/
vaultManager.go
150 lines (124 loc) · 3.85 KB
/
vaultManager.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
package manager
import (
"crypto/ecdsa"
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"path/filepath"
"strings"
"github.com/atomyze-foundation/cartridge/cryptocache"
vault "github.com/hashicorp/vault/api"
"github.com/hyperledger/fabric/bccsp/utils"
)
// Option is a function that configures a VaultManager
type Option func(c *VaultManager) error
// VaultManager handles VaultManager operations
type VaultManager struct {
client *vault.Client
memcache cryptocache.CryptoCache
signingIdentity *VaultSigningIdentity
}
// NewVaultManager gets new instance of VaultManager
func NewVaultManager(mspID, userCert, address, token, namespace string) (*VaultManager, error) {
config := &vault.Config{Address: address}
client, err := vault.NewClient(config)
if err != nil {
return nil, err
}
client.SetToken(token)
manager := &VaultManager{client: client, memcache: cryptocache.NewMemCache()}
if err = PullCrypto(manager, namespace, ""); err != nil {
return nil, err
}
manager.signingIdentity, err = NewVaultSigningIdentity(mspID, userCert, manager)
if err != nil {
return nil, err
}
return manager, nil
}
// PullCrypto pulls crypto from Vault
func PullCrypto(manager *VaultManager, vaultPath string, keyname string) error {
list, err := manager.client.Logical().List(vaultPath)
if err != nil {
return err
}
//nolint:nestif
if list == nil {
data, err := manager.client.Logical().Read(vaultPath)
if err != nil {
return err
}
// if Vault empty, return error
if data == nil || data.Data["data"] == nil {
return fmt.Errorf("path %s is empty", vaultPath)
}
cryptoAsString, ok := data.Data["data"].(string)
if !ok {
return fmt.Errorf("failed to cast value of key %s to string", vaultPath)
}
cryptoAsBytes, err := base64.StdEncoding.DecodeString(cryptoAsString)
if err != nil && strings.Contains(err.Error(), "illegal base64 data at input byte 0") {
cryptoAsBytes = []byte(cryptoAsString)
} else if err != nil {
return err
}
if strings.Contains(vaultPath, "/tls/") {
parts := strings.Split(vaultPath, "/")
if err := manager.memcache.SetCrypto(fmt.Sprintf("%s/%s/%s", parts[len(parts)-3], parts[len(parts)-2], keyname), cryptoAsBytes); err != nil { // username[@org]/tls/cryptoname
return err
}
} else {
if err := manager.memcache.SetCrypto(keyname, cryptoAsBytes); err != nil {
return err
}
}
return nil
}
keys, _ := list.Data["keys"].([]interface{})
for _, key := range keys {
keyname = key.(string) //nolint:forcetypeassert
if err = PullCrypto(manager, filepath.Join(vaultPath, keyname), keyname); err != nil {
return err
}
}
return nil
}
// Sign signs the digest
func (v *VaultManager) Sign(digest []byte, ecdsaPrivateKey *ecdsa.PrivateKey, ecdsaPublicKey *ecdsa.PublicKey) ([]byte, error) {
r, s, err := ecdsa.Sign(rand.Reader, ecdsaPrivateKey, digest)
if err != nil {
return nil, err
}
signature, err := utils.ToLowS(ecdsaPublicKey, s)
if err != nil {
return nil, err
}
return utils.MarshalECDSASignature(r, signature)
}
// Verify verifies the signature
func (v *VaultManager) Verify(digest, signature []byte, ecdsaPublicKey *ecdsa.PublicKey) error {
r, s, err := utils.UnmarshalECDSASignature(signature)
if err != nil {
return fmt.Errorf("failed unmashalling signature [%w]", err)
}
lowS, err := utils.IsLowS(ecdsaPublicKey, s)
if err != nil {
return err
}
if !lowS {
return fmt.Errorf("invalid S. Must be smaller than half the order [%s][%s]", s, utils.GetCurveHalfOrdersAt(ecdsaPublicKey.Curve))
}
if ok := ecdsa.Verify(ecdsaPublicKey, digest, r, s); ok {
return nil
}
return errors.New("invalid signature")
}
// SigningIdentity returns the signing identity
func (v *VaultManager) SigningIdentity() CartridgeSigningIdentity {
return v.signingIdentity
}
// Cache returns the cache
func (v *VaultManager) Cache() cryptocache.CryptoCache {
return v.memcache
}