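// ReadUserSet returns a list of users matching the parameters set in the read request.
//
// The caller (in.Req.Id) must hold the AUDITOR role. The request is
// authenticated by verifying in.Sig, an ECDSA signature over the
// proto-encoded request with Sig cleared, against the caller's signing
// certificate held by the ECA. in.Sig is cleared as a side effect and is
// not restored.
//
// Returns an error when the request is malformed, the caller lacks the
// role, the caller's certificate cannot be read or parsed or does not carry
// an ECDSA key, the signature does not verify, or the user query fails. On
// error the returned *pb.UserSet is nil.
func (ecaa *ECAA) ReadUserSet(ctx context.Context, in *pb.ReadUserSetReq) (*pb.UserSet, error) {
	Trace.Println("grpc ECAA:ReadUserSet")

	// Both Req and Sig are dereferenced below; reject a malformed request
	// before touching the certificate store.
	if in == nil || in.Req == nil || in.Sig == nil {
		return nil, errors.New("invalid request")
	}

	req := in.Req.Id
	if ecaa.eca.readRole(req)&int(pb.Role_AUDITOR) == 0 {
		return nil, errors.New("access denied")
	}

	raw, err := ecaa.eca.readCertificate(req, x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(raw)
	if err != nil {
		return nil, err
	}
	// Checked assertion: a certificate with a non-ECDSA key is a verification
	// failure, not a panic.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an ECDSA public key")
	}

	// The signature covers the request with Sig cleared, so clear it before
	// re-serializing.
	sig := in.Sig
	in.Sig = nil

	r, s := big.NewInt(0), big.NewInt(0)
	if err := r.UnmarshalText(sig.R); err != nil {
		return nil, errors.New("malformed signature")
	}
	if err := s.UnmarshalText(sig.S); err != nil {
		return nil, errors.New("malformed signature")
	}

	raw, err = proto.Marshal(in)
	if err != nil {
		return nil, err
	}
	hash := utils.NewHash()
	hash.Write(raw)
	if !ecdsa.Verify(pub, hash.Sum(nil), r, s) {
		return nil, errors.New("signature does not verify")
	}

	rows, err := ecaa.eca.readUsers(int(in.Role))
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var users []*pb.User
	for rows.Next() {
		var (
			id   string
			role int
		)
		// A failed Scan leaves id/role unset; do not append a bogus user.
		if err := rows.Scan(&id, &role); err != nil {
			return nil, err
		}
		users = append(users, &pb.User{&pb.Identity{id}, pb.Role(role)})
	}
	if err := rows.Err(); err != nil {
		return nil, err
	}

	return &pb.UserSet{users}, nil
}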
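// ecertRoleError reports an enrollment certificate whose ECertSubjectRole
// extension does not carry the VALIDATOR role.
type ecertRoleError struct {
	role obcca.Role
}

// Error implements the error interface.
func (e ecertRoleError) Error() string {
	return "invalid ECertSubjectRole in enrollment certificate: not a validator (role " +
		strconv.FormatInt(int64(e.role), 10) + ")"
}

// getEnrollmentCertByHashFromECA fetches the enrollment certificate pair
// (signing certificate, encryption certificate) identified by id from the
// ECA and checks that the signing certificate's ECertSubjectRole critical
// extension carries the VALIDATOR role.
//
// Returns the DER-encoded signing and encryption certificates as received
// from the ECA, or an error when the ECA call fails, the signing certificate
// cannot be parsed, the role extension is missing or malformed, or the role
// is not VALIDATOR. Only the signing certificate is parsed and checked here;
// the encryption certificate is passed through unexamined.
func (validator *validatorImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
	validator.peer.node.log.Debug("Reading certificate for hash [%s]", utils.EncodeBase64(id))

	req := &obcca.Hash{Hash: id}
	resp, err := validator.peer.node.callECAReadCertificateByHash(context.Background(), req)
	if err != nil {
		validator.peer.node.log.Error("Failed requesting enrollment certificate [%s].", err.Error())
		return nil, nil, err
	}

	validator.peer.node.log.Debug("Certificate for hash [%s] = [%s][%s]", utils.EncodeBase64(id), utils.EncodeBase64(resp.Sign), utils.EncodeBase64(resp.Enc))

	x509Cert, err := utils.DERToX509Certificate(resp.Sign)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
		return nil, nil, err
	}

	roleRaw, err := utils.GetCriticalExtension(x509Cert, ECertSubjectRole)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}

	// bitSize is the width of the target integer type, not the length of the
	// text: the previous len(roleRaw)*8 made ParseInt reject any role string
	// longer than 8 bytes. A protobuf enum value is an int32.
	role, err := strconv.ParseInt(string(roleRaw), 10, 32)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
		return nil, nil, err
	}

	if obcca.Role(role) != obcca.Role_VALIDATOR {
		// err is nil on this path; the previous code returned it and so
		// reported success with nil certificates for a non-validator role.
		roleErr := ecertRoleError{role: obcca.Role(role)}
		validator.peer.node.log.Error("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator: [%s]", roleErr)
		return nil, nil, roleErr
	}

	return resp.Sign, resp.Enc, nil
}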