Skip to content

Commit

Permalink
#535 Enable providing serial number while revoking x509 certs
Browse files Browse the repository at this point in the history
Resolve MR comments

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
  • Loading branch information
Abdulbois committed Feb 15, 2024
1 parent 2f8b273 commit a1070bc
Show file tree
Hide file tree
Showing 5 changed files with 63 additions and 66 deletions.
1 change: 0 additions & 1 deletion integration_tests/cli/pki-revocation-with-serial-number.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ trustee_account="jack"
second_trustee_account="alice"

echo "Create a VendorAdmin Account"
create_new_account vendor_admin_account "VendorAdmin"

test_divider

Expand Down
50 changes: 30 additions & 20 deletions x/pki/keeper/approved_certificates.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,26 +74,6 @@ func (k Keeper) RemoveApprovedCertificates(
))
}

func (k Keeper) removeCertFromList(serialNumber string, certs *types.ApprovedCertificates) {
certIndex := -1

for i, cert := range certs.Certs {
if cert.SerialNumber == serialNumber {
certIndex = i

break
}
}
if certIndex == -1 {
return
}
if certIndex == len(certs.Certs)-1 {
certs.Certs = certs.Certs[:certIndex]
} else {
certs.Certs = append(certs.Certs[:certIndex], certs.Certs[certIndex+1:]...)
}
}

// GetAllApprovedCertificates returns all approvedCertificates.
func (k Keeper) GetAllApprovedCertificates(ctx sdk.Context) (list []types.ApprovedCertificates) {
store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ApprovedCertificatesKeyPrefix))
Expand Down Expand Up @@ -195,3 +175,33 @@ func (k Keeper) verifyCertificate(ctx sdk.Context,
fmt.Sprintf("Certificate verification failed for certificate with subject=%v and subjectKeyID=%v",
x509Certificate.Subject, x509Certificate.SubjectKeyID))
}

func (k Keeper) removeCertFromList(issuer string, serialNumber string, certs *types.ApprovedCertificates) {
certIndex := -1

for i, cert := range certs.Certs {
if cert.SerialNumber == serialNumber && cert.Issuer == issuer {
certIndex = i

break
}
}
if certIndex == -1 {
return
}
if certIndex == len(certs.Certs)-1 {
certs.Certs = certs.Certs[:certIndex]
} else {
certs.Certs = append(certs.Certs[:certIndex], certs.Certs[certIndex+1:]...)
}
}

func findCertificate(serialNumber string, certificates *[]*types.Certificate) (*types.Certificate, bool) {
for _, cert := range *certificates {
if cert.SerialNumber == serialNumber {
return cert, true
}
}

return nil, false
}
55 changes: 29 additions & 26 deletions x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,30 +54,19 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M
if !found {
return nil, pkitypes.NewErrCertificateDoesNotExist(msg.Subject, msg.SubjectKeyId)
}

var certBySerialNumber *types.Certificate
// Assign the approvals to the root certificate
for _, cert := range certificates.Certs {
if cert.IsRoot {
cert.Approvals = revocation.Approvals
}
if msg.SerialNumber != "" && cert.SerialNumber == msg.SerialNumber {
certBySerialNumber = cert

break
}
}
certID := types.CertificateIdentifier{
Subject: msg.Subject,
SubjectKeyId: msg.SubjectKeyId,
}
k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber)
k.AddRevokedRootCertificate(ctx, certID)
k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber)

certBySerialNumber, _ := findCertificate(msg.SerialNumber, &certificates.Certs)
if certBySerialNumber != nil {
k._removeAndRevokeBySerialNumber(ctx, certBySerialNumber, certID, certificates)
certBySerialNumber.Approvals = revocation.Approvals
k._removeAndRevokeBySerialNumber(ctx, certBySerialNumber, certificates)
} else {
k._removeAndRevoke(ctx, certID, certificates)
k._removeAndRevoke(ctx, revocation.Approvals, certificates)
}
} else {
k.SetProposedCertificateRevocation(ctx, revocation)
Expand All @@ -86,30 +75,44 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M
return &types.MsgApproveRevokeX509RootCertResponse{}, nil
}

func (k msgServer) _removeAndRevoke(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) {
k.AddRevokedCertificates(ctx, certificates)
k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId)
k.RevokeChildCertificates(ctx, certID.Subject, certID.SubjectKeyId)

func (k msgServer) _removeAndRevoke(ctx sdk.Context, approvals []*types.Grant, certificates types.ApprovedCertificates) {
// Assign the approvals to the root certificate
for _, cert := range certificates.Certs {
if cert.IsRoot {
cert.Approvals = approvals
}
}
certID := types.CertificateIdentifier{
Subject: certificates.Subject,
SubjectKeyId: certificates.SubjectKeyId,
}
// remove from root certs index, add to revoked root certs
k.RemoveApprovedRootCertificate(ctx, certID)
k.AddRevokedCertificates(ctx, certificates)
k.RemoveApprovedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId)
k.RevokeChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId)
// remove from subject -> subject key ID map
k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId)
k.RemoveApprovedCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId)
// remove from subject key ID -> certificates map
k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId)
k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId)
}
func (k msgServer) _removeAndRevokeBySerialNumber(ctx sdk.Context, cert *types.Certificate, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) {
func (k msgServer) _removeAndRevokeBySerialNumber(ctx sdk.Context, cert *types.Certificate, certificates types.ApprovedCertificates) {
k.AddRevokedCertificates(ctx,
types.ApprovedCertificates{
Subject: cert.Subject,
SubjectKeyId: cert.SubjectKeyId,
Certs: []*types.Certificate{cert},
})
k.removeCertFromList(cert.SerialNumber, &certificates)
k.removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates)
if len(certificates.Certs) == 0 {
k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId)
k.RevokeChildCertificates(ctx, cert.Subject, cert.SubjectKeyId)
k.RemoveApprovedRootCertificate(ctx, certID)
k.RemoveApprovedRootCertificate(ctx,
types.CertificateIdentifier{
Subject: certificates.Subject,
SubjectKeyId: certificates.SubjectKeyId,
},
)
k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId)
k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId)
} else {
Expand Down
11 changes: 2 additions & 9 deletions x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M

// get corresponding approved certificates
certificates, found := k.GetApprovedCertificates(ctx, msg.Subject, msg.SubjectKeyId)
if !found {
if !found || len(certificates.Certs) == 0 {
return nil, pkitypes.NewErrCertificateDoesNotExist(msg.Subject, msg.SubjectKeyId)
}

Expand All @@ -46,14 +46,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M
}
// fail if cert with serial number does not exist
if msg.SerialNumber != "" {
found := false
for _, cert := range certificates.Certs {
if cert.SerialNumber == msg.SerialNumber {
found = true

break
}
}
_, found = findCertificate(msg.SerialNumber, &certificates.Certs)
if !found {
return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(
msg.Subject, msg.SubjectKeyId, msg.SerialNumber,
Expand Down
12 changes: 2 additions & 10 deletions x/pki/keeper/msg_server_revoke_x_509_cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,7 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50
var certBySerialNumber *types.Certificate

if msg.SerialNumber != "" {
found := false
for _, cert := range certificates.Certs {
if cert.SerialNumber == msg.SerialNumber {
certBySerialNumber = cert
found = true

break
}
}
_, found = findCertificate(msg.SerialNumber, &certificates.Certs)
if !found {
return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber)
}
Expand Down Expand Up @@ -82,7 +74,7 @@ func (k msgServer) _removeAndRevokeX509CertBySerialNumber(ctx sdk.Context, cert
SubjectKeyId: cert.SubjectKeyId,
Certs: []*types.Certificate{cert},
})
k.removeCertFromList(cert.SerialNumber, &certificates)
k.removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates)
if len(certificates.Certs) == 0 {
k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId)
// Remove certificate identifier from issuer's ChildCertificates record
Expand Down

0 comments on commit a1070bc

Please sign in to comment.