Organizational Unit Certification Path Support

This change-set does the following:
1. It changes the msp identity's GetOrganizationalUnit method
to return an array of FabricOUIdentifiers. A FabricOUIdentifier
carries information about an organization unit and
its corresponding certification chain identifier.
2. It updates the msp principal ORGANIZATION_UNIT check to
take in account also the certification chain identifier.

This comes in the context of the following FAB:
1. https://jira.hyperledger.org/browse/FAB-2400

Change-Id: I007ff7f5a588a99103751e8454157b0b95eb2bcc
Signed-off-by: Angelo De Caro <[email protected]>

Author: adecaro

common/cauthdsl/cauthdsl_test.go

@@ -54,8 +54,8 @@ func (id *mockIdentity) Validate() error {
 	return nil
 }
 
-func (id *mockIdentity) GetOrganizationalUnits() []string {
-	return []string{"dunno"}
+func (id *mockIdentity) GetOrganizationalUnits() []mb.FabricOUIdentifier {
+	return nil
 }
 
 func (id *mockIdentity) Verify(msg []byte, sig []byte) error {

core/policy/mocks.go

@@ -111,8 +111,8 @@ func (id *MockIdentity) Validate() error {
 	return nil
 }
 
-func (id *MockIdentity) GetOrganizationalUnits() []string {
-	return []string{"dunno"}
+func (id *MockIdentity) GetOrganizationalUnits() []mspproto.FabricOUIdentifier {
+	return nil
 }
 
 func (id *MockIdentity) Verify(msg []byte, sig []byte) error {

msp/identities.go

@@ -71,12 +71,27 @@ func (id *identity) Validate() error {
 }
 
 // GetOrganizationalUnits returns the OU for this instance
-func (id *identity) GetOrganizationalUnits() []string {
+func (id *identity) GetOrganizationalUnits() []msp.FabricOUIdentifier {
 	if id.cert == nil {
 		return nil
 	}
 
-	return id.cert.Subject.OrganizationalUnit
+	cid, err := id.msp.getCertificationChainIdentifier(id)
+	if err != nil {
+		mspLogger.Errorf("Failed getting certification chain identifier for [%v]: [%s]", id, err)
+
+		return nil
+	}
+
+	res := []msp.FabricOUIdentifier{}
+	for _, unit := range id.cert.Subject.OrganizationalUnit {
+		res = append(res, msp.FabricOUIdentifier{
+			OrganizationalUnitIdentifier: unit,
+			CertifiersIdentifier:         cid,
+		})
+	}
+
+	return res
 }
 
 // NewSerializedIdentity returns a serialized identity

msp/msp.go

@@ -137,7 +137,7 @@ type Identity interface {
 	// TODO: For X.509 based identities, check if we need a dedicated type
 	//       for OU where the Certificate OU is properly namespaced by the
 	//       signer's identity
-	GetOrganizationalUnits() []string
+	GetOrganizationalUnits() []msp.FabricOUIdentifier
 
 	// Verify a signature over some message using this identity as reference
 	Verify(msg []byte, sig []byte) error

msp/msp_test.go

@@ -256,14 +256,21 @@ func TestGetOU(t *testing.T) {
 		return
 	}
 
-	assert.Equal(t, "COP", id.GetOrganizationalUnits()[0])
+	assert.Equal(t, "COP", id.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier)
 }
 
 func TestOUPolicyPrincipal(t *testing.T) {
 	id, err := localMsp.GetDefaultSigningIdentity()
 	assert.NoError(t, err)
 
-	ou := &msp.OrganizationUnit{OrganizationalUnitIdentifier: "COP", MspIdentifier: "DEFAULT"}
+	cid, err := localMsp.(*bccspmsp).getCertificationChainIdentifier(id.GetPublicVersion())
+	assert.NoError(t, err)
+
+	ou := &msp.OrganizationUnit{
+		OrganizationalUnitIdentifier: "COP",
+		MspIdentifier:                "DEFAULT",
+		CertifiersIdentifier:         cid,
+	}
 	bytes, err := proto.Marshal(ou)
 	assert.NoError(t, err)
 
@@ -276,6 +283,43 @@ func TestOUPolicyPrincipal(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestOUPolicyPrincipalBadPath(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	ou := &msp.OrganizationUnit{
+		OrganizationalUnitIdentifier: "COP",
+		MspIdentifier:                "DEFAULT",
+		CertifiersIdentifier:         nil,
+	}
+	bytes, err := proto.Marshal(ou)
+	assert.NoError(t, err)
+
+	principal := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT,
+		Principal:               bytes,
+	}
+
+	err = id.SatisfiesPrincipal(principal)
+	assert.Error(t, err)
+
+	ou = &msp.OrganizationUnit{
+		OrganizationalUnitIdentifier: "COP",
+		MspIdentifier:                "DEFAULT",
+		CertifiersIdentifier:         []byte{0, 1, 2, 3, 4},
+	}
+	bytes, err = proto.Marshal(ou)
+	assert.NoError(t, err)
+
+	principal = &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT,
+		Principal:               bytes,
+	}
+
+	err = id.SatisfiesPrincipal(principal)
+	assert.Error(t, err)
+}
+
 func TestAdminPolicyPrincipal(t *testing.T) {
 	id, err := localMsp.GetDefaultSigningIdentity()
 	assert.NoError(t, err)

msp/mspimpl.go

@@ -382,49 +382,15 @@ func (msp *bccspmsp) Validate(id Identity) error {
 	// this is how I can validate it given the
 	// root of trust this MSP has
 	case *identity:
-		// we expect to have a valid VerifyOptions instance
-		if msp.opts == nil {
-			return errors.New("Invalid msp instance")
-		}
-
-		// CAs cannot be directly used as identities..
-		if id.cert.IsCA {
-			return errors.New("A CA certificate cannot be used directly by this MSP")
-		}
-
-		// at this point we might want to perform some
-		// more elaborate validation. We do not do this
-		// yet because we do not want to impose any
-		// constraints without knowing the exact requirements,
-		// but we at least list the kind of extra validation that we might perform:
-		// 1) we might only allow a single verification chain (e.g. we expect the
-		//    cert to be signed exactly only by the CA or only by the intermediate)
-		// 2) we might want to let golang find any path, and then have a blacklist
-		//    of paths (e.g. it can be signed by CA -> iCA1 -> iCA2 and it can be
-		//    signed by CA but not by CA -> iCA1)
-
-		// ask golang to validate the cert for us based on the options that we've built at setup time
-		validationChain, err := id.cert.Verify(*(msp.opts))
+		validationChain, err := msp.getCertificationChainForBCCSPIdentity(id)
 		if err != nil {
-			return fmt.Errorf("The supplied identity is not valid, Verify() returned %s", err)
-		}
-
-		// we only support a single validation chain;
-		// if there's more than one then there might
-		// be unclarity about who owns the identity
-		if len(validationChain) != 1 {
-			return fmt.Errorf("This MSP only supports a single validation chain, got %d", len(validationChain))
-		}
-
-		// we expect a chain of length at least 2
-		if len(validationChain[0]) < 2 {
-			return fmt.Errorf("Expected a chain of length at least 2, got %d", len(validationChain))
+			return fmt.Errorf("Could not obtain certification chain, err %s", err)
 		}
 
 		// here we know that the identity is valid; now we have to check whether it has been revoked
 
 		// identify the SKI of the CA that signed this cert
-		SKI, err := getSubjectKeyIdentifierFromCert(validationChain[0][1])
+		SKI, err := getSubjectKeyIdentifierFromCert(validationChain[1])
 		if err != nil {
 			return fmt.Errorf("Could not obtain Subject Key Identifier for signer cert, err %s", err)
 		}
@@ -447,7 +413,7 @@ func (msp *bccspmsp) Validate(id Identity) error {
 						// certificate that is under validation. As a
 						// precaution, we verify that said CA is also the
 						// signer of this CRL.
-						err = validationChain[0][1].CheckCRLSignature(crl)
+						err = validationChain[1].CheckCRLSignature(crl)
 						if err != nil {
 							// the CA cert that signed the certificate
 							// that is under validation did not sign the
@@ -609,7 +575,8 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 
 		// now we check whether any of this identity's OUs match the requested one
 		for _, ou := range id.GetOrganizationalUnits() {
-			if ou == OU.OrganizationalUnitIdentifier {
+			if ou.OrganizationalUnitIdentifier == OU.OrganizationalUnitIdentifier &&
+				bytes.Equal(ou.CertifiersIdentifier, OU.CertifiersIdentifier) {
 				return nil
 			}
 		}
@@ -620,3 +587,86 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 		return fmt.Errorf("Invalid principal type %d", int32(principal.PrincipalClassification))
 	}
 }
+
+// getCertificationChain returns the certification chain of the passed identity within this msp
+func (msp *bccspmsp) getCertificationChain(id Identity) ([]*x509.Certificate, error) {
+	mspLogger.Debugf("MSP %s getting certification chain", msp.name)
+
+	switch id := id.(type) {
+	// If this identity is of this specific type,
+	// this is how I can validate it given the
+	// root of trust this MSP has
+	case *identity:
+		return msp.getCertificationChainForBCCSPIdentity(id)
+	default:
+		return nil, fmt.Errorf("Identity type not recognized")
+	}
+}
+
+// getCertificationChainForBCCSPIdentity returns the certification chain of the passed bccsp identity within this msp
+func (msp *bccspmsp) getCertificationChainForBCCSPIdentity(id *identity) ([]*x509.Certificate, error) {
+	if id == nil {
+		return nil, errors.New("Invalid bccsp identity. Must be different from nil.")
+	}
+
+	// we expect to have a valid VerifyOptions instance
+	if msp.opts == nil {
+		return nil, errors.New("Invalid msp instance")
+	}
+
+	// CAs cannot be directly used as identities..
+	if id.cert.IsCA {
+		return nil, errors.New("A CA certificate cannot be used directly by this MSP")
+	}
+
+	// at this point we might want to perform some
+	// more elaborate validation. We do not do this
+	// yet because we do not want to impose any
+	// constraints without knowing the exact requirements,
+	// but we at least list the kind of extra validation that we might perform:
+	// 1) we might only allow a single verification chain (e.g. we expect the
+	//    cert to be signed exactly only by the CA or only by the intermediate)
+	// 2) we might want to let golang find any path, and then have a blacklist
+	//    of paths (e.g. it can be signed by CA -> iCA1 -> iCA2 and it can be
+	//    signed by CA but not by CA -> iCA1)
+
+	// ask golang to validate the cert for us based on the options that we've built at setup time
+	validationChain, err := id.cert.Verify(*(msp.opts))
+	if err != nil {
+		return nil, fmt.Errorf("The supplied identity is not valid, Verify() returned %s", err)
+	}
+
+	// we only support a single validation chain;
+	// if there's more than one then there might
+	// be unclarity about who owns the identity
+	if len(validationChain) != 1 {
+		return nil, fmt.Errorf("This MSP only supports a single validation chain, got %d", len(validationChain))
+	}
+
+	// we expect a chain of length at least 2
+	if len(validationChain[0]) < 2 {
+		return nil, fmt.Errorf("Expected a chain of length at least 2, got %d", len(validationChain))
+	}
+
+	return validationChain[0], nil
+}
+
+// getCertificationChainIdentifier returns the certification chain identifier of the passed identity within this msp.
+// The identifier is computes as the SHA256 of the concatenation of the certificates in the chain.
+func (msp *bccspmsp) getCertificationChainIdentifier(id Identity) ([]byte, error) {
+	chain, err := msp.getCertificationChain(id)
+	if err != nil {
+		return nil, fmt.Errorf("Failed getting certification chain for [%v]: [%s]", id, err)
+	}
+
+	// Hash the chain
+	hf, err := msp.bccsp.GetHash(&bccsp.SHA256Opts{})
+	if err != nil {
+		return nil, fmt.Errorf("Failed getting hash function when computing certification chain identifier for [%v]: [%s]", id, err)
+	}
+
+	for i := 0; i < len(chain); i++ {
+		hf.Write(chain[i].Raw)
+	}
+	return hf.Sum(nil), nil
+}

msp/noopmsp.go

@@ -101,8 +101,8 @@ func (id *noopidentity) Validate() error {
 	return nil
 }
 
-func (id *noopidentity) GetOrganizationalUnits() []string {
-	return []string{"dunno"}
+func (id *noopidentity) GetOrganizationalUnits() []msp.FabricOUIdentifier {
+	return nil
 }
 
 func (id *noopidentity) Verify(msg []byte, sig []byte) error {

peer/gossip/mcs/mocks.go

@@ -131,8 +131,8 @@ func (id *mockIdentity) Validate() error {
 	return nil
 }
 
-func (id *mockIdentity) GetOrganizationalUnits() []string {
-	return []string{"dunno"}
+func (id *mockIdentity) GetOrganizationalUnits() []mspproto.FabricOUIdentifier {
+	return nil
 }
 
 func (id *mockIdentity) Verify(msg []byte, sig []byte) error {