
Commit f8e458d

committed
#535 Make the revocation of child certificates optional
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
1 parent 25b6642 commit f8e458d

22 files changed

+512
-176
lines changed

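--- a/docs/static/openapi.yml
+++ b/docs/static/openapi.yml
@@ -9826,6 +9826,8 @@ paths:
 type: string
 serialNumber:
 type: string
+revokeChild:
+type: boolean
 pagination:
 type: object
 properties:
@@ -9967,6 +9969,8 @@ paths:
 type: string
 serialNumber:
 type: string
+revokeChild:
+type: boolean
 default:
 description: An unexpected error response.
 schema:
@@ -21135,6 +21139,8 @@ definitions:
 type: string
 serialNumber:
 type: string
+revokeChild:
+type: boolean
 zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
 type: object
 properties:
@@ -21480,6 +21486,8 @@ definitions:
 type: string
 serialNumber:
 type: string
+revokeChild:
+type: boolean
 pagination:
 type: object
 properties:
@@ -22012,6 +22020,8 @@ definitions:
 type: string
 serialNumber:
 type: string
+revokeChild:
+type: boolean
 zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
 type: object
 properties: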

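--- a/docs/transactions.md
+++ b/docs/transactions.md
@@ -936,7 +936,7 @@ Revokes the given X509 certificate (either intermediate or leaf).
 Revocation here just means removing it from the ledger.
 If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
 
-All the certificates in the chain signed by the revoked certificate will be revoked as well.
+If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
 
 Only the owner (sender) can revoke the certificate.
 Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead.
@@ -945,6 +945,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
 - serial-number: `optional(string)` - certificate's serial number
+- revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false
 - info: `optional(string)` - information/notes for the revocation
 - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -980,7 +981,7 @@ Proposes revocation of the given X509 root certificate by a Trustee.
 Revocation here just means removing it from the ledger.
 If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
 
-All the certificates in the chain signed by the revoked certificate will be revoked as well.
+If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
 
 If more than 1 Trustee signature is required to revoke a root certificate,
 then the certificate will be in a pending state until sufficient number of other Trustee's approvals is received.
@@ -989,6 +990,7 @@ then the certificate will be in a pending state until sufficient number of other
 - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes
 - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
 - serial-number: `optional(string)` - certificate's serial number
+- revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false
 - info: `optional(string)` - information/notes for the revocation proposal
 - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`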

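--- a/integration_tests/cli/pki-demo.sh
+++ b/integration_tests/cli/pki-demo.sh
@@ -650,8 +650,8 @@ test_divider
 echo "6. REVOKE INTERMEDIATE (AND HENCE LEAF) CERTS - No Approvals needed"
 test_divider
 
-echo "$user_account (Not Trustee) revokes Intermediate certificate. This must also revoke its child - Leaf certificate."
-result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes)
+echo "$user_account (Not Trustee) revokes Intermediate certificate with \"revoke-child\"=true. This must also revoke its child - Leaf certificate."
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --revoke-child=true --from=$user_account --yes)
 check_response "$result" "\"code\": 0"
 
 test_divider
@@ -790,8 +790,8 @@ test_divider
 echo "7. PROPOSE REVOCATION OF ROOT CERT"
 test_divider
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate"
-result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes)
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with \"revoke-child\"=true flag"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --revoke-child=true --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
 test_divider
@@ -902,7 +902,7 @@ check_response "$result" "\"code\": 0"
 
 test_divider
 
-echo "Request all root certificates proposed to revoke. Nothing left in list as the certficate is revoked"
+echo "Request all root certificates proposed to revoke. Nothing left in list as the certificates are revoked"
 result=$(dcld query pki all-proposed-x509-root-certs-to-revoke)
 response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
 response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""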
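Review bot: Both changed commands in this file (new lines 654 and 794) pass `--revoke-child=true`, so the demo never exercises the new default, under which revoking an intermediate or root leaves the certificates it signed on the ledger. That default is the security-relevant part of the change: a caller that omits the flag now gets a weaker revocation than before this commit. A step that revokes without the flag and then asserts the leaf is still absent from the revoked list would pin that here. The assertions after each command lie outside these hunks, so this may already be covered elsewhere in the file. Separately, `--from=$user_account` and `--from $trustee_account` are unquoted; `--from="$user_account"` avoids word splitting.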

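--- a/integration_tests/cli/pki-revocation-with-serial-number.sh
+++ b/integration_tests/cli/pki-revocation-with-serial-number.sh
@@ -14,6 +14,10 @@ root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMC
 root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
 intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
 intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
+leaf_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
+leaf_cert_subject_key_id="12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03"
+leaf_cert_path="integration_tests/constants/leaf_with_same_subject_and_skid"
+leaf_cert_serial_number="5"
 
 trustee_account="jack"
 second_trustee_account="alice"
@@ -42,23 +46,29 @@ echo "Add an intermediate certificate with serialNumber 4"
 result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
+echo "Add a leaf certificate with serialNumber 5"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
 echo "Request all approved root certificates."
 result=$(dcld query pki all-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
 
 echo "Revoke intermediate certificate with invalid serialNumber"
 result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 404"
 
-echo "Revoke intermediate certificate with serialNumber 3"
+echo "Revoke intermediate certificate with serialNumber 3 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
@@ -69,6 +79,7 @@ check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
 
 echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
 result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
@@ -78,15 +89,22 @@ check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 
+echo "Request all approved leaf certificates should contain only one certificate with serialNumber 5"
+result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$leaf_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
+
 echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber"
 result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes)
 check_response "$result" "\"code\": 404"
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
-echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
@@ -98,38 +116,43 @@ check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
+response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 
-echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
+echo "Request all approved certificates should contain one root certificate with serialNumber 2, one intermediate with serialNumber 4 and one leaf with serialNumber 5"
 result=$(dcld query pki all-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
-result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2 and its child certificates too"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --revoke-child=true --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
 echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
 result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
-echo "Request all revoked certificates should contain two root and intermediate certificates"
+echo "Request all revoked certificates should contain two root, one intermediate and one leaf certificates"
 result=$(dcld query pki all-revoked-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 
 echo "Request all approved root certificates should be empty"
 result=$(dcld query pki all-x509-root-certs)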
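Review bot: Several added assertions drop the closing `\"` from the pattern: `response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"` at new line 119, and the `check_response` calls at new lines 128, 131, 150 and 155. With `leaf_cert_serial_number="5"` the pattern becomes `"serialNumber": "5`, which (assuming these helpers do a substring match) matches any serial number that merely starts with 5, so a revocation check could pass or fail on the wrong certificate. Ending each pattern with `\"`, as in `"\"serialNumber\": \"$leaf_cert_serial_number\""`, makes the match exact; the context lines at new 118 and 127 carry the same omission. Also, `leaf_cert_subject` is set to the same value as `intermediate_cert_subject`, so only the subject key id and serial number distinguish the leaf in these lists.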
