// CreateCertificatePair requests the creation of a new enrollment certificate pair by the ECA.
//
func (ecap *ECAP) CreateCertificatePair(ctx context.Context, in *pb.ECertCreateReq) (*pb.ECertCreateResp, error) {
Trace.Println("grpc ECAP:CreateCertificate")
// validate token
var tok, prev []byte
var role, state int
id := in.Id.Id
err := ecap.eca.readUser(id).Scan(&role, &tok, &state, &prev)
if err != nil || !bytes.Equal(tok, in.Tok.Tok) {
return nil, errors.New("identity or token do not match")
}
ekey, err := x509.ParsePKIXPublicKey(in.Enc.Key)
if err != nil {
return nil, err
}
switch {
case state == 0:
// initial request, create encryption challenge
tok = []byte(randomString(12))
_, err = ecap.eca.db.Exec("UPDATE Users SET token=?, state=?, key=? WHERE id=?", tok, 1, in.Enc.Key, id)
if err != nil {
Error.Println(err)
return nil, err
}
// out, err := rsa.EncryptPKCS1v15(rand.Reader, ekey.(*rsa.PublicKey), tok)
spi := ecies.NewSPI()
eciesKey, err := spi.NewPublicKey(nil, ekey.(*ecdsa.PublicKey))
if err != nil {
return nil, err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
return nil, err
}
out, err := ecies.Process(tok)
return &pb.ECertCreateResp{nil, nil, nil, &pb.Token{out}}, err
case state == 1:
// ensure that the same encryption key is signed that has been used for the challenge
if subtle.ConstantTimeCompare(in.Enc.Key, prev) != 1 {
return nil, errors.New("encryption keys don't match")
}
// validate request signature
sig := in.Sig
in.Sig = nil
r, s := big.NewInt(0), big.NewInt(0)
r.UnmarshalText(sig.R)
s.UnmarshalText(sig.S)
if in.Sign.Type != pb.CryptoType_ECDSA {
return nil, errors.New("unsupported key type")
}
skey, err := x509.ParsePKIXPublicKey(in.Sign.Key)
if err != nil {
return nil, err
}
hash := utils.NewHash()
raw, _ := proto.Marshal(in)
hash.Write(raw)
if ecdsa.Verify(skey.(*ecdsa.PublicKey), hash.Sum(nil), r, s) == false {
return nil, errors.New("signature does not verify")
}
// create new certificate pair
ts := time.Now().Add(-1 * time.Minute).UnixNano()
sraw, err := ecap.eca.createCertificate(id, skey.(*ecdsa.PublicKey), x509.KeyUsageDigitalSignature, ts, nil, pkix.Extension{Id: ECertSubjectRole, Critical: true, Value: []byte(strconv.Itoa(ecap.eca.readRole(id)))})
if err != nil {
Error.Println(err)
return nil, err
}
eraw, err := ecap.eca.createCertificate(id, ekey.(*ecdsa.PublicKey), x509.KeyUsageDataEncipherment, ts, nil, pkix.Extension{Id: ECertSubjectRole, Critical: true, Value: []byte(strconv.Itoa(ecap.eca.readRole(id)))})
if err != nil {
ecap.eca.db.Exec("DELETE FROM Certificates Where id=?", id)
Error.Println(err)
return nil, err
}
_, err = ecap.eca.db.Exec("UPDATE Users SET state=? WHERE id=?", 2, id)
if err != nil {
ecap.eca.db.Exec("DELETE FROM Certificates Where id=?", id)
Error.Println(err)
return nil, err
}
var obcECKey []byte
if role == int(pb.Role_VALIDATOR) {
//if role&(int(pb.Role_VALIDATOR)|int(pb.Role_AUDITOR)) != 0 {
obcECKey = ecap.eca.obcPriv
} else {
obcECKey = ecap.eca.obcPub
}
return &pb.ECertCreateResp{&pb.CertPair{sraw, eraw}, &pb.Token{ecap.eca.obcKey}, obcECKey, nil}, nil
}
return nil, errors.New("certificate creation token expired")
}
func (node *nodeImpl) getEnrollmentCertificateFromECA(id, pw string) (interface{}, []byte, []byte, error) {
// Get a new ECA Client
sock, ecaP, err := node.getECAClient()
defer sock.Close()
// Run the protocol
signPriv, err := utils.NewECDSAKey()
if err != nil {
node.log.Error("Failed generating ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
signPub, err := x509.MarshalPKIXPublicKey(&signPriv.PublicKey)
if err != nil {
node.log.Error("Failed mashalling ECDSA key [%s].", err.Error())
return nil, nil, nil, err
}
encPriv, err := utils.NewECDSAKey()
if err != nil {
node.log.Error("Failed generating Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
encPub, err := x509.MarshalPKIXPublicKey(&encPriv.PublicKey)
if err != nil {
node.log.Error("Failed marshalling Encryption key [%s].", err.Error())
return nil, nil, nil, err
}
req := &obcca.ECertCreateReq{&protobuf.Timestamp{Seconds: time.Now().Unix(), Nanos: 0},
&obcca.Identity{id},
&obcca.Token{Tok: []byte(pw)},
&obcca.PublicKey{obcca.CryptoType_ECDSA, signPub},
&obcca.PublicKey{obcca.CryptoType_ECDSA, encPub},
nil}
resp, err := ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.log.Error("Failed invoking CreateCertficatePair [%s].", err.Error())
return nil, nil, nil, err
}
//out, err := rsa.DecryptPKCS1v15(rand.Reader, encPriv, resp.Tok.Tok)
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
node.log.Error("Failed parsing decrypting key [%s].", err.Error())
return nil, nil, nil, err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
node.log.Error("Failed creating asymmetrinc cipher [%s].", err.Error())
return nil, nil, nil, err
}
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
node.log.Error("Failed decrypting toke [%s].", err.Error())
return nil, nil, nil, err
}
req.Tok.Tok = out
req.Sig = nil
hash := utils.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
node.log.Error("Failed signing [%s].", err.Error())
return nil, nil, nil, err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &obcca.Signature{obcca.CryptoType_ECDSA, R, S}
resp, err = ecaP.CreateCertificatePair(context.Background(), req)
if err != nil {
node.log.Error("Failed invoking CreateCertificatePair [%s].", err.Error())
return nil, nil, nil, err
}
// Verify response
// Verify cert for signing
node.log.Debug("Enrollment certificate for signing [%s]", utils.EncodeBase64(utils.Hash(resp.Certs.Sign)))
x509SignCert, err := utils.DERToX509Certificate(resp.Certs.Sign)
if err != nil {
node.log.Error("Failed parsing signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
_, err = utils.GetCriticalExtension(x509SignCert, ECertSubjectRole)
if err != nil {
node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
err = utils.CheckCertAgainstSKAndRoot(x509SignCert, signPriv, node.ecaCertPool)
if err != nil {
node.log.Error("Failed checking signing enrollment certificate for signing: [%s]", err)
return nil, nil, nil, err
}
// Verify cert for encrypting
node.log.Debug("Enrollment certificate for encrypting [%s]", utils.EncodeBase64(utils.Hash(resp.Certs.Enc)))
x509EncCert, err := utils.DERToX509Certificate(resp.Certs.Enc)
if err != nil {
node.log.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
_, err = utils.GetCriticalExtension(x509EncCert, ECertSubjectRole)
if err != nil {
node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
err = utils.CheckCertAgainstSKAndRoot(x509EncCert, encPriv, node.ecaCertPool)
if err != nil {
node.log.Error("Failed checking signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, nil, err
}
// END
return signPriv, resp.Certs.Sign, resp.Chain.Tok, nil
}