
Commit 79a3b53

#535 Enable providing serial number while revoking x509 certs
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent 40fbec3 commit 79a3b53

40 files changed

+1593
-278
lines changed

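--- a/docs/static/openapi.yml
+++ b/docs/static/openapi.yml
@@ -9536,6 +9536,8 @@ paths:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 pagination:
 type: object
 properties:
@@ -9675,6 +9677,8 @@ paths:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 default:
 description: An unexpected error response.
 schema:
@@ -9706,6 +9710,10 @@ paths:
 in: path
 required: true
 type: string
+- name: serialNumber
+in: query
+required: false
+type: string
 tags:
 - Query
 /dcl/pki/rejected-certificates:
@@ -20763,6 +20771,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
 type: object
 properties:
@@ -21012,6 +21022,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 pagination:
 type: object
 properties:
@@ -21471,6 +21483,8 @@ definitions:
 type: string
 subjectAsText:
 type: string
+serialNumber:
+type: string
 zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
 type: object
 properties: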

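--- a/docs/transactions.md
+++ b/docs/transactions.md
@@ -942,6 +942,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation
 - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -967,6 +968,7 @@ then the certificate will be in a pending state until sufficient number of other
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation proposal
 - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -990,6 +992,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - info: `optional(string)` - information/notes for the revocation approval
 - time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -1222,10 +1225,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
 - Parameters:
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- serial-number: `optional(string)` - certificate's serial number
 - CLI command:
 - `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
 - REST API:
-- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
+- GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`
 
 ### GET_ALL_X509_ROOT_CERTS
 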
@@ -0,0 +1,149 @@
1+
set -euo pipefail
2+
source integration_tests/cli/common.sh
3+
4+
root_cert_1_path="integration_tests/constants/root_with_same_subject_and_skid_1"
5+
root_cert_1_serial_number="1"
6+
root_cert_2_path="integration_tests/constants/root_with_same_subject_and_skid_2"
7+
root_cert_2_serial_number="2"
8+
root_cert_vid=65521
9+
intermediate_cert_1_path="integration_tests/constants/intermediate_with_same_subject_and_skid_1"
10+
intermediate_cert_1_serial_number="3"
11+
intermediate_cert_2_path="integration_tests/constants/intermediate_with_same_subject_and_skid_2"
12+
intermediate_cert_2_serial_number="4"
13+
root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
14+
root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
15+
intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
16+
intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
17+
18+
trustee_account="jack"
19+
second_trustee_account="alice"
20+
21+
echo "Create a VendorAdmin Account"
22+
create_new_account vendor_admin_account "VendorAdmin"
23+
24+
test_divider
25+
26+
echo "REVOKE CERTIFICATES BY SPECIFYING SERIAL NUMBER"
27+
28+
echo "Propose and approve root certificate 1"
29+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_1_path" --vid "$root_cert_vid" --from $trustee_account --yes)
30+
check_response "$result" "\"code\": 0"
31+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
32+
check_response "$result" "\"code\": 0"
33+
34+
echo "Propose and approve root certificate 2"
35+
result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_2_path" --vid "$root_cert_vid" --from $trustee_account --yes)
36+
check_response "$result" "\"code\": 0"
37+
result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $second_trustee_account --yes)
38+
check_response "$result" "\"code\": 0"
39+
40+
echo "Add an intermediate certificate with serialNumber 3"
41+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_1_path" --from $trustee_account --yes)
42+
check_response "$result" "\"code\": 0"
43+
44+
echo "Add an intermediate certificate with serialNumber 4"
45+
result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
46+
check_response "$result" "\"code\": 0"
47+
48+
echo "Request all approved root certificates."
49+
result=$(dcld query pki all-x509-certs)
50+
echo $result | jq
51+
check_response "$result" "\"subject\": \"$root_cert_subject\""
52+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
53+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
54+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
55+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
56+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
57+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
58+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
59+
60+
echo "Revoke intermediate certificate with invalid serialNumber"
61+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
62+
check_response "$result" "Not Found"
63+
64+
echo "Revoke intermediate certificate with serialNumber 3"
65+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
66+
check_response "$result" "\"code\": 0"
67+
68+
echo "Request all revoked certificates should contain one intermediate certificate with serialNumber 3"
69+
result=$(dcld query pki all-revoked-x509-certs)
70+
echo $result | jq
71+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
72+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
73+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
74+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
75+
76+
echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
77+
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
78+
echo $result | jq
79+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
80+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
81+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
82+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
83+
84+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber"
85+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes)
86+
check_response "$result" "Not Found"
87+
88+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
89+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
90+
check_response "$result" "\"code\": 0"
91+
92+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
93+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
94+
check_response "$result" "\"code\": 0"
95+
96+
echo "Request all revoked certificates should contain one root certificate with serialNumber 1"
97+
result=$(dcld query pki all-revoked-x509-certs)
98+
echo $result | jq
99+
check_response "$result" "\"subject\": \"$root_cert_subject\""
100+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
101+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
102+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
103+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
104+
105+
echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
106+
result=$(dcld query pki all-x509-certs)
107+
echo $result | jq
108+
check_response "$result" "\"subject\": \"$root_cert_subject\""
109+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
110+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
111+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
112+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
113+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
114+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
115+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
116+
117+
echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
118+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
119+
check_response "$result" "\"code\": 0"
120+
121+
echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
122+
result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
123+
check_response "$result" "\"code\": 0"
124+
125+
echo "Request all revoked certificates should contain two root and intermediate certificates"
126+
result=$(dcld query pki all-revoked-x509-certs)
127+
echo $result | jq
128+
check_response "$result" "\"subject\": \"$root_cert_subject\""
129+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
130+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
131+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
132+
check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
133+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
134+
check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
135+
check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
136+
137+
echo "Request all approved root certificates should be empty"
138+
result=$(dcld query pki all-x509-root-certs)
139+
echo $result | jq
140+
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
141+
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
142+
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
143+
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
144+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
145+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
146+
response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
147+
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
148+
149+
test_divider
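Review bot: Two assertions in the new script, at new-file lines 103 and 111, drop the closing escaped quote, so `response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"` and `check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"` match any value that merely starts with the expected serial number or key id (a serial of 4 would also be satisfied by 40), unlike every sibling assertion in the file; both should end with `\""` so the revoked-vs-approved split they are meant to prove is actually pinned. The `--from $trustee_account`, `--from=$trustee_account`, `--from $second_trustee_account` arguments and every `echo $result | jq` are unquoted expansions (ShellCheck SC2086) while the other arguments are quoted; `echo "$result" | jq` and `--from "$trustee_account"` keep the style consistent. The script also opens with `set -euo pipefail` and no shebang, which is fine only if the harness always runs it through bash explicitly, something not visible from this hunk.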
