#535 Add new txn to remove non-root certificates

Resolve MR's comments

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>

Author: Abdulbois

integration_tests/cli/pki-remove-x509-certificates.sh

@@ -55,6 +55,18 @@ check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
 
+echo "Revoke an intermediate certificate with serialNumber 3"
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should contain only one intermediate certificate with serialNumber 3"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+
 echo "Remove intermediate certificate with invalid serialNumber"
 result=$(echo "$passphrase" | dcld tx pki remove-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 404"
@@ -84,18 +96,6 @@ check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 
-echo "Revoke an intermediate certificate with serialNumber 3"
-result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
-check_response "$result" "\"code\": 0"
-
-echo "Request all revoked certificates should contain only one intermediate certificate with serialNumber 3"
-result=$(dcld query pki all-revoked-x509-certs)
-echo $result | jq
-check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
-check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
-check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
-response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
-
 echo "Remove an intermediate certificate with subject and subjectKeyId"
 result=$(echo "$passphrase" | dcld tx pki remove-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 0"

x/pki/handler_test.go

@@ -1800,6 +1800,70 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) {
 	require.Equal(t, 1, len(leafCerts.Certs))
 }
 
+func TestHandler_RemoveX509Cert_RevokedAndApprovedCertificate(t *testing.T) {
+	setup := Setup(t)
+	// propose and approve x509 root certificate
+	rootCertOptions := &rootCertOptions{
+		pemCert:      testconstants.RootCertWithSameSubjectAndSKID1,
+		subject:      testconstants.RootCertWithSameSubjectAndSKIDSubject,
+		subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID,
+		info:         testconstants.Info,
+		vid:          65521,
+	}
+	proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
+
+	// Add an intermediate certificate
+	addIntermediateX509Cert := types.NewMsgAddX509Cert(setup.Trustee1.String(), testconstants.IntermediateWithSameSubjectAndSKID1)
+	_, err := setup.Handler(setup.Ctx, addIntermediateX509Cert)
+	require.NoError(t, err)
+
+	// get certificates for further comparison
+	allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx)
+	require.NotNil(t, allCerts)
+	require.Equal(t, 2, len(allCerts))
+	require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs))
+
+	// revoke an intermediate certificate
+	revokeX509Cert := types.NewMsgRemoveX509Cert(
+		setup.Trustee1.String(),
+		testconstants.IntermediateCertWithSameSubjectAndSKIDSubject,
+		testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID,
+		testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber,
+	)
+	_, err = setup.Handler(setup.Ctx, revokeX509Cert)
+	require.NoError(t, err)
+
+	// Add an intermediate certificate with new serial number
+	addIntermediateX509Cert = types.NewMsgAddX509Cert(setup.Trustee1.String(), testconstants.IntermediateWithSameSubjectAndSKID2)
+	_, err = setup.Handler(setup.Ctx, addIntermediateX509Cert)
+	require.NoError(t, err)
+
+	intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
+	require.Equal(t, 1, len(intermediateCerts.Certs))
+	require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, intermediateCerts.Certs[0].Subject)
+	require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId)
+	require.Equal(t, testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, intermediateCerts.Certs[0].SerialNumber)
+
+	// remove an intermediate certificate
+	removeX509Cert := types.NewMsgRemoveX509Cert(
+		setup.Trustee1.String(),
+		testconstants.IntermediateCertWithSameSubjectAndSKIDSubject,
+		testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID,
+		testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber,
+	)
+	_, err = setup.Handler(setup.Ctx, removeX509Cert)
+	require.NoError(t, err)
+
+	// check that only root and leaf certificates exists
+	allCerts, _ = queryAllApprovedCertificates(setup)
+	require.Equal(t, 1, len(allCerts))
+	require.Equal(t, true, allCerts[0].Certs[0].IsRoot)
+	_, err = queryApprovedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
+	require.Equal(t, codes.NotFound, status.Code(err))
+	_, err = queryRevokedCertificates(setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID)
+	require.Equal(t, codes.NotFound, status.Code(err))
+}
+
 func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) {
 	setup := Setup(t)
 	// propose and approve x509 root certificate

x/pki/keeper/msg_server_remove_x_509_cert.go

@@ -14,17 +14,7 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50
 
 	aprCerts, foundApproved := k.GetApprovedCertificates(ctx, msg.Subject, msg.SubjectKeyId)
 	revCerts, foundRevoked := k.GetRevokedCertificates(ctx, msg.Subject, msg.SubjectKeyId)
-	if !foundApproved && !foundRevoked {
-		return nil, pkitypes.NewErrCertificateDoesNotExist(msg.Subject, msg.SubjectKeyId)
-	}
-
-	var certificates []*types.Certificate
-	if foundApproved {
-		certificates = aprCerts.Certs
-	} else {
-		certificates = revCerts.Certs
-	}
-
+	certificates := append(aprCerts.Certs, revCerts.Certs...)
 	if len(certificates) == 0 {
 		return nil, pkitypes.NewErrCertificateDoesNotExist(msg.Subject, msg.SubjectKeyId)
 	}
@@ -57,7 +47,13 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50
 			Certs:        certificates,
 		}
 		k.removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &certs)
-		k._removeX509Cert(ctx, certID, certs, foundRevoked)
+
+		if foundApproved {
+			k._removeApprovedX509Cert(ctx, certID, certs)
+		}
+		if foundRevoked {
+			k._removeRevokedX509Cert(ctx, certID, certs)
+		}
 	} else {
 		k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
 		// remove from subject -> subject key ID map
@@ -75,31 +71,31 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50
 	return &types.MsgRemoveX509CertResponse{}, nil
 }
 
-func (k msgServer) _removeX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates, isRevoked bool) {
-	if isRevoked { //nolint:nestif
-		if len(certificates.Certs) == 0 {
-			k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
-		} else {
-			k.SetRevokedCertificates(
-				ctx,
-				types.RevokedCertificates{
-					Subject:      certID.Subject,
-					SubjectKeyId: certID.SubjectKeyId,
-					Certs:        certificates.Certs,
-				},
-			)
-		}
+func (k msgServer) _removeApprovedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) {
+	if len(certificates.Certs) == 0 {
+		k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
+		k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId)
+		k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId)
 	} else {
-		if len(certificates.Certs) == 0 {
-			k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
-			k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId)
-			k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId)
-		} else {
-			k.SetApprovedCertificates(ctx, certificates)
-			k.SetApprovedCertificatesBySubjectKeyID(
-				ctx,
-				types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: certID.SubjectKeyId, Certs: certificates.Certs},
-			)
-		}
+		k.SetApprovedCertificates(ctx, certificates)
+		k.SetApprovedCertificatesBySubjectKeyID(
+			ctx,
+			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: certID.SubjectKeyId, Certs: certificates.Certs},
+		)
+	}
+}
+
+func (k msgServer) _removeRevokedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) {
+	if len(certificates.Certs) == 0 {
+		k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
+	} else {
+		k.SetRevokedCertificates(
+			ctx,
+			types.RevokedCertificates{
+				Subject:      certID.Subject,
+				SubjectKeyId: certID.SubjectKeyId,
+				Certs:        certificates.Certs,
+			},
+		)
 	}
 }