee_account (Trustee) proposes to revoke Root certificates and its child certificates too"
157+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --revoke-child=true --from $trustee_account --yes)
158+
check_response "$result" "\"code\": 0"
159+
160+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate"
161+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
162+
check_response "$result" "\"code\": 0"
163+
164+
echo "Request all revoked certificates should contain two root, one intermediate and one leaf certificates"
165+
result=$(dcld query pki all-revoked-x509-certs)
166+
echo $result | jq
167+
check_response "$result" "\"subject\": \"$root_cert_subject\""
168+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
169+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
170+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
171+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
172+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
173+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
174+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
175+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
176+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
177+
178+
echo "Request all approved root certificates should be empty"
179+
result=$(dcld query pki all-x509-root-certs)
180+
echo $result | jq
181+
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
182+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
183+
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
184+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
185+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
186+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
187+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
188+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
189+
190+
root_cert_path="integration_tests/constants/root_cert"
191+
root_cert_subject="MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh"
192+
root_cert_subject_key_id="5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB"
193+
root_cert_serial_number="442314047376310867378175982234956458728610743315"
194+
root_cert_vid=1
195+
196+
intermediate_cert_path="integration_tests/constants/intermediate_cert"
197+
intermediate_cert_subject="MDwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRgwFgYDVQQKDA9pbnRlcm1lZGlhdGUtY2E="
198+
intermediate_cert_subject_key_id="4E:3B:73:F4:70:4D:C2:98:0D:DB:C8:5A:5F:02:3B:BF:86:25:56:2B"
199+
intermediate_cert_serial_number="169917617234879872371588777545667947720450185023"
200+
201+
leaf_cert_path="integration_tests/constants/leaf_cert"
202+
leaf_cert_subject="MDExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMQ0wCwYDVQQKDARsZWFm"
203+
leaf_cert_subject_key_id="30:F4:65:75:14:20:B2:AF:3D:14:71:17:AC:49:90:93:3E:24:A0:1F"
204+
leaf_cert_serial_number="143290473708569835418599774898811724528308722063"
205+
leaf_cert_subject_as_text="O=leaf,ST=some-state,C=AU"
206+
207+
208+
echo "Propose and approve root certificate"
209+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_path" --vid "$root_cert_vid" --from $trustee_account --yes)
210+
check_response "$result" "\"code\": 0"
211+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
212+
check_response "$result" "\"code\": 0"
213+
214+
echo "Add an intermediate certificate with serialNumber $intermediate_cert_serial_number"
215+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_path" --from $trustee_account --yes)
216+
check_response "$result" "\"code\": 0"
217+
218+
echo "Add a leaf certificate with serialNumber $leaf_cert_subject_as_text"
219+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes)
220+
check_response "$result" "\"code\": 0"
221+
222+
223+
echo "$trustee_account (Trustee) proposes to revoke Root certificates only(child certificates should not be removed)"
224+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes)
225+
check_response "$result" "\"code\": 0"
226+
227+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificates only(child certificates should not be removed)"
228+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
229+
check_response "$result" "\"code\": 0"
230+
231+
echo "Request all revoked certificates should contain one root certificate"
232+
result=$(dcld query pki all-revoked-x509-certs)
233+
echo $result | jq
234+
check_response "$result" "\"subject\": \"$root_cert_subject\""
235+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
236+
check_response "$result" "\"serialNumber\": \"$root_cert_serial_number\""
237+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_serial_number"
238+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
239+
240+
echo "Request all approved certificates should contain one intermediate and one leaf certificates"
241+
result=$(dcld query pki all-x509-certs)
242+
echo $result | jq
243+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
244+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
245+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
246+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_serial_number\""
247+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
248+
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
249+
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
250+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_serial_number\""
251+
252+
test_divider
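Review bot: The step "Request all approved root certificates should be empty" (new lines 178-188) queries `all-x509-root-certs`, so its `response_does_not_contain` checks for the intermediate subject, key id and serial numbers probably pass whether or not `--revoke-child=true` cascaded (assuming that query lists only root certificates), and the leaf is not checked there at all. Using `result=$(dcld query pki all-x509-certs)` for this step and adding `response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""` would make it confirm that no child of the revoked roots remains in the approved set. Separately, several patterns drop the closing `\"`, for example `"\"serialNumber\": \"$leaf_cert_serial_number"` on new lines 136, 176, 238 and 247, which turns them into prefix matches: with a serial of `5` a positive check would also accept `50`. Ending them with `\""` as on new line 122 keeps each match exact.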
