#524 Enable revocation of NOC certificates

Minor refactoring due to comments of PR

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>

Author: Abdulbois

integration_tests/cli/pki-noc-certs.sh

@@ -315,7 +315,7 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-echo "Request NOC certificate by VID must not contain revoked root certificates"
+echo "Request NOC root certificate by VID = $vid must not contain revoked root certificates"
 result=$(dcld query pki noc-x509-root-certs --vid="$vid")
 check_response "$result" "Not Found"
 response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""

integration_tests/cli/pki-noc-revocation-with-revoking-child.sh

@@ -100,7 +100,7 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-echo "Request NOC certificate by VID should be empty"
+echo "Request NOC root certificate by VID = $vid should be empty"
 result=$(dcld query pki noc-x509-root-certs --vid="$vid")
 check_response "$result" "Not Found"
 response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
@@ -109,14 +109,14 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-echo "Request all certificates by subject should be empty"
+echo "Request all certificates by NOC root certificate's subject should be empty"
 result=$(dcld query pki all-subject-x509-certs --subject="$noc_root_cert_1_subject")
 check_response "$result" "Not Found"
 response_does_not_contain "$result" "\"$noc_root_cert_1_subject\""
 response_does_not_contain "$result" "\"$noc_root_cert_1_subject_key_id\""
 echo $result | jq
 
-echo "Request all certificates by subjectKeyId should be empty"
+echo "Request all certificates by NOC root certificate's subjectKeyId should be empty"
 result=$(dcld query pki x509-cert --subject-key-id="$noc_root_cert_1_subject_key_id")
 check_response "$result" "Not Found"
 response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""

integration_tests/cli/pki-noc-revocation-with-serial-number.sh

@@ -101,7 +101,7 @@ response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subjec
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
 echo $result | jq
 
-echo "Request NOC certificate by VID should contain only one root certificate with serialNumber=$noc_root_cert_1_copy_serial_number"
+echo "Request NOC root certificate by VID = $vid should contain only one root certificate with serialNumber=$noc_root_cert_1_copy_serial_number"
 result=$(dcld query pki noc-x509-root-certs --vid="$vid")
 check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
@@ -192,7 +192,7 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_copy_serial_number\""
 echo $result | jq
 
-echo "Request NOC certificate by VID should be empty"
+echo "Request NOC root certificate by VID = $vid should be empty"
 result=$(dcld query pki noc-x509-root-certs --vid="$vid")
 check_response "$result" "Not Found"
 response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""

types/pki/errors.go

@@ -357,6 +357,13 @@ func NewErrMessageRemoveRoot(subject string, subjectKeyID string) error {
 	)
 }
 
+func NewErrMessageExistingCertIsNotRoot(subject string, subjectKeyID string) error {
+	return sdkerrors.Wrapf(ErrInappropriateCertificateType,
+		"The existing certificate with the same combination of subject (%v) and subjectKeyID (%v) is not a root certificate",
+		subject, subjectKeyID,
+	)
+}
+
 func NewErrUnsupportedOperation(e interface{}) error {
 	return sdkerrors.Wrapf(ErrUnsupportedOperation, "%v", e)
 }

x/pki/handler_revoke_noc_root_cert_test.go

@@ -81,7 +81,7 @@ func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) {
 				Vid:           testconstants.Vid,
 			},
 			nocRoorCert: testconstants.RootCertPem,
-			err:         sdkerrors.ErrUnauthorized,
+			err:         pkitypes.ErrInappropriateCertificateType,
 		},
 		{
 			name: "ExistingNotNocCert",

x/pki/keeper/child_certificates.go

@@ -111,10 +111,10 @@ func (k msgServer) RevokeChildCertificates(ctx sdk.Context, issuer string, autho
 		// Revoke certificates with this subject/subjectKeyID combination
 		certificates, _ := k.GetApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId)
 		k.AddRevokedCertificates(ctx, certificates)
-		// FIXME: Should be replaced
+		// FIXME: Below two lines is not in the context of RevokeChildCertificates method. In future current implementation must be refactored
 		if len(certificates.Certs) > 0 {
 			// If cert is NOC then remove it from NOC certificates list
-			k.RemoveNocCertificates(ctx, certificates.Certs[0].Vid)
+			k.RemoveNocCertificate(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId, certificates.Certs[0].Vid)
 		}
 		k.RemoveApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId)
 

x/pki/keeper/msg_server_revoke_noc_root_x_509_cert.go

@@ -30,7 +30,7 @@ func (k msgServer) RevokeNocRootX509Cert(goCtx context.Context, msg *types.MsgRe
 
 	cert := certificates.Certs[0]
 	if !cert.IsRoot {
-		return nil, pkitypes.NewErrUnauthorizedCertIssuer(cert.Subject, cert.SubjectKeyId)
+		return nil, pkitypes.NewErrMessageExistingCertIsNotRoot(cert.Subject, cert.SubjectKeyId)
 	}
 	// Existing certificate must be NOC certificate
 	if !cert.IsNoc {

x/pki/keeper/noc_certificates.go

@@ -71,6 +71,27 @@ func (k Keeper) RemoveNocCertificates(
 	))
 }
 
+func (k Keeper) RemoveNocCertificate(ctx sdk.Context, subject, subjectKeyID string, vid int32) {
+	certs, found := k.GetNocCertificates(ctx, vid)
+	if !found {
+		return
+	}
+
+	for i := 0; i < len(certs.Certs); {
+		if certs.Certs[i].Subject == subject && certs.Certs[i].SubjectKeyId == subjectKeyID {
+			certs.Certs = append(certs.Certs[:i], certs.Certs[i+1:]...)
+		} else {
+			i++
+		}
+	}
+
+	if len(certs.Certs) == 0 {
+		k.RemoveNocCertificates(ctx, vid)
+	} else {
+		k.SetNocCertificates(ctx, certs)
+	}
+}
+
 // GetAllNocCertificates returns all nocCertificates.
 func (k Keeper) GetAllNocCertificates(ctx sdk.Context) (list []types.NocCertificates) {
 	store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.NocCertificatesKeyPrefix))

x/pki/keeper/noc_root_certificates.go

@@ -70,6 +70,27 @@ func (k Keeper) RemoveNocRootCertificates(
 	))
 }
 
+func (k Keeper) RemoveNocRootCertificate(ctx sdk.Context, subject, subjectKeyID string, vid int32) {
+	certs, found := k.GetNocRootCertificates(ctx, vid)
+	if !found {
+		return
+	}
+
+	for i := 0; i < len(certs.Certs); {
+		if certs.Certs[i].Subject == subject && certs.Certs[i].SubjectKeyId == subjectKeyID {
+			certs.Certs = append(certs.Certs[:i], certs.Certs[i+1:]...)
+		} else {
+			i++
+		}
+	}
+
+	if len(certs.Certs) == 0 {
+		k.RemoveNocRootCertificates(ctx, vid)
+	} else {
+		k.SetNocRootCertificates(ctx, certs)
+	}
+}
+
 // GetAllNocRootCertificates returns all nocRootCertificates.
 func (k Keeper) GetAllNocRootCertificates(ctx sdk.Context) (list []types.NocRootCertificates) {
 	store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.NocRootCertificatesKeyPrefix))