Skip to content

Commit 2763f34

Browse files
AbdulboisAbdulbois
committed
#524 Enable revocation of NOC certificates
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent 663e39a commit 2763f34

28 files changed

+2616
-346
lines changed

integration_tests/cli/pki-noc-certs.sh

+81-2
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,9 @@ noc_cert_1_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UE
2727
noc_cert_1_subject_key_id="02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
2828
noc_cert_1_serial_number="631388393741945881054190991612463928825155142122"
2929

30+
noc_cert_1_copy_path="integration_tests/constants/noc_cert_1_copy"
31+
noc_cert_1_copy_serial_number="169445068204646961882009388640343665944683778293"
32+
3033
noc_cert_2_path="integration_tests/constants/noc_cert_2"
3134
noc_cert_2_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
3235
noc_cert_2_subject_key_id="87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
@@ -221,12 +224,17 @@ echo "Add second NOC certificate by vendor with VID = $vid"
221224
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_path" --from $vendor_account --yes)
222225
check_response "$result" "\"code\": 0"
223226

227+
echo "Add third NOC certificate by vendor with VID = $vid"
228+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_1_copy_path" --from $vendor_account --yes)
229+
check_response "$result" "\"code\": 0"
230+
224231
echo "Request all NOC certificates"
225232
result=$(dcld query pki all-noc-x509-certs)
226233
echo $result | jq
227234
check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
228235
check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
229236
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
237+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
230238
check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
231239
check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
232240
check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -240,6 +248,7 @@ check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
240248
check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
241249
check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
242250
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
251+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
243252
check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
244253
check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
245254
check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -266,10 +275,11 @@ echo "Request all NOC certificates"
266275
result=$(dcld query pki all-noc-x509-certs)
267276
echo $result | jq
268277
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
278+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
269279
check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
270280
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
271281

272-
echo "Try to revoke intermediate with different VID = $vid_2"
282+
echo "Try to revoke NOC root certificate with different VID = $vid_2"
273283
result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-root-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id" --from $vendor_account_2 --yes)
274284
check_response "$result" "\"code\": 439"
275285

@@ -347,13 +357,15 @@ check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
347357
check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
348358
check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
349359
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
360+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
350361
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
351362

352363
echo "Request all approved certificates should not contain revoked NOC root certificates"
353364
result=$(dcld query pki all-x509-certs)
354365
check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
355366
check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
356367
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
368+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
357369
check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
358370
check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
359371
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
@@ -363,4 +375,71 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
363375
response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
364376
echo $result | jq
365377

366-
test_divider
378+
test_divider
379+
380+
echo "REVOCATION OF NON-ROOT NOC CERTIFICATES"
381+
382+
echo "Try to revoke NOC certificate with different VID = $vid_2"
383+
result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from $vendor_account_2 --yes)
384+
check_response "$result" "\"code\": 439"
385+
386+
echo "$vendor_account Vendor revokes only NOC certificates, it should not revoke leaf certificates"
387+
result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from=$vendor_account --yes)
388+
check_response "$result" "\"code\": 0"
389+
390+
echo "Request all revoked certificates should not contain leaf certificate"
391+
result=$(dcld query pki all-revoked-x509-certs)
392+
echo $result | jq
393+
check_response "$result" "\"subject\": \"$noc_root_cert_1_subject"
394+
check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
395+
check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
396+
check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
397+
check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
398+
check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
399+
check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number"
400+
response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
401+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
402+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number"
403+
404+
echo "Request all revoked noc root certificates should not contain non-root NOC certificates"
405+
result=$(dcld query pki all-revoked-noc-x509-root-certs)
406+
echo $result | jq
407+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id"
408+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
409+
410+
echo "Request all certificates by subject must be empty"
411+
result=$(dcld query pki all-subject-x509-certs --subject="$noc_cert_1_subject")
412+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
413+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
414+
echo $result | jq
415+
416+
echo "Request all certificates by subjectKeyId must be empty"
417+
result=$(dcld query pki x509-cert --subject-key-id="$noc_cert_1_subject_key_id")
418+
check_response "$result" "Not Found"
419+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
420+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
421+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
422+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
423+
echo $result | jq
424+
425+
echo "Request NOC certificate by VID = $vid should contain ony leaf certificate"
426+
result=$(dcld query pki noc-x509-certs --vid="$vid")
427+
echo $result | jq
428+
check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
429+
check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
430+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
431+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
432+
433+
echo "Request all approved certificates should not contain revoked NOC certificates"
434+
result=$(dcld query pki all-x509-certs)
435+
check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
436+
check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
437+
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
438+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
439+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
440+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
441+
response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
442+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
443+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
444+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
445+
echo $result | jq

integration_tests/cli/pki-noc-revocation-with-revoking-child.sh

+108
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,11 @@ noc_root_cert_1_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwY
66
noc_root_cert_1_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
77
noc_root_cert_1_serial_number="47211865327720222621302679792296833381734533449"
88

9+
noc_root_cert_2_path="integration_tests/constants/noc_root_cert_2"
10+
noc_root_cert_2_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMg=="
11+
noc_root_cert_2_subject_key_id="CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B"
12+
noc_root_cert_2_serial_number="332802481233145945539125204504842614737181725760"
13+
914
noc_root_cert_1_copy_path="integration_tests/constants/noc_root_cert_1_copy"
1015
noc_root_cert_1_copy_serial_number="460647353168152946606945669687905527879095841977"
1116

@@ -19,9 +24,24 @@ noc_leaf_cert_1_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBE
1924
noc_leaf_cert_1_subject_key_id="77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01"
2025
noc_leaf_cert_1_serial_number="281347277961838999749763518155363401757954575313"
2126

27+
noc_cert_2_path="integration_tests/constants/noc_cert_2"
28+
noc_cert_2_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
29+
noc_cert_2_subject_key_id="87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
30+
noc_cert_2_serial_number="361372967010167010646904372658654439710639340814"
31+
32+
noc_cert_2_copy_path="integration_tests/constants/noc_cert_2_copy"
33+
noc_cert_2_copy_serial_number="157351092243199289154908179633004790674818411696"
34+
35+
noc_leaf_cert_2_path="integration_tests/constants/noc_leaf_cert_2"
36+
noc_leaf_cert_2_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0y"
37+
noc_leaf_cert_2_subject_key_id="F7:2D:E5:60:05:1E:06:45:E6:17:09:DE:1A:0C:B7:AE:19:66:EA:D5"
38+
noc_leaf_cert_2_serial_number="628585745496304216074570439204763956375973944746"
39+
2240
vid_in_hex_format=0x6006
2341
vid=24582
2442

43+
echo "REVOCATION OF NOC ROOT CERTIFICATES"
44+
2545
vendor_account=vendor_account_$vid_in_hex_format
2646
echo "Create Vendor account - $vendor_account"
2747
create_new_vendor_account $vendor_account $vid_in_hex_format
@@ -152,4 +172,92 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_numb
152172
response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
153173
echo $result | jq
154174

175+
test_divider
176+
177+
echo "REVOCATION OF NOC NON-ROOT CERTIFICATES"
178+
179+
echo "Add NOC root certificate by vendor with VID = $vid"
180+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_2_path" --from $vendor_account --yes)
181+
check_response "$result" "\"code\": 0"
182+
183+
echo "Add NOC certificate by vendor with VID = $vid"
184+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_path" --from $vendor_account --yes)
185+
check_response "$result" "\"code\": 0"
186+
187+
echo "Add second NOC certificate by vendor with VID = $vid"
188+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_copy_path" --from $vendor_account --yes)
189+
check_response "$result" "\"code\": 0"
190+
191+
echo "Add leaf certificate by vendor with VID = $vid"
192+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_leaf_cert_2_path" --from $vendor_account --yes)
193+
check_response "$result" "\"code\": 0"
194+
195+
echo "Request All NOC root certificate"
196+
result=$(dcld query pki all-noc-x509-root-certs)
197+
echo $result | jq
198+
check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
199+
200+
echo "Request all NOC certificates"
201+
result=$(dcld query pki all-noc-x509-certs)
202+
echo $result | jq
203+
check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
204+
check_response "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
205+
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
206+
207+
echo "$vendor_account Vendor revokes root NOC certificate by setting \"revoke-child\" flag to true, it should revoke child certificates too"
208+
result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_2_subject" --subject-key-id="$noc_cert_2_subject_key_id" --revoke-child=true --from=$vendor_account --yes)
209+
check_response "$result" "\"code\": 0"
210+
211+
echo "Request all revoked certificates should two intermediate and one leaf certificates"
212+
result=$(dcld query pki all-revoked-x509-certs)
213+
echo $result | jq
214+
check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
215+
check_response "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
216+
check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
217+
check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
218+
check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
219+
check_response "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
220+
check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
221+
response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_2_subject"
222+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
223+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
224+
225+
echo "Request all certificates by NOC certificate's subject should be empty"
226+
result=$(dcld query pki all-subject-x509-certs --subject="$noc_cert_2_subject")
227+
check_response "$result" "Not Found"
228+
response_does_not_contain "$result" "\"$noc_cert_1_subject\""
229+
response_does_not_contain "$result" "\"$noc_cert_1_subject_key_id\""
230+
echo $result | jq
231+
232+
echo "Request all certificates by NOC certificate's subjectKeyId should be empty"
233+
result=$(dcld query pki x509-cert --subject-key-id="$noc_cert_2_subject_key_id")
234+
check_response "$result" "Not Found"
235+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
236+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
237+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
238+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
239+
echo $result | jq
240+
241+
echo "Request NOC certificate by VID = $vid should not contain intermediate and leaf certificates"
242+
result=$(dcld query pki noc-x509-certs --vid="$vid")
243+
echo $result | jq
244+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
245+
response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
246+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
247+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
248+
249+
echo "Request all approved certificates should not contain intermediate and leaf certificates"
250+
result=$(dcld query pki all-x509-certs)
251+
check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
252+
check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
253+
check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
254+
response_does_not_contain "$result" "\"subject\": \"$noc_cert_2_subject\""
255+
response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_2_subject\""
256+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
257+
response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_2_subject_key_id\""
258+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
259+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
260+
response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
261+
echo $result | jq
262+
155263
test_divider

0 commit comments

Comments
 (0)