登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 0

peter / fabric

代码 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
util.go 4.44 KB
一键复制 编辑 原始数据 按行查看 历史
yacovm 提交于 2019-01-21 20:34 . [FAB-13805] Unify Step and Submit into a stream
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
/*

Copyright IBM Corp. All Rights Reserved.



SPDX-License-Identifier: Apache-2.0

*/



package comm



import (

	"bytes"

	"context"

	"crypto/sha256"

	"crypto/x509"

	"encoding/pem"



	"github.com/golang/protobuf/proto"

	"github.com/pkg/errors"

	"google.golang.org/grpc/credentials"

	"google.golang.org/grpc/peer"

)



// AddPemToCertPool adds PEM-encoded certs to a cert pool

func AddPemToCertPool(pemCerts []byte, pool *x509.CertPool) error {

	certs, _, err := pemToX509Certs(pemCerts)

	if err != nil {

		return err

	}

	for _, cert := range certs {

		pool.AddCert(cert)

	}

	return nil

}



//utility function to parse PEM-encoded certs

func pemToX509Certs(pemCerts []byte) ([]*x509.Certificate, []string, error) {



	//it's possible that multiple certs are encoded

	certs := []*x509.Certificate{}

	subjects := []string{}

	for len(pemCerts) > 0 {

		var block *pem.Block

		block, pemCerts = pem.Decode(pemCerts)

		if block == nil {

			break

		}

		/** TODO: check why msp does not add type to PEM header

		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {

			continue

		}

		*/



		cert, err := x509.ParseCertificate(block.Bytes)

		if err != nil {

			return nil, subjects, err

		} else {

			certs = append(certs, cert)

			//extract and append the subject

			subjects = append(subjects, string(cert.RawSubject))

		}

	}

	return certs, subjects, nil

}



// BindingInspector receives as parameters a gRPC context and an Envelope,

// and verifies whether the message contains an appropriate binding to the context

type BindingInspector func(context.Context, proto.Message) error



// CertHashExtractor extracts a certificate from a proto.Message message

type CertHashExtractor func(proto.Message) []byte



// NewBindingInspector returns a BindingInspector according to whether

// mutualTLS is configured or not, and according to a function that extracts

// TLS certificate hashes from proto messages

func NewBindingInspector(mutualTLS bool, extractTLSCertHash CertHashExtractor) BindingInspector {

	if extractTLSCertHash == nil {

		panic(errors.New("extractTLSCertHash parameter is nil"))

	}

	inspectMessage := mutualTLSBinding

	if !mutualTLS {

		inspectMessage = noopBinding

	}

	return func(ctx context.Context, msg proto.Message) error {

		if msg == nil {

			return errors.New("message is nil")

		}

		return inspectMessage(ctx, extractTLSCertHash(msg))

	}

}



// mutualTLSBinding enforces the client to send its TLS cert hash in the message,

// and then compares it to the computed hash that is derived

// from the gRPC context.

// In case they don't match, or the cert hash is missing from the request or

// there is no TLS certificate to be excavated from the gRPC context,

// an error is returned.

func mutualTLSBinding(ctx context.Context, claimedTLScertHash []byte) error {

	if len(claimedTLScertHash) == 0 {

		return errors.Errorf("client didn't include its TLS cert hash")

	}

	actualTLScertHash := ExtractCertificateHashFromContext(ctx)

	if len(actualTLScertHash) == 0 {

		return errors.Errorf("client didn't send a TLS certificate")

	}

	if !bytes.Equal(actualTLScertHash, claimedTLScertHash) {

		return errors.Errorf("claimed TLS cert hash is %v but actual TLS cert hash is %v", claimedTLScertHash, actualTLScertHash)

	}

	return nil

}



// noopBinding is a BindingInspector that always returns nil

func noopBinding(_ context.Context, _ []byte) error {

	return nil

}



// ExtractCertificateHashFromContext extracts the hash of the certificate from the given context.

// If the certificate isn't present, nil is returned

func ExtractCertificateHashFromContext(ctx context.Context) []byte {

	rawCert := ExtractRawCertificateFromContext(ctx)

	if len(rawCert) == 0 {

		return nil

	}

	h := sha256.New()

	h.Write(rawCert)

	return h.Sum(nil)

}



// ExtractCertificateFromContext returns the TLS certificate (if applicable)

// from the given context of a gRPC stream

func ExtractCertificateFromContext(ctx context.Context) *x509.Certificate {

	pr, extracted := peer.FromContext(ctx)

	if !extracted {

		return nil

	}



	authInfo := pr.AuthInfo

	if authInfo == nil {

		return nil

	}



	tlsInfo, isTLSConn := authInfo.(credentials.TLSInfo)

	if !isTLSConn {

		return nil

	}

	certs := tlsInfo.State.PeerCertificates

	if len(certs) == 0 {

		return nil

	}

	return certs[0]

}



// ExtractRawCertificateFromContext returns the raw TLS certificate (if applicable)

// from the given context of a gRPC stream

func ExtractRawCertificateFromContext(ctx context.Context) []byte {

	cert := ExtractCertificateFromContext(ctx)

	if cert == nil {

		return nil

	}

	return cert.Raw

}
1
https://gitee.com/peter_code_git/fabric.git
git@gitee.com:peter_code_git/fabric.git
peter_code_git
fabric
fabric
v1.4.7
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部