[FAB-3315] Certificate sanitization

In order to address the FAB, this change-set
does the following:
1. When an msp identity is created, the corresponding
x509 certificate gets sanitized first.
Sanitization means the following: In case of
certificate signed with ECDSA, the sanitization
checks that the signature is in low-S, if this is not
the case, a clone of the certificate is created
with the new signature.

Change-Id: I0ca6938d26dcc98352ccd1b5498a68cd670afdea
Signed-off-by: Angelo De Caro <[email protected]>

Author: adecaro

bccsp/sw/ecdsa.go

@@ -27,7 +27,7 @@ import (
 	"github.com/hyperledger/fabric/bccsp"
 )
 
-type ecdsaSignature struct {
+type ECDSASignature struct {
 	R, S *big.Int
 }
 
@@ -44,13 +44,13 @@ var (
 	}
 )
 
-func marshalECDSASignature(r, s *big.Int) ([]byte, error) {
-	return asn1.Marshal(ecdsaSignature{r, s})
+func MarshalECDSASignature(r, s *big.Int) ([]byte, error) {
+	return asn1.Marshal(ECDSASignature{r, s})
 }
 
-func unmarshalECDSASignature(raw []byte) (*big.Int, *big.Int, error) {
+func UnmarshalECDSASignature(raw []byte) (*big.Int, *big.Int, error) {
 	// Unmarshal
-	sig := new(ecdsaSignature)
+	sig := new(ECDSASignature)
 	_, err := asn1.Unmarshal(raw, sig)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed unmashalling signature [%s]", err)
@@ -80,40 +80,76 @@ func signECDSA(k *ecdsa.PrivateKey, digest []byte, opts bccsp.SignerOpts) (signa
 		return nil, err
 	}
 
-	// check for low-S
-	halfOrder, ok := curveHalfOrders[k.Curve]
-	if !ok {
-		return nil, fmt.Errorf("Curve not recognized [%s]", k.Curve)
-	}
-
-	// is s > halfOrder Then
-	if s.Cmp(halfOrder) == 1 {
-		// Set s to N - s that will be then in the lower part of signature space
-		// less or equal to half order
-		s.Sub(k.Params().N, s)
+	s, _, err = ToLowS(&k.PublicKey, s)
+	if err != nil {
+		return nil, err
 	}
 
-	return marshalECDSASignature(r, s)
+	return MarshalECDSASignature(r, s)
 }
 
 func verifyECDSA(k *ecdsa.PublicKey, signature, digest []byte, opts bccsp.SignerOpts) (valid bool, err error) {
-	r, s, err := unmarshalECDSASignature(signature)
+	r, s, err := UnmarshalECDSASignature(signature)
 	if err != nil {
 		return false, fmt.Errorf("Failed unmashalling signature [%s]", err)
 	}
 
-	// check for low-S
+	lowS, err := IsLowS(k, s)
+	if err != nil {
+		return false, err
+	}
+
+	if !lowS {
+		return false, fmt.Errorf("Invalid S. Must be smaller than half the order [%s][%s].", s, curveHalfOrders[k.Curve])
+	}
+
+	return ecdsa.Verify(k, digest, r, s), nil
+}
+
+func SignatureToLowS(k *ecdsa.PublicKey, signature []byte) ([]byte, error) {
+	r, s, err := UnmarshalECDSASignature(signature)
+	if err != nil {
+		return nil, err
+	}
+
+	s, modified, err := ToLowS(k, s)
+	if err != nil {
+		return nil, err
+	}
+
+	if modified {
+		return MarshalECDSASignature(r, s)
+	}
+
+	return signature, nil
+}
+
+// IsLow checks that s is a low-S
+func IsLowS(k *ecdsa.PublicKey, s *big.Int) (bool, error) {
 	halfOrder, ok := curveHalfOrders[k.Curve]
 	if !ok {
 		return false, fmt.Errorf("Curve not recognized [%s]", k.Curve)
 	}
 
-	// If s > halfOrder Then
-	if s.Cmp(halfOrder) == 1 {
-		return false, fmt.Errorf("Invalid S. Must be smaller than half the order [%s][%s].", s, halfOrder)
+	return s.Cmp(halfOrder) != 1, nil
+
+}
+
+func ToLowS(k *ecdsa.PublicKey, s *big.Int) (*big.Int, bool, error) {
+	lowS, err := IsLowS(k, s)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if !lowS {
+		// Set s to N - s that will be then in the lower part of signature space
+		// less or equal to half order
+		s.Sub(k.Params().N, s)
+
+		return s, true, nil
 	}
 
-	return ecdsa.Verify(k, digest, r, s), nil
+	return s, false, nil
 }
 
 type ecdsaSigner struct{}

bccsp/sw/ecdsa_test.go

@@ -29,45 +29,45 @@ import (
 )
 
 func TestUnmarshalECDSASignature(t *testing.T) {
-	_, _, err := unmarshalECDSASignature(nil)
+	_, _, err := UnmarshalECDSASignature(nil)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Failed unmashalling signature [")
 
-	_, _, err = unmarshalECDSASignature([]byte{})
+	_, _, err = UnmarshalECDSASignature([]byte{})
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Failed unmashalling signature [")
 
-	_, _, err = unmarshalECDSASignature([]byte{0})
+	_, _, err = UnmarshalECDSASignature([]byte{0})
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Failed unmashalling signature [")
 
-	sigma, err := marshalECDSASignature(big.NewInt(-1), big.NewInt(1))
+	sigma, err := MarshalECDSASignature(big.NewInt(-1), big.NewInt(1))
 	assert.NoError(t, err)
-	_, _, err = unmarshalECDSASignature(sigma)
+	_, _, err = UnmarshalECDSASignature(sigma)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Invalid signature. R must be larger than zero")
 
-	sigma, err = marshalECDSASignature(big.NewInt(0), big.NewInt(1))
+	sigma, err = MarshalECDSASignature(big.NewInt(0), big.NewInt(1))
 	assert.NoError(t, err)
-	_, _, err = unmarshalECDSASignature(sigma)
+	_, _, err = UnmarshalECDSASignature(sigma)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Invalid signature. R must be larger than zero")
 
-	sigma, err = marshalECDSASignature(big.NewInt(1), big.NewInt(0))
+	sigma, err = MarshalECDSASignature(big.NewInt(1), big.NewInt(0))
 	assert.NoError(t, err)
-	_, _, err = unmarshalECDSASignature(sigma)
+	_, _, err = UnmarshalECDSASignature(sigma)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Invalid signature. S must be larger than zero")
 
-	sigma, err = marshalECDSASignature(big.NewInt(1), big.NewInt(-1))
+	sigma, err = MarshalECDSASignature(big.NewInt(1), big.NewInt(-1))
 	assert.NoError(t, err)
-	_, _, err = unmarshalECDSASignature(sigma)
+	_, _, err = UnmarshalECDSASignature(sigma)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Invalid signature. S must be larger than zero")
 
-	sigma, err = marshalECDSASignature(big.NewInt(1), big.NewInt(1))
+	sigma, err = MarshalECDSASignature(big.NewInt(1), big.NewInt(1))
 	assert.NoError(t, err)
-	R, S, err := unmarshalECDSASignature(sigma)
+	R, S, err := UnmarshalECDSASignature(sigma)
 	assert.NoError(t, err)
 	assert.Equal(t, big.NewInt(1), R)
 	assert.Equal(t, big.NewInt(1), S)
@@ -126,10 +126,10 @@ func TestVerifyECDSA(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Failed unmashalling signature [")
 
-	R, S, err := unmarshalECDSASignature(sigma)
+	R, S, err := UnmarshalECDSASignature(sigma)
 	assert.NoError(t, err)
 	S.Add(curveHalfOrders[elliptic.P256()], big.NewInt(1))
-	sigmaWrongS, err := marshalECDSASignature(R, S)
+	sigmaWrongS, err := MarshalECDSASignature(R, S)
 	assert.NoError(t, err)
 	_, err = verifyECDSA(&lowLevelKey.PublicKey, sigmaWrongS, msg, nil)
 	assert.Error(t, err)
@@ -236,3 +236,52 @@ func TestEcdsaPublicKey(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Failed marshalling key [")
 }
+
+func TestIsLowS(t *testing.T) {
+	lowLevelKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	assert.NoError(t, err)
+
+	lowS, err := IsLowS(&lowLevelKey.PublicKey, big.NewInt(0))
+	assert.NoError(t, err)
+	assert.True(t, lowS)
+
+	s := new(big.Int)
+	s = s.Set(curveHalfOrders[elliptic.P256()])
+
+	lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.True(t, lowS)
+
+	s = s.Add(s, big.NewInt(1))
+	lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.False(t, lowS)
+	s, modified, err := ToLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.True(t, modified)
+	lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.True(t, lowS)
+}
+
+func TestSignatureToLowS(t *testing.T) {
+	lowLevelKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	assert.NoError(t, err)
+
+	s := new(big.Int)
+	s = s.Set(curveHalfOrders[elliptic.P256()])
+	s = s.Add(s, big.NewInt(1))
+
+	lowS, err := IsLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.False(t, lowS)
+	sigma, err := MarshalECDSASignature(big.NewInt(1), s)
+	assert.NoError(t, err)
+	sigma2, err := SignatureToLowS(&lowLevelKey.PublicKey, sigma)
+	assert.NoError(t, err)
+	_, s, err = UnmarshalECDSASignature(sigma2)
+	assert.NoError(t, err)
+	lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
+	assert.NoError(t, err)
+	assert.True(t, lowS)
+}

bccsp/sw/impl_test.go

@@ -1039,35 +1039,35 @@ func TestKeyImportFromX509ECDSAPublicKey(t *testing.T) {
 
 func TestECDSASignatureEncoding(t *testing.T) {
 	v := []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0xff, 0xf1}
-	_, err := asn1.Unmarshal(v, &ecdsaSignature{})
+	_, err := asn1.Unmarshal(v, &ECDSASignature{})
 	if err == nil {
 		t.Fatalf("Unmarshalling should fail for [% x]", v)
 	}
 	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
 
 	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x02, 0x00, 0x01}
-	_, err = asn1.Unmarshal(v, &ecdsaSignature{})
+	_, err = asn1.Unmarshal(v, &ECDSASignature{})
 	if err == nil {
 		t.Fatalf("Unmarshalling should fail for [% x]", v)
 	}
 	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
 
 	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x01}
-	_, err = asn1.Unmarshal(v, &ecdsaSignature{})
+	_, err = asn1.Unmarshal(v, &ECDSASignature{})
 	if err == nil {
 		t.Fatalf("Unmarshalling should fail for [% x]", v)
 	}
 	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
 
 	v = []byte{0x30, 0x07, 0x02, 0x01, 0x8F, 0x02, 0x81, 0x01, 0x8F}
-	_, err = asn1.Unmarshal(v, &ecdsaSignature{})
+	_, err = asn1.Unmarshal(v, &ECDSASignature{})
 	if err == nil {
 		t.Fatalf("Unmarshalling should fail for [% x]", v)
 	}
 	t.Logf("Unmarshalling correctly failed for [% x] [%s]", v, err)
 
 	v = []byte{0x30, 0x0A, 0x02, 0x01, 0x8F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x00, 0x8F}
-	_, err = asn1.Unmarshal(v, &ecdsaSignature{})
+	_, err = asn1.Unmarshal(v, &ECDSASignature{})
 	if err == nil {
 		t.Fatalf("Unmarshalling should fail for [% x]", v)
 	}
@@ -1094,7 +1094,7 @@ func TestECDSALowS(t *testing.T) {
 		t.Fatalf("Failed generating ECDSA signature [%s]", err)
 	}
 
-	_, S, err := unmarshalECDSASignature(signature)
+	_, S, err := UnmarshalECDSASignature(signature)
 	if err != nil {
 		t.Fatalf("Failed unmarshalling signature [%s]", err)
 	}
@@ -1124,7 +1124,7 @@ func TestECDSALowS(t *testing.T) {
 		}
 	}
 
-	sig, err := marshalECDSASignature(R, S)
+	sig, err := MarshalECDSASignature(R, S)
 	if err != nil {
 		t.Fatalf("Failing unmarshalling signature [%s]", err)
 	}