/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
*/
package crypto
import (
"crypto/x509"
"fmt"
obcca "github.com/openblockchain/obc-peer/obc-ca/protos"
"github.com/openblockchain/obc-peer/openchain/crypto/utils"
"golang.org/x/net/context"
"strconv"
)
// getEnrollmentCert returns the enrollment (signing) certificate belonging to
// the peer identified by id. It is served from the in-memory cache when
// present; otherwise it is loaded through the key store, which may in turn
// fetch it from the ECA via getEnrollmentCertByHashFromECA.
//
// id is the raw peer identifier; its base64 form is used only as the cache
// key and in log output. An empty id is rejected. A freshly loaded certificate
// is parsed from DER and stored in validator.enrollCerts before being returned.
//
// NOTE(review): the map write at the end is not guarded by any lock visible in
// this file; confirm that callers serialize access or that the map is
// protected elsewhere.
func (validator *validatorImpl) getEnrollmentCert(id []byte) (*x509.Certificate, error) {
	if len(id) == 0 {
		return nil, fmt.Errorf("Invalid peer id. It is empty.")
	}

	logger := validator.peer.node.log
	key := utils.EncodeBase64(id)
	logger.Debug("Getting enrollment certificate for [%s]", key)

	// Fast path: the certificate has already been parsed and cached.
	if cached := validator.enrollCerts[key]; cached != nil {
		logger.Debug("Enrollment certificate for [%s] already in memory.", key)
		return cached, nil
	}

	// Slow path: the key store decides whether the certificate comes from the
	// DB or from the ECA through the supplied callback.
	logger.Debug("Retrieve Enrollment certificate for [%s]...", key)
	der, err := validator.peer.node.ks.GetSignEnrollmentCert(id, validator.getEnrollmentCertByHashFromECA)
	if err != nil {
		logger.Error("Failed getting enrollment certificate for [%s]: [%s]", key, err)
		return nil, err
	}
	logger.Debug("Enrollment certificate for [%s] = [%s]", key, utils.EncodeBase64(der))

	parsed, err := utils.DERToX509Certificate(der)
	if err != nil {
		logger.Error("Failed parsing enrollment certificate for [%s]: [%s],[%s]", key, utils.EncodeBase64(der), err)
		return nil, err
	}

	validator.enrollCerts[key] = parsed
	return parsed, nil
}
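// getEnrollmentCertByHashFromECA asks the ECA for the enrollment certificates
// whose hash is id and returns the DER-encoded signing certificate and
// encryption certificate, in that order.
//
// Before the pair is handed back, the signing certificate is parsed and its
// ECertSubjectRole critical extension must decode to obcca.Role_VALIDATOR;
// any other role is rejected with a non-nil error. This method is passed as
// the fetch callback to ks.GetSignEnrollmentCert in getEnrollmentCert.
//
// NOTE(review): nothing here checks that the returned certificate actually
// hashes to the requested id; confirm that the key store or the ECA transport
// provides that binding, otherwise a wrong but well-formed certificate would
// be accepted and cached under id.
func (validator *validatorImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
	logger := validator.peer.node.log

	// Prepare and send the request.
	logger.Debug("Reading certificate for hash [%s]", utils.EncodeBase64(id))
	req := &obcca.Hash{Hash: id}
	response, err := validator.peer.node.callECAReadCertificateByHash(context.Background(), req)
	if err != nil {
		logger.Error("Failed requesting enrollment certificate [%s].", err.Error())
		return nil, nil, err
	}
	logger.Debug("Certificate for hash [%s] = [%s][%s]", utils.EncodeBase64(id), utils.EncodeBase64(response.Sign), utils.EncodeBase64(response.Enc))

	// Verify that response.Sign parses as an X.509 certificate.
	x509Cert, err := utils.DERToX509Certificate(response.Sign)
	if err != nil {
		logger.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
		return nil, nil, err
	}

	// Check the role carried in the certificate.
	roleRaw, err := utils.GetCriticalExtension(x509Cert, ECertSubjectRole)
	if err != nil {
		logger.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}
	// obcca.Role is a protobuf enum, which Go represents as int32, so parse
	// with a fixed 32-bit size. The previous code sized bitSize by the
	// extension's byte length, letting a long decimal parse as a 64-bit value
	// whose conversion to Role could wrap into a different enum value.
	role, err := strconv.ParseInt(string(roleRaw), 10, 32)
	if err != nil {
		logger.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}
	if obcca.Role(role) != obcca.Role_VALIDATOR {
		// err is nil at this point; returning it would report success with
		// nil certificates on a role mismatch. Build a real error instead.
		err = fmt.Errorf("invalid ECertSubjectRole in enrollment certificate for signing: not a validator, got [%d]", role)
		logger.Error("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator: [%s]", err)
		return nil, nil, err
	}

	return response.Sign, response.Enc, nil
}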