// CheckTransaction is used to verify that a transaction
// is well formed with the respect to the security layer
// prescriptions. To be used for internal verifications.
func (client *clientImpl) checkTransaction(tx *obc.Transaction) error {
if !client.isInitialized {
return utils.ErrNotInitialized
}
if tx.Cert == nil && tx.Signature == nil {
return utils.ErrTransactionMissingCert
}
if tx.Cert != nil && tx.Signature != nil {
// Verify the transaction
// 1. Unmarshal cert
cert, err := primitives.DERToX509Certificate(tx.Cert)
if err != nil {
client.Errorf("Failed unmarshalling cert [%s].", err.Error())
return err
}
// a. Get rid of the extensions that cannot be checked now
cert.UnhandledCriticalExtensions = nil
// b. Check against TCA certPool
if _, err = primitives.CheckCertAgainRoot(cert, client.tcaCertPool); err != nil {
client.Warningf("Failed verifing certificate against TCA cert pool [%s].", err.Error())
// c. Check against ECA certPool, if this check also fails then return an error
if _, err = primitives.CheckCertAgainRoot(cert, client.ecaCertPool); err != nil {
client.Warningf("Failed verifing certificate against ECA cert pool [%s].", err.Error())
return fmt.Errorf("Certificate has not been signed by a trusted authority. [%s]", err)
}
}
// 2. Marshall tx without signature
signature := tx.Signature
tx.Signature = nil
rawTx, err := proto.Marshal(tx)
if err != nil {
client.Errorf("Failed marshaling tx [%s].", err.Error())
return err
}
tx.Signature = signature
// 3. Verify signature
ver, err := client.verify(cert.PublicKey, rawTx, tx.Signature)
if err != nil {
client.Errorf("Failed marshaling tx [%s].", err.Error())
return err
}
if ver {
return nil
}
return utils.ErrInvalidTransactionSignature
}
return utils.ErrTransactionMissingCert
}
// TransactionPreValidation verifies that the transaction is
// well formed with the respect to the security layer
// prescriptions (i.e. signature verification).
func (peer *peerImpl) TransactionPreValidation(tx *obc.Transaction) (*obc.Transaction, error) {
if !peer.IsInitialized() {
return nil, utils.ErrNotInitialized
}
// peer.debug("Pre validating [%s].", tx.String())
peer.Debugf("Tx confdential level [%s].", tx.ConfidentialityLevel.String())
if tx.Cert != nil && tx.Signature != nil {
// Verify the transaction
// 1. Unmarshal cert
cert, err := primitives.DERToX509Certificate(tx.Cert)
if err != nil {
peer.Errorf("TransactionPreExecution: failed unmarshalling cert [%s].", err.Error())
return tx, err
}
// TODO: verify cert
// 3. Marshall tx without signature
signature := tx.Signature
tx.Signature = nil
rawTx, err := proto.Marshal(tx)
if err != nil {
peer.Errorf("TransactionPreExecution: failed marshaling tx [%s].", err.Error())
return tx, err
}
tx.Signature = signature
// 2. Verify signature
ok, err := peer.verify(cert.PublicKey, rawTx, tx.Signature)
if err != nil {
peer.Errorf("TransactionPreExecution: failed marshaling tx [%s].", err.Error())
return tx, err
}
if !ok {
return tx, utils.ErrInvalidTransactionSignature
}
} else {
if tx.Cert == nil {
return tx, utils.ErrTransactionCertificate
}
if tx.Signature == nil {
return tx, utils.ErrTransactionSignature
}
}
return tx, nil
}
// CheckTransaction is used to verify that a transaction
// is well formed with the respect to the security layer
// prescriptions. To be used for internal verifications.
func (client *clientImpl) checkTransaction(tx *obc.Transaction) error {
if !client.isInitialized {
return utils.ErrNotInitialized
}
if tx.Cert == nil && tx.Signature == nil {
return utils.ErrTransactionMissingCert
}
if tx.Cert != nil && tx.Signature != nil {
// Verify the transaction
// 1. Unmarshal cert
cert, err := utils.DERToX509Certificate(tx.Cert)
if err != nil {
client.error("Failed unmarshalling cert [%s].", err.Error())
return err
}
// TODO: verify cert
// 3. Marshall tx without signature
signature := tx.Signature
tx.Signature = nil
rawTx, err := proto.Marshal(tx)
if err != nil {
client.error("Failed marshaling tx [%s].", err.Error())
return err
}
tx.Signature = signature
// 2. Verify signature
ver, err := client.verify(cert.PublicKey, rawTx, tx.Signature)
if err != nil {
client.error("Failed marshaling tx [%s].", err.Error())
return err
}
if ver {
return nil
}
return utils.ErrInvalidTransactionSignature
}
return utils.ErrTransactionMissingCert
}
// TransactionPreValidation verifies that the transaction is
// well formed with the respect to the security layer
// prescriptions (i.e. signature verification).
func (peer *peerImpl) TransactionPreValidation(tx *obc.Transaction) (*obc.Transaction, error) {
if !peer.IsInitialized() {
return nil, utils.ErrNotInitialized
}
// peer.debug("Pre validating [%s].", tx.String())
peer.Debugf("Tx confdential level [%s].", tx.ConfidentialityLevel.String())
if tx.Cert != nil && tx.Signature != nil {
// Verify the transaction
// 1. Unmarshal cert
cert, err := primitives.DERToX509Certificate(tx.Cert)
if err != nil {
peer.Errorf("TransactionPreExecution: failed unmarshalling cert [%s].", err.Error())
return tx, err
}
// Verify transaction certificate against root
// DER to x509
x509Cert, err := primitives.DERToX509Certificate(tx.Cert)
if err != nil {
peer.Debugf("Failed parsing certificate [% x]: [%s].", tx.Cert, err)
return tx, err
}
// 1. Get rid of the extensions that cannot be checked now
x509Cert.UnhandledCriticalExtensions = nil
// 2. Check against TCA certPool
if _, err = primitives.CheckCertAgainRoot(x509Cert, peer.tcaCertPool); err != nil {
peer.Warningf("Failed verifing certificate against TCA cert pool [%s].", err.Error())
// 3. Check against ECA certPool, if this check also fails then return an error
if _, err = primitives.CheckCertAgainRoot(x509Cert, peer.ecaCertPool); err != nil {
peer.Warningf("Failed verifing certificate against ECA cert pool [%s].", err.Error())
return tx, fmt.Errorf("Certificate has not been signed by a trusted authority. [%s]", err)
}
}
// 3. Marshall tx without signature
signature := tx.Signature
tx.Signature = nil
rawTx, err := proto.Marshal(tx)
if err != nil {
peer.Errorf("TransactionPreExecution: failed marshaling tx [%s].", err.Error())
return tx, err
}
tx.Signature = signature
// 2. Verify signature
ok, err := peer.verify(cert.PublicKey, rawTx, tx.Signature)
if err != nil {
peer.Errorf("TransactionPreExecution: failed marshaling tx [%s].", err.Error())
return tx, err
}
if !ok {
return tx, utils.ErrInvalidTransactionSignature
}
} else {
if tx.Cert == nil {
return tx, utils.ErrTransactionCertificate
}
if tx.Signature == nil {
return tx, utils.ErrTransactionSignature
}
}
return tx, nil
}