func (peer *peerImpl) getEnrollmentCertByHashFromECA(id []byte) ([]byte, []byte, error) {
// Prepare the request
peer.Debugf("Reading certificate for hash [% x]", id)
req := &membersrvc.Hash{Hash: id}
response, err := peer.callECAReadCertificateByHash(context.Background(), req)
if err != nil {
peer.Errorf("Failed requesting enrollment certificate [%s].", err.Error())
return nil, nil, err
}
peer.Debugf("Certificate for hash [% x] = [% x][% x]", id, response.Sign, response.Enc)
// Verify response.Sign
x509Cert, err := primitives.DERToX509Certificate(response.Sign)
if err != nil {
peer.Errorf("Failed parsing signing enrollment certificate for encrypting: [%s]", err)
return nil, nil, err
}
// Check role
roleRaw, err := primitives.GetCriticalExtension(x509Cert, ECertSubjectRole)
if err != nil {
peer.Errorf("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, err
}
role, err := strconv.ParseInt(string(roleRaw), 10, len(roleRaw)*8)
if err != nil {
peer.Errorf("Failed parsing ECertSubjectRole in enrollment certificate for signing: [%s]", err)
return nil, nil, err
}
if membersrvc.Role(role) != membersrvc.Role_VALIDATOR && membersrvc.Role(role) != membersrvc.Role_PEER {
peer.Errorf("Invalid ECertSubjectRole in enrollment certificate for signing. Not a validator or peer: [%s]", err)
return nil, nil, err
}
return response.Sign, response.Enc, nil
}
// ReadUserSet returns a list of users matching the parameters set in the read request.
//
func (ecaa *ECAA) ReadUserSet(ctx context.Context, in *pb.ReadUserSetReq) (*pb.UserSet, error) {
Trace.Println("gRPC ECAA:ReadUserSet")
req := in.Req.Id
if ecaa.eca.readRole(req)&int(pb.Role_AUDITOR) == 0 {
return nil, errors.New("Access denied.")
}
raw, err := ecaa.eca.readCertificate(req, x509.KeyUsageDigitalSignature)
if err != nil {
return nil, err
}
cert, err := x509.ParseCertificate(raw)
if err != nil {
return nil, err
}
sig := in.Sig
in.Sig = nil
r, s := big.NewInt(0), big.NewInt(0)
r.UnmarshalText(sig.R)
s.UnmarshalText(sig.S)
hash := primitives.NewHash()
raw, _ = proto.Marshal(in)
hash.Write(raw)
if ecdsa.Verify(cert.PublicKey.(*ecdsa.PublicKey), hash.Sum(nil), r, s) == false {
return nil, errors.New("Signature verification failed.")
}
rows, err := ecaa.eca.readUsers(int(in.Role))
if err != nil {
return nil, err
}
defer rows.Close()
var users []*pb.User
if err == nil {
for rows.Next() {
var id string
var role int
err = rows.Scan(&id, &role)
users = append(users, &pb.User{&pb.Identity{Id: id}, pb.Role(role)})
}
err = rows.Err()
}
return &pb.UserSet{users}, err
}
func registerUser(registrar User, user *User) error {
ecaa := &ECAA{eca}
//create req
req := &pb.RegisterUserReq{
Id: &pb.Identity{Id: user.enrollID},
Role: pb.Role(user.role),
Account: user.affiliation,
Affiliation: user.affiliationRole,
Registrar: &pb.Registrar{
Id: &pb.Identity{Id: registrar.enrollID},
Roles: user.registrarRoles,
DelegateRoles: user.registrarDelegateRoles,
},
Sig: nil}
//sign the req
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, registrar.enrollPrivKey, hash.Sum(nil))
if err != nil {
msg := "Failed to register user. Error (ECDSA) signing request: " + err.Error()
return errors.New(msg)
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &pb.Signature{Type: pb.CryptoType_ECDSA, R: R, S: S}
token, err := ecaa.RegisterUser(context.Background(), req)
if err != nil {
return err
}
if token == nil {
return errors.New("Failed to obtain token")
}
//need the token for later tests
user.enrollPwd = token.Tok
return nil
}
// populateUsersTable populates the users table.
//
func (eca *ECA) populateUsersTable() {
// populate user table
users := viper.GetStringMapString("eca.users")
for id, flds := range users {
vals := strings.Fields(flds)
role, err := strconv.Atoi(vals[0])
if err != nil {
Panic.Panicln(err)
}
var affiliation, affiliationRole string
if len(vals) >= 4 {
affiliation = vals[2]
affiliationRole = vals[3]
}
eca.registerUser(id, affiliation, affiliationRole, pb.Role(role), vals[1])
}
}
// populateUsersTable populates the users table.
//
func (eca *ECA) populateUsersTable() {
// populate user table
users := viper.GetStringMapString("eca.users")
for id, flds := range users {
vals := strings.Fields(flds)
role, err := strconv.Atoi(vals[0])
if err != nil {
ecaLogger.Panic(err)
}
var affiliation, memberMetadata, registrar string
if len(vals) >= 3 {
affiliation = vals[2]
if len(vals) >= 4 {
memberMetadata = vals[3]
if len(vals) >= 5 {
registrar = vals[4]
}
}
}
eca.registerUser(id, affiliation, pb.Role(role), nil, eca.aca, registrar, memberMetadata, vals[1])
}
}