github.com/inklabsfoundation/inkchain@v0.17.1-0.20181025012015-c3cef8062f19/msp/mspwithintermediatecas_test.go (about)

     1  /*
     2  Copyright IBM Corp. 2017 All Rights Reserved.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  		 http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package msp
    18  
    19  import (
    20  	"path/filepath"
    21  	"testing"
    22  
    23  	"github.com/stretchr/testify/assert"
    24  )
    25  
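// TestMSPWithIntermediateCAs checks that an MSP configured with a root CA and an
// intermediate CA accepts its own default signing identity (issued by the
// intermediate), and that identities are rejected across MSP boundaries in both
// directions.
func TestMSPWithIntermediateCAs(t *testing.T) {
	// testdata/intermediate contains the credentials for a test MSP setup that has
	// 1) a key and a signcert (used to populate the default signing identity);
	//    signcert is not signed by a CA directly but by an intermediate CA
	// 2) intermediatecert is an intermediate CA, signed by the CA
	// 3) cacert is the CA that signed the intermediate
	thisMSP := getLocalMSP(t, filepath.Join("testdata", "intermediate"))

	// This MSP will trust any cert signed by the CA directly OR by the intermediate

	id, err := thisMSP.GetDefaultSigningIdentity()
	if !assert.NoError(t, err) {
		// id is nil on error; dereferencing it below would only turn a clear
		// assertion failure into a panic
		return
	}

	// the identity issued by the intermediate must validate against its own MSP
	assert.NoError(t, thisMSP.Validate(id.GetPublicVersion()))

	// the local MSP must reject an identity that is not part of its own
	// trust chain
	assert.Error(t, localMsp.Validate(id.GetPublicVersion()))

	// and symmetrically, the local MSP's identity must be rejected by the
	// MSP with intermediate CAs
	localMSPID, err := localMsp.GetDefaultSigningIdentity()
	if !assert.NoError(t, err) {
		return
	}
	assert.Error(t, thisMSP.Validate(localMSPID.GetPublicVersion()))
}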
    55  
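// TestMSPWithExternalIntermediateCAs checks that an MSP whose certificates were
// produced outside the inkchain tooling (with openssl) still validates its own
// default signing identity.
func TestMSPWithExternalIntermediateCAs(t *testing.T) {
	// testdata/external contains the credentials for a test MSP setup
	// identical to testdata/intermediate with the exception that it has
	// been generated independently of the inkchain environment using
	// openssl.  Sanitizing certificates may cause a change in the
	// signature algorithm used from that used in original
	// certificate file.  Hashes of raw certificate bytes and
	// byte to byte comparisons between the raw certificate and the
	// one imported into the MSP could falsely fail.

	thisMSP := getLocalMSP(t, filepath.Join("testdata", "external"))

	// This MSP will trust any cert signed only by the intermediate

	id, err := thisMSP.GetDefaultSigningIdentity()
	if !assert.NoError(t, err) {
		// id is nil on error; stop before dereferencing it
		return
	}

	// the identity must be accepted by the MSP it was loaded into
	assert.NoError(t, thisMSP.Validate(id.GetPublicVersion()))
}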
    77  
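// TestIntermediateCAIdentityValidity checks that an intermediate CA certificate
// loaded into the MSP is not itself accepted as a valid member identity.
func TestIntermediateCAIdentityValidity(t *testing.T) {
	// testdata/intermediate contains the credentials for a test MSP setup that has
	// 1) a key and a signcert (used to populate the default signing identity);
	//    signcert is not signed by a CA directly but by an intermediate CA
	// 2) intermediatecert is an intermediate CA, signed by the CA
	// 3) cacert is the CA that signed the intermediate
	thisMSP := getLocalMSP(t, filepath.Join("testdata", "intermediate"))

	// guard the type assertion and the index so a misconfigured fixture
	// reports a failure instead of panicking
	impl, ok := thisMSP.(*bccspmsp)
	if !assert.True(t, ok, "expected *bccspmsp, got %T", thisMSP) {
		return
	}
	if !assert.NotEmpty(t, impl.intermediateCerts) {
		return
	}

	// a CA certificate must not pass as a member identity, even though it is
	// part of the MSP's own trust chain
	assert.Error(t, impl.intermediateCerts[0].Validate())
}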
    89  
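// TestMSPWithIntermediateCAs2 checks that, in an MSP that has an intermediate
// CA, a certificate issued directly by the root CA is rejected: the issuer of a
// valid identity must be a leaf of the MSP's certification tree.
func TestMSPWithIntermediateCAs2(t *testing.T) {
	// testdata/intermediate2 contains the credentials for a test MSP setup that has
	// 1) a key and a signcert (used to populate the default signing identity);
	//    signcert is not signed by a CA directly but by an intermediate CA
	// 2) intermediatecert is an intermediate CA, signed by the CA
	// 3) cacert is the CA that signed the intermediate
	// 4) user2-cert is the certificate of an identity signed directly by the CA
	//    therefore validation should fail.
	thisMSP := getLocalMSP(t, filepath.Join("testdata", "intermediate2"))

	// the default signing identity is signed by the intermediate CA,
	// the validation should return no error
	id, err := thisMSP.GetDefaultSigningIdentity()
	if !assert.NoError(t, err) {
		// id is nil on error; stop before dereferencing it
		return
	}
	assert.NoError(t, thisMSP.Validate(id.GetPublicVersion()))

	// user2-cert has been signed by the root CA, validation must fail
	pemBytes, err := readPemFile(filepath.Join("testdata", "intermediate2", "users", "user2-cert.pem"))
	if !assert.NoError(t, err) {
		return
	}
	// the second return value is not needed by this test
	id2, _, err := thisMSP.(*bccspmsp).getIdentityFromConf(pemBytes)
	if !assert.NoError(t, err) {
		return
	}
	err = thisMSP.Validate(id2)
	if assert.Error(t, err) {
		// pin the rejection reason so that a failure for an unrelated cause
		// (e.g. a broken fixture) cannot make the test pass by accident;
		// guarded so a nil err does not panic on err.Error()
		assert.Contains(t, err.Error(), "Invalid validation chain. Parent certificate should be a leaf of the certification tree ")
	}
}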