diff --git a/integration_tests/constants/noc_constants.go b/integration_tests/constants/noc_constants.go index 1d2c96e0c..f114171ff 100644 --- a/integration_tests/constants/noc_constants.go +++ b/integration_tests/constants/noc_constants.go @@ -129,6 +129,7 @@ BAMCA0kAMEYCIQDzsjB569j1SsltNIP8CMTD4kRsTulqSp+O7JbQdWyzPAIhAODV zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj -----END CERTIFICATE-----` + NocRootCert1Issuer = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ==" NocRootCert1Subject = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ==" NocRootCert1SubjectKeyID = "44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26" NocRootCert1SerialNumber = "47211865327720222621302679792296833381734533449" @@ -149,11 +150,12 @@ zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj NocRootCert3SerialNumber = "38457288443253426021793906708335409501754677187" NocRootCert3SubjectAsText = "CN=NOC-3,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" - NocCert1Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" - NocCert1Issuer = NocRootCert1Subject - NocCert1SubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" - NocCert1SerialNumber = "631388393741945881054190991612463928825155142122" - NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" + NocCert1Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" + NocCert1Issuer = NocRootCert1Subject + NocCert1AuthorityKeyID = NocRootCert1SubjectKeyID + NocCert1SubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" + NocCert1SerialNumber = "631388393741945881054190991612463928825155142122" + NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" NocCert1CopySubject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" NocCert1CopyIssuer = NocRootCert1Subject diff --git a/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts b/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts new file mode 100644 index 000000000..abb4c3e4d --- /dev/null +++ b/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts @@ -0,0 +1,99 @@ +/* eslint-disable */ +import _m0 from "protobufjs/minimal"; +import { Certificate } from "./certificate"; + +export const protobufPackage = "zigbeealliance.distributedcomplianceledger.pki"; + +export interface AllCertificatesBySubjectKeyId { + subjectKeyId: string; + certs: Certificate[]; + schemaVersion: number; +} + +function createBaseAllCertificatesBySubjectKeyId(): AllCertificatesBySubjectKeyId { + return { subjectKeyId: "", certs: [], schemaVersion: 0 }; +} + +export const AllCertificatesBySubjectKeyId = { + encode(message: AllCertificatesBySubjectKeyId, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { + if (message.subjectKeyId !== "") { + writer.uint32(10).string(message.subjectKeyId); + } + for (const v of message.certs) { + Certificate.encode(v!, writer.uint32(18).fork()).ldelim(); + } + if (message.schemaVersion !== 0) { + writer.uint32(24).uint32(message.schemaVersion); + } + return writer; + }, + + decode(input: _m0.Reader | Uint8Array, length?: number): AllCertificatesBySubjectKeyId { + const reader = input instanceof _m0.Reader ? input : new _m0.Reader(input); + let end = length === undefined ? reader.len : reader.pos + length; + const message = createBaseAllCertificatesBySubjectKeyId(); + while (reader.pos < end) { + const tag = reader.uint32(); + switch (tag >>> 3) { + case 1: + message.subjectKeyId = reader.string(); + break; + case 2: + message.certs.push(Certificate.decode(reader, reader.uint32())); + break; + case 3: + message.schemaVersion = reader.uint32(); + break; + default: + reader.skipType(tag & 7); + break; + } + } + return message; + }, + + fromJSON(object: any): AllCertificatesBySubjectKeyId { + return { + subjectKeyId: isSet(object.subjectKeyId) ? String(object.subjectKeyId) : "", + certs: Array.isArray(object?.certs) ? object.certs.map((e: any) => Certificate.fromJSON(e)) : [], + schemaVersion: isSet(object.schemaVersion) ? Number(object.schemaVersion) : 0, + }; + }, + + toJSON(message: AllCertificatesBySubjectKeyId): unknown { + const obj: any = {}; + message.subjectKeyId !== undefined && (obj.subjectKeyId = message.subjectKeyId); + if (message.certs) { + obj.certs = message.certs.map((e) => e ? Certificate.toJSON(e) : undefined); + } else { + obj.certs = []; + } + message.schemaVersion !== undefined && (obj.schemaVersion = Math.round(message.schemaVersion)); + return obj; + }, + + fromPartial, I>>( + object: I, + ): AllCertificatesBySubjectKeyId { + const message = createBaseAllCertificatesBySubjectKeyId(); + message.subjectKeyId = object.subjectKeyId ?? ""; + message.certs = object.certs?.map((e) => Certificate.fromPartial(e)) || []; + message.schemaVersion = object.schemaVersion ?? 0; + return message; + }, +}; + +type Builtin = Date | Function | Uint8Array | string | number | boolean | undefined; + +export type DeepPartial = T extends Builtin ? T + : T extends Array ? Array> : T extends ReadonlyArray ? ReadonlyArray> + : T extends {} ? { [K in keyof T]?: DeepPartial } + : Partial; + +type KeysOfUnion = T extends T ? keyof T : never; +export type Exact = P extends Builtin ? P + : P & { [K in keyof P]: Exact } & { [K in Exclude>]: never }; + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} diff --git a/x/pki/keeper/approved_root_certificates.go b/x/pki/keeper/approved_root_certificates.go index 3c911e122..ec5ab5f74 100644 --- a/x/pki/keeper/approved_root_certificates.go +++ b/x/pki/keeper/approved_root_certificates.go @@ -35,9 +35,14 @@ func (k Keeper) RemoveApprovedRootCertificates(ctx sdk.Context) { } // Add root certificate to the list. -func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certID types.CertificateIdentifier) { +func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certificate types.Certificate) { rootCertificates, _ := k.GetApprovedRootCertificates(ctx) + certID := types.CertificateIdentifier{ + Subject: certificate.Subject, + SubjectKeyId: certificate.SubjectKeyId, + } + // Check if the root cert is already there for _, existingCertID := range rootCertificates.Certs { if *existingCertID == certID { @@ -51,7 +56,16 @@ func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certID types.Certifi } // Remove root certificate from the list. -func (k Keeper) RemoveApprovedRootCertificate(ctx sdk.Context, certID types.CertificateIdentifier) { +func (k Keeper) RemoveApprovedRootCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, +) { + certID := types.CertificateIdentifier{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + rootCertificates, _ := k.GetApprovedRootCertificates(ctx) certIDIndex := -1 diff --git a/x/pki/keeper/certificate_helpers.go b/x/pki/keeper/certificate_helpers.go new file mode 100644 index 000000000..6e1601465 --- /dev/null +++ b/x/pki/keeper/certificate_helpers.go @@ -0,0 +1,258 @@ +package keeper + +import ( + "math" + + sdk "github.com/cosmos/cosmos-sdk/types" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" + authTypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +func (k Keeper) CertificateApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { + return int(math.Ceil(types.RootCertificateApprovalsPercent * + float64(authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee)))) +} + +func (k Keeper) CertificateRejectApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { + return authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee) - k.CertificateApprovalsCount(ctx, authKeeper) + 1 +} + +func (k Keeper) EnsureVidMatches(ctx sdk.Context, owner string, signer string) error { + // get signer VID + signerAddr, err := sdk.AccAddressFromBech32(signer) + if err != nil { + return pkitypes.NewErrInvalidAddress(err) + } + + signerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, signerAddr) + signerVid := signerAccount.VendorID + + // get owner VID + ownerAddr, err := sdk.AccAddressFromBech32(owner) + if err != nil { + return pkitypes.NewErrInvalidAddress(err) + } + + ownerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, ownerAddr) + ownerVid := ownerAccount.VendorID + + if signerVid != ownerVid { + return pkitypes.NewErrUnauthorizedCertVendor(ownerVid) + } + + return nil +} + +func RemoveCertFromList(issuer string, serialNumber string, certs *[]*types.Certificate) { + certIndex := -1 + + for i, cert := range *certs { + if cert.SerialNumber == serialNumber && cert.Issuer == issuer { + certIndex = i + + break + } + } + if certIndex == -1 { + return + } + *certs = append((*certs)[:certIndex], (*certs)[certIndex+1:]...) +} + +func FindCertificateInList(serialNumber string, certificates *[]*types.Certificate) (*types.Certificate, bool) { + for _, cert := range *certificates { + if cert.SerialNumber == serialNumber { + return cert, true + } + } + + return nil, false +} + +func FilterCertificateList(certificates *[]*types.Certificate, predicate CertificatePredicate) []*types.Certificate { + var result []*types.Certificate + + for _, s := range *certificates { + if predicate(s) { + result = append(result, s) + } + } + + return result +} + +func (k msgServer) AddCertificateToGlobalCertificateIndexes( + ctx sdk.Context, + certificate types.Certificate, +) { + // add to the global list of certificates + k.AddAllCertificate(ctx, certificate) + // add to the global list of certificates indexed by subject key id + k.AddAllCertificateBySubjectKeyID(ctx, certificate) + // add to the global list of certificates indexed by subject + k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) +} + +func (k msgServer) RemoveCertificateFromGlobalCertificateIndexes( + ctx sdk.Context, + subject string, + subjectKeyID string, +) { + // remove from the global list of certificates + k.RemoveAllCertificates(ctx, subject, subjectKeyID) + // remove from the global list of certificates indexed by subject key id + k.RemoveAllCertificatesBySubjectKeyID(ctx, subject, subjectKeyID) + // remove from the global list of certificates indexed by subject + k.RemoveAllCertificateBySubject(ctx, subject, subjectKeyID) +} + +func (k msgServer) StoreDaCertificate( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool, +) { + // add to Global certificates indexes + k.AddCertificateToGlobalCertificateIndexes(ctx, certificate) + + // add to list of certificates with the same Subject/SubjectKeyID combination and store updated list + k.AddApprovedCertificate(ctx, certificate) + + // add to list of certificates indexed by subject + k.AddApprovedCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) + + // add to list of certificates indexed by subject key id + k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // add to root certificates index + k.AddApprovedRootCertificate(ctx, certificate) + } else { + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) RemoveDaCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, + isRoot bool, +) { + // remove from global list + k.RemoveCertificateFromGlobalCertificateIndexes(ctx, subject, subjectKeyID) + // remove from approved certificates map + k.RemoveApprovedCertificates(ctx, subject, subjectKeyID) + // remove from subject -> subject key ID map + k.RemoveApprovedCertificateBySubject(ctx, subject, subjectKeyID) + // remove from subject key ID -> certificates map + k.RemoveApprovedCertificatesBySubjectKeyID(ctx, subject, subjectKeyID) + if isRoot { + k.RemoveApprovedRootCertificate(ctx, subject, subjectKeyID) + } +} + +func (k msgServer) RemoveDaCertificateBySerialNumber( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.ApprovedCertificates, + serialNumber string, + issuer string, + isRoot bool, +) { + RemoveCertFromList(issuer, serialNumber, &certificates.Certs) + + if len(certificates.Certs) == 0 { + k.RemoveDaCertificate(ctx, subject, subjectKeyID, isRoot) + } else { + k.RemoveAllCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveApprovedCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + } +} + +func (k msgServer) StoreNocCertificate( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool) { + // add to Global certificates indexes + k.AddCertificateToGlobalCertificateIndexes(ctx, certificate) + + // add to the list of all NOC certificates + k.AddNocCertificate(ctx, certificate) + + // add to certificates map indexed by vid/skid + k.AddNocCertificateByVidAndSkid(ctx, certificate) + + // add to certificates map indexed by subject + k.AddNocCertificateBySubject(ctx, certificate) + + // add to certificates map indexed by subject key id + k.AddNocCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // add to the list of NOC root certificates with the same VID + k.AddNocRootCertificate(ctx, certificate) + } else { + // add to the list of NOC ica certificates with the same VID + k.AddNocIcaCertificate(ctx, certificate) + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) RemoveNocCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, + accountVid int32, + isRoot bool, +) { + // remove from global list + k.RemoveCertificateFromGlobalCertificateIndexes(ctx, subject, subjectKeyID) + // remove from noc certificates map + k.RemoveNocCertificates(ctx, subject, subjectKeyID) + // remove from vid, subject key id map + k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, subjectKeyID) + // remove from subject -> subject key ID map + k.RemoveNocCertificateBySubject(ctx, subject, subjectKeyID) + // remove from subject key ID -> certificates map + k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, subject, subjectKeyID) + if isRoot { + // remove from noc root certificates map + k.RemoveNocRootCertificate(ctx, subject, subjectKeyID, accountVid) + } else { + // remove from noc ica certificates map + k.RemoveNocIcaCertificate(ctx, subject, subjectKeyID, accountVid) + } +} + +func (k msgServer) RemoveNocCertBySerialNumber( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.NocCertificates, + accountVid int32, + serialNumber string, + issuer string, + isRoot bool, +) { + RemoveCertFromList(issuer, serialNumber, &certificates.Certs) + + if len(certificates.Certs) == 0 { + k.RemoveNocCertificate(ctx, subject, subjectKeyID, accountVid, isRoot) + } else { + k.RemoveAllCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, accountVid, subject, subjectKeyID, serialNumber) + if isRoot { + k.RemoveNocRootCertificateBySerialNumber(ctx, subject, subjectKeyID, accountVid, serialNumber) + } else { + k.RemoveNocIcaCertificateBySerialNumber(ctx, subject, subjectKeyID, accountVid, serialNumber) + } + } +} diff --git a/x/pki/keeper/child_certificates.go b/x/pki/keeper/child_certificates.go index aff2055fc..6a6053bec 100644 --- a/x/pki/keeper/child_certificates.go +++ b/x/pki/keeper/child_certificates.go @@ -68,19 +68,24 @@ func (k Keeper) GetAllChildCertificates(ctx sdk.Context) (list []types.ChildCert } // Add a child certificate to the list of child certificate IDs for the issuer/authorityKeyId map. -func (k Keeper) AddChildCertificate(ctx sdk.Context, issuer string, authorityKeyID string, certID types.CertificateIdentifier) { +func (k Keeper) AddChildCertificate(ctx sdk.Context, certificate types.Certificate) { store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ChildCertificatesKeyPrefix)) + certID := types.CertificateIdentifier{ + Subject: certificate.Subject, + SubjectKeyId: certificate.SubjectKeyId, + } + childCertificatesBytes := store.Get(types.ChildCertificatesKey( - issuer, - authorityKeyID, + certificate.Issuer, + certificate.AuthorityKeyId, )) var childCertificates types.ChildCertificates if childCertificatesBytes == nil { childCertificates = types.ChildCertificates{ - Issuer: issuer, - AuthorityKeyId: authorityKeyID, + Issuer: certificate.Issuer, + AuthorityKeyId: certificate.AuthorityKeyId, CertIds: []*types.CertificateIdentifier{}, } } else { @@ -97,8 +102,8 @@ func (k Keeper) AddChildCertificate(ctx sdk.Context, issuer string, authorityKey b := k.cdc.MustMarshal(&childCertificates) store.Set(types.ChildCertificatesKey( - issuer, - authorityKeyID, + certificate.Issuer, + certificate.AuthorityKeyId, ), b) } @@ -108,30 +113,13 @@ func (k msgServer) RevokeApprovedChildCertificates(ctx sdk.Context, issuer strin // For each child certificate subject/subjectKeyID combination for _, certIdentifier := range childCertificates.CertIds { - // Revoke certificates with this subject/subjectKeyID combination + // Add revoked certificates with this subject/subjectKeyID combination certificates, _ := k.GetApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - // Remove certificate from global certificates list - k.RemoveAllCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global certificate -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // Remove certificate from approved certificates list - k.RemoveApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - + // Remove certificate from da list + k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, false) // Process child certificates recursively - k.RevokeApprovedChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + k.RevokeApprovedChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) } // Delete entire ChildCertificates record of issuer @@ -144,48 +132,27 @@ func (k msgServer) RevokeNocChildCertificates(ctx sdk.Context, issuer string, au // For each child certificate subject/subjectKeyID combination for _, certIdentifier := range childCertificates.CertIds { - // Revoke certificates with this subject/subjectKeyID combination + // Add revoked certificates with this subject/subjectKeyID combination certificates, _ := k.GetNocCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - - // Remove certificate from global certificates list - k.RemoveAllCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // Remove certificate from noc certificates list - k.RemoveNocCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // Remove it from NOC ICA certificates list - k.RemoveNocIcaCertificate(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId, certificates.Certs[0].Vid) - - // Remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, certificates.Certs[0].Vid, certIdentifier.Subject, certificates.SubjectKeyId) - - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - + // Remove certificate from da list + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, certificates.Certs[0].Vid, false) // Process child certificates recursively - k.RevokeNocChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + k.RevokeNocChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) } // Delete entire ChildCertificates record of issuer k.RemoveChildCertificates(ctx, issuer, authorityKeyID) } -func (k msgServer) RemoveChildCertificate(ctx sdk.Context, issuer string, authorityKeyID string, +func (k msgServer) RemoveChildCertificate( + ctx sdk.Context, + issuer string, + authorityKeyID string, certIdentifier types.CertificateIdentifier, ) { childCertificates, _ := k.GetChildCertificates(ctx, issuer, authorityKeyID) @@ -211,3 +178,17 @@ func (k msgServer) RemoveChildCertificate(ctx sdk.Context, issuer string, author k.RemoveChildCertificates(ctx, issuer, authorityKeyID) } } + +// IsChildCertificatePresent Check if the Child Certificate is present in the store. +func (k Keeper) IsChildCertificatePresent( + ctx sdk.Context, + issuer string, + authorityKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ChildCertificatesKeyPrefix)) + + return store.Has(types.ChildCertificatesKey( + issuer, + authorityKeyID, + )) +} diff --git a/x/pki/keeper/keeper.go b/x/pki/keeper/keeper.go index 53439e8b2..cc767562e 100644 --- a/x/pki/keeper/keeper.go +++ b/x/pki/keeper/keeper.go @@ -2,14 +2,13 @@ package keeper import ( "fmt" - "math" "github.com/cometbft/cometbft/libs/log" "github.com/cosmos/cosmos-sdk/codec" storetypes "github.com/cosmos/cosmos-sdk/store/types" sdk "github.com/cosmos/cosmos-sdk/types" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - authTypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) @@ -43,129 +42,3 @@ func NewKeeper( func (k Keeper) Logger(ctx sdk.Context) log.Logger { return ctx.Logger().With("module", fmt.Sprintf("x/%s", pkitypes.ModuleName)) } - -func (k Keeper) CertificateApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { - return int(math.Ceil(types.RootCertificateApprovalsPercent * - float64(authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee)))) -} - -func (k Keeper) CertificateRejectApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { - return authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee) - k.CertificateApprovalsCount(ctx, authKeeper) + 1 -} - -func (k Keeper) EnsureVidMatches(ctx sdk.Context, owner string, signer string) error { - // get signer VID - signerAddr, err := sdk.AccAddressFromBech32(signer) - if err != nil { - return pkitypes.NewErrInvalidAddress(err) - } - - signerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, signerAddr) - signerVid := signerAccount.VendorID - - // get owner VID - ownerAddr, err := sdk.AccAddressFromBech32(owner) - if err != nil { - return pkitypes.NewErrInvalidAddress(err) - } - - ownerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, ownerAddr) - ownerVid := ownerAccount.VendorID - - if signerVid != ownerVid { - return pkitypes.NewErrUnauthorizedCertVendor(ownerVid) - } - - return nil -} - -func removeCertFromList(issuer string, serialNumber string, certs *[]*types.Certificate) { - certIndex := -1 - - for i, cert := range *certs { - if cert.SerialNumber == serialNumber && cert.Issuer == issuer { - certIndex = i - - break - } - } - if certIndex == -1 { - return - } - *certs = append((*certs)[:certIndex], (*certs)[certIndex+1:]...) -} - -func findCertificate(serialNumber string, certificates *[]*types.Certificate) (*types.Certificate, bool) { - for _, cert := range *certificates { - if cert.SerialNumber == serialNumber { - return cert, true - } - } - - return nil, false -} - -func filterCertificates(certificates *[]*types.Certificate, predicate CertificatePredicate) []*types.Certificate { - var result []*types.Certificate - - for _, s := range *certificates { - if predicate(s) { - result = append(result, s) - } - } - - return result -} - -func (k msgServer) removeApprovedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.ApprovedCertificates, serialNumber string) { - if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - } -} - -func (k msgServer) removeNocX509Cert( - ctx sdk.Context, - certID types.CertificateIdentifier, - certificates *types.NocCertificates, - accountVid int32, - serialNumber string, - isRoot bool, -) { - if len(certificates.Certs) == 0 { //nolint:nestif - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - - if isRoot { - k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } else { - k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, accountVid, certID.Subject, certID.SubjectKeyId, serialNumber) - - if isRoot { - k.RemoveNocRootCertificateBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, accountVid, serialNumber) - } else { - k.RemoveNocIcaCertificateBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, accountVid, serialNumber) - } - } -} diff --git a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go index c4fcf3dc7..db932346d 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go @@ -103,44 +103,11 @@ func (k msgServer) AddNocX509IcaCert(goCtx context.Context, msg *types.MsgAddNoc msg.CertSchemaVersion, ) - // Add to the global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // Add to the list of all NOC certificates - k.AddNocCertificate(ctx, certificate) - - // Add to the list of NOC ica certificates with the same VID - k.AddNocIcaCertificate(ctx, certificate) - - // add to certificates map indexed by { vid, subject key id } - k.AddNocCertificateByVidAndSkid(ctx, certificate) - - // add to certificates map indexed by { subject } - k.AddNocCertificateBySubject(ctx, certificate) - - // add to certificates map indexed by { subject key id } - k.AddNocCertificateBySubjectKeyID(ctx, certificate) - - // add the certificate identifier to the issuer's Child Certificates record - certificateIdentifier := types.CertificateIdentifier{ - Subject: certificate.Subject, - SubjectKeyId: certificate.SubjectKeyId, - } - k.AddChildCertificate(ctx, certificate.Issuer, certificate.AuthorityKeyId, certificateIdentifier) - // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) + + // store Noc certificate in indexes + k.StoreNocCertificate(ctx, certificate, false) return &types.MsgAddNocX509IcaCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go index 0f22ab2f0..1954acda6 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go @@ -84,37 +84,11 @@ func (k msgServer) AddNocX509RootCert(goCtx context.Context, msg *types.MsgAddNo msg.CertSchemaVersion, ) - // Add to the global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // Add to the list of all NOC certificates - k.AddNocCertificate(ctx, certificate) - - // Add to the list of NOC root certificates with the same VID - k.AddNocRootCertificate(ctx, certificate) - // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) - - // add to certificates map indexed by { vid, subject key id } - k.AddNocCertificateByVidAndSkid(ctx, certificate) - - // add to certificates map indexed by { subject } - k.AddNocCertificateBySubject(ctx, certificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) - // add to certificates map indexed by { subject key id } - k.AddNocCertificateBySubjectKeyID(ctx, certificate) + // store Noc certificate in indexes + k.StoreNocCertificate(ctx, certificate, true) return &types.MsgAddNocX509RootCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_add_x_509_cert.go b/x/pki/keeper/msg_server_add_x_509_cert.go index 816f446d1..69b3c5ab1 100644 --- a/x/pki/keeper/msg_server_add_x_509_cert.go +++ b/x/pki/keeper/msg_server_add_x_509_cert.go @@ -107,38 +107,11 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert) msg.CertSchemaVersion, ) - // append to global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // append new certificate to list of certificates with the same Subject/SubjectKeyID combination and store updated list - k.AddApprovedCertificate(ctx, certificate) - - // add to subject -> subject key ID map - k.AddApprovedCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to subject key ID -> certificates map - k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) - - // add the certificate identifier to the issuer's Child Certificates record - certificateIdentifier := types.CertificateIdentifier{ - Subject: certificate.Subject, - SubjectKeyId: certificate.SubjectKeyId, - } - k.AddChildCertificate(ctx, certificate.Issuer, certificate.AuthorityKeyId, certificateIdentifier) - // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) + + // store DA certificate in indexes + k.StoreDaCertificate(ctx, certificate, false) return &types.MsgAddX509CertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go index 757891504..a735b3544 100644 --- a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go @@ -79,30 +79,8 @@ func (k msgServer) ApproveAddX509RootCert(goCtx context.Context, msg *types.MsgA // delete proposed certificate k.RemoveProposedCertificate(ctx, msg.Subject, msg.SubjectKeyId) - // add approved certificate to stored list of all certificates - k.AddAllCertificate(ctx, rootCertificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, rootCertificate.Subject, rootCertificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, rootCertificate) - - // add approved certificate to stored list of certificates with the same Subject/SubjectKeyID combination - k.AddApprovedCertificate(ctx, rootCertificate) - - // add to root certificates index - certID := types.CertificateIdentifier{ - Subject: rootCertificate.Subject, - SubjectKeyId: rootCertificate.SubjectKeyId, - } - k.AddApprovedRootCertificate(ctx, certID) - - // add to subject -> subject key ID map - k.AddApprovedCertificateBySubject(ctx, rootCertificate.Subject, rootCertificate.SubjectKeyId) - - // add to subject key ID -> certificates map - k.AddApprovedCertificateBySubjectKeyID(ctx, rootCertificate) + // store DA certificate in indexes + k.StoreDaCertificate(ctx, rootCertificate, true) } else { // update proposed certificate k.SetProposedCertificate(ctx, proposedCertificate) diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go index e02a221a3..f0c51889e 100644 --- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go @@ -65,9 +65,12 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber) if msg.SerialNumber != "" { - k._revokeRootCertificate(ctx, revocation.Approvals, msg.SerialNumber, certificates, revocation.SchemaVersion) + err := k.revokeRootCertificateBySerialNumber(ctx, revocation.Approvals, msg.SerialNumber, certificates) + if err != nil { + return nil, err + } } else { - k._revokeRootCertificates(ctx, revocation.Approvals, certificates, revocation.SchemaVersion) + k.revokeRootCertificate(ctx, revocation.Approvals, certificates, revocation.SchemaVersion) } if revocation.RevokeChild { @@ -80,7 +83,7 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M return &types.MsgApproveRevokeX509RootCertResponse{}, nil } -func (k msgServer) _revokeRootCertificates( +func (k msgServer) revokeRootCertificate( ctx sdk.Context, approvals []*types.Grant, certificates types.ApprovedCertificates, @@ -92,32 +95,23 @@ func (k msgServer) _revokeRootCertificates( cert.Approvals = approvals } } - certID := types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - } // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - k.RemoveApprovedRootCertificate(ctx, certID) - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) + // remove certificate from da list + k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, true) } -func (k msgServer) _revokeRootCertificate( + +func (k msgServer) revokeRootCertificateBySerialNumber( ctx sdk.Context, approvals []*types.Grant, serialNumber string, certificates types.ApprovedCertificates, - schemaVersion uint32, -) { - cert, _ := findCertificate(serialNumber, &certificates.Certs) +) error { + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) + if !found { + return pkitypes.NewErrCertificateBySerialNumberDoesNotExist(certificates.Subject, certificates.SubjectKeyId, serialNumber) + } cert.Approvals = approvals revCert := types.RevokedCertificates{ Subject: cert.Subject, @@ -125,27 +119,20 @@ func (k msgServer) _revokeRootCertificate( Certs: []*types.Certificate{cert}, SchemaVersion: cert.SchemaVersion, } + + // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, revCert) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) - - if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedRootCertificate(ctx, - types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - }, - ) - k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - } else { - k.SetApprovedCertificates(ctx, certificates) - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - } + // remove from certificate indexes + k.RemoveDaCertificateBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + cert.SerialNumber, + cert.Issuer, + true, + ) + + return nil } diff --git a/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go index ccd786dac..79e2b2c8e 100644 --- a/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go @@ -109,12 +109,7 @@ func (k msgServer) ProposeAddX509RootCert(goCtx context.Context, msg *types.MsgP } // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) return &types.MsgProposeAddX509RootCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go index a01a0a514..85f4c6fdd 100644 --- a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go @@ -47,7 +47,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M } // fail if cert with serial number does not exist if msg.SerialNumber != "" { - _, found = findCertificate(msg.SerialNumber, &certificates.Certs) + _, found = FindCertificateInList(msg.SerialNumber, &certificates.Certs) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist( msg.Subject, msg.SubjectKeyId, msg.SerialNumber, diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go index 9a5b0ad47..9072007c6 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go @@ -59,8 +59,8 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem SubjectKeyId: msg.SubjectKeyId, } - if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + if msg.SerialNumber != "" { //nolint:nestif + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } @@ -70,33 +70,35 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem if foundActive { // Remove from certificates lists - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &icaCerts.Certs) - k.removeNocX509Cert(ctx, certID, &icaCerts, accountVid, msg.SerialNumber, false) + k.RemoveNocCertBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &icaCerts, + accountVid, + certBySerialNumber.SerialNumber, + certBySerialNumber.Issuer, + false, + ) + if len(icaCerts.Certs) == 0 { + k.RemoveChildCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.AuthorityKeyId, types.CertificateIdentifier{ + Subject: icaCerts.Subject, + SubjectKeyId: icaCerts.SubjectKeyId, + }) + } } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k._removeRevokedNocX509IcaCert(ctx, certID, &revCerts) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + k.removeRevokedNocX509IcaCert(ctx, certID, &revCerts) } } else { - // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global certificates -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc certificates map - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc ica certificates map - k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - // remove from vid, subject key id map - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) // remove from revoked list k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from noc certificates map + k.RemoveNocCertificate(ctx, cert.Subject, cert.SubjectKeyId, accountVid, false) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates[0].Issuer, certificates[0].AuthorityKeyId, certID) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) @@ -106,7 +108,7 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem return &types.MsgRemoveNocX509IcaCertResponse{}, nil } -func (k msgServer) _removeRevokedNocX509IcaCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocIcaCertificates) { +func (k msgServer) removeRevokedNocX509IcaCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocIcaCertificates) { if len(certificates.Certs) == 0 { k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) } else { diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go index c14313a05..ee65c2600 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go @@ -56,7 +56,7 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe } if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } @@ -66,33 +66,27 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe if foundActive { // Remove from lists - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &nocCerts.Certs) - k.removeNocX509Cert(ctx, certID, &nocCerts, accountVid, msg.SerialNumber, true) + k.RemoveNocCertBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &nocCerts, + accountVid, + msg.SerialNumber, + cert.Issuer, + true, + ) } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k._removeRevokedNocX509RootCert(ctx, certID, &revCerts) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + k.removeRevokedNocX509RootCert(ctx, certID, &revCerts) } } else { - // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc certificates map - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc root certificates map - k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - // remove from vid, subject key id map - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) // remove from revoked noc root certs k.RemoveRevokedNocRootCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from noc certificates map + k.RemoveNocCertificate(ctx, cert.Subject, cert.SubjectKeyId, accountVid, true) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Subject, cert.SerialNumber) @@ -102,7 +96,7 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe return &types.MsgRemoveNocX509RootCertResponse{}, nil } -func (k msgServer) _removeRevokedNocX509RootCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocRootCertificates) { +func (k msgServer) removeRevokedNocX509RootCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocRootCertificates) { if len(certificates.Certs) == 0 { k.RemoveRevokedNocRootCertificates(ctx, certID.Subject, certID.SubjectKeyId) } else { diff --git a/x/pki/keeper/msg_server_remove_x_509_cert.go b/x/pki/keeper/msg_server_remove_x_509_cert.go index 7f8269477..d1bf40047 100644 --- a/x/pki/keeper/msg_server_remove_x_509_cert.go +++ b/x/pki/keeper/msg_server_remove_x_509_cert.go @@ -44,13 +44,8 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 return nil, err } - certID := types.CertificateIdentifier{ - Subject: msg.Subject, - SubjectKeyId: msg.SubjectKeyId, - } - - if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + if msg.SerialNumber != "" { //nolint:nestif + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } @@ -59,28 +54,37 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 k.RemoveUniqueCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.SerialNumber) if foundApproved { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &aprCerts.Certs) - k.removeApprovedX509Cert(ctx, certID, &aprCerts, msg.SerialNumber) + k.RemoveDaCertificateBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &aprCerts, + certBySerialNumber.SerialNumber, + certBySerialNumber.Issuer, + false, + ) + if len(aprCerts.Certs) == 0 { + k.RemoveChildCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.AuthorityKeyId, types.CertificateIdentifier{ + Subject: aprCerts.Subject, + SubjectKeyId: aprCerts.SubjectKeyId, + }) + } } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k.removeOrUpdateRevokedX509Cert(ctx, certID, &revCerts) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + k.removeOrUpdateRevokedX509Cert(ctx, msg.Subject, msg.SubjectKeyId, &revCerts) } } else { - // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // remove from approved certificates map - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + certIdentifier := types.CertificateIdentifier{ + Subject: msg.Subject, + SubjectKeyId: msg.SubjectKeyId, + } + // remove from da certificates map + k.RemoveDaCertificate(ctx, msg.Subject, msg.SubjectKeyId, false) // remove from revoked list - k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveRevokedCertificates(ctx, msg.Subject, msg.SubjectKeyId) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates[0].Issuer, certificates[0].AuthorityKeyId, certIdentifier) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go index add76ed31..18e9bf03a 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go @@ -44,12 +44,12 @@ func (k msgServer) RevokeNocX509IcaCert(goCtx context.Context, msg *types.MsgRev } if msg.SerialNumber != "" { - err = k._revokeNocCertificate(ctx, msg.SerialNumber, certificates, cert.Vid) + err = k.revokeNocIcaCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) if err != nil { return nil, err } } else { - k._revokeNocIcaCertificates(ctx, certificates, cert.Vid) + k.revokeNocIcaCertificate(ctx, certificates, cert.Vid) } if msg.RevokeChild { @@ -60,70 +60,59 @@ func (k msgServer) RevokeNocX509IcaCert(goCtx context.Context, msg *types.MsgRev return &types.MsgRevokeNocX509IcaCertResponse{}, nil } -func (k msgServer) _revokeNocCertificate( +func (k msgServer) revokeNocIcaCertificateBySerialNumber( ctx sdk.Context, serialNumber string, certificates types.NocCertificates, vid int32, ) error { - cert, found := findCertificate(serialNumber, &certificates.Certs) + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) if !found { return pkitypes.NewErrCertificateBySerialNumberDoesNotExist( certificates.Subject, certificates.SubjectKeyId, serialNumber, ) } - revCerts := types.RevokedNocIcaCertificates{ + k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: cert.Subject, SubjectKeyId: cert.SubjectKeyId, Certs: []*types.Certificate{cert}, - } - k.AddRevokedNocIcaCertificates(ctx, revCerts) + }) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) + k.RemoveNocCertBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + vid, + cert.SerialNumber, + cert.Issuer, + false, + ) if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocIcaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - k.RemoveNocCertificatesByVidAndSkid(ctx, vid, cert.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocIcaCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) - k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) + k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + }) } return nil } -func (k msgServer) _revokeNocIcaCertificates(ctx sdk.Context, certificates types.NocCertificates, vid int32) { +func (k msgServer) revokeNocIcaCertificate(ctx sdk.Context, certificates types.NocCertificates, vid int32) { + certID := types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + } // Add certs into revoked lists k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - // remove cert from global certs list - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject map - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC certs list - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC ica certs list - k.RemoveNocIcaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, certificates.Subject, certificates.SubjectKeyId) + // Remove certificate from noc list + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid, false) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) } diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go index 043f4d65b..e8872dabb 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go @@ -45,91 +45,62 @@ func (k msgServer) RevokeNocX509RootCert(goCtx context.Context, msg *types.MsgRe } if msg.SerialNumber != "" { - err = k._revokeNocRootCertificate(ctx, msg.SerialNumber, certificates, cert.Vid) + err = k.revokeNocRootCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) if err != nil { return nil, err } } else { - k._revokeNocRootCertificates(ctx, certificates, cert.Vid) + k.revokeNocRootCertificate(ctx, certificates, cert.Vid) } if msg.RevokeChild { - certID := types.CertificateIdentifier{ - Subject: msg.Subject, - SubjectKeyId: msg.SubjectKeyId, - } // Remove certificate identifier from issuer's ChildCertificates record - k.RevokeNocChildCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RevokeNocChildCertificates(ctx, msg.Subject, msg.SubjectKeyId) } return &types.MsgRevokeNocX509RootCertResponse{}, nil } -func (k msgServer) _revokeNocRootCertificate( +func (k msgServer) revokeNocRootCertificateBySerialNumber( ctx sdk.Context, serialNumber string, certificates types.NocCertificates, vid int32, ) error { - cert, found := findCertificate(serialNumber, &certificates.Certs) + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) if !found { return pkitypes.NewErrCertificateBySerialNumberDoesNotExist( certificates.Subject, certificates.SubjectKeyId, serialNumber, ) } - revNocCerts := types.RevokedNocRootCertificates{ + k.AddRevokedNocRootCertificates(ctx, types.RevokedNocRootCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: []*types.Certificate{cert}, - } - k.AddRevokedNocRootCertificates(ctx, revNocCerts) + }) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) - - if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocRootCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - k.RemoveNocCertificatesByVidAndSkid(ctx, vid, cert.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocRootCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) - k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - } + k.RemoveNocCertBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + vid, + serialNumber, + cert.Issuer, + true, + ) return nil } -func (k msgServer) _revokeNocRootCertificates(ctx sdk.Context, certificates types.NocCertificates, vid int32) { +func (k msgServer) revokeNocRootCertificate(ctx sdk.Context, certificates types.NocCertificates, vid int32) { // Add certs into revoked lists k.AddRevokedNocRootCertificates(ctx, types.RevokedNocRootCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - - // remove cert from global certs list - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject map - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC certs list - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC ica certs list - k.RemoveNocRootCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, certificates.Subject, certificates.SubjectKeyId) + // Remove certificate from noc list + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid, true) } diff --git a/x/pki/keeper/msg_server_revoke_x_509_cert.go b/x/pki/keeper/msg_server_revoke_x_509_cert.go index 614b3f3ea..3b3eab9ee 100644 --- a/x/pki/keeper/msg_server_revoke_x_509_cert.go +++ b/x/pki/keeper/msg_server_revoke_x_509_cert.go @@ -41,14 +41,12 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50 } if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates.Certs) - if !found { - return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) + err = k.revokeDaCertificateBySerialNumber(ctx, msg.SerialNumber, certificates) + if err != nil { + return nil, err } - - k._revokeX509Certificate(ctx, certBySerialNumber, certIdentifier, certificates) } else { - k._revokeX509Certificates(ctx, certIdentifier, certificates) + k.revokeDaCertificate(ctx, certIdentifier, certificates) } if msg.RevokeChild { @@ -59,48 +57,48 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50 return &types.MsgRevokeX509CertResponse{}, nil } -func (k msgServer) _revokeX509Certificates(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { +func (k msgServer) revokeDaCertificate(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { // Revoke certificates with given subject/subjectKeyID k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - // Remove certificate from global list - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from global list -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from global list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from approved list - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // Remove certificate from da list + k.RemoveDaCertificate(ctx, certID.Subject, certID.SubjectKeyId, false) // Remove certificate identifier from issuer's ChildCertificates record k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) } -func (k msgServer) _revokeX509Certificate(ctx sdk.Context, cert *types.Certificate, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { - revCerts := types.RevokedCertificates{ +func (k msgServer) revokeDaCertificateBySerialNumber( + ctx sdk.Context, + serialNumber string, + certificates types.ApprovedCertificates, +) error { + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) + if !found { + return pkitypes.NewErrCertificateBySerialNumberDoesNotExist(certificates.Subject, certificates.SubjectKeyId, serialNumber) + } + + k.AddRevokedCertificates(ctx, types.RevokedCertificates{ Subject: cert.Subject, SubjectKeyId: cert.SubjectKeyId, Certs: []*types.Certificate{cert}, SchemaVersion: cert.SchemaVersion, - } - k.AddRevokedCertificates(ctx, revCerts) + }) + + k.RemoveDaCertificateBySerialNumber( + ctx, + certificates.Subject, + certificates.SubjectKeyId, + &certificates, + cert.SerialNumber, + cert.Issuer, + false, + ) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, certID) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveApprovedCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) + k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + }) } + + return nil } diff --git a/x/pki/keeper/noc_certificates_by_vid_and_skid.go b/x/pki/keeper/noc_certificates_by_vid_and_skid.go index 0e1368d04..00110d4bf 100644 --- a/x/pki/keeper/noc_certificates_by_vid_and_skid.go +++ b/x/pki/keeper/noc_certificates_by_vid_and_skid.go @@ -120,7 +120,7 @@ func (k Keeper) _filterAndSetNocCertificateByVidAndSkid( predicate CertificatePredicate, ) { nocCertificates, _ := k.GetNocCertificatesByVidAndSkid(ctx, vid, subjectKeyID) - filteredCertificates := filterCertificates(&nocCertificates.Certs, predicate) + filteredCertificates := FilterCertificateList(&nocCertificates.Certs, predicate) if len(filteredCertificates) > 0 { nocCertificates.Certs = filteredCertificates diff --git a/x/pki/keeper/proposed_certificate.go b/x/pki/keeper/proposed_certificate.go index 8d48ac46b..8f6e7245b 100644 --- a/x/pki/keeper/proposed_certificate.go +++ b/x/pki/keeper/proposed_certificate.go @@ -67,8 +67,7 @@ func (k Keeper) GetAllProposedCertificate(ctx sdk.Context) (list []types.Propose return } -// Check if the Proposed Certificate record associated with a -// Subject/SubjectKeyID combination is present in the store. +// IsProposedCertificatePresent Check if the Proposed Certificate record associated with a Subject/SubjectKeyID combination is present in the store. func (k Keeper) IsProposedCertificatePresent( ctx sdk.Context, subject string, diff --git a/x/pki/keeper/rejected_certificate.go b/x/pki/keeper/rejected_certificate.go index 3fd77aaf1..eaf3747d4 100644 --- a/x/pki/keeper/rejected_certificate.go +++ b/x/pki/keeper/rejected_certificate.go @@ -66,3 +66,17 @@ func (k Keeper) GetAllRejectedCertificate(ctx sdk.Context) (list []types.Rejecte return } + +// Check if the rejected certificate exists. +func (k Keeper) IsRejectedCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RejectedCertificateKeyPrefix)) + + return store.Has(types.RejectedCertificateKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/revoked_certificates.go b/x/pki/keeper/revoked_certificates.go index d9566d852..4c82926e1 100644 --- a/x/pki/keeper/revoked_certificates.go +++ b/x/pki/keeper/revoked_certificates.go @@ -96,9 +96,13 @@ func (k Keeper) AddRevokedCertificates(ctx sdk.Context, approvedCertificates typ ), b) } -func (k msgServer) removeOrUpdateRevokedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedCertificates) { +func (k msgServer) removeOrUpdateRevokedX509Cert( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.RevokedCertificates) { if len(certificates.Certs) == 0 { - k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveRevokedCertificates(ctx, subject, subjectKeyID) } else { k.SetRevokedCertificates( ctx, @@ -106,3 +110,17 @@ func (k msgServer) removeOrUpdateRevokedX509Cert(ctx sdk.Context, certID types.C ) } } + +// IsRevokedCertificatePresent Check if the Revoked Certificate is present in the store. +func (k Keeper) IsRevokedCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedCertificatesKeyPrefix)) + + return store.Has(types.RevokedCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/revoked_noc_ica_certificates.go b/x/pki/keeper/revoked_noc_ica_certificates.go index dc9578a02..f9bbddf8a 100644 --- a/x/pki/keeper/revoked_noc_ica_certificates.go +++ b/x/pki/keeper/revoked_noc_ica_certificates.go @@ -97,3 +97,17 @@ func (k Keeper) GetAllRevokedNocIcaCertificates(ctx sdk.Context) (list []types.R return } + +// IsRevokedNocIcaCertificatePresent Check if the Revoked Noc ICA Certificate record associated with a Subject/SubjectKeyID combination is present in the store. +func (k Keeper) IsRevokedNocIcaCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedNocIcaCertificatesKeyPrefix)) + + return store.Has(types.RevokedNocIcaCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/revoked_noc_root_certificates.go b/x/pki/keeper/revoked_noc_root_certificates.go index 4bb8a9f47..ed0b97a73 100644 --- a/x/pki/keeper/revoked_noc_root_certificates.go +++ b/x/pki/keeper/revoked_noc_root_certificates.go @@ -97,3 +97,17 @@ func (k Keeper) GetAllRevokedNocRootCertificates(ctx sdk.Context) (list []types. return } + +// IsRevokedNocRootCertificatePresent Check if the Revoked Noc Root Certificate record associated with a Subject/SubjectKeyID combination is present in the store. +func (k Keeper) IsRevokedNocRootCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedNocRootCertificatesKeyPrefix)) + + return store.Has(types.RevokedNocRootCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/unique_certificate.go b/x/pki/keeper/unique_certificate.go index bfa1b9e5b..272ab82ad 100644 --- a/x/pki/keeper/unique_certificate.go +++ b/x/pki/keeper/unique_certificate.go @@ -5,6 +5,7 @@ import ( sdk "github.com/cosmos/cosmos-sdk/types" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/x509" ) // SetUniqueCertificate set a specific uniqueCertificate in the store from its index. @@ -17,6 +18,16 @@ func (k Keeper) SetUniqueCertificate(ctx sdk.Context, uniqueCertificate types.Un ), b) } +// SetUniqueX509Certificate set a specific x509 certificate in the store from its index. +func (k Keeper) SetUniqueX509Certificate(ctx sdk.Context, x509Certificate *x509.Certificate) { + uniqueCertificate := types.UniqueCertificate{ + Issuer: x509Certificate.Issuer, + SerialNumber: x509Certificate.SerialNumber, + Present: true, + } + k.SetUniqueCertificate(ctx, uniqueCertificate) +} + // GetUniqueCertificate returns a uniqueCertificate from its index. func (k Keeper) GetUniqueCertificate( ctx sdk.Context, diff --git a/x/pki/handler_add_noc_ica_cert_test.go b/x/pki/tests/handler_add_noc_ica_cert_test.go similarity index 95% rename from x/pki/handler_add_noc_ica_cert_test.go rename to x/pki/tests/handler_add_noc_ica_cert_test.go index 7b5d1bdc0..482be236d 100644 --- a/x/pki/handler_add_noc_ica_cert_test.go +++ b/x/pki/tests/handler_add_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -14,39 +14,38 @@ import ( // Main -func TestHandler_AddNocX509Cert_AddNewIca(t *testing.T) { +func TestHandler_AddNocIntermediateCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add NOC ICA certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) - ensureNocIcaCertificateExist( + // Check: Noc + All + UniqueCertificate + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber, - vid, - false) + testconstants.Vid, + false, + ) // ChildCertificates: check that child certificates of issuer contains certificate identifier - issuerChildren, _ := queryChildCertificates( - setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 1, len(issuerChildren.CertIds)) - require.Equal(t, - &types.CertificateIdentifier{ - Subject: testconstants.NocCert1Subject, - SubjectKeyId: testconstants.NocCert1SubjectKeyID, - }, - issuerChildren.CertIds[0]) + ensureChildCertificateExist( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + ) } // Extra cases diff --git a/x/pki/handler_add_noc_root_cert_test.go b/x/pki/tests/handler_add_noc_root_cert_test.go similarity index 97% rename from x/pki/handler_add_noc_root_cert_test.go rename to x/pki/tests/handler_add_noc_root_cert_test.go index 46bd22302..46b78b1a4 100644 --- a/x/pki/handler_add_noc_root_cert_test.go +++ b/x/pki/tests/handler_add_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -13,16 +13,15 @@ import ( // Main -func TestHandler_AddNocX509Cert_AddNewRoot(t *testing.T) { +func TestHandler_AddNocRootCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + // Check: Noc + All + UniqueCertificate ensureNocRootCertificateExist( t, setup, @@ -30,7 +29,7 @@ func TestHandler_AddNocX509Cert_AddNewRoot(t *testing.T) { testconstants.NocRootCert1SubjectKeyID, testconstants.NocCert1Issuer, testconstants.NocRootCert1SerialNumber, - vid) + testconstants.Vid) } // Extra cases diff --git a/x/pki/handler_add_paa_cert_test.go b/x/pki/tests/handler_add_paa_cert_test.go similarity index 90% rename from x/pki/handler_add_paa_cert_test.go rename to x/pki/tests/handler_add_paa_cert_test.go index 871c10eeb..e68a07987 100644 --- a/x/pki/handler_add_paa_cert_test.go +++ b/x/pki/tests/handler_add_paa_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "math" @@ -18,15 +18,21 @@ import ( // Main -func TestHandler_ProposeAddX509RootCert_ByTrustee(t *testing.T) { +func TestHandler_ProposeAddDaRootCert(t *testing.T) { setup := Setup(t) - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + // propose DA root certificate + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) - // query proposed certificate + // Check: ProposedCertificate - present proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) @@ -35,43 +41,68 @@ func TestHandler_ProposeAddX509RootCert_ByTrustee(t *testing.T) { require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) require.True(t, proposedCertificate.HasApprovalFrom(proposeAddX509RootCert.Signer)) - // check that unique certificate key is registered + // Check: UniqueCertificate - present require.True(t, setup.Keeper.IsUniqueCertificatePresent( setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - // query approved certificate - _, err = querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: RejectedCertificate - empty + require.False(t, setup.Keeper.IsRejectedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - // query approved certificate - _, err = querySingleCertificateFromAllCertificatesIndex(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: Approved DA - empty + ensureCertificateNotPresentInDaCertificateIndexes( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + true, + false, + ) + + // Check: Global - empty + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + false, + ) } -func TestHandler_ApproveAddX509RootCert_ForEnoughApprovals(t *testing.T) { +func TestHandler_AddDaRootCert(t *testing.T) { setup := Setup(t) // propose add x509 root certificate by trustee - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) // approve by second trustee approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // DA proposed certificates indexes checks - // query proposed certificate must be empty - _, err = queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - // Check that root certificate exists - ensureDaPaaCertificateExist( + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -80,11 +111,17 @@ func TestHandler_ApproveAddX509RootCert_ForEnoughApprovals(t *testing.T) { testconstants.RootSerialNumber) } -func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) { +func TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account without trustee role - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) @@ -105,7 +142,11 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) // Until we hit 2/3 of the total number of Trustees, we should not be able to approve the certificate for i := 1; i < twoThirds-1; i++ { approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - trusteeAccounts[i].String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + trusteeAccounts[i].String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) @@ -120,16 +161,25 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // Check that root certificate exists - ensureDaPaaCertificateExist( + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) + + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootIssuer, - testconstants.RootSerialNumber) + testconstants.RootSerialNumber, + ) - // query approved certificate and we should get one back + // Check: Approvals approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) @@ -142,7 +192,7 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) require.Equal(t, approvedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) } -func TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees(t *testing.T) { +func TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees(t *testing.T) { setup := Setup(t) // we have 5 trustees: 1 approval comes from propose => we need 3 more approvals @@ -156,43 +206,70 @@ func TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees(t *test setup.AddAccount(fifthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) // approve x509 root certificate by account Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) // approve x509 root certificate by account Trustee3 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( + setup.Trustee3.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) // reject x509 root certificate by account Trustee4 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(fourthTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert( + fourthTrustee.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) require.NoError(t, err) - // certificate should be in the entity , because we haven't enough approvals - proposedCertificate, err := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) + // Check: ProposedCertificate - present because we haven't enough approvals + require.True(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) // approve x509 root certificate by account Trustee5 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert(fifthTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( + fifthTrustee.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // certificate should be in the entity , because we have enough approvals - ensureDaPaaCertificateExist( + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) + + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -257,7 +334,7 @@ func TestHandler_AddX509RootCertsBySubjectKeyId(t *testing.T) { require.Equal(t, testconstants.PAACertWithSameSubjectID2Subject, approvedCertificates[0].Certs[1].Subject) } -func TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded(t *testing.T) { +func TestHandler_RejectAddDaRootCert(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account Trustee1 @@ -310,6 +387,16 @@ func TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded(t *testing.T) { require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[0].Info) require.Equal(t, setup.Trustee3.String(), rejectedCertificate.Rejects[1].Address) require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[1].Info) + + // Check: Global + Approved DA + UniqueCertificate - missing + ensureDaRootCertificateNotExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSubject, + testconstants.RootSerialNumber, + false) } func TestHandler_ApproveX509RootCertAndRejectX509RootCert_FromTheSameTrustee(t *testing.T) { diff --git a/x/pki/handler_add_pai_cert_test.go b/x/pki/tests/handler_add_pai_cert_test.go similarity index 95% rename from x/pki/handler_add_pai_cert_test.go rename to x/pki/tests/handler_add_pai_cert_test.go index a6114db51..fb6a6beb9 100644 --- a/x/pki/handler_add_pai_cert_test.go +++ b/x/pki/tests/handler_add_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -15,14 +15,12 @@ import ( // Main -func TestHandler_AddX509Cert(t *testing.T) { +func TestHandler_AddDaIntermediateCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) - // add DA PAA certificate + // add DA root certificate rootCertOptions := createTestRootCertOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) @@ -31,8 +29,8 @@ func TestHandler_AddX509Cert(t *testing.T) { _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(t, err) - // Check that root certificate exists - ensureDaPaiCertificateExist( + // Check: DA + All + UniqueCertificate + ensureDaIntermediateCertificateExist( t, setup, testconstants.IntermediateSubject, @@ -42,20 +40,18 @@ func TestHandler_AddX509Cert(t *testing.T) { false) // ChildCertificates: check that child certificates of issuer contains certificate identifier - issuerChildren, _ := queryChildCertificates( - setup, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) - require.Equal(t, 1, len(issuerChildren.CertIds)) - require.Equal(t, - &types.CertificateIdentifier{ - Subject: testconstants.IntermediateSubject, - SubjectKeyId: testconstants.IntermediateSubjectKeyID, - }, - issuerChildren.CertIds[0]) + ensureChildCertificateExist( + t, + setup, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + ) - // check that no proposed certificate has been created - _, err = queryProposedCertificate(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)) } // Extra cases @@ -63,15 +59,17 @@ func TestHandler_AddX509Cert(t *testing.T) { func TestHandler_AddX509Cert_VIDScoped(t *testing.T) { setup := Setup(t) + accAddress := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) + // store root certificate rootCertOptions := createPAACertWithNumericVidOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.PAICertWithNumericPidVid, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddX509Cert( + accAddress.String(), + testconstants.PAICertWithNumericPidVid, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(t, err) diff --git a/x/pki/handler_add_revocation_test.go b/x/pki/tests/handler_add_revocation_test.go similarity index 99% rename from x/pki/handler_add_revocation_test.go rename to x/pki/tests/handler_add_revocation_test.go index 2b7e8e4b9..37ba9801d 100644 --- a/x/pki/handler_add_revocation_test.go +++ b/x/pki/tests/handler_add_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_assign_vid_test.go b/x/pki/tests/handler_assign_vid_test.go similarity index 99% rename from x/pki/handler_assign_vid_test.go rename to x/pki/tests/handler_assign_vid_test.go index 410500266..31b148079 100644 --- a/x/pki/handler_assign_vid_test.go +++ b/x/pki/tests/handler_assign_vid_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_delete_revocation_test.go b/x/pki/tests/handler_delete_revocation_test.go similarity index 99% rename from x/pki/handler_delete_revocation_test.go rename to x/pki/tests/handler_delete_revocation_test.go index bc2919b61..908af4135 100644 --- a/x/pki/handler_delete_revocation_test.go +++ b/x/pki/tests/handler_delete_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_remove_noc_ica_cert_test.go b/x/pki/tests/handler_remove_noc_ica_cert_test.go similarity index 87% rename from x/pki/handler_remove_noc_ica_cert_test.go rename to x/pki/tests/handler_remove_noc_ica_cert_test.go index 93140816a..258a4cdee 100644 --- a/x/pki/handler_remove_noc_ica_cert_test.go +++ b/x/pki/tests/handler_remove_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -15,6 +15,70 @@ import ( // Main +func TestHandler_RemoveNocIntermediateCert(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) + + // add NOC root certificate + addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + + // add intermediate certificate + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + + // remove intermediate certificate + removeIcaCert := types.NewMsgRemoveNocX509IcaCert( + vendorAccAddress.String(), + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeIcaCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + testconstants.Vid, + false, + false, + ) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1SerialNumber) + require.False(t, found) + + // Check: RevokedCertificates (ica) - missing + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) + require.False(t, found) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1AuthorityKeyID) + require.False(t, found) +} + func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { setup := Setup(t) @@ -27,9 +91,9 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // add two intermediate certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) // get certificates for further comparison nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) @@ -48,7 +112,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { require.NoError(t, err) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -59,7 +123,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { true, // leaf certificate with the same vid exists false) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -71,7 +135,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { false) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -116,13 +180,13 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add ICA certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Add ICA certificates with sam subject and SKID but different serial number - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) // Add a leaf certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) // get certificates for further comparison intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) @@ -153,7 +217,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) // Check that intermediate certificates with NocCert1CopySerialNumber exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1CopySubject, @@ -164,7 +228,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -200,7 +264,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates with NocCert1SerialNumber does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -212,7 +276,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { false) // Check that intermediate certificates with NocCert1CopySerialNumber does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -224,7 +288,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { false) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -264,10 +328,10 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Check that certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -290,7 +354,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { require.NoError(t, err) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -323,7 +387,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { require.Equal(t, true, allCerts[0].Certs[0].IsRoot) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -357,10 +421,10 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Check that certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -383,7 +447,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.NoError(t, err) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -400,14 +464,14 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.Equal(t, 1, len(revokedNocCerts.Certs)) // Add an intermediate certificate with new serial number - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) // Ensure that only 1 certificate exists intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) require.Equal(t, 1, len(intermediateCerts.Certs)) // Check that certificate exists (with new serial number) - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1CopySubject, @@ -433,7 +497,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.Equal(t, true, allCerts[0].Certs[0].IsRoot) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, diff --git a/x/pki/handler_remove_noc_root_cert_test.go b/x/pki/tests/handler_remove_noc_root_cert_test.go similarity index 90% rename from x/pki/handler_remove_noc_root_cert_test.go rename to x/pki/tests/handler_remove_noc_root_cert_test.go index 36bd8b81e..891e7d33b 100644 --- a/x/pki/handler_remove_noc_root_cert_test.go +++ b/x/pki/tests/handler_remove_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -15,6 +15,60 @@ import ( // Main +func TestHandler_RemoveNocRootCert(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) + + // add NOC root certificates + addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + + // remove noc root certificate + removeIcaCert := types.NewMsgRemoveNocX509RootCert( + vendorAccAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeIcaCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.Vid, + true, + false, + ) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Issuer, + testconstants.NocRootCert1SerialNumber) + require.False(t, found) + + // Check: RevokedCertificates (root) - missing + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) + require.False(t, found) +} + func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { setup := Setup(t) @@ -28,7 +82,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // get certificates for further comparison nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) @@ -53,7 +107,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) // Check that root certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -65,7 +119,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -77,7 +131,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { false) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -101,7 +155,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add ICA certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // remove NOC root certificate by serial number removeIcaCert := types.NewMsgRemoveNocX509RootCert( @@ -132,7 +186,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { vid) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -158,7 +212,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) // Check that root certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -170,7 +224,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -182,7 +236,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { false) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -206,7 +260,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // revoke NOC root certificates revokeX509Cert := types.NewMsgRevokeNocX509RootCert( @@ -221,7 +275,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.NoError(t, err) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -233,7 +287,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { true) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -252,7 +306,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.Equal(t, testconstants.NocRootCert1CopySubjectKeyID, revokedCerts.Certs[1].SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -277,7 +331,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, allCerts[0].Certs[0].SerialNumber) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -288,7 +342,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -300,7 +354,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { true) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, diff --git a/x/pki/handler_remove_pai_cert_test.go b/x/pki/tests/handler_remove_pai_cert_test.go similarity index 84% rename from x/pki/handler_remove_pai_cert_test.go rename to x/pki/tests/handler_remove_pai_cert_test.go index 80b81842b..d9c3f6446 100644 --- a/x/pki/handler_remove_pai_cert_test.go +++ b/x/pki/tests/handler_remove_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -15,7 +15,93 @@ import ( // Main -func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) + + // propose and approve x509 root certificate + rootCertOptions := &rootCertOptions{ + pemCert: testconstants.RootCertWithSameSubjectAndSKID1, + subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, + subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + info: testconstants.Info, + vid: testconstants.RootCertWithVidVid, + } + proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + + // Add intermediate certificates + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + + // Remove intermediate certificate + removeX509Cert := types.NewMsgRemoveX509Cert( + vendorAccAddress.String(), + testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeX509Cert) + require.NoError(t, err) + + // Check: only one certificate exists + allCerts, _ := queryAllApprovedCertificates(setup) + require.Equal(t, 1, len(allCerts)) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.False(t, found) + + // Check: RevokedCertificates - missing + found = setup.Keeper.IsProposedCertificatePresent(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) + require.False(t, found) + + // Check: ProposedCertificateRevocation - missing + found = setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + testconstants.IntermediateSerialNumber, + ) + require.False(t, found) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + ) + + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + false, + ) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID) + require.False(t, found) + + // Check: root exists + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) +} + +func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { setup := Setup(t) // Add vendor account @@ -33,11 +119,11 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) // get certificates for further comparison allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) @@ -61,7 +147,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -71,7 +157,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { false, true) // leaf has same subject - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -82,7 +168,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { true) // leaf has same subject // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, @@ -92,7 +178,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { false) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -101,7 +187,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) } -func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { +func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { setup := Setup(t) // Add vendor account @@ -119,11 +205,11 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) // remove intermediate certificate by serial number removeX509Cert := types.NewMsgRemoveX509Cert( @@ -141,7 +227,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) // Check that intermediate certificates exist - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -151,7 +237,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { true) // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, @@ -161,7 +247,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { true) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -184,7 +270,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -194,7 +280,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { false, true) // leaf has same subject - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -205,7 +291,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { true) // leaf has same subject // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, @@ -215,7 +301,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { true) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -242,7 +328,7 @@ func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates again - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // revoke intermediate certificate by serial number revokeX509Cert := types.NewMsgRevokeX509Cert( @@ -274,7 +360,7 @@ func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { _, err = setup.Handler(setup.Ctx, removeX509Cert) require.NoError(t, err) - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateSubject, diff --git a/x/pki/handler_revoke_noc_ica_cert_test.go b/x/pki/tests/handler_revoke_noc_ica_cert_test.go similarity index 86% rename from x/pki/handler_revoke_noc_ica_cert_test.go rename to x/pki/tests/handler_revoke_noc_ica_cert_test.go index e5171f10a..852f9bd37 100644 --- a/x/pki/handler_revoke_noc_ica_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -16,6 +16,78 @@ import ( // Main +func TestHandler_RevokeNocIntermediateCert(t *testing.T) { + setup := Setup(t) + + accAddress := setup.CreateVendorAccount(testconstants.Vid) + + // add the first NOC root certificate + addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + + // add the NOC non-root certificate + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) + + // Revoke NOC with subject and subject key id only + revokeCert := types.NewMsgRevokeNocX509IcaCert( + accAddress.String(), + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + "", + testconstants.Info, + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + testconstants.Vid, + false, + false, + ) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1SerialNumber) + require.True(t, found) + + // Check: RevokedCertificates (ica) - present + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) + require.True(t, found) + + // Check: RevokedCertificates (root) - missing + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) + require.False(t, found) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1AuthorityKeyID) + require.False(t, found) +} + func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { setup := Setup(t) @@ -26,13 +98,13 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke NOC with subject and subject key id only revokeCert := types.NewMsgRevokeNocX509IcaCert( @@ -54,7 +126,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedNocCerts.SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -65,7 +137,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { true, // leaf certificate with the same vid exists true) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -77,7 +149,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -98,13 +170,13 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke noc with subject and subject key id and its child too revokeCert := types.NewMsgRevokeNocX509IcaCert( @@ -136,7 +208,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { require.Equal(t, testconstants.NocRootCert1SubjectKeyID, certs[0].SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -147,7 +219,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { false, true) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -159,7 +231,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocLeafCert1Subject, @@ -181,13 +253,13 @@ func TestHandler_RevokeNocX509Cert_RevokeBySerialNumber(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke NOC by serial number only revokeCert := types.NewMsgRevokeNocX509IcaCert( diff --git a/x/pki/handler_revoke_noc_root_cert_test.go b/x/pki/tests/handler_revoke_noc_root_cert_test.go similarity index 93% rename from x/pki/handler_revoke_noc_root_cert_test.go rename to x/pki/tests/handler_revoke_noc_root_cert_test.go index 334435aa2..efa6caec2 100644 --- a/x/pki/handler_revoke_noc_root_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -14,148 +14,73 @@ import ( "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) -func TestHandler_RevokeNocX509RootCert_SenderNotVendor(t *testing.T) { +// Main + +func TestHandler_RevokeNoRootCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) - // add the new NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) + // add the first NOC root certificate + addNocX509RootCert := types.NewMsgAddNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509RootCert) require.NoError(t, err) + // Revoke NOC root with subject and subject key id only revokeCert := types.NewMsgRevokeNocX509RootCert( - setup.Trustee1.String(), + accAddress.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, "", + testconstants.Info, false, ) _, err = setup.Handler(setup.Ctx, revokeCert) + require.NoError(t, err) - require.Error(t, err) - require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) -} - -func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - "", + testconstants.Vid, + true, false, ) - _, err := setup.Handler(setup.Ctx, revokeCert) - - require.Error(t, err) - require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) -} - -func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { - accAddress := GenerateAccAddress() - cases := []struct { - name string - existingCert *types.Certificate - nocRoorCert string - err error - }{ - { - name: "ExistingNonRootCert", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: false, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrInappropriateCertificateType, - }, - { - name: "ExistingNotNocCert", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: true, - CertificateType: types.CertificateType_DeviceAttestationPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrInappropriateCertificateType, - }, - { - name: "ExistingCertWithDifferentVid", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: true, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.VendorID1, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrCertVidNotEqualAccountVid, - }, - { - name: "ExistingCertWithDifferentSerialNumber", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: "1234567", - IsRoot: true, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrCertificateDoesNotExist, - }, - } + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + false, + ) - for _, tc := range cases { - t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Issuer, + testconstants.NocRootCert1SerialNumber) + require.True(t, found) - // add the existing certificate - setup.Keeper.AddNocCertificate(setup.Ctx, *tc.existingCert) - uniqueCertificate := types.UniqueCertificate{ - Issuer: tc.existingCert.Issuer, - SerialNumber: tc.existingCert.SerialNumber, - Present: true, - } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + // Check: RevokedCertificates (root) - present + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) + require.True(t, found) - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - "", - false, - ) - _, err := setup.Handler(setup.Ctx, revokeCert) - require.ErrorIs(t, err, tc.err) - }) - } + // Check: RevokedCertificates (ica) - missing + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) + require.False(t, found) } func TestHandler_RevokeNocX509RootCert_RevokeDefault(t *testing.T) { @@ -551,3 +476,151 @@ func TestHandler_RevokeNocX509RootCert_RevokeWithSerialNumberAndChild(t *testing require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) } + +// Extra cases + +// Error cases + +func TestHandler_RevokeNocX509RootCert_SenderNotVendor(t *testing.T) { + setup := Setup(t) + + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + // add the new NOC root certificate + addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) + _, err := setup.Handler(setup.Ctx, addNocX509RootCert) + require.NoError(t, err) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + setup.Trustee1.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err = setup.Handler(setup.Ctx, revokeCert) + + require.Error(t, err) + require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) +} + +func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { + setup := Setup(t) + + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + + require.Error(t, err) + require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) +} + +func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { + accAddress := GenerateAccAddress() + + cases := []struct { + name string + existingCert *types.Certificate + nocRoorCert string + err error + }{ + { + name: "ExistingNonRootCert", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: false, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.Vid, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrInappropriateCertificateType, + }, + { + name: "ExistingNotNocCert", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: true, + CertificateType: types.CertificateType_DeviceAttestationPKI, + Vid: testconstants.Vid, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrInappropriateCertificateType, + }, + { + name: "ExistingCertWithDifferentVid", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: true, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.VendorID1, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrCertVidNotEqualAccountVid, + }, + { + name: "ExistingCertWithDifferentSerialNumber", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: "1234567", + IsRoot: true, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.Vid, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrCertificateDoesNotExist, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + setup := Setup(t) + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + // add the existing certificate + setup.Keeper.AddNocCertificate(setup.Ctx, *tc.existingCert) + uniqueCertificate := types.UniqueCertificate{ + Issuer: tc.existingCert.Issuer, + SerialNumber: tc.existingCert.SerialNumber, + Present: true, + } + setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + require.ErrorIs(t, err, tc.err) + }) + } +} diff --git a/x/pki/handler_revoke_paa_cert_test.go b/x/pki/tests/handler_revoke_paa_cert_test.go similarity index 93% rename from x/pki/handler_revoke_paa_cert_test.go rename to x/pki/tests/handler_revoke_paa_cert_test.go index 09d724925..5d98bb878 100644 --- a/x/pki/handler_revoke_paa_cert_test.go +++ b/x/pki/tests/handler_revoke_paa_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "math" @@ -18,7 +18,7 @@ import ( // Main -func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { +func TestHandler_ProposeRevokeDaRootCert(t *testing.T) { setup := Setup(t) // propose x509 root certificate by `setup.Trustee` and approve by another trustee @@ -27,31 +27,36 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { // propose revocation of x509 root certificate by `setup.Trustee` proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + setup.Trustee1.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) - // query and check proposed certificate revocation + // Check: ProposedCertificateRevocation - present proposedRevocation, _ := queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber) require.Equal(t, testconstants.RootSubject, proposedRevocation.Subject) require.Equal(t, testconstants.RootSubjectKeyID, proposedRevocation.SubjectKeyId) require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee1.String())) - // check that approved certificate still exists - certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NotNil(t, certificate) + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // check that revoked certificate does not exist - _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key stays registered - require.True(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + require.False(t, setup.Keeper.IsRevokedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) } -func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing.T) { +func TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account without trustee role @@ -65,11 +70,14 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) - require.True(t, approvedCertificate.IsRoot) - require.True(t, approvedCertificate.HasApprovalFrom(setup.Trustee1.String())) + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // Create an array of trustee account from 1 to 50 trusteeAccounts := make([]sdk.AccAddress, 50) @@ -87,7 +95,12 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. // Trustee1 proposes to revoke the certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + setup.Trustee1.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -96,34 +109,67 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. for i := 1; i < twoThirds-1; i++ { // approve the revocation approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - trusteeAccounts[i].String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + trusteeAccounts[i].String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + testconstants.Info) _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) // check that the certificate is still not revoked - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) - require.True(t, approvedCertificate.IsRoot) + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) } // One more revoke will revoke the certificate approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + testconstants.Info) _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) - // Check that the certificate is revoked - ensureDaPaaCertificateDoesNotExist( + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, - testconstants.RootIssuer, + true, + false, + ) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + false, + ) + + // Check: ProposedCertificateRevocation - missing + found := setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, - true) + ) + require.False(t, found) + + // Check: UniqueCertificate - present + found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.True(t, found) - // Check that the certificate is revoked + // Check: Revoked - present revokedCertificate, err := querySingleRevokedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.NoError(t, err) require.Equal(t, testconstants.RootIssuer, revokedCertificate.Subject) @@ -137,7 +183,7 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. require.Equal(t, revokedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) } -func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { +func TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner(t *testing.T) { setup := Setup(t) // propose x509 root certificate by `setup.Trustee` and approve by another trustee @@ -150,7 +196,12 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { // propose revocation of x509 root certificate by new trustee proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + anotherTrustee.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -161,8 +212,13 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { require.True(t, proposedRevocation.HasRevocationFrom(anotherTrustee.String())) // check that approved certificate still exists - certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NotNil(t, certificate) + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // check that revoked certificate does not exist _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) @@ -187,10 +243,10 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // add intermediate x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // add leaf x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( @@ -252,7 +308,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { require.Nil(t, leafCertChildren) // check that root certificate does not exist - ensureDaPaaCertificateDoesNotExist( + ensureDaRootCertificateNotExist( t, setup, testconstants.RootSubject, @@ -262,7 +318,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { true) // check that intermediate certificate does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateSubject, @@ -273,7 +329,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { false) // check that intermediate certificate does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.LeafSubject, diff --git a/x/pki/handler_revoke_pai_cert_test.go b/x/pki/tests/handler_revoke_pai_cert_test.go similarity index 90% rename from x/pki/handler_revoke_pai_cert_test.go rename to x/pki/tests/handler_revoke_pai_cert_test.go index e36703547..8c7bcc451 100644 --- a/x/pki/handler_revoke_pai_cert_test.go +++ b/x/pki/tests/handler_revoke_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" @@ -15,12 +15,11 @@ import ( // Main -func TestHandler_RevokeX509Cert(t *testing.T) { +func TestHandler_RevokeDaIntermediateCert(t *testing.T) { setup := Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) // propose and approve x509 root certificate rootCertOptions := &rootCertOptions{ @@ -32,10 +31,10 @@ func TestHandler_RevokeX509Cert(t *testing.T) { } proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - // Add two intermediate certificates again - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + // Add intermediate certificate + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) - // revoke x509 certificate + // revoke intermediate certificate revokeX509Cert := types.NewMsgRevokeX509Cert( vendorAccAddress.String(), testconstants.IntermediateSubject, @@ -47,63 +46,77 @@ func TestHandler_RevokeX509Cert(t *testing.T) { _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) - // check that intermediate certificate has been revoked + // Check: Revoked - present allRevokedCertificates, _ := queryAllRevokedCertificates(setup) require.Equal(t, 1, len(allRevokedCertificates)) require.Equal(t, testconstants.IntermediateSubject, allRevokedCertificates[0].Subject) require.Equal(t, testconstants.IntermediateSubjectKeyID, allRevokedCertificates[0].SubjectKeyId) require.Equal(t, 1, len(allRevokedCertificates[0].Certs)) - ensureDaPaiCertificateDoesNotExist( + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.True(t, found) + + // Check: ProposedCertificateRevocation - missing + found = setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + testconstants.IntermediateSerialNumber, + ) + require.False(t, found) + + // Check: All - missing + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + ) + + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( t, setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, + false, + false, + ) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, testconstants.IntermediateIssuer, - testconstants.IntermediateSerialNumber, - true, - false) + testconstants.IntermediateAuthorityKeyID) + require.False(t, found) - // check that root certificate stays approved - ensureDaPaaCertificateExist( + // Check: Root stays approved + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSubject, testconstants.RootSerialNumber) - - // check that no proposed certificate revocations have been created - allProposedCertificateRevocations, _ := queryAllProposedCertificateRevocations(setup) - require.NoError(t, err) - require.Equal(t, 0, len(allProposedCertificateRevocations)) - - // check that child certificate identifiers list of issuer do not exist anymore - _, err = queryChildCertificates(setup, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key stays registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, - testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber)) } func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { setup := Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) // add root x509 certificate rootCertOptions := createTestRootCertOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // add intermediate x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // add leaf x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( @@ -130,7 +143,7 @@ func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { require.Equal(t, testconstants.IntermediateCertPem, allRevokedCertificates[1].Certs[0].PemCert) // check that root certificate stays approved - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -171,7 +184,7 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) intermediateCertificate.SerialNumber = SerialNumber @@ -184,7 +197,7 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { ) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // get certificates for further comparison allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) diff --git a/x/pki/handler_test.go b/x/pki/tests/handler_test.go similarity index 89% rename from x/pki/handler_test.go rename to x/pki/tests/handler_test.go index f5a489536..93dcb902a 100644 --- a/x/pki/handler_test.go +++ b/x/pki/tests/handler_test.go @@ -1,16 +1,17 @@ -package pki +package tests import ( "context" "testing" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "github.com/cosmos/cosmos-sdk/testutil/testdata" sdk "github.com/cosmos/cosmos-sdk/types" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" testkeeper "github.com/zigbee-alliance/distributed-compliance-ledger/testutil/keeper" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" @@ -74,6 +75,13 @@ func removeItemFromExpectedCalls(expectedCalls []*mock.Call, methodName string) } } +func (setup *TestSetup) CreateVendorAccount(vid int32) sdk.AccAddress { + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + + return accAddress +} + func (setup *TestSetup) AddAccount( accAddress sdk.AccAddress, roles []dclauthtypes.AccountRole, @@ -119,7 +127,7 @@ func Setup(t *testing.T) *TestSetup { Wctx: sdk.WrapSDKContext(ctx), Keeper: keeper, DclauthKeeper: dclauthKeeper, - Handler: NewHandler(*keeper), + Handler: pki.NewHandler(*keeper), Trustee1: GenerateAccAddress(), Trustee2: GenerateAccAddress(), Trustee3: GenerateAccAddress(), @@ -275,6 +283,23 @@ func querySingleApprovedCertificate( return certificates.Certs[0], nil } +func querySingleApprovedRootCertificate( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.Certificate, error) { + certificates, err := queryApprovedRootCertificates(setup, subject, subjectKeyID) + if err != nil { + return nil, err + } + + if len(certificates) > 1 { + require.Fail(setup.T, "More than 1 certificate returned") + } + + return certificates[0], nil +} + func queryApprovedCertificates( setup *TestSetup, subject string, @@ -903,7 +928,36 @@ func certificateIdentifier(subject string, subjectKeyID string) types.Certificat } } -func ensureCertificatePresentInGlobalCertificateIndexes( +func ensureUniqueCertificateCertificateExist( + t *testing.T, + setup *TestSetup, + issuer string, + serialNumber string, +) { + t.Helper() + + // UniqueCertificate: check that unique certificate key registered + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, issuer, serialNumber)) +} + +func ensureUniqueCertificateCertificateNotExist( + t *testing.T, + setup *TestSetup, + issuer string, + serialNumber string, + skipCheck bool, +) { + t.Helper() + + if !skipCheck { + // UniqueCertificate: check that unique certificate key registered + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, issuer, serialNumber) + require.False(t, found) + } +} + +func ensureGlobalCertificateExist( t *testing.T, setup *TestSetup, subject string, @@ -934,7 +988,7 @@ func ensureCertificatePresentInGlobalCertificateIndexes( } } -func ensureCertificateNotPresentInGlobalCertificateIndexes( +func ensureGlobalCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -978,6 +1032,15 @@ func ensureCertificatePresentInDaCertificateIndexes( require.Equal(t, serialNumber, approvedCertificate.SerialNumber) require.Equal(t, isRoot, approvedCertificate.IsRoot) + if isRoot { + // DaCertificates: Root Subject and SKID + approvedRootCertificate, _ := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) + require.Equal(t, subject, approvedRootCertificate.Subject) + require.Equal(t, subjectKeyID, approvedRootCertificate.SubjectKeyId) + require.Equal(t, serialNumber, approvedRootCertificate.SerialNumber) + require.Equal(t, isRoot, approvedRootCertificate.IsRoot) + } + // DaCertificates: SKID certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) require.Len(t, certificateBySubjectKeyID, 1) @@ -992,6 +1055,39 @@ func ensureCertificatePresentInDaCertificateIndexes( } } +func ensureCertificateNotPresentInDaCertificateIndexes( + t *testing.T, + setup *TestSetup, + subject string, + subjectKeyID string, + isRoot bool, + skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition +) { + t.Helper() + + // DA certificates indexes checks + + // DaCertificates: Subject and SKID + _, err := querySingleApprovedCertificate(setup, subject, subjectKeyID) + require.Equal(t, codes.NotFound, status.Code(err)) + + if isRoot { + // DaCertificates: Root Subject and SKID + _, err := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) + require.Equal(t, codes.NotFound, status.Code(err)) + } + + // DaCertificates: SubjectKeyID + certificatesBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) + require.Empty(t, certificatesBySubjectKeyID) + + if !skipCheckForSubject { + // NocCertificates: Subject + _, err = queryApprovedCertificatesBySubject(setup, subject) + require.Equal(t, codes.NotFound, status.Code(err)) + } +} + func ensureCertificatePresentInNocCertificateIndexes( t *testing.T, setup *TestSetup, @@ -1050,32 +1146,6 @@ func ensureCertificatePresentInNocCertificateIndexes( } } -func ensureCertificateNotPresentInDaCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // DA certificates indexes checks - - // DaCertificates: Subject and SKID - _, err := querySingleApprovedCertificate(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // DaCertificates: SubjectKeyID - certificatesBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Empty(t, certificatesBySubjectKeyID) - - if !skipCheckForSubject { - // NocCertificates: Subject - _, err = queryApprovedCertificatesBySubject(setup, subject) - require.Equal(t, codes.NotFound, status.Code(err)) - } -} - func ensureCertificateNotPresentInNocCertificateIndexes( t *testing.T, setup *TestSetup, @@ -1119,36 +1189,7 @@ func ensureCertificateNotPresentInNocCertificateIndexes( } } -func ensureCertificatePresentInUniqueCertificateIndexes( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, -) { - t.Helper() - - // UniqueCertificate: check that unique certificate key registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, issuer, serialNumber)) -} - -func ensureCertificateNotPresentInUniqueCertificateIndexes( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, - skipCheck bool, -) { - t.Helper() - - if !skipCheck { - // UniqueCertificate: check that unique certificate key registered - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, issuer, serialNumber) - require.False(t, found) - } -} - -func ensureDaPaaCertificateExist( +func ensureDaRootCertificateExist( t *testing.T, setup *TestSetup, subject string, @@ -1162,13 +1203,13 @@ func ensureDaPaaCertificateExist( ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, true, false) // All certificates indexes checks - ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false) + ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber) + ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) } -func ensureDaPaiCertificateExist( +func ensureDaIntermediateCertificateExist( t *testing.T, setup *TestSetup, subject string, @@ -1183,13 +1224,13 @@ func ensureDaPaiCertificateExist( ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false, skipCheckForSubject) // All certificates indexes checks - ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, skipCheckForSubject) + ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, skipCheckForSubject) // UniqueCertificate: check that unique certificate key registered - ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber) + ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) } -func ensureDaPaaCertificateDoesNotExist( +func ensureDaRootCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -1201,16 +1242,16 @@ func ensureDaPaaCertificateDoesNotExist( t.Helper() // DA certificates indexes checks - ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, false) + ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, true, false) // All certificates indexes checks - ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false) + ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, isRevoked) + ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, isRevoked) } -func ensureDaPaiCertificateDoesNotExist( +func ensureDaIntermediateCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -1223,13 +1264,13 @@ func ensureDaPaiCertificateDoesNotExist( t.Helper() // DA certificates indexes checks - ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, skipCheckForSubject) + ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, false, skipCheckForSubject) // All certificates indexes checks - ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, skipCheckForSubject) + ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, skipCheckForSubject) // UniqueCertificate: check that unique certificate key registered - ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness) + ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) } func ensureNocRootCertificateExist( @@ -1247,13 +1288,13 @@ func ensureNocRootCertificateExist( ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, true, false) // All certificates indexes checks - ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false) + ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber) + ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) } -func ensureNocIcaCertificateExist( +func ensureNocIntermediateCertificateExist( t *testing.T, setup *TestSetup, subject string, @@ -1269,13 +1310,13 @@ func ensureNocIcaCertificateExist( ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, false, skipCheckByVid) // All certificates indexes checks - ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false) + ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber) + ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber) } -func ensureNocIcaCertificateDoesNotExist( +func ensureNocIntermediateCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -1292,13 +1333,13 @@ func ensureNocIcaCertificateDoesNotExist( ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, false, skipCheckByVid) // All certificates indexes checks - ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false) + ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness) + ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) } -func ensureNocRootCertificateDoesNotExist( +func ensureNocRootCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -1315,13 +1356,33 @@ func ensureNocRootCertificateDoesNotExist( ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, true, skipCheckByVid) // All certificates indexes checks - ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false) + ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false) // UniqueCertificate: check that unique certificate key registered - ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness) + ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness) +} + +func ensureChildCertificateExist( + t *testing.T, + setup *TestSetup, + subject string, + subjectKeyID string, + issuer string, + authorityKeyId string, +) { + t.Helper() + + issuerChildren, _ := queryChildCertificates(setup, subject, subjectKeyID) + require.Equal(t, 1, len(issuerChildren.CertIds)) + + certID := types.CertificateIdentifier{ + Subject: issuer, + SubjectKeyId: authorityKeyId, + } + require.Equal(t, &certID, issuerChildren.CertIds[0]) } -func addDaPaiCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { +func addDaIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { addX509Cert := types.NewMsgAddX509Cert(address.String(), pemCert, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(setup.T, err) @@ -1334,7 +1395,7 @@ func addNocRootCertificate(setup *TestSetup, address sdk.AccAddress, pemCert str require.NoError(setup.T, err) } -func addNocIcaCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { +func addNocIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) { // add the new NOC root certificate nocX509Cert := types.NewMsgAddNocX509IcaCert(address.String(), pemCert, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, nocX509Cert) diff --git a/x/pki/handler_update_revocation_test.go b/x/pki/tests/handler_update_revocation_test.go similarity index 99% rename from x/pki/handler_update_revocation_test.go rename to x/pki/tests/handler_update_revocation_test.go index 3e08db1f4..bb6af8de4 100644 --- a/x/pki/handler_update_revocation_test.go +++ b/x/pki/tests/handler_update_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/revocation_message_utils_test.go b/x/pki/tests/revocation_message_utils_test.go similarity index 99% rename from x/pki/revocation_message_utils_test.go rename to x/pki/tests/revocation_message_utils_test.go index 207b923c4..9f116f521 100644 --- a/x/pki/revocation_message_utils_test.go +++ b/x/pki/tests/revocation_message_utils_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/tests/test-design.md b/x/pki/tests/test-design.md new file mode 100644 index 000000000..6fb04fdfb --- /dev/null +++ b/x/pki/tests/test-design.md @@ -0,0 +1,276 @@ +## [Add DA Root](./handler_add_paa_cert_test.go) + +### Propose adding of DA root certificate + +Indexes to check: + +* Present: + * `ProposedCertificate` + * `UniqueCertificate` +* Missing: + * `RejectedCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose adding of DA root certificate: `TestHandler_ProposeAddDaRootCert` + * Propose adding of previously rejected DA root certificate: ? + * Propose adding of DA root certificate with same Subject/SKID as existing Approved certificate but different Serial + Number: `TestHandler_ProposeAddX509RootCert_ForDifferentSerialNumber` (need to rewrite) +* Negative: + * TBD + +### Propose and approve adding of DA root certificate + +Indexes: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject +* Missing: + * `ProposedCertificate` + +Test cases: + +* Positive: + * Propose add approve adding of DA root certificate: `TestHandler_AddDaRootCert`, + `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded`, + `TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees` +* Negative: + * TBD + +### Propose and reject adding of DA root certificate + +Indexes: + +* Present: + * `RejectedCertificate` +* Missing: + * `ProposedCertificate` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose add reject adding of DA root certificate: `TestHandler_RejectAddDaRootCert`, +* Negative: + * TBD + +## [Add DA Intermediate](./handler_add_pai_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent +* Missing: + * `ProposedCertificate` + +Test cases: + +* Positive: + * Add DA intermediate certificate: `TestHandler_AddDaIntermediateCert` +* Negative: + * TBD + +## [Revoke DA Root](./handler_revoke_paa_cert_test.go) + +### Propose revocation of DA root certificate + +Indexes to check: + +* Present: + * `ProposedCertificateRevocation` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject +* Missing: + * `RevokedCertificates` + +Test cases: + +* Positive: + * Propose revocation of DA root certificate: `TestHandler_ProposeRevokeDaRootCert` + * Propose revocation of DA root certificate by not owner: `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` +* Negative: + * TBD + +### Propose and approve revocation of DA root certificate + +Indexes: + +* Present: + * `RevokedCertificates` + * `UniqueCertificate` +* Missing: + * `ProposedCertificateRevocation` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose and approve revocation of DA root certificate: `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` +* Negative: + * TBD + +## [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go) + +Indexes to check: + +* Present: + * `RevokedCertificates` + * `UniqueCertificate` + * Root - stays approved +* Missing: + * `ProposedCertificateRevocation` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Revoke DA intermediate certificate: `TestHandler_RevokeDaIntermediateCert` +* Negative: + * TBD + +## [Remove DA Intermediate](./handler_remove_pai_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * `RevokedCertificates` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Remove DA intermediate certificate: `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` +* Negative: + * TBD + +## [Add Noc Root](./handler_add_noc_root_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID +* Missing: + * no + +Test cases: + +* Positive: + * Add Noc root certificate: `TestHandler_AddNocRootCert` +* Negative: + * TBD + +## [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent +* Missing: + * no + +Test cases: + +* Positive: + * Add Noc intermediate certificate: `TestHandler_AddNocIntermediateCert` +* Negative: + * TBD + +## [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go) + +Indexes: + +* Present: + * `RevokedCertificates` (root) + * `UniqueCertificate` +* Missing: + * `RevokedCertificates` (ica) + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID + +* Positive: + * Revoke Noc root certificate: `TestHandler_RevokeNoRootCert` +* Negative: + * TBD + +## [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go) + +Indexes: + +* Present: + * `RevokedCertificates` (ica) + * `UniqueCertificate` +* Missing: + * `RevokedCertificates` (root) + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Revoke Noc ica certificate: `TestHandler_RevokeNocIntermediateCert` +* Negative: + * TBD + +## [Remove Noc Root](./handler_remove_noc_root_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * `RevokedCertificates` (root) + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID + +Test cases: + +* Positive: + * Remove Noc root certificate by Subject/SKID: `TestHandler_RemoveNocRootCert` +* Negative: + * TBD + +## [Remove Noc Intermediate](./handler_remove_noc_ica_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * `RevokedCertificates` (ica) + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Remove Noc ica certificate by Subject/SKID: `TestHandler_RemoveNocIntermediateCert` +* Negative: + * TBD \ No newline at end of file