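// ReadUserSet returns a list of users matching the parameters set in the read request.
//
// The request is served only when the identity named in in.Req holds the
// AUDITOR role and in.Sig is a valid ECDSA signature, under that identity's
// signing certificate, over the protobuf encoding of in with Sig cleared.
// On any failure an error is returned and no user set is produced. A
// malformed request (nil in, Req or Sig) is rejected before the database is
// touched instead of panicking the server.
func (ecaa *ECAA) ReadUserSet(ctx context.Context, in *pb.ReadUserSetReq) (*pb.UserSet, error) {
	Trace.Println("grpc ECAA:ReadUserSet")

	// Both pointers are dereferenced below; reject a malformed request up front.
	if in == nil || in.Req == nil || in.Sig == nil {
		return nil, errors.New("invalid request")
	}
	callerID := in.Req.Id

	// Authorization: only auditors may enumerate users.
	if ecaa.eca.readRole(callerID)&int(pb.Role_AUDITOR) == 0 {
		return nil, errors.New("access denied")
	}

	// Authentication: the request must be signed with the caller's signing key.
	raw, err := ecaa.eca.readCertificate(callerID, x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(raw)
	if err != nil {
		return nil, err
	}
	// A checked assertion turns a non-ECDSA key into an error instead of a
	// panic that would take the server down.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("signing certificate does not contain an ECDSA public key")
	}

	// The signature covers the message with Sig cleared. Sig is restored
	// afterwards so the caller's request is left as it was received.
	sig := in.Sig
	in.Sig = nil
	raw, err = proto.Marshal(in)
	in.Sig = sig
	if err != nil {
		return nil, err
	}

	// r and s arrive as text; a value that does not parse is a malformed
	// signature, not something to feed to the verifier as zero.
	r, s := new(big.Int), new(big.Int)
	if err := r.UnmarshalText(sig.R); err != nil {
		return nil, errors.New("malformed signature")
	}
	if err := s.UnmarshalText(sig.S); err != nil {
		return nil, errors.New("malformed signature")
	}
	hash := utils.NewHash()
	hash.Write(raw)
	if !ecdsa.Verify(pub, hash.Sum(nil), r, s) {
		return nil, errors.New("signature does not verify")
	}

	rows, err := ecaa.eca.readUsers(int(in.Role))
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var users []*pb.User
	for rows.Next() {
		var (
			id   string
			role int
		)
		// A scan failure is reported rather than overwritten by the next row.
		if err := rows.Scan(&id, &role); err != nil {
			return nil, err
		}
		users = append(users, &pb.User{&pb.Identity{id}, pb.Role(role)})
	}
	if err := rows.Err(); err != nil {
		return nil, err
	}
	return &pb.UserSet{users}, nil
}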
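// roleError reports an enrollment certificate whose ECertSubjectRole
// extension does not carry the role the caller requires.
type roleError struct {
	role int64
}

// Error implements the error interface.
func (e *roleError) Error() string {
	return "invalid ECertSubjectRole in enrollment certificate for signing: not a validator (" + strconv.FormatInt(e.role, 10) + ")"
}

// getEnrollmentCertByHashFromECA fetches from the ECA the enrollment
// certificates (signing and encryption, both DER) registered under the given
// certificate hash. The signing certificate is parsed and its ECertSubjectRole
// critical extension must decode to obcca.Role_VALIDATOR; otherwise an error
// is returned and no certificate is handed back. The encryption certificate is
// returned as received, unparsed.
//
// NOTE(review): nothing here checks that the returned certificates actually
// hash to id; that binding is trusted to the ECA — confirm that is intended.
func (validator *validatorImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
	// Prepare the request
	validator.peer.node.log.Debug("Reading certificate for hash [%s]", utils.EncodeBase64(id))

	req := &obcca.Hash{Hash: id}
	resp, err := validator.peer.node.callECAReadCertificateByHash(context.Background(), req)
	if err != nil {
		validator.peer.node.log.Error("Failed requesting enrollment certificate [%s].", err.Error())
		return nil, nil, err
	}

	validator.peer.node.log.Debug("Certificate for hash [%s] = [%s][%s]", utils.EncodeBase64(id), utils.EncodeBase64(resp.Sign), utils.EncodeBase64(resp.Enc))

	// Verify resp.Sign
	x509Cert, err := utils.DERToX509Certificate(resp.Sign)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
		return nil, nil, err
	}

	// Check role
	roleRaw, err := utils.GetCriticalExtension(x509Cert, ECertSubjectRole)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}

	// The extension holds the role as a decimal string. Parse it as a full
	// 64-bit value (a bit size derived from the string length rejects any
	// string longer than eight bytes) and compare in int64 so an oversized
	// value cannot be narrowed onto the validator role.
	role, err := strconv.ParseInt(string(roleRaw), 10, 64)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}

	if role != int64(obcca.Role_VALIDATOR) {
		// err is nil on this path; returning it would report success with nil
		// certificates, so a dedicated error is built instead.
		rerr := &roleError{role: role}
		validator.peer.node.log.Error("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator: [%s]", rerr)
		return nil, nil, rerr
	}

	return resp.Sign, resp.Enc, nil
}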