Skip to content

Commit bff91ee

Browse files
AbdulboisAbdulbois
committed
#535 Make the revocation of child certificates optional
- Cover with extra tests - Add shortcut for `revoke-child` flag3 Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent f8e458d commit bff91ee

File tree

9 files changed

+250
-56
lines changed

9 files changed

+250
-56
lines changed

integration_tests/cli/pki-demo.sh

+39-43
Original file line numberDiff line numberDiff line change
@@ -650,8 +650,8 @@ test_divider
650650
echo "6. REVOKE INTERMEDIATE (AND HENCE LEAF) CERTS - No Approvals needed"
651651
test_divider
652652

653-
echo "$user_account (Not Trustee) revokes Intermediate certificate with \"revoke-child\"=true. This must also revoke its child - Leaf certificate."
654-
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --revoke-child=true --from=$user_account --yes)
653+
echo "$user_account (Not Trustee) revokes only Intermediate certificate. This must not revoke its child - Leaf certificate."
654+
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes)
655655
check_response "$result" "\"code\": 0"
656656

657657
test_divider
@@ -680,8 +680,8 @@ result=$(dcld query pki all-revoked-x509-certs)
680680
echo $result | jq
681681
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
682682
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
683-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
684-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
683+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
684+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
685685
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
686686
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
687687

@@ -711,21 +711,21 @@ test_divider
711711
echo "Request revoked Leaf certificate"
712712
result=$(dcld query pki revoked-x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
713713
echo $result | jq
714-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
715-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
716-
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
714+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
715+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
716+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
717717

718718
test_divider
719719

720720
echo "Request all approved certificates"
721721
result=$(dcld query pki all-x509-certs)
722722
echo $result | jq
723-
check_response "$result" "\"subject\": \"$root_cert_subject\""
724-
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
725723
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
726724
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
727-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
728-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
725+
check_response "$result" "\"subject\": \"$root_cert_subject\""
726+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
727+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
728+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
729729

730730
test_divider
731731

@@ -744,12 +744,12 @@ test_divider
744744
echo "Request all subject certificates"
745745
result=$(dcld query pki all-subject-x509-certs --subject="$leaf_cert_subject")
746746
echo $result | jq
747+
check_response "$result" "\"$leaf_cert_subject\""
748+
check_response "$result" "\"$leaf_cert_subject_key_id\""
747749
response_does_not_contain "$result" "\"$root_cert_subject\""
748750
response_does_not_contain "$result" "\"$root_cert_subject_key_id\""
749751
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
750752
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
751-
response_does_not_contain "$result" "\"$leaf_cert_subject\""
752-
response_does_not_contain "$result" "\"$leaf_cert_subject_key_id\""
753753

754754
test_divider
755755

@@ -775,13 +775,12 @@ response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_seri
775775

776776
test_divider
777777

778-
echo "Approved Leaf certificate must be empty"
778+
echo "Approved Leaf certificate must not be empty"
779779
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
780780
echo $result | jq
781-
check_response "$result" "Not Found"
782-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
783-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
784-
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
781+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
782+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
783+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
785784

786785
test_divider
787786

@@ -790,8 +789,8 @@ test_divider
790789
echo "7. PROPOSE REVOCATION OF ROOT CERT"
791790
test_divider
792791

793-
echo "$trustee_account (Trustee) proposes to revoke Root certificate with \"revoke-child\"=true flag"
794-
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --revoke-child=true --from $trustee_account --yes)
792+
echo "$trustee_account (Trustee) proposes to revoke only Root certificate(child certificates should not be revoked)"
793+
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes)
795794
check_response "$result" "\"code\": 0"
796795

797796
test_divider
@@ -820,8 +819,8 @@ result=$(dcld query pki all-revoked-x509-certs)
820819
echo $result | jq
821820
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
822821
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
823-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
824-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
822+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
823+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
825824
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
826825
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
827826

@@ -857,10 +856,10 @@ result=$(dcld query pki all-x509-certs)
857856
echo $result | jq
858857
check_response "$result" "\"subject\": \"$root_cert_subject\""
859858
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
859+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
860+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
860861
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
861862
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
862-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
863-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
864863

865864

866865
test_divider
@@ -883,10 +882,10 @@ result=$(dcld query pki all-subject-x509-certs --subject="$root_cert_subject")
883882
echo $result | jq
884883
check_response "$result" "\"$root_cert_subject\""
885884
check_response "$result" "\"$root_cert_subject_key_id\""
886-
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
887-
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
888885
response_does_not_contain "$result" "\"$leaf_cert_subject\""
889886
response_does_not_contain "$result" "\"$leaf_cert_subject_key_id\""
887+
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
888+
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
890889

891890
test_divider
892891

@@ -917,14 +916,14 @@ test_divider
917916
echo "Request all revoked certificates should contain approvals from both trustees"
918917
result=$(dcld query pki all-revoked-x509-certs)
919918
echo $result | jq
920-
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
921-
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
922-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
923-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
924919
check_response "$result" "\"subject\": \"$root_cert_subject\""
925920
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
926921
check_response "$result" "\"address\": \"$trustee_account_address\""
927922
check_response "$result" "\"address\": \"$second_trustee_account_address\""
923+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
924+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
925+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
926+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
928927

929928

930929
test_divider
@@ -958,15 +957,15 @@ check_response "$result" "\"address\": \"$second_trustee_account_address\""
958957

959958
test_divider
960959

961-
echo "Request all approved certificates must be empty"
960+
echo "Request all approved certificates must not contain root certificate"
962961
result=$(dcld query pki all-x509-certs)
963962
echo $result | jq
964963
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
965964
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
966965
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
967966
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
968-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
969-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
967+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
968+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
970969

971970

972971
echo "Request all approved root certificates must be empty"
@@ -985,7 +984,6 @@ test_divider
985984
echo "Approved Intermediate certificate must be empty"
986985
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
987986
echo $result | jq
988-
check_response "$result" "Not Found"
989987
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
990988
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
991989
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_serial_number\""
@@ -994,14 +992,13 @@ response_does_not_contain "$result" "\"subjectAsText\": \"$intermediate_cert_sub
994992

995993
test_divider
996994

997-
echo "Approved Leaf certificate must be empty"
995+
echo "Approved Leaf certificate must not be empty"
998996
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
999997
echo $result | jq
1000-
check_response "$result" "Not Found"
1001-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
1002-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
1003-
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
1004-
response_does_not_contain "$result" "\"subjectAsText\": \"$leaf_cert_subject_as_text\""
998+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
999+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
1000+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
1001+
check_response "$result" "\"subjectAsText\": \"$leaf_cert_subject_as_text\""
10051002

10061003

10071004
test_divider
@@ -1049,9 +1046,8 @@ response_does_not_contain "$result" "\"serialNumber\": \"$google_cert_serial_num
10491046
response_does_not_contain "$result" "\"subjectAsText\": \"$google_cert_subject_as_text\""
10501047
echo $result | jq
10511048

1052-
echo "Request all approved certificates must be empty"
1049+
echo "Request all approved certificates must not contain google certification"
10531050
result=$(dcld query pki all-x509-certs)
1054-
check_response "$result" "\[\]"
10551051
response_does_not_contain "$result" "\"subject\": \"$google_cert_subject\""
10561052
response_does_not_contain "$result" "\"subjectKeyId\": \"$google_cert_subject_key_id\""
10571053
response_does_not_contain "$result" "\"serialNumber\": \"$google_cert_serial_number\""
@@ -1087,7 +1083,7 @@ response_does_not_contain "$result" "\"subject\": \"$google_cert_subject\""
10871083
response_does_not_contain "$result" "\"subjectKeyId\": \"$google_cert_subject_key_id\""
10881084
echo $result | jq
10891085

1090-
echo "Request all revoked certificates must be empty"
1086+
echo "Request all revoked certificates must not contain google certification"
10911087
result=$(dcld query pki all-revoked-x509-certs)
10921088
response_does_not_contain "$result" "\"$google_cert_subject\""
10931089
response_does_not_contain "$result" "\"$google_cert_subject_key_id\""

0 commit comments

Comments
 (0)