Merge pull request #543 from zigbee-alliance/feature/524-adding-noc-root-certificate

#524 Implement adding and requesting root NOC certificates

Author: akarabashov

docs/static/openapi.yml

@@ -843,6 +843,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
   - no existing `Proposed` certificate with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination.
   - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
   - if approved certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exists:
+    - the existing certificate must not be NOC certificate
     - sender must match to the owner of the existing certificates.
   - the signature (self-signature) and expiration date are valid.
 
@@ -919,6 +920,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
     - `Authority Key Identifier` != `Subject Key Identifier`
   - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
   - if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
+    - the existing certificate must not be NOC certificate
     - sender must match to the owner of the existing certificates.
   - the signature (self-signature) and expiration date are valid.
   - parent certificate must be already stored on the ledger and a valid chain to some root certificate can be built.
@@ -1122,6 +1124,31 @@ Deletes a PKI Revocation distribution endpoint (such as RFC5280 Certificate Revo
 - CLI command:
   - `dcld tx pki delete-revocation-point --vid=<uint16> --issuer-subject-key-id=<string> --label=<string> --from=<account>`
 
+### ADD_NOC_X509_ROOT_CERTIFICATE
+
+**Status: Implemented**
+
+This transaction adds a NOC root certificate owned by the Vendor.
+
+- Who can send: Vendor account
+- Validation:
+  - the provided certificate must be a root certificate:
+    - `Issuer` == `Subject`
+    - `Authority Key Identifier` == `Subject Key Identifier`
+  - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
+  - if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
+    - the existing certificate must be NOC root certificate
+    - the sender's VID must match the vid field of the existing certificates.
+  - the signature (self-signature) and expiration date must be valid.
+- Parameters:
+  - cert: `string` - The NOC Root Certificate, encoded in X.509v3 PEM format. Can be a PEM string or a file path.
+- In State:
+  - `pki/ApprovedCertificates/value/<Subject>/<SubjectKeyID>`
+  - `pki/ApprovedCertificatesBySubject/value/<Subject>`
+  - `pki/ApprovedCertificatesBySubjectKeyID/value/<SubjectKeyID>`
+  - `pki/NOCRootCertificates/value/<VID>`
+- CLI Command:
+  - `dcld tx pki add-noc-x509-root-cert --certificate=<string-or-path> --from=<account>`
 
 ### GET_X509_CERT
 
@@ -1407,6 +1434,34 @@ Should be sent to trusted nodes only.
 - REST API:
   - GET `/dcl/pki/revocation-points`
 
+### GET_NOC_X509_ROOT_CERTS_BY_VID
+
+**Status: Implemented**
+
+Retrieve NOC root certificates associated with a specific VID. 
+
+- Who can send: Any account
+- Parameters:
+  - vid: `uint16` - Vendor ID (positive non-zero)
+- CLI Command:
+  - `dcld query pki noc-x509-root-certs --vid=<uint16>`
+- REST API:
+  - GET `/dcl/pki/noc-root-certificates/{vid}`
+
+### GET_ALL_NOC_X509_ROOT_CERTS
+
+**Status: Implemented**
+
+Retrieve a list of all of NOC root certificates
+
+- Who can send: Any account
+- Parameters:
+  - Common pagination parameters
+- CLI Command:
+  - `dcld query pki all-noc-x509-root-certs`
+- REST API:
+  - GET `/dcl/pki/noc-root-certificates`
+
 ## AUTH
 
 ### PROPOSE_ADD_ACCOUNT

docs/transactions.md

@@ -174,6 +174,11 @@ for node_name in node0 node1 node2 node3 observer0; do
         # Make RPC endpoints available externally
         sed -i $SED_EXT 's/laddr = "tcp:\/\/127.0.0.1:26657"/laddr = "tcp:\/\/0.0.0.0:26657"/g' "$LOCALNET_DIR/${node_name}/config/config.toml"
 
+        # Make REST endpoints available externally
+        sed -i $SED_EXT 's/address = "tcp:\/\/localhost:1317"/address = "tcp:\/\/0.0.0.0:1317"/g' "$LOCALNET_DIR/${node_name}/config/app.toml"
+        # Make gRPC endpoints available externally
+        sed -i $SED_EXT 's/address = "localhost:9090"/address = "0.0.0.0:9090"/g' "$LOCALNET_DIR/${node_name}/config/app.toml"
+
         # sets proper moniker
         sed -i $SED_EXT "s/moniker = .*/moniker = \"$node_name\"/g" "$LOCALNET_DIR/${node_name}/config/config.toml"
 

genlocalnetconfig.sh

@@ -2764,4 +2764,4 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
+sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=

go.sum

@@ -0,0 +1,176 @@
+set -euo pipefail
+source integration_tests/cli/common.sh
+
+noc_root_cert_1_path="integration_tests/constants/noc_root_cert_1"
+noc_root_cert_1_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0x"
+noc_root_cert_1_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
+noc_root_cert_1_serial_number="217369606639495620450806539821422258966012867792"
+noc_root_cert_1_subject_as_text="CN=NOC-1,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+noc_root_cert_2_path="integration_tests/constants/noc_root_cert_2"
+noc_root_cert_2_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0y"
+noc_root_cert_2_subject_key_id="CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B"
+noc_root_cert_2_serial_number="720401643293243343104681760462974770802745092176"
+noc_root_cert_2_subject_as_text="CN=NOC-2,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+noc_root_cert_3_path="integration_tests/constants/noc_root_cert_3"
+noc_root_cert_3_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0z"
+noc_root_cert_3_subject_key_id="88:0D:06:D9:64:22:29:34:78:7F:8C:3B:AE:F5:08:93:86:8F:0D:20"
+noc_root_cert_3_serial_number="38457288443253426021793906708335409501754677187"
+noc_root_cert_3_subject_as_text="CN=NOC-3,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+trustee_account="jack"
+second_trustee_account="alice"
+
+vid_in_hex_format=0x6006
+vid=24582
+
+vendor_account=vendor_account_$vid_in_hex_format
+echo "Create Vendor account - $vendor_account"
+create_new_vendor_account $vendor_account $vid_in_hex_format
+
+vid_2_in_hex_format=0x125D
+vid_2=4701
+
+vendor_account_2=vendor_account_$vid_2_in_hex_format
+echo "Create Vendor account - $vendor_account_2"
+create_new_vendor_account $vendor_account_2 $vid_2_in_hex_format
+
+
+test_divider
+
+echo "Request NOC certificate by VID must be empty"
+result=$(dcld query pki noc-x509-root-certs --vid="$vid")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request all NOC root certificates must be empty"
+result=$(dcld query pki all-noc-x509-root-certs)
+check_response "$result" "\[\]"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request approved certificate must be empty"
+result=$(dcld query pki x509-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request all certificates by subject must be empty"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_root_cert_1_subject")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+echo $result | jq
+
+test_divider
+
+echo "Request all certificates by subjectKeyId must be empty"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_root_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Try to add inermidiate cert using add-noc-x509-root-cert command"
+intermediate_path="integration_tests/constants/intermediate_cert"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$intermediate_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 414"
+
+echo "Add first NOC root certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_1_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add second NOC root certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_2_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add third NOC root certificate by vendor with VID = $vid_2"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_3_path" --from $vendor_account_2 --yes)
+check_response "$result" "\"code\": 0"
+
+test_divider
+
+echo "Request NOC root certificate by VID"
+result=$(dcld query pki noc-x509-root-certs --vid="$vid")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_2_subject_as_text\""
+check_response "$result" "\"vid\": $vid"
+
+test_divider
+
+echo "Request All NOC root certificate"
+result=$(dcld query pki all-noc-x509-root-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_2_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_3_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_3_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_3_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_3_subject_as_text\""
+check_response "$result" "\"vid\": $vid"
+check_response "$result" "\"vid\": $vid_2"
+
+test_divider
+
+echo "Request NOC root certificate by Subject and SubjectKeyID"
+result=$(dcld query pki x509-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"approvals\": \\[\\]"
+
+test_divider
+
+echo "Request NOC root certificate by Subject"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_root_cert_1_subject")
+echo $result | jq
+check_response "$result" "\"$noc_root_cert_1_subject\""
+check_response "$result" "\"$noc_root_cert_1_subject_key_id\""
+
+test_divider
+
+echo "Request NOC root certificate by SubjectKeyID"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_root_cert_1_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+
+test_divider

integration_tests/cli/pki-noc-certs.sh

@@ -0,0 +1,64 @@
+package testconstants
+
+const (
+	NocRootCert1 = `
+-----BEGIN CERTIFICATE-----
+MIICATCCAaegAwIBAgIUJhMwtZzr6dGO6tqHmuDi4Bz/tNAwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTEwIBcNMjQwMjE0
+MTQ0NzI1WhgPMzAyMzA2MTcxNDQ3MjVaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECsW1A5xK
+Tv4qbfUsUp74bQNlkJV6GZL59b+PgqLyq7P1PMtJK3L7NmisUvdsT1dYr1sMzDEK
+6ZuajkpkIfeV3qNTMFEwHQYDVR0OBBYEFETrTGJrJUjNorMch0FaCOcruYMmMB8G
+A1UdIwQYMBaAFETrTGJrJUjNorMch0FaCOcruYMmMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSAAwRQIgS4gxVvmQghH93BbG3RRpJ07Re5+gTFAo5qfVTtDo
+teUCIQCQwlaPb8U8S0ee3Iz1gg4LOTxZ/IWyCzPpCteAEKcl+w==
+-----END CERTIFICATE-----
+	`
+	NocRootCert2 = `
+-----BEGIN CERTIFICATE-----
+MIICATCCAaegAwIBAgIUfi/tSwkm8n1SVPVYvpmRj7WDKFAwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTIwIBcNMjQwMjE0
+MTQ0NzQ1WhgPMzAyMzA2MTcxNDQ3NDVaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdyZTx3lJ
+ZYUEazRXrDUgtut3EF1iXFXibKttwgvqIQqo/8Z/5uh402+AjqlsYRW7J2XhAaNl
+jd+mU2GZc9whuaNTMFEwHQYDVR0OBBYEFM/m3TcrTLK5qfJ1MByqsTcbEX8bMB8G
+A1UdIwQYMBaAFM/m3TcrTLK5qfJ1MByqsTcbEX8bMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSAAwRQIhAPxnWiN91np0FqsJ3wzxbBhUvb0L7tCCG8b78ug5
+M4e6AiAzKpDZ//MaM3khHSuiJhXBWhN+HR/veWVfeLLKtMhoKg==
+-----END CERTIFICATE-----
+	`
+	NocRootCert3 = `
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaegAwIBAgIUBrx8BUhP5Vi8W79pFDlqwkIw18MwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTMwIBcNMjQwMjE0
+MTQ0ODE4WhgPMzAyMzA2MTcxNDQ4MThaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFC9UKPtv
++KzUrKTUGhsysPy6jKTLiAzRt2k+DQeV5MQxyjke4x/SvWg9jHJXiO3t52xCF803
+7YDN5/GCAvu+x6NTMFEwHQYDVR0OBBYEFIgNBtlkIik0eH+MO671CJOGjw0gMB8G
+A1UdIwQYMBaAFIgNBtlkIik0eH+MO671CJOGjw0gMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSQAwRgIhAIF/kTHuWYLfJtb/TWwmhEtVRoULLet3NDIjwvw1
+F5UqAiEAshHfXxUpdfxqiLoTjQjkNf0AHVYBFhLdB+iIFspwTyg=
+-----END CERTIFICATE-----
+	`
+
+	NocRootCert1Subject       = "MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0x"
+	NocRootCert1SubjectKeyID  = "44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
+	NocRootCert1SerialNumber  = "217369606639495620450806539821422258966012867792"
+	NocRootCert1SubjectAsText = "CN=NOC-1,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+	NocRootCert2Subject       = "MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0y"
+	NocRootCert2SubjectKeyID  = "CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B"
+	NocRootCert2SerialNumber  = "720401643293243343104681760462974770802745092176"
+	NocRootCert2SubjectAsText = "CN=NOC-2,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+	NocRootCert3Subject       = "MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0z"
+	NocRootCert3SubjectKeyID  = "88:0D:06:D9:64:22:29:34:78:7F:8C:3B:AE:F5:08:93:86:8F:0D:20"
+	NocRootCert3SerialNumber  = "38457288443253426021793906708335409501754677187"
+	NocRootCert3SubjectAsText = "CN=NOC-3,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+)

integration_tests/constants/noc_constants.go

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICATCCAaegAwIBAgIUJhMwtZzr6dGO6tqHmuDi4Bz/tNAwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTEwIBcNMjQwMjE0
+MTQ0NzI1WhgPMzAyMzA2MTcxNDQ3MjVaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECsW1A5xK
+Tv4qbfUsUp74bQNlkJV6GZL59b+PgqLyq7P1PMtJK3L7NmisUvdsT1dYr1sMzDEK
+6ZuajkpkIfeV3qNTMFEwHQYDVR0OBBYEFETrTGJrJUjNorMch0FaCOcruYMmMB8G
+A1UdIwQYMBaAFETrTGJrJUjNorMch0FaCOcruYMmMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSAAwRQIgS4gxVvmQghH93BbG3RRpJ07Re5+gTFAo5qfVTtDo
+teUCIQCQwlaPb8U8S0ee3Iz1gg4LOTxZ/IWyCzPpCteAEKcl+w==
+-----END CERTIFICATE-----

integration_tests/constants/noc_root_cert_1

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICATCCAaegAwIBAgIUfi/tSwkm8n1SVPVYvpmRj7WDKFAwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTIwIBcNMjQwMjE0
+MTQ0NzQ1WhgPMzAyMzA2MTcxNDQ3NDVaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdyZTx3lJ
+ZYUEazRXrDUgtut3EF1iXFXibKttwgvqIQqo/8Z/5uh402+AjqlsYRW7J2XhAaNl
+jd+mU2GZc9whuaNTMFEwHQYDVR0OBBYEFM/m3TcrTLK5qfJ1MByqsTcbEX8bMB8G
+A1UdIwQYMBaAFM/m3TcrTLK5qfJ1MByqsTcbEX8bMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSAAwRQIhAPxnWiN91np0FqsJ3wzxbBhUvb0L7tCCG8b78ug5
+M4e6AiAzKpDZ//MaM3khHSuiJhXBWhN+HR/veWVfeLLKtMhoKg==
+-----END CERTIFICATE-----

integration_tests/constants/noc_root_cert_2

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaegAwIBAgIUBrx8BUhP5Vi8W79pFDlqwkIw18MwCgYIKoZIzj0EAwIw
+VTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEOMAwGA1UEAwwFTk9DLTMwIBcNMjQwMjE0
+MTQ0ODE4WhgPMzAyMzA2MTcxNDQ4MThaMFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+DjAMBgNVBAMMBU5PQy0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFC9UKPtv
++KzUrKTUGhsysPy6jKTLiAzRt2k+DQeV5MQxyjke4x/SvWg9jHJXiO3t52xCF803
+7YDN5/GCAvu+x6NTMFEwHQYDVR0OBBYEFIgNBtlkIik0eH+MO671CJOGjw0gMB8G
+A1UdIwQYMBaAFIgNBtlkIik0eH+MO671CJOGjw0gMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDSQAwRgIhAIF/kTHuWYLfJtb/TWwmhEtVRoULLet3NDIjwvw1
+F5UqAiEAshHfXxUpdfxqiLoTjQjkNf0AHVYBFhLdB+iIFspwTyg=
+-----END CERTIFICATE-----

integration_tests/constants/noc_root_cert_3

@@ -33,4 +33,5 @@ import (
 func TestPkiDemoGRPC(t *testing.T) {
 	suite := utils.SetupTest(t, testconstants.ChainID, false)
 	pki.Demo(&suite)
+	pki.NocCertDemo(&suite)
 }