#531-Publish-PAI-certificates-for-CRLSignerCertificate-verification

- Add CRLSignerDelegator field into PKI Distribution Point schema - Change handling of PKI Distribution Points Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com> Signed-off-by: Abdulbois <abdulbois123@gmail.com>
zigbee-alliance · Mar 28, 2024 · d79b7d3 · d79b7d3
1 parent 7f9ce72
commit d79b7d3
Show file tree

Hide file tree

Showing 29 changed files with 1,044 additions and 226 deletions.
diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml
@@ -10705,6 +10705,8 @@ paths:
                     schemaVersion:
                       type: integer
                       format: int64
+                    crlSignerDelegator:
+                      type: string
               pagination:
                 type: object
                 properties:
@@ -10863,6 +10865,8 @@ paths:
                         schemaVersion:
                           type: integer
                           format: int64
+                        crlSignerDelegator:
+                          type: string
         default:
           description: An unexpected error response.
           schema:
@@ -10935,6 +10939,8 @@ paths:
                   schemaVersion:
                     type: integer
                     format: int64
+                  crlSignerDelegator:
+                    type: string
         default:
           description: An unexpected error response.
           schema:
@@ -21841,6 +21847,8 @@ definitions:
       schemaVersion:
         type: integer
         format: int64
+      crlSignerDelegator:
+        type: string
   zigbeealliance.distributedcomplianceledger.pki.PkiRevocationDistributionPointsByIssuerSubjectKeyID:
     type: object
     properties:
@@ -21881,6 +21889,8 @@ definitions:
             schemaVersion:
               type: integer
               format: int64
+            crlSignerDelegator:
+              type: string
   zigbeealliance.distributedcomplianceledger.pki.ProposedCertificate:
     type: object
     properties:
@@ -22284,6 +22294,8 @@ definitions:
             schemaVersion:
               type: integer
               format: int64
+            crlSignerDelegator:
+              type: string
       pagination:
         type: object
         properties:
@@ -23029,6 +23041,8 @@ definitions:
           schemaVersion:
             type: integer
             format: int64
+          crlSignerDelegator:
+            type: string
   zigbeealliance.distributedcomplianceledger.pki.QueryGetPkiRevocationDistributionPointsByIssuerSubjectKeyIDResponse:
     type: object
     properties:
@@ -23072,6 +23086,8 @@ definitions:
                 schemaVersion:
                   type: integer
                   format: int64
+                crlSignerDelegator:
+                  type: string
   zigbeealliance.distributedcomplianceledger.pki.QueryGetProposedCertificateResponse:
     type: object
     properties:

diff --git a/docs/transactions.md b/docs/transactions.md
@@ -1073,6 +1073,7 @@ and DACs (leaf certificates) added to DCL if they are revoked in the CRL identif
   - isPAA: `bool` -  True if the revocation information distribution point relates to a PAA
   - label: `string` -  A label to disambiguate multiple revocation information partitions of a particular issuer.
   - crlSignerCertificate: `string` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+  - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
   - dataUrl: `string` -  The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
   - dataFileSize: `optional(uint64)` -  Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
@@ -1117,6 +1118,7 @@ Updates an existing PKI Revocation distribution endpoint (such as RFC5280 Certif
   - label: `string` -  A label to disambiguate multiple revocation information partitions of a particular issuer.
   - issuerSubjectKeyID: `string` - Uniquely identifies the PAA or PAI for which this revocation distribution point is provided. Must consist of even number of uppercase hexadecimal characters ([0-9A-F]), with no whitespace and no non-hexadecimal characters., e.g: `5A880E6C3653D07FB08971A3F473790930E62BDB`.
   - crlSignerCertificate: `optional(string)` - The issuer certificate whose revocation information is provided in the distribution point entry, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
+  - certificate-delegator: `optional(string)` - The delegator certificate of CRL signer Certificate which must be chained back to approved certificate in the ledger, encoded in X.509v3 PEM format. The corresponding CLI parameter can contain either a PEM string or a path to a file containing the data.
   - dataUrl: `optional(string)` -  The URL where to obtain the information in the format indicated by the RevocationType field. Must start with either `http` or `https`. Must be unique for all pairs of VendorID and IssuerSubjectKeyID.
   - dataFileSize: `optional(uint64)` -  Total size in bytes of the file found at the DataUrl. Must be omitted if RevocationType is 1.
   - dataDigest: `optional(string)` -  Digest of the entire contents of the associated file downloaded from the DataUrl. Must be omitted if RevocationType is 1. Must be provided if and only if the `DataFileSize` field is present.

diff --git a/integration_tests/cli/pki-revocation-points.sh b/integration_tests/cli/pki-revocation-points.sh
@@ -25,6 +25,18 @@ test_root_cert_path="integration_tests/constants/test_root_cert"
 test_root_cert_subject="MDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBQTEUMBIGCisGAQQBgqJ8AgEMBDEyNUQ="
 test_root_cert_subject_key_id="E2:90:8D:36:9C:3C:A3:C1:13:BB:09:E2:4D:C1:CC:C5:A6:66:91:D4"
 
+root_cert_with_vid_path="integration_tests/constants/root_cert_with_vid"
+root_cert_with_vid_subject="MIGYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxGTAXBgNVBAsMEFRlc3RpbmcgRGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEUMBIGCisGAQQBgqJ8AgEMBEZGRjE="
+root_cert_with_vid_subject_key_id="CE:A8:92:66:EA:E0:80:BD:2B:B5:68:E4:0B:07:C4:FA:2C:34:6D:31"
+
+delegator_cert_with_vid_65521_path="integration_tests/constants/intermediate_cert_with_vid_1"
+delegator_cert_with_vid_65521_copy_path="integration_tests/constants/intermediate_cert_with_vid_1_copy"
+delegator_cert_with_vid_subject_key_id="0E8CE8C8B8AA50BC258556B9B19CC2C7D9C52F17"
+
+crl_leaf_cert_with_vid_65521_path="integration_tests/constants/leaf_cert_with_vid_65521"
+crl_leaf_cert_with_vid_65522_path="integration_tests/constants/leaf_cert_with_vid_65522"
+crl_leaf_cert_without_vid_path="integration_tests/constants/leaf_cert_without_vid"
+
 trustee_account="jack"
 second_trustee_account="alice"
 third_trustee_account="bob"
@@ -35,6 +47,8 @@ third_trustee_account_address=$(echo $passphrase | dcld keys show bob -a)
 
 label="label"
 label_pai="label_pai"
+label_leaf="label_leaf"
+label_leaf_with_delegator="label_leaf_with_delegator"
 vid=65521
 vid_65522=65522
 vid_non_vid_scoped=4701
@@ -137,6 +151,12 @@ check_response "$result" "\"code\": 0"
 result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$test_root_cert_subject" --subject-key-id="$test_root_cert_subject_key_id" --from $second_trustee_account --yes)
 check_response "$result" "\"code\": 0"
 
+echo "Trustees add VID scoped root cert"
+result=$(echo "$passphrase" | dcld tx pki propose-add-x509-root-cert --certificate="$root_cert_with_vid_path" --vid $vid --from $trustee_account --yes)
+check_response "$result" "\"code\": 0"
+result=$(echo "$passphrase" | dcld tx pki approve-add-x509-root-cert --subject="$root_cert_with_vid_subject" --subject-key-id="$root_cert_with_vid_subject_key_id" --from $second_trustee_account --yes)
+check_response "$result" "\"code\": 0"
+
 test_divider
 
 echo "7. ADD REVOCATION POINT FOR PAA WHEN CRL SIGNER CERTIFICATE PEM VALUE IS NOT EQUAL TO STORED CERTIFICATE PEM VALUE"
@@ -255,47 +275,112 @@ response_does_not_contain "$result" "\"label\": \"$vid_non_vid_scoped\""
 
 test_divider
 
-echo "12. UPDATE REVOCATION POINT WHEN POINT NOT FOUND"
+echo "12. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+
+result=$(dcld tx pki add-revocation-point --vid=$vid --is-paa="false" --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --certificate-delegator="$delegator_cert_with_vid_65521_path" --from=$vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
+check_response "$result" "\"vid\": $vid"
+check_response "$result" "\"label\": \"$label_leaf_with_delegator\""
+check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
+
+echo $result
+
+test_divider
+
+echo "13. ADD REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN IS_PAA=TRUE"
+
+echo "Add PAI certificate"
+result=$(echo "$passphrase" | dcld tx pki add-x509-cert --certificate="$delegator_cert_with_vid_65521_path" --from $vendor_account --yes)
+check_response "$result" "\"code\": 0"
+
+echo "Add PKI revocation point with IS_PAA=true"
+result=$(dcld tx pki add-revocation-point --vid=$vid_65522 --is-paa="true" --certificate="$crl_leaf_cert_without_vid_path" --label="$label_leaf" --data-url="$data_url" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --revocation-type=1 --from=$vendor_account_65522 --yes)
+check_response "$result" "\"code\": 0"
+
+result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
+check_response "$result" "\"vid\": $vid_65522"
+check_response "$result" "\"label\": \"$label_leaf\""
+check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
+echo $result
+
+test_divider
+
+echo "14. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE WHEN DELEGATOR CERTIFICATE IS PROVIDED"
+data_url_new="$data_url"_new
+result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$crl_leaf_cert_with_vid_65521_path" --label="$label_leaf_with_delegator" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --certificate-delegator="$delegator_cert_with_vid_65521_copy_path" --from=$vendor_account --yes)
+check_response "$result" "\"code\": 0"
+echo $result
+
+result=$(dcld query pki revocation-point --vid=$vid --label=$label_leaf_with_delegator --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
+check_response "$result" "\"vid\": $vid"
+check_response "$result" "\"label\": \"$label_leaf_with_delegator\""
+check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
+check_response "$result" "\"dataURL\": \"$data_url_new\""
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65521_path)"
+check_response "$result" "\"CrlSignerDelegator\": $(<$delegator_cert_with_vid_65521_copy_path)"
+echo $result
+
+test_divider
+
+echo "15. UPDATE REVOCATION POINT FOR CRL SIGNER LEAF CERTIFICATE"
+result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$crl_leaf_cert_with_vid_65522_path" --label="$label_leaf" --data-url="$data_url_new" --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id --from=$vendor_account_65522 --yes)
+check_response "$result" "\"code\": 0"
+echo $result
+
+result=$(dcld query pki revocation-point --vid=$vid_65522 --label=$label_leaf --issuer-subject-key-id=$delegator_cert_with_vid_subject_key_id)
+check_response "$result" "\"vid\": $vid_65522"
+check_response "$result" "\"label\": \"$label_leaf\""
+check_response "$result" "\"issuerSubjectKeyID\": \"$delegator_cert_with_vid_subject_key_id\""
+check_response "$result" "\"dataURL\": \"$data_url_new\""
+check_response "$result" "\"CrlSignerCertificate\": $(<$crl_leaf_cert_with_vid_65522_path)"
+
+echo $result
+
+test_divider
+
+echo "16. UPDATE REVOCATION POINT WHEN POINT NOT FOUND"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$pai_cert_with_numeric_vid_pid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
 response_does_not_contain "$result" "\"code\": 0"
 echo $result
 
 test_divider
 
-echo "13. UPDATE REVOCATION POINT FOR PAA WHEN NEW CERT IS NOT PAA"
+echo "17. UPDATE REVOCATION POINT FOR PAA WHEN NEW CERT IS NOT PAA"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$pai_cert_with_numeric_vid_pid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes)
 response_does_not_contain "$result" "\"code\": 0"
 echo $result
 
 test_divider
 
-echo "14. UPDATE REVOCATION POINT WHEN SENDER IS NOT VENDOR"
+echo "18. UPDATE REVOCATION POINT WHEN SENDER IS NOT VENDOR"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$trustee_account --yes)
 response_does_not_contain "$result" "\"code\": 0"
 echo $result
 
 test_divider
 
-echo "15. UPDATE REVOCATION POINT FOR PAA WHEN SENDER VID IS NOT EQUAL TO CERT VID"
+echo "19. UPDATE REVOCATION POINT FOR PAA WHEN SENDER VID IS NOT EQUAL TO CERT VID"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
 response_does_not_contain "$result" "\"code\": 0"
 echo $result
 
 test_divider
 
-echo "16. UPDATE REVOCATION POINT FOR PAA WHEN MSG VID IS NOT EQUAL TO CERT VID"
+echo "20. UPDATE REVOCATION POINT FOR PAA WHEN MSG VID IS NOT EQUAL TO CERT VID"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$paa_cert_with_numeric_vid_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes)
 response_does_not_contain "$result" "\"code\": 0"
 echo $result
 
 test_divider
 
-echo "17. UPDATE REVOCATION POINT FOR VID-SCOPED PAA"
+echo "21. UPDATE REVOCATION POINT FOR VID-SCOPED PAA"
 schema_version_3=3
 result=$(dcld tx pki update-revocation-point --vid=$vid --certificate="$root_cert_path" --label="$label" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --schemaVersion=$schema_version_3 --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
@@ -309,7 +394,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\""
 check_response "$result" "\"schemaVersion\": $schema_version_3"
 test_divider
 
-echo "18. UPDATE REVOCATION POINT FOR NON-VID SCOPED PAA"
+echo "22. UPDATE REVOCATION POINT FOR NON-VID SCOPED PAA"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid_non_vid_scoped --certificate="$test_root_cert_path" --label="$label_non_vid_scoped" --data-url="$data_url_non_vid_scoped" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_non_vid_scoped --yes)
 check_response "$result" "\"code\": 0"
@@ -323,7 +408,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\""
 
 test_divider
 
-echo "19. UPDATE REVOCATION POINT FOR PAI"
+echo "23. UPDATE REVOCATION POINT FOR PAI"
 
 result=$(dcld tx pki update-revocation-point --vid=$vid_65522 --certificate="$pai_cert_vid_path" --label="$label_pai" --data-url="$data_url" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"
@@ -337,7 +422,7 @@ check_response "$result" "\"issuerSubjectKeyID\": \"$issuer_subject_key_id\""
 
 test_divider
 
-echo "20. DELETE REVOCATION PAA"
+echo "24. DELETE REVOCATION PAA"
 
 result=$(dcld tx pki delete-revocation-point --vid=$vid --label="$label" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account --yes)
 check_response "$result" "\"code\": 0"
@@ -348,7 +433,7 @@ check_response "$result" "Not Found"
 
 test_divider
 
-echo "21. DELETE REVOCATION PAI"
+echo "25. DELETE REVOCATION PAI"
 
 result=$(dcld tx pki delete-revocation-point --vid=$vid_65522 --label="$label_pai" --issuer-subject-key-id=$issuer_subject_key_id --from=$vendor_account_65522 --yes)
 check_response "$result" "\"code\": 0"