Closed robszewczyk closed 3 days ago
Reading DCL 1.2 docs, it clearly states "Gets all certificates (root, intermediate and leaf)." for the /dcl/pki/certificates API.
It is meant to be a generic common API dealing with all certificates.
Alternatively, the correct API for root (PAA) certs is /dcl/pki/root-certificates, which ONLY returns PAA. The docs mention: "Gets all approved root certificates. Revoked certificates are not returned. Use GET_ALL_REVOKED_X509_CERTS_ROOT to get a list of all revoked root certificates."
In DCL 1.2 -> /dcl/pki/root-certificates: Returns ONLY PAA.
In DCL 1.4 -> /dcl/pki/root-certificates: Returns ONLY PAA.
In DCL 1.4 -> /dcl/pki/noc-root-certificates: Returns ONLY RCAC.
Update /dcl/pki/certificates in 1.4 so that it will ONLY return PAA, PAI and DAC if PAI and DAC have been uploaded in device attestation chain.
Implement another API that returns certificates regardless of PKI chain e.g. inclusive of DA or NOC.
paa-certificates rcac-certificates
Addressed as part of #612
Problem
Generic APIs for getting certificates are expected to return the certificates from the DA PKI. To that end, in 1.2:
GET /dcl/pki/certificates returns a list of certificates
GET /dcl/pki/certificates/{subject} returns a list of certificates by subject
GET /dcl/pki/certificates/{subject}/{skid} returns a certificate for a subject and SKID
The critical problem is that a 1.2 client would never look at the new fields added in Certificate.proto and thus not be aware that the returned values have different semantics.
Proposed resolution
certificates2
that have the semantics of getting all certificates
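The failure mode described under "Problem", as an added example (not code from the DCL project or from this issue): a client that only parses the fields it knows treats an RCAC returned by the generic endpoint as a device attestation trust anchor, while a client that reads the new marker rejects it. The JSON shape and the field names `subject`, `skid`, `isRoot` and `pki` are hypothetical, since the page does not name the fields added to Certificate.proto.

```python
import json

# Constructed response from a generic "all certificates" endpoint that mixes
# PKIs. The JSON shape and the "pki" marker are hypothetical stand-ins for the
# new Certificate.proto fields, which the page does not name.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"subject": "CN=Constructed PAA", "skid": "AA:01", "isRoot": True, "pki": "DA"},
    {"subject": "CN=Constructed PAI", "skid": "AA:02", "isRoot": False, "pki": "DA"},
    {"subject": "CN=Constructed RCAC", "skid": "BB:01", "isRoot": True, "pki": "NOC"},
]})

LEGACY_FIELDS = ("subject", "skid", "isRoot")  # all that the older client parses


def legacy_trust_anchors(body):
    """Older client: drops unknown fields, so every root looks like a PAA."""
    certs = [{k: c[k] for k in LEGACY_FIELDS}
             for c in json.loads(body)["certificates"]]
    return [c["skid"] for c in certs if c["isRoot"]]


def da_trust_anchors(body):
    """Updated client: accept a root only when it is explicitly marked DA."""
    anchors, rejected = [], []
    for c in json.loads(body)["certificates"]:
        if not c["isRoot"]:
            continue
        # Fail closed: a missing or unrecognised marker is never trusted as a PAA.
        (anchors if c.get("pki") == "DA" else rejected).append(c["skid"])
    return anchors, rejected


if __name__ == "__main__":
    print("legacy client trusts:", legacy_trust_anchors(SAMPLE_RESPONSE))
    print("updated client (trusted, rejected):", da_trust_anchors(SAMPLE_RESPONSE))
```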