// ReadCertAttribute returns the value specified by `attributeName` from the transaction tCert.
func (stub *ChaincodeStub) ReadCertAttribute(attributeName string) ([]byte, error) {
tcertder := stub.securityContext.CallerCert
tcert, err := utils.DERToX509Certificate(tcertder)
if err != nil {
return nil, err
}
var headerRaw []byte
if headerRaw, err = utils.GetCriticalExtension(tcert, utils.TCertAttributesHeaders); err != nil {
return nil, err
}
headerStr := string(headerRaw)
var header map[string]int
header, err = stub.parseHeader(headerStr)
if err != nil {
return nil, err
}
position := header[attributeName]
if position == 0 {
return nil, errors.New("Failed attribute doesn't exists in the TCert.")
}
oid := asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9 + position}
var value []byte
if value, err = utils.GetCriticalExtension(tcert, oid); err != nil {
return nil, err
}
return value, nil
}
// CertAttributes returns all the attributes stored in the transaction tCert.
func (stub *ChaincodeStub) CertAttributes() ([]string, error) {
tcertder := stub.securityContext.CallerCert
tcert, err := utils.DERToX509Certificate(tcertder)
if err != nil {
return nil, err
}
var headerRaw []byte
if headerRaw, err = utils.GetCriticalExtension(tcert, utils.TCertAttributesHeaders); err != nil {
return nil, err
}
headerStr := string(headerRaw)
var header map[string]int
header, err = stub.parseHeader(headerStr)
if err != nil {
return nil, err
}
attributes := make([]string, len(header))
count := 0
for k := range header {
attributes[count] = k
count++
}
return attributes, nil
}
func (client *clientImpl) getTCertFromExternalDER(der []byte) (tCert, error) {
// DER to x509
x509Cert, err := utils.DERToX509Certificate(der)
if err != nil {
client.debug("Failed parsing certificate [% x]: [%s].", der, err)
return nil, err
}
// Handle Critical Extension TCertEncTCertIndex
if _, err = utils.GetCriticalExtension(x509Cert, utils.TCertEncTCertIndex); err != nil {
client.error("Failed getting extension TCERT_ENC_TCERTINDEX [% x]: [%s].", der, err)
return nil, err
}
// Handle Critical Extension TCertEncEnrollmentID TODO validate encEnrollmentID
_, err = utils.GetCriticalExtension(x509Cert, utils.TCertEncEnrollmentID)
if err != nil {
client.error("Failed getting extension TCERT_ENC_ENROLLMENT_ID [%s].", err.Error())
return nil, err
}
// Handle Critical Extension TCertAttributes
// for i := 0; i < len(x509Cert.Extensions) - 2; i++ {
// attributeExtensionIdentifier := append(utils.TCertEncAttributesBase, i + 9)
// _ , err = utils.GetCriticalExtension(x509Cert, attributeExtensionIdentifier)
// if err != nil {
// client.error("Failed getting extension TCERT_ATTRIBUTE_%s [%s].", i, err.Error())
//
// return nil, err
// }
// }
// Verify certificate against root
if _, err := utils.CheckCertAgainRoot(x509Cert, client.tcaCertPool); err != nil {
client.warning("Warning verifing certificate [% x]: [%s].", der, err)
return nil, err
}
return &tCertImpl{client, x509Cert, nil}, nil
}
// Read the attribute with name 'attributeName' from the der encoded x509.Certificate 'tcertder'.
func (client *clientImpl) ReadAttribute(attributeName string, tcertder []byte) ([]byte, error) {
tcert, err := utils.DERToX509Certificate(tcertder)
if err != nil {
client.debug("Failed parsing certificate [% x]: [%s].", tcertder, err)
return nil, err
}
var headerRaw []byte
if headerRaw, err = utils.GetCriticalExtension(tcert, utils.TCertAttributesHeaders); err != nil {
client.error("Failed getting extension TCERT_ATTRIBUTES_HEADER [% x]: [%s].", tcertder, err)
return nil, err
}
headerStr := string(headerRaw)
var header map[string]int
header, err = client.parseHeader(headerStr)
if err != nil {
return nil, err
}
position := header[attributeName]
if position == 0 {
return nil, errors.New("Failed attribute doesn't exists in the TCert.")
}
oid := asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9 + position}
var value []byte
if value, err = utils.GetCriticalExtension(tcert, oid); err != nil {
client.error("Failed getting extension Attribute Value [% x]: [%s].", tcertder, err)
return nil, err
}
return value, nil
}
func (peer *peerImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
// Prepare the request
peer.debug("Reading certificate for hash [% x]", id)
req := &membersrvc.Hash{Hash: id}
response, err := peer.callECAReadCertificateByHash(context.Background(), req)
if err != nil {
peer.error("Failed requesting enrollment certificate [%s].", err.Error())
return nil, nil, err
}
peer.debug("Certificate for hash [% x] = [% x][% x]", id, response.Sign, response.Enc)
// Verify response.Sign
x509Cert, err := utils.DERToX509Certificate(response.Sign)
if err != nil {
peer.error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, err
}
// Check role
roleRaw, err := utils.GetCriticalExtension(x509Cert, ECertSubjectRole)
if err != nil {
peer.error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, err
}
role, err := strconv.ParseInt(string(roleRaw), 10, len(roleRaw)*8)
if err != nil {
peer.error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, err
}
if membersrvc.Role(role) != membersrvc.Role_VALIDATOR && membersrvc.Role(role) != membersrvc.Role_PEER {
peer.error("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator or peer: [%s]", err)
return nil, nil, err
}
return response.Sign, response.Enc, nil
}
func (client *clientImpl) getTCertsFromTCA(num int) error {
client.debug("Get [%d] certificates from the TCA...", num)
// Contact the TCA
TCertOwnerKDFKey, certDERs, err := client.callTCACreateCertificateSet(num)
if err != nil {
client.debug("Failed contacting TCA [%s].", err.Error())
return err
}
// client.debug("TCertOwnerKDFKey [%s].", utils.EncodeBase64(TCertOwnerKDFKey))
// Store TCertOwnerKDFKey and checks that every time it is always the same key
if client.tCertOwnerKDFKey != nil {
// Check that the keys are the same
equal := bytes.Equal(client.tCertOwnerKDFKey, TCertOwnerKDFKey)
if !equal {
return errors.New("Failed reciving kdf key from TCA. The keys are different.")
}
} else {
client.tCertOwnerKDFKey = TCertOwnerKDFKey
// TODO: handle this situation more carefully
if err := client.storeTCertOwnerKDFKey(); err != nil {
client.error("Failed storing TCertOwnerKDFKey [%s].", err.Error())
return err
}
}
// Validate the Certificates obtained
TCertOwnerEncryptKey := primitives.HMACAESTruncated(client.tCertOwnerKDFKey, []byte{1})
ExpansionKey := primitives.HMAC(client.tCertOwnerKDFKey, []byte{2})
j := 0
for i := 0; i < num; i++ {
// DER to x509
x509Cert, err := utils.DERToX509Certificate(certDERs[i].Cert)
if err != nil {
client.debug("Failed parsing certificate [% x]: [%s].", certDERs[i].Cert, err)
continue
}
// Handle Critical Extenstion TCertEncTCertIndex
tCertIndexCT, err := utils.GetCriticalExtension(x509Cert, utils.TCertEncTCertIndex)
if err != nil {
client.error("Failed getting extension TCERT_ENC_TCERTINDEX [% x]: [%s].", err)
continue
}
// Verify certificate against root
if _, err := utils.CheckCertAgainRoot(x509Cert, client.tcaCertPool); err != nil {
client.warning("Warning verifing certificate [%s].", err.Error())
continue
}
// Verify public key
// 384-bit ExpansionValue = HMAC(Expansion_Key, TCertIndex)
// Let TCertIndex = Timestamp, RandValue, 1,2,…
// Timestamp assigned, RandValue assigned and counter reinitialized to 1 per batch
// Decrypt ct to TCertIndex (TODO: || EnrollPub_Key || EnrollID ?)
pt, err := primitives.CBCPKCS7Decrypt(TCertOwnerEncryptKey, tCertIndexCT)
if err != nil {
client.error("Failed decrypting extension TCERT_ENC_TCERTINDEX [%s].", err.Error())
continue
}
// Compute ExpansionValue based on TCertIndex
TCertIndex := pt
// TCertIndex := []byte(strconv.Itoa(i))
client.debug("TCertIndex: [% x].", TCertIndex)
mac := hmac.New(primitives.NewHash, ExpansionKey)
mac.Write(TCertIndex)
ExpansionValue := mac.Sum(nil)
// Derive tpk and tsk accordingly to ExapansionValue from enrollment pk,sk
// Computable by TCA / Auditor: TCertPub_Key = EnrollPub_Key + ExpansionValue G
// using elliptic curve point addition per NIST FIPS PUB 186-4- specified P-384
// Compute temporary secret key
tempSK := &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: client.enrollPrivKey.Curve,
X: new(big.Int),
Y: new(big.Int),
},
D: new(big.Int),
}
var k = new(big.Int).SetBytes(ExpansionValue)
var one = new(big.Int).SetInt64(1)
n := new(big.Int).Sub(client.enrollPrivKey.Params().N, one)
k.Mod(k, n)
k.Add(k, one)
tempSK.D.Add(client.enrollPrivKey.D, k)
tempSK.D.Mod(tempSK.D, client.enrollPrivKey.PublicKey.Params().N)
// Compute temporary public key
tempX, tempY := client.enrollPrivKey.PublicKey.ScalarBaseMult(k.Bytes())
tempSK.PublicKey.X, tempSK.PublicKey.Y =
tempSK.PublicKey.Add(
client.enrollPrivKey.PublicKey.X, client.enrollPrivKey.PublicKey.Y,
tempX, tempY,
)
// Verify temporary public key is a valid point on the reference curve
isOn := tempSK.Curve.IsOnCurve(tempSK.PublicKey.X, tempSK.PublicKey.Y)
if !isOn {
client.error("Failed temporary public key IsOnCurve check.")
continue
}
// Check that the derived public key is the same as the one in the certificate
certPK := x509Cert.PublicKey.(*ecdsa.PublicKey)
if certPK.X.Cmp(tempSK.PublicKey.X) != 0 {
client.error("Derived public key is different on X")
continue
}
if certPK.Y.Cmp(tempSK.PublicKey.Y) != 0 {
client.error("Derived public key is different on Y")
continue
}
// Verify the signing capability of tempSK
err = primitives.VerifySignCapability(tempSK, x509Cert.PublicKey)
if err != nil {
client.error("Failed verifing signing capability [%s].", err.Error())
continue
}
// Marshall certificate and secret key to be stored in the database
if err != nil {
client.error("Failed marshalling private key [%s].", err.Error())
continue
}
if err := utils.CheckCertPKAgainstSK(x509Cert, interface{}(tempSK)); err != nil {
client.error("Failed checking TCA cert PK against private key [%s].", err.Error())
continue
}
client.debug("Sub index [%d]", j)
j++
client.debug("Certificate [%d] validated.", i)
client.tCertPool.AddTCert(&tCertImpl{client, x509Cert, tempSK})
}
if j == 0 {
client.error("No valid TCert was sent")
return errors.New("No valid TCert was sent.")
}
return nil
}
func (client *clientImpl) getTCertFromDER(der []byte) (tCert tCert, err error) {
if client.tCertOwnerKDFKey == nil {
return nil, fmt.Errorf("KDF key not initialized yet")
}
TCertOwnerEncryptKey := primitives.HMACAESTruncated(client.tCertOwnerKDFKey, []byte{1})
ExpansionKey := primitives.HMAC(client.tCertOwnerKDFKey, []byte{2})
// DER to x509
x509Cert, err := utils.DERToX509Certificate(der)
if err != nil {
client.debug("Failed parsing certificate [% x]: [%s].", der, err)
return
}
// Handle Critical Extenstion TCertEncTCertIndex
tCertIndexCT, err := utils.GetCriticalExtension(x509Cert, utils.TCertEncTCertIndex)
if err != nil {
client.error("Failed getting extension TCERT_ENC_TCERTINDEX [%s].", err.Error())
return
}
// Verify certificate against root
if _, err = utils.CheckCertAgainRoot(x509Cert, client.tcaCertPool); err != nil {
client.warning("Warning verifing certificate [%s].", err.Error())
return
}
// Verify public key
// 384-bit ExpansionValue = HMAC(Expansion_Key, TCertIndex)
// Let TCertIndex = Timestamp, RandValue, 1,2,…
// Timestamp assigned, RandValue assigned and counter reinitialized to 1 per batch
// Decrypt ct to TCertIndex (TODO: || EnrollPub_Key || EnrollID ?)
pt, err := primitives.CBCPKCS7Decrypt(TCertOwnerEncryptKey, tCertIndexCT)
if err != nil {
client.error("Failed decrypting extension TCERT_ENC_TCERTINDEX [%s].", err.Error())
return
}
// Compute ExpansionValue based on TCertIndex
TCertIndex := pt
// TCertIndex := []byte(strconv.Itoa(i))
client.debug("TCertIndex: [% x].", TCertIndex)
mac := hmac.New(primitives.NewHash, ExpansionKey)
mac.Write(TCertIndex)
ExpansionValue := mac.Sum(nil)
// Derive tpk and tsk accordingly to ExapansionValue from enrollment pk,sk
// Computable by TCA / Auditor: TCertPub_Key = EnrollPub_Key + ExpansionValue G
// using elliptic curve point addition per NIST FIPS PUB 186-4- specified P-384
// Compute temporary secret key
tempSK := &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: client.enrollPrivKey.Curve,
X: new(big.Int),
Y: new(big.Int),
},
D: new(big.Int),
}
var k = new(big.Int).SetBytes(ExpansionValue)
var one = new(big.Int).SetInt64(1)
n := new(big.Int).Sub(client.enrollPrivKey.Params().N, one)
k.Mod(k, n)
k.Add(k, one)
tempSK.D.Add(client.enrollPrivKey.D, k)
tempSK.D.Mod(tempSK.D, client.enrollPrivKey.PublicKey.Params().N)
// Compute temporary public key
tempX, tempY := client.enrollPrivKey.PublicKey.ScalarBaseMult(k.Bytes())
tempSK.PublicKey.X, tempSK.PublicKey.Y =
tempSK.PublicKey.Add(
client.enrollPrivKey.PublicKey.X, client.enrollPrivKey.PublicKey.Y,
tempX, tempY,
)
// Verify temporary public key is a valid point on the reference curve
isOn := tempSK.Curve.IsOnCurve(tempSK.PublicKey.X, tempSK.PublicKey.Y)
if !isOn {
client.error("Failed temporary public key IsOnCurve check.")
return nil, fmt.Errorf("Failed temporary public key IsOnCurve check.")
}
// Check that the derived public key is the same as the one in the certificate
certPK := x509Cert.PublicKey.(*ecdsa.PublicKey)
if certPK.X.Cmp(tempSK.PublicKey.X) != 0 {
client.error("Derived public key is different on X")
return nil, fmt.Errorf("Derived public key is different on X")
}
if certPK.Y.Cmp(tempSK.PublicKey.Y) != 0 {
client.error("Derived public key is different on Y")
return nil, fmt.Errorf("Derived public key is different on Y")
}
// Verify the signing capability of tempSK
err = primitives.VerifySignCapability(tempSK, x509Cert.PublicKey)
if err != nil {
client.error("Failed verifing signing capability [%s].", err.Error())
return
}
// Marshall certificate and secret key to be stored in the database
if err != nil {
client.error("Failed marshalling private key [%s].", err.Error())
return
}
if err = utils.CheckCertPKAgainstSK(x509Cert, interface{}(tempSK)); err != nil {
client.error("Failed checking TCA cert PK against private key [%s].", err.Error())
return
}
tCert = &tCertImpl{client, x509Cert, tempSK}
return
}
func (node *nodeImpl) getEnrollmentCertificateFromECA(id, pw string) (interface{}, []byte, []byte, error) {
// Get a new ECA Client
sock, ecaP, err := node.getECAClient()
defer sock.Close()
// Run the protocol
signPriv, err := primitives.NewECDSAKey()
if err != nil {
node.error("Failed generating ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
signPub, err := x509.MarshalPKIXPublicKey(&signPriv.PublicKey)
if err != nil {
node.error("Failed mashalling ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
encPriv, err := primitives.NewECDSAKey()
if err != nil {
node.error("Failed generating Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
encPub, err := x509.MarshalPKIXPublicKey(&encPriv.PublicKey)
if err != nil {
node.error("Failed marshalling Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
req := &membersrvc.ECertCreateReq{
Ts: &protobuf.Timestamp{Seconds: time.Now().Unix(), Nanos: 0},
Id: &membersrvc.Identity{Id: id},
Tok: &membersrvc.Token{Tok: []byte(pw)},
Sign: &membersrvc.PublicKey{Type: membersrvc.CryptoType_ECDSA, Key: signPub},
Enc: &membersrvc.PublicKey{Type: membersrvc.CryptoType_ECDSA, Key: encPub},
Sig: nil}
resp, err := ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.error("Failed invoking CreateCertficatePair [%s].", err.Error())
return nil, nil, nil, err
}
//out, err := rsa.DecryptPKCS1v15(rand.Reader, encPriv, resp.Tok.Tok)
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
node.error("Failed parsing decrypting key [%s].", err.Error())
return nil, nil, nil, err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
node.error("Failed creating asymmetrinc cipher [%s].", err.Error())
return nil, nil, nil, err
}
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
node.error("Failed decrypting toke [%s].", err.Error())
return nil, nil, nil, err
}
req.Tok.Tok = out
req.Sig = nil
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
node.error("Failed signing [%s].", err.Error())
return nil, nil, nil, err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &membersrvc.Signature{Type: membersrvc.CryptoType_ECDSA, R: R, S: S}
resp, err = ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.error("Failed invoking CreateCertificatePair [%s].", err.Error())
return nil, nil, nil, err
}
// Verify response
// Verify cert for signing
node.debug("Enrollment certificate for signing [% x]", primitives.Hash(resp.Certs.Sign))
x509SignCert, err := utils.DERToX509Certificate(resp.Certs.Sign)
if err != nil {
node.error("Failed parsing signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
_, err = utils.GetCriticalExtension(x509SignCert, ECertSubjectRole)
if err != nil {
node.error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
err = utils.CheckCertAgainstSKAndRoot(x509SignCert, signPriv, node.ecaCertPool)
if err != nil {
node.error("Failed checking signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
// Verify cert for encrypting
node.debug("Enrollment certificate for encrypting [% x]", primitives.Hash(resp.Certs.Enc))
x509EncCert, err := utils.DERToX509Certificate(resp.Certs.Enc)
if err != nil {
node.error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
_, err = utils.GetCriticalExtension(x509EncCert, ECertSubjectRole)
if err != nil {
node.error("Failed parsing ECertSubjectRole in enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
err = utils.CheckCertAgainstSKAndRoot(x509EncCert, encPriv, node.ecaCertPool)
if err != nil {
node.error("Failed checking signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
return signPriv, resp.Certs.Sign, resp.Pkchain, nil
}
