Re-encode ECDSA CRL signature during MSP setup

Perform an asn1.Unmarshal of ECDSA CRL signatures to extract R and S using the same mechanism as Go 1.14 and then re-marshal the signature. This pattern removes any extra bytes from the signature that would cause Go 1.15 to treat the signature as invalid. Without this change, existing CRL signatures that are considered valid in Go 1.14 would no longer be considered valid in Go 1.15 resulting in a validation behavior change. Signed-off-by: Matthew Sykes <sykesmat@us.ibm.com>
hyperledger · Feb 15, 2021 · 15e3f94 · 15e3f94
1 parent 4e91e45
commit 15e3f94
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/msp/mspimplsetup.go b/msp/mspimplsetup.go
@@ -10,12 +10,14 @@ import (
 	"bytes"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"fmt"
 	"time"
 
 	"github.com/golang/protobuf/proto"
 	m "github.com/hyperledger/fabric-protos-go/msp"
 	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/utils"
 	errors "github.com/pkg/errors"
 )
 
@@ -194,6 +196,23 @@ func (msp *bccspmsp) setupAdminsV142(conf *m.FabricMSPConfig) error {
 	return nil
 }
 
+func isECDSASignatureAlgorithm(algid asn1.ObjectIdentifier) bool {
+	// This is the set of ECDSA algorithms supported by Go 1.14 for CRL
+	// signatures.
+	ecdsaSignaureAlgorithms := []asn1.ObjectIdentifier{
+		{1, 2, 840, 10045, 4, 1},    // oidSignatureECDSAWithSHA1
+		{1, 2, 840, 10045, 4, 3, 2}, // oidSignatureECDSAWithSHA256
+		{1, 2, 840, 10045, 4, 3, 3}, // oidSignatureECDSAWithSHA384
+		{1, 2, 840, 10045, 4, 3, 4}, // oidSignatureECDSAWithSHA512
+	}
+	for _, id := range ecdsaSignaureAlgorithms {
+		if id.Equal(algid) {
+			return true
+		}
+	}
+	return false
+}
+
 func (msp *bccspmsp) setupCRLs(conf *m.FabricMSPConfig) error {
 	// setup the CRL (if present)
 	msp.CRL = make([]*pkix.CertificateList, len(conf.RevocationList))
@@ -203,6 +222,19 @@ func (msp *bccspmsp) setupCRLs(conf *m.FabricMSPConfig) error {
 			return errors.Wrap(err, "could not parse RevocationList")
 		}
 
+		// Massage the ECDSA signature values
+		if isECDSASignatureAlgorithm(crl.SignatureAlgorithm.Algorithm) {
+			r, s, err := utils.UnmarshalECDSASignature(crl.SignatureValue.RightAlign())
+			if err != nil {
+				return err
+			}
+			sig, err := utils.MarshalECDSASignature(r, s)
+			if err != nil {
+				return err
+			}
+			crl.SignatureValue = asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}
+		}
+
 		// TODO: pre-verify the signature on the CRL and create a map
 		//       of CA certs to respective CRLs so that later upon
 		//       validation we can already look up the CRL given the