vid for PAIs (#585)

VID field for VID scoped PAI certificates

Author: DenisRybas

integration_tests/cli/pki-add-vendor-x509-certificates.sh

@@ -55,6 +55,12 @@ check_response "$result" "\"subject\": \"$intermediate_cert_with_vid_65521_subje
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_with_vid_65521_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65521_serial_number\""
 
+echo "Request intermediate certificate by subject=$intermediate_cert_with_vid_65521_subject and skid=$intermediate_cert_with_vid_65521_subject_key_id."
+result=$(dcld query pki x509-cert --subject="$intermediate_cert_with_vid_65521_subject" --subject-key-id="$intermediate_cert_with_vid_65521_subject_key_id")
+echo $result | jq
+check_response "$result" "\"serialNumber\": \"$intermediate_cert_with_vid_65521_serial_number\""
+check_response "$result" "\"vid\": $intermediate_cert_with_vid_65521_vid"
+
 echo "Try to add an intermediate certificate with vid=$intermediate_cert_with_vid_65522_vid by $vendor_account_65521 with vid=$vendor_vid_65521"
 result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_with_vid_65522_path" --from $vendor_account_65521 --yes)
 result=$(get_txn_result "$result")

integration_tests/constants/constants.go

@@ -356,7 +356,7 @@ FGE90Ic1XvCLrgHkxpqPxz2sjH39MB8GA1UdIwQYMBaAFHhc5wW4a49Ob8eTqmDL
 Q+ppaILVMAoGCCqGSM49BAMCA0gAMEUCIQDfwJ3oS/qVbWDW/vTirREL3iIqMogw
 pn4/F7keUYUaeAIgce2XGOSIsrjPlUQ1zj/zLqUFVhQ8TyycBaIK8z7Uytk=
 -----END CERTIFICATE-----`
-
+	PAICertWithNumericVidVid          = 65522
 	PAICertWithNumericVidSubject      = "MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8AgEMBEZGRjI="
 	PAICertWithNumericVidSubjectKeyID = "61:3D:D0:87:35:5E:F0:8B:AE:01:E4:C6:9A:8F:C7:3D:AC:8C:7D:FD"
 

integration_tests/grpc_rest/pki/helpers.go

@@ -2151,4 +2151,5 @@ func Demo(suite *utils.TestSuite) {
 	// Check there is only one approved intermediate certificate
 	certs, _ = GetX509Cert(suite, testconstants.PAICertWithNumericVidSubject, testconstants.PAICertWithNumericVidSubjectKeyID)
 	require.Equal(suite.T, 1, len(certs.Certs))
+	require.Equal(suite.T, int32(testconstants.PAICertWithNumericVidVid), certs.Certs[0].Vid)
 }

x/pki/handler_add_non_root_cert_test.go

@@ -31,7 +31,7 @@ func TestHandler_AddX509Cert(t *testing.T) {
 	// query certificate
 	certificate, _ := querySingleApprovedCertificate(
 		setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)
-	require.Equal(t, intermediateCertificate(accAddress), *certificate)
+	require.Equal(t, intermediateCertificateNoVid(accAddress), *certificate)
 
 	certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, testconstants.IntermediateSubjectKeyID)
 	require.Equal(t, 1, len(certificateBySubjectKeyID))
@@ -130,7 +130,7 @@ func TestHandler_AddX509Cert_ForExistingNocCertificate(t *testing.T) {
 	setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// Store the NOC certificate
-	nocCertificate := intermediateCertificate(vendorAccAddress)
+	nocCertificate := intermediateCertificateNoVid(vendorAccAddress)
 	nocCertificate.SerialNumber = testconstants.TestSerialNumber
 	nocCertificate.IsNoc = true
 
@@ -156,7 +156,7 @@ func TestHandler_AddX509Cert_NoRootCert(t *testing.T) {
 	setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// add intermediate certificate
-	intermediateCertificate := intermediateCertificate(vendorAccAddress)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress)
 	setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate)
 
 	// add leaf x509 certificate
@@ -182,6 +182,29 @@ func TestHandler_AddX509Cert_RootIsNoc(t *testing.T) {
 	require.ErrorIs(t, err, pkitypes.ErrInappropriateCertificateType)
 }
 
+func TestHandler_AddX509Cert_VIDScoped(t *testing.T) {
+	setup := Setup(t)
+
+	// // store root certificate
+	rootCertOptions := createPAACertWithNumericVidOptions()
+	proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions)
+
+	accAddress := GenerateAccAddress()
+	setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid)
+
+	// add x509 certificate
+	addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.PAICertWithNumericPidVid, testconstants.CertSchemaVersion)
+	_, err := setup.Handler(setup.Ctx, addX509Cert)
+	require.NoError(t, err)
+
+	// query certificate
+	intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.PAICertWithNumericPidVidSubject, testconstants.PAICertWithNumericPidVidSubjectKeyID)
+	require.Equal(t, 1, len(intermediateCerts.Certs))
+	require.Equal(t, testconstants.PAICertWithNumericPidVidSubject, intermediateCerts.Certs[0].Subject)
+	require.Equal(t, testconstants.PAICertWithNumericPidVidSubjectKeyID, intermediateCerts.Certs[0].SubjectKeyId)
+	require.Equal(t, int32(testconstants.PAICertWithNumericPidVidVid), intermediateCerts.Certs[0].Vid)
+}
+
 func TestHandler_AddX509Cert_ForDifferentSerialNumber(t *testing.T) {
 	setup := Setup(t)
 
@@ -193,7 +216,7 @@ func TestHandler_AddX509Cert_ForDifferentSerialNumber(t *testing.T) {
 	setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// store intermediate certificate with different serial number
-	intermediateCertificate := intermediateCertificate(vendorAccAddress)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress)
 	intermediateCertificate.SerialNumber = SerialNumber
 	setup.Keeper.SetUniqueCertificate(
 		setup.Ctx,
@@ -333,7 +356,7 @@ func TestHandler_AddX509Cert_EachChildCertRefersToTwoParentCerts(t *testing.T) {
 	setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// store intermediate certificate (it refers to two parent certificates)
-	intermediateCertificate := intermediateCertificate(vendorAccAddress)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress)
 	intermediateCertificate.SerialNumber = SerialNumber
 
 	setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate)
@@ -409,7 +432,7 @@ func TestHandler_AddX509Cert_ByNotOwnerButSameVendor(t *testing.T) {
 	setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// Store an intermediate certificate with the first vendor account as the owner
-	intermediateCertificate := intermediateCertificate(vendorAccAddress1)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress1)
 	intermediateCertificate.SerialNumber = SerialNumber
 	setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate)
 	setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate)
@@ -440,7 +463,7 @@ func TestHandler_AddX509Cert_ByOtherVendor(t *testing.T) {
 	setup.AddAccount(vendorAccAddress1, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid)
 
 	// Store an intermediate certificate with the first vendor account as the owner
-	intermediateCertificate := intermediateCertificate(vendorAccAddress1)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress1)
 	intermediateCertificate.SerialNumber = SerialNumber
 	setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate)
 	setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate)

x/pki/handler_revoke_non_root_cert_test.go

@@ -212,7 +212,7 @@ func TestHandler_RevokeX509Cert_ByNotOwnerButSameVendor(t *testing.T) {
 	require.Equal(t, testconstants.IntermediateSubject, revokedCertificates.Subject)
 	require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCertificates.SubjectKeyId)
 	require.Equal(t, 1, len(revokedCertificates.Certs))
-	require.Equal(t, intermediateCertificate(vendorAccAddress1), *revokedCertificates.Certs[0])
+	require.Equal(t, intermediateCertificateNoVid(vendorAccAddress1), *revokedCertificates.Certs[0])
 
 	// check that revoked certificate removed from approved certificates list
 	_, err = queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)
@@ -380,7 +380,7 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) {
 	addIntermediateX509Cert := types.NewMsgAddX509Cert(vendorAccAddress.String(), testconstants.IntermediateCertPem, testconstants.CertSchemaVersion)
 	_, err := setup.Handler(setup.Ctx, addIntermediateX509Cert)
 	require.NoError(t, err)
-	intermediateCertificate := intermediateCertificate(vendorAccAddress)
+	intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress)
 	intermediateCertificate.SerialNumber = SerialNumber
 	setup.Keeper.AddApprovedCertificate(setup.Ctx, intermediateCertificate)
 	setup.Keeper.AddApprovedCertificateBySubjectKeyID(setup.Ctx, intermediateCertificate)

x/pki/handler_test.go

@@ -2308,7 +2308,7 @@ func rootCertificate(address sdk.AccAddress) types.Certificate {
 	)
 }
 
-func intermediateCertificate(address sdk.AccAddress) types.Certificate {
+func intermediateCertificateNoVid(address sdk.AccAddress) types.Certificate {
 	return types.NewNonRootCertificate(
 		testconstants.IntermediateCertPem,
 		testconstants.IntermediateSubject,
@@ -2320,6 +2320,7 @@ func intermediateCertificate(address sdk.AccAddress) types.Certificate {
 		testconstants.RootSubject,
 		testconstants.RootSubjectKeyID,
 		address.String(),
+		0,
 		testconstants.SchemaVersion,
 	)
 }

x/pki/keeper/msg_server_add_x_509_cert.go

@@ -86,6 +86,11 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert)
 		return nil, err
 	}
 
+	subjectVid, err := x509.GetVidFromSubject(x509Certificate.SubjectAsText)
+	if err != nil {
+		return nil, pkitypes.NewErrInvalidCertificate(err)
+	}
+
 	// create new certificate
 	certificate := types.NewNonRootCertificate(
 		msg.Cert,
@@ -98,6 +103,7 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert)
 		rootCert.Subject,
 		rootCert.SubjectKeyId,
 		msg.Signer,
+		subjectVid,
 		msg.CertSchemaVersion,
 	)
 

x/pki/types/certificate.go

@@ -21,7 +21,7 @@ func NewRootCertificate(pemCert string, subject string, subjectAsText string, su
 func NewNonRootCertificate(pemCert string, subject string, subjectAsText string, subjectKeyID string, serialNumber string,
 	issuer string, authorityKeyID string,
 	rootSubject string, rootSubjectKeyID string,
-	owner string,
+	owner string, vid int32,
 	schemaVersion uint32,
 ) Certificate {
 	return Certificate{
@@ -36,6 +36,7 @@ func NewNonRootCertificate(pemCert string, subject string, subjectAsText string,
 		RootSubjectKeyId: rootSubjectKeyID,
 		IsRoot:           false,
 		Owner:            owner,
+		Vid:              vid,
 		SchemaVersion:    schemaVersion,
 	}
 }