ChainMaker 兼容第三方ca
2021-09-14 本文已影响0人
冰冰大象
ChainMaker v2版本新添加了一个兼容第三方ca的功能,现有如下问题
- 第三方ca兼容是怎么实现的
- 第三方ca是如何验证的
- 第三方ca有没有使用限制
带着问题看源码,在SDK中 当设置好公私钥等参数,创建客户端时有一个压缩证书的方法func (cc *ChainClient) EnableCertHash()
同时也提供证书验证
EnableCertHash里包含一个获取链配置的RPC方法
func (cc *ChainClient) GetChainConfig() (*config.ChainConfig, error) {
//省略
...
// 这里看出这是一个调用invoke rpc的方法同时 交易类型还是TxType_QUERY_CONTRACT
payload := cc.createPayload("", common.TxType_QUERY_CONTRACT, syscontract.SystemContract_CHAIN_CONFIG.String(),
syscontract.ChainConfigFunction_GET_CHAIN_CONFIG.String(), nil, defaultSeq)
resp, err := cc.proposalRequest(payload, nil)
if err != nil {
return nil, fmt.Errorf("send %s failed, %s", payload.TxType.String(), err.Error())
}
//省略
...
}
看一下服务端的invoke
方法实现
### module/rpcserver/api_service.go
// invoke contract according to TxType
func (s *ApiService) invoke(tx *commonPb.Transaction, source protocol.TxSource) *commonPb.TxResponse {
...
if tx.Payload.ChainId != SYSTEM_CHAIN {
// 这里 如果不是系统链 我们就需要验证一下交易
errCode, errMsg = s.validate(tx)
if errCode != commonErr.ERR_CODE_OK {
resp.Code = commonPb.TxStatusCode_INTERNAL_ERROR
resp.Message = errMsg
resp.TxId = tx.Payload.TxId
return resp
}
}
...
}
// validate tx
func (s *ApiService) validate(tx *commonPb.Transaction) (errCode commonErr.ErrCode, errMsg string) {
...
/// 获取区块配置
bc, err = s.chainMakerServer.GetBlockchain(tx.Payload.ChainId)
if err != nil {
errCode = commonErr.ERR_CODE_GET_BLOCKCHAIN
errMsg = s.getErrMsg(errCode, err)
s.log.Error(errMsg)
return
}
// 验证交易 GetAccessControl()访问控制权限等
if err = utils.VerifyTxWithoutPayload(tx, tx.Payload.ChainId, bc.GetAccessControl()); err != nil {
errCode = commonErr.ERR_CODE_TX_VERIFY_FAILED
errMsg = fmt.Sprintf("%s, %s, txId:%s, sender:%s", errCode.String(), err.Error(), tx.Payload.TxId,
hex.EncodeToString(tx.Sender.Signer.MemberInfo))
s.log.Error(errMsg)
return
}
return commonErr.ERR_CODE_OK, ""
}
下一步 就到交易验证的工具模块utils
### module/utils/transaction.go
// VerifyTxWithoutPayload verify a transaction with access control provider. The payload of the transaction will not be verified.
func VerifyTxWithoutPayload(tx *commonPb.Transaction, chainId string, ac protocol.AccessControlProvider) error {
if tx == nil {
return errors.New("tx is nil")
}
// 验证交易头部
if err := verifyTxHeader(tx.Payload, chainId); err != nil {
return fmt.Errorf("verify tx header failed, %s", err)
}
// 验证发送者身份
if err := verifyTxAuth(tx, ac); err != nil {
return fmt.Errorf("verify tx authentation failed, %s", err)
}
return nil
}
// verify transaction sender's authentication (include signature verification, cert-chain verification, access verification)
func verifyTxAuth(t *commonPb.Transaction, ac protocol.AccessControlProvider) error {
...
endorsements := []*commonPb.EndorsementEntry{t.Sender}
txType := t.Payload.TxType
principal, err := ac.CreatePrincipal(txType.String(), endorsements, txBytes)
if err != nil {
return fmt.Errorf("fail to construct authentication principal: %s", err)
}
// 这里套了一层
ok, err := ac.VerifyPrincipal(principal)
if err != nil {
return fmt.Errorf("authentication error, %s", err)
}
if !ok {
return fmt.Errorf("authentication failed")
}
...
}
转到权限控制模块accesscontrol
###module/accesscontrol/cert_ac.go
// VerifyPrincipal verifies if the principal for the resource is met
func (cp *certACProvider) VerifyPrincipal(principal protocol.Principal) (bool, error) {
...
// 包装一层
refinedPrincipal, err := cp.refinePrincipal(principal)
if err != nil {
return false, fmt.Errorf("authentication failed, [%s]", err.Error())
}
...
}
// all-in-one validation for signing members: certificate chain/whitelist, signature, policies
func (cp *certACProvider) refinePrincipal(principal protocol.Principal) (protocol.Principal, error) {
// 获取背书
endorsements := principal.GetEndorsement()
// 获取消息
msg := principal.GetMessage()
// 完善 背书信息
refinedEndorsement := cp.refineEndorsements(endorsements, msg)
if len(refinedEndorsement) <= 0 {
return nil, fmt.Errorf("refine endorsements failed, all endorsers have failed verification")
}
refinedPrincipal, err := cp.CreatePrincipal(principal.GetResourceName(), refinedEndorsement, msg)
if err != nil {
return nil, fmt.Errorf("create principal failed: [%s]", err.Error())
}
return refinedPrincipal, nil
}
接着看一下refineEndorsements
方法,这里分为2种情况,证书已经存储在缓存中,证书没有存储在缓存中
func (cp *certACProvider) refineEndorsements(endorsements []*common.EndorsementEntry,
msg []byte) []*common.EndorsementEntry {
refinedSigners := map[string]bool{}
// 组装后返回新的背书数据
var refinedEndorsement []*common.EndorsementEntry
var memInfo string
for _, endorsementEntry := range endorsements {
// 开始创建新数据
endorsement := &common.EndorsementEntry{
Signer: &pbac.Member{
OrgId: endorsementEntry.Signer.OrgId,
MemberInfo: endorsementEntry.Signer.MemberInfo,
MemberType: endorsementEntry.Signer.MemberType,
},
Signature: endorsementEntry.Signature,
}
// 链上证书存储 分为MemberType_CERT 全证书 和 MemberType_CERT_HASH 证书哈希值两种
if endorsement.Signer.MemberType == pbac.MemberType_CERT {
cp.log.Debugf("target endorser uses full certificate")
memInfo = string(endorsement.Signer.MemberInfo)
}
if endorsement.Signer.MemberType == pbac.MemberType_CERT_HASH {
cp.log.Debugf("target endorser uses compressed certificate")
memInfoBytes, ok := cp.lookUpCertCache(endorsement.Signer.MemberInfo)
if !ok {
cp.log.Infof("authentication failed, unknown signer, the provided certificate ID is not registered")
continue
}
memInfo = string(memInfoBytes)
endorsement.Signer.MemberInfo = memInfoBytes
}
// 从缓存中查找证书
signerInfo, ok := cp.acService.lookUpMemberInCache(memInfo)
if !ok {
// 没有在缓存中,表示SDK第一次使用
remoteMember, certChain, ok, err := cp.verifyPrincipalSignerNotInCache(endorsement, msg, memInfo)
...
signerInfo = &cachedMember{
member: remoteMember,
certChain: certChain,
}
//加入缓存
cp.acService.addMemberToCache(memInfo, signerInfo)
} else {
// 如果证书已经存在,则验证证书
flat, err := cp.verifyPrincipalSignerInCache(signerInfo, endorsement, msg, memInfo)
...
}
...
}
return refinedEndorsement
}
先说简单一点的 已经加入缓存了的证书 验证
func (cp *certACProvider) verifyPrincipalSignerInCache(signerInfo *cachedMember, endorsement *common.EndorsementEntry,
msg []byte, memInfo string) (bool, error) {
// check CRL and certificate frozen list
// 先判断当前证书的内容是否存在于第三方列表中trust_members中
isTrustMember := false
for _, v := range cp.acService.trustMembers {
if v.MemberInfo == memInfo {
isTrustMember = true
break
}
}
// 如果不存在则使用ChainMaker 自己的证书验证逻辑
if !isTrustMember {
...
}
// 如果存在则用第三方的证书公钥来验证 SDK上传上来的 由改私钥签名的数据
if err := signerInfo.member.Verify(cp.hashType, msg, endorsement.Signature); err != nil {
...
return false, err
}
return true, nil
}
最终使用公钥来验签
### module/accesscontrol/cert_member.go
func (cm *certMember) Verify(hashType string, msg []byte, sig []byte) error {
hashAlgo, err := bcx509.GetHashFromSignatureAlgorithm(cm.cert.SignatureAlgorithm)
if err != nil {
return fmt.Errorf("cert member verify failed: get hash from signature algorithm failed: [%s]", err.Error())
}
// 公钥验签
ok, err := cm.cert.PublicKey.VerifyWithOpts(msg, sig, &bccrypto.SignOpts{
Hash: hashAlgo,
UID: bccrypto.CRYPTO_DEFAULT_UID,
})
if err != nil {
return fmt.Errorf("cert member verify signature failed: [%s]", err.Error())
}
if !ok {
return fmt.Errorf("cert member verify signature failed: invalid signature")
}
return nil
}
此时验证完毕
未加入缓存的证书 验证
### module/accesscontrol/cert_ac.go
func (cp *certACProvider) verifyPrincipalSignerNotInCache(endorsement *common.EndorsementEntry, msg []byte,
memInfo string) (remoteMember protocol.Member, certChain []*bcx509.Certificate, ok bool, err error) {
// 根据发送者创建新Member
remoteMember, err = cp.acService.newMember(endorsement.Signer)
if err != nil {
err = fmt.Errorf("new member failed: [%s]", err.Error())
ok = false
return
}
// 验证certMember 是否符合x509协议 是否具有相同的算法
certChain, err = cp.verifyMember(remoteMember)
if err != nil {
err = fmt.Errorf("verify member failed: [%s]", err.Error())
ok = false
return
}
// 验证交易签名 也就是sdk 发出的交易签名 能否使用remoteMember的公钥验签
if err = remoteMember.Verify(cp.hashType, msg, endorsement.Signature); err != nil {
...
ok = false
return
}
ok = true
return
}
### module/accesscontrol/ac_server.go
// 创建新Member
func (acs *accessControlService) newMember(member *pbac.Member) (protocol.Member, error) {
// 从Cache中获取
memberCached, ok := acs.lookUpMemberInCache(m(member.MemberInfo))
if ok && memberCached.member.GetOrgId() == member.OrgId {
acs.log.Debugf("member found in local cache")
return memberCached.member, nil
}
// 没有则新增
memberFactory := MemberFactory()
return memberFactory.NewMember(member, acs)
}
### module/accesscontrol/member_factory.go
func (mf *memberFactory) NewMember(pbMember *pbac.Member, acs *accessControlService) (protocol.Member, error) {
switch pbMember.MemberType {
case pbac.MemberType_CERT, pbac.MemberType_CERT_HASH:
// 创建Member
return newCertMemberFromPb(pbMember, acs)
}
return nil, fmt.Errorf("new member failed: the member type is not supported")
}
### module/accesscontrol/cert_member.go
func newCertMemberFromPb(member *pbac.Member, acs *accessControlService) (*certMember, error) {
// 先判断是否在外部兼容trust_members
for _, v := range acs.trustMembers {
certBlock, _ := pem.Decode([]byte(v.MemberInfo))
if certBlock == nil {
return nil, fmt.Errorf("new member failed, the trsut member cert is not PEM")
}
// 注意采用的是证书内容来比对是否相等
if v.MemberInfo == string(member.MemberInfo) {
var isCompressed bool
if member.MemberType == pbac.MemberType_CERT {
isCompressed = false
}
//生成 certMember
return newCertMember(v.OrgId, v.Role, acs.hashType, isCompressed, []byte(v.MemberInfo))
}
}
// 如果不在 则按照ChainMaker 规则生成 certMember
if member.MemberType == pbac.MemberType_CERT {
certBlock, rest := pem.Decode(member.MemberInfo)
if certBlock == nil {
return newMemberFromCertPem(member.OrgId, acs.hashType, rest, false)
}
return newMemberFromCertPem(member.OrgId, acs.hashType, certBlock.Bytes, false)
}
if member.MemberType == pbac.MemberType_CERT_HASH {
return newMemberFromCertPem(member.OrgId, acs.hashType, member.MemberInfo, true)
}
return nil, fmt.Errorf("setup member failed, unsupport cert member type")
}
至此整个证书验签 流程都简要看了一遍
1.第三方ca兼容是怎么实现的
答:通过代码梳理基本了解chainmaker 证书验证流程,如果是启用了trust_members,则优先使用第三方证书
2.第三方ca是如何验证的
答:sdk创建客户端时 用私钥签名,服务端用第三方证书公钥 验签
3.第三方ca有没有使用限制
答:没有任何限制,只要trust_members 上传的证书和SDK使用的私钥配对即可