github.com/IBM-Blockchain/fabric-operator@v1.0.4/pkg/initializer/common/config/crypto.go (about) 1 /* 2 * Copyright contributors to the Hyperledger Fabric Operator project 3 * 4 * SPDX-License-Identifier: Apache-2.0 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at: 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19 package config 20 21 import ( 22 "fmt" 23 "strings" 24 25 "github.com/pkg/errors" 26 27 "github.com/IBM-Blockchain/fabric-operator/pkg/util" 28 ) 29 30 //go:generate counterfeiter -o mocks/crypto.go -fake-name Crypto . Crypto 31 32 type Crypto interface { 33 GetCrypto() (*Response, error) 34 PingCA() error 35 Validate() error 36 } 37 38 // TODO: Next refactor should move this outside of config package into cryptogen package 39 // along with the Response struct, which is required to avoid cyclical dependencies 40 func GenerateCrypto(generator Crypto) (*Response, error) { 41 if err := generator.PingCA(); err != nil { 42 return nil, errors.Wrap(err, "ca is not reachable") 43 } 44 45 if err := generator.Validate(); err != nil { 46 return nil, errors.Wrap(err, "invalid crypto") 47 } 48 49 return generator.GetCrypto() 50 } 51 52 type Cryptos struct { 53 Enrollment Crypto 54 TLS Crypto 55 ClientAuth Crypto 56 } 57 58 func (c *Cryptos) GenerateCryptoResponse() (*CryptoResponse, error) { 59 response := &CryptoResponse{} 60 61 if c.Enrollment != nil { 62 resp, err := GenerateCrypto(c.Enrollment) 63 if err != nil { 64 return nil, err 65 } 66 67 response.Enrollment = resp 68 } 69 70 if c.TLS != nil { 71 resp, err := GenerateCrypto(c.TLS) 72 if err != nil { 73 return nil, err 74 } 75 76 response.TLS = resp 77 } 78 79 if c.ClientAuth != nil { 80 resp, err := GenerateCrypto(c.ClientAuth) 81 if err != nil { 82 return nil, err 83 } 84 85 response.ClientAuth = resp 86 } 87 88 return response, nil 89 } 90 91 type CryptoResponse struct { 92 Enrollment *Response 93 TLS *Response 94 ClientAuth *Response 95 } 96 97 func (c *CryptoResponse) VerifyCertOU(crType string) error { 98 if c.Enrollment != nil { 99 err := c.Enrollment.VerifyCertOU(crType) 100 if err != nil { 101 return errors.Wrapf(err, "invalid OU for %s identity", crType) 102 } 103 } 104 return nil 105 } 106 107 type Response struct { 108 CACerts [][]byte 109 IntermediateCerts [][]byte 110 AdminCerts [][]byte 111 SignCert []byte 112 Keystore []byte 113 } 114 115 func (r *Response) VerifyCertOU(crType string) error { 116 if r.SignCert == nil || len(r.SignCert) == 0 { 117 return nil 118 } 119 120 crType = strings.ToLower(crType) 121 122 err := verifyCertOU(r.SignCert, crType) 123 if err != nil { 124 return errors.Wrap(err, "invalid OU for signcert") 125 } 126 127 if r.AdminCerts == nil { 128 return nil 129 } 130 131 return nil 132 } 133 134 func verifyCertOU(pemBytes []byte, ou string) error { 135 cert, err := util.GetCertificateFromPEMBytes(pemBytes) 136 if err != nil { 137 return err 138 } 139 140 if cert.Subject.OrganizationalUnit == nil { 141 return errors.New("OU not defined") 142 } 143 144 if !util.FindStringInArray(ou, cert.Subject.OrganizationalUnit) { 145 return errors.New(fmt.Sprintf("cert does not have right OU, expecting '%s'", ou)) 146 } 147 148 return nil 149 }