func (node *nodeImpl) loadEnrollmentCertificate() error { node.log.Debug("Loading enrollment certificate...") cert, der, err := node.ks.loadCertX509AndDer(node.conf.getEnrollmentCertFilename()) if err != nil { node.log.Error("Failed parsing enrollment certificate [%s].", err.Error()) return err } node.enrollCert = cert // TODO: move this to retrieve pk := node.enrollCert.PublicKey.(*ecdsa.PublicKey) err = utils.VerifySignCapability(node.enrollPrivKey, pk) if err != nil { node.log.Error("Failed checking enrollment certificate against enrollment key [%s].", err.Error()) return err } // Set node ID node.id = utils.Hash(der) node.log.Debug("Setting id to [%s].", utils.EncodeBase64(node.id)) // Set eCertHash node.enrollCertHash = utils.Hash(der) node.log.Debug("Setting enrollCertHash to [%s].", utils.EncodeBase64(node.enrollCertHash)) return nil }
func (node *nodeImpl) loadEnrollmentCertificate() error { node.log.Debug("Loading enrollment certificate at [%s]...", node.conf.getEnrollmentCertPath()) pemEnrollCert, err := ioutil.ReadFile(node.conf.getEnrollmentCertPath()) if err != nil { node.log.Error("Failed loading enrollment certificate [%s].", err.Error()) return err } enrollCert, rawEnrollCert, err := utils.PEMtoCertificateAndDER(pemEnrollCert) if err != nil { node.log.Error("Failed parsing enrollment certificate [%s].", err.Error()) return err } node.enrollCert = enrollCert pk := node.enrollCert.PublicKey.(*ecdsa.PublicKey) err = utils.VerifySignCapability(node.enrollPrivKey, pk) if err != nil { node.log.Error("Failed checking enrollment certificate against enrollment key [%s].", err.Error()) return err } // Set node ID node.id = utils.Hash(rawEnrollCert) node.log.Debug("Setting id to [%s].", utils.EncodeBase64(node.id)) return nil }
func (node *nodeImpl) getTLSCertificateFromTLSCA(id, affiliation string) (interface{}, []byte, error) { node.log.Info("getTLSCertificate...") priv, err := utils.NewECDSAKey() if err != nil { node.log.Error("Failed generating key: %s", err) return nil, nil, err } uuid, err := util.GenerateUUID() if err != nil { node.log.Error("Failed generating uuid: %s", err) return nil, nil, err } // Prepare the request pubraw, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) now := time.Now() timestamp := google_protobuf.Timestamp{int64(now.Second()), int32(now.Nanosecond())} req := &obcca.TLSCertCreateReq{ ×tamp, &obcca.Identity{Id: id + "-" + uuid}, &obcca.Password{Pw: ""}, &obcca.PublicKey{ Type: obcca.CryptoType_ECDSA, Key: pubraw, }, nil} rawreq, _ := proto.Marshal(req) r, s, err := ecdsa.Sign(rand.Reader, priv, utils.Hash(rawreq)) if err != nil { panic(err) } R, _ := r.MarshalText() S, _ := s.MarshalText() req.Sig = &obcca.Signature{obcca.CryptoType_ECDSA, R, S} pbCert, err := node.callTLSCACreateCertificate(context.Background(), req) if err != nil { node.log.Error("Failed requesting tls certificate: %s", err) return nil, nil, err } node.log.Info("Verifing tls certificate...") tlsCert, err := utils.DERToX509Certificate(pbCert.Cert) certPK := tlsCert.PublicKey.(*ecdsa.PublicKey) utils.VerifySignCapability(priv, certPK) node.log.Info("Verifing tls certificate...done!") return priv, pbCert.Cert, nil }
func (node *nodeImpl) getEnrollmentCertificateFromECA(id, pw string) (interface{}, []byte, []byte, error) { priv, err := utils.NewECDSAKey() if err != nil { node.log.Error("Failed generating key [%s].", err.Error()) return nil, nil, nil, err } // Prepare the request pubraw, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) req := &obcca.ECertCreateReq{ Ts: &protobuf.Timestamp{Seconds: time.Now().Unix(), Nanos: 0}, Id: &obcca.Identity{Id: id}, Pw: &obcca.Password{Pw: pw}, Pub: &obcca.PublicKey{Type: obcca.CryptoType_ECDSA, Key: pubraw}, Sig: nil} rawreq, _ := proto.Marshal(req) r, s, err := ecdsa.Sign(rand.Reader, priv, utils.Hash(rawreq)) if err != nil { node.log.Error("Failed signing request [%s].", err.Error()) return nil, nil, nil, err } R, _ := r.MarshalText() S, _ := s.MarshalText() req.Sig = &obcca.Signature{obcca.CryptoType_ECDSA, R, S} pbCert, key, err := node.callECACreateCertificate(context.Background(), req) if err != nil { node.log.Error("Failed requesting enrollment certificate [%s].", err.Error()) return nil, nil, nil, err } node.log.Debug("Enrollment certificate hash [%s].", utils.EncodeBase64(utils.Hash(pbCert.Cert))) // Verify pbCert.Cert return priv, pbCert.Cert, key, nil }
func (handler *eCertTransactionHandlerImpl) init(client *clientImpl) error { nonce, err := client.createTransactionNonce() if err != nil { client.node.log.Error("Failed initiliazing transaction handler [%s]", err) return err } handler.client = client handler.nonce = nonce handler.binding = utils.Hash(append(handler.client.node.enrollCert.Raw, handler.nonce...)) return nil }
func (handler *tCertTransactionHandlerImpl) init(tCertHandler *tCertHandlerImpl) error { nonce, err := tCertHandler.client.createTransactionNonce() if err != nil { tCertHandler.client.error("Failed initiliazing transaction handler [%s]", err) return err } handler.tCertHandler = tCertHandler handler.nonce = nonce handler.binding = utils.Hash(append(handler.tCertHandler.tCert.GetCertificate().Raw, nonce...)) return nil }
func createConfidentialECertHDeployTransaction(t *testing.T) (*obc.Transaction, *obc.Transaction, error) { uuid, err := util.GenerateUUID() if err != nil { return nil, nil, err } cds := &obc.ChaincodeDeploymentSpec{ ChaincodeSpec: &obc.ChaincodeSpec{ Type: obc.ChaincodeSpec_GOLANG, ChaincodeID: &obc.ChaincodeID{Path: "Contract001"}, CtorMsg: nil, ConfidentialityLevel: obc.ConfidentialityLevel_CONFIDENTIAL, }, EffectiveDate: nil, CodePackage: nil, } otx, err := obc.NewChaincodeDeployTransaction(cds, uuid) if err != nil { return nil, nil, err } handler, err := deployer.GetEnrollmentCertificateHandler() if err != nil { return nil, nil, err } txHandler, err := handler.GetTransactionHandler() if err != nil { return nil, nil, err } tx, err := txHandler.NewChaincodeDeployTransaction(cds, uuid) // Check binding consistency binding, _ := txHandler.GetBinding() if !reflect.DeepEqual(binding, utils.Hash(append(handler.GetCertificate(), tx.Nonce...))) { t.Fatal("Binding is malformed!") } // Check confidentiality level if tx.ConfidentialityLevel != cds.ChaincodeSpec.ConfidentialityLevel { t.Fatal("Failed setting confidentiality level") } // Check metadata if !reflect.DeepEqual(cds.ChaincodeSpec.Metadata, tx.Metadata) { t.Fatal("Failed copying metadata") } return otx, tx, err }
func createConfidentialTCertHQueryTransaction(t *testing.T) (*obc.Transaction, *obc.Transaction, error) { uuid, err := util.GenerateUUID() if err != nil { return nil, nil, err } cis := &obc.ChaincodeInvocationSpec{ ChaincodeSpec: &obc.ChaincodeSpec{ Type: obc.ChaincodeSpec_GOLANG, ChaincodeID: &obc.ChaincodeID{Path: "Contract001"}, CtorMsg: nil, ConfidentialityLevel: obc.ConfidentialityLevel_CONFIDENTIAL, }, } otx, err := obc.NewChaincodeExecute(cis, uuid, obc.Transaction_CHAINCODE_QUERY) if err != nil { return nil, nil, err } handler, err := invoker.GetTCertificateHandlerNext() if err != nil { return nil, nil, err } txHandler, err := handler.GetTransactionHandler() if err != nil { return nil, nil, err } tx, err := txHandler.NewChaincodeQuery(cis, uuid) // Check binding consistency binding, _ := txHandler.GetBinding() if !reflect.DeepEqual(binding, utils.Hash(append(handler.GetCertificate(), tx.Nonce...))) { t.Fatal("Binding is malformed!") } // Check confidentiality level if tx.ConfidentialityLevel != cis.ChaincodeSpec.ConfidentialityLevel { t.Fatal("Failed setting confidentiality level") } // Check metadata if !reflect.DeepEqual(cis.ChaincodeSpec.Metadata, tx.Metadata) { t.Fatal("Failed copying metadata") } return otx, tx, err }
func (validator *validatorImpl) GetStateEncryptor(deployTx, executeTx *obc.Transaction) (StateEncryptor, error) { // Check nonce if deployTx.Nonce == nil || len(deployTx.Nonce) == 0 { return nil, errors.New("Invalid deploy nonce.") } if executeTx.Nonce == nil || len(executeTx.Nonce) == 0 { return nil, errors.New("Invalid invoke nonce.") } // Check ChaincodeID if deployTx.ChaincodeID == nil { return nil, errors.New("Invalid deploy chaincodeID.") } if executeTx.ChaincodeID == nil { return nil, errors.New("Invalid execute chaincodeID.") } // Check that deployTx and executeTx refers to the same chaincode if !reflect.DeepEqual(deployTx.ChaincodeID, executeTx.ChaincodeID) { return nil, utils.ErrDirrentChaincodeID } validator.peer.node.log.Debug("Parsing transaction. Type [%s].", executeTx.Type.String()) if executeTx.Type == obc.Transaction_CHAINCODE_QUERY { validator.peer.node.log.Debug("Parsing Query transaction...") // Compute deployTxKey key from the deploy transaction. This is used to decrypt the actual state // of the chaincode deployTxKey := utils.HMAC(validator.peer.node.enrollChainKey, deployTx.Nonce) // Compute the key used to encrypt the result of the query queryKey := utils.HMACTruncated(validator.peer.node.enrollChainKey, append([]byte{6}, executeTx.Nonce...), utils.AESKeyLength) // Init the state encryptor se := queryStateEncryptor{} err := se.init(validator.peer.node.log, queryKey, deployTxKey) if err != nil { return nil, err } return &se, nil } // Compute deployTxKey key from the deploy transaction deployTxKey := utils.HMAC(validator.peer.node.enrollChainKey, deployTx.Nonce) // Mask executeTx.Nonce executeTxNonce := utils.HMACTruncated(deployTxKey, utils.Hash(executeTx.Nonce), utils.NonceSize) // Compute stateKey to encrypt the states and nonceStateKey to generates IVs. This // allows validators to reach consesus stateKey := utils.HMACTruncated(deployTxKey, append([]byte{3}, executeTxNonce...), utils.AESKeyLength) nonceStateKey := utils.HMAC(deployTxKey, append([]byte{4}, executeTxNonce...)) // Init the state encryptor se := stateEncryptorImpl{} err := se.init(validator.peer.node.log, stateKey, nonceStateKey, deployTxKey, executeTxNonce) if err != nil { return nil, err } return &se, nil }
func requestTLSCertificate(t *testing.T) { var opts []grpc.DialOption creds, err := credentials.NewClientTLSFromFile(viper.GetString("server.tls.certfile"), "tlsca") if err != nil { t.Logf("Failed creating credentials for TLS-CA client: %s", err) t.Fail() } opts = append(opts, grpc.WithTransportCredentials(creds)) sockP, err := grpc.Dial(viper.GetString("peer.pki.tlsca.paddr"), opts...) if err != nil { t.Logf("Failed dialing in: %s", err) t.Fail() } defer sockP.Close() tlscaP := obcca.NewTLSCAPClient(sockP) // Prepare the request id := "peer" priv, err := utils.NewECDSAKey() if err != nil { t.Logf("Failed generating key: %s", err) t.Fail() } uuid, err := util.GenerateUUID() if err != nil { t.Logf("Failed generating uuid: %s", err) t.Fail() } pubraw, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) now := time.Now() timestamp := google_protobuf.Timestamp{int64(now.Second()), int32(now.Nanosecond())} req := &obcca.TLSCertCreateReq{ ×tamp, &obcca.Identity{Id: id + "-" + uuid}, &obcca.PublicKey{ Type: obcca.CryptoType_ECDSA, Key: pubraw, }, nil} rawreq, _ := proto.Marshal(req) r, s, err := ecdsa.Sign(rand.Reader, priv, utils.Hash(rawreq)) if err != nil { t.Logf("Failed signing the request: %s", err) t.Fail() } R, _ := r.MarshalText() S, _ := s.MarshalText() req.Sig = &obcca.Signature{obcca.CryptoType_ECDSA, R, S} resp, err := tlscaP.CreateCertificate(context.Background(), req) if err != nil { t.Logf("Failed requesting tls certificate: %s", err) t.Fail() } storePrivateKeyInClear("tls_peer.priv", priv, t) storeCert("tls_peer.cert", resp.Cert.Cert, t) storeCert("tls_peer.ca", resp.RootCert.Cert, t) }
func (node *nodeImpl) getEnrollmentCertificateFromECA(id, pw string) (interface{}, []byte, []byte, error) { // Get a new ECA Client sock, ecaP, err := node.getECAClient() defer sock.Close() // Run the protocol signPriv, err := utils.NewECDSAKey() if err != nil { node.log.Error("Failed generating ECDSA key [%s].", err.Error()) return nil, nil, nil, err } signPub, err := x509.MarshalPKIXPublicKey(&signPriv.PublicKey) if err != nil { node.log.Error("Failed mashalling ECDSA key [%s].", err.Error()) return nil, nil, nil, err } encPriv, err := utils.NewECDSAKey() if err != nil { node.log.Error("Failed generating Encryption key [%s].", err.Error()) return nil, nil, nil, err } encPub, err := x509.MarshalPKIXPublicKey(&encPriv.PublicKey) if err != nil { node.log.Error("Failed marshalling Encryption key [%s].", err.Error()) return nil, nil, nil, err } req := &obcca.ECertCreateReq{&protobuf.Timestamp{Seconds: time.Now().Unix(), Nanos: 0}, &obcca.Identity{id}, &obcca.Token{Tok: []byte(pw)}, &obcca.PublicKey{obcca.CryptoType_ECDSA, signPub}, &obcca.PublicKey{obcca.CryptoType_ECDSA, encPub}, nil} resp, err := ecaP.CreateCertificatePair(context.Background(), req) if err != nil { node.log.Error("Failed invoking CreateCertficatePair [%s].", err.Error()) return nil, nil, nil, err } //out, err := rsa.DecryptPKCS1v15(rand.Reader, encPriv, resp.Tok.Tok) spi := ecies.NewSPI() eciesKey, err := spi.NewPrivateKey(nil, encPriv) if err != nil { node.log.Error("Failed parsing decrypting key [%s].", err.Error()) return nil, nil, nil, err } ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey) if err != nil { node.log.Error("Failed creating asymmetrinc cipher [%s].", err.Error()) return nil, nil, nil, err } out, err := ecies.Process(resp.Tok.Tok) if err != nil { node.log.Error("Failed decrypting toke [%s].", err.Error()) return nil, nil, nil, err } req.Tok.Tok = out req.Sig = nil hash := utils.NewHash() raw, _ := proto.Marshal(req) hash.Write(raw) r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil)) if err != nil { node.log.Error("Failed signing [%s].", err.Error()) return nil, nil, nil, err } R, _ := r.MarshalText() S, _ := s.MarshalText() req.Sig = &obcca.Signature{obcca.CryptoType_ECDSA, R, S} resp, err = ecaP.CreateCertificatePair(context.Background(), req) if err != nil { node.log.Error("Failed invoking CreateCertificatePair [%s].", err.Error()) return nil, nil, nil, err } // Verify response // Verify cert for signing node.log.Debug("Enrollment certificate for signing [%s]", utils.EncodeBase64(utils.Hash(resp.Certs.Sign))) x509SignCert, err := utils.DERToX509Certificate(resp.Certs.Sign) if err != nil { node.log.Error("Failed parsing signing enrollment certificate for signing: [%s]", err) return nil, nil, nil, err } _, err = utils.GetCriticalExtension(x509SignCert, ECertSubjectRole) if err != nil { node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err) return nil, nil, nil, err } err = utils.CheckCertAgainstSKAndRoot(x509SignCert, signPriv, node.ecaCertPool) if err != nil { node.log.Error("Failed checking signing enrollment certificate for signing: [%s]", err) return nil, nil, nil, err } // Verify cert for encrypting node.log.Debug("Enrollment certificate for encrypting [%s]", utils.EncodeBase64(utils.Hash(resp.Certs.Enc))) x509EncCert, err := utils.DERToX509Certificate(resp.Certs.Enc) if err != nil { node.log.Error("Failed parsing signing enrollment certificate for encrypting: [%s]", err) return nil, nil, nil, err } _, err = utils.GetCriticalExtension(x509EncCert, ECertSubjectRole) if err != nil { node.log.Error("Failed parsing ECertSubjectRole in enrollment certificate for encrypting: [%s]", err) return nil, nil, nil, err } err = utils.CheckCertAgainstSKAndRoot(x509EncCert, encPriv, node.ecaCertPool) if err != nil { node.log.Error("Failed checking signing enrollment certificate for encrypting: [%s]", err) return nil, nil, nil, err } // END return signPriv, resp.Certs.Sign, resp.Chain.Tok, nil }
func (peer *peerImpl) GetTransactionBinding(tx *obc.Transaction) ([]byte, error) { return utils.Hash(append(tx.Cert, tx.Nonce...)), nil }