func (node *nodeImpl) getTLSCertificateFromTLSCA(id, affiliation string) (interface{}, []byte, error) {
node.Debug("getTLSCertificate...")
priv, err := primitives.NewECDSAKey()
if err != nil {
node.Errorf("Failed generating key: %s", err)
return nil, nil, err
}
uuid := util.GenerateUUID()
// Prepare the request
pubraw, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
now := time.Now()
timestamp := timestamp.Timestamp{Seconds: int64(now.Second()), Nanos: int32(now.Nanosecond())}
req := &membersrvc.TLSCertCreateReq{
Ts: ×tamp,
Id: &membersrvc.Identity{Id: id + "-" + uuid},
Pub: &membersrvc.PublicKey{
Type: membersrvc.CryptoType_ECDSA,
Key: pubraw,
}, Sig: nil}
rawreq, _ := proto.Marshal(req)
r, s, err := ecdsa.Sign(rand.Reader, priv, primitives.Hash(rawreq))
if err != nil {
panic(err)
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &membersrvc.Signature{Type: membersrvc.CryptoType_ECDSA, R: R, S: S}
pbCert, err := node.callTLSCACreateCertificate(context.Background(), req)
if err != nil {
node.Errorf("Failed requesting tls certificate: %s", err)
return nil, nil, err
}
node.Debug("Verifing tls certificate...")
tlsCert, err := primitives.DERToX509Certificate(pbCert.Cert.Cert)
certPK := tlsCert.PublicKey.(*ecdsa.PublicKey)
primitives.VerifySignCapability(priv, certPK)
node.Debug("Verifing tls certificate...done!")
return priv, pbCert.Cert.Cert, nil
}
func BenchmarkSign(b *testing.B) {
b.StopTimer()
b.ResetTimer()
//b.Logf("#iterations %d\n", b.N)
signKey, _ := primitives.NewECDSAKey()
hash := make([]byte, 48)
for i := 0; i < b.N; i++ {
rand.Read(hash)
b.StartTimer()
primitives.ECDSASign(signKey, hash)
b.StopTimer()
}
}
func BenchmarkVerify(b *testing.B) {
b.StopTimer()
b.ResetTimer()
//b.Logf("#iterations %d\n", b.N)
signKey, _ := primitives.NewECDSAKey()
verKey := signKey.PublicKey
hash := make([]byte, 48)
for i := 0; i < b.N; i++ {
rand.Read(hash)
sigma, _ := primitives.ECDSASign(signKey, hash)
b.StartTimer()
primitives.ECDSAVerify(&verKey, hash, sigma)
b.StopTimer()
}
}
//helper function for multiple tests
func enrollUser(user *User) error {
ecap := &ECAP{eca}
// Phase 1 of the protocol: Generate crypto material
signPriv, err := primitives.NewECDSAKey()
user.enrollPrivKey = signPriv
if err != nil {
return err
}
signPub, err := x509.MarshalPKIXPublicKey(&signPriv.PublicKey)
if err != nil {
return err
}
encPriv, err := primitives.NewECDSAKey()
if err != nil {
return err
}
encPub, err := x509.MarshalPKIXPublicKey(&encPriv.PublicKey)
if err != nil {
return err
}
req := &pb.ECertCreateReq{
Ts: &google_protobuf.Timestamp{Seconds: time.Now().Unix(), Nanos: 0},
Id: &pb.Identity{Id: user.enrollID},
Tok: &pb.Token{Tok: user.enrollPwd},
Sign: &pb.PublicKey{Type: pb.CryptoType_ECDSA, Key: signPub},
Enc: &pb.PublicKey{Type: pb.CryptoType_ECDSA, Key: encPub},
Sig: nil}
resp, err := ecap.CreateCertificatePair(context.Background(), req)
if err != nil {
return err
}
//Phase 2 of the protocol
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
return err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
return err
}
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
return err
}
req.Tok.Tok = out
req.Sig = nil
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
return err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &pb.Signature{Type: pb.CryptoType_ECDSA, R: R, S: S}
resp, err = ecap.CreateCertificatePair(context.Background(), req)
if err != nil {
return err
}
// Verify we got valid crypto material back
x509SignCert, err := primitives.DERToX509Certificate(resp.Certs.Sign)
if err != nil {
return err
}
_, err = primitives.GetCriticalExtension(x509SignCert, ECertSubjectRole)
if err != nil {
return err
}
x509EncCert, err := primitives.DERToX509Certificate(resp.Certs.Enc)
if err != nil {
return err
}
_, err = primitives.GetCriticalExtension(x509EncCert, ECertSubjectRole)
if err != nil {
return err
}
return nil
}
func (node *nodeImpl) getEnrollmentCertificateFromECA(id, pw string) (interface{}, []byte, []byte, error) {
// Get a new ECA Client
sock, ecaP, err := node.getECAClient()
defer sock.Close()
// Run the protocol
signPriv, err := primitives.NewECDSAKey()
if err != nil {
node.Errorf("Failed generating ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
signPub, err := x509.MarshalPKIXPublicKey(&signPriv.PublicKey)
if err != nil {
node.Errorf("Failed mashalling ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
encPriv, err := primitives.NewECDSAKey()
if err != nil {
node.Errorf("Failed generating Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
encPub, err := x509.MarshalPKIXPublicKey(&encPriv.PublicKey)
if err != nil {
node.Errorf("Failed marshalling Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
req := &membersrvc.ECertCreateReq{
Ts: ×tamp.Timestamp{Seconds: time.Now().Unix(), Nanos: 0},
Id: &membersrvc.Identity{Id: id},
Tok: &membersrvc.Token{Tok: []byte(pw)},
Sign: &membersrvc.PublicKey{Type: membersrvc.CryptoType_ECDSA, Key: signPub},
Enc: &membersrvc.PublicKey{Type: membersrvc.CryptoType_ECDSA, Key: encPub},
Sig: nil}
resp, err := ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.Errorf("Failed invoking CreateCertficatePair [%s].", err.Error())
return nil, nil, nil, err
}
if resp.FetchResult != nil && resp.FetchResult.Status != membersrvc.FetchAttrsResult_SUCCESS {
node.Warning(resp.FetchResult.Msg)
}
//out, err := rsa.DecryptPKCS1v15(rand.Reader, encPriv, resp.Tok.Tok)
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
node.Errorf("Failed parsing decrypting key [%s].", err.Error())
return nil, nil, nil, err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
node.Errorf("Failed creating asymmetrinc cipher [%s].", err.Error())
return nil, nil, nil, err
}
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
node.Errorf("Failed decrypting toke [%s].", err.Error())
return nil, nil, nil, err
}
req.Tok.Tok = out
req.Sig = nil
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
node.Errorf("Failed signing [%s].", err.Error())
return nil, nil, nil, err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &membersrvc.Signature{Type: membersrvc.CryptoType_ECDSA, R: R, S: S}
resp, err = ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.Errorf("Failed invoking CreateCertificatePair [%s].", err.Error())
return nil, nil, nil, err
}
// Verify response
// Verify cert for signing
node.Debugf("Enrollment certificate for signing [% x]", primitives.Hash(resp.Certs.Sign))
x509SignCert, err := primitives.DERToX509Certificate(resp.Certs.Sign)
if err != nil {
node.Errorf("Failed parsing signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
_, err = primitives.GetCriticalExtension(x509SignCert, ECertSubjectRole)
if err != nil {
node.Errorf("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
err = primitives.CheckCertAgainstSKAndRoot(x509SignCert, signPriv, node.ecaCertPool)
if err != nil {
node.Errorf("Failed checking signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
// Verify cert for encrypting
node.Debugf("Enrollment certificate for encrypting [% x]", primitives.Hash(resp.Certs.Enc))
x509EncCert, err := primitives.DERToX509Certificate(resp.Certs.Enc)
if err != nil {
node.Errorf("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
_, err = primitives.GetCriticalExtension(x509EncCert, ECertSubjectRole)
if err != nil {
node.Errorf("Failed parsing ECertSubjectRole in enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
err = primitives.CheckCertAgainstSKAndRoot(x509EncCert, encPriv, node.ecaCertPool)
if err != nil {
node.Errorf("Failed checking signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
return signPriv, resp.Certs.Sign, resp.Pkchain, nil
}
func requestTLSCertificate(t *testing.T) {
var opts []grpc.DialOption
creds, err := credentials.NewClientTLSFromFile(viper.GetString("server.tls.cert.file"), "tlsca")
if err != nil {
t.Logf("Failed creating credentials for TLS-CA client: %s", err)
t.Fail()
}
opts = append(opts, grpc.WithTransportCredentials(creds))
sockP, err := grpc.Dial(viper.GetString("peer.pki.tlsca.paddr"), opts...)
if err != nil {
t.Logf("Failed dialing in: %s", err)
t.Fail()
}
defer sockP.Close()
tlscaP := membersrvc.NewTLSCAPClient(sockP)
// Prepare the request
id := "peer"
priv, err := primitives.NewECDSAKey()
if err != nil {
t.Logf("Failed generating key: %s", err)
t.Fail()
}
uuid := util.GenerateUUID()
pubraw, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
now := time.Now()
timestamp := timestamp.Timestamp{Seconds: int64(now.Second()), Nanos: int32(now.Nanosecond())}
req := &membersrvc.TLSCertCreateReq{
Ts: ×tamp,
Id: &membersrvc.Identity{Id: id + "-" + uuid},
Pub: &membersrvc.PublicKey{
Type: membersrvc.CryptoType_ECDSA,
Key: pubraw,
}, Sig: nil}
rawreq, _ := proto.Marshal(req)
r, s, err := ecdsa.Sign(rand.Reader, priv, primitives.Hash(rawreq))
if err != nil {
t.Logf("Failed signing the request: %s", err)
t.Fail()
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &membersrvc.Signature{Type: membersrvc.CryptoType_ECDSA, R: R, S: S}
resp, err := tlscaP.CreateCertificate(context.Background(), req)
if err != nil {
t.Logf("Failed requesting tls certificate: %s", err)
t.Fail()
}
storePrivateKeyInClear("tls_peer.priv", priv, t)
storeCert("tls_peer.cert", resp.Cert.Cert, t)
storeCert("tls_peer.ca", resp.RootCert.Cert, t)
}