zigbee-alliance · ashcherbakov · Nov 19, 2024 · Nov 13, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/docs/static/openapi.yml b/docs/static/openapi.yml
@@ -9435,6 +9435,10 @@ paths:
           in: query
           required: false
           type: boolean
+        - name: subjectKeyId
+          in: query
+          required: false
+          type: string
       tags:
         - Query
   /dcl/pki/all-certificates/{subject}:

diff --git a/docs/transactions.md b/docs/transactions.md
@@ -170,7 +170,8 @@ Please make sure that TLS is enabled in gRPC, REST or Light Client Proxy for sec
 | **GLOBAL - Work for all certificate types (DA, NOC)**                                                                                                                               |                                                                                                                                                                                                                                                                                                                                           |
 | [GET_CERT](transactions/pki.md#get_cert) <br><br> Gets a certificate (PAA, PAI, RCAC, ICAC)                                                                                         | CLI `dcld query pki cert --subject=<base64 string> --subject-key-id=<hex string>` <br><br> GET `/dcl/pki/all-certificates/{subject}/{subject_key_id}`                                                                                                                                                                                     |
 | [GET_ALL_CERTS](transactions/pki.md#get_all_certs) <br><br> Gets all certificates (PAA, PAI, RCAC, ICAC)                                                                            | CLI `dcld query pki all-certs`  <br><br> GET `/dcl/pki/all-certificates`                                                                                                                                                                                                                                                                  |
-| [GET_ALL_CERTS_BY_SUBJECT](transactions/pki.md#get_all_certs_by_subject) <br><br>                                                                                                   | CLI `dcld query pki all-subject-certs --subject=<base64 string>`  <br><br> GET `/dcl/pki/all-certificates/{subject}`                                                                                                                                                                                                                      |
+| [GET_ALL_CERTS_BY_SUBJECT](transactions/pki.md#get_all_certs_by_subject) <br><br> Gets all certificates associated with a subject (PAA, PAI, RCAC, ICAC)                            | CLI `dcld query pki all-subject-certs --subject=<base64 string>`  <br><br> GET `/dcl/pki/all-certificates/{subject}`                                                                                                                                                                                                                      |
+| [GET_ALL_CERTS_BY_SKID](transactions/pki.md#get_all_certs_by_skid) <br><br> Gets all certificates by the given subject key ID (PAA, PAI, RCAC, ICAC)                                | CLI `dcld query pki cert --subject-key-id=<hex string>`  <br><br> GET `/dcl/pki/all-certificates?subjectKeyId={subjectKeyId}`                                                                                                                                                                                                             |
 | [GET_CHILD_CERTS](transactions/pki.md#get_child_certs) <br><br> Gets all child certificates for the given certificate (PAA, PAI, RCAC, ICAC)                                        | CLI `dcld query pki all-child-x509-certs --subject=<base64 string> --subject-key-id=<hex string>`  <br><br> GET `/dcl/pki/child-certificates/{subject}/{subject_key_id}`                                                                                                                                                                  |
 | **DA - Work for DA certificate types (PAA, PAI)**                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                           |
 | [PROPOSE_ADD_PAA](transactions/pki.md#propose_add_paa) <br><br> Proposes a new PAA (self-signed root certificate)                                                                   | CLI `dcld tx pki propose-add-x509-root-cert --certificate=<string-or-path>` <br><br> POST `/cosmos/tx/v1beta1/txs`([MsgProposeAddX509RootCert](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/proto/zigbeealliance/distributedcomplianceledger/pki/tx.proto#L34))                                           |

diff --git a/docs/transactions/pki.md b/docs/transactions/pki.md
@@ -67,6 +67,24 @@ Use [GET_ALL_REVOKED_NOC_ICA_CERTS](#get_all_revoked_noc_ica-icacs) to get a lis
 - REST API:
   - GET `/dcl/pki/all-certificates/{subject}`
 
+#### GET_ALL_CERTS_BY_SKID
+
+**Status: Implemented**
+
+Gets all certificates by the given subject key ID attribute. This query works for all types certificates (PAA, PAI, RCAC, ICAC).
+
+Revoked certificates are not returned.
+Use [GET_ALL_REVOKED_DA_CERTS](#get_all_revoked_da_certs) to get a list of all revoked DA certificates.
+Use [GET_ALL_REVOKED_NOC_ROOT_CERTS](#get_all_revoked_noc_root-rcacs) to get a list of all revoked Noc Root certificates.
+Use [GET_ALL_REVOKED_NOC_ICA_CERTS](#get_all_revoked_noc_ica-icacs) to get a list of all revoked Noc ICA certificates.
+
+- Parameters:
+  - subject_key_id: `string`  - certificates's `Subject Key Id` in hex string format, e.g: `5A:88:0E:6C:36:53:D0:7F:B0:89:71:A3:F4:73:79:09:30:E6:2B:DB`
+- CLI command:
+  - `dcld query pki cert --subject-key-id=<hex string>`
+- REST API:
+  - GET `/dcl/pki/all-certificates?subjectKeyId={subjectKeyId}`
+
 #### GET_CHILD_CERTS
 
 **Status: Implemented**

diff --git a/integration_tests/cli/pki-combine-certs.sh b/integration_tests/cli/pki-combine-certs.sh
@@ -283,6 +283,41 @@ response_does_not_contain "$result" "\"subjectKeyId\": \"$da_root_subject_key_id
 
 test_divider
 
+echo "Request certificates by subject key id"
+echo "Request DA certificate using global command"
+result=$(dcld query pki cert --subject-key-id="$da_root_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subjectKeyId\": \"$da_root_subject_key_id\""
+
+echo "Request NOC certificate using global command"
+result=$(dcld query pki cert --subject-key-id="$noc_root_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subjectKeyId\": \"$noc_root_subject_key_id\""
+
+echo "Request DA certificate"
+result=$(dcld query pki x509-cert --subject-key-id="$da_root_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subjectKeyId\": \"$da_root_subject_key_id\""
+
+echo "Request NOC certificate using DA command (must be empty)"
+result=$(dcld query pki x509-cert --subject="$noc_root_subject" --subject-key-id="$noc_root_subject_key_id")
+echo $result | jq
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subjectKeyId\": \"$noc_root_subject_key_id\""
+
+echo "Request NOC Root certificate"
+result=$(dcld query pki noc-x509-cert --subject="$noc_root_subject" --subject-key-id="$noc_root_subject_key_id")
+echo $result | jq
+check_response "$result" "\"subjectKeyId\": \"$noc_root_subject_key_id\""
+
+echo "Request DA certificate using NOC command (must be empty)"
+result=$(dcld query pki noc-x509-cert --subject="$da_root_subject" --subject-key-id="$da_root_subject_key_id")
+echo $result | jq
+check_response "$result" "Not Found"
+response_does_not_contain "$result" "\"subjectKeyId\": \"$da_root_subject_key_id\""
+
+test_divider
+
 echo "Request DA certificates by subject using global command"
 result=$(dcld query pki all-subject-certs --subject=$da_root_subject)
 echo $result | jq