#531-Publish-PAI-certificates-for-CRLSignerCertificate-verification

Minor refactoring due to PR's comments

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>

docs/transactions.md

@@ -1055,9 +1055,11 @@ Publishes a PKI Revocation distribution endpoint (such as RFC5280 Certificate Re
 
 If `crlSignerCertificate` is a PAA (root certificate), then it must be present on DCL.
 
-If `crlSignerCertificate` is a PAI (intermediate certificate), then it must be chained back to a valid PAA (root certificate) present on DCL.
+If `crlSignerCertificate` is a PAI (intermediate certificate) or delegated by PAA, then it must be chained back to a valid PAA (root certificate) present on DCL.
 In this case `crlSignerCertificate` is not required to be present on DCL, and will not be added to DCL as a result of this transaction.
 If PAI needs to be added to DCL, it should be done via [ADD_X509_CERT](#add_x509_cert) transaction.
+If the `crlSignerCertificate` is delegated by a PAI, the delegator certificate must be provided using the `certificate-delegator` field. 
+Additionally, the `crlSignerCertificate` must be chained back to the PAA through the delegator certificate, the PAA must be present on the DCL.
 
 Publishing the revocation distribution endpoint doesn't automatically remove PAI (Intermediate certificates)
 and DACs (leaf certificates) added to DCL if they are revoked in the CRL identified by this distribution point.
@@ -1072,7 +1074,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
   - pid: `optional(uint16)` -  Product ID (positive non-zero). Must be empty if `IsPAA` is true. Must be equal to a `pid` field in `CRLSignerCertificate`.
   - isPAA: `bool` -  True if the revocation information distribution point relates to a PAA
   - label: `string` -  A label to disambiguate multiple revocation information partitions of a particular issuer.
-  - crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+  - certificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
   - dataUrl: `string` -  The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
@@ -1117,7 +1119,7 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif
   - vid: `uint16` -  Vendor ID (positive non-zero). Must be the same as Vendor account's VID and `vid` field in the VID-scoped `CRLSignerCertificate`. Must be the same as a `vid` associated with non-VID scoped `CRLSignerCertificate` on the ledger.
   - label: `string` -  A label to disambiguate multiple revocation information partitions of a particular issuer.
   - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
-  - crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+  - certificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - dataUrl: `optional(string)` -  The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
   - dataFileSize: `optional(uint64)` -  Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.

integration_tests/cli/pki-revocation-points.sh

@@ -33,9 +33,9 @@ delegator_cert_with_vid_65521_path="integration_tests/constants/intermediate_cer
 delegator_cert_with_vid_65521_copy_path="integration_tests/constants/intermediate_cert_with_vid_1_copy"
 delegator_cert_with_vid_subject_key_id="0E8CE8C8B8AA50BC258556B9B19CC2C7D9C52F17"
 
-crl_leaf_cert_with_vid_65521_path="integration_tests/constants/leaf_cert_with_vid_65521"
-crl_leaf_cert_with_vid_65522_path="integration_tests/constants/leaf_cert_with_vid_65522"
-crl_leaf_cert_without_vid_path="integration_tests/constants/leaf_cert_without_vid"
+crl_signer_delegated_by_pai_1="integration_tests/constants/leaf_cert_with_vid_65521"
+crl_signer_delegated_by_pai_2="integration_tests/constants/leaf_cert_with_vid_65522"
+crl_signer_delegated_by_paa="integration_tests/constants/leaf_cert_without_vid"
 
 trustee_account="jack"
 second_trustee_account="alice"
@@ -275,9 +275,9 @@ response_does_not_contain "$result" "\"label\": \"$vid_non_vid_scoped\""
 
 test_divider
 
-echo "12. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+echo "12. ADD REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAI"
 
-result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes)
+result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_signer_delegated_by_pai_1" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
 
 result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
@@ -289,14 +289,14 @@ echo $result
 
 test_divider
 
-echo "13. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN IS_PAA=TRUE"
+echo "13. ADD REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAA"
 
 echo "Add PAI certificate"
 result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$delegator_cert_with_vid_65521_path" --from $vendor_account --yes)
 check_response "$result" "\"code\": 0"
 
 echo "Add PKI revocation point with IS_PAA=true"
-result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_leaf_cert_without_vid_path" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes)
+result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_signer_delegated_by_paa" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"
 
 result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
@@ -307,9 +307,9 @@ echo $result
 
 test_divider
 
-echo "14. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+echo "14. UPDATE REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAI"
 data_url_new="$data_url"_new
-result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes)
+result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_signer_delegated_by_pai_1" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
 echo $result
 
@@ -318,14 +318,14 @@ check_response "$result" "\"vid\": $vid"
 check_response "$result" "\"label\": \"$label_leaf_with_delegator\""
 check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
 check_response "$result" "\"dataURL\": \"$data_url_new\""
-check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65521_path)"
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_signer_delegated_by_pai_1)"
 check_response "$result" "\"CrlSignerDelegator\": $(<$delegator_cert_with_vid_65521_copy_path)"
 echo $result
 
 test_divider
 
-echo "15. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE"
-result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_leaf_cert_with_vid_65522_path" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes)
+echo "15. UPDATE REVOCATION POINT FOR CRL SIGNER CERTIFICATE DELEGATED BY PAA"
+result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_signer_delegated_by_pai_2" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"
 echo $result
 
@@ -334,7 +334,7 @@ check_response "$result" "\"vid\": $vid_65522"
 check_response "$result" "\"label\": \"$label_leaf\""
 check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
 check_response "$result" "\"dataURL\": \"$data_url_new\""
-check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65522_path)"
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_signer_delegated_by_pai_2)"
 
 echo $result
 
@@ -422,7 +422,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\""
 
 test_divider
 
-echo "24. DELETE REVOCATION PAA"
+echo "24. DELETE REVOCATION POINT"
 
 result=$(dcld tx pki delete-revocation-point --vid=$vid --label="$label" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
@@ -431,15 +431,4 @@ echo $result
 result=$(dcld query pki revocation-point --vid=$vid --label=$label --issuer-subject-key-id=$issuer_subject_key_id)
 check_response "$result" "Not Found"
 
-test_divider
-
-echo "25. DELETE REVOCATION PAI"
-
-result=$(dcld tx pki delete-revocation-point --vid=$vid_65522 --label="$label_pai" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
-check_response "$result" "\"code\": 0"
-echo $result
-
-result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_pai --issuer-subject-key-id=$issuer_subject_key_id)
-check_response "$result" "Not Found"
-
 test_divider

integration_tests/constants/constants.go

@@ -592,6 +592,23 @@ G0/z0oo9rsKcpgUogQ8fYYEg/QClYFHJuhFbf1M+VdeMScbllpt4kGH2ih7aU1b7
 GDAWgBTOqJJm6uCAvSu1aOQLB8T6LDRtMTAMBgNVHRMEBTADAQH/MAoGCCqGSM49
 BAMCA0cAMEQCIHkhL7r/xEi16827IYysHe0w8X0rsbU5zcHcbK1wt0ALAiASEZMI
 NN1ZIQJHBjCm+vWh3Jsjt2wUHKIM5i64Wd9kPA==
+-----END CERTIFICATE-----`
+
+	IntermediateCertWithoutVidPid = `-----BEGIN CERTIFICATE-----
+MIICfjCCAiOgAwIBAgIUApsGBeXsNPxNq4brOXLNfbYysakwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3
+IFlvcmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGlu
+ZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGC
+onwCAQwERkZGMTAgFw0yNDAzMjgxMzEzMjVaGA8zMDIzMDczMDEzMTMyNVowgYIx
+CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlv
+cmsxGDAWBgNVBAoMD0V4YW1wbGUgQ29tcGFueTEZMBcGA1UECwwQVGVzdGluZyBE
+aXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAE5M2Hy7bsKdEZ2PQbT/PSij2uwpymBSiBDx9hgSD9AKVgUcm6
+EVt/Uz5V14xJxuWWm3iQYfaKHtpTVvvWNGRWzKNdMFswHQYDVR0OBBYEFA6M6Mi4
+qlC8JYVWubGcwsfZxS8XMB8GA1UdIwQYMBaAFM6okmbq4IC9K7Vo5AsHxPosNG0x
+MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgGCMAoGCCqGSM49BAMCA0kAMEYCIQDm
+jhpYAW9UseDLyoF2bmvy36jV7Hwvst+R3wJi0jh4xAIhAPXCfe8DUCoRV32q97C0
+IYJElzT/KwBY6c2Xyu4gsjqh
 -----END CERTIFICATE-----`
 
 	LeafCertWithVid = `-----BEGIN CERTIFICATE-----
@@ -648,11 +665,12 @@ fJhEWAA8mOgN9OVCdPWAegWuN3b2AiApXciu/dT4B5db3puPWrAsMjAUYF2Owc/D
 eujhLsD51w==
 -----END CERTIFICATE-----`
 
-	RootIssuer        = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh"
-	RootSubject       = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh"
-	RootSubjectAsText = "O=root-ca,ST=some-state,C=AU"
-	RootSubjectKeyID  = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB"
-	RootSerialNumber  = "442314047376310867378175982234956458728610743315"
+	RootIssuer                     = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh"
+	RootSubject                    = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh"
+	RootSubjectAsText              = "O=root-ca,ST=some-state,C=AU"
+	RootSubjectKeyID               = "5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB"
+	RootSubjectKeyIDWithoutColumns = "5A880E6C3653D07FB08971A3F473790930E62BDB"
+	RootSerialNumber               = "442314047376310867378175982234956458728610743315"
 
 	RootCertWithSameSubjectAndSKIDSubject         = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
 	RootCertWithSameSubjectAndSKIDSubjectKeyID    = "33:5E:0C:07:44:F8:B5:9C:CD:55:01:9B:6D:71:23:83:6F:D0:D4:BE"
@@ -727,6 +745,10 @@ eujhLsD51w==
 	IntermediateCertWithVid2SerialNumber = "4"
 	IntermediateCertWithVid2Vid          = 65522
 
+	IntermediateCertWithoutVidPidSubject      = "MIGCMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQ=="
+	IntermediateCertWithoutVidPidSubjectKeyID = "0E:8C:E8:C8:B8:AA:50:BC:25:85:56:B9:B1:9C:C2:C7:D9:C5:2F:17"
+	IntermediateCertWithoutVidPidSerialNumber = "14875121728167018569770528052537472929544450473"
+
 	LeafCertWithVidSubject        = "MIGaMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRowGAYDVQQKDBFDUkwtbGVhZiB3aXRoIFZJRDEZMBcGA1UECwwQVGVzdGluZyBEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMRQwEgYKKwYBBAGConwCAQwERkZGMQ=="
 	LeafCertWithVidSubjectAsText  = "CN=www.example.com,OU=Testing Division,O=CRL-leaf with VID,L=New York,ST=New York,C=US,vid=0xFFF1"
 	LeafCertWithVidSubjectKeyID   = "D6:98:26:10:BE:AC:23:74:09:0A:40:0B:CD:39:65:53:F1:76:B0:F5"

x/pki/handler_add_revocation_test.go

@@ -248,7 +248,7 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) {
 			SchemaVersion: testconstants.SchemaVersion,
 		},
 		{
-			name:            "PAIWithDelegatedCert",
+			name:            "CrlSignerDelegatedByPAI",
 			rootCertOptions: createTestRootCertOptions(),
 			addRevocation: &types.MsgAddPkiRevocationDistributionPoint{
 				Signer:               vendorAcc.String(),
@@ -259,7 +259,23 @@ func TestHandler_AddPkiRevocationDistributionPoint_PositiveCases(t *testing.T) {
 				CrlSignerDelegator:   testconstants.IntermediateCertPem,
 				Label:                label,
 				DataURL:              testconstants.DataURL,
-				IssuerSubjectKeyID:   testconstants.IntermediateSubjectKeyIDWithoutColumns,
+				IssuerSubjectKeyID:   testconstants.RootSubjectKeyIDWithoutColumns,
+				RevocationType:       types.CRLRevocationType,
+			},
+			SchemaVersion: testconstants.SchemaVersion,
+		},
+		{
+			name:            "CrlSignerDelegatedByPAA",
+			rootCertOptions: createTestRootCertOptions(),
+			addRevocation: &types.MsgAddPkiRevocationDistributionPoint{
+				Signer:               vendorAcc.String(),
+				Vid:                  65522,
+				IsPAA:                true,
+				Pid:                  0,
+				CrlSignerCertificate: testconstants.IntermediateCertPem,
+				Label:                label,
+				DataURL:              testconstants.DataURL,
+				IssuerSubjectKeyID:   testconstants.RootSubjectKeyIDWithoutColumns,
 				RevocationType:       types.CRLRevocationType,
 			},
 			SchemaVersion: testconstants.SchemaVersion,

x/pki/handler_update_revocation_test.go

@@ -720,7 +720,7 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField(
 			},
 		},
 		{
-			name:             "PAI_With_Delegated_Certificate",
+			name:             "CrlSignerDelegatedByPAI",
 			rootCertOptions1: createTestRootCertOptions(),
 			rootCertOptions2: createRootWithVidOptions(),
 			addRevocation:    createAddRevocationMessageWithLeafCertWithVid(vendorAcc.String()),
@@ -734,6 +734,27 @@ func TestHandler_UpdatePkiRevocationDistributionPoint_CrlSignerCertificateField(
 				IssuerSubjectKeyID:   testconstants.IntermediateCertWithVid1SubjectKeyIDWithoutColumns,
 			},
 		},
+		{
+			name:             "CrlSignerDelegatedByPAA",
+			rootCertOptions1: createTestRootCertOptions(),
+			rootCertOptions2: createRootWithVidOptions(),
+			addRevocation: &types.MsgAddPkiRevocationDistributionPoint{
+				Signer:               vendorAcc.String(),
+				IsPAA:                true,
+				CrlSignerCertificate: testconstants.IntermediateCertPem,
+				Label:                label,
+				DataURL:              testconstants.DataURL,
+				IssuerSubjectKeyID:   testconstants.RootSubjectKeyIDWithoutColumns,
+				RevocationType:       types.CRLRevocationType,
+			},
+			updateRevocation: &types.MsgUpdatePkiRevocationDistributionPoint{
+				Signer:               vendorAcc.String(),
+				CrlSignerCertificate: testconstants.IntermediateCertWithoutVidPid,
+				Label:                label,
+				DataURL:              testconstants.DataURL,
+				IssuerSubjectKeyID:   testconstants.RootSubjectKeyIDWithoutColumns,
+			},
+		},
 	}
 
 	for _, tc := range cases {

x/pki/types/message_add_pki_revocation_distribution_point.go

@@ -121,9 +121,6 @@ func (msg *MsgAddPkiRevocationDistributionPoint) verifyPAI(cert *x509.Certificat
 	}
 
 	if msg.CrlSignerDelegator != "" {
-		if cert.AuthorityKeyID == "" {
-			return pkitypes.NewErrInvalidAuthorityKeyIDFormat()
-		}
 		err = VerifyCRLSignerCertFormat(cert)
 		if err != nil {
 			return err