登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
3 Star 14 Fork 4

赵春/fabric-gm

代码 Issues 1 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
expiration.go 4.30 KB
一键复制 编辑 原始数据 按行查看 历史
赵春 提交于 2022-02-22 14:31 . 基础版本作成
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145
/*

Copyright IBM Corp. All Rights Reserved.



SPDX-License-Identifier: Apache-2.0

*/



package crypto



import (

	"bytes"

	"encoding/pem"

	"time"



	"gitee.com/zhaochuninhefei/gmgo/x509"

	"github.com/golang/protobuf/proto"

	"github.com/hyperledger/fabric-protos-go/msp"

	"github.com/pkg/errors"

)



// ExpiresAt returns when the given identity expires, or a zero time.Time

// in case we cannot determine that

func ExpiresAt(identityBytes []byte) time.Time {

	sId := &msp.SerializedIdentity{}

	// If protobuf parsing failed, we make no decisions about the expiration time

	if err := proto.Unmarshal(identityBytes, sId); err != nil {

		return time.Time{}

	}

	return certExpirationTime(sId.IdBytes)

}



func certExpirationTime(pemBytes []byte) time.Time {

	bl, _ := pem.Decode(pemBytes)

	if bl == nil {

		// If the identity isn't a PEM block, we make no decisions about the expiration time

		return time.Time{}

	}

	cert, err := x509.ParseCertificate(bl.Bytes)

	if err != nil {

		return time.Time{}

	}

	return cert.NotAfter

}



// MessageFunc notifies a message happened with the given format, and can be replaced with Warnf or Infof of a logger.

type MessageFunc func(format string, args ...interface{})



// Scheduler invokes f after d time, and can be replaced with time.AfterFunc.

type Scheduler func(d time.Duration, f func()) *time.Timer



// TrackExpiration warns a week before one of the certificates expires

func TrackExpiration(tls bool, serverCert []byte, clientCertChain [][]byte, sIDBytes []byte, info MessageFunc, warn MessageFunc, now time.Time, s Scheduler) {

	sID := &msp.SerializedIdentity{}

	if err := proto.Unmarshal(sIDBytes, sID); err != nil {

		return

	}



	trackCertExpiration(sID.IdBytes, "enrollment", info, warn, now, s)



	if !tls {

		return

	}



	trackCertExpiration(serverCert, "server TLS", info, warn, now, s)



	if len(clientCertChain) == 0 || len(clientCertChain[0]) == 0 {

		return

	}



	trackCertExpiration(clientCertChain[0], "client TLS", info, warn, now, s)

}



func trackCertExpiration(rawCert []byte, certRole string, info MessageFunc, warn MessageFunc, now time.Time, sched Scheduler) {

	expirationTime := certExpirationTime(rawCert)

	if expirationTime.IsZero() {

		// If the certificate expiration time cannot be classified, return.

		return

	}



	timeLeftUntilExpiration := expirationTime.Sub(now)

	oneWeek := time.Hour * 24 * 7



	if timeLeftUntilExpiration < 0 {

		warn("The %s certificate has expired", certRole)

		return

	}



	info("The %s certificate will expire on %s", certRole, expirationTime)



	if timeLeftUntilExpiration < oneWeek {

		days := timeLeftUntilExpiration / (time.Hour * 24)

		hours := (timeLeftUntilExpiration - (days * time.Hour * 24)) / time.Hour

		warn("The %s certificate expires within %d days and %d hours", certRole, days, hours)

		return

	}



	timeLeftUntilOneWeekBeforeExpiration := timeLeftUntilExpiration - oneWeek



	sched(timeLeftUntilOneWeekBeforeExpiration, func() {

		warn("The %s certificate will expire within one week", certRole)

	})



}



var (

	// ErrPubKeyMismatch is used by CertificatesWithSamePublicKey to indicate the two public keys mismatch

	ErrPubKeyMismatch = errors.New("public keys do not match")

)



// LogNonPubKeyMismatchErr logs an error which is not an ErrPubKeyMismatch error

func LogNonPubKeyMismatchErr(log func(template string, args ...interface{}), err error, cert1DER, cert2DER []byte) {

	cert1PEM := &pem.Block{Type: "CERTIFICATE", Bytes: cert1DER}

	cert2PEM := &pem.Block{Type: "CERTIFICATE", Bytes: cert2DER}

	log("Failed determining if public key of %s matches public key of %s: %s",

		string(pem.EncodeToMemory(cert1PEM)),

		string(pem.EncodeToMemory(cert2PEM)),

		err)

}



// CertificatesWithSamePublicKey returns nil if both byte slices

// are valid DER encoding of certificates with the same public key.

func CertificatesWithSamePublicKey(der1, der2 []byte) error {

	cert1canonized, err := publicKeyFromCertificate(der1)

	if err != nil {

		return err

	}



	cert2canonized, err := publicKeyFromCertificate(der2)

	if err != nil {

		return err

	}



	if bytes.Equal(cert1canonized, cert2canonized) {

		return nil

	}

	return ErrPubKeyMismatch

}



// publicKeyFromCertificate returns the public key of the given ASN1 DER certificate.

func publicKeyFromCertificate(der []byte) ([]byte, error) {

	cert, err := x509.ParseCertificate(der)

	if err != nil {

		return nil, err

	}

	return x509.MarshalPKIXPublicKey(cert.PublicKey)

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/zhaochuninhefei/fabric-gm.git
git@gitee.com:zhaochuninhefei/fabric-gm.git
zhaochuninhefei
fabric-gm
fabric-gm
v0.0.2
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部