登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 0

妥協 / fabric

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
cert.go 4.29 KB
一键复制 编辑 原始数据 按行查看 历史
Angelo De Caro 提交于 2017-11-27 14:24 . [FAB-7107] BCCSP common ECDSA utils
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
/*

Copyright IBM Corp. 2017 All Rights Reserved.



Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at



		 http://www.apache.org/licenses/LICENSE-2.0



Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

*/



package msp



import (

	"bytes"

	"crypto/ecdsa"

	"crypto/x509"

	"crypto/x509/pkix"

	"encoding/asn1"

	"encoding/pem"

	"fmt"

	"math/big"

	"time"



	"github.com/hyperledger/fabric/bccsp/utils"

	"github.com/pkg/errors"

)



type validity struct {

	NotBefore, NotAfter time.Time

}



type publicKeyInfo struct {

	Raw       asn1.RawContent

	Algorithm pkix.AlgorithmIdentifier

	PublicKey asn1.BitString

}



type certificate struct {

	Raw                asn1.RawContent

	TBSCertificate     tbsCertificate

	SignatureAlgorithm pkix.AlgorithmIdentifier

	SignatureValue     asn1.BitString

}



type tbsCertificate struct {

	Raw                asn1.RawContent

	Version            int `asn1:"optional,explicit,default:0,tag:0"`

	SerialNumber       *big.Int

	SignatureAlgorithm pkix.AlgorithmIdentifier

	Issuer             asn1.RawValue

	Validity           validity

	Subject            asn1.RawValue

	PublicKey          publicKeyInfo

	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`

	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`

	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`

}



func isECDSASignedCert(cert *x509.Certificate) bool {

	return cert.SignatureAlgorithm == x509.ECDSAWithSHA1 ||

		cert.SignatureAlgorithm == x509.ECDSAWithSHA256 ||

		cert.SignatureAlgorithm == x509.ECDSAWithSHA384 ||

		cert.SignatureAlgorithm == x509.ECDSAWithSHA512

}



// sanitizeECDSASignedCert checks that the signatures signing a cert

// is in low-S. This is checked against the public key of parentCert.

// If the signature is not in low-S, then a new certificate is generated

// that is equals to cert but the signature that is in low-S.

func sanitizeECDSASignedCert(cert *x509.Certificate, parentCert *x509.Certificate) (*x509.Certificate, error) {

	if cert == nil {

		return nil, errors.New("certificate must be different from nil")

	}

	if parentCert == nil {

		return nil, errors.New("parent certificate must be different from nil")

	}



	expectedSig, err := utils.SignatureToLowS(parentCert.PublicKey.(*ecdsa.PublicKey), cert.Signature)

	if err != nil {

		return nil, err

	}



	// if sig == cert.Signature, nothing needs to be done

	if bytes.Equal(cert.Signature, expectedSig) {

		return cert, nil

	}

	// otherwise create a new certificate with the new signature



	// 1. Unmarshal cert.Raw to get an instance of certificate,

	//    the lower level interface that represent an x509 certificate

	//    encoding

	var newCert certificate

	newCert, err = certFromX509Cert(cert)

	if err != nil {

		return nil, err

	}



	// 2. Change the signature

	newCert.SignatureValue = asn1.BitString{Bytes: expectedSig, BitLength: len(expectedSig) * 8}



	// 3. marshal again newCert. Raw must be nil

	newCert.Raw = nil

	newRaw, err := asn1.Marshal(newCert)

	if err != nil {

		return nil, errors.Wrap(err, "marshalling of the certificate failed")

	}



	// 4. parse newRaw to get an x509 certificate

	return x509.ParseCertificate(newRaw)

}



func certFromX509Cert(cert *x509.Certificate) (certificate, error) {

	var newCert certificate

	_, err := asn1.Unmarshal(cert.Raw, &newCert)

	if err != nil {

		return certificate{}, errors.Wrap(err, "unmarshalling of the certificate failed")

	}

	return newCert, nil

}



// String returns a PEM representation of a certificate

func (c certificate) String() string {

	b, err := asn1.Marshal(c)

	if err != nil {

		return fmt.Sprintf("Failed marshaling cert: %v", err)

	}

	block := &pem.Block{

		Bytes: b,

		Type:  "CERTIFICATE",

	}

	b = pem.EncodeToMemory(block)

	return string(b)

}



// certToPEM converts the given x509.Certificate to a PEM

// encoded string

func certToPEM(certificate *x509.Certificate) string {

	cert, err := certFromX509Cert(certificate)

	if err != nil {

		mspIdentityLogger.Warning("Failed converting certificate to asn1", err)

		return ""

	}

	return cert.String()

}
1
https://gitee.com/liurenhao/fabric.git
git@gitee.com:liurenhao/fabric.git
liurenhao
fabric
fabric
v2.1.1
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部