-
Notifications
You must be signed in to change notification settings - Fork 8.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Restore RSA support for x509 public key import
While RSA has never been supported by Fabric for transaction signing and verification, prior to version 2.x, MSPs could include CA certificates that included RSA public keys. This was broken with the removal of the unsupported RSA code. This change modifies the key import function used by the MSP to convert an RSA public key to a bccsp.Key that can then be used as part of an MSP identity. This code does *not* add support for RSA on transaction paths. Signed-off-by: Matthew Sykes <sykesmat@us.ibm.com>
- Loading branch information
Showing
4 changed files
with
130 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
/* | ||
Copyright IBM Corp. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package sw | ||
|
||
import ( | ||
"crypto/rsa" | ||
"crypto/sha256" | ||
"crypto/x509" | ||
"errors" | ||
"fmt" | ||
|
||
"github.com/hyperledger/fabric/bccsp" | ||
) | ||
|
||
// An rsaPublicKey wraps the standard library implementation of an RSA public | ||
// key with functions that satisfy the bccsp.Key interface. | ||
// | ||
// NOTE: Fabric does not support RSA signing or verification. This code simply | ||
// allows MSPs to include RSA CAs in their certificate chains. | ||
type rsaPublicKey struct{ pubKey *rsa.PublicKey } | ||
|
||
func (k *rsaPublicKey) Symmetric() bool { return false } | ||
func (k *rsaPublicKey) Private() bool { return false } | ||
func (k *rsaPublicKey) PublicKey() (bccsp.Key, error) { return k, nil } | ||
|
||
// Bytes converts this key to its serialized representation. | ||
func (k *rsaPublicKey) Bytes() (raw []byte, err error) { | ||
if k.pubKey == nil { | ||
return nil, errors.New("Failed marshalling key. Key is nil.") | ||
} | ||
raw, err = x509.MarshalPKIXPublicKey(k.pubKey) | ||
if err != nil { | ||
return nil, fmt.Errorf("Failed marshalling key [%s]", err) | ||
} | ||
return | ||
} | ||
|
||
// SKI returns the subject key identifier of this key. | ||
func (k *rsaPublicKey) SKI() []byte { | ||
if k.pubKey == nil { | ||
return nil | ||
} | ||
|
||
// Marshal the public key and hash it | ||
raw := x509.MarshalPKCS1PublicKey(k.pubKey) | ||
hash := sha256.Sum256(raw) | ||
return hash[:] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
/* | ||
Copyright IBM Corp. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package sw | ||
|
||
import ( | ||
"crypto/rand" | ||
"crypto/rsa" | ||
"crypto/sha256" | ||
"crypto/x509" | ||
"encoding/asn1" | ||
"math/big" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
type rsaPublicKeyASN struct { | ||
N *big.Int | ||
E int | ||
} | ||
|
||
func TestRSAPublicKey(t *testing.T) { | ||
lowLevelKey, err := rsa.GenerateKey(rand.Reader, 2048) | ||
require.NoError(t, err) | ||
k := &rsaPublicKey{&lowLevelKey.PublicKey} | ||
|
||
require.False(t, k.Symmetric()) | ||
require.False(t, k.Private()) | ||
|
||
k.pubKey = nil | ||
ski := k.SKI() | ||
require.Nil(t, ski) | ||
|
||
k.pubKey = &lowLevelKey.PublicKey | ||
ski = k.SKI() | ||
raw, err := asn1.Marshal(rsaPublicKeyASN{N: k.pubKey.N, E: k.pubKey.E}) | ||
require.NoError(t, err, "asn1 marshal failed") | ||
hash := sha256.New() | ||
hash.Write(raw) | ||
ski2 := hash.Sum(nil) | ||
require.Equal(t, ski, ski2, "SKI is not computed in the right way.") | ||
|
||
pk, err := k.PublicKey() | ||
require.NoError(t, err) | ||
require.Equal(t, k, pk) | ||
|
||
bytes, err := k.Bytes() | ||
require.NoError(t, err) | ||
bytes2, err := x509.MarshalPKIXPublicKey(k.pubKey) | ||
require.Equal(t, bytes2, bytes, "bytes are not computed in the right way.") | ||
|
||
_, err = (&rsaPublicKey{}).Bytes() | ||
require.EqualError(t, err, "Failed marshalling key. Key is nil.") | ||
} |