From 9ed9ce44b45d9c37d4fb1112061927cb5ccba5d7 Mon Sep 17 00:00:00 2001 From: Angelo De Caro Date: Wed, 14 Dec 2016 09:28:51 +0100 Subject: [PATCH] core/crypto/primitives cleanup: second step This change-set continues the cleanup of the core/crypto/primitives package. Refactoring has been applied to move methods and files under the packages which need them. Change-Id: Icfe6adf938b9d96df9dfde3dfebf95f3004fcae7 Signed-off-by: Angelo De Caro --- accesscontrol/api.go | 15 ++++ .../attributes/attributes.go | 13 +-- .../attributes/attributes_test.go | 2 +- .../attributes/proto/attributes.pb.go | 0 .../attributes/proto/attributes.proto | 0 .../attributes/test_resources/prek0.dump | 0 .../attributes/test_resources/tcert.dump | 0 accesscontrol/crypto/attr/attr_support.go | 6 +- accesscontrol/crypto/ecdsa/ecdsa_test.go | 25 +++--- .../crypto/utils}/aes.go | 6 +- .../crypto/utils}/aes_test.go | 82 +++++++++---------- .../crypto/utils}/ecdsa.go | 8 +- {core => accesscontrol}/crypto/utils/io.go | 0 .../crypto/utils}/keys.go | 2 +- .../crypto/utils}/x509.go | 8 +- .../shim/crypto/attr/attr_support.go | 6 +- .../chaincode/shim/crypto/ecdsa/ecdsa_test.go | 25 +++--- core/crypto/primitives/hash.go | 11 +-- core/crypto/primitives/random.go | 5 ++ 19 files changed, 117 insertions(+), 97 deletions(-) rename {core/crypto => accesscontrol}/attributes/attributes.go (95%) rename {core/crypto => accesscontrol}/attributes/attributes_test.go (99%) rename {core/crypto => accesscontrol}/attributes/proto/attributes.pb.go (100%) rename {core/crypto => accesscontrol}/attributes/proto/attributes.proto (100%) rename {core/crypto => accesscontrol}/attributes/test_resources/prek0.dump (100%) rename {core/crypto => accesscontrol}/attributes/test_resources/tcert.dump (100%) rename {core/crypto/primitives => accesscontrol/crypto/utils}/aes.go (97%) rename {core/crypto/primitives => accesscontrol/crypto/utils}/aes_test.go (85%) rename {core/crypto/primitives => accesscontrol/crypto/utils}/ecdsa.go (88%) rename {core => accesscontrol}/crypto/utils/io.go (100%) rename {core/crypto/primitives => accesscontrol/crypto/utils}/keys.go (98%) rename {core/crypto/primitives => accesscontrol/crypto/utils}/x509.go (96%) diff --git a/accesscontrol/api.go b/accesscontrol/api.go index 7af80306569..af943656b66 100644 --- a/accesscontrol/api.go +++ b/accesscontrol/api.go @@ -1,3 +1,18 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package accesscontrol // Attribute defines a name, value pair to be verified. diff --git a/core/crypto/attributes/attributes.go b/accesscontrol/attributes/attributes.go similarity index 95% rename from core/crypto/attributes/attributes.go rename to accesscontrol/attributes/attributes.go index 557453eff9f..94251446572 100644 --- a/core/crypto/attributes/attributes.go +++ b/accesscontrol/attributes/attributes.go @@ -25,10 +25,11 @@ import ( "strconv" "strings" - pb "github.com/hyperledger/fabric/core/crypto/attributes/proto" + pb "github.com/hyperledger/fabric/accesscontrol/attributes/proto" "github.com/hyperledger/fabric/core/crypto/primitives" "github.com/golang/protobuf/proto" + "github.com/hyperledger/fabric/accesscontrol/crypto/utils" ) var ( @@ -80,7 +81,7 @@ func ReadAttributeHeader(tcert *x509.Certificate, headerKey []byte) (map[string] var err error var headerRaw []byte encrypted := false - if headerRaw, err = primitives.GetCriticalExtension(tcert, TCertAttributesHeaders); err != nil { + if headerRaw, err = utils.GetCriticalExtension(tcert, TCertAttributesHeaders); err != nil { return nil, encrypted, err } headerStr := string(headerRaw) @@ -112,7 +113,7 @@ func ReadTCertAttributeByPosition(tcert *x509.Certificate, position int) ([]byte } oid := asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9 + position} - value, err := primitives.GetCriticalExtension(tcert, oid) + value, err := utils.GetCriticalExtension(tcert, oid) if err != nil { return nil, err } @@ -139,7 +140,7 @@ func ReadTCertAttribute(tcert *x509.Certificate, attributeName string, headerKey //EncryptAttributeValue encrypts "attributeValue" using "attributeKey" func EncryptAttributeValue(attributeKey []byte, attributeValue []byte) ([]byte, error) { value := append(attributeValue, padding...) - return primitives.CBCPKCS7Encrypt(attributeKey, value) + return utils.CBCPKCS7Encrypt(attributeKey, value) } //getAttributeKey returns the attributeKey derived from the preK0 to the attributeName. @@ -155,7 +156,7 @@ func EncryptAttributeValuePK0(preK0 []byte, attributeName string, attributeValue //DecryptAttributeValue decrypts "encryptedValue" using "attributeKey" and return the decrypted value. func DecryptAttributeValue(attributeKey []byte, encryptedValue []byte) ([]byte, error) { - value, err := primitives.CBCPKCS7Decrypt(attributeKey, encryptedValue) + value, err := utils.CBCPKCS7Decrypt(attributeKey, encryptedValue) if err != nil { return nil, err } @@ -238,7 +239,7 @@ func CreateAttributesMetadataFromCert(cert *x509.Certificate, metadata []byte, p //CreateAttributesMetadata create the AttributesMetadata from the original metadata func CreateAttributesMetadata(raw []byte, metadata []byte, preK0 []byte, attributeKeys []string) ([]byte, error) { - cert, err := primitives.DERToX509Certificate(raw) + cert, err := utils.DERToX509Certificate(raw) if err != nil { return nil, err } diff --git a/core/crypto/attributes/attributes_test.go b/accesscontrol/attributes/attributes_test.go similarity index 99% rename from core/crypto/attributes/attributes_test.go rename to accesscontrol/attributes/attributes_test.go index c80b7dd9eac..03715f5102e 100644 --- a/core/crypto/attributes/attributes_test.go +++ b/accesscontrol/attributes/attributes_test.go @@ -28,7 +28,7 @@ import ( "testing" "github.com/golang/protobuf/proto" - pb "github.com/hyperledger/fabric/core/crypto/attributes/proto" + pb "github.com/hyperledger/fabric/accesscontrol/attributes/proto" "github.com/hyperledger/fabric/core/crypto/primitives" ) diff --git a/core/crypto/attributes/proto/attributes.pb.go b/accesscontrol/attributes/proto/attributes.pb.go similarity index 100% rename from core/crypto/attributes/proto/attributes.pb.go rename to accesscontrol/attributes/proto/attributes.pb.go diff --git a/core/crypto/attributes/proto/attributes.proto b/accesscontrol/attributes/proto/attributes.proto similarity index 100% rename from core/crypto/attributes/proto/attributes.proto rename to accesscontrol/attributes/proto/attributes.proto diff --git a/core/crypto/attributes/test_resources/prek0.dump b/accesscontrol/attributes/test_resources/prek0.dump similarity index 100% rename from core/crypto/attributes/test_resources/prek0.dump rename to accesscontrol/attributes/test_resources/prek0.dump diff --git a/core/crypto/attributes/test_resources/tcert.dump b/accesscontrol/attributes/test_resources/tcert.dump similarity index 100% rename from core/crypto/attributes/test_resources/tcert.dump rename to accesscontrol/attributes/test_resources/tcert.dump diff --git a/accesscontrol/crypto/attr/attr_support.go b/accesscontrol/crypto/attr/attr_support.go index 343411609c4..8803e47933a 100644 --- a/accesscontrol/crypto/attr/attr_support.go +++ b/accesscontrol/crypto/attr/attr_support.go @@ -22,8 +22,8 @@ import ( "errors" "github.com/hyperledger/fabric/accesscontrol" - "github.com/hyperledger/fabric/core/crypto/attributes" - "github.com/hyperledger/fabric/core/crypto/primitives" + "github.com/hyperledger/fabric/accesscontrol/attributes" + "github.com/hyperledger/fabric/accesscontrol/crypto/utils" ) // chaincodeHolder is the struct that hold the certificate and the metadata. An implementation is ChaincodeStub @@ -107,7 +107,7 @@ func NewAttributesHandlerImpl(holder chaincodeHolder) (*AttributesHandlerImpl, e return nil, errors.New("The certificate can't be nil.") } var tcert *x509.Certificate - tcert, err = primitives.DERToX509Certificate(certRaw) + tcert, err = utils.DERToX509Certificate(certRaw) if err != nil { return nil, err } diff --git a/accesscontrol/crypto/ecdsa/ecdsa_test.go b/accesscontrol/crypto/ecdsa/ecdsa_test.go index 008367ea1f6..dbf533be1a0 100644 --- a/accesscontrol/crypto/ecdsa/ecdsa_test.go +++ b/accesscontrol/crypto/ecdsa/ecdsa_test.go @@ -19,6 +19,7 @@ package ecdsa import ( "testing" + "github.com/hyperledger/fabric/accesscontrol/crypto/utils" "github.com/hyperledger/fabric/core/crypto/primitives" ) @@ -26,13 +27,13 @@ func TestSignatureVerifier(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 256) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -54,13 +55,13 @@ func TestSignatureVerifierSHA2(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 256) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -82,13 +83,13 @@ func TestSignatureVerifierSHA2_384(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 384) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -110,13 +111,13 @@ func TestSignatureVerifierSHA3_384(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 384) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -138,13 +139,13 @@ func TestSignatureVerifierSHA2_512(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 512) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -166,13 +167,13 @@ func TestSignatureVerifierSHA3_512(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 512) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } diff --git a/core/crypto/primitives/aes.go b/accesscontrol/crypto/utils/aes.go similarity index 97% rename from core/crypto/primitives/aes.go rename to accesscontrol/crypto/utils/aes.go index 0cd0ab19c49..08a8d83b415 100644 --- a/core/crypto/primitives/aes.go +++ b/accesscontrol/crypto/utils/aes.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package primitives +package utils import ( "bytes" @@ -24,6 +24,8 @@ import ( "errors" "fmt" "io" + + "github.com/hyperledger/fabric/core/crypto/primitives" ) const ( @@ -36,7 +38,7 @@ const ( // GenAESKey returns a random AES key of length AESKeyLength func GenAESKey() ([]byte, error) { - return GetRandomBytes(AESKeyLength) + return primitives.GetRandomBytes(AESKeyLength) } // PKCS7Padding pads as prescribed by the PKCS7 standard diff --git a/core/crypto/primitives/aes_test.go b/accesscontrol/crypto/utils/aes_test.go similarity index 85% rename from core/crypto/primitives/aes_test.go rename to accesscontrol/crypto/utils/aes_test.go index 315e02fe1b7..7f7b0bea01b 100644 --- a/core/crypto/primitives/aes_test.go +++ b/accesscontrol/crypto/utils/aes_test.go @@ -16,7 +16,7 @@ limitations under the License. // This package contains unit-tests for the // github.com/hyperledger/fabric/core/crypto/primitives package -package primitives_test +package utils import ( "bytes" @@ -33,18 +33,18 @@ func TestCBCPKCS7EncryptCBCPKCS7Decrypt(t *testing.T) { // Note: The purpose of this test is not to test AES-256 in CBC mode's strength // ... but rather to verify the code wrapping/unwrapping the cipher. - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) // 123456789012345678901234567890123456789012 var ptext = []byte("a message with arbitrary length (42 bytes)") - encrypted, encErr := primitives.CBCPKCS7Encrypt(key, ptext) + encrypted, encErr := CBCPKCS7Encrypt(key, ptext) if encErr != nil { t.Fatalf("Error encrypting '%s': %s", ptext, encErr) } - decrypted, dErr := primitives.CBCPKCS7Decrypt(key, encrypted) + decrypted, dErr := CBCPKCS7Decrypt(key, encrypted) if dErr != nil { t.Fatalf("Error decrypting the encrypted '%s': %v", ptext, dErr) } @@ -64,7 +64,7 @@ func TestPKCS7Padding(t *testing.T) { 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16} - result := primitives.PKCS7Padding(ptext) + result := PKCS7Padding(ptext) if !bytes.Equal(expected, result) { t.Fatal("Padding error! Expected: ", expected, "', received: '", result, "'") @@ -76,7 +76,7 @@ func TestPKCS7Padding(t *testing.T) { 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15} - result = primitives.PKCS7Padding(ptext) + result = PKCS7Padding(ptext) if !bytes.Equal(expected, result) { t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") @@ -88,7 +88,7 @@ func TestPKCS7Padding(t *testing.T) { 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14} - result = primitives.PKCS7Padding(ptext) + result = PKCS7Padding(ptext) if !bytes.Equal(expected, result) { t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") @@ -97,7 +97,7 @@ func TestPKCS7Padding(t *testing.T) { // 3 to aes.BlockSize-1 byte plaintext ptext = []byte("1234567890ABCDEF") for i := 3; i < aes.BlockSize; i++ { - result := primitives.PKCS7Padding(ptext[:i]) + result := PKCS7Padding(ptext[:i]) padding := aes.BlockSize - i expectedPadding := bytes.Repeat([]byte{byte(padding)}, padding) @@ -111,7 +111,7 @@ func TestPKCS7Padding(t *testing.T) { // aes.BlockSize length ptext ptext = bytes.Repeat([]byte{byte('x')}, aes.BlockSize) - result = primitives.PKCS7Padding(ptext) + result = PKCS7Padding(ptext) expectedPadding := bytes.Repeat([]byte{byte(aes.BlockSize)}, aes.BlockSize) expected = append(ptext, expectedPadding...) @@ -136,7 +136,7 @@ func TestPKCS7UnPadding(t *testing.T) { 16, 16, 16, 16, 16, 16, 16, 16} - result, _ := primitives.PKCS7UnPadding(ptext) + result, _ := PKCS7UnPadding(ptext) if !bytes.Equal(expected, result) { t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") @@ -149,7 +149,7 @@ func TestPKCS7UnPadding(t *testing.T) { 15, 15, 15, 15, 15, 15, 15, 15} - result, _ = primitives.PKCS7UnPadding(ptext) + result, _ = PKCS7UnPadding(ptext) if !bytes.Equal(expected, result) { t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") @@ -162,7 +162,7 @@ func TestPKCS7UnPadding(t *testing.T) { 14, 14, 14, 14, 14, 14, 14, 14} - result, _ = primitives.PKCS7UnPadding(ptext) + result, _ = PKCS7UnPadding(ptext) if !bytes.Equal(expected, result) { t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") @@ -176,7 +176,7 @@ func TestPKCS7UnPadding(t *testing.T) { ptext = append(base[:i], padding...) expected := base[:i] - result, _ := primitives.PKCS7UnPadding(ptext) + result, _ := PKCS7UnPadding(ptext) if !bytes.Equal(result, expected) { t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") @@ -189,7 +189,7 @@ func TestPKCS7UnPadding(t *testing.T) { padding := bytes.Repeat([]byte{byte(aes.BlockSize)}, aes.BlockSize) ptext = append(expected, padding...) - result, _ = primitives.PKCS7UnPadding(ptext) + result, _ = PKCS7UnPadding(ptext) if !bytes.Equal(expected, result) { t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") @@ -202,18 +202,18 @@ func TestCBCEncryptCBCPKCS7Decrypt_BlockSizeLengthPlaintext(t *testing.T) { // One of the purposes of this test is to also document and clarify the expected behavior, i.e., that an extra // block is appended to the message at the padding stage, as per the spec of PKCS#7 v1.5 [see RFC-2315 p.21] - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) // 1234567890123456 var ptext = []byte("a 16 byte messag") - encrypted, encErr := primitives.CBCEncrypt(key, ptext) + encrypted, encErr := CBCEncrypt(key, ptext) if encErr != nil { t.Fatalf("Error encrypting '%s': %v", ptext, encErr) } - decrypted, dErr := primitives.CBCPKCS7Decrypt(key, encrypted) + decrypted, dErr := CBCPKCS7Decrypt(key, encrypted) if dErr == nil { t.Fatalf("Expected an error decrypting ptext '%s'. Decrypted to '%v'", dErr, decrypted) } @@ -225,18 +225,18 @@ func TestCBCPKCS7EncryptCBCDecrypt_ExpectingCorruptMessage(t *testing.T) { // One of the purposes of this test is to also document and clarify the expected behavior, i.e., that an extra // block is appended to the message at the padding stage, as per the spec of PKCS#7 v1.5 [see RFC-2315 p.21] - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) // 0123456789ABCDEF var ptext = []byte("a 16 byte messag") - encrypted, encErr := primitives.CBCPKCS7Encrypt(key, ptext) + encrypted, encErr := CBCPKCS7Encrypt(key, ptext) if encErr != nil { t.Fatalf("Error encrypting ptext %v", encErr) } - decrypted, dErr := primitives.CBCDecrypt(key, encrypted) + decrypted, dErr := CBCDecrypt(key, encrypted) if dErr != nil { t.Fatalf("Error encrypting ptext %v, %v", dErr, decrypted) } @@ -256,7 +256,7 @@ func TestCBCPKCS7EncryptCBCDecrypt_ExpectingCorruptMessage(t *testing.T) { // TestCBCPKCS7Encrypt_EmptyPlaintext encrypts and pad an empty ptext. Verifying as well that the ciphertext length is as expected. func TestCBCPKCS7Encrypt_EmptyPlaintext(t *testing.T) { - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) t.Log("Generated key: ", key) @@ -264,12 +264,12 @@ func TestCBCPKCS7Encrypt_EmptyPlaintext(t *testing.T) { var emptyPlaintext = []byte("") t.Log("Plaintext length: ", len(emptyPlaintext)) - ciphertext, encErr := primitives.CBCPKCS7Encrypt(key, emptyPlaintext) + ciphertext, encErr := CBCPKCS7Encrypt(key, emptyPlaintext) if encErr != nil { t.Fatalf("Error encrypting '%v'", encErr) } - // Expected ciphertext length: primitives.AESKeyLength (=32) + // Expected ciphertext length: AESKeyLength (=32) // As part of the padding, at least one block gets encrypted (while the first block is the IV) const expectedLength = aes.BlockSize + aes.BlockSize if len(ciphertext) != expectedLength { @@ -283,14 +283,14 @@ func TestCBCPKCS7Encrypt_EmptyPlaintext(t *testing.T) { // TestCBCEncrypt_EmptyPlaintext encrypts an empty message. Verifying as well that the ciphertext length is as expected. func TestCBCEncrypt_EmptyPlaintext(t *testing.T) { - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) t.Log("Generated key: ", key) var emptyPlaintext = []byte("") t.Log("Message length: ", len(emptyPlaintext)) - ciphertext, encErr := primitives.CBCEncrypt(key, emptyPlaintext) + ciphertext, encErr := CBCEncrypt(key, emptyPlaintext) if encErr != nil { } @@ -314,13 +314,13 @@ func TestCBCPKCS7Encrypt_VerifyRandomIVs(t *testing.T) { var ptext = []byte("a message to encrypt") - ciphertext1, err := primitives.CBCPKCS7Encrypt(key, ptext) + ciphertext1, err := CBCPKCS7Encrypt(key, ptext) if err != nil { t.Fatalf("Error encrypting '%s': %s", ptext, err) } // Expecting a different IV if same message is encrypted with same key - ciphertext2, err := primitives.CBCPKCS7Encrypt(key, ptext) + ciphertext2, err := CBCPKCS7Encrypt(key, ptext) if err != nil { t.Fatalf("Error encrypting '%s': %s", ptext, err) } @@ -349,7 +349,7 @@ func TestCBCPKCS7Encrypt_CorrectCiphertextLengthCheck(t *testing.T) { var ptext = []byte("0123456789ABCDEF") for i := 1; i < aes.BlockSize; i++ { - ciphertext, err := primitives.CBCPKCS7Encrypt(key, ptext[:i]) + ciphertext, err := CBCPKCS7Encrypt(key, ptext[:i]) if err != nil { t.Fatal("Error encrypting '", ptext, "'") } @@ -374,12 +374,12 @@ func TestCBCEncryptCBCDecrypt_KeyMismatch(t *testing.T) { wrongKey[0] = key[0] + 1 var ptext = []byte("1234567890ABCDEF") - encrypted, encErr := primitives.CBCEncrypt(key, ptext) + encrypted, encErr := CBCEncrypt(key, ptext) if encErr != nil { t.Fatalf("Error encrypting '%s': %v", ptext, encErr) } - decrypted, decErr := primitives.CBCDecrypt(wrongKey, encrypted) + decrypted, decErr := CBCDecrypt(wrongKey, encrypted) if decErr != nil { t.Fatalf("Error decrypting '%s': %v", ptext, decErr) } @@ -392,18 +392,18 @@ func TestCBCEncryptCBCDecrypt_KeyMismatch(t *testing.T) { // TestCBCEncryptCBCDecrypt encrypts with CBCEncrypt and decrypt with CBCDecrypt. func TestCBCEncryptCBCDecrypt(t *testing.T) { - key := make([]byte, primitives.AESKeyLength) + key := make([]byte, AESKeyLength) rand.Reader.Read(key) // 1234567890123456 var ptext = []byte("a 16 byte messag") - encrypted, encErr := primitives.CBCEncrypt(key, ptext) + encrypted, encErr := CBCEncrypt(key, ptext) if encErr != nil { t.Fatalf("Error encrypting '%s': %v", ptext, encErr) } - decrypted, decErr := primitives.CBCDecrypt(key, encrypted) + decrypted, decErr := CBCDecrypt(key, encrypted) if decErr != nil { t.Fatalf("Error decrypting '%s': %v", ptext, decErr) } @@ -416,7 +416,7 @@ func TestCBCEncryptCBCDecrypt(t *testing.T) { // TestAESRelatedUtilFunctions tests various functions commonly used in fabric wrt AES func TestAESRelatedUtilFunctions(t *testing.T) { - key, err := primitives.GenAESKey() + key, err := GenAESKey() if err != nil { t.Fatalf("Failed generating AES key [%s]", err) } @@ -431,12 +431,12 @@ func TestAESRelatedUtilFunctions(t *testing.T) { t.Fatalf("Failed generating AES key [%s]", err) } - ct, err := primitives.CBCPKCS7Encrypt(key, msg) + ct, err := CBCPKCS7Encrypt(key, msg) if err != nil { t.Fatalf("Failed encrypting [%s]", err) } - msg2, err := primitives.CBCPKCS7Decrypt(key, ct) + msg2, err := CBCPKCS7Decrypt(key, ct) if err != nil { t.Fatalf("Failed decrypting [%s]", err) } @@ -451,14 +451,14 @@ func TestAESRelatedUtilFunctions(t *testing.T) { // TestVariousAESKeyEncoding tests some AES <-> PEM conversions func TestVariousAESKeyEncoding(t *testing.T) { - key, err := primitives.GenAESKey() + key, err := GenAESKey() if err != nil { t.Fatalf("Failed generating AES key [%s]", err) } // PEM format - pem := primitives.AEStoPEM(key) - keyFromPEM, err := primitives.PEMtoAES(pem, nil) + pem := AEStoPEM(key) + keyFromPEM, err := PEMtoAES(pem, nil) if err != nil { t.Fatalf("Failed converting PEM to AES key [%s]", err) } @@ -467,11 +467,11 @@ func TestVariousAESKeyEncoding(t *testing.T) { } // Encrypted PEM format - pem, err = primitives.AEStoEncryptedPEM(key, []byte("passwd")) + pem, err = AEStoEncryptedPEM(key, []byte("passwd")) if err != nil { t.Fatalf("Failed converting AES key to Encrypted PEM [%s]", err) } - keyFromPEM, err = primitives.PEMtoAES(pem, []byte("passwd")) + keyFromPEM, err = PEMtoAES(pem, []byte("passwd")) if err != nil { t.Fatalf("Failed converting encrypted PEM to AES key [%s]", err) } diff --git a/core/crypto/primitives/ecdsa.go b/accesscontrol/crypto/utils/ecdsa.go similarity index 88% rename from core/crypto/primitives/ecdsa.go rename to accesscontrol/crypto/utils/ecdsa.go index ed7aace3d1f..ef9fdc28665 100644 --- a/core/crypto/primitives/ecdsa.go +++ b/accesscontrol/crypto/utils/ecdsa.go @@ -14,13 +14,15 @@ See the License for the specific language governing permissions and limitations under the License. */ -package primitives +package utils import ( "crypto/ecdsa" "crypto/rand" "encoding/asn1" "math/big" + + "github.com/hyperledger/fabric/core/crypto/primitives" ) // ECDSASignature represents an ECDSA signature @@ -30,13 +32,13 @@ type ECDSASignature struct { // NewECDSAKey generates a new ECDSA Key func NewECDSAKey() (*ecdsa.PrivateKey, error) { - return ecdsa.GenerateKey(GetDefaultCurve(), rand.Reader) + return ecdsa.GenerateKey(primitives.GetDefaultCurve(), rand.Reader) } // ECDSASign signs func ECDSASign(signKey interface{}, msg []byte) ([]byte, error) { temp := signKey.(*ecdsa.PrivateKey) - h := Hash(msg) + h := primitives.Hash(msg) r, s, err := ecdsa.Sign(rand.Reader, temp, h) if err != nil { return nil, err diff --git a/core/crypto/utils/io.go b/accesscontrol/crypto/utils/io.go similarity index 100% rename from core/crypto/utils/io.go rename to accesscontrol/crypto/utils/io.go diff --git a/core/crypto/primitives/keys.go b/accesscontrol/crypto/utils/keys.go similarity index 98% rename from core/crypto/primitives/keys.go rename to accesscontrol/crypto/utils/keys.go index ab690d4e8bb..2bfb4de2c00 100644 --- a/core/crypto/primitives/keys.go +++ b/accesscontrol/crypto/utils/keys.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package primitives +package utils import ( "crypto/rand" diff --git a/core/crypto/primitives/x509.go b/accesscontrol/crypto/utils/x509.go similarity index 96% rename from core/crypto/primitives/x509.go rename to accesscontrol/crypto/utils/x509.go index 6beb32e1cee..5b2c022acbf 100644 --- a/core/crypto/primitives/x509.go +++ b/accesscontrol/crypto/utils/x509.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package primitives +package utils import ( "crypto/rand" @@ -25,8 +25,6 @@ import ( "math/big" "net" "time" - - "github.com/hyperledger/fabric/core/crypto/utils" ) var ( @@ -54,7 +52,7 @@ func DERToX509Certificate(asn1Data []byte) (*x509.Certificate, error) { // of unhandled critical extensions func GetCriticalExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) ([]byte, error) { for i, ext := range cert.UnhandledCriticalExtensions { - if utils.IntArrayEquals(ext, oid) { + if IntArrayEquals(ext, oid) { cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[:i], cert.UnhandledCriticalExtensions[i+1:]...) break @@ -62,7 +60,7 @@ func GetCriticalExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) ([] } for _, ext := range cert.Extensions { - if utils.IntArrayEquals(ext.Id, oid) { + if IntArrayEquals(ext.Id, oid) { return ext.Value, nil } } diff --git a/core/chaincode/shim/crypto/attr/attr_support.go b/core/chaincode/shim/crypto/attr/attr_support.go index 35883c66001..fb2f6a9709b 100644 --- a/core/chaincode/shim/crypto/attr/attr_support.go +++ b/core/chaincode/shim/crypto/attr/attr_support.go @@ -21,8 +21,8 @@ import ( "crypto/x509" "errors" - "github.com/hyperledger/fabric/core/crypto/attributes" - "github.com/hyperledger/fabric/core/crypto/primitives" + "github.com/hyperledger/fabric/accesscontrol/attributes" + "github.com/hyperledger/fabric/accesscontrol/crypto/utils" ) //Attribute defines a name, value pair to be verified. @@ -112,7 +112,7 @@ func NewAttributesHandlerImpl(holder chaincodeHolder) (*AttributesHandlerImpl, e return nil, errors.New("The certificate can't be nil.") } var tcert *x509.Certificate - tcert, err = primitives.DERToX509Certificate(certRaw) + tcert, err = utils.DERToX509Certificate(certRaw) if err != nil { return nil, err } diff --git a/core/chaincode/shim/crypto/ecdsa/ecdsa_test.go b/core/chaincode/shim/crypto/ecdsa/ecdsa_test.go index 008367ea1f6..dbf533be1a0 100644 --- a/core/chaincode/shim/crypto/ecdsa/ecdsa_test.go +++ b/core/chaincode/shim/crypto/ecdsa/ecdsa_test.go @@ -19,6 +19,7 @@ package ecdsa import ( "testing" + "github.com/hyperledger/fabric/accesscontrol/crypto/utils" "github.com/hyperledger/fabric/core/crypto/primitives" ) @@ -26,13 +27,13 @@ func TestSignatureVerifier(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 256) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -54,13 +55,13 @@ func TestSignatureVerifierSHA2(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 256) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -82,13 +83,13 @@ func TestSignatureVerifierSHA2_384(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 384) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -110,13 +111,13 @@ func TestSignatureVerifierSHA3_384(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 384) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -138,13 +139,13 @@ func TestSignatureVerifierSHA2_512(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA2", 512) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } @@ -166,13 +167,13 @@ func TestSignatureVerifierSHA3_512(t *testing.T) { // Create a signature primitives.SetSecurityLevel("SHA3", 512) - cert, key, err := primitives.NewSelfSignedCert() + cert, key, err := utils.NewSelfSignedCert() if err != nil { t.Fatal(err) } message := []byte("Hello World!") - signature, err := primitives.ECDSASign(key, message) + signature, err := utils.ECDSASign(key, message) if err != nil { t.Fatal(err) } diff --git a/core/crypto/primitives/hash.go b/core/crypto/primitives/hash.go index 53230108ebb..c6bdd27aa2b 100644 --- a/core/crypto/primitives/hash.go +++ b/core/crypto/primitives/hash.go @@ -43,9 +43,9 @@ func NewHash() hash.Hash { // Hash hashes the msh using the predefined hash function func Hash(msg []byte) []byte { - hash := NewHash() - hash.Write(msg) - return hash.Sum(nil) + h := NewHash() + h.Write(msg) + return h.Sum(nil) } // HMAC hmacs x using key key @@ -63,8 +63,3 @@ func HMACTruncated(key, x []byte, truncation int) []byte { return mac.Sum(nil)[:truncation] } - -// HMACAESTruncated hmacs x using key key and truncate to AESKeyLength -func HMACAESTruncated(key, x []byte) []byte { - return HMACTruncated(key, x, AESKeyLength) -} diff --git a/core/crypto/primitives/random.go b/core/crypto/primitives/random.go index 43f4e6655cf..d81a7ed5405 100644 --- a/core/crypto/primitives/random.go +++ b/core/crypto/primitives/random.go @@ -18,6 +18,11 @@ package primitives import "crypto/rand" +const ( + // NonceSize is the default NonceSize + NonceSize = 24 +) + // GetRandomBytes returns len random looking bytes func GetRandomBytes(len int) ([]byte, error) { key := make([]byte, len)