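/*
Copyright IBM Corp. 2017 All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package msp

import (
	"path/filepath"
	"testing"

	"github.com/stretchr/testify/assert"
)

// TestMSPWithIntermediateCAs checks that an MSP whose signing identity is
// issued by an intermediate CA (rather than directly by the root CA) can
// serialize, deserialize and validate its own identity, and that identities
// do not validate across unrelated MSPs in either direction.
//
// testdata/intermediate contains the credentials for a test MSP setup that has
//  1. a key and a signcert (used to populate the default signing identity);
//     signcert is not signed by a CA directly but by an intermediate CA
//  2. intermediatecert is an intermediate CA, signed by the CA
//  3. cacert is the CA that signed the intermediate
//
// localMsp and getLocalMSP are defined elsewhere in this test package.
func TestMSPWithIntermediateCAs(t *testing.T) {
	thisMSP := getLocalMSP(t, "testdata/intermediate")

	// This MSP trusts certificates issued by the intermediate CA. Note that
	// this does NOT extend to certificates issued directly by the root CA:
	// once the root has issued an intermediate it is an internal node of the
	// certification tree, and TestMSPWithIntermediateCAs2 shows that such an
	// identity is rejected.

	sid, err := thisMSP.GetDefaultSigningIdentity()
	assert.NoError(t, err)
	sidBytes, err := sid.Serialize()
	assert.NoError(t, err)

	// the serialized identity must round-trip and validate against its own MSP
	id, err := thisMSP.DeserializeIdentity(sidBytes)
	assert.NoError(t, err)
	err = thisMSP.Validate(id)
	assert.NoError(t, err)

	// an identity of the MSP with intermediate CAs must be rejected by the
	// unrelated local MSP. A fresh deserialization is used so that the
	// previous Validate call cannot influence this check.
	id, err = thisMSP.DeserializeIdentity(sidBytes)
	assert.NoError(t, err)
	err = localMsp.Validate(id)
	assert.Error(t, err)

	// conversely, an identity of the local MSP must be rejected by the MSP
	// with intermediate CAs
	localMSPID, err := localMsp.GetDefaultSigningIdentity()
	assert.NoError(t, err)
	err = thisMSP.Validate(localMSPID)
	assert.Error(t, err)
}

// TestMSPWithExternalIntermediateCAs checks that an MSP whose credentials were
// generated outside the fabric tooling (with openssl) still validates its own
// default signing identity.
//
// testdata/external contains the credentials for a test MSP setup identical
// to testdata/intermediate with the exception that it has been generated
// independently of the fabric environment using openssl. Sanitizing
// certificates may cause a change in the signature algorithm used from that
// used in the original certificate file. Hashes of raw certificate bytes and
// byte-to-byte comparisons between the raw certificate and the one imported
// into the MSP could falsely fail.
func TestMSPWithExternalIntermediateCAs(t *testing.T) {
	thisMSP := getLocalMSP(t, "testdata/external")

	// This MSP will trust any cert signed only by the intermediate

	id, err := thisMSP.GetDefaultSigningIdentity()
	assert.NoError(t, err)

	// ensure that we validate correctly the identity; only its public
	// version is validated, which is what a relying party would see
	err = thisMSP.Validate(id.GetPublicVersion())
	assert.NoError(t, err)
}

// TestIntermediateCAIdentityValidity checks that the intermediate CA
// certificate loaded into the MSP is not itself accepted as a valid identity
// of that MSP.
//
// testdata/intermediate contains the credentials for a test MSP setup that has
//  1. a key and a signcert (used to populate the default signing identity);
//     signcert is not signed by a CA directly but by an intermediate CA
//  2. intermediatecert is an intermediate CA, signed by the CA
//  3. cacert is the CA that signed the intermediate
func TestIntermediateCAIdentityValidity(t *testing.T) {
	thisMSP := getLocalMSP(t, "testdata/intermediate")

	// validating the intermediate CA as if it were a member identity is
	// expected to fail
	id := thisMSP.(*bccspmsp).intermediateCerts[0]
	assert.Error(t, id.Validate())
}

// TestMSPWithIntermediateCAs2 checks that, once the root CA has issued an
// intermediate, only identities issued by the intermediate validate, and an
// identity signed directly by the root CA is rejected with the expected
// "parent certificate should be a leaf" error.
//
// testdata/intermediate2 contains the credentials for a test MSP setup that has
//  1. a key and a signcert (used to populate the default signing identity);
//     signcert is not signed by a CA directly but by an intermediate CA
//  2. intermediatecert is an intermediate CA, signed by the CA
//  3. cacert is the CA that signed the intermediate
//  4. user2-cert is the certificate of an identity signed directly by the CA,
//     therefore validation should fail
func TestMSPWithIntermediateCAs2(t *testing.T) {
	thisMSP := getLocalMSP(t, filepath.Join("testdata", "intermediate2"))

	// the default signing identity is signed by the intermediate CA,
	// the validation should return no error
	id, err := thisMSP.GetDefaultSigningIdentity()
	assert.NoError(t, err)
	err = thisMSP.Validate(id.GetPublicVersion())
	assert.NoError(t, err)

	// user2-cert has been signed by the root CA, validation must fail: the
	// root is an internal node of the certification tree (it issued the
	// intermediate), and an identity's issuer must be a leaf of that tree
	pem, err := readPemFile(filepath.Join("testdata", "intermediate2", "users", "user2-cert.pem"))
	assert.NoError(t, err)
	id2, _, err := thisMSP.(*bccspmsp).getIdentityFromConf(pem)
	assert.NoError(t, err)
	err = thisMSP.Validate(id2)
	// only inspect the message when an error was actually returned; calling
	// err.Error() on a nil error would panic and hide the real failure
	if assert.Error(t, err) {
		assert.Contains(t, err.Error(), "invalid validation chain. Parent certificate should be a leaf of the certification tree ")
	}
}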