Merge branch 'master' into feature/502-schema-compatibility

Author: akarabashov

docs/static/openapi.yml

@@ -843,6 +843,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
   - no existing `Proposed` certificate with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination.
   - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
   - if approved certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exists:
+    - the existing certificate must not be NOC certificate
     - sender must match to the owner of the existing certificates.
   - the signature (self-signature) and expiration date are valid.
 
@@ -919,6 +920,7 @@ The certificate is immutable. It can only be revoked by either the owner or a qu
     - `Authority Key Identifier` != `Subject Key Identifier`
   - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
   - if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
+    - the existing certificate must not be NOC certificate
     - sender must match to the owner of the existing certificates.
   - the signature (self-signature) and expiration date are valid.
   - parent certificate must be already stored on the ledger and a valid chain to some root certificate can be built.
@@ -942,6 +944,7 @@ Root certificates can not be revoked this way, use  `PROPOSE_X509_CERT_REVOC` an
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation
   - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -950,6 +953,24 @@ Root certificates can not be revoked this way, use  `PROPOSE_X509_CERT_REVOC` an
 - CLI command:
   - `dcld tx pki revoke-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`
 
+### REMOVE_X509_CERT
+
+**Status: Implemented**
+
+Removes the given X509 certificate (either intermediate or leaf) from approved and revoked certificates list.
+
+Only the owner (sender) can remove the certificate.
+Root certificates can not be removed this way.  
+
+- Parameters:
+  - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
+  - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
+- Who can send:
+  - Any role; owner
+- CLI command:
+  - `dcld tx pki remove-x509-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`
+
 ### PROPOSE_REVOKE_X509_ROOT_CERT
 
 **Status: Implemented**
@@ -967,6 +988,7 @@ then the certificate will be in a pending state until sufficient number of other
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation proposal
   - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -990,6 +1012,7 @@ The revocation is not applied until sufficient number of Trustees approve it.
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
   - info: `optional(string)` - information/notes for the revocation approval
   - time: `optional(int64)` - revocation approval time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -1101,6 +1124,31 @@ Deletes a PKI Revocation distribution endpoint (such as RFC5280 Certificate Revo
 - CLI command:
   - `dcld tx pki delete-revocation-point --vid=<uint16> --issuer-subject-key-id=<string> --label=<string> --from=<account>`
 
+### ADD_NOC_X509_ROOT_CERTIFICATE
+
+**Status: Implemented**
+
+This transaction adds a NOC root certificate owned by the Vendor.
+
+- Who can send: Vendor account
+- Validation:
+  - the provided certificate must be a root certificate:
+    - `Issuer` == `Subject`
+    - `Authority Key Identifier` == `Subject Key Identifier`
+  - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination.
+  - if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist:
+    - the existing certificate must be NOC root certificate
+    - the sender's VID must match the vid field of the existing certificates.
+  - the signature (self-signature) and expiration date must be valid.
+- Parameters:
+  - cert: `string` - The NOC Root Certificate, encoded in X.509v3 PEM format. Can be a PEM string or a file path.
+- In State:
+  - `pki/ApprovedCertificates/value/<Subject>/<SubjectKeyID>`
+  - `pki/ApprovedCertificatesBySubject/value/<Subject>`
+  - `pki/ApprovedCertificatesBySubjectKeyID/value/<SubjectKeyID>`
+  - `pki/NOCRootCertificates/value/<VID>`
+- CLI Command:
+  - `dcld tx pki add-noc-x509-root-cert --certificate=<string-or-path> --from=<account>`
 
 ### GET_X509_CERT
 
@@ -1222,10 +1270,11 @@ If a Revocation Distribution Point (such as RFC5280 Certificate Revocation List)
 - Parameters:
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+  - serial-number: `optional(string)`  - certificate's serial number
 - CLI command:
   - `dcld query pki proposed-x509-root-cert-to-revoke --subject=<base64 string> --subject-key-id=<hex string>`
 - REST API:
-  - GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}`
+  - GET `/dcl/pki/proposed-revocation-certificates/{subject}/{subject_key_id}?serialnumber={serialnumber}`
 
 ### GET_ALL_X509_ROOT_CERTS
 
@@ -1385,6 +1434,34 @@ Should be sent to trusted nodes only.
 - REST API:
   - GET `/dcl/pki/revocation-points`
 
+### GET_NOC_X509_ROOT_CERTS_BY_VID
+
+**Status: Implemented**
+
+Retrieve NOC root certificates associated with a specific VID. 
+
+- Who can send: Any account
+- Parameters:
+  - vid: `uint16` - Vendor ID (positive non-zero)
+- CLI Command:
+  - `dcld query pki noc-x509-root-certs --vid=<uint16>`
+- REST API:
+  - GET `/dcl/pki/noc-root-certificates/{vid}`
+
+### GET_ALL_NOC_X509_ROOT_CERTS
+
+**Status: Implemented**
+
+Retrieve a list of all of NOC root certificates
+
+- Who can send: Any account
+- Parameters:
+  - Common pagination parameters
+- CLI Command:
+  - `dcld query pki all-noc-x509-root-certs`
+- REST API:
+  - GET `/dcl/pki/noc-root-certificates`
+
 ## AUTH
 
 ### PROPOSE_ADD_ACCOUNT

docs/transactions.md

@@ -174,6 +174,11 @@ for node_name in node0 node1 node2 node3 observer0; do
         # Make RPC endpoints available externally
         sed -i $SED_EXT 's/laddr = "tcp:\/\/127.0.0.1:26657"/laddr = "tcp:\/\/0.0.0.0:26657"/g' "$LOCALNET_DIR/${node_name}/config/config.toml"
 
+        # Make REST endpoints available externally
+        sed -i $SED_EXT 's/address = "tcp:\/\/localhost:1317"/address = "tcp:\/\/0.0.0.0:1317"/g' "$LOCALNET_DIR/${node_name}/config/app.toml"
+        # Make gRPC endpoints available externally
+        sed -i $SED_EXT 's/address = "localhost:9090"/address = "0.0.0.0:9090"/g' "$LOCALNET_DIR/${node_name}/config/app.toml"
+
         # sets proper moniker
         sed -i $SED_EXT "s/moniker = .*/moniker = \"$node_name\"/g" "$LOCALNET_DIR/${node_name}/config/config.toml"
 

genlocalnetconfig.sh

@@ -2764,4 +2764,4 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
+sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=

go.sum

@@ -0,0 +1,176 @@
+set -euo pipefail
+source integration_tests/cli/common.sh
+
+noc_root_cert_1_path="integration_tests/constants/noc_root_cert_1"
+noc_root_cert_1_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0x"
+noc_root_cert_1_subject_key_id="44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26"
+noc_root_cert_1_serial_number="217369606639495620450806539821422258966012867792"
+noc_root_cert_1_subject_as_text="CN=NOC-1,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+noc_root_cert_2_path="integration_tests/constants/noc_root_cert_2"
+noc_root_cert_2_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0y"
+noc_root_cert_2_subject_key_id="CF:E6:DD:37:2B:4C:B2:B9:A9:F2:75:30:1C:AA:B1:37:1B:11:7F:1B"
+noc_root_cert_2_serial_number="720401643293243343104681760462974770802745092176"
+noc_root_cert_2_subject_as_text="CN=NOC-2,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+noc_root_cert_3_path="integration_tests/constants/noc_root_cert_3"
+noc_root_cert_3_subject="MFUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDjAMBgNVBAMMBU5PQy0z"
+noc_root_cert_3_subject_key_id="88:0D:06:D9:64:22:29:34:78:7F:8C:3B:AE:F5:08:93:86:8F:0D:20"
+noc_root_cert_3_serial_number="38457288443253426021793906708335409501754677187"
+noc_root_cert_3_subject_as_text="CN=NOC-3,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
+
+trustee_account="jack"
+second_trustee_account="alice"
+
+vid_in_hex_format=0x6006
+vid=24582
+
+vendor_account=vendor_account_$vid_in_hex_format
+echo "Create Vendor account - $vendor_account"
+create_new_vendor_account $vendor_account $vid_in_hex_format
+
+vid_2_in_hex_format=0x125D
+vid_2=4701
+
+vendor_account_2=vendor_account_$vid_2_in_hex_format
+echo "Create Vendor account - $vendor_account_2"
+create_new_vendor_account $vendor_account_2 $vid_2_in_hex_format
+
+
+test_divider
+
+echo "Request NOC certificate by VID must be empty"
+result=$(dcld query pki noc-x509-root-certs --vid="$vid")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request all NOC root certificates must be empty"
+result=$(dcld query pki all-noc-x509-root-certs)
+check_response "$result" "\[\]"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request approved certificate must be empty"
+result=$(dcld query pki x509-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Request all certificates by subject must be empty"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_root_cert_1_subject")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+echo $result | jq
+
+test_divider
+
+echo "Request all certificates by subjectKeyId must be empty"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_root_cert_1_subject_key_id")
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+response_does_not_contain "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+response_does_not_contain "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+echo $result | jq
+
+test_divider
+
+echo "Try to add inermidiate cert using add-noc-x509-root-cert command"
+intermediate_path="integration_tests/constants/intermediate_cert"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$intermediate_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 414"
+
+echo "Add first NOC root certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_1_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add second NOC root certificate by vendor with VID = $vid"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_2_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add third NOC root certificate by vendor with VID = $vid_2"
+result=$(echo "$passphrase" | dcld tx pki add-noc-x509-root-cert --certificate="$noc_root_cert_3_path" --from $vendor_account_2 --yes)
+check_response "$result" "\"code\": 0"
+
+test_divider
+
+echo "Request NOC root certificate by VID"
+result=$(dcld query pki noc-x509-root-certs --vid="$vid")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_2_subject_as_text\""
+check_response "$result" "\"vid\": $vid"
+
+test_divider
+
+echo "Request All NOC root certificate"
+result=$(dcld query pki all-noc-x509-root-certs)
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_2_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_2_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_2_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_2_subject_as_text\""
+check_response "$result" "\"subject\": \"$noc_root_cert_3_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_3_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_3_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_3_subject_as_text\""
+check_response "$result" "\"vid\": $vid"
+check_response "$result" "\"vid\": $vid_2"
+
+test_divider
+
+echo "Request NOC root certificate by Subject and SubjectKeyID"
+result=$(dcld query pki x509-cert --subject="$noc_root_cert_1_subject" --subject-key-id="$noc_root_cert_1_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+check_response "$result" "\"approvals\": \\[\\]"
+
+test_divider
+
+echo "Request NOC root certificate by Subject"
+result=$(dcld query pki all-subject-x509-certs --subject="$noc_root_cert_1_subject")
+echo $result | jq
+check_response "$result" "\"$noc_root_cert_1_subject\""
+check_response "$result" "\"$noc_root_cert_1_subject_key_id\""
+
+test_divider
+
+echo "Request NOC root certificate by SubjectKeyID"
+result=$(dcld query pki x509-cert --subject-key-id="$noc_root_cert_1_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$noc_root_cert_1_subject\""
+check_response "$result" "\"subjectKeyId\": \"$noc_root_cert_1_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$noc_root_cert_1_serial_number\""
+check_response "$result" "\"subjectAsText\": \"$noc_root_cert_1_subject_as_text\""
+
+test_divider