Esempio n. 1
0
// ReadUserSet returns a list of users matching the parameters set in the read request.
//
func (ecaa *ECAA) ReadUserSet(ctx context.Context, in *pb.ReadUserSetReq) (*pb.UserSet, error) {
	Trace.Println("grpc ECAA:ReadUserSet")

	req := in.Req.Id
	if ecaa.eca.readRole(req)&int(pb.Role_AUDITOR) == 0 {
		return nil, errors.New("access denied")
	}

	raw, err := ecaa.eca.readCertificate(req, x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(raw)
	if err != nil {
		return nil, err
	}

	sig := in.Sig
	in.Sig = nil

	r, s := big.NewInt(0), big.NewInt(0)
	r.UnmarshalText(sig.R)
	s.UnmarshalText(sig.S)

	hash := utils.NewHash()
	raw, _ = proto.Marshal(in)
	hash.Write(raw)
	if ecdsa.Verify(cert.PublicKey.(*ecdsa.PublicKey), hash.Sum(nil), r, s) == false {
		return nil, errors.New("signature does not verify")
	}

	rows, err := ecaa.eca.readUsers(int(in.Role))
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var users []*pb.User
	if err == nil {
		for rows.Next() {
			var id string
			var role int

			err = rows.Scan(&id, &role)
			users = append(users, &pb.User{&pb.Identity{id}, pb.Role(role)})
		}
		err = rows.Err()
	}

	return &pb.UserSet{users}, err
}
Esempio n. 2
0
func (validator *validatorImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
	// Prepare the request
	validator.peer.node.log.Debug("Reading certificate for hash [%s]", utils.EncodeBase64(id))

	req := &obcca.Hash{Hash: id}
	responce, err := validator.peer.node.callECAReadCertificateByHash(context.Background(), req)
	if err != nil {
		validator.peer.node.log.Error("Failed requesting enrollment certificate [%s].", err.Error())

		return nil, nil, err
	}

	validator.peer.node.log.Debug("Certificate for hash [%s] = [%s][%s]", utils.EncodeBase64(id), utils.EncodeBase64(responce.Sign), utils.EncodeBase64(responce.Enc))

	// Verify responce.Sign
	x509Cert, err := utils.DERToX509Certificate(responce.Sign)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)

		return nil, nil, err
	}

	// Check role
	roleRaw, err := utils.GetCriticalExtension(x509Cert, ECertSubjectRole)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)

		return nil, nil, err
	}

	role, err := strconv.ParseInt(string(roleRaw), 10, len(roleRaw)*8)
	if err != nil {
		validator.peer.node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)

		return nil, nil, err
	}

	if obcca.Role(role) != obcca.Role_VALIDATOR {
		validator.peer.node.log.Error("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator: [%s]", err)

		return nil, nil, err
	}

	return responce.Sign, responce.Enc, nil
}