代码拉取完成,页面将自动刷新
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package msp
import (
"bytes"
"crypto/ecdsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/pem"
"errors"
"fmt"
"math/big"
"time"
"github.com/hyperledger/fabric/bccsp/sw"
)
type dsaSignature struct {
R, S *big.Int
}
type ecdsaSignature dsaSignature
type validity struct {
NotBefore, NotAfter time.Time
}
type publicKeyInfo struct {
Raw asn1.RawContent
Algorithm pkix.AlgorithmIdentifier
PublicKey asn1.BitString
}
type certificate struct {
Raw asn1.RawContent
TBSCertificate tbsCertificate
SignatureAlgorithm pkix.AlgorithmIdentifier
SignatureValue asn1.BitString
}
type tbsCertificate struct {
Raw asn1.RawContent
Version int `asn1:"optional,explicit,default:0,tag:0"`
SerialNumber *big.Int
SignatureAlgorithm pkix.AlgorithmIdentifier
Issuer asn1.RawValue
Validity validity
Subject asn1.RawValue
PublicKey publicKeyInfo
UniqueId asn1.BitString `asn1:"optional,tag:1"`
SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"`
}
func isECDSASignedCert(cert *x509.Certificate) bool {
return cert.SignatureAlgorithm == x509.ECDSAWithSHA1 ||
cert.SignatureAlgorithm == x509.ECDSAWithSHA256 ||
cert.SignatureAlgorithm == x509.ECDSAWithSHA384 ||
cert.SignatureAlgorithm == x509.ECDSAWithSHA512
}
// sanitizeECDSASignedCert checks that the signatures signing a cert
// is in low-S. This is checked against the public key of parentCert.
// If the signature is not in low-S, then a new certificate is generated
// that is equals to cert but the signature that is in low-S.
func sanitizeECDSASignedCert(cert *x509.Certificate, parentCert *x509.Certificate) (*x509.Certificate, error) {
if cert == nil {
return nil, errors.New("Certificate must be different from nil.")
}
if parentCert == nil {
return nil, errors.New("Parent certificate must be different from nil.")
}
expectedSig, err := sw.SignatureToLowS(parentCert.PublicKey.(*ecdsa.PublicKey), cert.Signature)
if err != nil {
return nil, err
}
// if sig == cert.Signature, nothing needs to be done
if bytes.Equal(cert.Signature, expectedSig) {
return cert, nil
}
// otherwise create a new certificate with the new signature
// 1. Unmarshal cert.Raw to get an instance of certificate,
// the lower level interface that represent an x509 certificate
// encoding
var newCert certificate
newCert, err = certFromX509Cert(cert)
if err != nil {
return nil, err
}
// 2. Change the signature
newCert.SignatureValue = asn1.BitString{Bytes: expectedSig, BitLength: len(expectedSig) * 8}
// 3. marshal again newCert. Raw must be nil
newCert.Raw = nil
newRaw, err := asn1.Marshal(newCert)
if err != nil {
return nil, err
}
// 4. parse newRaw to get an x509 certificate
return x509.ParseCertificate(newRaw)
}
func certFromX509Cert(cert *x509.Certificate) (certificate, error) {
var newCert certificate
_, err := asn1.Unmarshal(cert.Raw, &newCert)
if err != nil {
return certificate{}, err
}
return newCert, nil
}
// String returns a PEM representation of a certificate
func (c certificate) String() string {
b, err := asn1.Marshal(c)
if err != nil {
return fmt.Sprintf("Failed marshaling cert: %v", err)
}
block := &pem.Block{
Bytes: b,
Type: "CERTIFICATE",
}
b = pem.EncodeToMemory(block)
return string(b)
}
// certToPEM converts the given x509.Certificate to a PEM
// encoded string
func certToPEM(certificate *x509.Certificate) string {
cert, err := certFromX509Cert(certificate)
if err != nil {
mspIdentityLogger.Warning("Failed converting certificate to asn1", err)
return ""
}
return cert.String()
}
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
