[FAB-9938] Add req method and uri to sig payload

Currently, during OAuth token is of the form: <base64 encoded user's cert>.<base64 encoding of the signature> The signature is on the payload of the form: <base64 encoding of request body>.<base64 encoding of user's cert> This change changes the payload to add request method and URI to make it more secure. So, the payload is form the form: <request method>.<url path>.<base64 encoding of request body>.<base64 encoding of user's cert> Change-Id: Ieba270116de5e781179256051bab536987b170cb Signed-off-by: Saad Karim <[email protected]>
hyperledger · Oct 30, 2018 · 99517e9 · 99517e9
1 parent bd7f997
commit 99517e9
Show file tree

Hide file tree

Showing 9 changed files with 88 additions and 42 deletions.
diff --git a/docs/source/users-guide.rst b/docs/source/users-guide.rst
@@ -1023,6 +1023,18 @@ To upgrade a single instance of Fabric CA server:
 
       fabric-ca-client getcainfo -u http://<host>:7054
 
+*Upgrading server to 1.4:*
+
+The token authentication mechanism was improved to prevent token reuse. After upgrading
+to 1.4, a more secure authentication method is used. To enable both the old and new authentication
+mechanism, the following environment should be set to true::
+
+ FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1.3=true
+
+All clients should be updated to release 1.4, clients in 1.4 version will generate tokens
+that are more secure. Once all the clients have been updated, the above environment variable should
+be set to 'false'.
+
 Upgrading a cluster:
 ^^^^^^^^^^^^^^^^^^^^
 To upgrade a cluster of fabric-ca-server instances using either a MySQL or Postgres database, perform the following procedure. We assume that you are using haproxy to load balance to two fabric-ca-server cluster members on host1 and host2, respectively, both listening on port 7054. After this procedure, you will be load balancing to upgraded fabric-ca-server cluster members on host3 and host4 respectively, both listening on port 7054.

diff --git a/lib/client/credential/idemix/credential.go b/lib/client/credential/idemix/credential.go
@@ -136,7 +136,9 @@ func (cred *Credential) CreateToken(req *http.Request, reqBody []byte) (string,
 	// Generate a fresh Pseudonym (and a corresponding randomness)
 	nym, randNym := idemix.MakeNym(sk, ipk, rng)
 
-	msg := util.B64Encode(reqBody)
+	b64body := util.B64Encode(reqBody)
+	b64uri := util.B64Encode([]byte(req.URL.RequestURI()))
+	msg := req.Method + "." + b64uri + "." + b64body
 
 	digest, digestError := cred.client.GetCSP().Hash([]byte(msg), &bccsp.SHAOpts{})
 	if digestError != nil {

diff --git a/lib/client/credential/x509/credential.go b/lib/client/credential/x509/credential.go
@@ -124,7 +124,7 @@ func (cred *Credential) Store() error {
 
 // CreateToken creates token based on this X509 credential
 func (cred *Credential) CreateToken(req *http.Request, reqBody []byte) (string, error) {
-	return util.CreateToken(cred.getCSP(), cred.val.certBytes, cred.val.key, reqBody)
+	return util.CreateToken(cred.getCSP(), cred.val.certBytes, cred.val.key, req.Method, req.URL.RequestURI(), reqBody)
 }
 
 // RevokeSelf revokes this X509 credential

diff --git a/lib/server/idemix/issuer.go b/lib/server/idemix/issuer.go
@@ -36,7 +36,7 @@ type Issuer interface {
 	RevocationPublicKey() ([]byte, error)
 	IssueCredential(ctx ServerRequestCtx) (*EnrollmentResponse, error)
 	GetCRI(ctx ServerRequestCtx) (*api.GetCRIResponse, error)
-	VerifyToken(authHdr string, body []byte) (string, error)
+	VerifyToken(authHdr, method, uri string, body []byte) (string, error)
 }
 
 // MyIssuer provides functions for accessing issuer components
@@ -182,7 +182,7 @@ func (i *issuer) GetCRI(ctx ServerRequestCtx) (*api.GetCRIResponse, error) {
 	return handler.HandleRequest()
 }
 
-func (i *issuer) VerifyToken(authHdr string, body []byte) (string, error) {
+func (i *issuer) VerifyToken(authHdr, method, uri string, body []byte) (string, error) {
 	if !i.isInitialized {
 		return "", errors.New("Issuer is not initialized")
 	}
@@ -210,7 +210,9 @@ func (i *issuer) VerifyToken(authHdr string, body []byte) (string, error) {
 	}
 	idBytes := []byte(enrollmentID)
 	attrs := []*fp256bn.BIG{nil, nil, idemix.HashModOrder(idBytes), nil}
-	msg := util.B64Encode(body)
+	b64body := util.B64Encode(body)
+	b64uri := util.B64Encode([]byte(uri))
+	msg := method + "." + b64uri + "." + b64body
 	digest, digestError := i.csp.Hash([]byte(msg), &bccsp.SHAOpts{})
 	if digestError != nil {
 		return "", errors.WithMessage(digestError, fmt.Sprintf("Failed to create authentication token '%s'", msg))

diff --git a/lib/server/idemix/issuer_test.go b/lib/server/idemix/issuer_test.go
@@ -192,24 +192,24 @@ func TestVerifyTokenError(t *testing.T) {
 	db, issuer := getIssuer(t, testdir, false, false)
 	assert.NotNil(t, issuer)
 
-	_, err = issuer.VerifyToken("idemix.1.foo.blah", []byte{})
+	_, err = issuer.VerifyToken("idemix.1.foo.blah", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail as issuer is not initialized")
 
 	err = issuer.Init(false, db, &dbutil.Levels{Credential: 1, RAInfo: 1, Nonce: 1})
 	assert.NoError(t, err)
 
-	_, err = issuer.VerifyToken("idemix.1.foo", []byte{})
+	_, err = issuer.VerifyToken("idemix.1.foo", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if the auth header does not have four parts separated by '.'")
 
-	_, err = issuer.VerifyToken("idemix.2.foo.bar", []byte{})
+	_, err = issuer.VerifyToken("idemix.2.foo.bar", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if the auth header does not have correct version")
 
 	db.On("Rebind", SelectCredentialByIDSQL).Return(SelectCredentialByIDSQL)
 	credRecords := []CredRecord{}
 	sqlstr := fmt.Sprintf(SelectCredentialByIDSQL, sqlstruct.Columns(CredRecord{}))
 	db.On("Select", &credRecords, sqlstr, "foo").Return(errors.New("db error getting creds for user"))
 
-	_, err = issuer.VerifyToken("idemix.1.foo.sig", []byte{})
+	_, err = issuer.VerifyToken("idemix.1.foo.sig", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if there is error looking up enrollment id in the database")
 }
 
@@ -245,7 +245,7 @@ func TestVerifyTokenNoCreds(t *testing.T) {
 	f := getCredsSelectFunc(t, &credRecords, false)
 	db.On("Select", &credRecords, sqlstr, "foo").Return(f)
 
-	_, err = issuer.VerifyToken("idemix.1.foo.sig", []byte{})
+	_, err = issuer.VerifyToken("idemix.1.foo.sig", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if the enrollment id does not have creds")
 }
 
@@ -281,7 +281,7 @@ func TestVerifyTokenBadSignatureEncoding(t *testing.T) {
 	f := getCredsSelectFunc(t, &credRecords, true)
 	db.On("Select", &credRecords, sqlstr, "foo").Return(f)
 
-	_, err = issuer.VerifyToken("idemix.1.foo.sig", []byte{})
+	_, err = issuer.VerifyToken("idemix.1.foo.sig", "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if the signature is not in base64 format")
 	assert.NotEqual(t, err.Error(), "errer")
 }
@@ -319,14 +319,14 @@ func TestVerifyTokenBadSignature(t *testing.T) {
 	db.On("Select", &credRecords, sqlstr, "admin").Return(f)
 
 	sig := util.B64Encode([]byte("hello"))
-	_, err = issuer.VerifyToken("idemix.1.admin."+sig, []byte{})
+	_, err = issuer.VerifyToken("idemix.1.admin."+sig, "", "", []byte{})
 	assert.Error(t, err, "VerifyToken should fail if the signature is not valid")
 
 	digest, err := util.GetDefaultBCCSP().Hash([]byte(sig), &bccsp.SHAOpts{})
 	if err != nil {
 		t.Fatalf("Failed to get hash of the message: %s", err.Error())
 	}
-	_, err = issuer.VerifyToken("idemix.1.admin.CkQKIAoanxNH9nO5ivQy94e+DH+SiwkkBhYeNbtyQhM1HD7FEiBbBcMVcCW9HoJe5KWMtyvO6a4UtB4xo2x/SV7xvxcVvBJECiBugYjF0AZ8lWvaeKCXtEbPvawQye7RK0m5SpQzEwcu/RIgioEuVacQR5DroKwgAZi3ALClpCLJFjlRwVv7w2zJcQQaRAogeAU3ZnfcA60kGIm6gHKGTRrI3O9sbkpdHt/UIF+Tz5sSIHGfTP5B7Ocb43q3sewpuqIjDyvFEzIeBpummJD4MPB5IiAewOhliKfwXta7pSCIMlfKqmuJbhAwhJl7vJdhfEW05iogGY6MfvsdO+HvQdSmlIexEBgl51KsFCO6MrAZbms/hLAyIHbqzC8f7sliJ6Hzn65JZKUyHXiAnOM3iydZ7gntoYXxOiClzG32BL3M4MyQGHz6SP8Aozxh3u0dATr0uxOOI6p94EIgO90ealPZ51ZXP+JsAWwLePpyX+lgegF0Gp002uFyv0tKIFRSBfhnRqm7Dk1VbG1hSsl7AJU8nzzYZJZKHRFrhdvGUiCWUu3nvjr5TEFtF5eOMp5XTPXmUNTq8k3SLckY1o35mlIgOeJtkxDc7NtKAiF+cz+cIsv1MIQ3qGXj0nwoMjnHvMJSIALGJWjFKVhK9B9P8BOkO03iMwzNJJdSeA8MIRGyk5WCWiCGix0AHQA29jHVOCaCrBZUVlqBRLa5Kzpftk0jp3LKXmJECiDheCgd36mEjsr1D4Sm+cbtE3XKAdRI2dLq5bFQZqN4/RIgNbxez4+fxVsRuGu8ooFkfem2C5/+1z3QDzyu8fu3fyVqID34eII73Km/SviYxAoHZ91HXIHXhGwid4DFO+xuGI7ycogBCiD+DDNQtMlsIChWD1d8KJE6zhxTmhK/hDzSJha2icCe+xIgTqZgV3OKwFTbWuHGN9gTuSTdeOKH0DWJ0mntNKN+aisaIHAgRufFQqOzdncNdRJOPlHvyyR1jWFYSOkJtIG+3Cf/IiAFVOO804jCkELupkkpfrKfi0y+gIIamLPgEoERSq0Em3pgkd4c0QZIUDeyRVBgwDj7aTk8J+xzdGZSCgIt8RpuKoxmfuDV2SlFfw/fVZqfPH02+jYeyqxbf7FD8vo5dstEpLHy86Yno6zr1bXLDLe34r2XIIH6KrYFI3gYAsQhzzd/gAEBigEA", digest)
+	_, err = issuer.VerifyToken("idemix.1.admin.CkQKIAoanxNH9nO5ivQy94e+DH+SiwkkBhYeNbtyQhM1HD7FEiBbBcMVcCW9HoJe5KWMtyvO6a4UtB4xo2x/SV7xvxcVvBJECiBugYjF0AZ8lWvaeKCXtEbPvawQye7RK0m5SpQzEwcu/RIgioEuVacQR5DroKwgAZi3ALClpCLJFjlRwVv7w2zJcQQaRAogeAU3ZnfcA60kGIm6gHKGTRrI3O9sbkpdHt/UIF+Tz5sSIHGfTP5B7Ocb43q3sewpuqIjDyvFEzIeBpummJD4MPB5IiAewOhliKfwXta7pSCIMlfKqmuJbhAwhJl7vJdhfEW05iogGY6MfvsdO+HvQdSmlIexEBgl51KsFCO6MrAZbms/hLAyIHbqzC8f7sliJ6Hzn65JZKUyHXiAnOM3iydZ7gntoYXxOiClzG32BL3M4MyQGHz6SP8Aozxh3u0dATr0uxOOI6p94EIgO90ealPZ51ZXP+JsAWwLePpyX+lgegF0Gp002uFyv0tKIFRSBfhnRqm7Dk1VbG1hSsl7AJU8nzzYZJZKHRFrhdvGUiCWUu3nvjr5TEFtF5eOMp5XTPXmUNTq8k3SLckY1o35mlIgOeJtkxDc7NtKAiF+cz+cIsv1MIQ3qGXj0nwoMjnHvMJSIALGJWjFKVhK9B9P8BOkO03iMwzNJJdSeA8MIRGyk5WCWiCGix0AHQA29jHVOCaCrBZUVlqBRLa5Kzpftk0jp3LKXmJECiDheCgd36mEjsr1D4Sm+cbtE3XKAdRI2dLq5bFQZqN4/RIgNbxez4+fxVsRuGu8ooFkfem2C5/+1z3QDzyu8fu3fyVqID34eII73Km/SviYxAoHZ91HXIHXhGwid4DFO+xuGI7ycogBCiD+DDNQtMlsIChWD1d8KJE6zhxTmhK/hDzSJha2icCe+xIgTqZgV3OKwFTbWuHGN9gTuSTdeOKH0DWJ0mntNKN+aisaIHAgRufFQqOzdncNdRJOPlHvyyR1jWFYSOkJtIG+3Cf/IiAFVOO804jCkELupkkpfrKfi0y+gIIamLPgEoERSq0Em3pgkd4c0QZIUDeyRVBgwDj7aTk8J+xzdGZSCgIt8RpuKoxmfuDV2SlFfw/fVZqfPH02+jYeyqxbf7FD8vo5dstEpLHy86Yno6zr1bXLDLe34r2XIIH6KrYFI3gYAsQhzzd/gAEBigEA", "", "", digest)
 	assert.Error(t, err, "VerifyToken should fail signature is valid but verification fails")
 }
 

diff --git a/lib/server_test.go b/lib/server_test.go
@@ -871,7 +871,7 @@ func addTokenAuthHeader(req *http.Request, t *testing.T) {
 		t.Fatalf("Failed importing key %s", err)
 	}
 	emptyByte := make([]byte, 0)
-	token, err := util.CreateToken(CSP, cert, key, emptyByte)
+	token, err := util.CreateToken(CSP, cert, key, req.Method, req.URL.RequestURI(), emptyByte)
 	if err != nil {
 		t.Fatalf("Failed to add token authorization header: %s", err)
 	}

diff --git a/lib/serverrequestcontext.go b/lib/serverrequestcontext.go
@@ -148,16 +148,16 @@ func (ctx *serverRequestContextImpl) TokenAuthentication() (string, error) {
 		return "", err
 	}
 	if idemix.IsToken(authHdr) {
-		return ctx.verifyIdemixToken(authHdr, body)
+		return ctx.verifyIdemixToken(authHdr, r.Method, r.URL.RequestURI(), body)
 	}
-	return ctx.verifyX509Token(ca, authHdr, body)
+	return ctx.verifyX509Token(ca, authHdr, r.Method, r.URL.RequestURI(), body)
 }
 
-func (ctx *serverRequestContextImpl) verifyIdemixToken(authHdr string, body []byte) (string, error) {
+func (ctx *serverRequestContextImpl) verifyIdemixToken(authHdr, method, uri string, body []byte) (string, error) {
 	log.Debug("Caller is using Idemix credential")
 	var err error
 
-	ctx.enrollmentID, err = ctx.ca.issuer.VerifyToken(authHdr, body)
+	ctx.enrollmentID, err = ctx.ca.issuer.VerifyToken(authHdr, method, uri, body)
 	if err != nil {
 		return "", err
 	}
@@ -174,10 +174,10 @@ func (ctx *serverRequestContextImpl) verifyIdemixToken(authHdr string, body []by
 	return ctx.enrollmentID, nil
 }
 
-func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr string, body []byte) (string, error) {
+func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr, method, uri string, body []byte) (string, error) {
 	log.Debug("Caller is using a x509 certificate")
 	// Verify the token; the signature is over the header and body
-	cert, err2 := util.VerifyToken(ca.csp, authHdr, body)
+	cert, err2 := util.VerifyToken(ca.csp, authHdr, method, uri, body)
 	if err2 != nil {
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrInvalidToken, "Invalid token in authorization header: %s", err2)
 	}

diff --git a/util/util.go b/util/util.go
@@ -176,8 +176,10 @@ func Unmarshal(from []byte, to interface{}, what string) error {
 //    which is the body of an HTTP request, though could be any arbitrary bytes.
 // @param cert The pem-encoded certificate
 // @param key The pem-encoded key
+// @param method http method of the request
+// @param uri URI of the request
 // @param body The body of an HTTP request
-func CreateToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, body []byte) (string, error) {
+func CreateToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, method, uri string, body []byte) (string, error) {
 	x509Cert, err := GetX509CertificateFromPEM(cert)
 	if err != nil {
 		return "", err
@@ -196,7 +198,7 @@ func CreateToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, body []byte) (stri
 			}
 	*/
 	case *ecdsa.PublicKey:
-		token, err = GenECDSAToken(csp, cert, key, body)
+		token, err = GenECDSAToken(csp, cert, key, method, uri, body)
 		if err != nil {
 			return "", err
 		}
@@ -230,14 +232,19 @@ func GenRSAToken(csp bccsp.BCCSP, cert []byte, key []byte, body []byte) (string,
 */
 
 //GenECDSAToken signs the http body and cert with ECDSA using EC private key
-func GenECDSAToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, body []byte) (string, error) {
+func GenECDSAToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, method, uri string, body []byte) (string, error) {
 	b64body := B64Encode(body)
 	b64cert := B64Encode(cert)
-	bodyAndcert := b64body + "." + b64cert
+	b64uri := B64Encode([]byte(uri))
+	payload := method + "." + b64uri + "." + b64body + "." + b64cert
+
+	return genECDSAToken(csp, key, b64cert, payload)
+}
 
-	digest, digestError := csp.Hash([]byte(bodyAndcert), &bccsp.SHAOpts{})
+func genECDSAToken(csp bccsp.BCCSP, key bccsp.Key, b64cert, payload string) (string, error) {
+	digest, digestError := csp.Hash([]byte(payload), &bccsp.SHAOpts{})
 	if digestError != nil {
-		return "", errors.WithMessage(digestError, fmt.Sprintf("Hash failed on '%s'", bodyAndcert))
+		return "", errors.WithMessage(digestError, fmt.Sprintf("Hash failed on '%s'", payload))
 	}
 
 	ecSignature, err := csp.Sign(key, digest, nil)
@@ -257,7 +264,7 @@ func GenECDSAToken(csp bccsp.BCCSP, cert []byte, key bccsp.Key, body []byte) (st
 
 // VerifyToken verifies token signed by either ECDSA or RSA and
 // returns the associated user ID
-func VerifyToken(csp bccsp.BCCSP, token string, body []byte) (*x509.Certificate, error) {
+func VerifyToken(csp bccsp.BCCSP, token string, method, uri string, body []byte) (*x509.Certificate, error) {
 
 	if csp == nil {
 		return nil, errors.New("BCCSP instance is not present")
@@ -271,7 +278,8 @@ func VerifyToken(csp bccsp.BCCSP, token string, body []byte) (*x509.Certificate,
 		return nil, errors.WithMessage(err, "Invalid base64 encoded signature in token")
 	}
 	b64Body := B64Encode(body)
-	sigString := b64Body + "." + b64Cert
+	b64uri := B64Encode([]byte(uri))
+	sigString := method + "." + b64uri + "." + b64Body + "." + b64Cert
 
 	pk2, err := csp.KeyImport(x509Cert, &bccsp.X509PublicKeyImportOpts{Temporary: true})
 	if err != nil {
@@ -280,6 +288,10 @@ func VerifyToken(csp bccsp.BCCSP, token string, body []byte) (*x509.Certificate,
 	if pk2 == nil {
 		return nil, errors.New("Public Key Cannot be imported into BCCSP")
 	}
+
+	compMode := os.Getenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1.3")
+	compMode = "true" // TODO: Remove this default setting once all the SDKs have been updated to use the new authorization header
+
 	//bccsp.X509PublicKeyImportOpts
 	//Using default hash algo
 	digest, digestError := csp.Hash([]byte(sigString), &bccsp.SHAOpts{})
@@ -288,6 +300,15 @@ func VerifyToken(csp bccsp.BCCSP, token string, body []byte) (*x509.Certificate,
 	}
 
 	valid, validErr := csp.Verify(pk2, sig, digest, nil)
+	if strings.ToLower(compMode) == "true" && !valid {
+		log.Debugf("Failed to verify token based on new authentication header requirements: %s", err)
+		sigString := b64Body + "." + b64Cert
+		digest, digestError := csp.Hash([]byte(sigString), &bccsp.SHAOpts{})
+		if digestError != nil {
+			return nil, errors.WithMessage(digestError, "Message digest failed")
+		}
+		valid, validErr = csp.Verify(pk2, sig, digest, nil)
+	}
 
 	if validErr != nil {
 		return nil, errors.WithMessage(validErr, "Token signature validation failure")

diff --git a/util/util_test.go b/util/util_test.go
@@ -66,44 +66,44 @@ func TestECCreateToken(t *testing.T) {
 	}
 	body := []byte("request byte array")
 
-	ECtoken, err := CreateToken(bccsp, cert, privKey, body)
+	ECtoken, err := CreateToken(bccsp, cert, privKey, "GET", "/enroll", body)
 	if err != nil {
 		t.Fatalf("CreatToken failed: %s", err)
 	}
 
-	_, err = VerifyToken(bccsp, ECtoken, body)
+	_, err = VerifyToken(bccsp, ECtoken, "GET", "/enroll", body)
 	if err != nil {
 		t.Fatalf("VerifyToken failed: %s", err)
 	}
 
-	_, err = VerifyToken(nil, ECtoken, body)
+	_, err = VerifyToken(nil, ECtoken, "GET", "/enroll", body)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as no instance of csp is passed")
 	}
 
-	_, err = VerifyToken(bccsp, "", body)
+	_, err = VerifyToken(bccsp, "", "GET", "/enroll", body)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as no EC Token is passed")
 	}
 
-	_, err = VerifyToken(bccsp, ECtoken, nil)
+	_, err = VerifyToken(bccsp, ECtoken, "GET", "/enroll", nil)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as no body is passed")
 	}
 
-	_, err = VerifyToken(bccsp, ECtoken, nil)
+	_, err = VerifyToken(bccsp, ECtoken, "POST", "/enroll", nil)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as method was tampered")
 	}
 
-	_, err = VerifyToken(bccsp, ECtoken, nil)
+	_, err = VerifyToken(bccsp, ECtoken, "GET", "/affiliations", nil)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as path was tampered")
 	}
 
 	verifiedByte := []byte("TEST")
 	body = append(body, verifiedByte[0])
-	_, err = VerifyToken(bccsp, ECtoken, body)
+	_, err = VerifyToken(bccsp, ECtoken, "GET", "/enroll", body)
 	if err == nil {
 		t.Fatal("VerifyToken should have failed as body was tampered")
 	}
@@ -112,10 +112,19 @@ func TestECCreateToken(t *testing.T) {
 	if skierror != nil {
 		t.Fatalf("SKI File Read failed with error : %s", skierror)
 	}
-	ECtoken, err = CreateToken(bccsp, ski, privKey, body)
+	ECtoken, err = CreateToken(bccsp, ski, privKey, "GET", "/enroll", body)
 	if (err == nil) || (ECtoken != "") {
 		t.Fatal("CreatToken should have failed as certificate passed is not correct")
 	}
+
+	os.Setenv("FABRIC_CA_SERVER_AUTHHDR_COMPATIBILITY", "true")
+	defer os.Unsetenv("FABRIC_CA_SERVER_AUTHHDR_COMPATIBILITY")
+	b64Cert := B64Encode(cert)
+	payload := B64Encode(body) + "." + b64Cert
+	oldToken, err := genECDSAToken(bccsp, privKey, b64Cert, payload)
+	FatalError(t, err, "Failed to create token")
+	_, err = VerifyToken(bccsp, oldToken, "GET", "/enroll", body)
+	assert.NoError(t, err, "Failed to verify token using old token type")
 }
 
 func TestDecodeToken(t *testing.T) {
@@ -214,7 +223,7 @@ func TestCreateTokenDiffKey(t *testing.T) {
 	bccsp := GetDefaultBCCSP()
 	privKey, _ := ImportBCCSPKeyFromPEM(getPath("rsa-key.pem"), bccsp, true)
 	body := []byte("request byte array")
-	_, err := CreateToken(bccsp, cert, privKey, body)
+	_, err := CreateToken(bccsp, cert, privKey, "POST", "/enroll", body)
 	if err == nil {
 		t.Fatalf("TestCreateTokenDiffKey passed but should have failed")
 	}
@@ -241,7 +250,7 @@ func TestEmptyToken(t *testing.T) {
 	body := []byte("request byte array")
 
 	csp := factory.GetDefault()
-	_, err := VerifyToken(csp, "", body)
+	_, err := VerifyToken(csp, "", "POST", "/enroll", body)
 	if err == nil {
 		t.Fatalf("TestEmptyToken passed but should have failed")
 	}
@@ -252,7 +261,7 @@ func TestEmptyCert(t *testing.T) {
 	body := []byte("request byte array")
 
 	csp := factory.GetDefault()
-	_, err := CreateToken(csp, cert, nil, body)
+	_, err := CreateToken(csp, cert, nil, "POST", "/enroll", body)
 	if err == nil {
 		t.Fatalf("TestEmptyCert passed but should have failed")
 	}
@@ -262,7 +271,7 @@ func TestEmptyKey(t *testing.T) {
 	bccsp := GetDefaultBCCSP()
 	privKey, _ := ImportBCCSPKeyFromPEM(getPath("ec-key.pem"), bccsp, true)
 	body := []byte("request byte array")
-	_, err := CreateToken(bccsp, []byte(""), privKey, body)
+	_, err := CreateToken(bccsp, []byte(""), privKey, "POST", "/enroll", body)
 	if err == nil {
 		t.Fatalf("TestEmptyKey passed but should have failed")
 	}
@@ -272,7 +281,7 @@ func TestEmptyBody(t *testing.T) {
 	bccsp := GetDefaultBCCSP()
 	privKey, _ := ImportBCCSPKeyFromPEM(getPath("ec-key.pem"), bccsp, true)
 	cert, _ := ioutil.ReadFile(getPath("ec.pem"))
-	_, err := CreateToken(bccsp, cert, privKey, []byte(""))
+	_, err := CreateToken(bccsp, cert, privKey, "POST", "/enroll", []byte(""))
 	if err != nil {
 		t.Fatalf("CreateToken failed: %s", err)
 	}