#524 Enable revocation of NOC non-root certificates

Fix bug related to removing certs from subject-key-id map

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>

Author: Abdulbois

integration_tests/cli/pki-noc-certs.sh

@@ -424,7 +424,7 @@ response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_serial_numb
 response_does_not_contain "$result" "\"serialNumber\": \"$noc_cert_1_copy_serial_number\""
 echo $result | jq
 
-echo "Request NOC certificate by VID = $vid should contain ony leaf certificate"
+echo "Request NOC certificate by VID = $vid should contain one leaf certificate"
 result=$(dcld query pki noc-x509-certs --vid="$vid")
 echo $result | jq
 check_response "$result" "\"subject\": \"$noc_leaf_cert_1_subject\""

integration_tests/cli/pki-noc-revocation-with-revoking-child.sh

@@ -204,7 +204,7 @@ check_response "$result" "\"serialNumber\": \"$noc_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_cert_2_copy_serial_number\""
 check_response "$result" "\"serialNumber\": \"$noc_leaf_cert_2_serial_number\""
 
-echo "$vendor_account Vendor revokes root NOC certificate by setting \"revoke-child\" flag to true, it should revoke child certificates too"
+echo "$vendor_account Vendor revokes non-root NOC certificate by setting \"revoke-child\" flag to true, it should revoke child certificates too"
 result=$(echo "$passphrase" | dcld tx pki revoke-noc-x509-cert --subject="$noc_cert_2_subject" --subject-key-id="$noc_cert_2_subject_key_id" --revoke-child=true --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
 

x/pki/handler_revoke_noc_cert_test.go

@@ -202,12 +202,6 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) {
 	require.Equal(t, testconstants.NocCert1Subject, revokedNocCerts.Subject)
 	require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedNocCerts.SubjectKeyId)
 
-	revokedCerts, err := queryRevokedCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
-	require.NoError(t, err)
-	require.Equal(t, 2, len(revokedCerts.Certs))
-	require.Equal(t, testconstants.NocCert1Subject, revokedCerts.Subject)
-	require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedCerts.SubjectKeyId)
-
 	// query noc certificate by Subject
 	_, err = queryApprovedCertificatesBySubject(setup, testconstants.NocCert1Subject)
 	require.Error(t, err)
@@ -396,11 +390,6 @@ func TestHandler_RevokeNocX509Cert_RevokeBySerialNumber(t *testing.T) {
 	require.Equal(t, 1, len(revokedNocCerts.Certs))
 	require.Equal(t, testconstants.NocCert1SerialNumber, revokedNocCerts.Certs[0].SerialNumber)
 
-	revokedCerts, err := queryRevokedCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID)
-	require.NoError(t, err)
-	require.Equal(t, 1, len(revokedCerts.Certs))
-	require.Equal(t, testconstants.NocCert1SerialNumber, revokedCerts.Certs[0].SerialNumber)
-
 	// Child certificate should not be revoked
 	_, err = queryRevokedCertificates(setup, testconstants.NocLeafCert1Subject, testconstants.NocLeafCert1SubjectKeyID)
 	require.Equal(t, codes.NotFound, status.Code(err))

x/pki/keeper/approved_certificates_by_subject_key_id.go

@@ -98,6 +98,12 @@ func (k Keeper) RemoveApprovedCertificatesBySubjectKeyID(
 	}
 }
 
+func (k Keeper) RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx sdk.Context, subject, subjectKeyID, serialNumber string) {
+	k._removeCertificatesFromSubjectKeyIDState(ctx, subjectKeyID, func(cert *types.Certificate) bool {
+		return cert.Subject == subject && cert.SubjectKeyId == subjectKeyID && cert.SerialNumber == serialNumber
+	})
+}
+
 // GetAllApprovedCertificatesBySubjectKeyID returns all approvedCertificatesBySubjectKeyId.
 func (k Keeper) GetAllApprovedCertificatesBySubjectKeyID(ctx sdk.Context) (list []types.ApprovedCertificatesBySubjectKeyId) {
 	store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedCertificatesBySubjectKeyIDKeyPrefix))
@@ -113,3 +119,29 @@ func (k Keeper) GetAllApprovedCertificatesBySubjectKeyID(ctx sdk.Context) (list
 
 	return
 }
+
+func (k Keeper) _removeCertificatesFromSubjectKeyIDState(ctx sdk.Context, subjectKeyID string, filter func(cert *types.Certificate) bool) {
+	certs, found := k.GetApprovedCertificatesBySubjectKeyID(ctx, subjectKeyID)
+	if !found {
+		return
+	}
+
+	numCertsBefore := len(certs.Certs)
+	for i := 0; i < len(certs.Certs); {
+		cert := certs.Certs[i]
+		if filter(cert) {
+			certs.Certs = append(certs.Certs[:i], certs.Certs[i+1:]...)
+		} else {
+			i++
+		}
+	}
+
+	if len(certs.Certs) == 0 {
+		store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedCertificatesBySubjectKeyIDKeyPrefix))
+		store.Delete(types.ApprovedCertificatesBySubjectKeyIDKey(
+			subjectKeyID,
+		))
+	} else if numCertsBefore > len(certs.Certs) { // Update state only if any certificate is removed
+		k.SetApprovedCertificatesBySubjectKeyID(ctx, certs)
+	}
+}

x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go

@@ -131,9 +131,6 @@ func (k msgServer) _revokeRootCertificate(
 		k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId)
 	} else {
 		k.SetApprovedCertificates(ctx, certificates)
-		k.SetApprovedCertificatesBySubjectKeyID(
-			ctx,
-			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: cert.SubjectKeyId, Certs: certificates.Certs},
-		)
+		k.RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber)
 	}
 }

x/pki/keeper/msg_server_remove_x_509_cert.go

@@ -61,7 +61,7 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50
 		k.removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &certs)
 
 		if foundApproved {
-			k._removeApprovedX509Cert(ctx, certID, certs)
+			k._removeApprovedX509Cert(ctx, certID, certs, msg.SerialNumber)
 		}
 		if foundRevoked {
 			k._removeRevokedX509Cert(ctx, certID, certs)
@@ -83,17 +83,14 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50
 	return &types.MsgRemoveX509CertResponse{}, nil
 }
 
-func (k msgServer) _removeApprovedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) {
+func (k msgServer) _removeApprovedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates, serialNumber string) {
 	if len(certificates.Certs) == 0 {
 		k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
 		k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId)
 		k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId)
 	} else {
 		k.SetApprovedCertificates(ctx, certificates)
-		k.SetApprovedCertificatesBySubjectKeyID(
-			ctx,
-			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: certID.SubjectKeyId, Certs: certificates.Certs},
-		)
+		k.RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber)
 	}
 }
 

x/pki/keeper/msg_server_revoke_noc_root_x_509_cert.go

@@ -115,10 +115,7 @@ func (k msgServer) _revokeNocRootCertificate(
 	} else {
 		k.RemoveNocRootCertificateBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber)
 		k.SetApprovedCertificates(ctx, certificates)
-		k.SetApprovedCertificatesBySubjectKeyID(
-			ctx,
-			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: cert.SubjectKeyId, Certs: certificates.Certs},
-		)
+		k.RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber)
 	}
 
 	return nil

x/pki/keeper/msg_server_revoke_noc_x_509_cert.go

@@ -88,10 +88,7 @@ func (k msgServer) _revokeNocCertificate(
 		k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId)
 	} else {
 		k.RemoveNocCertificateBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber)
-		k.SetApprovedCertificatesBySubjectKeyID(
-			ctx,
-			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: cert.SubjectKeyId, Certs: certificates.Certs},
-		)
+		k.RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber)
 		k.SetApprovedCertificates(ctx, certificates)
 	}
 

x/pki/keeper/msg_server_revoke_x_509_cert.go

@@ -87,9 +87,6 @@ func (k msgServer) _revokeX509Certificate(ctx sdk.Context, cert *types.Certifica
 		k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId)
 	} else {
 		k.SetApprovedCertificates(ctx, certificates)
-		k.SetApprovedCertificatesBySubjectKeyID(
-			ctx,
-			types.ApprovedCertificatesBySubjectKeyId{SubjectKeyId: cert.SubjectKeyId, Certs: certificates.Certs},
-		)
+		k.RemoveApprovedCertificatesBySubjectKeyIDAndSerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber)
 	}
 }