zigbee-alliance
diff --git a/‎integration_tests/cli/pki-noc-certs.sh
+81-2 b/‎integration_tests/cli/pki-noc-certs.sh
+81-2
diff --git a/‎integration_tests/constants/noc_cert_1_copy
+15 b/‎integration_tests/constants/noc_cert_1_copy
+15
diff --git a/‎integration_tests/constants/noc_constants.go
+22 b/‎integration_tests/constants/noc_constants.go
+22
diff --git a/‎proto/pki/tx.proto
+14 b/‎proto/pki/tx.proto
+14
diff --git a/‎scripts/starport/upgrade-0.44/07.pki_types.sh
+1 b/‎scripts/starport/upgrade-0.44/07.pki_types.sh
+1
diff --git a/‎types/pki/errors.go
+1-1 b/‎types/pki/errors.go
+1-1
@@ -27,6 +27,9 @@ noc_cert_1_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UE
 noc_cert_1_subject_key_id="02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
 noc_cert_1_serial_number="631388393741945881054190991612463928825155142122"
 
+noc_cert_1_copy_path="integration_tests/constants/noc_cert_1_copy"
+noc_cert_1_copy_serial_number="169445068204646961882009388640343665944683778293"
+
 noc_cert_2_path="integration_tests/constants/noc_cert_2"
 noc_cert_2_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
 noc_cert_2_subject_key_id="87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
@@ -221,12 +224,17 @@ echo "Add second NOC certificate by vendor with VID = $vid"
 result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_2_path" --from $vendor_account --yes)
 check_response "$result" "\"code\": 0"
 
+echo "Add third NOC certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-cert --certificate="$noc_cert_1_copy_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
 echo "Request all NOC certificates"
 result=$(dcld query pki all-noc-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -240,6 +248,7 @@ check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_cert_2_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_2_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
@@ -266,10 +275,11 @@ echo "Request all NOC certificates"
 result=$(dcld query pki all-noc-x509-certs)
 echo $result | jq
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
 
-echo "Try to revoke intermediate with different VID = $vid_2"
+echo "Try to revoke NOC root certificate with different VID = $vid_2"
 result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-root-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id" --from $vendor_account_2 --yes)
 check_response "$result" "\"code\": 439"
 
@@ -347,13 +357,15 @@ check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
 
 echo "Request all approved certificates should not contain revoked NOC root certificates"
 result=$(dcld query pki all-x509-certs)
 check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
 check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
@@ -363,4 +375,71 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-test_divider
+test_divider
+
+echo "REVOCATION OF NON-ROOT NOC CERTIFICATES"
+
+echo "Try to revoke NOC certificate with different VID = $vid_2"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from $vendor_account_2 --yes)
+check_response "$result" "\"code\": 439"
+
+echo "$vendor_account Vendor revokes only NOC certificates, it should not revoke leaf certificates"
+result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_1_subject" --subject-key-id="$noc_cert_1_subject_key_id" --from=$vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Request all revoked certificates should not contain leaf certificate"
+result=$(dcld query pki all-revoked-x509-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject"
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
+check_response "$result" "\"subject\": \"$noc_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_cert_1_serial_number"
+response_does_not_contain "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number"
+
+echo "Request all revoked noc root certificates should not contain non-root NOC certificates"
+result=$(dcld query pki all-revoked-noc-x509-root-certs)
+echo $result | jq
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id"
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+
+echo "Request all certificates by subject must be empty"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_cert_1_subject")
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+echo $result | jq
+
+echo "Request all certificates by subjectKeyId must be empty"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
+echo $result | jq
+
+echo "Request NOC certificate by VID = $vid should contain ony leaf certificate"
+result=$(dcld query pki noc-x509-certs --vid="$vid")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+
+echo "Request all approved certificates should not contain revoked NOC certificates"
+result=$(dcld query pki all-x509-certs)
+check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_leaf_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
+echo $result | jq
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAfegAwIBAgIUHa4t/R+Gtf/22F5T6n+f6zfGkPUwCgYIKoZIzj0EAwIw
+ejELMAkGA1UEBhMCVVoxEzARBgNVBAgMClNvbWUgU3RhdGUxETAPBgNVBAcMCFRh
+c2hrZW50MRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3Rp
+bmcgRGl2aXNpb24xDjAMBgNVBAMMBU5PQy0xMCAXDTI0MDMxMzE2NDIwM1oYDzMw
+MjMwNzE1MTY0MjAzWjCBgjELMAkGA1UEBhMCVVoxEzARBgNVBAgMClNvbWUgU3Rh
+dGUxEzARBgNVBAcMClNvbWUgU3RhdGUxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFu
+eTEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEUMBIGA1UEAwwLTk9DLWNoaWxk
+LTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATOPY6vbvv8no8NcIdfa/MbkJep
+FkUcfOYym0gajL2yph8a/wk0RpYqL+M+KJ4oja70oKK/igBmEitRD4VB3mXQo1Aw
+TjAdBgNVHQ4EFgQUAnJuvLvv1r2Nm0Ku1DzAVV9mOrMwHwYDVR0jBBgwFoAUROtM
+YmslSM2isxyHQVoI5yu5gyYwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
+AiEA7Z1xDQHO2B0kFC5rdVuXGzH150tJEoCwZMohKpnK+kUCIBzFXAoaURzHVyTG
+oB0TJHTlKONyyEXKnHf8pJedjOq4
+-----END CERTIFICATE-----
@@ -79,6 +79,22 @@ TjAdBgNVHQ4EFgQUAnJuvLvv1r2Nm0Ku1DzAVV9mOrMwHwYDVR0jBBgwFoAUROtM
 YmslSM2isxyHQVoI5yu5gyYwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNJADBG
 AiEAzUSg9uY1+hn4Xe5ZyxmhEe5ycTtA7o94jA3x1ygGXcECIQD8mYhLsOss/API
 /xNPu7fcgPAwhltZAf6Cf9QVxRme/Q==
+-----END CERTIFICATE-----`
+
+	NocCert1Copy = `-----BEGIN CERTIFICATE-----
+MIICUTCCAfegAwIBAgIUHa4t/R+Gtf/22F5T6n+f6zfGkPUwCgYIKoZIzj0EAwIw
+ejELMAkGA1UEBhMCVVoxEzARBgNVBAgMClNvbWUgU3RhdGUxETAPBgNVBAcMCFRh
+c2hrZW50MRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3Rp
+bmcgRGl2aXNpb24xDjAMBgNVBAMMBU5PQy0xMCAXDTI0MDMxMzE2NDIwM1oYDzMw
+MjMwNzE1MTY0MjAzWjCBgjELMAkGA1UEBhMCVVoxEzARBgNVBAgMClNvbWUgU3Rh
+dGUxEzARBgNVBAcMClNvbWUgU3RhdGUxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFu
+eTEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEUMBIGA1UEAwwLTk9DLWNoaWxk
+LTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATOPY6vbvv8no8NcIdfa/MbkJep
+FkUcfOYym0gajL2yph8a/wk0RpYqL+M+KJ4oja70oKK/igBmEitRD4VB3mXQo1Aw
+TjAdBgNVHQ4EFgQUAnJuvLvv1r2Nm0Ku1DzAVV9mOrMwHwYDVR0jBBgwFoAUROtM
+YmslSM2isxyHQVoI5yu5gyYwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
+AiEA7Z1xDQHO2B0kFC5rdVuXGzH150tJEoCwZMohKpnK+kUCIBzFXAoaURzHVyTG
+oB0TJHTlKONyyEXKnHf8pJedjOq4
 -----END CERTIFICATE-----`
 
 	NocCert2 = `-----BEGIN CERTIFICATE-----
@@ -139,6 +155,12 @@ zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj
 	NocCert1SerialNumber  = "631388393741945881054190991612463928825155142122"
 	NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ"
 
+	NocCert1CopySubject       = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ=="
+	NocCert1CopyIssuer        = NocRootCert1Subject
+	NocCert1CopySubjectKeyID  = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
+	NocCert1CopySerialNumber  = "169445068204646961882009388640343665944683778293"
+	NocCert1CopySubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ"
+
 	NocCert2Subject       = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMg=="
 	NocCert2Issuer        = NocRootCert2Subject
 	NocCert2SubjectKeyID  = "87:48:A2:33:12:1F:51:5C:93:E6:90:40:4A:2C:AB:9E:D6:19:E5:AD"
 
@@ -25,6 +25,7 @@ service Msg {
   rpc RemoveX509Cert(MsgRemoveX509Cert) returns (MsgRemoveX509CertResponse);
   rpc AddNocX509Cert(MsgAddNocX509Cert) returns (MsgAddNocX509CertResponse);
   rpc RevokeNocRootX509Cert(MsgRevokeNocRootX509Cert) returns (MsgRevokeNocRootX509CertResponse);
+  rpc RevokeNocX509Cert(MsgRevokeNocX509Cert) returns (MsgRevokeNocX509CertResponse);
 // this line is used by starport scaffolding # proto/tx/rpc
 }
 
@@ -201,4 +202,17 @@ message MsgRevokeNocRootX509Cert {
 message MsgRevokeNocRootX509CertResponse {
 }
 
+message MsgRevokeNocX509Cert {
+  string signer = 1 [(cosmos_proto.scalar) = "cosmos.AddressString", (gogoproto.moretags) = "validate:\"required\""];
+  string subject = 2 [(gogoproto.moretags) = "validate:\"required,max=1024\""];
+  string subjectKeyId = 3 [(gogoproto.moretags) = "validate:\"required,max=256\""];
+  string serialNumber = 4;
+  string info = 5 [(gogoproto.moretags) = "validate:\"max=4096\""];
+  int64 time = 6;
+  bool revokeChild = 7;
+}
+
+message MsgRevokeNocX509CertResponse {
+}
+
 // this line is used by starport scaffolding # proto/tx/message
@@ -20,6 +20,7 @@ starport scaffold --module pki message delete-pki-revocation-distribution-point
 starport scaffold --module pki message AddNocX509RootCert  cert --signer signer
 starport scaffold --module pki message AddNocX509Cert  cert --signer signer
 starport scaffold --module pki message RevokeNocRootX509Cert subject subjectKeyId serialNumber info time:uint revokeChild:bool --signer signer
+starport scaffold --module pki message RevokeNocX509Cert subject subjectKeyId serialNumber info time:uint revokeChild:bool --signer signer
 
 # CRUD data types
 starport scaffold --module pki map ApprovedCertificates certs:strings --index subject,subjectKeyId --no-message
 
@@ -351,7 +351,7 @@ func NewErrMessageVidNotEqualAccountVid(msgVid int32, accountVid int32) error {
 	return sdkerrors.Wrapf(ErrMessageVidNotEqualAccountVid, "Message vid=%d is not equal to account vid=%d", msgVid, accountVid)
 }
 
-func NewErrMessageRemoveRoot(subject string, subjectKeyID string) error {
+func NewErrMessageExpectedNonRoot(subject string, subjectKeyID string) error {
 	return sdkerrors.Wrapf(ErrInappropriateCertificateType, "Inappropriate Certificate Type: Certificate with subject=%s and subjectKeyID=%s "+
 		"is a root certificate.", subject, subjectKeyID,
 	)
Original file line number	Diff line number	Diff line change
`@@ -351,7 +351,7 @@ func NewErrMessageVidNotEqualAccountVid(msgVid int32, accountVid int32) error {`
`351`	`351`	`return sdkerrors.Wrapf(ErrMessageVidNotEqualAccountVid, "Message vid=%d is not equal to account vid=%d", msgVid, accountVid)`
`352`	`352`	`}`
`353`	`353`
`354`		`-func NewErrMessageRemoveRoot(subject string, subjectKeyID string) error {`
	`354`	`+func NewErrMessageExpectedNonRoot(subject string, subjectKeyID string) error {`
`355`	`355`	`return sdkerrors.Wrapf(ErrInappropriateCertificateType, "Inappropriate Certificate Type: Certificate with subject=%s and subjectKeyID=%s "+`
`356`	`356`	`"is a root certificate.", subject, subjectKeyID,`
`357`	`357`	`)`