
Commit 1bac3fe

committed
#535 Enable providing serial number while revoking x509 certs
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent 40fbec3 commit 1bac3fe

40 files changed

+1539
-278
lines changed

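--- a/docs/static/openapi.yml
+++ b/docs/static/openapi.yml
@@ -9536,6 +9536,8 @@ paths:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 pagination:
 type: object
 properties:
@@ -9675,6 +9677,8 @@ paths:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 default:
 description: An unexpected error response.
 schema:
@@ -9706,6 +9710,10 @@ paths:
 in: path
 required: true
 type: string
+- name: serialNumber
+in: query
+required: false
+type: string
 tags:
 - Query
 /dcl/pki/rejected-certificates:
@@ -20763,6 +20771,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
 type: object
 properties:
@@ -21012,6 +21022,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 pagination:
 type: object
 properties:
@@ -21471,6 +21483,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
 type: object
 properties: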

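--- a/docs/transactions.md
+++ b/docs/transactions.md
@@ -942,6 +942,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation
 - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -967,6 +968,7 @@ then the certificate will be in a pending state until sufficient number of other
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation proposal
 - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -990,6 +992,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation approval
 - time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -1222,10 +1225,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - CLI command:
 - `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
 - REST API:
-- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
+- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`
 
 ### GET_ALL_X509_ROOT_CERTS
 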
@@ -0,0 +1,141 @@
1+
set -euo pipefail
2+
source integration_tests/cli/common.sh
3+
4+
root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
5+
root_cert_1_serial_number="1"
6+
root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
7+
root_cert_2_serial_number="2"
8+
root_cert_vid=65521
9+
intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
10+
intermediate_cert_1_serial_number="3"
11+
intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
12+
intermediate_cert_2_serial_number="4"
13+
root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
14+
root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
15+
intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
16+
intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
17+
18+
trustee_account="jack"
19+
second_trustee_account="alice"
20+
21+
echo "Create a VendorAdmin Account"
22+
create_new_account vendor_admin_account "VendorAdmin"
23+
24+
test_divider
25+
26+
echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
27+
28+
echo "Propose and approve root certificate 1"
29+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --vid "$root_cert_vid" --from $trustee_account --yes)
30+
check_response "$result" "\"code\": 0"
31+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
32+
check_response "$result" "\"code\": 0"
33+
34+
echo "Propose and approve root certificate 2"
35+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --vid "$root_cert_vid" --from $trustee_account --yes)
36+
check_response "$result" "\"code\": 0"
37+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
38+
check_response "$result" "\"code\": 0"
39+
40+
echo "Add an intermediate certificate with serialNumber 3"
41+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
42+
check_response "$result" "\"code\": 0"
43+
44+
echo "Add an intermediate certificate with serialNumber 4"
45+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
46+
check_response "$result" "\"code\": 0"
47+
48+
echo "Request all approved root certificates."
49+
result=$(dcld query pki all-x509-certs)
50+
echo $result | jq
51+
check_response "$result" "\"subject\": \"$root_cert_subject\""
52+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
53+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
54+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
55+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
56+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
57+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
58+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
59+
60+
echo "Revoke intermediate certificate with serialNumber 3"
61+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
62+
check_response "$result" "\"code\": 0"
63+
64+
echo "Request all revoked certificates should contain one intermediate certificate with serialNumber 3"
65+
result=$(dcld query pki all-revoked-x509-certs)
66+
echo $result | jq
67+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
68+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
69+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
70+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
71+
72+
echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
73+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
74+
echo $result | jq
75+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
76+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
77+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
78+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
79+
80+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
81+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
82+
check_response "$result" "\"code\": 0"
83+
84+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
85+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
86+
check_response "$result" "\"code\": 0"
87+
88+
echo "Request all revoked certificates should contain one root certificate with serialNumber 1"
89+
result=$(dcld query pki all-revoked-x509-certs)
90+
echo $result | jq
91+
check_response "$result" "\"subject\": \"$root_cert_subject\""
92+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
93+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
94+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
95+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
96+
97+
echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
98+
result=$(dcld query pki all-x509-certs)
99+
echo $result | jq
100+
check_response "$result" "\"subject\": \"$root_cert_subject\""
101+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
102+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
103+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
104+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
105+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
106+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
107+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
108+
109+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
110+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
111+
check_response "$result" "\"code\": 0"
112+
113+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
114+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
115+
check_response "$result" "\"code\": 0"
116+
117+
echo "Request all revoked certificates should contain two root and intermediate certificates"
118+
result=$(dcld query pki all-revoked-x509-certs)
119+
echo $result | jq
120+
check_response "$result" "\"subject\": \"$root_cert_subject\""
121+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
122+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
123+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
124+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
125+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
126+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
127+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
128+
129+
echo "Request all approved root certificates should be empty"
130+
result=$(dcld query pki all-x509-root-certs)
131+
echo $result | jq
132+
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
133+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
134+
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
135+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
136+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
137+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
138+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
139+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
140+
141+
test_divider
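Review bot: Two patterns in this script lack the closing escaped quote, so they match a prefix rather than the whole value: the `response_does_not_contain` on `$intermediate_cert_2_serial_number` right after root certificate 1 is revoked, and the `check_response` on `$intermediate_cert_subject_key_id` in the approved-certificates block that follows. Both should end in `\""` like their neighbours, e.g. `response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""`. The last block queries `all-x509-root-certs`, so its assertions that the intermediate subject and serials are absent presumably pass whatever the revocation state; running `dcld query pki all-x509-certs` there would show that no certificate remains approved. Each field is also matched independently against the whole response, so the test cannot show that a given serial number belongs to the certificate with the expected subject and subject key id, which is the property a per-serial revocation most needs to pin down; a `jq` selection over the three fields together would assert that.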
