func storeCert(alias string, der []byte, t *testing.T) {
err := ioutil.WriteFile(filepath.Join(".obcca/", alias), utils.DERCertToPEM(der), 0700)
if err != nil {
t.Logf("Failed storing certificate [%s]: [%s]", alias, err)
t.Fail()
}
}
func (node *nodeImpl) retrieveTCACertsChain(userID string) error {
// Retrieve TCA certificate and verify it
tcaCertRaw, err := node.getTCACertificate()
if err != nil {
node.log.Error("Failed getting TCA certificate [%s].", err.Error())
return err
}
node.log.Debug("TCA certificate [%s]", utils.EncodeBase64(tcaCertRaw))
// TODO: Test TCA cert againt root CA
_, err = utils.DERToX509Certificate(tcaCertRaw)
if err != nil {
node.log.Error("Failed parsing TCA certificate [%s].", err.Error())
return err
}
// Store TCA cert
node.log.Debug("Storing TCA certificate for validator [%s]...", userID)
err = ioutil.WriteFile(node.conf.getTCACertsChainPath(), utils.DERCertToPEM(tcaCertRaw), 0700)
if err != nil {
node.log.Error("Failed storing tca certificate [%s].", err.Error())
return err
}
return nil
}
func (node *nodeImpl) retrieveTLSCertificate(id, affiliation string) error {
key, tlsCertRaw, err := node.getTLSCertificateFromTLSCA(id, affiliation)
if err != nil {
node.log.Error("Failed getting tls certificate [id=%s] %s", id, err)
return err
}
node.log.Info("Register:cert %s", utils.EncodeBase64(tlsCertRaw))
// Store enrollment key
node.log.Info("Storing enrollment key and certificate for user [%s]...", id)
rawKey, err := utils.PrivateKeyToPEM(key)
if err != nil {
node.log.Error("Failed converting tls key to PEM [id=%s]: %s", id, err)
return err
}
err = ioutil.WriteFile(node.conf.getTLSKeyPath(), rawKey, 0700)
if err != nil {
node.log.Error("Failed storing tls key [id=%s]: %s", id, err)
return err
}
// Store tls cert
err = ioutil.WriteFile(node.conf.getTLSCertPath(), utils.DERCertToPEM(tlsCertRaw), 0700)
if err != nil {
node.log.Error("Failed storing tls certificate [id=%s]: %s", id, err)
return err
}
return nil
}
func (ks *keyStore) storeCert(alias string, der []byte) error {
err := ioutil.WriteFile(ks.conf.getPathForAlias(alias), utils.DERCertToPEM(der), 0700)
if err != nil {
ks.log.Error("Failed storing certificate [%s]: [%s]", alias, err)
return err
}
return nil
}
func (node *nodeImpl) retrieveEnrollmentData(userID, pwd string) error {
key, enrollCertRaw, enrollChainKey, err := node.getEnrollmentCertificateFromECA(userID, pwd)
if err != nil {
node.log.Error("Failed getting enrollment certificate [id=%s] ", userID, err)
return err
}
node.log.Debug("Enrollment certificate [%s].", utils.EncodeBase64(enrollCertRaw))
// validatorLogger.Info("Register:key ", utils.EncodeBase64(key))
// Store enrollment key
node.log.Debug("Storing enrollment data for user [%s]...", userID)
rawKey, err := utils.PrivateKeyToPEM(key)
if err != nil {
node.log.Error("Failed converting enrollment key to PEM [id=%s]: ", userID, err)
return err
}
err = ioutil.WriteFile(node.conf.getEnrollmentKeyPath(), rawKey, 0700)
if err != nil {
node.log.Error("Failed storing enrollment key [id=%s]: ", userID, err)
return err
}
// Store enrollment cert
err = ioutil.WriteFile(node.conf.getEnrollmentCertPath(), utils.DERCertToPEM(enrollCertRaw), 0700)
if err != nil {
node.log.Error("Failed storing enrollment certificate [id=%s]: ", userID, err)
return err
}
// Store enrollment id
err = ioutil.WriteFile(node.conf.getEnrollmentIDPath(), []byte(userID), 0700)
if err != nil {
node.log.Error("Failed storing enrollment certificate [id=%s]: ", userID, err)
return err
}
// Store enrollment chain key
err = ioutil.WriteFile(node.conf.getEnrollmentChainKeyPath(), utils.AEStoPEM(enrollChainKey), 0700)
if err != nil {
node.log.Error("Failed storing enrollment chain key [id=%s]: ", userID, err)
return err
}
return nil
}
// GetEnrollmentCert retrieves the enrollment certificate for a given user.
func (s *ServerOpenchainREST) GetEnrollmentCert(rw web.ResponseWriter, req *web.Request) {
// Parse out the user enrollment ID
enrollmentID := req.PathParams["id"]
if restLogger.IsEnabledFor(logging.DEBUG) {
restLogger.Debug("REST received enrollment certificate retrieval request for registrationID '%s'", enrollmentID)
}
// If security is enabled, initialize the crypto client
if viper.GetBool("security.enabled") {
if restLogger.IsEnabledFor(logging.DEBUG) {
restLogger.Debug("Initializing secure client using context '%s'", enrollmentID)
}
// Initialize the security client
sec, err := crypto.InitClient(enrollmentID, nil)
if err != nil {
rw.WriteHeader(http.StatusBadRequest)
fmt.Fprintf(rw, "{\"Error\": \"%s\"}", err)
restLogger.Error(fmt.Sprintf("{\"Error\": \"%s\"}", err))
return
}
// Obtain the client CertificateHandler
handler, err := sec.GetEnrollmentCertificateHandler()
if err != nil {
rw.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(rw, "{\"Error\": \"%s\"}", err)
restLogger.Error(fmt.Sprintf("{\"Error\": \"%s\"}", err))
return
}
// Certificate handler can not be hil
if handler == nil {
rw.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(rw, "{\"Error\": \"Error retrieving certificate handler.\"}")
restLogger.Error("{\"Error\": \"Error retrieving certificate handler.\"}")
return
}
// Obtain the DER encoded certificate
certDER := handler.GetCertificate()
// Confirm the retrieved enrollment certificate is not nil
if certDER == nil {
rw.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(rw, "{\"Error\": \"Enrollment certificate is nil.\"}")
restLogger.Error("{\"Error\": \"Enrollment certificate is nil.\"}")
return
}
// Confirm the retrieved enrollment certificate has non-zero length
if len(certDER) == 0 {
rw.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(rw, "{\"Error\": \"Enrollment certificate length is 0.\"}")
restLogger.Error("{\"Error\": \"Enrollment certificate length is 0.\"}")
return
}
// Transforms the DER encoded certificate to a PEM encoded certificate
certPEM := utils.DERCertToPEM(certDER)
// As the enrollment certifiacate contains \n characters, url encode it before outputting
urlEncodedCert := url.QueryEscape(string(certPEM))
// Close the security client
crypto.CloseClient(sec)
rw.WriteHeader(http.StatusOK)
fmt.Fprintf(rw, "{\"OK\": \"%s\"}", urlEncodedCert)
if restLogger.IsEnabledFor(logging.DEBUG) {
restLogger.Debug("Sucessfully retrieved enrollment certificate for secure context '%s'", enrollmentID)
}
} else {
// Security must be enabled to request enrollment certificates
rw.WriteHeader(http.StatusBadRequest)
fmt.Fprintf(rw, "{\"Error\": \"Security functionality must be enabled before requesting client certificates.\"}")
restLogger.Error("{\"Error\": \"Security functionality must be enabled before requesting client certificates.\"}")
return
}
}
