Merge pull request #568 from zigbee-alliance/#524-Enable-removing-NOC-root-certs

#524 Enable removing NOC root certificates

Author: akarabashov

docs/transactions.md

@@ -1406,6 +1406,26 @@ Revoked certificates can be retrieved by using the [GET_REVOKED_CERT](#get_revok
 - Validation:
   - a NOC Root Certificate with the provided `subject` and `subject_key_id` must exist in the ledger.
 
+#### REMOVE_NOC_ROOT
+
+**Status: Implemented**
+
+This transaction completely removes the given NOC root certificate owned by the Vendor from the ledger.
+Removed NOC root certificates can be re-added using the [ADD_NOC_ROOT](#add_noc_root) transaction.
+
+- Who can send: Vendor account
+  - Vid field associated with the corresponding NOC certificate on the ledger must be equal to the Vendor account's VID.
+- Validation:
+  - a NOC Root Certificate with the provided `subject` and `subject_key_id` must exist in the ledger.
+- Parameters:
+  - subject: `string` - base64 encoded subject DER sequence bytes of the certificate.
+  - subject_key_id: `string` - certificate's `Subject Key Id` in hex string format, e.g., `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`.
+  - serial_number: `optional(string)` - certificate's serial number. If not provided, the transaction will remove all certificates that match the given `subject` and `subject_key_id` combination.
+- CLI command:
+  - `dcld tx pki remove-noc-x509-root-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`
+
+
+
 #### ADD_NOC_ICA
 
 **Status: Implemented**

integration_tests/cli/pki-remove-noc-certificates.sh

@@ -5,13 +5,19 @@ root_cert_1_path="integration_tests/constants/noc_root_cert_1"
 root_cert_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ=="
 root_cert_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
 root_cert_1_serial_number="47211865327720222621302679792296833381734533449"
+
+root_cert_1_copy_path="integration_tests/constants/noc_root_cert_1_copy"
+root_cert_1_copy_serial_number="460647353168152946606945669687905527879095841977"
+
 root_cert_vid=65521
+
 intermediate_cert_1_path="integration_tests/constants/noc_cert_1"
 intermediate_cert_2_path="integration_tests/constants/noc_cert_1_copy"
 intermediate_cert_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ=="
 intermediate_cert_subject_key_id="02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
 intermediate_cert_1_serial_number="631388393741945881054190991612463928825155142122"
 intermediate_cert_2_serial_number="169445068204646961882009388640343665944683778293"
+
 leaf_cert_path="integration_tests/constants/noc_leaf_cert_1"
 leaf_cert_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0x"
 leaf_cert_subject_key_id="77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01"
@@ -21,7 +27,7 @@ trustee_account="jack"
 
 test_divider
 
-echo "REMOVE NOC ICA CERTIFICATES"
+echo "REMOVING the NOC and ICA CERTIFICATES"
 
 vendor_account_65521=vendor_account_$root_cert_vid
 echo "Create Vendor account - $vendor_account_65521"
@@ -206,4 +212,105 @@ response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_se
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 
+echo "Add second NOC root certificate"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$root_cert_1_copy_path" --from $vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Re-add an ICA certificate"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-ica-cert --certificate="$intermediate_cert_1_path" --from $vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Check that root cert is added. Request all approved certificates."
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number\""
+
+echo "Try to remove NOC root certificate with invalid serialNumber"
+result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from=$vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 404"
+
+echo "Try to remove NOC root certificate when sender is not Vendor account"
+result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from=$trustee_account --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 4"
+
+echo "Try to remove NOC root certificate using a vendor account with other VID"
+result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from=$vendor_account_65522 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 4"
+
+echo "Revoke NOC root certificate with serialNumber $root_cert_1_serial_number"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from=$vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain NOC root certificate with serialNumber $root_cert_1_serial_number"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+
+echo "Remove NOC root certificate with serialNumber $root_cert_1_serial_number"
+result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from=$vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Request all certificates should contain only one NOC root certificate"
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+
+echo "Request NOC certificates by VID should contain one NOC root certificate"
+result=$(dcld query pki noc-x509-root-certs --vid="$root_cert_vid")
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+
+echo "Request approved certificates by NOC root's subject and subjectKeyId should contain only one root certificate"
+result=$(dcld query pki x509-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+
+echo "Re-add NOC root certificate"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$root_cert_1_path" --from $vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Check that root cert is added. Request all approved certificates."
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number\""
+
+echo "Remove NOC root certificates"
+result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from=$vendor_account_65521 --yes)
+result=$(get_txn_result "$result")
+check_response "$result" "\"code\": 0"
+
+echo "Request approved NOC root certificates should be empty"
+result=$(dcld query pki x509-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number"
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number"
+
+echo "Request NOC root certificates by VID should be empty"
+result=$(dcld query pki noc-x509-root-certs --vid="$root_cert_vid")
+echo $result | jq
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number"
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number"
+
+echo "Request all certificates should contain only ICA certificate"
+result=$(dcld query pki all-x509-certs)
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number"
+response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_copy_serial_number"
+
 test_divider

integration_tests/grpc_rest/pki/noc_cert_helpers.go

@@ -667,4 +667,85 @@ func NocCertDemo(suite *utils.TestSuite) {
 	require.Empty(suite.T, certificates)
 	certificates = GetNocX509IcaCertsBySubjectAndSKID(suite, vid1, testconstants.NocLeafCert1Subject, testconstants.NocLeafCert1SubjectKeyID)
 	require.Empty(suite.T, certificates)
+
+	// Remove revoked NOC root certificate by invalid serial number
+	msgRemoveRootCert := pkitypes.MsgRemoveNocX509RootCert{
+		Signer:       vendor1Account.Address,
+		Subject:      testconstants.NocRootCert1Subject,
+		SubjectKeyId: testconstants.NocRootCert1SubjectKeyID,
+		SerialNumber: "invalid",
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRemoveRootCert}, vendor1Name, vendor1Account)
+	require.Error(suite.T, err)
+
+	// Remove revoked NOC root certificate by serial number
+	msgRemoveRootCert = pkitypes.MsgRemoveNocX509RootCert{
+		Signer:       vendor1Account.Address,
+		Subject:      testconstants.NocRootCert1Subject,
+		SubjectKeyId: testconstants.NocRootCert1SubjectKeyID,
+		SerialNumber: testconstants.NocRootCert1SerialNumber,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRemoveRootCert}, vendor1Name, vendor1Account)
+	require.NoError(suite.T, err)
+
+	// Check that NOC root certificate is removed
+	revokedCerts, _ = GetRevokedX509Cert(suite, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID)
+	require.Equal(suite.T, 1, len(revokedCerts.Certs))
+	require.Equal(suite.T, testconstants.NocRootCert1CopySerialNumber, revokedCerts.Certs[0].SerialNumber)
+	_, err = GetX509Cert(suite, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID)
+	suite.AssertNotFound(err)
+
+	// Add root NOC certificate
+	msgAddNocRootCert = pkitypes.MsgAddNocX509RootCert{
+		Signer: vendor1Account.Address,
+		Cert:   testconstants.NocRootCert1,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddNocRootCert}, vendor1Name, vendor1Account)
+	require.NoError(suite.T, err)
+
+	// Remove revoked ICA certificate to re-add it again
+	msgRemoveCert = pkitypes.MsgRemoveNocX509IcaCert{
+		Signer:       vendor1Account.Address,
+		Subject:      testconstants.NocCert1Subject,
+		SubjectKeyId: testconstants.NocCert1SubjectKeyID,
+		SerialNumber: "",
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRemoveCert}, vendor1Name, vendor1Account)
+	require.NoError(suite.T, err)
+
+	// Add ICA certificates
+	msgAddNocCert = pkitypes.MsgAddNocX509IcaCert{
+		Signer: vendor1Account.Address,
+		Cert:   testconstants.NocCert1,
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddNocCert}, vendor1Name, vendor1Account)
+	require.NoError(suite.T, err)
+
+	certs, _ = GetX509Cert(suite, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID)
+	require.Equal(suite.T, 1, len(certs.Certs))
+
+	// Remove revoked NOC root certificates
+	msgRemoveRootCert = pkitypes.MsgRemoveNocX509RootCert{
+		Signer:       vendor1Account.Address,
+		Subject:      testconstants.NocRootCert1Subject,
+		SubjectKeyId: testconstants.NocRootCert1SubjectKeyID,
+		SerialNumber: "",
+	}
+	_, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRemoveRootCert}, vendor1Name, vendor1Account)
+	require.NoError(suite.T, err)
+
+	// Check that certificates are removed
+	_, err = GetX509Cert(suite, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID)
+	suite.AssertNotFound(err)
+	_, err = GetRevokedX509Cert(suite, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID)
+	suite.AssertNotFound(err)
+	_, err = GetNocX509RootCertsByVidAndSkid(suite, vid1, testconstants.NocRootCert1SubjectKeyID)
+	suite.AssertNotFound(err)
+
+	// Check that child is not removed
+	certs, _ = GetX509Cert(suite, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
+	require.Equal(suite.T, 1, len(certs.Certs))
+	certificates = GetNocX509IcaCertsBySubjectAndSKID(suite, vid1, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
+	require.Equal(suite.T, 1, len(certificates))
+	require.Equal(suite.T, testconstants.NocCert1SerialNumber, certificates[0].SerialNumber)
 }

proto/zigbeealliance/distributedcomplianceledger/pki/tx.proto

@@ -27,6 +27,7 @@ service Msg {
   rpc RevokeNocX509RootCert(MsgRevokeNocX509RootCert) returns (MsgRevokeNocX509RootCertResponse);
   rpc RevokeNocX509IcaCert(MsgRevokeNocX509IcaCert) returns (MsgRevokeNocX509IcaCertResponse);
   rpc RemoveNocX509IcaCert (MsgRemoveNocX509IcaCert) returns (MsgRemoveNocX509IcaCertResponse);
+  rpc RemoveNocX509RootCert (MsgRemoveNocX509RootCert) returns (MsgRemoveNocX509RootCertResponse);
   // this line is used by starport scaffolding # proto/tx/rpc
 }
 
@@ -241,3 +242,12 @@ message MsgRemoveNocX509IcaCert {
 }
 
 message MsgRemoveNocX509IcaCertResponse {}
+
+message MsgRemoveNocX509RootCert {
+  string signer = 1 [(cosmos_proto.scalar) = "cosmos.AddressString", (gogoproto.moretags) = "validate:\"required\""];
+  string subject = 2 [(gogoproto.moretags) = "validate:\"required,max=1024\""];
+  string subjectKeyId = 3 [(gogoproto.moretags) = "validate:\"required,max=256\""];
+  string serialNumber = 4;
+}
+
+message MsgRemoveNocX509RootCertResponse {}

scripts/ignite/07.pki_types.sh

@@ -2,3 +2,4 @@
 
 #    messages
 ignite scaffold --module pki message RemoveNocX509IcaCert subject subjectKeyId serialNumber --signer signer
+ignite scaffold --module pki message RemoveNocX509RootCert subject subjectKeyId serialNumber --signer signer