github.com/bigzoro/my_simplechain@v0.0.0-20240315012955-8ad0a2a29bb9/core/access_contoller/cert_ac.go (about) 1 package access_contoller 2 3 import ( 4 "crypto/x509" 5 "crypto/x509/pkix" 6 "errors" 7 "github.com/bigzoro/my_simplechain/core/access_contoller/my_lru" 8 "github.com/bigzoro/my_simplechain/params" 9 "sync/atomic" 10 11 bcx509 "github.com/bigzoro/my_simplechain/core/access_contoller/crypto/x509" 12 13 "encoding/pem" 14 "fmt" 15 "sync" 16 ) 17 18 // 这个结构体的目的是提供对证书和访问控制相关数据的管理和操作, 19 // 包括证书缓存、吊销列表、冻结列表、组织成员验证选项、本地组织信息、第三方信任的成员列表以及共识类型等 20 type certACProvider struct { 21 // 一个指向 accessControlService 类型的指针,用于执行访问控制服务 22 acService *accessControlService 23 24 // local cache for certificates (reduce the size of block) 25 // 并发安全的 LRU 缓存,用于存储证书,减少区块的大小 26 certCache *my_lru.Cache 27 28 // local cache for certificate revocation list and frozen list 29 // crl 和 frozenList 是两个同步映射,分别用于存储证书吊销列表和冻结列表 30 crl sync.Map 31 frozenList sync.Map 32 33 // verification options for organization members 34 // opts 是用于组织成员验证选项的 bcx509.VerifyOptions 结构 35 opts bcx509.VerifyOptions 36 37 // 一个指向 organization 结构的指针,表示本地组织 38 localOrg *organization 39 40 //third-party trusted members 41 // trustMembers 是一个同步映射,用于存储第三方信任的成员 42 trustMembers *sync.Map 43 44 // store 是一个接口类型,用于访问区块链存储 45 //store protocol.BlockchainStore 46 47 //consensus type 48 // consensusType 是一个枚举类型 consensus.ConsensusType,表示共识类型 49 //consensusType consensus.ConsensusType 50 } 51 52 func NewACProvider(chainConfig *params.ChainConfig, localOrgId string) (*certACProvider, error) { 53 54 // 构建一个完整的访问控制提供者实例 55 //certACProvider, err := newCertACProvider(chainConf.ChainConfig(), localOrgId, store, log) 56 certACProvider, err := newCertACProvider(chainConfig, localOrgId) 57 if err != nil { 58 return nil, err 59 } 60 61 //msgBus.Register(msgbus.ChainConfig, certACProvider) 62 //msgBus.Register(msgbus.CertManageCertsDelete, certACProvider) 63 //msgBus.Register(msgbus.CertManageCertsUnfreeze, certACProvider) 64 //msgBus.Register(msgbus.CertManageCertsFreeze, certACProvider) 65 //msgBus.Register(msgbus.CertManageCertsRevoke, certACProvider) 66 //msgBus.Register(msgbus.CertManageCertsAliasDelete, certACProvider) 67 //msgBus.Register(msgbus.CertManageCertsAliasUpdate, certACProvider) 68 //msgBus.Register(msgbus.MaxbftEpochConf, certACProvider) 69 70 //v220_compat Deprecated 71 //chainConf.AddWatch(certACProvider) //nolint: staticcheck 72 //chainConf.AddVmWatch(certACProvider) //nolint: staticcheck 73 return certACProvider, nil 74 } 75 76 // 这个构造函数负责初始化 certACProvider 实例的各个字段, 77 // 并根据链配置中的共识类型来加载相应的配置信息,从而构建一个完整的访问控制提供者实例 78 func newCertACProvider(chainConfig *params.ChainConfig, localOrgId string) (*certACProvider, error) { 79 80 //cache, err2 := my_lru.New(10) 81 82 // 创建一个 certACProvider, 初始化各个字段 83 certACProvider := &certACProvider{ 84 // 初始化为一个并发安全的 LRU 缓存 85 //certCache: concurrentlru.New(localconf.ChainMakerConfig.NodeConfig.CertCacheSize), 86 87 // 初始化为 sync.Map 类型的空映射 88 crl: sync.Map{}, 89 frozenList: sync.Map{}, 90 91 // 初始化为包含根证书和中间证书的 bcx509.VerifyOptions 结构 92 //opts: bcx509.VerifyOptions{ 93 // Intermediates: bcx509.NewCertPool(), 94 // Roots: bcx509.NewCertPool(), 95 //}, 96 97 // 初始化为 nil 98 //localOrg: nil, 99 100 // 初始化为一个空的 sync.Map 101 trustMembers: &sync.Map{}, 102 103 // 被设置为传入的区块链存储 104 //store: store, 105 } 106 107 //var maxbftCfg *maxbft.GovernanceContract 108 var err error 109 110 // 被设置为传入的链配置中的共识类型 111 //certACProvider.consensusType = chainConfig.Consensus.Type 112 113 // 如果链配置的共识类型为 MAXBFT,则加载 MAXBFT 配置,并更新 chainConfig 为 MAXBFT 配置的链配置。 114 // 这一步是为了兼容 MAXBFT 合约可能对链配置的修改。 115 //if certACProvider.consensusType == consensus.ConsensusType_MAXBFT { 116 // 从治理合约中加载链配置 117 //maxbftCfg, err = certACProvider.loadChainConfigFromGovernance() 118 //if err != nil { 119 // return nil, err 120 //} 121 //omit 1'st epoch, GovernanceContract don't save chainConfig in 1'st epoch 122 //if maxbftCfg != nil && maxbftCfg.ChainConfig != nil { 123 // chainConfig = maxbftCfg.ChainConfig 124 //} 125 //} 126 //log.DebugDynamic(func() string { 127 // return fmt.Sprintf("init ac from chainconfig: %+v", chainConfig) 128 //}) 129 130 // 初始化信任成员列表 131 err = certACProvider.initTrustMembers(chainConfig.TrustMembers) 132 if err != nil { 133 return nil, err 134 } 135 136 // 初始化访问控制服务 (acService), 137 // 并设置验证选项函数为 certACProvider 的 getVerifyOptions 方法 138 certACProvider.acService = initAccessControlService() 139 certACProvider.acService.setVerifyOptionsFunc(certACProvider.getVerifyOptions) 140 141 // 初始化信任根证书列表 142 err = certACProvider.initTrustRoots(chainConfig.TrustRoots, localOrgId) 143 if err != nil { 144 return nil, err 145 } 146 147 // 初始化资源策略 148 certACProvider.acService.initResourcePolicy(chainConfig.ResourcePolicies, localOrgId) 149 certACProvider.opts.KeyUsages = make([]x509.ExtKeyUsage, 1) 150 certACProvider.opts.KeyUsages[0] = x509.ExtKeyUsageAny 151 152 // 根据共识类型的不同,更新证书冻结列表和证书吊销列表。 153 // 如果是 MAXBFT 共识类型,则从 MAXBFT 配置中获取更新;否则,从区块链存储中加载已有的列表 154 //if certACProvider.consensusType == consensus.ConsensusType_MAXBFT && maxbftCfg != nil { 155 // err = certACProvider.updateFrozenAndCRL(maxbftCfg) 156 // if err != nil { 157 // return nil, err 158 // } 159 //} else { 160 // if err := certACProvider.loadCRL(); err != nil { 161 // return nil, err 162 // } 163 // if err := certACProvider.loadCertFrozenList(); err != nil { 164 // return nil, err 165 // } 166 //} 167 168 // 返回创建的 certACProvider 实例 169 return certACProvider, nil 170 } 171 172 func (cp *certACProvider) initTrustMembers(trustMembers []*params.TrustMemberConfig) error { 173 var syncMap sync.Map 174 for _, member := range trustMembers { 175 certBlock, _ := pem.Decode([]byte(member.MemberInfo)) 176 if certBlock == nil { 177 return fmt.Errorf("init trust members failed, none certificate given, memberInfo:[%s]", 178 member.MemberInfo) 179 } 180 trustMemberCert, err := bcx509.ParseCertificate(certBlock.Bytes) 181 if err != nil { 182 return fmt.Errorf("init trust members failed, parse certificate failed, memberInfo:[%s]", 183 member.MemberInfo) 184 } 185 cached := &trustMemberCached{ 186 trustMember: member, 187 cert: trustMemberCert, 188 } 189 syncMap.Store(member.MemberInfo, cached) 190 } 191 cp.trustMembers = &syncMap 192 193 return nil 194 } 195 196 // 该函数主要用于初始化证书认证提供程序的信任根证书和中级证书,并将其添加到证书池中 197 func (cp *certACProvider) initTrustRoots(roots []*params.TrustRootConfig, localOrgId string) error { 198 // 遍历所有信任根证书配置 199 for _, orgRoot := range roots { 200 // 为每个组织创建一个组织结构体 201 org := &organization{ 202 id: orgRoot.OrgId, 203 //trustedRootCerts: map[string]*bcx509.Certificate{}, 204 //trustedIntermediateCerts: map[string]*bcx509.Certificate{}, 205 trustedRootCerts: map[string]*bcx509.Certificate{}, 206 trustedIntermediateCerts: map[string]*bcx509.Certificate{}, 207 } 208 209 for _, root := range orgRoot.Roots { 210 // 构建证书链 211 certificateChain, err := cp.buildCertificateChain(root, orgRoot.OrgId, org) 212 if err != nil { 213 return err 214 } 215 // 如果证书链最后为空,或最后一个证书不是 CA 证书,则返回错误 216 if certificateChain == nil || !certificateChain[len(certificateChain)-1].IsCA { 217 return fmt.Errorf("the certificate configured as root for organization %s is not a CA certificate", orgRoot.OrgId) 218 } 219 // 将根证书添加到组织的根信任证书映射和证书池中 220 org.trustedRootCerts[string(certificateChain[len(certificateChain)-1].Raw)] = 221 certificateChain[len(certificateChain)-1] 222 cp.opts.Roots.AddCert(certificateChain[len(certificateChain)-1]) 223 // 将中级证书添加到组织的信任中级证书映射和证书池中 224 for i := 0; i < len(certificateChain); i++ { 225 org.trustedIntermediateCerts[string(certificateChain[i].Raw)] = certificateChain[i] 226 cp.opts.Intermediates.AddCert(certificateChain[i]) 227 } 228 229 /*for _, certificate := range certificateChain { 230 if certificate.IsCA { 231 org.trustedRootCerts[string(certificate.Raw)] = certificate 232 ac.opts.Roots.AddCert(certificate) 233 } else { 234 org.trustedIntermediateCerts[string(certificate.Raw)] = certificate 235 ac.opts.Intermediates.AddCert(certificate) 236 } 237 }*/ 238 239 if len(org.trustedRootCerts) <= 0 { 240 return fmt.Errorf( 241 "setup organization failed, no trusted root (for %s): "+ 242 "please configure trusted root certificate or trusted public key whitelist", 243 orgRoot.OrgId, 244 ) 245 } 246 } 247 // 将组织添加到认证服务中 248 cp.acService.addOrg(orgRoot.OrgId, org) 249 } 250 251 // 获取本地组织信息 252 localOrg := cp.acService.getOrgInfoByOrgId(localOrgId) 253 // 如果本地组织不存在,则创建一个新的组织结构体 254 if localOrg == nil { 255 localOrg = &organization{ 256 id: localOrgId, 257 trustedRootCerts: map[string]*bcx509.Certificate{}, 258 trustedIntermediateCerts: map[string]*bcx509.Certificate{}, 259 } 260 } 261 // 将本地组织信息添加到证书认证提供程序中 262 cp.localOrg, _ = localOrg.(*organization) 263 return nil 264 } 265 266 func (cp *certACProvider) buildCertificateChain(root, orgId string, org *organization) ([]*bcx509.Certificate, error) { 267 var certificates, certificateChain []*bcx509.Certificate 268 pemBlock, rest := pem.Decode([]byte(root)) 269 for pemBlock != nil { 270 cert, errCert := bcx509.ParseCertificate(pemBlock.Bytes) 271 if errCert != nil || cert == nil { 272 return nil, fmt.Errorf("invalid entry int trusted root cert list") 273 } 274 if len(cert.Signature) == 0 { 275 return nil, fmt.Errorf("invalid certificate [SN: %s]", cert.SerialNumber) 276 } 277 certificates = append(certificates, cert) 278 pemBlock, rest = pem.Decode(rest) 279 } 280 certificateChain = bcx509.BuildCertificateChain(certificates) 281 return certificateChain, nil 282 } 283 284 func (cp *certACProvider) loadCRL() error { 285 //if cp.acService.dataStore == nil { 286 // return nil 287 //} 288 // 289 //crlAKIList, err := cp.acService.dataStore.ReadObject(syscontract.SystemContract_CERT_MANAGE.String(), 290 // []byte(protocol.CertRevokeKey)) 291 //if err != nil { 292 // return fmt.Errorf("fail to update CRL list: %v", err) 293 //} 294 //if crlAKIList == nil { 295 // cp.acService.log.Debugf("empty CRL") 296 // return nil 297 //} 298 // 299 //var crlAKIs []string 300 //err = json.Unmarshal(crlAKIList, &crlAKIs) 301 //if err != nil { 302 // return fmt.Errorf("fail to update CRL list: %v", err) 303 //} 304 // 305 //err = cp.storeCrls(crlAKIs) 306 //return err 307 308 return errors.New("") 309 } 310 311 func (cp *certACProvider) getVerifyOptions() *bcx509.VerifyOptions { 312 return &cp.opts 313 } 314 315 // CreatePrincipal creates a principal for one time authentication 316 func (cp *certACProvider) CreatePrincipal(resourceName string, endorsements []*EndorsementEntry, 317 message []byte) (Principal, error) { 318 return cp.acService.createPrincipal(resourceName, endorsements, message) 319 } 320 321 // VerifyPrincipal verifies if the principal for the resource is met 322 func (cp *certACProvider) VerifyPrincipal(principal Principal) (bool, error) { 323 324 if atomic.LoadInt32(&cp.acService.orgNum) <= 0 { 325 return false, fmt.Errorf("authentication failed: empty organization list or trusted node list on this chain") 326 } 327 328 refinedPrincipal, err := cp.refinePrincipal(principal) 329 if err != nil { 330 return false, fmt.Errorf("authentication failed, [%s]", err.Error()) 331 } 332 333 //if localconf.ChainMakerConfig.DebugConfig.IsSkipAccessControl { 334 // return true, nil 335 //} 336 337 p, err := cp.acService.lookUpPolicyByResourceName(principal.GetResourceName()) 338 if err != nil { 339 return false, fmt.Errorf("authentication failed, [%s]", err.Error()) 340 } 341 342 return cp.acService.verifyPrincipalPolicy(principal, refinedPrincipal, p) 343 } 344 345 // all-in-one validation for signing members: certificate chain/whitelist, signature, policies 346 func (cp *certACProvider) refinePrincipal(principal Principal) (Principal, error) { 347 endorsements := principal.GetEndorsement() 348 msg := principal.GetMessage() 349 refinedEndorsement := cp.RefineEndorsements(endorsements, msg) 350 if len(refinedEndorsement) <= 0 { 351 return nil, fmt.Errorf("refine endorsements failed, all endorsers have failed verification") 352 } 353 354 refinedPrincipal, err := cp.CreatePrincipal(principal.GetResourceName(), refinedEndorsement, msg) 355 if err != nil { 356 return nil, fmt.Errorf("create principal failed: [%s]", err.Error()) 357 } 358 359 return refinedPrincipal, nil 360 } 361 362 func (cp *certACProvider) RefineEndorsements(endorsements []*EndorsementEntry, 363 msg []byte) []*EndorsementEntry { 364 365 refinedSigners := map[string]bool{} 366 var refinedEndorsement []*EndorsementEntry 367 var memInfo string 368 369 for _, endorsementEntry := range endorsements { 370 endorsement := &EndorsementEntry{ 371 Signer: &Member{ 372 OrgId: endorsementEntry.Signer.OrgId, 373 MemberInfo: endorsementEntry.Signer.MemberInfo, 374 MemberType: endorsementEntry.Signer.MemberType, 375 }, 376 Signature: endorsementEntry.Signature, 377 } 378 if endorsement.Signer.MemberType == MemberType_CERT { 379 //cp.acService.log.Debugf("target endorser uses full certificate") 380 memInfo = string(endorsement.Signer.MemberInfo) 381 } 382 if endorsement.Signer.MemberType == MemberType_CERT_HASH || 383 endorsement.Signer.MemberType == MemberType_ALIAS { 384 //cp.acService.log.Debugf("target endorser uses compressed certificate") 385 memInfoBytes, ok := cp.lookUpCertCache(endorsement.Signer.MemberInfo) 386 if !ok { 387 //cp.acService.log.Warnf("authentication failed, unknown signer, the provided certificate ID is not registered") 388 continue 389 } 390 memInfo = string(memInfoBytes) 391 endorsement.Signer.MemberInfo = memInfoBytes 392 } 393 394 signerInfo, ok := cp.acService.lookUpMemberInCache(memInfo) 395 if !ok { 396 //cp.acService.log.Debugf("certificate not in local cache, should verify it against the trusted root certificates: "+ 397 // "\n%s", memInfo) 398 remoteMember, certChain, ok, err := cp.verifyPrincipalSignerNotInCache(endorsement, msg, memInfo) 399 if !ok { 400 //cp.acService.log.Warnf("verify principal signer not in cache failed, [endorsement: %v],[err: %s]", 401 // endorsement, err.Error()) 402 fmt.Println(err) 403 continue 404 } 405 406 signerInfo = &memberCached{ 407 member: remoteMember, 408 certChain: certChain, 409 } 410 cp.acService.addMemberToCache(memInfo, signerInfo) 411 } else { 412 flat, err := cp.verifyPrincipalSignerInCache(signerInfo, endorsement, msg, memInfo) 413 if !flat { 414 fmt.Println(err) 415 //cp.acService.log.Warnf("verify principal signer in cache failed, [endorsement: %v],[err: %s]", 416 // endorsement, err.Error()) 417 continue 418 } 419 } 420 421 if _, ok := refinedSigners[memInfo]; !ok { 422 refinedSigners[memInfo] = true 423 refinedEndorsement = append(refinedEndorsement, endorsement) 424 } 425 } 426 return refinedEndorsement 427 } 428 429 // lookUpCertCache Cache for compressed certificate 430 func (cp *certACProvider) lookUpCertCache(certId []byte) ([]byte, bool) { 431 ret, ok := cp.certCache.Get(string(certId)) 432 if !ok { 433 ////cp.acService.log.Debugf("looking up the full certificate for the compressed one [%v]", certId) 434 //if cp.acService.dataStore == nil { 435 // cp.acService.log.Errorf("local data storage is not set up") 436 // return nil, false 437 //} 438 //certIdHex := hex.EncodeToString(certId) 439 //cert, err := cp.acService.dataStore.ReadObject(syscontract.SystemContract_CERT_MANAGE.String(), []byte(certIdHex)) 440 //if err != nil { 441 // cp.acService.log.Errorf("fail to load compressed certificate from local storage [%s]", certIdHex) 442 // return nil, false 443 //} 444 //if cert == nil { 445 // cp.acService.log.Warnf("cert id [%s] does not exist in local storage", certIdHex) 446 // return nil, false 447 //} 448 //cp.addCertCache(string(certId), cert) 449 //cp.acService.log.Debugf("compressed certificate [%s] found and stored in cache", certIdHex) 450 //return cert, true 451 } else if ret != nil { 452 //cp.acService.log.Debugf("compressed certificate [%v] found in cache", []byte(certId)) 453 return ret.([]byte), true 454 } else { 455 //cp.acService.log.Debugf("fail to look up compressed certificate [%v] due to an internal error of local cache", 456 // []byte(certId)) 457 return nil, false 458 } 459 460 return nil, true 461 } 462 463 func (cp *certACProvider) verifyPrincipalSignerNotInCache(endorsement *EndorsementEntry, msg []byte, 464 memInfo string) (remoteMember MemberInterface, certChain []*bcx509.Certificate, ok bool, err error) { 465 var isTrustMember bool 466 remoteMember, isTrustMember, err = cp.newNoCacheMember(endorsement.Signer) 467 if err != nil { 468 err = fmt.Errorf("new member failed: [%s]", err.Error()) 469 ok = false 470 return 471 } 472 473 if !isTrustMember { 474 certChain, err = cp.verifyMember(remoteMember) 475 if err != nil { 476 err = fmt.Errorf("verify member failed: [%s]", err.Error()) 477 ok = false 478 return 479 } 480 } 481 482 if err = remoteMember.Verify(cp.acService.hashType, msg, endorsement.Signature); err != nil { 483 err = fmt.Errorf("member verify signature failed: [%s]", err.Error()) 484 //cp.acService.log.Warnf("information for invalid signature:\norganization: %s\ncertificate: %s\nmessage: %s\n"+ 485 // "signature: %s", endorsement.Signer.OrgId, memInfo, hex.Dump(msg), hex.Dump(endorsement.Signature)) 486 ok = false 487 return 488 } 489 ok = true 490 return 491 } 492 493 func (cp *certACProvider) newNoCacheMember(pbMember *Member) (member MemberInterface, 494 isTrustMember bool, err error) { 495 cached, ok := cp.loadTrustMembers(string(pbMember.MemberInfo)) 496 if ok { 497 var isCompressed bool 498 if pbMember.MemberType == MemberType_CERT { 499 isCompressed = false 500 } 501 var certMember *certificateMember 502 certMember, err = newCertMemberFromParam(cached.trustMember.OrgId, cached.trustMember.Role, 503 cp.acService.hashType, isCompressed, []byte(cached.trustMember.MemberInfo)) 504 if err != nil { 505 return nil, isTrustMember, err 506 } 507 isTrustMember = true 508 return certMember, isTrustMember, nil 509 } 510 511 member, err = cp.acService.newCertMember(pbMember) 512 if err != nil { 513 return nil, isTrustMember, fmt.Errorf("new member failed: %s", err.Error()) 514 } 515 return member, isTrustMember, nil 516 } 517 518 func (cp *certACProvider) loadTrustMembers(memberInfo string) (*trustMemberCached, bool) { 519 cached, ok := cp.trustMembers.Load(string(memberInfo)) 520 if ok { 521 return cached.(*trustMemberCached), ok 522 } 523 return nil, ok 524 } 525 526 func (cp *certACProvider) verifyPrincipalSignerInCache(signerInfo *memberCached, endorsement *EndorsementEntry, 527 msg []byte, memInfo string) (bool, error) { 528 // check CRL and certificate frozen list 529 530 _, isTrustMember := cp.loadTrustMembers(memInfo) 531 532 if !isTrustMember { 533 err := cp.checkCRL(signerInfo.certChain) 534 if err != nil { 535 return false, fmt.Errorf("check CRL, error: [%s]", err.Error()) 536 } 537 err = cp.checkCertFrozenList(signerInfo.certChain) 538 if err != nil { 539 return false, fmt.Errorf("check cert forzen list, error: [%s]", err.Error()) 540 } 541 //cp.acService.log.Debugf("certificate is already seen, no need to verify against the trusted root certificates") 542 543 if endorsement.Signer.OrgId != signerInfo.member.GetOrgId() { 544 err := fmt.Errorf("authentication failed, signer does not belong to the organization it claims "+ 545 "[claim: %s, root cert: %s]", endorsement.Signer.OrgId, signerInfo.member.GetOrgId()) 546 return false, err 547 } 548 } 549 if err := signerInfo.member.Verify(cp.acService.hashType, msg, endorsement.Signature); err != nil { 550 err = fmt.Errorf("signer member verify signature failed: [%s]", err.Error()) 551 //cp.acService.log.Warnf("information for invalid signature:\norganization: %s\ncertificate: %s\nmessage: %s\n"+ 552 // "signature: %s", endorsement.Signer.OrgId, memInfo, hex.Dump(msg), hex.Dump(endorsement.Signature)) 553 return false, err 554 } 555 return true, nil 556 } 557 558 func (cp *certACProvider) checkCRL(certChain []*bcx509.Certificate) error { 559 if len(certChain) < 1 { 560 return fmt.Errorf("given certificate chain is empty") 561 } 562 563 for _, cert := range certChain { 564 akiCert := cert.AuthorityKeyId 565 566 crl, ok := cp.crl.Load(string(akiCert)) 567 if ok { 568 // we have ac CRL, check whether the serial number is revoked 569 for _, rc := range crl.(*pkix.CertificateList).TBSCertList.RevokedCertificates { 570 if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { 571 return errors.New("certificate is revoked") 572 } 573 } 574 } 575 } 576 577 return nil 578 } 579 580 func (cp *certACProvider) checkCertFrozenList(certChain []*bcx509.Certificate) error { 581 if len(certChain) < 1 { 582 return fmt.Errorf("given certificate chain is empty") 583 } 584 _, ok := cp.frozenList.Load(string(certChain[0].Raw)) 585 if ok { 586 return fmt.Errorf("certificate is frozen") 587 } 588 return nil 589 } 590 591 // Check whether the provided member is a valid member of this group 592 func (cp *certACProvider) verifyMember(mem MemberInterface) ([]*bcx509.Certificate, error) { 593 if mem == nil { 594 return nil, fmt.Errorf("invalid member: member should not be nil") 595 } 596 certMember, ok := mem.(*certificateMember) 597 if !ok { 598 return nil, fmt.Errorf("invalid member: member type err") 599 } 600 601 orgIdFromCert := certMember.cert.Subject.Organization[0] 602 org := cp.acService.getOrgInfoByOrgId(orgIdFromCert) 603 604 // the Third-party CA 605 if certMember.cert.IsCA && org == nil { 606 //cp.acService.log.Info("the Third-party CA verify the member") 607 certChain := []*bcx509.Certificate{certMember.cert} 608 err := cp.checkCRL(certChain) 609 if err != nil { 610 return nil, err 611 } 612 613 err = cp.checkCertFrozenList(certChain) 614 if err != nil { 615 return nil, err 616 } 617 618 return certChain, nil 619 } 620 621 if mem.GetOrgId() != orgIdFromCert { 622 return nil, fmt.Errorf( 623 "signer does not belong to the organization it claims [claim: %s, certificate: %s]", 624 mem.GetOrgId(), 625 orgIdFromCert, 626 ) 627 } 628 629 if org == nil { 630 return nil, fmt.Errorf("no orgnization found") 631 } 632 633 certChains, err := certMember.cert.Verify(cp.opts) 634 if err != nil { 635 return nil, fmt.Errorf("not ac valid certificate from trusted CAs: %v", err) 636 } 637 638 if len(org.(*organization).trustedRootCerts) <= 0 { 639 return nil, fmt.Errorf("no trusted root: please configure trusted root certificate") 640 } 641 642 certChain := cp.findCertChain(org.(*organization), certChains) 643 if certChain != nil { 644 return certChain, nil 645 } 646 return nil, fmt.Errorf("authentication failed, signer does not belong to the organization it claims"+ 647 " [claim: %s]", mem.GetOrgId()) 648 } 649 650 func (cp *certACProvider) findCertChain(org *organization, certChains [][]*bcx509.Certificate) []*bcx509.Certificate { 651 for _, chain := range certChains { 652 rootCert := chain[len(chain)-1] 653 _, ok := org.trustedRootCerts[string(rootCert.Raw)] 654 if ok { 655 var err error 656 // check CRL and frozen list 657 err = cp.checkCRL(chain) 658 if err != nil { 659 //cp.acService.log.Warnf("authentication failed, CRL: %v", err) 660 continue 661 } 662 err = cp.checkCertFrozenList(chain) 663 if err != nil { 664 //cp.acService.log.Warnf("authentication failed, certificate frozen list: %v", err) 665 continue 666 } 667 return chain 668 } 669 } 670 return nil 671 }