#535 Make the revocation of child certificates optional

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
zigbee-alliance · Feb 21, 2024 · 2402074 · 2402074
1 parent 25b6642
commit 2402074
Show file tree

Hide file tree

Showing 22 changed files with 515 additions and 176 deletions.
diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml
@@ -9826,6 +9826,8 @@ paths:
                       type: string
                     serialNumber:
                       type: string
+                    revokeChild:
+                      type: boolean
               pagination:
                 type: object
                 properties:
@@ -9967,6 +9969,8 @@ paths:
                     type: string
                   serialNumber:
                     type: string
+                  revokeChild:
+                    type: boolean
         default:
           description: An unexpected error response.
           schema:
@@ -21135,6 +21139,8 @@ definitions:
         type: string
       serialNumber:
         type: string
+      revokeChild:
+        type: boolean
   zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse:
     type: object
     properties:
@@ -21480,6 +21486,8 @@ definitions:
               type: string
             serialNumber:
               type: string
+            revokeChild:
+              type: boolean
       pagination:
         type: object
         properties:
@@ -22012,6 +22020,8 @@ definitions:
             type: string
           serialNumber:
             type: string
+          revokeChild:
+            type: boolean
   zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse:
     type: object
     properties:

diff --git a/docs/transactions.md b/docs/transactions.md
@@ -936,7 +936,7 @@ Revokes the given X509 certificate (either intermediate or leaf).
 Revocation here just means removing it from the ledger.
 If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
 
-All the certificates in the chain signed by the revoked certificate will be revoked as well.
+If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
 
 Only the owner (sender) can revoke the certificate.
 Root certificates can not be revoked this way, use  `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead.  
@@ -945,6 +945,7 @@ Root certificates can not be revoked this way, use  `PROPOSE_X509_CERT_REVOC` an
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
   - serial-number: `optional(string)`  - certificate's serial number
+  - revoke-child: `optional(bool)`  - to revoke child certificates in the chain - default is false
   - info: `optional(string)` - information/notes for the revocation
   - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/RevokedCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>`
@@ -980,7 +981,7 @@ Proposes revocation of the given X509 root certificate by a Trustee.
 Revocation here just means removing it from the ledger.
 If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point).
 
-All the certificates in the chain signed by the revoked certificate will be revoked as well.
+If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well.
 
 If more than 1 Trustee signature is required to revoke a root certificate,
 then the certificate will be in a pending state until sufficient number of other Trustee's approvals is received.
@@ -989,6 +990,7 @@ then the certificate will be in a pending state until sufficient number of other
   - subject: `string`  - certificates's `Subject` is base64 encoded subject DER sequence bytes
   - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
   - serial-number: `optional(string)`  - certificate's serial number
+  - revoke-child: `optional(bool)`  - to revoke child certificates in the chain - default is false
   - info: `optional(string)` - information/notes for the revocation proposal
   - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field.
 - In State: `pki/ProposedCertificateRevocation/value/<Certificate's Subject>/<Certificate's Subject Key ID>`

diff --git a/integration_tests/cli/pki-demo.sh b/integration_tests/cli/pki-demo.sh
@@ -650,8 +650,8 @@ test_divider
 echo "6. REVOKE INTERMEDIATE (AND HENCE  LEAF) CERTS - No Approvals needed"
 test_divider
 
-echo "$user_account (Not Trustee) revokes Intermediate certificate. This must also revoke its child - Leaf certificate."
-result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes)
+echo "$user_account (Not Trustee) revokes Intermediate certificate with \"revoke-child\"=true. This must also revoke its child - Leaf certificate."
+result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --revoke-child=true --from=$user_account --yes)
 check_response "$result" "\"code\": 0"
 
 test_divider
@@ -790,8 +790,8 @@ test_divider
 echo "7. PROPOSE REVOCATION OF ROOT CERT"
 test_divider
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate"
-result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes)
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with \"revoke-child\"=true flag"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --revoke-child=true --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
 test_divider
@@ -902,7 +902,7 @@ check_response "$result" "\"code\": 0"
 
 test_divider
 
-echo "Request all root certificates proposed to revoke. Nothing left in list as the certficate is revoked"
+echo "Request all root certificates proposed to revoke. Nothing left in list as the certificates are revoked"
 result=$(dcld query pki all-proposed-x509-root-certs-to-revoke)
 response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\""
 response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""

diff --git a/integration_tests/cli/pki-revocation-with-serial-number.sh b/integration_tests/cli/pki-revocation-with-serial-number.sh
@@ -14,6 +14,10 @@ root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMC
 root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
 intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
 intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9"
+leaf_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ="
+leaf_cert_subject_key_id="12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03"
+leaf_cert_path="integration_tests/constants/leaf_with_same_subject_and_skid"
+leaf_cert_serial_number="5"
 
 trustee_account="jack"
 second_trustee_account="alice"
@@ -42,23 +46,29 @@ echo "Add an intermediate certificate with serialNumber 4"
 result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
+echo "Add a leaf certificate with serialNumber 5"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
 echo "Request all approved root certificates."
 result=$(dcld query pki all-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
 
 echo "Revoke intermediate certificate with invalid serialNumber"
 result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 404"
 
-echo "Revoke intermediate certificate with serialNumber 3"
+echo "Revoke intermediate certificate with serialNumber 3 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
@@ -69,6 +79,7 @@ check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
 
 echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4"
 result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id")
@@ -78,15 +89,22 @@ check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 
+echo "Request all approved leaf certificates should contain only one certificate with serialNumber 5"
+result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subject\": \"$leaf_cert_subject\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""
+
 echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber"
 result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes)
 check_response "$result" "\"code\": 404"
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1"
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
-echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1"
+echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)"
 result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
@@ -98,38 +116,43 @@ check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number"
+response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 
-echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4"
+echo "Request all approved certificates should contain one root certificate with serialNumber 2, one intermediate with serialNumber 4 and one leaf with serialNumber 5"
 result=$(dcld query pki all-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id"
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 
-echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2"
-result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes)
+echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2 and its child certificates too"
+result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --revoke-child=true --from $trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
 echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2"
 result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
-echo "Request all revoked certificates should contain two root and intermediate certificates"
+echo "Request all revoked certificates should contain two root, one intermediate and one leaf certificates"
 result=$(dcld query pki all-revoked-x509-certs)
 echo $result | jq
 check_response "$result" "\"subject\": \"$root_cert_subject\""
 check_response "$result" "\"subject\": \"$intermediate_cert_subject\""
 check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\""
 check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\""
+check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id"
 check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\""
 check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\""
 check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\""
+check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number"
 
 echo "Request all approved root certificates should be empty"
 result=$(dcld query pki all-x509-root-certs)