enroll member request fails with signature verification
Question
When I tried to enroll the "admin" user, the second call to CreateCertificatePair failed with the "Signature verification failed" message. BTW, I copied the enrollUser function from eca_test.go, and the tests under the membersrvc/ca package pass.
// Phase 2 of the protocol
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
	return err
}
ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
	return err
}
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
	return err
}
req.Tok.Tok = out
req.Sig = nil
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)
r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
	return err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &pb.Signature{Type: pb.CryptoType_ECDSA, R: R, S: S}
resp, err = ecapCient.CreateCertificatePair(context.Background(), req)
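The signing convention used in the phase 2 code above, as an added example that is not part of the original post or of the Fabric code base: the signature covers the request bytes with Sig left out, so a signature made before Tok is replaced no longer matches the request. Request, Signature, digest, Sign, Verify and Demo are hypothetical names; SHA-384 and the text encoding are assumed stand-ins for primitives.NewHash() and proto.Marshal, and the sample values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"math/big"
)

// Signature and Request are hypothetical stand-ins for the question's protobuf types.
type Signature struct{ R, S []byte }
type Request struct{ ID string; Tok []byte; Sig *Signature }

// digest hashes every field except Sig (assumed stand-in for proto.Marshal with Sig = nil).
func digest(req *Request) []byte {
	sum := sha512.Sum384([]byte(fmt.Sprintf("%d:%s|%x", len(req.ID), req.ID, req.Tok)))
	return sum[:]
}

// Sign stores r and s as decimal text, as the question's code does with MarshalText.
func Sign(req *Request, priv *ecdsa.PrivateKey) error {
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(req))
	if err == nil {
		R, _ := r.MarshalText()
		S, _ := s.MarshalText()
		req.Sig = &Signature{R: R, S: S}
	}
	return err
}

// Verify parses r and s, re-derives the digest from the received fields and checks it.
func Verify(req *Request, pub *ecdsa.PublicKey) bool {
	r, s := new(big.Int), new(big.Int)
	ok := req.Sig != nil && r.UnmarshalText(req.Sig.R) == nil && s.UnmarshalText(req.Sig.S) == nil
	return ok && ecdsa.Verify(pub, digest(req), r, s)
}

// Demo signs a constructed request, then replaces Tok (as phase 2 does) without re-signing.
func Demo() (fresh, stale bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req := &Request{ID: "admin", Tok: []byte("encrypted-token")} // constructed sample values
	fresh = Sign(req, priv) == nil && Verify(req, &priv.PublicKey)
	req.Tok = []byte("decrypted-token")
	return fresh, Verify(req, &priv.PublicKey)
}

func main() { fmt.Println(Demo()) }
```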
Answer 1
Score: 1
As Sergey mentioned, CreateCertificatePair requests the creation of a new certificate pair, and according to the documentation:
"During registration, the application sends a request to the certificate authority to verify the user registration and if successful, the CA responds with the user certificates and keys."
"Upon successful user authentication, the application will perform user registration with the CA exactly once. If registration is attempted a second time for the same user, an error will result."
This is the reason why the second call to CreateCertificatePair is failing.
If you really want to register a user who has already been registered previously, you need to remove the temporary files (the client enrollment certificate, enrollment key, transaction certificate chain, etc.) that were created by the CA server process. To do that, run the following command:
	rm -rf /var/hyperledger/production
/var/hyperledger/production is the directory where the certificates received from the CA are stored.
Source: Note on security functionality
Answer 2
Score: 0
CreateCertificatePair requests the creation of a new enrolment certificate pair by the ECA.
The "enrolment" certificate is unique and can be created just once per user by the ECA.
A second call to CreateCertificatePair for the same user will lead to an error.