
     1  /*
     2  Copyright IBM Corp. 2017 All Rights Reserved.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  		 http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package msp
    18  
    19  import (
    20  	"path/filepath"
    21  	"testing"
    22  
    23  	"github.com/stretchr/testify/assert"
    24  )
    25  
// TestMSPWithIntermediateCAs checks that an MSP whose signing identity is
// issued by an intermediate CA validates its own identity, and that trust does
// not leak across MSPs: the identity must be rejected by the local MSP, and the
// local MSP's identity must be rejected by this MSP.
func TestMSPWithIntermediateCAs(t *testing.T) {
	// testdata/intermediate holds:
	//   - a key and a signcert for the default signing identity; the signcert
	//     is issued by the intermediate CA, not by the root CA directly
	//   - intermediatecert, the intermediate CA, issued by the root CA
	//   - cacert, the root CA that issued the intermediate
	// The resulting MSP trusts certificates issued by the CA directly or via
	// the intermediate.
	intermediateMSP := getLocalMSP(t, "testdata/intermediate")

	signer, err := intermediateMSP.GetDefaultSigningIdentity()
	assert.NoError(t, err)
	serialized, err := signer.Serialize()
	assert.NoError(t, err)

	// The identity is deserialized afresh before each Validate call so that
	// every check starts from an identity that has not been validated before.
	ident, err := intermediateMSP.DeserializeIdentity(serialized)
	assert.NoError(t, err)
	// The MSP that issued the identity must accept it.
	assert.NoError(t, intermediateMSP.Validate(ident))

	ident, err = intermediateMSP.DeserializeIdentity(serialized)
	assert.NoError(t, err)
	// The local MSP does not trust this chain, so it must reject the identity.
	assert.Error(t, localMsp.Validate(ident))

	ident, err = intermediateMSP.DeserializeIdentity(serialized)
	assert.NoError(t, err)

	// Conversely, the local MSP's own identity must be rejected by the MSP
	// with intermediate CAs.
	localIdent, err := localMsp.GetDefaultSigningIdentity()
	assert.NoError(t, err)
	assert.Error(t, intermediateMSP.Validate(localIdent))
}
    65  
// TestMSPWithExternalIntermediateCAs validates the default signing identity of
// an MSP whose credentials were produced outside the fabric tooling.
func TestMSPWithExternalIntermediateCAs(t *testing.T) {
	// testdata/external mirrors testdata/intermediate, except that its
	// credentials were generated independently with openssl. Sanitizing a
	// certificate may change the signature algorithm relative to the original
	// file, so hashes of the raw certificate bytes, or byte-for-byte
	// comparisons between the raw certificate and the one the MSP imported,
	// could falsely fail; this test therefore only exercises validation.
	externalMSP := getLocalMSP(t, "testdata/external")

	// This MSP trusts only certificates issued by the intermediate.
	signer, err := externalMSP.GetDefaultSigningIdentity()
	assert.NoError(t, err)

	// The public half of the signing identity must validate against its own MSP.
	assert.NoError(t, externalMSP.Validate(signer.GetPublicVersion()))
}
    87  
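// TestIntermediateCAIdentityValidity checks that an intermediate CA
// certificate is not accepted as an identity: Validate on it must fail.
func TestIntermediateCAIdentityValidity(t *testing.T) {
	// testdata/intermediate holds:
	//   - a key and a signcert for the default signing identity; the signcert
	//     is issued by the intermediate CA, not by the root CA directly
	//   - intermediatecert, the intermediate CA, issued by the root CA
	//   - cacert, the root CA that issued the intermediate
	thisMSP := getLocalMSP(t, "testdata/intermediate")

	// Report a clear assertion failure instead of a type-assertion or index
	// panic if the MSP is not a *bccspmsp or loaded no intermediate certs.
	impl, ok := thisMSP.(*bccspmsp)
	if !assert.True(t, ok, "expected a *bccspmsp") || !assert.NotEmpty(t, impl.intermediateCerts) {
		return
	}

	// A CA certificate must not validate as an identity of the MSP.
	assert.Error(t, impl.intermediateCerts[0].Validate())
}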
    99  
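// TestMSPWithIntermediateCAs2 checks that an MSP configured with an
// intermediate CA accepts its own signing identity, which the intermediate
// issued, but rejects an identity whose certificate was issued directly by
// the root CA.
func TestMSPWithIntermediateCAs2(t *testing.T) {
	// testdata/intermediate2 holds:
	//   - a key and a signcert for the default signing identity; the signcert
	//     is issued by the intermediate CA, not by the root CA directly
	//   - intermediatecert, the intermediate CA, issued by the root CA
	//   - cacert, the root CA that issued the intermediate
	//   - users/user2-cert.pem, an identity issued directly by the root CA,
	//     which validation must therefore reject
	thisMSP := getLocalMSP(t, filepath.Join("testdata", "intermediate2"))

	// The default signing identity is issued by the intermediate CA and must
	// validate. Stop on a failed assertion: the value would be nil and the
	// method call below would panic instead of reporting a failure.
	id, err := thisMSP.GetDefaultSigningIdentity()
	if !assert.NoError(t, err) {
		return
	}
	assert.NoError(t, thisMSP.Validate(id.GetPublicVersion()))

	// user2-cert is issued by the root CA, not by the intermediate, so
	// validation must fail.
	pemBytes, err := readPemFile(filepath.Join("testdata", "intermediate2", "users", "user2-cert.pem"))
	if !assert.NoError(t, err) {
		return
	}
	// The second result of getIdentityFromConf is not needed by this test.
	id2, _, err := thisMSP.(*bccspmsp).getIdentityFromConf(pemBytes)
	if !assert.NoError(t, err) {
		return
	}
	err = thisMSP.Validate(id2)
	// Only inspect the message when an error was actually returned;
	// err.Error() on a nil error would panic rather than fail the test.
	if assert.Error(t, err) {
		assert.Contains(t, err.Error(), "invalid validation chain. Parent certificate should be a leaf of the certification tree ")
	}
}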