github.com/renegr87/renegr87@v2.1.1+incompatible/msp/mspimplsetup.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package msp 8 9 import ( 10 "bytes" 11 "crypto/x509" 12 "crypto/x509/pkix" 13 "fmt" 14 "time" 15 16 "github.com/golang/protobuf/proto" 17 m "github.com/hyperledger/fabric-protos-go/msp" 18 "github.com/hyperledger/fabric/bccsp" 19 errors "github.com/pkg/errors" 20 ) 21 22 func (msp *bccspmsp) getCertifiersIdentifier(certRaw []byte) ([]byte, error) { 23 // 1. check that certificate is registered in msp.rootCerts or msp.intermediateCerts 24 cert, err := msp.getCertFromPem(certRaw) 25 if err != nil { 26 return nil, fmt.Errorf("Failed getting certificate for [%v]: [%s]", certRaw, err) 27 } 28 29 // 2. Sanitize it to ensure like for like comparison 30 cert, err = msp.sanitizeCert(cert) 31 if err != nil { 32 return nil, fmt.Errorf("sanitizeCert failed %s", err) 33 } 34 35 found := false 36 root := false 37 // Search among root certificates 38 for _, v := range msp.rootCerts { 39 if v.(*identity).cert.Equal(cert) { 40 found = true 41 root = true 42 break 43 } 44 } 45 if !found { 46 // Search among root intermediate certificates 47 for _, v := range msp.intermediateCerts { 48 if v.(*identity).cert.Equal(cert) { 49 found = true 50 break 51 } 52 } 53 } 54 if !found { 55 // Certificate not valid, reject configuration 56 return nil, fmt.Errorf("Failed adding OU. Certificate [%v] not in root or intermediate certs.", cert) 57 } 58 59 // 3. get the certification path for it 60 var certifiersIdentifier []byte 61 var chain []*x509.Certificate 62 if root { 63 chain = []*x509.Certificate{cert} 64 } else { 65 chain, err = msp.getValidationChain(cert, true) 66 if err != nil { 67 return nil, fmt.Errorf("Failed computing validation chain for [%v]. [%s]", cert, err) 68 } 69 } 70 71 // 4. compute the hash of the certification path 72 certifiersIdentifier, err = msp.getCertificationChainIdentifierFromChain(chain) 73 if err != nil { 74 return nil, fmt.Errorf("Failed computing Certifiers Identifier for [%v]. [%s]", certRaw, err) 75 } 76 77 return certifiersIdentifier, nil 78 79 } 80 81 func (msp *bccspmsp) setupCrypto(conf *m.FabricMSPConfig) error { 82 msp.cryptoConfig = conf.CryptoConfig 83 if msp.cryptoConfig == nil { 84 // Move to defaults 85 msp.cryptoConfig = &m.FabricCryptoConfig{ 86 SignatureHashFamily: bccsp.SHA2, 87 IdentityIdentifierHashFunction: bccsp.SHA256, 88 } 89 mspLogger.Debugf("CryptoConfig was nil. Move to defaults.") 90 } 91 if msp.cryptoConfig.SignatureHashFamily == "" { 92 msp.cryptoConfig.SignatureHashFamily = bccsp.SHA2 93 mspLogger.Debugf("CryptoConfig.SignatureHashFamily was nil. Move to defaults.") 94 } 95 if msp.cryptoConfig.IdentityIdentifierHashFunction == "" { 96 msp.cryptoConfig.IdentityIdentifierHashFunction = bccsp.SHA256 97 mspLogger.Debugf("CryptoConfig.IdentityIdentifierHashFunction was nil. Move to defaults.") 98 } 99 100 return nil 101 } 102 103 func (msp *bccspmsp) setupCAs(conf *m.FabricMSPConfig) error { 104 // make and fill the set of CA certs - we expect them to be there 105 if len(conf.RootCerts) == 0 { 106 return errors.New("expected at least one CA certificate") 107 } 108 109 // pre-create the verify options with roots and intermediates. 110 // This is needed to make certificate sanitation working. 111 // Recall that sanitization is applied also to root CA and intermediate 112 // CA certificates. After their sanitization is done, the opts 113 // will be recreated using the sanitized certs. 114 msp.opts = &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()} 115 for _, v := range conf.RootCerts { 116 cert, err := msp.getCertFromPem(v) 117 if err != nil { 118 return err 119 } 120 msp.opts.Roots.AddCert(cert) 121 } 122 for _, v := range conf.IntermediateCerts { 123 cert, err := msp.getCertFromPem(v) 124 if err != nil { 125 return err 126 } 127 msp.opts.Intermediates.AddCert(cert) 128 } 129 130 // Load root and intermediate CA identities 131 // Recall that when an identity is created, its certificate gets sanitized 132 msp.rootCerts = make([]Identity, len(conf.RootCerts)) 133 for i, trustedCert := range conf.RootCerts { 134 id, _, err := msp.getIdentityFromConf(trustedCert) 135 if err != nil { 136 return err 137 } 138 139 msp.rootCerts[i] = id 140 } 141 142 // make and fill the set of intermediate certs (if present) 143 msp.intermediateCerts = make([]Identity, len(conf.IntermediateCerts)) 144 for i, trustedCert := range conf.IntermediateCerts { 145 id, _, err := msp.getIdentityFromConf(trustedCert) 146 if err != nil { 147 return err 148 } 149 150 msp.intermediateCerts[i] = id 151 } 152 153 // root CA and intermediate CA certificates are sanitized, they can be re-imported 154 msp.opts = &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()} 155 for _, id := range msp.rootCerts { 156 msp.opts.Roots.AddCert(id.(*identity).cert) 157 } 158 for _, id := range msp.intermediateCerts { 159 msp.opts.Intermediates.AddCert(id.(*identity).cert) 160 } 161 162 return nil 163 } 164 165 func (msp *bccspmsp) setupAdmins(conf *m.FabricMSPConfig) error { 166 return msp.internalSetupAdmin(conf) 167 } 168 169 func (msp *bccspmsp) setupAdminsPreV142(conf *m.FabricMSPConfig) error { 170 // make and fill the set of admin certs (if present) 171 msp.admins = make([]Identity, len(conf.Admins)) 172 for i, admCert := range conf.Admins { 173 id, _, err := msp.getIdentityFromConf(admCert) 174 if err != nil { 175 return err 176 } 177 178 msp.admins[i] = id 179 } 180 181 return nil 182 } 183 184 func (msp *bccspmsp) setupAdminsV142(conf *m.FabricMSPConfig) error { 185 // make and fill the set of admin certs (if present) 186 if err := msp.setupAdminsPreV142(conf); err != nil { 187 return err 188 } 189 190 if len(msp.admins) == 0 && (!msp.ouEnforcement || msp.adminOU == nil) { 191 return errors.New("administrators must be declared when no admin ou classification is set") 192 } 193 194 return nil 195 } 196 197 func (msp *bccspmsp) setupCRLs(conf *m.FabricMSPConfig) error { 198 // setup the CRL (if present) 199 msp.CRL = make([]*pkix.CertificateList, len(conf.RevocationList)) 200 for i, crlbytes := range conf.RevocationList { 201 crl, err := x509.ParseCRL(crlbytes) 202 if err != nil { 203 return errors.Wrap(err, "could not parse RevocationList") 204 } 205 206 // TODO: pre-verify the signature on the CRL and create a map 207 // of CA certs to respective CRLs so that later upon 208 // validation we can already look up the CRL given the 209 // chain of the certificate to be validated 210 211 msp.CRL[i] = crl 212 } 213 214 return nil 215 } 216 217 func (msp *bccspmsp) finalizeSetupCAs() error { 218 // ensure that our CAs are properly formed and that they are valid 219 for _, id := range append(append([]Identity{}, msp.rootCerts...), msp.intermediateCerts...) { 220 if !id.(*identity).cert.IsCA { 221 return errors.Errorf("CA Certificate did not have the CA attribute, (SN: %x)", id.(*identity).cert.SerialNumber) 222 } 223 if _, err := getSubjectKeyIdentifierFromCert(id.(*identity).cert); err != nil { 224 return errors.WithMessagef(err, "CA Certificate problem with Subject Key Identifier extension, (SN: %x)", id.(*identity).cert.SerialNumber) 225 } 226 227 if err := msp.validateCAIdentity(id.(*identity)); err != nil { 228 return errors.WithMessagef(err, "CA Certificate is not valid, (SN: %s)", id.(*identity).cert.SerialNumber) 229 } 230 } 231 232 // populate certificationTreeInternalNodesMap to mark the internal nodes of the 233 // certification tree 234 msp.certificationTreeInternalNodesMap = make(map[string]bool) 235 for _, id := range append([]Identity{}, msp.intermediateCerts...) { 236 chain, err := msp.getUniqueValidationChain(id.(*identity).cert, msp.getValidityOptsForCert(id.(*identity).cert)) 237 if err != nil { 238 return errors.WithMessagef(err, "failed getting validation chain, (SN: %s)", id.(*identity).cert.SerialNumber) 239 } 240 241 // Recall chain[0] is id.(*identity).id so it does not count as a parent 242 for i := 1; i < len(chain); i++ { 243 msp.certificationTreeInternalNodesMap[string(chain[i].Raw)] = true 244 } 245 } 246 247 return nil 248 } 249 250 func (msp *bccspmsp) setupNodeOUs(config *m.FabricMSPConfig) error { 251 if config.FabricNodeOus != nil { 252 253 msp.ouEnforcement = config.FabricNodeOus.Enable 254 255 if config.FabricNodeOus.ClientOuIdentifier == nil || len(config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier) == 0 { 256 return errors.New("Failed setting up NodeOUs. ClientOU must be different from nil.") 257 } 258 259 if config.FabricNodeOus.PeerOuIdentifier == nil || len(config.FabricNodeOus.PeerOuIdentifier.OrganizationalUnitIdentifier) == 0 { 260 return errors.New("Failed setting up NodeOUs. PeerOU must be different from nil.") 261 } 262 263 // ClientOU 264 msp.clientOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier} 265 if len(config.FabricNodeOus.ClientOuIdentifier.Certificate) != 0 { 266 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.ClientOuIdentifier.Certificate) 267 if err != nil { 268 return err 269 } 270 msp.clientOU.CertifiersIdentifier = certifiersIdentifier 271 } 272 273 // PeerOU 274 msp.peerOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.PeerOuIdentifier.OrganizationalUnitIdentifier} 275 if len(config.FabricNodeOus.PeerOuIdentifier.Certificate) != 0 { 276 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.PeerOuIdentifier.Certificate) 277 if err != nil { 278 return err 279 } 280 msp.peerOU.CertifiersIdentifier = certifiersIdentifier 281 } 282 283 } else { 284 msp.ouEnforcement = false 285 } 286 287 return nil 288 } 289 290 func (msp *bccspmsp) setupNodeOUsV142(config *m.FabricMSPConfig) error { 291 if config.FabricNodeOus == nil { 292 msp.ouEnforcement = false 293 return nil 294 } 295 296 msp.ouEnforcement = config.FabricNodeOus.Enable 297 298 counter := 0 299 // ClientOU 300 if config.FabricNodeOus.ClientOuIdentifier != nil { 301 msp.clientOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier} 302 if len(config.FabricNodeOus.ClientOuIdentifier.Certificate) != 0 { 303 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.ClientOuIdentifier.Certificate) 304 if err != nil { 305 return err 306 } 307 msp.clientOU.CertifiersIdentifier = certifiersIdentifier 308 } 309 counter++ 310 } else { 311 msp.clientOU = nil 312 } 313 314 // PeerOU 315 if config.FabricNodeOus.PeerOuIdentifier != nil { 316 msp.peerOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.PeerOuIdentifier.OrganizationalUnitIdentifier} 317 if len(config.FabricNodeOus.PeerOuIdentifier.Certificate) != 0 { 318 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.PeerOuIdentifier.Certificate) 319 if err != nil { 320 return err 321 } 322 msp.peerOU.CertifiersIdentifier = certifiersIdentifier 323 } 324 counter++ 325 } else { 326 msp.peerOU = nil 327 } 328 329 // AdminOU 330 if config.FabricNodeOus.AdminOuIdentifier != nil { 331 msp.adminOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.AdminOuIdentifier.OrganizationalUnitIdentifier} 332 if len(config.FabricNodeOus.AdminOuIdentifier.Certificate) != 0 { 333 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.AdminOuIdentifier.Certificate) 334 if err != nil { 335 return err 336 } 337 msp.adminOU.CertifiersIdentifier = certifiersIdentifier 338 } 339 counter++ 340 } else { 341 msp.adminOU = nil 342 } 343 344 // OrdererOU 345 if config.FabricNodeOus.OrdererOuIdentifier != nil { 346 msp.ordererOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.OrdererOuIdentifier.OrganizationalUnitIdentifier} 347 if len(config.FabricNodeOus.OrdererOuIdentifier.Certificate) != 0 { 348 certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.OrdererOuIdentifier.Certificate) 349 if err != nil { 350 return err 351 } 352 msp.ordererOU.CertifiersIdentifier = certifiersIdentifier 353 } 354 counter++ 355 } else { 356 msp.ordererOU = nil 357 } 358 359 if counter == 0 { 360 // Disable NodeOU 361 msp.ouEnforcement = false 362 } 363 364 return nil 365 } 366 367 func (msp *bccspmsp) setupSigningIdentity(conf *m.FabricMSPConfig) error { 368 if conf.SigningIdentity != nil { 369 sid, err := msp.getSigningIdentityFromConf(conf.SigningIdentity) 370 if err != nil { 371 return err 372 } 373 374 expirationTime := sid.ExpiresAt() 375 now := time.Now() 376 if expirationTime.After(now) { 377 mspLogger.Debug("Signing identity expires at", expirationTime) 378 } else if expirationTime.IsZero() { 379 mspLogger.Debug("Signing identity has no known expiration time") 380 } else { 381 return errors.Errorf("signing identity expired %v ago", now.Sub(expirationTime)) 382 } 383 384 msp.signer = sid 385 } 386 387 return nil 388 } 389 390 func (msp *bccspmsp) setupOUs(conf *m.FabricMSPConfig) error { 391 msp.ouIdentifiers = make(map[string][][]byte) 392 for _, ou := range conf.OrganizationalUnitIdentifiers { 393 394 certifiersIdentifier, err := msp.getCertifiersIdentifier(ou.Certificate) 395 if err != nil { 396 return errors.WithMessagef(err, "failed getting certificate for [%v]", ou) 397 } 398 399 // Check for duplicates 400 found := false 401 for _, id := range msp.ouIdentifiers[ou.OrganizationalUnitIdentifier] { 402 if bytes.Equal(id, certifiersIdentifier) { 403 mspLogger.Warningf("Duplicate found in ou identifiers [%s, %v]", ou.OrganizationalUnitIdentifier, id) 404 found = true 405 break 406 } 407 } 408 409 if !found { 410 // No duplicates found, add it 411 msp.ouIdentifiers[ou.OrganizationalUnitIdentifier] = append( 412 msp.ouIdentifiers[ou.OrganizationalUnitIdentifier], 413 certifiersIdentifier, 414 ) 415 } 416 } 417 418 return nil 419 } 420 421 func (msp *bccspmsp) setupTLSCAs(conf *m.FabricMSPConfig) error { 422 423 opts := &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()} 424 425 // Load TLS root and intermediate CA identities 426 msp.tlsRootCerts = make([][]byte, len(conf.TlsRootCerts)) 427 rootCerts := make([]*x509.Certificate, len(conf.TlsRootCerts)) 428 for i, trustedCert := range conf.TlsRootCerts { 429 cert, err := msp.getCertFromPem(trustedCert) 430 if err != nil { 431 return err 432 } 433 434 rootCerts[i] = cert 435 msp.tlsRootCerts[i] = trustedCert 436 opts.Roots.AddCert(cert) 437 } 438 439 // make and fill the set of intermediate certs (if present) 440 msp.tlsIntermediateCerts = make([][]byte, len(conf.TlsIntermediateCerts)) 441 intermediateCerts := make([]*x509.Certificate, len(conf.TlsIntermediateCerts)) 442 for i, trustedCert := range conf.TlsIntermediateCerts { 443 cert, err := msp.getCertFromPem(trustedCert) 444 if err != nil { 445 return err 446 } 447 448 intermediateCerts[i] = cert 449 msp.tlsIntermediateCerts[i] = trustedCert 450 opts.Intermediates.AddCert(cert) 451 } 452 453 // ensure that our CAs are properly formed and that they are valid 454 for _, cert := range append(append([]*x509.Certificate{}, rootCerts...), intermediateCerts...) { 455 if cert == nil { 456 continue 457 } 458 459 if !cert.IsCA { 460 return errors.Errorf("CA Certificate did not have the CA attribute, (SN: %x)", cert.SerialNumber) 461 } 462 if _, err := getSubjectKeyIdentifierFromCert(cert); err != nil { 463 return errors.WithMessagef(err, "CA Certificate problem with Subject Key Identifier extension, (SN: %x)", cert.SerialNumber) 464 } 465 466 if err := msp.validateTLSCAIdentity(cert, opts); err != nil { 467 return errors.WithMessagef(err, "CA Certificate is not valid, (SN: %s)", cert.SerialNumber) 468 } 469 } 470 471 return nil 472 } 473 474 func (msp *bccspmsp) setupV1(conf1 *m.FabricMSPConfig) error { 475 err := msp.preSetupV1(conf1) 476 if err != nil { 477 return err 478 } 479 480 err = msp.postSetupV1(conf1) 481 if err != nil { 482 return err 483 } 484 485 return nil 486 } 487 488 func (msp *bccspmsp) preSetupV1(conf *m.FabricMSPConfig) error { 489 // setup crypto config 490 if err := msp.setupCrypto(conf); err != nil { 491 return err 492 } 493 494 // Setup CAs 495 if err := msp.setupCAs(conf); err != nil { 496 return err 497 } 498 499 // Setup Admins 500 if err := msp.setupAdmins(conf); err != nil { 501 return err 502 } 503 504 // Setup CRLs 505 if err := msp.setupCRLs(conf); err != nil { 506 return err 507 } 508 509 // Finalize setup of the CAs 510 if err := msp.finalizeSetupCAs(); err != nil { 511 return err 512 } 513 514 // setup the signer (if present) 515 if err := msp.setupSigningIdentity(conf); err != nil { 516 return err 517 } 518 519 // setup TLS CAs 520 if err := msp.setupTLSCAs(conf); err != nil { 521 return err 522 } 523 524 // setup the OUs 525 if err := msp.setupOUs(conf); err != nil { 526 return err 527 } 528 529 return nil 530 } 531 532 func (msp *bccspmsp) preSetupV142(conf *m.FabricMSPConfig) error { 533 // setup crypto config 534 if err := msp.setupCrypto(conf); err != nil { 535 return err 536 } 537 538 // Setup CAs 539 if err := msp.setupCAs(conf); err != nil { 540 return err 541 } 542 543 // Setup CRLs 544 if err := msp.setupCRLs(conf); err != nil { 545 return err 546 } 547 548 // Finalize setup of the CAs 549 if err := msp.finalizeSetupCAs(); err != nil { 550 return err 551 } 552 553 // setup the signer (if present) 554 if err := msp.setupSigningIdentity(conf); err != nil { 555 return err 556 } 557 558 // setup TLS CAs 559 if err := msp.setupTLSCAs(conf); err != nil { 560 return err 561 } 562 563 // setup the OUs 564 if err := msp.setupOUs(conf); err != nil { 565 return err 566 } 567 568 // setup NodeOUs 569 if err := msp.setupNodeOUsV142(conf); err != nil { 570 return err 571 } 572 573 // Setup Admins 574 if err := msp.setupAdmins(conf); err != nil { 575 return err 576 } 577 578 return nil 579 } 580 581 func (msp *bccspmsp) postSetupV1(conf *m.FabricMSPConfig) error { 582 // make sure that admins are valid members as well 583 // this way, when we validate an admin MSP principal 584 // we can simply check for exact match of certs 585 for i, admin := range msp.admins { 586 err := admin.Validate() 587 if err != nil { 588 return errors.WithMessagef(err, "admin %d is invalid", i) 589 } 590 } 591 592 return nil 593 } 594 595 func (msp *bccspmsp) setupV11(conf *m.FabricMSPConfig) error { 596 err := msp.preSetupV1(conf) 597 if err != nil { 598 return err 599 } 600 601 // setup NodeOUs 602 if err := msp.setupNodeOUs(conf); err != nil { 603 return err 604 } 605 606 err = msp.postSetupV11(conf) 607 if err != nil { 608 return err 609 } 610 611 return nil 612 } 613 614 func (msp *bccspmsp) setupV142(conf *m.FabricMSPConfig) error { 615 err := msp.preSetupV142(conf) 616 if err != nil { 617 return err 618 } 619 620 err = msp.postSetupV142(conf) 621 if err != nil { 622 return err 623 } 624 625 return nil 626 } 627 628 func (msp *bccspmsp) postSetupV11(conf *m.FabricMSPConfig) error { 629 // Check for OU enforcement 630 if !msp.ouEnforcement { 631 // No enforcement required. Call post setup as per V1 632 return msp.postSetupV1(conf) 633 } 634 635 // Check that admins are clients 636 principalBytes, err := proto.Marshal(&m.MSPRole{Role: m.MSPRole_CLIENT, MspIdentifier: msp.name}) 637 if err != nil { 638 return errors.Wrapf(err, "failed creating MSPRole_CLIENT") 639 } 640 principal := &m.MSPPrincipal{ 641 PrincipalClassification: m.MSPPrincipal_ROLE, 642 Principal: principalBytes} 643 for i, admin := range msp.admins { 644 err = admin.SatisfiesPrincipal(principal) 645 if err != nil { 646 return errors.WithMessagef(err, "admin %d is invalid", i) 647 } 648 } 649 650 return nil 651 } 652 653 func (msp *bccspmsp) postSetupV142(conf *m.FabricMSPConfig) error { 654 // Check for OU enforcement 655 if !msp.ouEnforcement { 656 // No enforcement required. Call post setup as per V1 657 return msp.postSetupV1(conf) 658 } 659 660 // Check that admins are clients or admins 661 for i, admin := range msp.admins { 662 err1 := msp.hasOURole(admin, m.MSPRole_CLIENT) 663 err2 := msp.hasOURole(admin, m.MSPRole_ADMIN) 664 if err1 != nil && err2 != nil { 665 return errors.Errorf("admin %d is invalid [%s,%s]", i, err1, err2) 666 } 667 } 668 669 return nil 670 }