github.com/bigzoro/my_simplechain@v0.0.0-20240315012955-8ad0a2a29bb9/core/access_contoller/cert_ac.go (about)

     1  package access_contoller
     2  
     3  import (
     4  	"crypto/x509"
     5  	"crypto/x509/pkix"
     6  	"errors"
     7  	"github.com/bigzoro/my_simplechain/core/access_contoller/my_lru"
     8  	"github.com/bigzoro/my_simplechain/params"
     9  	"sync/atomic"
    10  
    11  	bcx509 "github.com/bigzoro/my_simplechain/core/access_contoller/crypto/x509"
    12  
    13  	"encoding/pem"
    14  	"fmt"
    15  	"sync"
    16  )
    17  
    18  // 这个结构体的目的是提供对证书和访问控制相关数据的管理和操作,
    19  // 包括证书缓存、吊销列表、冻结列表、组织成员验证选项、本地组织信息、第三方信任的成员列表以及共识类型等
    20  type certACProvider struct {
    21  	// 一个指向 accessControlService 类型的指针,用于执行访问控制服务
    22  	acService *accessControlService
    23  
    24  	// local cache for certificates (reduce the size of block)
    25  	// 并发安全的 LRU 缓存,用于存储证书,减少区块的大小
    26  	certCache *my_lru.Cache
    27  
    28  	// local cache for certificate revocation list and frozen list
    29  	// crl 和 frozenList 是两个同步映射,分别用于存储证书吊销列表和冻结列表
    30  	crl        sync.Map
    31  	frozenList sync.Map
    32  
    33  	// verification options for organization members
    34  	// opts 是用于组织成员验证选项的 bcx509.VerifyOptions 结构
    35  	opts bcx509.VerifyOptions
    36  
    37  	// 一个指向 organization 结构的指针,表示本地组织
    38  	localOrg *organization
    39  
    40  	//third-party trusted members
    41  	// trustMembers 是一个同步映射,用于存储第三方信任的成员
    42  	trustMembers *sync.Map
    43  
    44  	// store 是一个接口类型,用于访问区块链存储
    45  	//store protocol.BlockchainStore
    46  
    47  	//consensus type
    48  	// consensusType 是一个枚举类型 consensus.ConsensusType,表示共识类型
    49  	//consensusType consensus.ConsensusType
    50  }
    51  
    52  func NewACProvider(chainConfig *params.ChainConfig, localOrgId string) (*certACProvider, error) {
    53  
    54  	// 构建一个完整的访问控制提供者实例
    55  	//certACProvider, err := newCertACProvider(chainConf.ChainConfig(), localOrgId, store, log)
    56  	certACProvider, err := newCertACProvider(chainConfig, localOrgId)
    57  	if err != nil {
    58  		return nil, err
    59  	}
    60  
    61  	//msgBus.Register(msgbus.ChainConfig, certACProvider)
    62  	//msgBus.Register(msgbus.CertManageCertsDelete, certACProvider)
    63  	//msgBus.Register(msgbus.CertManageCertsUnfreeze, certACProvider)
    64  	//msgBus.Register(msgbus.CertManageCertsFreeze, certACProvider)
    65  	//msgBus.Register(msgbus.CertManageCertsRevoke, certACProvider)
    66  	//msgBus.Register(msgbus.CertManageCertsAliasDelete, certACProvider)
    67  	//msgBus.Register(msgbus.CertManageCertsAliasUpdate, certACProvider)
    68  	//msgBus.Register(msgbus.MaxbftEpochConf, certACProvider)
    69  
    70  	//v220_compat Deprecated
    71  	//chainConf.AddWatch(certACProvider)   //nolint: staticcheck
    72  	//chainConf.AddVmWatch(certACProvider) //nolint: staticcheck
    73  	return certACProvider, nil
    74  }
    75  
    76  // 这个构造函数负责初始化 certACProvider 实例的各个字段,
    77  // 并根据链配置中的共识类型来加载相应的配置信息,从而构建一个完整的访问控制提供者实例
    78  func newCertACProvider(chainConfig *params.ChainConfig, localOrgId string) (*certACProvider, error) {
    79  
    80  	//cache, err2 := my_lru.New(10)
    81  
    82  	// 创建一个 certACProvider, 初始化各个字段
    83  	certACProvider := &certACProvider{
    84  		// 初始化为一个并发安全的 LRU 缓存
    85  		//certCache: concurrentlru.New(localconf.ChainMakerConfig.NodeConfig.CertCacheSize),
    86  
    87  		// 初始化为 sync.Map 类型的空映射
    88  		crl:        sync.Map{},
    89  		frozenList: sync.Map{},
    90  
    91  		// 初始化为包含根证书和中间证书的 bcx509.VerifyOptions 结构
    92  		//opts: bcx509.VerifyOptions{
    93  		//	Intermediates: bcx509.NewCertPool(),
    94  		//	Roots:         bcx509.NewCertPool(),
    95  		//},
    96  
    97  		// 初始化为 nil
    98  		//localOrg: nil,
    99  
   100  		//  初始化为一个空的 sync.Map
   101  		trustMembers: &sync.Map{},
   102  
   103  		// 被设置为传入的区块链存储
   104  		//store: store,
   105  	}
   106  
   107  	//var maxbftCfg *maxbft.GovernanceContract
   108  	var err error
   109  
   110  	// 被设置为传入的链配置中的共识类型
   111  	//certACProvider.consensusType = chainConfig.Consensus.Type
   112  
   113  	// 如果链配置的共识类型为 MAXBFT,则加载 MAXBFT 配置,并更新 chainConfig 为 MAXBFT 配置的链配置。
   114  	// 这一步是为了兼容 MAXBFT 合约可能对链配置的修改。
   115  	//if certACProvider.consensusType == consensus.ConsensusType_MAXBFT {
   116  	// 从治理合约中加载链配置
   117  	//maxbftCfg, err = certACProvider.loadChainConfigFromGovernance()
   118  	//if err != nil {
   119  	//	return nil, err
   120  	//}
   121  	//omit 1'st epoch, GovernanceContract don't save chainConfig in 1'st epoch
   122  	//if maxbftCfg != nil && maxbftCfg.ChainConfig != nil {
   123  	//	chainConfig = maxbftCfg.ChainConfig
   124  	//}
   125  	//}
   126  	//log.DebugDynamic(func() string {
   127  	//	return fmt.Sprintf("init ac from chainconfig: %+v", chainConfig)
   128  	//})
   129  
   130  	// 初始化信任成员列表
   131  	err = certACProvider.initTrustMembers(chainConfig.TrustMembers)
   132  	if err != nil {
   133  		return nil, err
   134  	}
   135  
   136  	// 初始化访问控制服务 (acService),
   137  	// 并设置验证选项函数为 certACProvider 的 getVerifyOptions 方法
   138  	certACProvider.acService = initAccessControlService()
   139  	certACProvider.acService.setVerifyOptionsFunc(certACProvider.getVerifyOptions)
   140  
   141  	// 初始化信任根证书列表
   142  	err = certACProvider.initTrustRoots(chainConfig.TrustRoots, localOrgId)
   143  	if err != nil {
   144  		return nil, err
   145  	}
   146  
   147  	// 初始化资源策略
   148  	certACProvider.acService.initResourcePolicy(chainConfig.ResourcePolicies, localOrgId)
   149  	certACProvider.opts.KeyUsages = make([]x509.ExtKeyUsage, 1)
   150  	certACProvider.opts.KeyUsages[0] = x509.ExtKeyUsageAny
   151  
   152  	// 根据共识类型的不同,更新证书冻结列表和证书吊销列表。
   153  	// 如果是 MAXBFT 共识类型,则从 MAXBFT 配置中获取更新;否则,从区块链存储中加载已有的列表
   154  	//if certACProvider.consensusType == consensus.ConsensusType_MAXBFT && maxbftCfg != nil {
   155  	//	err = certACProvider.updateFrozenAndCRL(maxbftCfg)
   156  	//	if err != nil {
   157  	//		return nil, err
   158  	//	}
   159  	//} else {
   160  	//	if err := certACProvider.loadCRL(); err != nil {
   161  	//		return nil, err
   162  	//	}
   163  	//	if err := certACProvider.loadCertFrozenList(); err != nil {
   164  	//		return nil, err
   165  	//	}
   166  	//}
   167  
   168  	// 返回创建的 certACProvider 实例
   169  	return certACProvider, nil
   170  }
   171  
   172  func (cp *certACProvider) initTrustMembers(trustMembers []*params.TrustMemberConfig) error {
   173  	var syncMap sync.Map
   174  	for _, member := range trustMembers {
   175  		certBlock, _ := pem.Decode([]byte(member.MemberInfo))
   176  		if certBlock == nil {
   177  			return fmt.Errorf("init trust members failed, none certificate given, memberInfo:[%s]",
   178  				member.MemberInfo)
   179  		}
   180  		trustMemberCert, err := bcx509.ParseCertificate(certBlock.Bytes)
   181  		if err != nil {
   182  			return fmt.Errorf("init trust members failed, parse certificate failed, memberInfo:[%s]",
   183  				member.MemberInfo)
   184  		}
   185  		cached := &trustMemberCached{
   186  			trustMember: member,
   187  			cert:        trustMemberCert,
   188  		}
   189  		syncMap.Store(member.MemberInfo, cached)
   190  	}
   191  	cp.trustMembers = &syncMap
   192  
   193  	return nil
   194  }
   195  
   196  // 该函数主要用于初始化证书认证提供程序的信任根证书和中级证书,并将其添加到证书池中
   197  func (cp *certACProvider) initTrustRoots(roots []*params.TrustRootConfig, localOrgId string) error {
   198  	// 遍历所有信任根证书配置
   199  	for _, orgRoot := range roots {
   200  		// 为每个组织创建一个组织结构体
   201  		org := &organization{
   202  			id: orgRoot.OrgId,
   203  			//trustedRootCerts:         map[string]*bcx509.Certificate{},
   204  			//trustedIntermediateCerts: map[string]*bcx509.Certificate{},
   205  			trustedRootCerts:         map[string]*bcx509.Certificate{},
   206  			trustedIntermediateCerts: map[string]*bcx509.Certificate{},
   207  		}
   208  
   209  		for _, root := range orgRoot.Roots {
   210  			// 构建证书链
   211  			certificateChain, err := cp.buildCertificateChain(root, orgRoot.OrgId, org)
   212  			if err != nil {
   213  				return err
   214  			}
   215  			// 如果证书链最后为空,或最后一个证书不是 CA 证书,则返回错误
   216  			if certificateChain == nil || !certificateChain[len(certificateChain)-1].IsCA {
   217  				return fmt.Errorf("the certificate configured as root for organization %s is not a CA certificate", orgRoot.OrgId)
   218  			}
   219  			// 将根证书添加到组织的根信任证书映射和证书池中
   220  			org.trustedRootCerts[string(certificateChain[len(certificateChain)-1].Raw)] =
   221  				certificateChain[len(certificateChain)-1]
   222  			cp.opts.Roots.AddCert(certificateChain[len(certificateChain)-1])
   223  			// 将中级证书添加到组织的信任中级证书映射和证书池中
   224  			for i := 0; i < len(certificateChain); i++ {
   225  				org.trustedIntermediateCerts[string(certificateChain[i].Raw)] = certificateChain[i]
   226  				cp.opts.Intermediates.AddCert(certificateChain[i])
   227  			}
   228  
   229  			/*for _, certificate := range certificateChain {
   230  				if certificate.IsCA {
   231  					org.trustedRootCerts[string(certificate.Raw)] = certificate
   232  					ac.opts.Roots.AddCert(certificate)
   233  				} else {
   234  					org.trustedIntermediateCerts[string(certificate.Raw)] = certificate
   235  					ac.opts.Intermediates.AddCert(certificate)
   236  				}
   237  			}*/
   238  
   239  			if len(org.trustedRootCerts) <= 0 {
   240  				return fmt.Errorf(
   241  					"setup organization failed, no trusted root (for %s): "+
   242  						"please configure trusted root certificate or trusted public key whitelist",
   243  					orgRoot.OrgId,
   244  				)
   245  			}
   246  		}
   247  		// 将组织添加到认证服务中
   248  		cp.acService.addOrg(orgRoot.OrgId, org)
   249  	}
   250  
   251  	// 获取本地组织信息
   252  	localOrg := cp.acService.getOrgInfoByOrgId(localOrgId)
   253  	// 如果本地组织不存在,则创建一个新的组织结构体
   254  	if localOrg == nil {
   255  		localOrg = &organization{
   256  			id:                       localOrgId,
   257  			trustedRootCerts:         map[string]*bcx509.Certificate{},
   258  			trustedIntermediateCerts: map[string]*bcx509.Certificate{},
   259  		}
   260  	}
   261  	// 将本地组织信息添加到证书认证提供程序中
   262  	cp.localOrg, _ = localOrg.(*organization)
   263  	return nil
   264  }
   265  
   266  func (cp *certACProvider) buildCertificateChain(root, orgId string, org *organization) ([]*bcx509.Certificate, error) {
   267  	var certificates, certificateChain []*bcx509.Certificate
   268  	pemBlock, rest := pem.Decode([]byte(root))
   269  	for pemBlock != nil {
   270  		cert, errCert := bcx509.ParseCertificate(pemBlock.Bytes)
   271  		if errCert != nil || cert == nil {
   272  			return nil, fmt.Errorf("invalid entry int trusted root cert list")
   273  		}
   274  		if len(cert.Signature) == 0 {
   275  			return nil, fmt.Errorf("invalid certificate [SN: %s]", cert.SerialNumber)
   276  		}
   277  		certificates = append(certificates, cert)
   278  		pemBlock, rest = pem.Decode(rest)
   279  	}
   280  	certificateChain = bcx509.BuildCertificateChain(certificates)
   281  	return certificateChain, nil
   282  }
   283  
   284  func (cp *certACProvider) loadCRL() error {
   285  	//if cp.acService.dataStore == nil {
   286  	//	return nil
   287  	//}
   288  	//
   289  	//crlAKIList, err := cp.acService.dataStore.ReadObject(syscontract.SystemContract_CERT_MANAGE.String(),
   290  	//	[]byte(protocol.CertRevokeKey))
   291  	//if err != nil {
   292  	//	return fmt.Errorf("fail to update CRL list: %v", err)
   293  	//}
   294  	//if crlAKIList == nil {
   295  	//	cp.acService.log.Debugf("empty CRL")
   296  	//	return nil
   297  	//}
   298  	//
   299  	//var crlAKIs []string
   300  	//err = json.Unmarshal(crlAKIList, &crlAKIs)
   301  	//if err != nil {
   302  	//	return fmt.Errorf("fail to update CRL list: %v", err)
   303  	//}
   304  	//
   305  	//err = cp.storeCrls(crlAKIs)
   306  	//return err
   307  
   308  	return errors.New("")
   309  }
   310  
   311  func (cp *certACProvider) getVerifyOptions() *bcx509.VerifyOptions {
   312  	return &cp.opts
   313  }
   314  
   315  // CreatePrincipal creates a principal for one time authentication
   316  func (cp *certACProvider) CreatePrincipal(resourceName string, endorsements []*EndorsementEntry,
   317  	message []byte) (Principal, error) {
   318  	return cp.acService.createPrincipal(resourceName, endorsements, message)
   319  }
   320  
   321  // VerifyPrincipal verifies if the principal for the resource is met
   322  func (cp *certACProvider) VerifyPrincipal(principal Principal) (bool, error) {
   323  
   324  	if atomic.LoadInt32(&cp.acService.orgNum) <= 0 {
   325  		return false, fmt.Errorf("authentication failed: empty organization list or trusted node list on this chain")
   326  	}
   327  
   328  	refinedPrincipal, err := cp.refinePrincipal(principal)
   329  	if err != nil {
   330  		return false, fmt.Errorf("authentication failed, [%s]", err.Error())
   331  	}
   332  
   333  	//if localconf.ChainMakerConfig.DebugConfig.IsSkipAccessControl {
   334  	//	return true, nil
   335  	//}
   336  
   337  	p, err := cp.acService.lookUpPolicyByResourceName(principal.GetResourceName())
   338  	if err != nil {
   339  		return false, fmt.Errorf("authentication failed, [%s]", err.Error())
   340  	}
   341  
   342  	return cp.acService.verifyPrincipalPolicy(principal, refinedPrincipal, p)
   343  }
   344  
   345  // all-in-one validation for signing members: certificate chain/whitelist, signature, policies
   346  func (cp *certACProvider) refinePrincipal(principal Principal) (Principal, error) {
   347  	endorsements := principal.GetEndorsement()
   348  	msg := principal.GetMessage()
   349  	refinedEndorsement := cp.RefineEndorsements(endorsements, msg)
   350  	if len(refinedEndorsement) <= 0 {
   351  		return nil, fmt.Errorf("refine endorsements failed, all endorsers have failed verification")
   352  	}
   353  
   354  	refinedPrincipal, err := cp.CreatePrincipal(principal.GetResourceName(), refinedEndorsement, msg)
   355  	if err != nil {
   356  		return nil, fmt.Errorf("create principal failed: [%s]", err.Error())
   357  	}
   358  
   359  	return refinedPrincipal, nil
   360  }
   361  
   362  func (cp *certACProvider) RefineEndorsements(endorsements []*EndorsementEntry,
   363  	msg []byte) []*EndorsementEntry {
   364  
   365  	refinedSigners := map[string]bool{}
   366  	var refinedEndorsement []*EndorsementEntry
   367  	var memInfo string
   368  
   369  	for _, endorsementEntry := range endorsements {
   370  		endorsement := &EndorsementEntry{
   371  			Signer: &Member{
   372  				OrgId:      endorsementEntry.Signer.OrgId,
   373  				MemberInfo: endorsementEntry.Signer.MemberInfo,
   374  				MemberType: endorsementEntry.Signer.MemberType,
   375  			},
   376  			Signature: endorsementEntry.Signature,
   377  		}
   378  		if endorsement.Signer.MemberType == MemberType_CERT {
   379  			//cp.acService.log.Debugf("target endorser uses full certificate")
   380  			memInfo = string(endorsement.Signer.MemberInfo)
   381  		}
   382  		if endorsement.Signer.MemberType == MemberType_CERT_HASH ||
   383  			endorsement.Signer.MemberType == MemberType_ALIAS {
   384  			//cp.acService.log.Debugf("target endorser uses compressed certificate")
   385  			memInfoBytes, ok := cp.lookUpCertCache(endorsement.Signer.MemberInfo)
   386  			if !ok {
   387  				//cp.acService.log.Warnf("authentication failed, unknown signer, the provided certificate ID is not registered")
   388  				continue
   389  			}
   390  			memInfo = string(memInfoBytes)
   391  			endorsement.Signer.MemberInfo = memInfoBytes
   392  		}
   393  
   394  		signerInfo, ok := cp.acService.lookUpMemberInCache(memInfo)
   395  		if !ok {
   396  			//cp.acService.log.Debugf("certificate not in local cache, should verify it against the trusted root certificates: "+
   397  			//	"\n%s", memInfo)
   398  			remoteMember, certChain, ok, err := cp.verifyPrincipalSignerNotInCache(endorsement, msg, memInfo)
   399  			if !ok {
   400  				//cp.acService.log.Warnf("verify principal signer not in cache failed, [endorsement: %v],[err: %s]",
   401  				//	endorsement, err.Error())
   402  				fmt.Println(err)
   403  				continue
   404  			}
   405  
   406  			signerInfo = &memberCached{
   407  				member:    remoteMember,
   408  				certChain: certChain,
   409  			}
   410  			cp.acService.addMemberToCache(memInfo, signerInfo)
   411  		} else {
   412  			flat, err := cp.verifyPrincipalSignerInCache(signerInfo, endorsement, msg, memInfo)
   413  			if !flat {
   414  				fmt.Println(err)
   415  				//cp.acService.log.Warnf("verify principal signer in cache failed, [endorsement: %v],[err: %s]",
   416  				//	endorsement, err.Error())
   417  				continue
   418  			}
   419  		}
   420  
   421  		if _, ok := refinedSigners[memInfo]; !ok {
   422  			refinedSigners[memInfo] = true
   423  			refinedEndorsement = append(refinedEndorsement, endorsement)
   424  		}
   425  	}
   426  	return refinedEndorsement
   427  }
   428  
   429  // lookUpCertCache Cache for compressed certificate
   430  func (cp *certACProvider) lookUpCertCache(certId []byte) ([]byte, bool) {
   431  	ret, ok := cp.certCache.Get(string(certId))
   432  	if !ok {
   433  		////cp.acService.log.Debugf("looking up the full certificate for the compressed one [%v]", certId)
   434  		//if cp.acService.dataStore == nil {
   435  		//	cp.acService.log.Errorf("local data storage is not set up")
   436  		//	return nil, false
   437  		//}
   438  		//certIdHex := hex.EncodeToString(certId)
   439  		//cert, err := cp.acService.dataStore.ReadObject(syscontract.SystemContract_CERT_MANAGE.String(), []byte(certIdHex))
   440  		//if err != nil {
   441  		//	cp.acService.log.Errorf("fail to load compressed certificate from local storage [%s]", certIdHex)
   442  		//	return nil, false
   443  		//}
   444  		//if cert == nil {
   445  		//	cp.acService.log.Warnf("cert id [%s] does not exist in local storage", certIdHex)
   446  		//	return nil, false
   447  		//}
   448  		//cp.addCertCache(string(certId), cert)
   449  		//cp.acService.log.Debugf("compressed certificate [%s] found and stored in cache", certIdHex)
   450  		//return cert, true
   451  	} else if ret != nil {
   452  		//cp.acService.log.Debugf("compressed certificate [%v] found in cache", []byte(certId))
   453  		return ret.([]byte), true
   454  	} else {
   455  		//cp.acService.log.Debugf("fail to look up compressed certificate [%v] due to an internal error of local cache",
   456  		//	[]byte(certId))
   457  		return nil, false
   458  	}
   459  
   460  	return nil, true
   461  }
   462  
   463  func (cp *certACProvider) verifyPrincipalSignerNotInCache(endorsement *EndorsementEntry, msg []byte,
   464  	memInfo string) (remoteMember MemberInterface, certChain []*bcx509.Certificate, ok bool, err error) {
   465  	var isTrustMember bool
   466  	remoteMember, isTrustMember, err = cp.newNoCacheMember(endorsement.Signer)
   467  	if err != nil {
   468  		err = fmt.Errorf("new member failed: [%s]", err.Error())
   469  		ok = false
   470  		return
   471  	}
   472  
   473  	if !isTrustMember {
   474  		certChain, err = cp.verifyMember(remoteMember)
   475  		if err != nil {
   476  			err = fmt.Errorf("verify member failed: [%s]", err.Error())
   477  			ok = false
   478  			return
   479  		}
   480  	}
   481  
   482  	if err = remoteMember.Verify(cp.acService.hashType, msg, endorsement.Signature); err != nil {
   483  		err = fmt.Errorf("member verify signature failed: [%s]", err.Error())
   484  		//cp.acService.log.Warnf("information for invalid signature:\norganization: %s\ncertificate: %s\nmessage: %s\n"+
   485  		//	"signature: %s", endorsement.Signer.OrgId, memInfo, hex.Dump(msg), hex.Dump(endorsement.Signature))
   486  		ok = false
   487  		return
   488  	}
   489  	ok = true
   490  	return
   491  }
   492  
   493  func (cp *certACProvider) newNoCacheMember(pbMember *Member) (member MemberInterface,
   494  	isTrustMember bool, err error) {
   495  	cached, ok := cp.loadTrustMembers(string(pbMember.MemberInfo))
   496  	if ok {
   497  		var isCompressed bool
   498  		if pbMember.MemberType == MemberType_CERT {
   499  			isCompressed = false
   500  		}
   501  		var certMember *certificateMember
   502  		certMember, err = newCertMemberFromParam(cached.trustMember.OrgId, cached.trustMember.Role,
   503  			cp.acService.hashType, isCompressed, []byte(cached.trustMember.MemberInfo))
   504  		if err != nil {
   505  			return nil, isTrustMember, err
   506  		}
   507  		isTrustMember = true
   508  		return certMember, isTrustMember, nil
   509  	}
   510  
   511  	member, err = cp.acService.newCertMember(pbMember)
   512  	if err != nil {
   513  		return nil, isTrustMember, fmt.Errorf("new member failed: %s", err.Error())
   514  	}
   515  	return member, isTrustMember, nil
   516  }
   517  
   518  func (cp *certACProvider) loadTrustMembers(memberInfo string) (*trustMemberCached, bool) {
   519  	cached, ok := cp.trustMembers.Load(string(memberInfo))
   520  	if ok {
   521  		return cached.(*trustMemberCached), ok
   522  	}
   523  	return nil, ok
   524  }
   525  
   526  func (cp *certACProvider) verifyPrincipalSignerInCache(signerInfo *memberCached, endorsement *EndorsementEntry,
   527  	msg []byte, memInfo string) (bool, error) {
   528  	// check CRL and certificate frozen list
   529  
   530  	_, isTrustMember := cp.loadTrustMembers(memInfo)
   531  
   532  	if !isTrustMember {
   533  		err := cp.checkCRL(signerInfo.certChain)
   534  		if err != nil {
   535  			return false, fmt.Errorf("check CRL, error: [%s]", err.Error())
   536  		}
   537  		err = cp.checkCertFrozenList(signerInfo.certChain)
   538  		if err != nil {
   539  			return false, fmt.Errorf("check cert forzen list, error: [%s]", err.Error())
   540  		}
   541  		//cp.acService.log.Debugf("certificate is already seen, no need to verify against the trusted root certificates")
   542  
   543  		if endorsement.Signer.OrgId != signerInfo.member.GetOrgId() {
   544  			err := fmt.Errorf("authentication failed, signer does not belong to the organization it claims "+
   545  				"[claim: %s, root cert: %s]", endorsement.Signer.OrgId, signerInfo.member.GetOrgId())
   546  			return false, err
   547  		}
   548  	}
   549  	if err := signerInfo.member.Verify(cp.acService.hashType, msg, endorsement.Signature); err != nil {
   550  		err = fmt.Errorf("signer member verify signature failed: [%s]", err.Error())
   551  		//cp.acService.log.Warnf("information for invalid signature:\norganization: %s\ncertificate: %s\nmessage: %s\n"+
   552  		//	"signature: %s", endorsement.Signer.OrgId, memInfo, hex.Dump(msg), hex.Dump(endorsement.Signature))
   553  		return false, err
   554  	}
   555  	return true, nil
   556  }
   557  
   558  func (cp *certACProvider) checkCRL(certChain []*bcx509.Certificate) error {
   559  	if len(certChain) < 1 {
   560  		return fmt.Errorf("given certificate chain is empty")
   561  	}
   562  
   563  	for _, cert := range certChain {
   564  		akiCert := cert.AuthorityKeyId
   565  
   566  		crl, ok := cp.crl.Load(string(akiCert))
   567  		if ok {
   568  			// we have ac CRL, check whether the serial number is revoked
   569  			for _, rc := range crl.(*pkix.CertificateList).TBSCertList.RevokedCertificates {
   570  				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
   571  					return errors.New("certificate is revoked")
   572  				}
   573  			}
   574  		}
   575  	}
   576  
   577  	return nil
   578  }
   579  
   580  func (cp *certACProvider) checkCertFrozenList(certChain []*bcx509.Certificate) error {
   581  	if len(certChain) < 1 {
   582  		return fmt.Errorf("given certificate chain is empty")
   583  	}
   584  	_, ok := cp.frozenList.Load(string(certChain[0].Raw))
   585  	if ok {
   586  		return fmt.Errorf("certificate is frozen")
   587  	}
   588  	return nil
   589  }
   590  
   591  // Check whether the provided member is a valid member of this group
   592  func (cp *certACProvider) verifyMember(mem MemberInterface) ([]*bcx509.Certificate, error) {
   593  	if mem == nil {
   594  		return nil, fmt.Errorf("invalid member: member should not be nil")
   595  	}
   596  	certMember, ok := mem.(*certificateMember)
   597  	if !ok {
   598  		return nil, fmt.Errorf("invalid member: member type err")
   599  	}
   600  
   601  	orgIdFromCert := certMember.cert.Subject.Organization[0]
   602  	org := cp.acService.getOrgInfoByOrgId(orgIdFromCert)
   603  
   604  	// the Third-party CA
   605  	if certMember.cert.IsCA && org == nil {
   606  		//cp.acService.log.Info("the Third-party CA verify the member")
   607  		certChain := []*bcx509.Certificate{certMember.cert}
   608  		err := cp.checkCRL(certChain)
   609  		if err != nil {
   610  			return nil, err
   611  		}
   612  
   613  		err = cp.checkCertFrozenList(certChain)
   614  		if err != nil {
   615  			return nil, err
   616  		}
   617  
   618  		return certChain, nil
   619  	}
   620  
   621  	if mem.GetOrgId() != orgIdFromCert {
   622  		return nil, fmt.Errorf(
   623  			"signer does not belong to the organization it claims [claim: %s, certificate: %s]",
   624  			mem.GetOrgId(),
   625  			orgIdFromCert,
   626  		)
   627  	}
   628  
   629  	if org == nil {
   630  		return nil, fmt.Errorf("no orgnization found")
   631  	}
   632  
   633  	certChains, err := certMember.cert.Verify(cp.opts)
   634  	if err != nil {
   635  		return nil, fmt.Errorf("not ac valid certificate from trusted CAs: %v", err)
   636  	}
   637  
   638  	if len(org.(*organization).trustedRootCerts) <= 0 {
   639  		return nil, fmt.Errorf("no trusted root: please configure trusted root certificate")
   640  	}
   641  
   642  	certChain := cp.findCertChain(org.(*organization), certChains)
   643  	if certChain != nil {
   644  		return certChain, nil
   645  	}
   646  	return nil, fmt.Errorf("authentication failed, signer does not belong to the organization it claims"+
   647  		" [claim: %s]", mem.GetOrgId())
   648  }
   649  
   650  func (cp *certACProvider) findCertChain(org *organization, certChains [][]*bcx509.Certificate) []*bcx509.Certificate {
   651  	for _, chain := range certChains {
   652  		rootCert := chain[len(chain)-1]
   653  		_, ok := org.trustedRootCerts[string(rootCert.Raw)]
   654  		if ok {
   655  			var err error
   656  			// check CRL and frozen list
   657  			err = cp.checkCRL(chain)
   658  			if err != nil {
   659  				//cp.acService.log.Warnf("authentication failed, CRL: %v", err)
   660  				continue
   661  			}
   662  			err = cp.checkCertFrozenList(chain)
   663  			if err != nil {
   664  				//cp.acService.log.Warnf("authentication failed, certificate frozen list: %v", err)
   665  				continue
   666  			}
   667  			return chain
   668  		}
   669  	}
   670  	return nil
   671  }