Skip to content

Commit 1be8186

Browse files
akarabashovakarabashov
authoredFeb 16, 2024
Merge pull request #541 from zigbee-alliance/specifiying-serial-number-field-while-revoking-certs
#535 Enable providing serial number while revoking x509 certs
2 parents 40fbec3 + 7fb9954 commit 1be8186

40 files changed

+1586
-282
lines changed
 

‎docs/static/openapi.yml

+14
Original file line numberDiff line numberDiff line change
@@ -9536,6 +9536,8 @@ paths:
95369536
type: string
95379537
subjectAsText:
95389538
type: string
9539+
serialNumber:
9540+
type: string
95399541
pagination:
95409542
type: object
95419543
properties:
@@ -9675,6 +9677,8 @@ paths:
96759677
type: string
96769678
subjectAsText:
96779679
type: string
9680+
serialNumber:
9681+
type: string
96789682
default:
96799683
description: An unexpected error response.
96809684
schema:
@@ -9706,6 +9710,10 @@ paths:
97069710
in: path
97079711
required: true
97089712
type: string
9713+
- name: serialNumber
9714+
in: query
9715+
required: false
9716+
type: string
97099717
tags:
97109718
- Query
97119719
/dcl/pki/rejected-certificates:
@@ -20763,6 +20771,8 @@ definitions:
2076320771
type: string
2076420772
subjectAsText:
2076520773
type: string
20774+
serialNumber:
20775+
type: string
2076620776
zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
2076720777
type: object
2076820778
properties:
@@ -21012,6 +21022,8 @@ definitions:
2101221022
type: string
2101321023
subjectAsText:
2101421024
type: string
21025+
serialNumber:
21026+
type: string
2101521027
pagination:
2101621028
type: object
2101721029
properties:
@@ -21471,6 +21483,8 @@ definitions:
2147121483
type: string
2147221484
subjectAsText:
2147321485
type: string
21486+
serialNumber:
21487+
type: string
2147421488
zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
2147521489
type: object
2147621490
properties:

‎docs/transactions.md

+5-1
Original file line numberDiff line numberDiff line change
@@ -942,6 +942,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
942942
- Parameters:
943943
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
944944
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
945+
- serial-number: `optional(string)` - certificate's serial number
945946
- info: `optional(string)` - information/notes for the revocation
946947
- time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
947948
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -967,6 +968,7 @@ then the certificate will be in a pending state until sufficient number of other
967968
- Parameters:
968969
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
969970
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
971+
- serial-number: `optional(string)` - certificate's serial number
970972
- info: `optional(string)` - information/notes for the revocation proposal
971973
- time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
972974
- In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -990,6 +992,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
990992
- Parameters:
991993
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
992994
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
995+
- serial-number: `optional(string)` - certificate's serial number
993996
- info: `optional(string)` - information/notes for the revocation approval
994997
- time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
995998
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -1222,10 +1225,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
12221225
- Parameters:
12231226
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
12241227
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
1228+
- serial-number: `optional(string)` - certificate's serial number
12251229
- CLI command:
12261230
- `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
12271231
- REST API:
1228-
- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
1232+
- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`
12291233

12301234
### GET_ALL_X509_ROOT_CERTS
12311235

‎integration_tests/cli/pki-revocation-with-serial-number.sh

+146
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,146 @@
1+
set -euo pipefail
2+
source integration_tests/cli/common.sh
3+
4+
root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
5+
root_cert_1_serial_number="1"
6+
root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
7+
root_cert_2_serial_number="2"
8+
root_cert_vid=65521
9+
intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
10+
intermediate_cert_1_serial_number="3"
11+
intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
12+
intermediate_cert_2_serial_number="4"
13+
root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
14+
root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
15+
intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
16+
intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
17+
18+
trustee_account="jack"
19+
second_trustee_account="alice"
20+
21+
test_divider
22+
23+
echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
24+
25+
echo "Propose and approve root certificate 1"
26+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --vid "$root_cert_vid" --from $trustee_account --yes)
27+
check_response "$result" "\"code\": 0"
28+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
29+
check_response "$result" "\"code\": 0"
30+
31+
echo "Propose and approve root certificate 2"
32+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --vid "$root_cert_vid" --from $trustee_account --yes)
33+
check_response "$result" "\"code\": 0"
34+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
35+
check_response "$result" "\"code\": 0"
36+
37+
echo "Add an intermediate certificate with serialNumber 3"
38+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
39+
check_response "$result" "\"code\": 0"
40+
41+
echo "Add an intermediate certificate with serialNumber 4"
42+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
43+
check_response "$result" "\"code\": 0"
44+
45+
echo "Request all approved root certificates."
46+
result=$(dcld query pki all-x509-certs)
47+
echo $result | jq
48+
check_response "$result" "\"subject\": \"$root_cert_subject\""
49+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
50+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
51+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
52+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
53+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
54+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
55+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
56+
57+
echo "Revoke intermediate certificate with invalid serialNumber"
58+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
59+
check_response "$result" "\"code\": 404"
60+
61+
echo "Revoke intermediate certificate with serialNumber 3"
62+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
63+
check_response "$result" "\"code\": 0"
64+
65+
echo "Request all revoked certificates should contain one intermediate certificate with serialNumber 3"
66+
result=$(dcld query pki all-revoked-x509-certs)
67+
echo $result | jq
68+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
69+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
70+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
71+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
72+
73+
echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
74+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
75+
echo $result | jq
76+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
77+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
78+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
79+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
80+
81+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber"
82+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes)
83+
check_response "$result" "\"code\": 404"
84+
85+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
86+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
87+
check_response "$result" "\"code\": 0"
88+
89+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
90+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
91+
check_response "$result" "\"code\": 0"
92+
93+
echo "Request all revoked certificates should contain one root certificate with serialNumber 1"
94+
result=$(dcld query pki all-revoked-x509-certs)
95+
echo $result | jq
96+
check_response "$result" "\"subject\": \"$root_cert_subject\""
97+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
98+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
99+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
100+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
101+
102+
echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
103+
result=$(dcld query pki all-x509-certs)
104+
echo $result | jq
105+
check_response "$result" "\"subject\": \"$root_cert_subject\""
106+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
107+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
108+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
109+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
110+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
111+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
112+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
113+
114+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
115+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
116+
check_response "$result" "\"code\": 0"
117+
118+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
119+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
120+
check_response "$result" "\"code\": 0"
121+
122+
echo "Request all revoked certificates should contain two root and intermediate certificates"
123+
result=$(dcld query pki all-revoked-x509-certs)
124+
echo $result | jq
125+
check_response "$result" "\"subject\": \"$root_cert_subject\""
126+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
127+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
128+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
129+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
130+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
131+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
132+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
133+
134+
echo "Request all approved root certificates should be empty"
135+
result=$(dcld query pki all-x509-root-certs)
136+
echo $result | jq
137+
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
138+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
139+
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
140+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
141+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
142+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
143+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
144+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
145+
146+
test_divider

0 commit comments

Comments
 (0)