Commit 15c51d4 (parent 8df9615)

Update documentation for add/revoke/remove transactions

1 file changed (+11 -6 lines)

docs/transactions.md (+11 -6)
@@ -905,13 +905,17 @@ already present on the ledger.
905905

906906
The certificate is immutable. It can only be revoked by either the owner or a quorum of Trustees.
907907

908+
- Who can send: Vendor account
909+
- PAA (Root certificates) are VID-scoped:
910+
- the `vid` field in the subject of the intermediate/leaf X509 certificate must be equal to the Vendor account's VID.
911+
- Non-VID scoped PAAs (Root certificates):
912+
- if the intermediate/leaf X509 certificate is VID-scoped, then the `vid` field in the certificate must match the corresponding PAA's `vid` field on the ledger, or the intermediate/leaf X509 certificate must not be VID-scoped.
913+
- `vid` field associated with the corresponding PAA on the ledger must be equal to the Vendor account's VID.
908914
- Parameters:
909915
- cert: `string` - PEM encoded certificate. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
910916
- In State:
911917
- `pki/ApprovedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
912918
- `pki/ChildCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
913-
- Who can send:
914-
- Any role
915919
- CLI command:
916920
- `dcld tx pki add-x509-cert --certificate=<string-or-path> --from=<account>`
917921
- Validation:
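Review bot: the two VID-scoping cases added under "Who can send" are not phrased in parallel, and the second is hard to parse. The bullet "PAA (Root certificates) are VID-scoped:" reads as a statement about all PAAs; it should be "VID-scoped PAAs (Root certificates):" to mirror "Non-VID scoped PAAs (Root certificates):" and the wording the CRL distribution point section already uses ("VID-scoped PAAs (Root certs) and PAIs (Intermediate certs): ..."). The bullet "if the intermediate/leaf X509 certificate is VID-scoped, then the `vid` field in the certificate must match the corresponding PAA's `vid` field on the ledger, or the intermediate/leaf X509 certificate must not be VID-scoped" folds a conditional and an alternative into one sentence; split it into two bullets: either the certificate is not VID-scoped, or its `vid` equals the `vid` recorded for the PAA on the ledger. Finally, since "Who can send: Vendor account" replaces the removed "Any role", it is worth saying once, in plain words, that accounts with other roles (including Trustees) can no longer send ADD_X509_CERT.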
@@ -921,7 +925,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
921925
- no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
922926
- if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
923927
- the existing certificate must not be NOC certificate
924-
- sender must match to the owner of the existing certificates.
928+
- the sender's VID must match the vid field of the existing certificates.
925929
- the signature (self-signature) and expiration date are valid.
926930
- parent certificate must be already stored on the ledger and a valid chain to some root certificate can be built.
927931

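Review bot: the replacement check "the sender's VID must match the vid field of the existing certificates" relaxes the rule from owner-only to same-VID and leaves one case undefined. Any Vendor account sharing the VID can now add a certificate under an existing Subject/Subject Key ID, not only the account that added the first one; state that explicitly, because the removed line "sender must match to the owner of the existing certificates" was stricter. The "Who can send" block above also permits an intermediate/leaf certificate that is not VID-scoped, so the text should say which `vid` value is compared for existing certificates that carry no VID in their subject. Put `vid` in backticks as elsewhere in the file.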
@@ -941,6 +945,8 @@ If `revoke-child` flag is set to `true` then all the certificates in the chain s
941945
Only the owner (sender) can revoke the certificate.
942946
Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead.
943947

948+
- Who can send: Vendor account
949+
- the sender's VID must match the vid field of the revoking certificates.
944950
- Parameters:
945951
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
946952
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
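Review bot: the new rule "the sender's VID must match the vid field of the revoking certificates" contradicts the unchanged sentence just above it, "Only the owner (sender) can revoke the certificate." Either update that sentence to the VID-based rule (any Vendor account whose VID matches the certificate's `vid` may revoke it) or state that both conditions apply. Also reword "the revoking certificates" to "the certificates being revoked" and put `vid` in backticks.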
@@ -949,8 +955,6 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
949955
- info: `optional(string)` - information/notes for the revocation
950956
- time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
951957
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
952-
- Who can send:
953-
- Any role; owner
954958
- CLI command:
955959
- `dcld tx pki revoke-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`
956960

@@ -963,6 +967,8 @@ Removes the given X509 certificate (either intermediate or leaf) from approved a
963967
Only the owner (sender) can remove the certificate.
964968
Root certificates can not be removed this way.
965969

970+
- Who can send: Vendor account
971+
- the sender's VID must match the vid field of the removing certificates.
966972
- Parameters:
967973
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
968974
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
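Review bot: same inconsistency as in the revoke section: "the sender's VID must match the vid field of the removing certificates" is placed directly under "Only the owner (sender) can remove the certificate.", and the two statements do not say the same thing. Align the owner sentence with the VID rule (or say both apply), reword to "the certificates being removed", and put `vid` in backticks.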
@@ -1041,7 +1047,6 @@ Publishing the revocation distribution endpoint doesn't automatically remove PAI
10411047
and DACs (leaf certificates) added to DCL if they are revoked in the CRL identified by this distribution point.
10421048
[REVOKE_X509_CERT](#revoke_x509_cert) needs to be called to remove an intermediate or leaf certificate from the ledger.
10431049

1044-
10451050
- Who can send: Vendor account
10461051
- `vid` field in the transaction (`VendorID`) must be equal to the Vendor account's VID
10471052
- VID-scoped PAAs (Root certs) and PAIs (Intermediate certs): `vid` field in the `CRLSignerCertificate`'s subject must be equal to the Vendor account's VID
