Skip to content

Commit 6f3b8bf

Browse files
AbdulboisAbdulbois
authored
Merge pull request #567 from zigbee-alliance/#560-Enable-removing-ICA-certs
#560 Enable removing NOC ICA certificates
2 parents cd4614e + b694a77 commit 6f3b8bf

29 files changed

+2371
-317
lines changed

.github/workflows/verify.yml

+2-2
Original file line numberDiff line numberDiff line change
@@ -56,8 +56,8 @@ jobs:
5656
if: needs.changes.outputs.workflows == 'true'
5757
name: Run actionlint tool to verify lint issues in GitHub actions
5858
runs-on: ubuntu-latest
59-
# needs:
60-
# - changes
59+
needs:
60+
- changes
6161
steps:
6262
- uses: actions/checkout@master
6363
- uses: reviewdog/action-actionlint@v1

docs/design/noc-root-cert-design.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ A Vendor with DCL write privilege can submit a transaction to remove a NOC root
1313

1414
## Certificate Schema
1515

16-
To distinguesh NOC root certificates from others, an `isNOC` boolean field will be added to the [certificates](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/proto/pki/certificate.proto) schema
16+
To distinguesh NOC root certificates from others, an `isNOC` boolean field will be added to the [certificates](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/proto/zigbeealliance/distributedcomplianceledger/pki/certificate.proto) schema
1717

1818
## Transactions
1919

docs/transactions.md

+19
Original file line numberDiff line numberDiff line change
@@ -1466,6 +1466,25 @@ Revoked certificates can be retrieved by using the [GET_REVOKED_CERT](#get_revok
14661466
- CLI command:
14671467
- `dcld tx pki revoke-noc-x509-ica-cert --subject=<base64 string> --subject-key-id=<hex string> --serial-number=<string> --info=<string> --time=<int64> --revoke-child=<bool> --from=<account>`
14681468

1469+
#### REMOVE_NOC_ICA
1470+
1471+
**Status: Implemented**
1472+
1473+
This transaction completely removes the given NOC ICA owned by the Vendor from the ledger.
1474+
Removed NOC ICA certificates can be re-added using the [ADD_NOC_ICA](#add_noc_ica) transaction.
1475+
1476+
- Who can send: Vendor account
1477+
- Vid field associated with the corresponding NOC certificate on the ledger must be equal to the Vendor account's VID.
1478+
- Validation:
1479+
- a NOC ICA Certificate with the provided `subject` and `subject_key_id` must exist in the ledger.
1480+
- Parameters:
1481+
- subject: `string` - base64 encoded subject DER sequence bytes of the certificate.
1482+
- subject_key_id: `string` - certificate's `Subject Key Id` in hex string format, e.g., `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`.
1483+
- serial_number: `optional(string)` - certificate's serial number. If not provided, the transaction will remove all certificates that match the given `subject` and `subject_key_id` combination.
1484+
- CLI command:
1485+
- `dcld tx pki remove-noc-x509-ica-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`
1486+
1487+
14691488
#### GET_NOC_ROOT_BY_VID
14701489

14711490
**Status: Implemented**

integration_tests/cli/pki-remove-noc-certificates.sh

+209
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,209 @@
1+
set -euo pipefail
2+
source integration_tests/cli/common.sh
3+
4+
root_cert_1_path="integration_tests/constants/noc_root_cert_1"
5+
root_cert_subject="MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ=="
6+
root_cert_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
7+
root_cert_1_serial_number="47211865327720222621302679792296833381734533449"
8+
root_cert_vid=65521
9+
intermediate_cert_1_path="integration_tests/constants/noc_cert_1"
10+
intermediate_cert_2_path="integration_tests/constants/noc_cert_1_copy"
11+
intermediate_cert_subject="MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ=="
12+
intermediate_cert_subject_key_id="02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3"
13+
intermediate_cert_1_serial_number="631388393741945881054190991612463928825155142122"
14+
intermediate_cert_2_serial_number="169445068204646961882009388640343665944683778293"
15+
leaf_cert_path="integration_tests/constants/noc_leaf_cert_1"
16+
leaf_cert_subject="MIGBMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRMwEQYDVQQDDApOT0MtbGVhZi0x"
17+
leaf_cert_subject_key_id="77:1F:DB:C4:4C:B1:29:7E:3C:EB:3E:D8:2A:38:0B:63:06:07:00:01"
18+
leaf_cert_serial_number="281347277961838999749763518155363401757954575313"
19+
20+
trustee_account="jack"
21+
22+
test_divider
23+
24+
echo "REMOVE NOC ICA CERTIFICATES"
25+
26+
vendor_account_65521=vendor_account_$root_cert_vid
27+
echo "Create Vendor account - $vendor_account_65521"
28+
create_new_vendor_account $vendor_account_65521 $root_cert_vid
29+
30+
vendor_account_65522=vendor_account_65522
31+
echo "Create Vendor account - $vendor_account_65522"
32+
create_new_vendor_account $vendor_account_65522 65522
33+
34+
echo "Add first NOC root certificate"
35+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$root_cert_1_path" --from $vendor_account_65521 --yes)
36+
result=$(get_txn_result "$result")
37+
check_response "$result" "\"code\": 0"
38+
39+
echo "Add first an ICA certificate"
40+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-ica-cert --certificate="$intermediate_cert_1_path" --from $vendor_account_65521 --yes)
41+
result=$(get_txn_result "$result")
42+
check_response "$result" "\"code\": 0"
43+
44+
echo "Add second an ICA certificate"
45+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-ica-cert --certificate="$intermediate_cert_2_path" --from $vendor_account_65521 --yes)
46+
result=$(get_txn_result "$result")
47+
check_response "$result" "\"code\": 0"
48+
49+
echo "Add a leaf ICA certificate"
50+
result=$(echo "$passphrase" | dcld tx pki add-noc-x509-ica-cert --certificate="$leaf_cert_path" --from $vendor_account_65521 --yes)
51+
result=$(get_txn_result "$result")
52+
check_response "$result" "\"code\": 0"
53+
54+
echo "Request all approved certificates."
55+
result=$(dcld query pki all-x509-certs)
56+
echo $result | jq
57+
check_response "$result" "\"subject\": \"$root_cert_subject\""
58+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
59+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
60+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
61+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
62+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
63+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
64+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
65+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
66+
67+
echo "Revoke an ICA certificate with serialNumber $intermediate_cert_1_serial_number"
68+
result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$vendor_account_65521 --yes)
69+
result=$(get_txn_result "$result")
70+
check_response "$result" "\"code\": 0"
71+
72+
echo "Request all revoked certificates should contain only one intermediate ICA certificate with serialNumber $intermediate_cert_1_serial_number"
73+
result=$(dcld query pki all-revoked-x509-certs)
74+
echo $result | jq
75+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
76+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
77+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
78+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
79+
80+
echo "Remove intermediate ICA certificate with invalid serialNumber"
81+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$vendor_account_65521 --yes)
82+
result=$(get_txn_result "$result")
83+
check_response "$result" "\"code\": 404"
84+
85+
echo "Try to remove the intermediate ICA certificate when sender is not Vendor account"
86+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
87+
result=$(get_txn_result "$result")
88+
check_response "$result" "\"code\": 4"
89+
90+
echo "Try to remove the intermediate ICA certificate using a vendor account with other VID"
91+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$vendor_account_65522 --yes)
92+
result=$(get_txn_result "$result")
93+
check_response "$result" "\"code\": 4"
94+
95+
echo "Remove revoked intermediate ICA certificate with serialNumber $intermediate_cert_1_serial_number"
96+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$vendor_account_65521 --yes)
97+
result=$(get_txn_result "$result")
98+
check_response "$result" "\"code\": 0"
99+
100+
echo "Request all certificates should not contain intermediate ICA certificate with serialNumber $intermediate_cert_1_serial_number"
101+
result=$(dcld query pki all-x509-certs)
102+
echo $result | jq
103+
check_response "$result" "\"subject\": \"$root_cert_subject\""
104+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
105+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
106+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
107+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
108+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
109+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
110+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
111+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
112+
113+
echo "Request ICA certificates by VID should contain one ICA and leaf certificates"
114+
result=$(dcld query pki noc-x509-ica-certs --vid="$root_cert_vid")
115+
echo $result | jq
116+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
117+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
118+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
119+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
120+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
121+
122+
echo "Request approved certificates by an intermediate certificate's subject and subjectKeyId should contain only one certificate with serialNumber $intermediate_cert_2_serial_number"
123+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
124+
echo $result | jq
125+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
126+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
127+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
128+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
129+
130+
echo "Remove an intermediate certificate with subject and subjectKeyId"
131+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$vendor_account_65521 --yes)
132+
result=$(get_txn_result "$result")
133+
check_response "$result" "\"code\": 0"
134+
135+
echo "Request approved certificates by an intermediate certificate's subject and subjectKeyId should be empty"
136+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
137+
echo $result | jq
138+
check_response "$result" "Not Found"
139+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
140+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
141+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
142+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
143+
144+
echo "Request ICA certificates by VID should contain only one leaf certificate"
145+
result=$(dcld query pki noc-x509-ica-certs --vid="$root_cert_vid")
146+
echo $result | jq
147+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
148+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
149+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
150+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
151+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
152+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
153+
154+
echo "Request all revoked certificates should be empty"
155+
result=$(dcld query pki all-revoked-x509-certs)
156+
echo $result | jq
157+
check_response "$result" "\[\]"
158+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
159+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
160+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
161+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
162+
163+
echo "Request all certificates should contain only root and leaf certificates"
164+
result=$(dcld query pki all-x509-certs)
165+
echo $result | jq
166+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
167+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
168+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
169+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
170+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
171+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
172+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
173+
174+
echo "Remove leaf certificate"
175+
result=$(echo "$passphrase" | dcld tx pki remove-noc-x509-ica-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id" --from=$vendor_account_65521 --yes)
176+
result=$(get_txn_result "$result")
177+
check_response "$result" "\"code\": 0"
178+
179+
echo "Request approved leaf certificates should be empty"
180+
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
181+
echo $result | jq
182+
check_response "$result" "Not Found"
183+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
184+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
185+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
186+
187+
echo "Request ICA certificates by VID should be empty"
188+
result=$(dcld query pki noc-x509-ica-certs --vid="$root_cert_vid")
189+
echo $result | jq
190+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
191+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
192+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
193+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
194+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
195+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
196+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
197+
198+
echo "Request all certificates should contain only root certificate"
199+
result=$(dcld query pki all-x509-certs)
200+
echo $result | jq
201+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
202+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
203+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
204+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
205+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
206+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
207+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
208+
209+
test_divider

0 commit comments

Comments
 (0)