FAB-2430 Compare certs' ASN.1 bytes

This change set makes sure that byte-by-byte comparison of certificates is
performed on the ASN.1 raw encoding (which is guaranteed to be deterministic)
as opposed to its protobuf serialization (which isn't).

Change-Id: Id9ab15faccd7aa30e5f15ce1e2cf976e1b85cb01
Signed-off-by: Alessandro Sorniotti <[email protected]>

Author: ale-linux

msp/msp_test.go

@@ -309,6 +309,57 @@ func TestAdminPolicyPrincipalFails(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestIdentityPolicyPrincipal(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	idSerialized, err := id.Serialize()
+	assert.NoError(t, err)
+
+	principal := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_IDENTITY,
+		Principal:               idSerialized}
+
+	err = id.SatisfiesPrincipal(principal)
+	assert.NoError(t, err)
+}
+
+const othercert = `-----BEGIN CERTIFICATE-----
+MIIDAzCCAqigAwIBAgIBAjAKBggqhkjOPQQDAjBsMQswCQYDVQQGEwJHQjEQMA4G
+A1UECAwHRW5nbGFuZDEOMAwGA1UECgwFQmFyMTkxDjAMBgNVBAsMBUJhcjE5MQ4w
+DAYDVQQDDAVCYXIxOTEbMBkGCSqGSIb3DQEJARYMQmFyMTktY2xpZW50MB4XDTE3
+MDIwOTE2MDcxMFoXDTE4MDIxOTE2MDcxMFowfDELMAkGA1UEBhMCR0IxEDAOBgNV
+BAgMB0VuZ2xhbmQxEDAOBgNVBAcMB0lwc3dpY2gxDjAMBgNVBAoMBUJhcjE5MQ4w
+DAYDVQQLDAVCYXIxOTEOMAwGA1UEAwwFQmFyMTkxGTAXBgkqhkiG9w0BCQEWCkJh
+cjE5LXBlZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlRSnAyD+ND6qmaRV7
+AS/BPJKX5dZt3gBe1v/RewOpc1zJeXQNWACAk0ae3mv5u9l0HxI6TXJIAQSwJACu
+Rqsyo4IBKTCCASUwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZI
+AYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAd
+BgNVHQ4EFgQUwHzbLJQMaWd1cpHdkSaEFxdKB1owgYsGA1UdIwSBgzCBgIAUYxFe
++cXOD5iQ223bZNdOuKCRiTKhZaRjMGExCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdF
+bmdsYW5kMRAwDgYDVQQHDAdJcHN3aWNoMQ4wDAYDVQQKDAVCYXIxOTEOMAwGA1UE
+CwwFQmFyMTkxDjAMBgNVBAMMBUJhcjE5ggEBMA4GA1UdDwEB/wQEAwIFoDATBgNV
+HSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNJADBGAiEAuMq65lOaie4705Ol
+Ow52DjbaO2YuIxK2auBCqNIu0gECIQCDoKdUQ/sa+9Ah1mzneE6iz/f/YFVWo4EP
+HeamPGiDTQ==
+-----END CERTIFICATE-----
+`
+
+func TestIdentityPolicyPrincipalFails(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	sid, err := NewSerializedIdentity("DEFAULT", []byte(othercert))
+	assert.NoError(t, err)
+
+	principal := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_IDENTITY,
+		Principal:               sid}
+
+	err = id.SatisfiesPrincipal(principal)
+	assert.Error(t, err)
+}
+
 var conf *msp.MSPConfig
 var localMsp MSP
 var mspMgr MSPManager

msp/mspimpl.go

@@ -551,19 +551,8 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 		case m.MSPRole_ADMIN:
 			// in the case of admin, we check that the
 			// id is exactly one of our admins
-			idBytes, err := id.Serialize()
-			if err != nil {
-				return fmt.Errorf("Could not serialize this identity instance, err %s", err)
-			}
-
 			for _, admincert := range msp.admins {
-				adBytes, err := admincert.Serialize()
-				if err != nil {
-					return fmt.Errorf("Could not serialize admin cert, err %s", err)
-				}
-
-				rv := bytes.Compare(idBytes, adBytes)
-				if rv == 0 {
+				if bytes.Equal(id.(*identity).cert.Raw, admincert.(*identity).cert.Raw) {
 					return nil
 				}
 			}
@@ -572,20 +561,19 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 		default:
 			return fmt.Errorf("Invalid MSP role type %d", int32(mspRole.Role))
 		}
-	// in this case we have to serialize this instance
-	// and compare it byte-by-byte with Principal
 	case m.MSPPrincipal_IDENTITY:
-		idBytes, err := id.Serialize()
+		// in this case we have to deserialize the principal's identity
+		// and compare it byte-by-byte with our cert
+		principalId, err := msp.DeserializeIdentity(principal.Principal)
 		if err != nil {
-			return fmt.Errorf("Could not serialize this identity instance, err %s", err)
+			return fmt.Errorf("Invalid identity principal, not a certificate. Error %s", err)
 		}
 
-		rv := bytes.Compare(idBytes, principal.Principal)
-		if rv == 0 {
+		if bytes.Equal(id.(*identity).cert.Raw, principalId.(*identity).cert.Raw) {
 			return nil
-		} else {
-			return errors.New("The identities do not match")
 		}
+
+		return errors.New("The identities do not match")
 	case m.MSPPrincipal_ORGANIZATION_UNIT:
 		// Principal contains the OrganizationUnit
 		OU := &m.OrganizationUnit{}