From 24020742e103fac88a9f75f83831556f2f79fe2b Mon Sep 17 00:00:00 2001 From: Abdulbois Date: Mon, 19 Feb 2024 15:14:27 +0500 Subject: [PATCH] #535 Make the revocation of child certificates optional Signed-off-by: Abdulbois Signed-off-by: Abdulbois --- docs/static/openapi.yml | 10 + docs/transactions.md | 6 +- integration_tests/cli/pki-demo.sh | 10 +- .../cli/pki-revocation-with-serial-number.sh | 37 ++- integration_tests/grpc_rest/pki/helpers.go | 87 ++++++- .../pki/proposed_certificate_revocation.proto | 1 + proto/pki/tx.proto | 2 + .../module/rest.ts | 1 + .../pki/proposed_certificate_revocation.ts | 20 +- .../module/types/pki/tx.ts | 41 ++- x/pki/client/cli/flags.go | 1 + .../cli/tx_propose_revoke_x_509_root_cert.go | 6 +- x/pki/client/cli/tx_revoke_x_509_cert.go | 7 +- x/pki/handler_test.go | 81 +++--- x/pki/handler_update_revocation_test.go | 2 +- ...g_server_approve_revoke_x_509_root_cert.go | 27 +- ...g_server_propose_revoke_x_509_root_cert.go | 1 + x/pki/keeper/msg_server_revoke_x_509_cert.go | 17 +- .../message_propose_revoke_x_509_root_cert.go | 3 +- x/pki/types/message_revoke_x_509_cert.go | 3 +- .../proposed_certificate_revocation.pb.go | 84 ++++-- x/pki/types/tx.pb.go | 244 ++++++++++++------ 22 files changed, 515 insertions(+), 176 deletions(-) diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml index d51969f9d..84c130786 100644 --- a/docs/static/openapi.yml +++ b/docs/static/openapi.yml @@ -9826,6 +9826,8 @@ paths: type: string serialNumber: type: string + revokeChild: + type: boolean pagination: type: object properties: @@ -9967,6 +9969,8 @@ paths: type: string serialNumber: type: string + revokeChild: + type: boolean default: description: An unexpected error response. schema: @@ -21135,6 +21139,8 @@ definitions: type: string serialNumber: type: string + revokeChild: + type: boolean zigbeealliance.distributedcomplianceledger.pki.QueryAllApprovedCertificatesResponse: type: object properties: 
@@ -21480,6 +21486,8 @@ definitions: type: string serialNumber: type: string + revokeChild: + type: boolean pagination: type: object properties: @@ -22012,6 +22020,8 @@ definitions: type: string serialNumber: type: string + revokeChild: + type: boolean zigbeealliance.distributedcomplianceledger.pki.QueryGetRejectedCertificatesResponse: type: object properties: diff --git a/docs/transactions.md b/docs/transactions.md index 37c48c15d..24c515401 100644 --- a/docs/transactions.md +++ b/docs/transactions.md @@ -936,7 +936,7 @@ Revokes the given X509 certificate (either intermediate or leaf). Revocation here just means removing it from the ledger. If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point). -All the certificates in the chain signed by the revoked certificate will be revoked as well. +If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well. Only the owner (sender) can revoke the certificate. Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` and `APPROVE_X509_ROOT_CERT_REVOC` instead. 
@@ -945,6 +945,7 @@ Root certificates can not be revoked this way, use `PROPOSE_X509_CERT_REVOC` an - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB` - serial-number: `optional(string)` - certificate's serial number + - revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false - info: `optional(string)` - information/notes for the revocation - time: `optional(int64)` - revocation time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field. - In State: `pki/RevokedCertificates/value//` @@ -980,7 +981,7 @@ Proposes revocation of the given X509 root certificate by a Trustee. Revocation here just means removing it from the ledger. If a Revocation Distribution Point needs to be published (such as RFC5280 Certificate Revocation List), please use [ADD_PKI_REVOCATION_DISTRIBUTION_POINT](#add_pki_revocation_distribution_point). -All the certificates in the chain signed by the revoked certificate will be revoked as well. +If `revoke-child` flag is set to `true` then all the certificates in the chain signed by the revoked certificate will be revoked as well. If more than 1 Trustee signature is required to revoke a root certificate, then the certificate will be in a pending state until sufficient number of other Trustee's approvals is received. 
@@ -989,6 +990,7 @@ then the certificate will be in a pending state until sufficient number of other - subject: `string` - certificates's `Subject` is base64 encoded subject DER sequence bytes - subject_key_id: `string` - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB` - serial-number: `optional(string)` - certificate's serial number + - revoke-child: `optional(bool)` - to revoke child certificates in the chain - default is false - info: `optional(string)` - information/notes for the revocation proposal - time: `optional(int64)` - revocation proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field. - In State: `pki/ProposedCertificateRevocation/value//` diff --git a/integration_tests/cli/pki-demo.sh b/integration_tests/cli/pki-demo.sh index dfb9a9df2..c8e22f769 100755 --- a/integration_tests/cli/pki-demo.sh +++ b/integration_tests/cli/pki-demo.sh @@ -650,8 +650,8 @@ test_divider echo "6. REVOKE INTERMEDIATE (AND HENCE LEAF) CERTS - No Approvals needed" test_divider -echo "$user_account (Not Trustee) revokes Intermediate certificate. This must also revoke its child - Leaf certificate." -result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --from=$user_account --yes) +echo "$user_account (Not Trustee) revokes Intermediate certificate with \"revoke-child\"=true. This must also revoke its child - Leaf certificate." +result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --revoke-child=true --from=$user_account --yes) check_response "$result" "\"code\": 0" test_divider 
@@ -790,8 +790,8 @@ test_divider echo "7. PROPOSE REVOCATION OF ROOT CERT" test_divider -echo "$trustee_account (Trustee) proposes to revoke Root certificate" -result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --from $trustee_account --yes) +echo "$trustee_account (Trustee) proposes to revoke Root certificate with \"revoke-child\"=true flag" +result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --revoke-child=true --from $trustee_account --yes) check_response "$result" "\"code\": 0" test_divider @@ -902,7 +902,7 @@ check_response "$result" "\"code\": 0" test_divider -echo "Request all root certificates proposed to revoke. Nothing left in list as the certficate is revoked" +echo "Request all root certificates proposed to revoke. Nothing left in list as the certificates are revoked" result=$(dcld query pki all-proposed-x509-root-certs-to-revoke) response_does_not_contain "$result" "\"subject\": \"$root_cert_subject\"" response_does_not_contain "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\"" diff --git a/integration_tests/cli/pki-revocation-with-serial-number.sh b/integration_tests/cli/pki-revocation-with-serial-number.sh index e17416f1f..6991b5e3f 100755 --- a/integration_tests/cli/pki-revocation-with-serial-number.sh +++ b/integration_tests/cli/pki-revocation-with-serial-number.sh 
@@ -14,6 +14,10 @@ root_cert_subject="MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMC root_cert_subject_key_id="33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE" intermediate_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ=" intermediate_cert_subject_key_id="2E:13:3B:44:52:2C:30:E9:EC:FB:45:FA:5D:E5:04:0A:C1:C6:E6:B9" +leaf_cert_subject="MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQ=" +leaf_cert_subject_key_id="12:16:55:8E:5E:2A:DF:04:D7:E6:FE:D1:53:69:61:98:EF:17:2F:03" +leaf_cert_path="integration_tests/constants/leaf_with_same_subject_and_skid" +leaf_cert_serial_number="5" trustee_account="jack" second_trustee_account="alice" @@ -42,6 +46,10 @@ echo "Add an intermediate certificate with serialNumber 4" result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$intermediate_cert_2_path" --from $trustee_account --yes) check_response "$result" "\"code\": 0" +echo "Add a leaf certificate with serialNumber 5" +result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$leaf_cert_path" --from $trustee_account --yes) +check_response "$result" "\"code\": 0" + echo "Request all approved root certificates." result=$(dcld query pki all-x509-certs) echo $result | jq 
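Review bot: `leaf_cert_subject` in the hunk at -14,6 has exactly the same value as `intermediate_cert_subject` two lines above it, so a `"subject"` assertion on a combined listing cannot tell the leaf from the intermediate; only the subject key id and serial number can. If that is deliberate (the fixture path `leaf_with_same_subject_and_skid` hints at it), a one-line comment would stop the next reader from suspecting a copy-paste slip, e.g. `# leaf shares its subject with the intermediate on purpose; distinguish them by subject key id`.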
@@ -49,16 +57,18 @@ check_response "$result" "\"subject\": \"$root_cert_subject\"" check_response "$result" "\"subject\": \"$intermediate_cert_subject\"" check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\"" check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\"" +check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\"" check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\"" check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\"" +check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\"" echo "Revoke intermediate certificate with invalid serialNumber" result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="invalid" --from=$trustee_account --yes) check_response "$result" "\"code\": 404" -echo "Revoke intermediate certificate with serialNumber 3" +echo "Revoke intermediate certificate with serialNumber 3 only(child certificates should not be removed)" result=$(echo "$passphrase" | dcld tx pki revoke-x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id" --serial-number="$intermediate_cert_1_serial_number" --from=$trustee_account --yes) check_response "$result" "\"code\": 0" 
@@ -69,6 +79,7 @@ check_response "$result" "\"subject\": \"$intermediate_cert_subject\"" check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\"" response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\"" +response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number\"" echo "Request all approved intermediate certificates should contain only one certificate with serialNumber 4" result=$(dcld query pki x509-cert --subject="$intermediate_cert_subject" --subject-key-id="$intermediate_cert_subject_key_id") 
@@ -78,15 +89,22 @@ check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\ check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\"" response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\"" +echo "Request all approved leaf certificates should contain only one certificate with serialNumber 5" +result=$(dcld query pki x509-cert --subject="$leaf_cert_subject" --subject-key-id="$leaf_cert_subject_key_id") +echo $result | jq +check_response "$result" "\"subject\": \"$leaf_cert_subject\"" +check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id\"" +check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\"" + echo "$trustee_account (Trustee) proposes to revoke Root certificate with invalid serialNumber" result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="invalid" --from $trustee_account --yes) check_response "$result" "\"code\": 404" -echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1" +echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)" result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_1_serial_number" --from $trustee_account --yes) check_response "$result" "\"code\": 0" -echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1" +echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 1 only(child certificates should not be removed)" result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" 
--serial-number="$root_cert_1_serial_number" --from $second_trustee_account --yes) check_response "$result" "\"code\": 0" 
@@ -98,38 +116,43 @@ check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\"" check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\"" response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_2_serial_number\"" response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number" +response_does_not_contain "$result" "\"serialNumber\": \"$leaf_cert_serial_number" -echo "Request all approved certificates should contain one root certificate with serialNumber 2 and one intermediate with serialNumber 4" +echo "Request all approved certificates should contain one root certificate with serialNumber 2, one intermediate with serialNumber 4 and one leaf with serialNumber 5" result=$(dcld query pki all-x509-certs) echo $result | jq check_response "$result" "\"subject\": \"$root_cert_subject\"" check_response "$result" "\"subject\": \"$intermediate_cert_subject\"" check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\"" check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id" +check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id" check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\"" +check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number" response_does_not_contain "$result" "\"serialNumber\": \"$root_cert_1_serial_number\"" response_does_not_contain "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\"" -echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2" -result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $trustee_account --yes) +echo "$trustee_account (Trustee) proposes to revoke Root certificate with serialNumber 2 and its 
child certificates too" +result=$(echo "$passphrase" | dcld tx pki propose-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --revoke-child=true --from $trustee_account --yes) check_response "$result" "\"code\": 0" echo "$second_trustee_account (Second Trustee) approves to revoke Root certificate with serialNumber 2" result=$(echo "$passphrase" | dcld tx pki approve-revoke-x509-root-cert --subject="$root_cert_subject" --subject-key-id="$root_cert_subject_key_id" --serial-number="$root_cert_2_serial_number" --from $second_trustee_account --yes) check_response "$result" "\"code\": 0" -echo "Request all revoked certificates should contain two root and intermediate certificates" +echo "Request all revoked certificates should contain two root, one intermediate and one leaf certificates" result=$(dcld query pki all-revoked-x509-certs) echo $result | jq check_response "$result" "\"subject\": \"$root_cert_subject\"" check_response "$result" "\"subject\": \"$intermediate_cert_subject\"" check_response "$result" "\"subjectKeyId\": \"$root_cert_subject_key_id\"" check_response "$result" "\"subjectKeyId\": \"$intermediate_cert_subject_key_id\"" +check_response "$result" "\"subjectKeyId\": \"$leaf_cert_subject_key_id" check_response "$result" "\"serialNumber\": \"$root_cert_1_serial_number\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_1_serial_number\"" check_response "$result" "\"serialNumber\": \"$root_cert_2_serial_number\"" check_response "$result" "\"serialNumber\": \"$intermediate_cert_2_serial_number\"" +check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number" echo "Request all approved root certificates should be empty" result=$(dcld query pki all-x509-root-certs) diff --git a/integration_tests/grpc_rest/pki/helpers.go b/integration_tests/grpc_rest/pki/helpers.go index 9b9235e8b..9b5bbddeb 100644 
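Review bot: The leaf assertions added in the hunk at -98,38 end their patterns at `$leaf_cert_serial_number"` and `$leaf_cert_subject_key_id"` without the closing `\"`, unlike the leaf assertions in the earlier hunks of this file. Assuming check_response and response_does_not_contain do substring matching, the pattern for serial `5` then also matches any serial number that merely starts with 5, so the positive checks on the approved and revoked lists prove less than they read. Closing the pattern fixes it: `check_response "$result" "\"serialNumber\": \"$leaf_cert_serial_number\""`, and likewise for the `subjectKeyId` lines. Neighbouring context lines for the intermediate certificate have the same omission and could be tightened in the same pass.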
--- a/integration_tests/grpc_rest/pki/helpers.go +++ b/integration_tests/grpc_rest/pki/helpers.go @@ -910,10 +910,11 @@ func Demo(suite *utils.TestSuite) { _, err = GetAllChildX509Certs(suite, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) suite.AssertNotFound(err) - // User (Not Trustee) revokes Intermediate certificate. This must also revoke its child - Leaf certificate. + // User (Not Trustee) revokes Intermediate certificate. With `RevokeChild` set to true, its child must also be revoked - Leaf certificate. msgRevokeX509Cert := pkitypes.MsgRevokeX509Cert{ Subject: testconstants.IntermediateSubject, SubjectKeyId: testconstants.IntermediateSubjectKeyID, + RevokeChild: true, Signer: vendorAccount.Address, } _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRevokeX509Cert}, vendorName, vendorAccount) @@ -973,6 +974,7 @@ func Demo(suite *utils.TestSuite) { msgProposeRevokeX509RootCert := pkitypes.MsgProposeRevokeX509RootCert{ Subject: testconstants.RootSubject, SubjectKeyId: testconstants.RootSubjectKeyID, + RevokeChild: true, Signer: jackAccount.Address, } _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgProposeRevokeX509RootCert}, jackName, jackAccount) @@ -1000,6 +1002,7 @@ func Demo(suite *utils.TestSuite) { proposedCertificateRevocation, _ := GetProposedRevocationX509Cert(suite, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.Equal(suite.T, testconstants.RootSubject, proposedCertificateRevocation.Subject) require.Equal(suite.T, testconstants.RootSubjectKeyID, proposedCertificateRevocation.SubjectKeyId) + require.Equal(suite.T, true, proposedCertificateRevocation.RevokeChild) require.True(suite.T, proposedCertificateRevocation.HasRevocationFrom(jackAccount.Address)) // Request all approved certificates 
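Review bot: In the hunk at -1000,6 the new assertion `require.Equal(suite.T, true, proposedCertificateRevocation.RevokeChild)` is more idiomatic as `require.True(suite.T, proposedCertificateRevocation.RevokeChild)`, which matches the `require.True` call on the next line. The test pins the stored flag only for a proposal that sets it; the later proposal for serial number 1, which leaves `RevokeChild` unset, has no matching `require.False` on the stored proposal in the visible hunks, and that default is the case where child certificates stay approved. Demo's body continues outside these hunks, so such a check may exist elsewhere.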
@@ -1695,7 +1698,7 @@ func Demo(suite *utils.TestSuite) { _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgApproveAddX509RootCert}, jackName, jackAccount) require.NoError(suite.T, err) - // Add intermediate certificates + // Add intermediate and leaf certificates msgAddX509Cert = pkitypes.MsgAddX509Cert{ Cert: testconstants.IntermediateWithSameSubjectAndSKID1, Signer: aliceAccount.Address, @@ -1710,11 +1713,20 @@ func Demo(suite *utils.TestSuite) { _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddX509Cert}, aliceName, aliceAccount) require.NoError(suite.T, err) + msgAddX509Cert = pkitypes.MsgAddX509Cert{ + Cert: testconstants.LeafCertWithSameSubjectAndSKID, + Signer: aliceAccount.Address, + } + _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddX509Cert}, aliceName, aliceAccount) + require.NoError(suite.T, err) + // Check approved certificate certs, _ := GetX509Cert(suite, testconstants.RootCertWithSameSubjectAndSKIDSubject, testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID) require.Equal(suite.T, 2, len(certs.Certs)) certs, _ = GetX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) require.Equal(suite.T, 2, len(certs.Certs)) + certs, _ = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(certs.Certs)) // Revoke intermediate certificate with invalid serialNumber msgRevokeX509Cert = pkitypes.MsgRevokeX509Cert{ 
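Review bot: The lookup added in the hunk at -1710,11, `certs, _ = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, ...)`, discards the error and then reads `certs.Certs`, so a failed query would surface as a nil dereference (if the helper returns a nil pointer on error) instead of a readable test failure. Keeping the error is a two-line change: `certs, err = GetX509Cert(...)` followed by `require.NoError(suite.T, err)`. The same pattern is added in the hunks at -1742, -1789, -1882 and -1909; in the last one, `certificates, _ = GetAllX509Certs(suite)` followed by `require.Equal(suite.T, 0, len(certificates))` is the risky form, because an empty result from a failed query would satisfy the assertion that every certificate was revoked. The surrounding context lines already follow this convention, so this is a request to stop extending it rather than a regression.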
@@ -1726,7 +1738,7 @@ func Demo(suite *utils.TestSuite) { _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRevokeX509Cert}, aliceName, aliceAccount) require.Error(suite.T, err) - // Revoke intermediate certificate with serialNumber 1 + // Revoke intermediate certificate with serialNumber 1 only(child certs should not be removed) msgRevokeX509Cert.SerialNumber = testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRevokeX509Cert}, aliceName, aliceAccount) require.NoError(suite.T, err) @@ -1742,6 +1754,9 @@ func Demo(suite *utils.TestSuite) { certs, _ = GetX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) require.Equal(suite.T, 1, len(certs.Certs)) require.Equal(suite.T, testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, certs.Certs[0].SerialNumber) + certs, _ = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(certs.Certs)) + require.Equal(suite.T, testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, certs.Certs[0].SerialNumber) // Revoke Root certificate with invalid serialNumber msgProposeRevokeX509RootCert = pkitypes.MsgProposeRevokeX509RootCert{ @@ -1753,7 +1768,7 @@ func Demo(suite *utils.TestSuite) { _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgProposeRevokeX509RootCert}, jackName, jackAccount) require.Error(suite.T, err) - // Revoke Root certificate with serialNumber 1 + // Revoke Root certificate with serialNumber 1 only(child certs should not be removed) msgProposeRevokeX509RootCert.SerialNumber = testconstants.RootCertWithSameSubjectAndSKID1SerialNumber _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgProposeRevokeX509RootCert}, jackName, jackAccount) require.NoError(suite.T, err) 
@@ -1789,6 +1804,10 @@ func Demo(suite *utils.TestSuite) { require.Equal(suite.T, 1, len(certs.Certs)) require.Equal(suite.T, testconstants.IntermediateCertWithSameSubjectAndSKID2SerialNumber, certs.Certs[0].SerialNumber) + certs, _ = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(certs.Certs)) + require.Equal(suite.T, testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, certs.Certs[0].SerialNumber) + // Remove x509 certificate with invalid serialNumber msgRemoveX509Cert := pkitypes.MsgRemoveX509Cert{ Subject: testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -1813,6 +1832,18 @@ func Demo(suite *utils.TestSuite) { _, err = GetX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) suite.AssertNotFound(err) + // Remove leaf x509 certificate by subject and subject key id + msgRemoveX509Cert = pkitypes.MsgRemoveX509Cert{ + Subject: testconstants.LeafCertWithSameSubjectAndSKIDSubject, + SubjectKeyId: testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, + Signer: aliceAccount.Address, + } + _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgRemoveX509Cert}, aliceName, aliceAccount) + require.NoError(suite.T, err) + // Check that leaf certificate removed + _, err = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + suite.AssertNotFound(err) + // Remove x509 by subject, subject key id and serial number // Add intermediate certificates msgAddX509Cert = pkitypes.MsgAddX509Cert{ 
@@ -1882,11 +1913,37 @@ func Demo(suite *utils.TestSuite) { _, err = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) suite.AssertNotFound(err) - // Revoke Root certificate with serialNumber 2 + // Revoke Root certificate and its child certificates + // Add intermediate and leaf certificates + msgAddX509Cert = pkitypes.MsgAddX509Cert{ + Cert: testconstants.IntermediateWithSameSubjectAndSKID1, + Signer: aliceAccount.Address, + } + _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddX509Cert}, aliceName, aliceAccount) + require.NoError(suite.T, err) + + msgAddX509Cert = pkitypes.MsgAddX509Cert{ + Cert: testconstants.LeafCertWithSameSubjectAndSKID, + Signer: aliceAccount.Address, + } + _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgAddX509Cert}, aliceName, aliceAccount) + require.NoError(suite.T, err) + + // Check that certs are added + certs, _ = GetX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(certs.Certs)) + require.Equal(suite.T, testconstants.IntermediateCertWithSameSubjectAndSKID1SerialNumber, certs.Certs[0].SerialNumber) + + certs, _ = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(certs.Certs)) + require.Equal(suite.T, testconstants.LeafCertWithSameSubjectAndSKIDSerialNumber, certs.Certs[0].SerialNumber) + + // Revoke root cert and its child msgProposeRevokeX509RootCert = pkitypes.MsgProposeRevokeX509RootCert{ Subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, SubjectKeyId: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, SerialNumber: testconstants.RootCertWithSameSubjectAndSKID2SerialNumber, + RevokeChild: true, Signer: jackAccount.Address, } _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgProposeRevokeX509RootCert}, 
jackName, jackAccount) @@ -1901,7 +1958,7 @@ func Demo(suite *utils.TestSuite) { _, err = suite.BuildAndBroadcastTx([]sdk.Msg{&msgApproveRevokeX509RootCert}, aliceName, aliceAccount) require.NoError(suite.T, err) - // Request revoked Root certificate with serialNumber 2 + // Request revoked certificates revokedCertificate, _ = GetRevokedX509Cert(suite, testconstants.RootCertWithSameSubjectAndSKIDSubject, testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID) require.Equal(suite.T, 2, len(revokedCertificate.Certs)) require.Equal(suite.T, testconstants.RootCertWithSameSubjectAndSKIDSubject, revokedCertificate.Subject) 
@@ -1909,6 +1966,24 @@ func Demo(suite *utils.TestSuite) { require.Equal(suite.T, testconstants.RootCertWithSameSubjectAndSKID2SerialNumber, revokedCertificate.Certs[1].SerialNumber) require.True(suite.T, revokedCertificate.Certs[1].IsRoot) + revokedCertificate, _ = GetRevokedX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(revokedCertificate.Certs)) + require.Equal(suite.T, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, revokedCertificate.Subject) + require.Equal(suite.T, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, revokedCertificate.SubjectKeyId) + + revokedCertificate, _ = GetRevokedX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + require.Equal(suite.T, 1, len(revokedCertificate.Certs)) + require.Equal(suite.T, testconstants.LeafCertWithSameSubjectAndSKIDSubject, revokedCertificate.Subject) + require.Equal(suite.T, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID, revokedCertificate.SubjectKeyId) + + // Check that all certs are removed from approved lists _, err = GetX509Cert(suite, testconstants.RootCertWithSameSubjectAndSKIDSubject, testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID) suite.AssertNotFound(err) + _, err = GetX509Cert(suite, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID) + suite.AssertNotFound(err) + _, err = GetX509Cert(suite, testconstants.LeafCertWithSameSubjectAndSKIDSubject, testconstants.LeafCertWithSameSubjectAndSKIDSubjectKeyID) + suite.AssertNotFound(err) + + certificates, _ = GetAllX509Certs(suite) + require.Equal(suite.T, 0, len(certificates)) } diff --git a/proto/pki/proposed_certificate_revocation.proto b/proto/pki/proposed_certificate_revocation.proto index b74907a97..5d6d6ec64 100644 
--- a/proto/pki/proposed_certificate_revocation.proto +++ b/proto/pki/proposed_certificate_revocation.proto @@ -11,5 +11,6 @@ message ProposedCertificateRevocation { repeated Grant approvals = 3; string subjectAsText = 4; string serialNumber = 5; + bool revokeChild = 6; } diff --git a/proto/pki/tx.proto b/proto/pki/tx.proto index fcf1e245b..007262621 100644 --- a/proto/pki/tx.proto +++ b/proto/pki/tx.proto @@ -65,6 +65,7 @@ message MsgProposeRevokeX509RootCert { string info = 4 [(gogoproto.moretags) = "validate:\"max=4096\""]; int64 time = 5; string serialNumber = 6; + bool revokeChild = 7; } message MsgProposeRevokeX509RootCertResponse { @@ -89,6 +90,7 @@ message MsgRevokeX509Cert { string info = 4 [(gogoproto.moretags) = "validate:\"max=4096\""]; int64 time = 5; string serialNumber = 6; + bool revokeChild = 7; } message MsgRevokeX509CertResponse { diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts index 7bc5cd36c..846217c49 100644 --- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/rest.ts @@ -143,6 +143,7 @@ export interface PkiProposedCertificateRevocation { serialNumber?: string; approvals?: PkiGrant[]; subjectAsText?: string; + revokeChild?: boolean; } export interface PkiQueryAllApprovedCertificatesResponse { 
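Review bot: `bool revokeChild = 6;` stores the cascade decision on the proposal, but the approval commands in this patch's integration scripts pass only subject, subject key id and serial number, so an approving trustee does not restate whether child certificates are included. If the approve message indeed has no such field (its definition is outside the visible hunks), the scope of a root revocation is fixed by the proposer alone, and the field should say so, e.g. `// chosen by the proposer; approvers should query the proposal to see whether children are revoked too`. The approve transaction's documentation would benefit from the same sentence.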
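Review bot: `bool revokeChild = 7;` in MsgProposeRevokeX509RootCert (hunk at -65,6) and in MsgRevokeX509Cert (hunk at -89,6) is false when omitted, and the documentation hunk in this patch replaces the sentence saying that all certificates signed by the revoked one are revoked as well. A client that keeps sending the old message shape therefore gets a narrower revocation than before, with certificates issued by a revoked CA left in the approved set. That deserves a field comment such as `// false (default): certificates issued by the revoked certificate remain approved` and, if deployed clients rely on the old cascade, an explicit note in the release notes.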
diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/proposed_certificate_revocation.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/proposed_certificate_revocation.ts index a48e7d251..3b1a38022 100644 --- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/proposed_certificate_revocation.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/proposed_certificate_revocation.ts @@ -10,9 +10,10 @@ export interface ProposedCertificateRevocation { approvals: Grant[] subjectAsText: string serialNumber: string + revokeChild: boolean } -const baseProposedCertificateRevocation: object = { subject: '', subjectKeyId: '', subjectAsText: '', serialNumber: '' } +const baseProposedCertificateRevocation: object = { subject: '', subjectKeyId: '', subjectAsText: '', serialNumber: '', revokeChild: false } export const ProposedCertificateRevocation = { encode(message: ProposedCertificateRevocation, writer: Writer = Writer.create()): Writer { @@ -31,6 +32,9 @@ export const ProposedCertificateRevocation = { if (message.serialNumber !== '') { writer.uint32(42).string(message.serialNumber) } + if (message.revokeChild === true) { + writer.uint32(48).bool(message.revokeChild) + } return writer }, @@ -57,6 +61,9 @@ export const ProposedCertificateRevocation = { case 5: message.serialNumber = reader.string() break + case 6: + message.revokeChild = reader.bool() + break default: reader.skipType(tag & 7) break 
@@ -93,6 +100,11 @@ export const ProposedCertificateRevocation = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = Boolean(object.revokeChild) + } else { + message.revokeChild = false + } return message }, @@ -107,6 +119,7 @@ export const ProposedCertificateRevocation = { } message.subjectAsText !== undefined && (obj.subjectAsText = message.subjectAsText) message.serialNumber !== undefined && (obj.serialNumber = message.serialNumber) + message.revokeChild !== undefined && (obj.revokeChild = message.revokeChild) return obj }, @@ -138,6 +151,11 @@ export const ProposedCertificateRevocation = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = object.revokeChild + } else { + message.revokeChild = false + } return message } } diff --git a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts index 34e3944b2..3eb776561 100644 --- a/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts +++ b/vue/src/store/generated/zigbee-alliance/distributed-compliance-ledger/zigbeealliance.distributedcomplianceledger.pki/module/types/pki/tx.ts @@ -40,6 +40,7 @@ export interface MsgProposeRevokeX509RootCert { info: string time: number serialNumber: string + revokeChild: boolean } export interface MsgProposeRevokeX509RootCertResponse {} @@ -62,6 +63,7 @@ export interface MsgRevokeX509Cert { info: string time: number serialNumber: string + revokeChild: boolean } export interface MsgRevokeX509CertResponse {} 
@@ -607,7 +609,7 @@ export const MsgAddX509CertResponse = { } } -const baseMsgProposeRevokeX509RootCert: object = { signer: '', subject: '', subjectKeyId: '', info: '', time: 0, serialNumber: '' } +const baseMsgProposeRevokeX509RootCert: object = { signer: '', subject: '', subjectKeyId: '', info: '', time: 0, serialNumber: '', revokeChild: false } export const MsgProposeRevokeX509RootCert = { encode(message: MsgProposeRevokeX509RootCert, writer: Writer = Writer.create()): Writer { @@ -629,6 +631,9 @@ export const MsgProposeRevokeX509RootCert = { if (message.serialNumber !== '') { writer.uint32(50).string(message.serialNumber) } + if (message.revokeChild === true) { + writer.uint32(56).bool(message.revokeChild) + } return writer }, @@ -657,6 +662,9 @@ export const MsgProposeRevokeX509RootCert = { case 6: message.serialNumber = reader.string() break + case 7: + message.revokeChild = reader.bool() + break default: reader.skipType(tag & 7) break @@ -697,6 +705,11 @@ export const MsgProposeRevokeX509RootCert = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = Boolean(object.revokeChild) + } else { + message.revokeChild = false + } return message }, @@ -708,6 +721,7 @@ export const MsgProposeRevokeX509RootCert = { message.info !== undefined && (obj.info = message.info) message.time !== undefined && (obj.time = message.time) message.serialNumber !== undefined && (obj.serialNumber = message.serialNumber) + message.revokeChild !== undefined && (obj.revokeChild = message.revokeChild) return obj }, @@ -743,6 +757,11 @@ export const MsgProposeRevokeX509RootCert = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = object.revokeChild + } else { + message.revokeChild = false + } return message } } 
@@ -963,7 +982,7 @@ export const MsgApproveRevokeX509RootCertResponse = { } } -const baseMsgRevokeX509Cert: object = { signer: '', subject: '', subjectKeyId: '', info: '', time: 0, serialNumber: '' } +const baseMsgRevokeX509Cert: object = { signer: '', subject: '', subjectKeyId: '', info: '', time: 0, serialNumber: '', revokeChild: false } export const MsgRevokeX509Cert = { encode(message: MsgRevokeX509Cert, writer: Writer = Writer.create()): Writer { @@ -985,6 +1004,9 @@ export const MsgRevokeX509Cert = { if (message.serialNumber !== '') { writer.uint32(50).string(message.serialNumber) } + if (message.revokeChild === true) { + writer.uint32(56).bool(message.revokeChild) + } return writer }, @@ -1013,6 +1035,9 @@ export const MsgRevokeX509Cert = { case 6: message.serialNumber = reader.string() break + case 7: + message.revokeChild = reader.bool() + break default: reader.skipType(tag & 7) break @@ -1053,6 +1078,11 @@ export const MsgRevokeX509Cert = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = Boolean(object.revokeChild) + } else { + message.revokeChild = false + } return message }, @@ -1064,6 +1094,7 @@ export const MsgRevokeX509Cert = { message.info !== undefined && (obj.info = message.info) message.time !== undefined && (obj.time = message.time) message.serialNumber !== undefined && (obj.serialNumber = message.serialNumber) + message.revokeChild !== undefined && (obj.revokeChild = message.revokeChild) return obj }, @@ -1099,6 +1130,11 @@ export const MsgRevokeX509Cert = { } else { message.serialNumber = '' } + if (object.revokeChild !== undefined && object.revokeChild !== null) { + message.revokeChild = object.revokeChild + } else { + message.revokeChild = false + } return message } } 
@@ -2391,6 +2427,7 @@ export interface Msg { AssignVid(request: MsgAssignVid): Promise AddNocX509RootCert(request: MsgAddNocX509RootCert): Promise /** this line is used by starport scaffolding # proto/tx/rpc */ + /** this line is used by starport scaffolding # proto/tx/rpc */ RemoveX509Cert(request: MsgRemoveX509Cert): Promise } diff --git a/x/pki/client/cli/flags.go b/x/pki/client/cli/flags.go index 29cff681d..783db06d7 100644 --- a/x/pki/client/cli/flags.go +++ b/x/pki/client/cli/flags.go @@ -26,4 +26,5 @@ const ( FlagLabel = "label" FlagLabelShortcut = "l" FlagIssuerSubjectKeyID = "issuer-subject-key-id" + FlagRevokeChild = "revoke-child" ) diff --git a/x/pki/client/cli/tx_propose_revoke_x_509_root_cert.go b/x/pki/client/cli/tx_propose_revoke_x_509_root_cert.go index 16448c29d..34c2f8f83 100644 --- a/x/pki/client/cli/tx_propose_revoke_x_509_root_cert.go +++ b/x/pki/client/cli/tx_propose_revoke_x_509_root_cert.go @@ -18,7 +18,8 @@ func CmdProposeRevokeX509RootCert() *cobra.Command { cmd := &cobra.Command{ Use: "propose-revoke-x509-root-cert", Short: "Proposes revocation of the given root certificate. " + - "All the certificates in the subtree signed by the revoked certificate will be revoked as well.", + "If revoke-child flag is set to true then all the certificates in the subtree signed by the revoked " + + "certificate will be revoked as well.", Args: cobra.ExactArgs(0), RunE: func(cmd *cobra.Command, args []string) (err error) { clientCtx, err := client.GetClientTxContext(cmd) @@ -30,12 +31,14 @@ func CmdProposeRevokeX509RootCert() *cobra.Command { subjectKeyID := viper.GetString(FlagSubjectKeyID) info := viper.GetString(FlagInfo) serialNumber := viper.GetString(FlagSerialNumber) + revokeChild := viper.GetBool(FlagRevokeChild) msg := types.NewMsgProposeRevokeX509RootCert( clientCtx.GetFromAddress().String(), subject, subjectKeyID, serialNumber, + revokeChild, info, ) // validate basic will be called in GenerateOrBroadcastTxCLI 
@@ -51,6 +54,7 @@ func CmdProposeRevokeX509RootCert() *cobra.Command { cmd.Flags().StringP(FlagSubject, FlagSubjectShortcut, "", "Certificate's subject") cmd.Flags().StringP(FlagSubjectKeyID, FlagSubjectKeyIDShortcut, "", "Certificate's subject key id (hex)") cmd.Flags().StringP(FlagSerialNumber, FlagSerialNumberShortcut, "", "Certificate's serial number") + cmd.Flags().String(FlagRevokeChild, "", "If flag is true then all the certificates in the subtree will be revoked as well - default is false") cmd.Flags().String(FlagInfo, "", FlagInfoUsage) cli.AddTxFlagsToCmd(cmd) diff --git a/x/pki/client/cli/tx_revoke_x_509_cert.go b/x/pki/client/cli/tx_revoke_x_509_cert.go index df1bdab63..edb39c1d3 100644 --- a/x/pki/client/cli/tx_revoke_x_509_cert.go +++ b/x/pki/client/cli/tx_revoke_x_509_cert.go @@ -18,7 +18,8 @@ func CmdRevokeX509Cert() *cobra.Command { cmd := &cobra.Command{ Use: "revoke-x509-cert", Short: "Revokes the given intermediate or leaf certificate. " + - "All the certificates in the subtree signed by the revoked certificate will be revoked as well.", + "If revoke-child flag is set to true then all the certificates in the subtree signed by the revoked " + + "certificate will be revoked as well.", Args: cobra.ExactArgs(0), RunE: func(cmd *cobra.Command, args []string) (err error) { clientCtx, err := client.GetClientTxContext(cmd) @@ -29,7 +30,7 @@ func CmdRevokeX509Cert() *cobra.Command { subject := viper.GetString(FlagSubject) subjectKeyID := viper.GetString(FlagSubjectKeyID) serialNumber := viper.GetString(FlagSerialNumber) - + revokeChild := viper.GetBool(FlagRevokeChild) infoArg := viper.GetString(FlagInfo) msg := types.NewMsgRevokeX509Cert( @@ -37,6 +38,7 @@ func CmdRevokeX509Cert() *cobra.Command { subject, subjectKeyID, serialNumber, + revokeChild, infoArg, ) // validate basic will be called in GenerateOrBroadcastTxCLI 
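Review bot: `--revoke-child` is registered with `cmd.Flags().String(FlagRevokeChild, "", ...)` here, and again in the matching hunk of `tx_revoke_x_509_cert.go`, but it is read with `viper.GetBool(FlagRevokeChild)`. A value that does not parse as a boolean is therefore not rejected and, as far as I can tell from viper's casting, ends up as false. An operator who mistypes the value would submit a revocation that leaves the child certificates approved, with no error. Registering it as `cmd.Flags().Bool(FlagRevokeChild, false, "...")` makes bad input fail at parse time. A bool flag takes `--revoke-child` or `--revoke-child=true`, not a space-separated value, so the scripts under `integration_tests/cli` would need checking.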
@@ -52,6 +54,7 @@ func CmdRevokeX509Cert() *cobra.Command { cmd.Flags().StringP(FlagSubject, FlagSubjectShortcut, "", "Certificate's subject") cmd.Flags().StringP(FlagSubjectKeyID, FlagSubjectKeyIDShortcut, "", "Certificate's subject key id (hex)") cmd.Flags().StringP(FlagSerialNumber, FlagSerialNumberShortcut, "", "Certificate's serial number") + cmd.Flags().String(FlagRevokeChild, "", "If flag is true then all the certificates in the subtree will be revoked as well - default is false") cmd.Flags().String(FlagInfo, "", FlagInfoUsage) cli.AddTxFlagsToCmd(cmd) diff --git a/x/pki/handler_test.go b/x/pki/handler_test.go index c7f094cd7..8780db134 100644 --- a/x/pki/handler_test.go +++ b/x/pki/handler_test.go @@ -546,7 +546,7 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. // Trustee1 proposes to revoke the certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1103,7 +1103,7 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { // propose revocation of x509 root certificate by `setup.Trustee` proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) 
@@ -1140,7 +1140,7 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { // propose revocation of x509 root certificate by new trustee proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1181,7 +1181,7 @@ func TestHandler_ProposeRevokeX509RootCert_ByNotTrustee(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - accAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + accAddress.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) @@ -1193,7 +1193,7 @@ func TestHandler_ProposeRevokeX509RootCert_CertificateDoesNotExist(t *testing.T) // propose revocation of not existing certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) 
@@ -1213,7 +1213,7 @@ func TestHandler_ProposeRevokeX509RootCert_ForProposedCertificate(t *testing.T) // propose revocation of proposed root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) @@ -1228,7 +1228,7 @@ func TestHandler_ProposeRevokeX509RootCert_ProposedRevocationAlreadyExists(t *te // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1238,7 +1238,7 @@ func TestHandler_ProposeRevokeX509RootCert_ProposedRevocationAlreadyExists(t *te // propose revocation of the same x509 root certificate again proposeRevokeX509RootCert = types.NewMsgProposeRevokeX509RootCert( - anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.Error(t, err) require.True(t, pkitypes.ErrProposedCertificateRevocationAlreadyExists.Is(err)) 
@@ -1258,7 +1258,7 @@ func TestHandler_ProposeRevokeX509RootCert_ForNonRootCertificate(t *testing.T) { // propose revocation of x509 intermediate certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.Error(t, err) require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) @@ -1277,7 +1277,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForNotEnoughApprovals(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1317,7 +1317,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForEnoughApprovals(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) 
@@ -1380,7 +1380,7 @@ func TestHandler_ApproveRevokeX509RootCert_BySerialNumber(t *testing.T) { // propose revocation of root certificate with serial number "1" proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "1", testconstants.Info) + setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "1", false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1410,7 +1410,7 @@ func TestHandler_ApproveRevokeX509RootCert_BySerialNumber(t *testing.T) { // propose revocation of root certificate with serial number "2" proposeRevokeX509RootCert = types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "2", testconstants.Info) + setup.Trustee1.String(), rootSubject, rootSubjectKeyID, "2", true, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) 
@@ -1431,11 +1431,20 @@ func TestHandler_ApproveRevokeX509RootCert_BySerialNumber(t *testing.T) { certsAfterRevocationBySubjectID := setup.Keeper.GetAllApprovedCertificatesBySubjectKeyID(setup.Ctx) require.Equal(t, 0, len(certsAfterRevocationBySubjectID)) - // query and check revoked certificate + // query all revoked certificates + allRevokedCerts, _ := queryAllRevokedCertificates(setup) + require.Equal(t, 2, len(allRevokedCerts)) + + // query and check revoked root certificates revokedCerts, _ := queryRevokedCertificates(setup, rootSubject, rootSubjectKeyID) require.Equal(t, 2, len(revokedCerts.Certs)) require.Equal(t, rootSubject, revokedCerts.Subject) require.Equal(t, rootSubjectKeyID, revokedCerts.SubjectKeyId) + // query and check revoked intermediate certificate + revokedCerts, _ = queryRevokedCertificates(setup, intermediateSubject, intermediateSubjectKeyID) + require.Equal(t, 1, len(revokedCerts.Certs)) + require.Equal(t, intermediateSubject, revokedCerts.Subject) + require.Equal(t, intermediateSubjectKeyID, revokedCerts.SubjectKeyId) } func TestHandler_ApproveRevokeX509RootCert_ByNotTrustee(t *testing.T) { @@ -1447,7 +1456,7 @@ func TestHandler_ApproveRevokeX509RootCert_ByNotTrustee(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) 
@@ -1492,7 +1501,7 @@ func TestHandler_ApproveRevokeX509RootCert_Twice(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -1523,13 +1532,13 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "", true, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) // approve approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "", testconstants.Info) _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) @@ -1612,7 +1621,7 @@ func TestHandler_RevokeX509Cert(t *testing.T) { // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - accAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "", testconstants.Info) + accAddress.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "", false, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) 
@@ -1685,9 +1694,9 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { require.Equal(t, 3, len(allCerts)) require.Equal(t, 4, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) - // revoke intermediate certificate + // revoke only an intermediate certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) @@ -1696,13 +1705,16 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { require.Error(t, err) require.Equal(t, codes.NotFound, status.Code(err)) - // check that only root and two intermediate certificates exists + // check that only root, intermediate and leaf certificates exists allCerts, _ = queryAllApprovedCertificates(setup) require.Equal(t, 3, len(allCerts)) require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) intermediateCerts, _ := queryApprovedCertificates(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) require.Equal(t, 1, len(intermediateCerts.Certs)) require.Equal(t, SerialNumber, intermediateCerts.Certs[0].SerialNumber) + leafCerts, _ := queryApprovedCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) + require.Equal(t, 1, len(leafCerts.Certs)) + require.Equal(t, testconstants.LeafSerialNumber, leafCerts.Certs[0].SerialNumber) // query and check revoked certificate revokedCertificate, _ := querySingleRevokedCertificate(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) 
@@ -1711,9 +1723,9 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCertificate.SubjectKeyId) require.Equal(t, testconstants.IntermediateSerialNumber, revokedCertificate.SerialNumber) - // revoke intermediate certificate + // revoke intermediate and leaf certificates revokeX509Cert = types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, SerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, SerialNumber, true, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) @@ -1732,6 +1744,12 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { require.Equal(t, 2, len(revokedCerts.Certs)) require.Equal(t, testconstants.IntermediateSubject, revokedCerts.Subject) require.Equal(t, testconstants.IntermediateSubjectKeyID, revokedCerts.SubjectKeyId) + + // query and check revoked certificate + revokedCerts, _ = queryRevokedCertificates(setup, testconstants.LeafSubject, testconstants.LeafSubjectKeyID) + require.Equal(t, 1, len(revokedCerts.Certs)) + require.Equal(t, testconstants.LeafSubject, revokedCerts.Subject) + require.Equal(t, testconstants.LeafSubjectKeyID, revokedCerts.SubjectKeyId) } func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { @@ -1968,6 +1986,7 @@ func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, + false, testconstants.Info, ) _, err = setup.Handler(setup.Ctx, revokeX509Cert) 
@@ -2103,7 +2122,7 @@ func TestHandler_RevokeX509RootCertsBySubjectKeyId(t *testing.T) { // revoke certificate revokeX509Cert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.PAACertWithSameSubjectID1Subject, testconstants.PAACertWithSameSubjectIDSubjectID, "", testconstants.Info) + setup.Trustee1.String(), testconstants.PAACertWithSameSubjectID1Subject, testconstants.PAACertWithSameSubjectIDSubjectID, "", false, testconstants.Info) _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) @@ -2138,7 +2157,7 @@ func TestHandler_RevokeX509CertRoot_CertificateDoesNotExistBySerialNumber(t *tes // revoke x509 certificate revokeX509Cert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "invalid", testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, "invalid", false, testconstants.Info) _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) @@ -2148,7 +2167,7 @@ func TestHandler_RevokeX509Cert_CertificateDoesNotExist(t *testing.T) { // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) 
@@ -2167,7 +2186,7 @@ func TestHandler_RevokeX509Cert_CertificateDoesNotExistBySerialNumber(t *testing // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "invalid", testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "invalid", false, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrCertificateDoesNotExist.Is(err)) @@ -2182,7 +2201,7 @@ func TestHandler_RevokeX509Cert_ForRootCertificate(t *testing.T) { // revoke x509 root certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, pkitypes.ErrInappropriateCertificateType.Is(err)) @@ -2206,7 +2225,7 @@ func TestHandler_RevokeX509Cert_ByNotOwner(t *testing.T) { // revoke x509 certificate by another account revokeX509Cert := types.NewMsgRevokeX509Cert( - anotherTrustee.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, testconstants.Info) + anotherTrustee.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, testconstants.IntermediateSerialNumber, false, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.Error(t, err) require.True(t, sdkerrors.ErrUnauthorized.Is(err)) 
@@ -2237,7 +2256,7 @@ func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( - setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "", testconstants.Info) + setup.Trustee1.String(), testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, "", true, testconstants.Info) _, err = setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) diff --git a/x/pki/handler_update_revocation_test.go b/x/pki/handler_update_revocation_test.go index 44079a1f1..946403ac8 100644 --- a/x/pki/handler_update_revocation_test.go +++ b/x/pki/handler_update_revocation_test.go @@ -274,7 +274,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_PAI_NotChainedOnLedger(t * _, err := setup.Handler(setup.Ctx, addPkiRevocationDistributionPoint) require.NoError(t, err) - proposeRevokeRootCert := types.NewMsgProposeRevokeX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, "", testconstants.Info) + proposeRevokeRootCert := types.NewMsgProposeRevokeX509RootCert(setup.Trustee1.String(), testconstants.PAACertWithNumericVidSubject, testconstants.PAACertWithNumericVidSubjectKeyID, "", false, testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeRootCert) require.NoError(t, err) diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go index 72535d902..af6262d4c 100644 --- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go 
@@ -49,21 +49,27 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M revocation.Approvals = append(revocation.Approvals, &grant) // check if proposed certificate revocation has enough approvals - if len(revocation.Approvals) >= k.CertificateApprovalsCount(ctx, k.dclauthKeeper) { + if len(revocation.Approvals) >= k.CertificateApprovalsCount(ctx, k.dclauthKeeper) { //nolint:nestif certificates, found := k.GetApprovedCertificates(ctx, msg.Subject, msg.SubjectKeyId) if !found { return nil, pkitypes.NewErrCertificateDoesNotExist(msg.Subject, msg.SubjectKeyId) } + certID := types.CertificateIdentifier{ Subject: msg.Subject, SubjectKeyId: msg.SubjectKeyId, } k.AddRevokedRootCertificate(ctx, certID) k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber) + if msg.SerialNumber != "" { - k._removeAndRevokeBySerialNumber(ctx, revocation.Approvals, msg.SerialNumber, certificates) + k._makeRootCertRevoked(ctx, revocation.Approvals, msg.SerialNumber, certificates) } else { - k._removeAndRevoke(ctx, revocation.Approvals, certificates) + k._makeRootCertsRevoked(ctx, revocation.Approvals, certificates) + } + + if revocation.RevokeChild { + k.RevokeChildCertificates(ctx, certID.Subject, certID.SubjectKeyId) } } else { k.SetProposedCertificateRevocation(ctx, revocation) @@ -72,7 +78,11 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M return &types.MsgApproveRevokeX509RootCertResponse{}, nil } -func (k msgServer) _removeAndRevoke(ctx sdk.Context, approvals []*types.Grant, certificates types.ApprovedCertificates) { +func (k msgServer) _makeRootCertsRevoked( + ctx sdk.Context, + approvals []*types.Grant, + certificates types.ApprovedCertificates, +) { // Assign the approvals to the root certificate for _, cert := range certificates.Certs { if cert.IsRoot { 
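Review bot: With a serial number and `RevokeChild` set, `k.RevokeChildCertificates(ctx, certID.Subject, certID.SubjectKeyId)` now runs even when another root certificate with the same subject and subject key id stays approved; before this patch the serial-number path cascaded only inside `if len(certificates.Certs) == 0`. The helper receives subject and key id only, so it presumably cannot tell which root serial a child chains to, and children still covered by a remaining approved root would be revoked as well. If that is intended, say so in a comment above the `if revocation.RevokeChild {` block, e.g. `// cascades for every root with this subject/SKID, including serials that stay approved`; otherwise guard the call on no approved root remaining. The updated `TestHandler_ApproveRevokeX509RootCert_BySerialNumber` uses `true` only for the last remaining serial, so this case is not covered, and the function body starts before this hunk.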
@@ -87,13 +97,17 @@ func (k msgServer) _removeAndRevoke(ctx sdk.Context, approvals []*types.Grant, c k.RemoveApprovedRootCertificate(ctx, certID) k.AddRevokedCertificates(ctx, certificates) k.RemoveApprovedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RevokeChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) // remove from subject -> subject key ID map k.RemoveApprovedCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) // remove from subject key ID -> certificates map k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) } -func (k msgServer) _removeAndRevokeBySerialNumber(ctx sdk.Context, approvals []*types.Grant, serialNumber string, certificates types.ApprovedCertificates) { +func (k msgServer) _makeRootCertRevoked( + ctx sdk.Context, + approvals []*types.Grant, + serialNumber string, + certificates types.ApprovedCertificates, +) { cert, _ := findCertificate(serialNumber, &certificates.Certs) cert.Approvals = approvals @@ -107,7 +121,6 @@ func (k msgServer) _removeAndRevokeBySerialNumber(ctx sdk.Context, approvals []* if len(certificates.Certs) == 0 { k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RevokeChildCertificates(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveApprovedRootCertificate(ctx, types.CertificateIdentifier{ Subject: certificates.Subject, diff --git a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go index dcbf4330d..65f0963ad 100644 --- a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go @@ -64,6 +64,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M Subject: msg.Subject, SubjectKeyId: msg.SubjectKeyId, SerialNumber: msg.SerialNumber, + RevokeChild: msg.RevokeChild, Approvals: []*types.Grant{&grant}, } 
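Review bot: In `_makeRootCertRevoked`, `cert, _ := findCertificate(serialNumber, &certificates.Certs)` discards the second result and the next line writes `cert.Approvals`. If findCertificate can return a nil certificate for a serial number that is no longer in `certificates.Certs`, that write dereferences nil; its definition is outside the hunk, so this is inferred. The approved set may have changed between the proposal and the final approval, so the result is worth checking before use, e.g. `cert, found := findCertificate(...)` with an early return or an error from the caller when `!found`. Failing that, a doc comment on the helper should state the precondition that the serial number was already validated. The helper's body continues past this hunk into the `-107,7` hunk.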
diff --git a/x/pki/keeper/msg_server_revoke_x_509_cert.go b/x/pki/keeper/msg_server_revoke_x_509_cert.go index ccfbffb65..80fe350e0 100644 --- a/x/pki/keeper/msg_server_revoke_x_509_cert.go +++ b/x/pki/keeper/msg_server_revoke_x_509_cert.go 
@@ -46,28 +46,31 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50 } if certBySerialNumber != nil { - k._removeAndRevokeX509CertBySerialNumber(ctx, certBySerialNumber, certIdentifier, certificates) + k._makeX509CertRevoked(ctx, certBySerialNumber, certIdentifier, certificates) } else { - k._removeAndRevokeX509Cert(ctx, certIdentifier, certificates) + k._makeX509CertsRevoked(ctx, certIdentifier, certificates) + } + + if msg.RevokeChild { + // Remove certificate identifier from issuer's ChildCertificates record + k.RevokeChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) } return &types.MsgRevokeX509CertResponse{}, nil } -func (k msgServer) _removeAndRevokeX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { +func (k msgServer) _makeX509CertsRevoked(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { // Revoke certificates with given subject/subjectKeyID k.AddRevokedCertificates(ctx, certificates) k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) // Remove certificate identifier from issuer's ChildCertificates record - k.RevokeChildCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate identifier from issuer's ChildCertificates record k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) // remove from subject -> subject key ID map k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) // remove from subject key ID -> certificates map k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) } -func (k msgServer) _removeAndRevokeX509CertBySerialNumber(ctx sdk.Context, cert *types.Certificate, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { +func (k msgServer) _makeX509CertRevoked(ctx sdk.Context, cert *types.Certificate, certID 
types.CertificateIdentifier, certificates types.ApprovedCertificates) { k.AddRevokedCertificates(ctx, types.ApprovedCertificates{ Subject: cert.Subject, @@ -78,8 +81,6 @@ func (k msgServer) _removeAndRevokeX509CertBySerialNumber(ctx sdk.Context, cert if len(certificates.Certs) == 0 { k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) // Remove certificate identifier from issuer's ChildCertificates record - k.RevokeChildCertificates(ctx, cert.Subject, cert.SubjectKeyId) - // Remove certificate identifier from issuer's ChildCertificates record k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, certID) k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) diff --git a/x/pki/types/message_propose_revoke_x_509_root_cert.go b/x/pki/types/message_propose_revoke_x_509_root_cert.go index 54987fffd..6ed1c9386 100644 --- a/x/pki/types/message_propose_revoke_x_509_root_cert.go +++ b/x/pki/types/message_propose_revoke_x_509_root_cert.go @@ -13,12 +13,13 @@ const TypeMsgProposeRevokeX509RootCert = "propose_revoke_x_509_root_cert" var _ sdk.Msg = &MsgProposeRevokeX509RootCert{} -func NewMsgProposeRevokeX509RootCert(signer string, subject string, subjectKeyID string, serialNumber, info string) *MsgProposeRevokeX509RootCert { +func NewMsgProposeRevokeX509RootCert(signer string, subject string, subjectKeyID string, serialNumber string, revokeChild bool, info string) *MsgProposeRevokeX509RootCert { return &MsgProposeRevokeX509RootCert{ Signer: signer, Subject: subject, SubjectKeyId: subjectKeyID, SerialNumber: serialNumber, + RevokeChild: revokeChild, Info: info, Time: time.Now().Unix(), } diff --git a/x/pki/types/message_revoke_x_509_cert.go b/x/pki/types/message_revoke_x_509_cert.go index 9c05a58c1..b2d5912e9 100644 --- a/x/pki/types/message_revoke_x_509_cert.go +++ b/x/pki/types/message_revoke_x_509_cert.go 
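Review bot: The comment inside the new `if msg.RevokeChild` block in RevokeX509Cert, `// Remove certificate identifier from issuer's ChildCertificates record`, describes `RemoveChildCertificate`, not the `RevokeChildCertificates` call under it. It appears to be carried over from the duplicated comment this hunk deletes in `_makeX509CertsRevoked`. Something like `// Optionally cascade: revoke the certificates chained to this subject/subjectKeyID` matches the call. Because the flag's zero value is false, a doc comment on RevokeX509Cert should also say that a request without `RevokeChild` leaves certificates issued under the revoked one in the approved set, so clients that relied on the old implicit cascade know they must set it.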
@@ -13,12 +13,13 @@ const TypeMsgRevokeX509Cert = "revoke_x_509_cert" var _ sdk.Msg = &MsgRevokeX509Cert{} -func NewMsgRevokeX509Cert(signer string, subject string, subjectKeyID string, serialNumber string, info string) *MsgRevokeX509Cert { +func NewMsgRevokeX509Cert(signer string, subject string, subjectKeyID string, serialNumber string, revokeChild bool, info string) *MsgRevokeX509Cert { return &MsgRevokeX509Cert{ Signer: signer, Subject: subject, SubjectKeyId: subjectKeyID, SerialNumber: serialNumber, + RevokeChild: revokeChild, Info: info, Time: time.Now().Unix(), } diff --git a/x/pki/types/proposed_certificate_revocation.pb.go b/x/pki/types/proposed_certificate_revocation.pb.go index 2b7be48c5..353a4ba69 100644 --- a/x/pki/types/proposed_certificate_revocation.pb.go +++ b/x/pki/types/proposed_certificate_revocation.pb.go @@ -28,6 +28,7 @@ type ProposedCertificateRevocation struct { Approvals []*Grant `protobuf:"bytes,3,rep,name=approvals,proto3" json:"approvals,omitempty"` SubjectAsText string `protobuf:"bytes,4,opt,name=subjectAsText,proto3" json:"subjectAsText,omitempty"` SerialNumber string `protobuf:"bytes,5,opt,name=serialNumber,proto3" json:"serialNumber,omitempty"` + RevokeChild bool `protobuf:"varint,6,opt,name=revokeChild,proto3" json:"revokeChild,omitempty"` } func (m *ProposedCertificateRevocation) Reset() { *m = ProposedCertificateRevocation{} } @@ -98,6 +99,13 @@ func (m *ProposedCertificateRevocation) GetSerialNumber() string { return "" } +func (m *ProposedCertificateRevocation) GetRevokeChild() bool { + if m != nil { + return m.RevokeChild + } + return false +} + func init() { proto.RegisterType((*ProposedCertificateRevocation)(nil), "zigbeealliance.distributedcomplianceledger.pki.ProposedCertificateRevocation") } 
@@ -107,27 +115,28 @@ func init() { } var fileDescriptor_24b0dc6e71a9ad57 = []byte{ - // 308 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x90, 0xcd, 0x4a, 0x33, 0x31, - 0x18, 0x85, 0x9b, 0xaf, 0x9f, 0x4a, 0xa3, 0x22, 0xcc, 0x2a, 0x08, 0x86, 0x52, 0x5c, 0xd4, 0x45, - 0x33, 0xa0, 0x78, 0x01, 0xfe, 0x80, 0x88, 0x20, 0x52, 0x5d, 0xb9, 0xb0, 0x24, 0x99, 0xd7, 0x31, - 0x76, 0xda, 0x84, 0x24, 0x53, 0x5a, 0xaf, 0xc2, 0xcb, 0x72, 0xd9, 0xa5, 0x4b, 0xe9, 0xdc, 0x86, - 0x0b, 0x99, 0x9f, 0x3a, 0xed, 0xd2, 0x5d, 0x72, 0x5e, 0x38, 0xcf, 0xc3, 0xc1, 0x47, 0x66, 0xa8, - 0x42, 0x63, 0xb5, 0xd1, 0x0e, 0xa2, 0x81, 0x04, 0xeb, 0xd5, 0xb3, 0x92, 0xdc, 0xc3, 0xc0, 0xc2, - 0x44, 0x4b, 0xee, 0x95, 0x1e, 0x33, 0x63, 0xb5, 0xd7, 0x01, 0x7b, 0x53, 0xb1, 0x00, 0xe0, 0x49, - 0xa2, 0xf8, 0x58, 0x02, 0x8b, 0x94, 0xf3, 0x56, 0x89, 0xd4, 0x43, 0x24, 0xf5, 0xc8, 0x94, 0x69, - 0x02, 0x51, 0x0c, 0x96, 0x99, 0xa1, 0xda, 0xdf, 0xcb, 0xab, 0x63, 0xcb, 0xc7, 0xbe, 0x2c, 0xe8, - 0x7c, 0x23, 0x7c, 0x70, 0x57, 0xa1, 0x2e, 0x6a, 0x52, 0xff, 0x17, 0x14, 0x10, 0xbc, 0xe5, 0x52, - 0xf1, 0x0a, 0xd2, 0x13, 0xd4, 0x46, 0xdd, 0x56, 0x7f, 0xf9, 0x0d, 0x3a, 0x78, 0xa7, 0x7a, 0xde, - 0xc0, 0xec, 0x3a, 0x22, 0xff, 0x8a, 0xf3, 0x5a, 0x16, 0xdc, 0xe3, 0x16, 0x37, 0xc6, 0xea, 0x09, - 0x4f, 0x1c, 0x69, 0xb6, 0x9b, 0xdd, 0xed, 0xe3, 0xd3, 0x3f, 0x4a, 0xb3, 0xab, 0xdc, 0xb7, 0x5f, - 0xf7, 0x04, 0x87, 0x78, 0xb7, 0x82, 0x9c, 0xb9, 0x07, 0x98, 0x7a, 0xf2, 0xbf, 0x20, 0xaf, 0x87, - 0x85, 0x1e, 0x58, 0xc5, 0x93, 0xdb, 0x74, 0x24, 0xc0, 0x92, 0x8d, 0x4a, 0x6f, 0x25, 0x3b, 0x7f, - 0xfa, 0x58, 0x50, 0x34, 0x5f, 0x50, 0xf4, 0xb5, 0xa0, 0xe8, 0x3d, 0xa3, 0x8d, 0x79, 0x46, 0x1b, - 0x9f, 0x19, 0x6d, 0x3c, 0x5e, 0xc6, 0xca, 0xbf, 0xa4, 0x82, 0x49, 0x3d, 0x0a, 0x4b, 0xdf, 0xde, - 0x52, 0x38, 0x5c, 0x11, 0xee, 0xd5, 0xc6, 0xbd, 0x52, 0x39, 0x9c, 0x86, 0xf9, 0xc8, 0x7e, 0x66, - 0xc0, 0x89, 0xcd, 0x62, 0xe5, 0x93, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xfb, 0x89, 0xcd, 0xdd, - 
0xd3, 0x01, 0x00, 0x00, + // 330 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x91, 0xcd, 0x4a, 0xf3, 0x40, + 0x14, 0x86, 0x9b, 0xf6, 0xfb, 0xaa, 0x9d, 0x2a, 0x42, 0x56, 0x83, 0x60, 0x08, 0xc5, 0x45, 0x5d, + 0x34, 0x01, 0xc5, 0x0b, 0xd0, 0x0a, 0x22, 0x82, 0x48, 0x74, 0xe5, 0xc2, 0x32, 0x99, 0x1c, 0xd3, + 0x63, 0xd3, 0xce, 0x30, 0x33, 0x29, 0xad, 0x57, 0xe1, 0x15, 0x78, 0x3d, 0x2e, 0xbb, 0x74, 0x29, + 0xed, 0x8d, 0x48, 0x7e, 0x6a, 0xd3, 0xa5, 0xbb, 0x99, 0x77, 0xe0, 0x3c, 0xef, 0x33, 0x87, 0x9c, + 0xc8, 0x11, 0xfa, 0x52, 0x09, 0x29, 0x34, 0x44, 0x03, 0x0e, 0xca, 0xe0, 0x0b, 0x72, 0x66, 0x60, + 0xa0, 0x60, 0x2a, 0x38, 0x33, 0x28, 0x26, 0x9e, 0x54, 0xc2, 0x08, 0xdb, 0x7b, 0xc3, 0x38, 0x04, + 0x60, 0x49, 0x82, 0x6c, 0xc2, 0xc1, 0x8b, 0x50, 0x1b, 0x85, 0x61, 0x6a, 0x20, 0xe2, 0x62, 0x2c, + 0x8b, 0x34, 0x81, 0x28, 0x06, 0xe5, 0xc9, 0x11, 0x1e, 0x1e, 0x64, 0xa3, 0x63, 0xc5, 0x26, 0xa6, + 0x18, 0xd0, 0xf9, 0xa8, 0x93, 0xa3, 0xfb, 0x12, 0xd5, 0xdf, 0x90, 0x82, 0x5f, 0x90, 0x4d, 0xc9, + 0x8e, 0x4e, 0xc3, 0x57, 0xe0, 0x86, 0x5a, 0xae, 0xd5, 0x6d, 0x05, 0xeb, 0xab, 0xdd, 0x21, 0x7b, + 0xe5, 0xf1, 0x16, 0xe6, 0x37, 0x11, 0xad, 0xe7, 0xcf, 0x5b, 0x99, 0xfd, 0x40, 0x5a, 0x4c, 0x4a, + 0x25, 0xa6, 0x2c, 0xd1, 0xb4, 0xe1, 0x36, 0xba, 0xed, 0xd3, 0xf3, 0x3f, 0x96, 0xf6, 0xae, 0xb3, + 0xbe, 0xc1, 0x66, 0x8e, 0x7d, 0x4c, 0xf6, 0x4b, 0xc8, 0x85, 0x7e, 0x84, 0x99, 0xa1, 0xff, 0x72, + 0xf2, 0x76, 0x98, 0xd7, 0x03, 0x85, 0x2c, 0xb9, 0x4b, 0xc7, 0x21, 0x28, 0xfa, 0xbf, 0xac, 0x57, + 0xc9, 0x6c, 0x97, 0xb4, 0xb3, 0x3f, 0x1d, 0x41, 0x7f, 0x88, 0x49, 0x44, 0x9b, 0xae, 0xd5, 0xdd, + 0x0d, 0xaa, 0xd1, 0xe5, 0xf3, 0xe7, 0xd2, 0xb1, 0x16, 0x4b, 0xc7, 0xfa, 0x5e, 0x3a, 0xd6, 0xfb, + 0xca, 0xa9, 0x2d, 0x56, 0x4e, 0xed, 0x6b, 0xe5, 0xd4, 0x9e, 0xae, 0x62, 0x34, 0xc3, 0x34, 0xf4, + 0xb8, 0x18, 0xfb, 0x85, 0x51, 0x6f, 0xad, 0xe4, 0x57, 0x94, 0x7a, 0x1b, 0xa7, 0x5e, 0x21, 0xe5, + 0xcf, 0xfc, 0x6c, 0x0d, 0x66, 0x2e, 0x41, 0x87, 0xcd, 0x7c, 
0x0f, 0x67, 0x3f, 0x01, 0x00, 0x00, + 0xff, 0xff, 0xc3, 0xe4, 0xa0, 0xad, 0xf5, 0x01, 0x00, 0x00, } func (m *ProposedCertificateRevocation) Marshal() (dAtA []byte, err error) { @@ -150,6 +159,16 @@ func (m *ProposedCertificateRevocation) MarshalToSizedBuffer(dAtA []byte) (int, _ = i var l int _ = l + if m.RevokeChild { + i-- + if m.RevokeChild { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x30 + } if len(m.SerialNumber) > 0 { i -= len(m.SerialNumber) copy(dAtA[i:], m.SerialNumber) @@ -234,6 +253,9 @@ func (m *ProposedCertificateRevocation) Size() (n int) { if l > 0 { n += 1 + l + sovProposedCertificateRevocation(uint64(l)) } + if m.RevokeChild { + n += 2 + } return n } @@ -434,6 +456,26 @@ func (m *ProposedCertificateRevocation) Unmarshal(dAtA []byte) error { } m.SerialNumber = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 6: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RevokeChild", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowProposedCertificateRevocation + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.RevokeChild = bool(v != 0) default: iNdEx = preIndex skippy, err := skipProposedCertificateRevocation(dAtA[iNdEx:]) diff --git a/x/pki/types/tx.pb.go b/x/pki/types/tx.pb.go index c1bb76454..ec70137e9 100644 --- a/x/pki/types/tx.pb.go +++ b/x/pki/types/tx.pb.go 
@@ -364,6 +364,7 @@ type MsgProposeRevokeX509RootCert struct { Info string `protobuf:"bytes,4,opt,name=info,proto3" json:"info,omitempty" validate:"max=4096"` Time int64 `protobuf:"varint,5,opt,name=time,proto3" json:"time,omitempty"` SerialNumber string `protobuf:"bytes,6,opt,name=serialNumber,proto3" json:"serialNumber,omitempty"` + RevokeChild bool `protobuf:"varint,7,opt,name=revokeChild,proto3" json:"revokeChild,omitempty"` } func (m *MsgProposeRevokeX509RootCert) Reset() { *m = MsgProposeRevokeX509RootCert{} } @@ -441,6 +442,13 @@ func (m *MsgProposeRevokeX509RootCert) GetSerialNumber() string { return "" } +func (m *MsgProposeRevokeX509RootCert) GetRevokeChild() bool { + if m != nil { + return m.RevokeChild + } + return false +} + type MsgProposeRevokeX509RootCertResponse struct { } @@ -604,6 +612,7 @@ type MsgRevokeX509Cert struct { Info string `protobuf:"bytes,4,opt,name=info,proto3" json:"info,omitempty" validate:"max=4096"` Time int64 `protobuf:"varint,5,opt,name=time,proto3" json:"time,omitempty"` SerialNumber string `protobuf:"bytes,6,opt,name=serialNumber,proto3" json:"serialNumber,omitempty"` + RevokeChild bool `protobuf:"varint,7,opt,name=revokeChild,proto3" json:"revokeChild,omitempty"` } func (m *MsgRevokeX509Cert) Reset() { *m = MsgRevokeX509Cert{} } @@ -681,6 +690,13 @@ func (m *MsgRevokeX509Cert) GetSerialNumber() string { return "" } +func (m *MsgRevokeX509Cert) GetRevokeChild() bool { + if m != nil { + return m.RevokeChild + } + return false +} + type MsgRevokeX509CertResponse struct { } 
@@ -1589,86 +1605,88 @@ func init() { func init() { proto.RegisterFile("pki/tx.proto", fileDescriptor_badfdb2b39855d16) } var fileDescriptor_badfdb2b39855d16 = []byte{ - // 1253 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0xcf, 0x6f, 0xdb, 0x54, - 0x1c, 0x9f, 0xf3, 0xa3, 0x3f, 0xbe, 0x2b, 0x95, 0x78, 0x74, 0x9d, 0xeb, 0x96, 0x24, 0xf3, 0xaa, - 0xad, 0x12, 0x6d, 0x92, 0x76, 0x4d, 0x59, 0x27, 0x0a, 0x4a, 0x17, 0x36, 0xaa, 0xb5, 0x53, 0x71, - 0x3b, 0x40, 0x08, 0x31, 0x39, 0xf1, 0x9b, 0x79, 0xd4, 0xc9, 0x33, 0xb6, 0x13, 0xb5, 0xbb, 0xf1, - 0x17, 0x80, 0x84, 0xb8, 0x0c, 0x89, 0x1b, 0x1c, 0xb8, 0x82, 0xb8, 0x22, 0x71, 0xe2, 0x82, 0x34, - 0x21, 0x24, 0x38, 0x45, 0x53, 0x7b, 0xe3, 0x98, 0x3b, 0x12, 0xb2, 0x9d, 0xd8, 0x71, 0x66, 0xa7, - 0x89, 0x9b, 0x4a, 0x50, 0x7a, 0xb3, 0x5f, 0xde, 0xe7, 0xf3, 0xbe, 0xdf, 0xcf, 0xfb, 0xf8, 0xbd, - 0xef, 0x7b, 0x81, 0x31, 0x75, 0x8f, 0x64, 0x8c, 0xfd, 0xb4, 0xaa, 0x51, 0x83, 0xa2, 0xf4, 0x63, - 0x22, 0x17, 0x31, 0x16, 0x15, 0x85, 0x88, 0x95, 0x12, 0x4e, 0x4b, 0x44, 0x37, 0x34, 0x52, 0xac, - 0x1a, 0x58, 0x2a, 0xd1, 0xb2, 0x6a, 0xb7, 0x2a, 0x58, 0x92, 0xb1, 0x96, 0x56, 0xf7, 0x08, 0x37, - 0x55, 0xa2, 0x7a, 0x99, 0xea, 0x0f, 0x2d, 0x74, 0xc6, 0x7e, 0xb1, 0xa9, 0xb8, 0x09, 0x99, 0xca, - 0xd4, 0x6e, 0x37, 0x9f, 0xec, 0x56, 0xfe, 0x49, 0x04, 0xa6, 0xb6, 0x74, 0x79, 0x5b, 0xa3, 0x2a, - 0xd5, 0x71, 0x5e, 0x92, 0xde, 0xcb, 0x65, 0x57, 0x05, 0x4a, 0x8d, 0xdb, 0x58, 0x33, 0xd0, 0x5d, - 0x18, 0xd2, 0x89, 0x5c, 0xc1, 0x1a, 0xcb, 0xa4, 0x98, 0xb9, 0xd1, 0xf5, 0x4c, 0xa3, 0x9e, 0x7c, - 0xa9, 0x26, 0x2a, 0x44, 0x12, 0x0d, 0x7c, 0x8b, 0xd7, 0xf0, 0x27, 0x55, 0xa2, 0x61, 0x89, 0xff, - 0xed, 0x87, 0x85, 0x89, 0xe6, 0x60, 0x79, 0x49, 0xd2, 0xb0, 0xae, 0xef, 0x18, 0x1a, 0xa9, 0xc8, - 0x42, 0x13, 0x8e, 0x6e, 0x42, 0xac, 0x84, 0x35, 0x83, 0x8d, 0x58, 0x34, 0xb3, 0x8d, 0x7a, 0x32, - 0xf5, 0x3c, 0xcd, 0x7c, 0x59, 0xdc, 0x5f, 0x5b, 0xcc, 0x2e, 0xdf, 0xcc, 0xbd, 0xba, 0x92, 0xe5, - 0x05, 0x0b, 
0x81, 0x5e, 0x81, 0x18, 0xa9, 0x3c, 0xa2, 0x6c, 0xd4, 0x42, 0x5e, 0xf6, 0x06, 0x60, - 0x02, 0x96, 0xb3, 0xab, 0x2b, 0xbc, 0x60, 0x75, 0x42, 0x08, 0x62, 0x06, 0x29, 0x63, 0x36, 0x96, - 0x62, 0xe6, 0xa2, 0x82, 0xf5, 0x8c, 0x56, 0x21, 0x5a, 0x23, 0x12, 0x1b, 0x4f, 0x31, 0x73, 0xf1, - 0xf5, 0xeb, 0x8d, 0x7a, 0xf2, 0xaa, 0x8b, 0x97, 0x0d, 0xbc, 0xb6, 0x38, 0xaf, 0x18, 0x78, 0x6d, - 0x25, 0x97, 0xbb, 0x91, 0x9b, 0x77, 0x12, 0x12, 0x4c, 0x0c, 0x7f, 0x15, 0xae, 0x04, 0x6a, 0x23, - 0x60, 0x5d, 0xa5, 0x15, 0x1d, 0xf3, 0xdf, 0xda, 0x0a, 0xe6, 0x55, 0x55, 0xa3, 0xb5, 0xd3, 0x53, - 0xf0, 0x16, 0x0c, 0xeb, 0xd5, 0xe2, 0xc7, 0xb8, 0xd4, 0x12, 0x31, 0xd5, 0xa8, 0x27, 0x67, 0x02, - 0x45, 0x5c, 0x5a, 0xe6, 0x85, 0x16, 0x00, 0xdd, 0x86, 0xb1, 0xe6, 0xe3, 0x3d, 0x7c, 0xb0, 0x21, - 0x35, 0xb5, 0x4c, 0x36, 0xea, 0xc9, 0xe9, 0x00, 0x82, 0xa5, 0xdc, 0x0a, 0x2f, 0x78, 0x40, 0xce, - 0x44, 0xc4, 0xfa, 0x99, 0x88, 0xb8, 0x3b, 0x11, 0x4d, 0x35, 0xfd, 0x75, 0x72, 0xd4, 0xfc, 0x9d, - 0x81, 0x71, 0xb3, 0x97, 0xfd, 0xf3, 0x59, 0x31, 0x21, 0xcf, 0xc2, 0xa4, 0x37, 0x2b, 0x27, 0xe1, - 0x5f, 0x23, 0x30, 0xe3, 0x9a, 0x4c, 0xc0, 0x35, 0xba, 0x87, 0xcf, 0x1d, 0xe4, 0xeb, 0x20, 0xc4, - 0xc3, 0x98, 0x8e, 0x35, 0x22, 0x2a, 0xf7, 0xab, 0xe5, 0x22, 0xd6, 0xd8, 0x21, 0x93, 0x48, 0xf0, - 0xb4, 0xf1, 0xd7, 0x60, 0xb6, 0x9b, 0x9c, 0x9d, 0xba, 0x37, 0xed, 0xf8, 0xbf, 0xd0, 0x3d, 0xde, - 0x8f, 0xee, 0x43, 0x5d, 0x74, 0x1f, 0x0e, 0xd4, 0x3d, 0x50, 0x4e, 0x47, 0xf7, 0x9f, 0x23, 0xf0, - 0xe2, 0x96, 0x2e, 0xbb, 0x3d, 0xce, 0x4d, 0xde, 0xbf, 0xc9, 0xa7, 0xad, 0x2d, 0xc7, 0xab, 0xa1, - 0xa3, 0xf0, 0x37, 0x11, 0x60, 0xad, 0x5f, 0xcd, 0xa0, 0xce, 0xf7, 0xa3, 0xc0, 0xfd, 0x88, 0x87, - 0x54, 0x90, 0x4c, 0x8e, 0x96, 0x5f, 0xc5, 0x6d, 0x5b, 0x4b, 0xd2, 0xf6, 0x1e, 0x31, 0xf5, 0x2e, - 0x89, 0x06, 0xa1, 0x95, 0x42, 0xab, 0x0c, 0x23, 0xb4, 0xb2, 0x4d, 0x49, 0x65, 0x80, 0xba, 0x36, - 0xcb, 0x95, 0x48, 0xff, 0xe5, 0x0a, 0xca, 0x42, 0x54, 0x25, 0xb6, 0x9a, 0xf1, 0xf5, 0x44, 0xa3, - 0x9e, 0xe4, 0xbc, 0xd0, 0xac, 0x0b, 0xe5, 0x05, 
0xb3, 0x2b, 0x9a, 0x80, 0x38, 0xd1, 0xb7, 0xf3, - 0x79, 0x4b, 0xc4, 0x11, 0xc1, 0x7e, 0x41, 0x0b, 0x10, 0x57, 0xc4, 0x22, 0x56, 0xfc, 0x17, 0x0c, - 0x77, 0x50, 0xbb, 0x17, 0xba, 0x07, 0x13, 0x25, 0x4d, 0xd9, 0xb1, 0xc2, 0x37, 0xc5, 0x23, 0x8f, - 0x48, 0x49, 0x34, 0xec, 0x15, 0xa4, 0x0b, 0xda, 0x17, 0x84, 0xee, 0x02, 0x22, 0xba, 0x5e, 0xc5, - 0xda, 0x8e, 0x3b, 0xd7, 0x05, 0x7b, 0xc1, 0x09, 0xa6, 0xf2, 0x81, 0xa0, 0x1c, 0x0c, 0x4b, 0xa2, - 0x21, 0x3e, 0x10, 0x36, 0xd9, 0x11, 0x0b, 0x3d, 0xdd, 0xa8, 0x27, 0x2f, 0xfb, 0xd8, 0xab, 0xaa, - 0x29, 0xbc, 0xd0, 0xea, 0x6b, 0x7e, 0x7d, 0xe6, 0xe3, 0x1d, 0xa2, 0xe0, 0x1d, 0xf2, 0x18, 0xb3, - 0xa3, 0x29, 0x66, 0x2e, 0x26, 0x78, 0xda, 0x50, 0x02, 0xc0, 0x7c, 0x2f, 0x10, 0x19, 0xeb, 0x06, - 0x0b, 0xd6, 0xf7, 0xd9, 0xd6, 0x82, 0xae, 0xc1, 0xb8, 0xfb, 0xb6, 0x7b, 0xa0, 0x62, 0xf6, 0x62, - 0x8a, 0x99, 0x7b, 0x41, 0xe8, 0x68, 0x45, 0x6f, 0xc0, 0xb8, 0xe6, 0x58, 0xca, 0xea, 0x37, 0x66, - 0xf6, 0x0b, 0xce, 0xb3, 0xa3, 0x3b, 0x9f, 0x86, 0xf9, 0x5e, 0xcc, 0xe9, 0xb8, 0xf9, 0xef, 0x28, - 0x5c, 0xdf, 0xd2, 0xe5, 0x07, 0xaa, 0x49, 0xfc, 0x1f, 0x30, 0xb4, 0x63, 0xc4, 0x68, 0x4f, 0x46, - 0x5c, 0x0a, 0x30, 0xa2, 0xb5, 0x42, 0xf4, 0xe5, 0xb7, 0x78, 0xff, 0x7e, 0x5b, 0x71, 0xfd, 0x66, - 0x1b, 0x7f, 0xa6, 0x51, 0x4f, 0xb2, 0x2e, 0x9a, 0x96, 0x89, 0x81, 0xcb, 0xaa, 0x71, 0x70, 0x8c, - 0xe1, 0x86, 0x8f, 0x35, 0xdc, 0x48, 0x0f, 0x86, 0x1b, 0xf5, 0x33, 0x1c, 0xbf, 0x08, 0x99, 0x1e, - 0xa7, 0xbf, 0x7d, 0x33, 0x31, 0x2d, 0x53, 0xc0, 0x0a, 0x3e, 0x8b, 0x96, 0xf1, 0x9f, 0xfe, 0x58, - 0xdf, 0xd3, 0xdf, 0x94, 0xb6, 0x17, 0x99, 0x1c, 0x69, 0xbf, 0x88, 0xc0, 0x98, 0xf9, 0xf9, 0xea, - 0x66, 0xd6, 0xef, 0x10, 0xe9, 0x0c, 0xed, 0xcd, 0xcd, 0x09, 0x8c, 0x85, 0x38, 0x73, 0x4f, 0xc2, - 0x44, 0xbb, 0x28, 0x8e, 0x5a, 0x4f, 0x18, 0xb8, 0x64, 0x2f, 0x76, 0xf7, 0x69, 0xe9, 0x5f, 0x76, - 0x49, 0xc1, 0x27, 0xe1, 0x65, 0xdf, 0xd8, 0x9c, 0xe8, 0x3f, 0x6d, 0x55, 0xbd, 0x65, 0x5a, 0x3b, - 0x8b, 0x55, 0x6f, 0x67, 0xd1, 0x1a, 0xeb, 0x52, 0xb4, 0xb6, 0x4b, 0xd0, 0x12, 0x68, 
0xe9, 0x2f, - 0x04, 0xd1, 0x2d, 0x5d, 0x46, 0x3f, 0x32, 0x30, 0x19, 0x70, 0x19, 0xb5, 0xd1, 0xe7, 0x65, 0x58, - 0x3a, 0xf0, 0xee, 0x86, 0x7b, 0x7b, 0x60, 0x54, 0xad, 0x04, 0xac, 0xc0, 0x03, 0xee, 0x80, 0xc2, - 0x04, 0xee, 0x4f, 0x15, 0x2a, 0xf0, 0xee, 0x37, 0x2e, 0xe8, 0x4b, 0x06, 0x2e, 0xb6, 0x5f, 0xb7, - 0xbc, 0x1e, 0x66, 0x08, 0x17, 0xcf, 0xdd, 0x39, 0x19, 0xde, 0x89, 0xeb, 0x27, 0x06, 0xa6, 0x82, - 0x6f, 0x45, 0x36, 0xc3, 0xcf, 0xe0, 0xf3, 0x6c, 0xdc, 0xee, 0x20, 0xd9, 0x3c, 0x19, 0x04, 0xdf, - 0x2f, 0x6c, 0x86, 0x9f, 0xca, 0x01, 0x65, 0x70, 0xec, 0x61, 0x1d, 0x7d, 0xcd, 0xc0, 0x78, 0xc7, - 0x49, 0x3d, 0x1f, 0x62, 0x20, 0x2f, 0x05, 0xb7, 0x71, 0x62, 0x0a, 0x27, 0xc0, 0xef, 0x19, 0xb8, - 0xe4, 0x7f, 0xd0, 0x7d, 0x2b, 0xd4, 0x20, 0x3e, 0x4c, 0xdc, 0xf6, 0xa0, 0x98, 0x9c, 0xa8, 0xff, - 0x60, 0xe0, 0xca, 0xf1, 0x47, 0xca, 0xdd, 0x70, 0x1f, 0x52, 0x77, 0x56, 0xee, 0x83, 0xd3, 0x60, - 0x75, 0x32, 0x7b, 0xc6, 0xc0, 0x6c, 0x4f, 0xc7, 0x8b, 0x77, 0x43, 0x84, 0xd1, 0x0b, 0x31, 0xf7, - 0xf0, 0x94, 0x88, 0x3d, 0x29, 0xf6, 0x54, 0x0e, 0x87, 0x49, 0xb1, 0x17, 0xe2, 0x50, 0x29, 0xf6, - 0x53, 0x99, 0xa2, 0xcf, 0x18, 0x18, 0x75, 0xcb, 0xd2, 0xd7, 0xc2, 0x38, 0xa6, 0x85, 0xe6, 0x0a, - 0x27, 0x41, 0x3b, 0x11, 0x7d, 0xc7, 0x00, 0xf2, 0x29, 0xfd, 0xde, 0x0c, 0x67, 0xe6, 0x0e, 0x1a, - 0x6e, 0x6b, 0x20, 0x34, 0x1d, 0xab, 0xa6, 0xa7, 0xd2, 0x0b, 0xb7, 0x6a, 0xb6, 0x53, 0x84, 0x5c, - 0x35, 0xfd, 0x8a, 0xad, 0xf5, 0x0f, 0x7f, 0x39, 0x4c, 0x30, 0x4f, 0x0f, 0x13, 0xcc, 0xb3, 0xc3, - 0x04, 0xf3, 0xf9, 0x51, 0xe2, 0xc2, 0xd3, 0xa3, 0xc4, 0x85, 0x3f, 0x8f, 0x12, 0x17, 0xde, 0x2f, - 0xc8, 0xc4, 0xf8, 0xa8, 0x5a, 0x4c, 0x97, 0x68, 0x39, 0x63, 0x0f, 0xb7, 0xd0, 0x1a, 0x2f, 0xd3, - 0x36, 0xde, 0x82, 0x3b, 0xe0, 0x82, 0x3d, 0x62, 0x66, 0x3f, 0x63, 0xfd, 0x71, 0x79, 0xa0, 0x62, - 0xbd, 0x38, 0x64, 0xfd, 0xb7, 0x78, 0xe3, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x66, 0xfe, 0xa2, - 0xe9, 0xcc, 0x1c, 0x00, 0x00, + // 1281 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x02, 0xff, 0xec, 0x59, 0xdf, 0x6f, 0xdb, 0x54, + 0x14, 0x9e, 0xf3, 0xa3, 0x3f, 0xce, 0x4a, 0x25, 0x2e, 0xdd, 0xe6, 0xba, 0x25, 0xc9, 0xbc, 0x6a, + 0x8b, 0x44, 0x9b, 0xa4, 0x5d, 0x53, 0xd6, 0x89, 0x82, 0xd2, 0x86, 0x8d, 0x6a, 0xed, 0x54, 0xdc, + 0x0e, 0x10, 0x42, 0x4c, 0x4e, 0x7c, 0xe7, 0x5d, 0xea, 0xe4, 0x1a, 0xdb, 0xa9, 0xda, 0xbd, 0xf1, + 0x17, 0x80, 0x84, 0x78, 0x19, 0x12, 0x6f, 0xf0, 0xc0, 0x2b, 0x88, 0x57, 0x5e, 0x79, 0x41, 0x9a, + 0x10, 0x12, 0x3c, 0x45, 0x53, 0xcb, 0x13, 0x2f, 0x48, 0x79, 0x47, 0x42, 0xb6, 0x13, 0x3b, 0x4e, + 0xed, 0x36, 0x71, 0x53, 0x09, 0x4a, 0xdf, 0xec, 0x9b, 0x7b, 0xbe, 0x73, 0xce, 0x77, 0xbe, 0x7b, + 0x7d, 0xee, 0x0d, 0x8c, 0xa8, 0xdb, 0x24, 0x6b, 0xec, 0x66, 0x54, 0x8d, 0x1a, 0x14, 0x65, 0x9e, + 0x10, 0xb9, 0x84, 0xb1, 0xa8, 0x28, 0x44, 0xac, 0x96, 0x71, 0x46, 0x22, 0xba, 0xa1, 0x91, 0x52, + 0xcd, 0xc0, 0x52, 0x99, 0x56, 0x54, 0x7b, 0x54, 0xc1, 0x92, 0x8c, 0xb5, 0x8c, 0xba, 0x4d, 0xb8, + 0xf1, 0x32, 0xd5, 0x2b, 0x54, 0x7f, 0x68, 0x59, 0x67, 0xed, 0x17, 0x1b, 0x8a, 0x1b, 0x93, 0xa9, + 0x4c, 0xed, 0x71, 0xf3, 0xc9, 0x1e, 0xe5, 0x9f, 0x46, 0x60, 0x7c, 0x5d, 0x97, 0x37, 0x34, 0xaa, + 0x52, 0x1d, 0x17, 0x24, 0xe9, 0xbd, 0x7c, 0x6e, 0x51, 0xa0, 0xd4, 0x58, 0xc1, 0x9a, 0x81, 0xee, + 0xc2, 0x80, 0x4e, 0xe4, 0x2a, 0xd6, 0x58, 0x26, 0xc5, 0xa4, 0x87, 0x97, 0xb3, 0x8d, 0x7a, 0xf2, + 0xa5, 0x1d, 0x51, 0x21, 0x92, 0x68, 0xe0, 0xdb, 0xbc, 0x86, 0x3f, 0xae, 0x11, 0x0d, 0x4b, 0xfc, + 0x2f, 0xdf, 0xcf, 0x8c, 0x35, 0x9d, 0x15, 0x24, 0x49, 0xc3, 0xba, 0xbe, 0x69, 0x68, 0xa4, 0x2a, + 0x0b, 0x4d, 0x73, 0x74, 0x0b, 0x62, 0x65, 0xac, 0x19, 0x6c, 0xc4, 0x82, 0x99, 0x6a, 0xd4, 0x93, + 0xa9, 0xc3, 0x30, 0xd3, 0x15, 0x71, 0x77, 0x69, 0x36, 0x37, 0x7f, 0x2b, 0xff, 0xea, 0x42, 0x8e, + 0x17, 0x2c, 0x0b, 0xf4, 0x0a, 0xc4, 0x48, 0xf5, 0x11, 0x65, 0xa3, 0x96, 0xe5, 0x15, 0x6f, 0x00, + 0xa6, 0xc1, 0x7c, 0x6e, 0x71, 0x81, 0x17, 0xac, 0x49, 0x08, 0x41, 0xcc, 0x20, 0x15, 0xcc, 0xc6, + 0x52, 0x4c, 0x3a, 0x2a, 0x58, 0xcf, 0x68, 0x11, 0xa2, 0x3b, 0x44, 0x62, 0xe3, 
0x29, 0x26, 0x1d, + 0x5f, 0xbe, 0xd1, 0xa8, 0x27, 0xaf, 0xb9, 0xf6, 0xb2, 0x81, 0x97, 0x66, 0xa7, 0x15, 0x03, 0x2f, + 0x2d, 0xe4, 0xf3, 0x37, 0xf3, 0xd3, 0x4e, 0x42, 0x82, 0x69, 0xc3, 0x5f, 0x83, 0xab, 0x81, 0xdc, + 0x08, 0x58, 0x57, 0x69, 0x55, 0xc7, 0xfc, 0x37, 0x36, 0x83, 0x05, 0x55, 0xd5, 0xe8, 0xce, 0xe9, + 0x31, 0x78, 0x1b, 0x06, 0xf5, 0x5a, 0xe9, 0x23, 0x5c, 0x6e, 0x91, 0x98, 0x6a, 0xd4, 0x93, 0x93, + 0x81, 0x24, 0xce, 0xcd, 0xf3, 0x42, 0xcb, 0x00, 0xad, 0xc0, 0x48, 0xf3, 0xf1, 0x1e, 0xde, 0x5b, + 0x95, 0x9a, 0x5c, 0x26, 0x1b, 0xf5, 0xe4, 0x44, 0x00, 0xc0, 0x5c, 0x7e, 0x81, 0x17, 0x3c, 0x46, + 0x4e, 0x21, 0x62, 0xbd, 0x14, 0x22, 0xee, 0x16, 0xa2, 0xc9, 0xa6, 0x3f, 0x4f, 0x0e, 0x9b, 0xbf, + 0x32, 0x30, 0x6a, 0xce, 0xb2, 0x7f, 0x3e, 0x2b, 0x22, 0xe4, 0x59, 0xb8, 0xec, 0xcd, 0xca, 0x49, + 0xf8, 0xaf, 0x08, 0x4c, 0xba, 0x22, 0x13, 0xf0, 0x0e, 0xdd, 0xc6, 0xe7, 0x0a, 0xf2, 0x55, 0x10, + 0xe2, 0x61, 0x44, 0xc7, 0x1a, 0x11, 0x95, 0xfb, 0xb5, 0x4a, 0x09, 0x6b, 0xec, 0x80, 0x09, 0x24, + 0x78, 0xc6, 0x50, 0x0a, 0x2e, 0x6a, 0x16, 0x89, 0x2b, 0x8f, 0x89, 0x22, 0xb1, 0x83, 0x29, 0x26, + 0x3d, 0x24, 0xb4, 0x0f, 0xf1, 0xd7, 0x61, 0xea, 0x28, 0xc2, 0x9d, 0xca, 0xfc, 0x6c, 0x57, 0xa6, + 0x29, 0xd8, 0xff, 0x45, 0x65, 0xe2, 0xbd, 0x54, 0x66, 0xe0, 0x88, 0xca, 0x0c, 0x1e, 0xae, 0x4c, + 0x93, 0xf7, 0x40, 0x3a, 0x1d, 0xde, 0xff, 0x88, 0xc0, 0x8b, 0xeb, 0xba, 0xec, 0xce, 0x38, 0x5f, + 0x06, 0xa7, 0xb1, 0x0c, 0x26, 0xac, 0xcf, 0x96, 0x97, 0x65, 0xa7, 0x06, 0x5f, 0x47, 0x80, 0xb5, + 0x7e, 0x35, 0xc3, 0x3e, 0xff, 0xa6, 0x05, 0x7e, 0xd3, 0x78, 0x48, 0x05, 0xd1, 0xe4, 0x70, 0xf9, + 0x65, 0xdc, 0x16, 0xbe, 0x24, 0x6d, 0x6c, 0x13, 0x93, 0xef, 0xb2, 0x68, 0x10, 0x5a, 0x2d, 0xb6, + 0x5a, 0x39, 0x42, 0xab, 0x1b, 0x94, 0x54, 0xfb, 0xc8, 0x6b, 0xb3, 0xe5, 0x89, 0xf4, 0xde, 0xf2, + 0xa0, 0x1c, 0x44, 0x55, 0x62, 0xb3, 0x19, 0x5f, 0x4e, 0x34, 0xea, 0x49, 0xce, 0x6b, 0x9a, 0x73, + 0x4d, 0x79, 0xc1, 0x9c, 0x8a, 0xc6, 0x20, 0x4e, 0xf4, 0x8d, 0x42, 0xc1, 0x22, 0x71, 0x48, 0xb0, + 0x5f, 0xd0, 0x0c, 
0xc4, 0x15, 0xb1, 0x84, 0x15, 0xff, 0x2d, 0xc5, 0x75, 0x6a, 0xcf, 0x42, 0xf7, + 0x60, 0xac, 0xac, 0x29, 0x9b, 0x56, 0xf8, 0x26, 0x79, 0xe4, 0x11, 0x29, 0x8b, 0x86, 0xbd, 0xc7, + 0x1c, 0x61, 0xed, 0x6b, 0x84, 0xee, 0x02, 0x22, 0xba, 0x5e, 0xc3, 0xda, 0xa6, 0x5b, 0xeb, 0xa2, + 0xbd, 0x25, 0x05, 0x43, 0xf9, 0x98, 0xa0, 0x3c, 0x0c, 0x4a, 0xa2, 0x21, 0x3e, 0x10, 0xd6, 0xd8, + 0x21, 0xcb, 0x7a, 0xa2, 0x51, 0x4f, 0x5e, 0xf1, 0x91, 0x57, 0x4d, 0x53, 0x78, 0xa1, 0x35, 0xd7, + 0x5c, 0x9f, 0xe6, 0xe3, 0x1d, 0xa2, 0xe0, 0x4d, 0xf2, 0x04, 0xb3, 0xc3, 0x29, 0x26, 0x1d, 0x13, + 0x3c, 0x63, 0x28, 0x01, 0x60, 0xbe, 0x17, 0x89, 0x8c, 0x75, 0x83, 0x05, 0x6b, 0x05, 0xb7, 0x8d, + 0xa0, 0xeb, 0x30, 0xea, 0xbe, 0x6d, 0xed, 0xa9, 0x98, 0xbd, 0x98, 0x62, 0xd2, 0x2f, 0x08, 0x1d, + 0xa3, 0xe8, 0x0d, 0x18, 0xd5, 0x1c, 0x49, 0x59, 0xf3, 0x46, 0xcc, 0x79, 0xc1, 0x79, 0x76, 0x4c, + 0xe7, 0x33, 0x30, 0xdd, 0x8d, 0x38, 0x1d, 0x35, 0xff, 0x1d, 0x85, 0x1b, 0xeb, 0xba, 0xfc, 0x40, + 0x35, 0x81, 0xff, 0x03, 0x82, 0x76, 0x84, 0x18, 0xed, 0x4a, 0x88, 0x73, 0x01, 0x42, 0xb4, 0x76, + 0x88, 0x9e, 0xf4, 0x16, 0xef, 0x5d, 0x6f, 0x0b, 0xae, 0xde, 0x6c, 0xe1, 0x4f, 0x36, 0xea, 0x49, + 0xd6, 0xb5, 0xa6, 0x15, 0x62, 0xe0, 0x8a, 0x6a, 0xec, 0x1d, 0x23, 0xb8, 0xc1, 0x63, 0x05, 0x37, + 0xd4, 0x85, 0xe0, 0x86, 0xfd, 0x04, 0xc7, 0xcf, 0x42, 0xb6, 0xcb, 0xf2, 0xb7, 0x7f, 0x4c, 0x4c, + 0xc9, 0x14, 0xb1, 0x82, 0xcf, 0xa2, 0x64, 0xfc, 0xcb, 0x1f, 0xeb, 0xb9, 0xfc, 0x4d, 0x6a, 0xbb, + 0xa1, 0xc9, 0xa1, 0xf6, 0xf3, 0x08, 0x8c, 0x98, 0xcb, 0x57, 0x37, 0xb3, 0x7e, 0x87, 0x48, 0x67, + 0xe8, 0xdb, 0xdc, 0x2c, 0x60, 0x2c, 0xc4, 0xb9, 0xfd, 0x32, 0x8c, 0xb5, 0x93, 0xe2, 0xb0, 0xf5, + 0x94, 0x81, 0x4b, 0xf6, 0x66, 0x77, 0x9f, 0x96, 0xff, 0x65, 0x17, 0x1d, 0x7c, 0x12, 0x5e, 0xf6, + 0x8d, 0xcd, 0x89, 0xfe, 0x93, 0x56, 0x5f, 0x5c, 0xa1, 0x3b, 0x67, 0xb1, 0x2f, 0xee, 0x6c, 0x6b, + 0x63, 0x3e, 0x67, 0x88, 0x56, 0xd3, 0xda, 0x4e, 0x41, 0x8b, 0xa0, 0xb9, 0x3f, 0x11, 0x44, 0xd7, + 0x75, 0x19, 0xfd, 0xc0, 0xc0, 0xe5, 0x80, 0x0b, 0xad, 
0xd5, 0x1e, 0x2f, 0xd4, 0x32, 0x81, 0xf7, + 0x3f, 0xdc, 0xdb, 0x7d, 0x83, 0x6a, 0x25, 0x60, 0x05, 0x1e, 0x70, 0x8f, 0x14, 0x26, 0x70, 0x7f, + 0xa8, 0x50, 0x81, 0x1f, 0x7d, 0x6b, 0x83, 0xbe, 0x60, 0xe0, 0x62, 0xfb, 0x95, 0xcd, 0xeb, 0x61, + 0x5c, 0xb8, 0xf6, 0xdc, 0x9d, 0x93, 0xd9, 0x3b, 0x71, 0xfd, 0xc8, 0xc0, 0x78, 0xf0, 0xcd, 0xca, + 0x5a, 0xf8, 0x0a, 0x1e, 0x46, 0xe3, 0xb6, 0xfa, 0x89, 0xe6, 0xc9, 0x20, 0xf8, 0x06, 0x62, 0x2d, + 0x7c, 0x29, 0xfb, 0x94, 0xc1, 0xb1, 0xc7, 0x79, 0xf4, 0x15, 0x03, 0xa3, 0x1d, 0x67, 0xf9, 0x42, + 0x08, 0x47, 0x5e, 0x08, 0x6e, 0xf5, 0xc4, 0x10, 0x4e, 0x80, 0xdf, 0x31, 0x70, 0xc9, 0xff, 0xa0, + 0xfb, 0x56, 0x28, 0x27, 0x3e, 0x48, 0xdc, 0x46, 0xbf, 0x90, 0x9c, 0xa8, 0x7f, 0x63, 0xe0, 0xea, + 0xf1, 0x47, 0xca, 0xad, 0x70, 0x0b, 0xe9, 0x68, 0x54, 0xee, 0x83, 0xd3, 0x40, 0x75, 0x32, 0x7b, + 0xce, 0xc0, 0x54, 0x57, 0xc7, 0x8b, 0x77, 0x43, 0x84, 0xd1, 0x0d, 0x30, 0xf7, 0xf0, 0x94, 0x80, + 0x3d, 0x29, 0x76, 0xd5, 0x0e, 0x87, 0x49, 0xb1, 0x1b, 0xe0, 0x50, 0x29, 0xf6, 0xd2, 0x99, 0xa2, + 0x4f, 0x19, 0x18, 0x76, 0xdb, 0xd2, 0xd7, 0xc2, 0x28, 0xa6, 0x65, 0xcd, 0x15, 0x4f, 0x62, 0xed, + 0x44, 0xf4, 0x2d, 0x03, 0xc8, 0xa7, 0xf5, 0x7b, 0x33, 0x9c, 0x98, 0x3b, 0x60, 0xb8, 0xf5, 0xbe, + 0xc0, 0x74, 0xec, 0x9a, 0x9e, 0x4e, 0x2f, 0xdc, 0xae, 0xd9, 0x0e, 0x11, 0x72, 0xd7, 0xf4, 0x6b, + 0xb6, 0x96, 0x3f, 0xfc, 0x69, 0x3f, 0xc1, 0x3c, 0xdb, 0x4f, 0x30, 0xcf, 0xf7, 0x13, 0xcc, 0x67, + 0x07, 0x89, 0x0b, 0xcf, 0x0e, 0x12, 0x17, 0x7e, 0x3f, 0x48, 0x5c, 0x78, 0xbf, 0x28, 0x13, 0xe3, + 0x71, 0xad, 0x94, 0x29, 0xd3, 0x4a, 0xd6, 0x76, 0x37, 0xd3, 0xf2, 0x97, 0x6d, 0xf3, 0x37, 0xe3, + 0x3a, 0x9c, 0xb1, 0x3d, 0x66, 0x77, 0xb3, 0xd6, 0x9f, 0x9f, 0x7b, 0x2a, 0xd6, 0x4b, 0x03, 0xd6, + 0xff, 0x93, 0x37, 0xff, 0x09, 0x00, 0x00, 0xff, 0xff, 0x3f, 0x47, 0xac, 0x16, 0x10, 0x1d, 0x00, + 0x00, } // Reference imports to suppress errors if they are not otherwise used. 
@@ -2431,6 +2449,16 @@ func (m *MsgProposeRevokeX509RootCert) MarshalToSizedBuffer(dAtA []byte) (int, e _ = i var l int _ = l + if m.RevokeChild { + i-- + if m.RevokeChild { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x38 + } if len(m.SerialNumber) > 0 { i -= len(m.SerialNumber) copy(dAtA[i:], m.SerialNumber) @@ -2603,6 +2631,16 @@ func (m *MsgRevokeX509Cert) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.RevokeChild { + i-- + if m.RevokeChild { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x38 + } if len(m.SerialNumber) > 0 { i -= len(m.SerialNumber) copy(dAtA[i:], m.SerialNumber) @@ -3398,6 +3436,9 @@ func (m *MsgProposeRevokeX509RootCert) Size() (n int) { if l > 0 { n += 1 + l + sovTx(uint64(l)) } + if m.RevokeChild { + n += 2 + } return n } @@ -3480,6 +3521,9 @@ func (m *MsgRevokeX509Cert) Size() (n int) { if l > 0 { n += 1 + l + sovTx(uint64(l)) } + if m.RevokeChild { + n += 2 + } return n } @@ -4676,6 +4720,26 @@ func (m *MsgProposeRevokeX509RootCert) Unmarshal(dAtA []byte) error { } m.SerialNumber = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 7: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RevokeChild", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowTx + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.RevokeChild = bool(v != 0) default: iNdEx = preIndex skippy, err := skipTx(dAtA[iNdEx:]) 
@@ -5234,6 +5298,26 @@ func (m *MsgRevokeX509Cert) Unmarshal(dAtA []byte) error { } m.SerialNumber = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 7: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RevokeChild", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowTx + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.RevokeChild = bool(v != 0) default: iNdEx = preIndex skippy, err := skipTx(dAtA[iNdEx:])