Skip to content

Commit f05b02e

Browse files
AbdulboisAbdulbois
authored
#535 Make the revocation of child certificates optional (#544)
* #535 Make the revocation of child certificates optional - Add `revoke-child` flag - Cover unit and integration tests Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent 25b6642 commit f05b02e

23 files changed

+745
-215
lines changed

docs/static/openapi.yml

+10
Original file line numberDiff line numberDiff line change
@@ -9826,6 +9826,8 @@ paths:
98269826
type: string
98279827
serialNumber:
98289828
type: string
9829+
revokeChild:
9830+
type: boolean
98299831
pagination:
98309832
type: object
98319833
properties:
@@ -9967,6 +9969,8 @@ paths:
99679969
type: string
99689970
serialNumber:
99699971
type: string
9972+
revokeChild:
9973+
type: boolean
99709974
default:
99719975
description: An unexpected error response.
99729976
schema:
@@ -21135,6 +21139,8 @@ definitions:
2113521139
type: string
2113621140
serialNumber:
2113721141
type: string
21142+
revokeChild:
21143+
type: boolean
2113821144
zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
2113921145
type: object
2114021146
properties:
@@ -21480,6 +21486,8 @@ definitions:
2148021486
type: string
2148121487
serialNumber:
2148221488
type: string
21489+
revokeChild:
21490+
type: boolean
2148321491
pagination:
2148421492
type: object
2148521493
properties:
@@ -22012,6 +22020,8 @@ definitions:
2201222020
type: string
2201322021
serialNumber:
2201422022
type: string
22023+
revokeChild:
22024+
type: boolean
2201522025
zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
2201622026
type: object
2201722027
properties:

docs/transactions.md

+4-2
Original file line numberDiff line numberDiff line change
@@ -936,7 +936,7 @@ Revokes the given X509 certificate (either intermediate or leaf).
936936
Revocation here just means removing it from the ledger.
937937
If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
938938

939-
All the certificates in the chain signed by the revoked certificate will be revoked as well.
939+
If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
940940

941941
Only the owner (sender) can revoke the certificate.
942942
Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead.
@@ -945,6 +945,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
945945
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
946946
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
947947
- serial-number: `optional(string)` - certificate's serial number
948+
- revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false
948949
- info: `optional(string)` - information/notes for the revocation
949950
- time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
950951
- In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -980,7 +981,7 @@ Proposes revocation of the given X509 root certificate by a Trustee.
980981
Revocation here just means removing it from the ledger.
981982
If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
982983

983-
All the certificates in the chain signed by the revoked certificate will be revoked as well.
984+
If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
984985

985986
If more than 1 Trustee signature is required to revoke a root certificate,
986987
then the certificate will be in a pending state until sufficient number of other Trustee's approvals is received.
@@ -989,6 +990,7 @@ then the certificate will be in a pending state until sufficient number of other
989990
- subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
990991
- subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
991992
- serial-number: `optional(string)` - certificate's serial number
993+
- revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false
992994
- info: `optional(string)` - information/notes for the revocation proposal
993995
- time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
994996
- In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`

integration_tests/cli/pki-demo.sh

+38-42
Original file line numberDiff line numberDiff line change
@@ -650,7 +650,7 @@ test_divider
650650
echo "6. REVOKE INTERMEDIATE (AND HENCE LEAF) CERTS - No Approvals needed"
651651
test_divider
652652

653-
echo "$user_account (Not Trustee) revokes Intermediate certificate. This must also revoke its child - Leaf certificate."
653+
echo "$user_account (Not Trustee) revokes only Intermediate certificate. This must not revoke its child - Leaf certificate."
654654
result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes)
655655
check_response "$result" "\"code\": 0"
656656

@@ -680,8 +680,8 @@ result=$(dcld query pki all-revoked-x509-certs)
680680
echo $result | jq
681681
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
682682
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
683-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
684-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
683+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
684+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
685685
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
686686
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
687687

@@ -711,21 +711,21 @@ test_divider
711711
echo "Request revoked Leaf certificate"
712712
result=$(dcld query pki revoked-x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
713713
echo $result | jq
714-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
715-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
716-
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
714+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
715+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
716+
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
717717

718718
test_divider
719719

720720
echo "Request all approved certificates"
721721
result=$(dcld query pki all-x509-certs)
722722
echo $result | jq
723-
check_response "$result" "\"subject\": \"$root_cert_subject\""
724-
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
725723
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
726724
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
727-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
728-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
725+
check_response "$result" "\"subject\": \"$root_cert_subject\""
726+
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
727+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
728+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
729729

730730
test_divider
731731

@@ -744,12 +744,12 @@ test_divider
744744
echo "Request all subject certificates"
745745
result=$(dcld query pki all-subject-x509-certs --subject="$leaf_cert_subject")
746746
echo $result | jq
747+
check_response "$result" "\"$leaf_cert_subject\""
748+
check_response "$result" "\"$leaf_cert_subject_key_id\""
747749
response_does_not_contain "$result" "\"$root_cert_subject\""
748750
response_does_not_contain "$result" "\"$root_cert_subject_key_id\""
749751
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
750752
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
751-
response_does_not_contain "$result" "\"$leaf_cert_subject\""
752-
response_does_not_contain "$result" "\"$leaf_cert_subject_key_id\""
753753

754754
test_divider
755755

@@ -775,13 +775,12 @@ response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_seri
775775

776776
test_divider
777777

778-
echo "Approved Leaf certificate must be empty"
778+
echo "Approved Leaf certificate must not be empty"
779779
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
780780
echo $result | jq
781-
check_response "$result" "Not Found"
782-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
783-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
784-
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
781+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
782+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
783+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
785784

786785
test_divider
787786

@@ -790,7 +789,7 @@ test_divider
790789
echo "7. PROPOSE REVOCATION OF ROOT CERT"
791790
test_divider
792791

793-
echo "$trustee_account (Trustee) proposes to revoke Root certificate"
792+
echo "$trustee_account (Trustee) proposes to revoke only Root certificate(child certificates should not be revoked)"
794793
result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes)
795794
check_response "$result" "\"code\": 0"
796795

@@ -820,8 +819,8 @@ result=$(dcld query pki all-revoked-x509-certs)
820819
echo $result | jq
821820
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
822821
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
823-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
824-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
822+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
823+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
825824
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
826825
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
827826

@@ -857,10 +856,10 @@ result=$(dcld query pki all-x509-certs)
857856
echo $result | jq
858857
check_response "$result" "\"subject\": \"$root_cert_subject\""
859858
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
859+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
860+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
860861
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
861862
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
862-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
863-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
864863

865864

866865
test_divider
@@ -883,10 +882,10 @@ result=$(dcld query pki all-subject-x509-certs --subject="$root_cert_subject")
883882
echo $result | jq
884883
check_response "$result" "\"$root_cert_subject\""
885884
check_response "$result" "\"$root_cert_subject_key_id\""
886-
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
887-
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
888885
response_does_not_contain "$result" "\"$leaf_cert_subject\""
889886
response_does_not_contain "$result" "\"$leaf_cert_subject_key_id\""
887+
response_does_not_contain "$result" "\"$intermediate_cert_subject\""
888+
response_does_not_contain "$result" "\"$intermediate_cert_subject_key_id\""
890889

891890
test_divider
892891

@@ -902,7 +901,7 @@ check_response "$result" "\"code\": 0"
902901

903902
test_divider
904903

905-
echo "Request all root certificates proposed to revoke. Nothing left in list as the certficate is revoked"
904+
echo "Request all root certificates proposed to revoke. Nothing left in list as the certificates are revoked"
906905
result=$(dcld query pki all-proposed-x509-root-certs-to-revoke)
907906
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
908907
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
@@ -917,14 +916,14 @@ test_divider
917916
echo "Request all revoked certificates should contain approvals from both trustees"
918917
result=$(dcld query pki all-revoked-x509-certs)
919918
echo $result | jq
920-
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
921-
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
922-
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
923-
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
924919
check_response "$result" "\"subject\": \"$root_cert_subject\""
925920
check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
926921
check_response "$result" "\"address\": \"$trustee_account_address\""
927922
check_response "$result" "\"address\": \"$second_trustee_account_address\""
923+
check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
924+
check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
925+
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
926+
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
928927

929928

930929
test_divider
@@ -958,15 +957,15 @@ check_response "$result" "\"address\": \"$second_trustee_account_address\""
958957

959958
test_divider
960959

961-
echo "Request all approved certificates must be empty"
960+
echo "Request all approved certificates must not contain root certificate"
962961
result=$(dcld query pki all-x509-certs)
963962
echo $result | jq
964963
response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
965964
response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
966965
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
967966
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
968-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
969-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
967+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
968+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
970969

971970

972971
echo "Request all approved root certificates must be empty"
@@ -985,7 +984,6 @@ test_divider
985984
echo "Approved Intermediate certificate must be empty"
986985
result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
987986
echo $result | jq
988-
check_response "$result" "Not Found"
989987
response_does_not_contain "$result" "\"subject\": \"$intermediate_cert_subject\""
990988
response_does_not_contain "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
991989
response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_serial_number\""
@@ -994,14 +992,13 @@ response_does_not_contain "$result" "\"subjectAsText\": \"$intermediate_cert_sub
994992

995993
test_divider
996994

997-
echo "Approved Leaf certificate must be empty"
995+
echo "Approved Leaf certificate must not be empty"
998996
result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
999997
echo $result | jq
1000-
check_response "$result" "Not Found"
1001-
response_does_not_contain "$result" "\"subject\": \"$leaf_cert_subject\""
1002-
response_does_not_contain "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
1003-
response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
1004-
response_does_not_contain "$result" "\"subjectAsText\": \"$leaf_cert_subject_as_text\""
998+
check_response "$result" "\"subject\": \"$leaf_cert_subject\""
999+
check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
1000+
check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
1001+
check_response "$result" "\"subjectAsText\": \"$leaf_cert_subject_as_text\""
10051002

10061003

10071004
test_divider
@@ -1049,9 +1046,8 @@ response_does_not_contain "$result" "\"serialNumber\": \"$google_cert_serial_num
10491046
response_does_not_contain "$result" "\"subjectAsText\": \"$google_cert_subject_as_text\""
10501047
echo $result | jq
10511048

1052-
echo "Request all approved certificates must be empty"
1049+
echo "Request all approved certificates must not contain google certification"
10531050
result=$(dcld query pki all-x509-certs)
1054-
check_response "$result" "\[\]"
10551051
response_does_not_contain "$result" "\"subject\": \"$google_cert_subject\""
10561052
response_does_not_contain "$result" "\"subjectKeyId\": \"$google_cert_subject_key_id\""
10571053
response_does_not_contain "$result" "\"serialNumber\": \"$google_cert_serial_number\""
@@ -1087,7 +1083,7 @@ response_does_not_contain "$result" "\"subject\": \"$google_cert_subject\""
10871083
response_does_not_contain "$result" "\"subjectKeyId\": \"$google_cert_subject_key_id\""
10881084
echo $result | jq
10891085

1090-
echo "Request all revoked certificates must be empty"
1086+
echo "Request all revoked certificates must not contain google certification"
10911087
result=$(dcld query pki all-revoked-x509-certs)
10921088
response_does_not_contain "$result" "\"$google_cert_subject\""
10931089
response_does_not_contain "$result" "\"$google_cert_subject_key_id\""

0 commit comments

Comments
 (0)