Enroll member request fails with signature verification


Question


when I tried to enroll the "admin" user, the second call to CreateCertificatePair failed with the "Signature verification failed" message. BTW, I copied the enrollUser function from the eca_test.go. And those tests under membersrvc/ca package can be passed.

// Phase 2 of the protocol
// Decrypt the token returned by the ECA in phase 1 with the enrollment (encryption) private key.
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
	return err
}

ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
	return err
}

out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
	return err
}

// Put the decrypted token in the request and clear Sig so the
// signature covers the request without a signature field.
req.Tok.Tok = out
req.Sig = nil

// Hash the marshalled request and sign the digest with the signing private key.
hash := primitives.NewHash()
raw, _ := proto.Marshal(req)
hash.Write(raw)

r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
	return err
}
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &pb.Signature{Type: pb.CryptoType_ECDSA, R: R, S: S}

// Second call: send the signed request back to the ECA.
resp, err = ecapCient.CreateCertificatePair(context.Background(), req)

Answer 1

Score: 1


As Sergey mentioned, CreateCertificatePair requests the creation of a new certificate pair, and according to the documentation,

During registration, the application sends a request to the certificate authority to verify the user registration and if successful, the CA responds with the user certificates and keys.

Upon successful user authentication, the application will perform user registration with the CA exactly once. If registration is attempted a second time for the same user, an error will result.
This is the reason why the second call to CreateCertificatePair is failing.
If you really want to register a user who has already been registered previously, you need to remove the temporary files ( the client enrollment certificate, enrollment key, transaction certificate chain, etc.) that were created by the CA server process, and to do that, run the following command,

rm -rf /var/hyperledger/production

/var/hyperledger/production is the directory where the certificates received from CA are stored.

Source: Note on security functionality
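To make the two points above concrete (the signing step shown in the question, and the once-per-user enrollment rule from this answer), here is an added, self-contained Go example that is not part of the original post or of the Fabric code base. It replaces the Fabric protobuf and ECIES machinery with a constructed JSON request and a toy in-memory ECA; the type and function names (EnrollRequest, ECA, CreateCertificatePair, EnrollTwice) and the token value are assumptions for illustration. The toy CA does what the answer describes: it verifies the ECDSA signature over the request with Sig cleared, rejects a request whose token was changed after signing, and refuses a second enrollment of the same user.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Signature mirrors the shape of the protobuf Signature in the question:
// R and S hold the text encoding produced by big.Int.MarshalText.
type Signature struct {
	R []byte `json:"r"`
	S []byte `json:"s"`
}

// EnrollRequest is a constructed stand-in for the ECA request message.
// Sig is excluded from the signed bytes, which is why the client sets
// req.Sig = nil before hashing and the server clears it before verifying.
type EnrollRequest struct {
	ID  string     `json:"id"`
	Tok []byte     `json:"tok"`
	Sig *Signature `json:"sig,omitempty"`
}

var (
	ErrBadSignature    = errors.New("Signature verification failed")
	ErrAlreadyEnrolled = errors.New("user is already enrolled")
)

// signedBytes returns the canonical bytes covered by the signature: the
// request with Sig cleared. Client and server must agree on this exactly.
func signedBytes(req *EnrollRequest) ([]byte, error) {
	unsigned := *req
	unsigned.Sig = nil
	return json.Marshal(&unsigned)
}

// SignRequest is the client side of phase 2 from the question: hash the
// marshalled request (Sig cleared), ECDSA-sign it, store R and S as text.
func SignRequest(req *EnrollRequest, priv *ecdsa.PrivateKey) error {
	raw, err := signedBytes(req)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(raw)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	R, _ := r.MarshalText()
	S, _ := s.MarshalText()
	req.Sig = &Signature{R: R, S: S}
	return nil
}

// ECA is a toy enrollment CA: it knows each user's expected token and
// signing public key, and remembers who has already enrolled.
type ECA struct {
	tokens   map[string][]byte
	pubKeys  map[string]*ecdsa.PublicKey
	enrolled map[string]bool
}

func NewECA() *ECA {
	return &ECA{map[string][]byte{}, map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}

// Register records what the CA expects from a user (constructed stand-in
// for the state phase 1 would establish).
func (e *ECA) Register(id string, tok []byte, pub *ecdsa.PublicKey) {
	e.tokens[id], e.pubKeys[id] = tok, pub
}

// CreateCertificatePair verifies the signature over the request, checks the
// token, and enrolls the user at most once.
func (e *ECA) CreateCertificatePair(req *EnrollRequest) error {
	pub, ok := e.pubKeys[req.ID]
	if !ok || req.Sig == nil {
		return ErrBadSignature
	}
	raw, err := signedBytes(req)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(raw)
	r, s := new(big.Int), new(big.Int)
	if r.UnmarshalText(req.Sig.R) != nil || s.UnmarshalText(req.Sig.S) != nil {
		return ErrBadSignature
	}
	if !ecdsa.Verify(pub, digest[:], r, s) || !bytes.Equal(e.tokens[req.ID], req.Tok) {
		return ErrBadSignature
	}
	if e.enrolled[req.ID] {
		return ErrAlreadyEnrolled
	}
	e.enrolled[req.ID] = true
	return nil
}

// EnrollTwice replays the scenario from the question: a tampered copy fails
// verification, the first real enrollment succeeds, and a repeat is refused.
func EnrollTwice() (first, tampered, second error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := []byte("constructed-one-time-token") // constructed sample value
	eca := NewECA()
	eca.Register("admin", tok, &priv.PublicKey)

	req := &EnrollRequest{ID: "admin", Tok: tok}
	if err := SignRequest(req, priv); err != nil {
		return err, err, err
	}
	bad := *req
	bad.Tok = []byte("modified-after-signing")
	tampered = eca.CreateCertificatePair(&bad)
	first = eca.CreateCertificatePair(req)
	second = eca.CreateCertificatePair(req)
	return first, tampered, second
}

func main() {
	first, tampered, second := EnrollTwice()
	fmt.Println("first:", first, "| tampered:", tampered, "| second:", second)
}
```

Two design points matter here: the bytes that are signed and the bytes that are verified must be produced by the same canonicalisation (here, marshalling with Sig cleared), and the "already enrolled" decision is taken only after the signature has been verified, so an unauthenticated caller cannot learn which users exist from the error message.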

Answer 2

Score: 0


CreateCertificatePair requests the creation of a new enrolment certificate pair by the ECA.
The "enrolment" certificate is unique and can be created just once per user by the ECA.

A second call to CreateCertificatePair for the same user will lead to an error.

Posted by huangapple on 2016-09-26 19:06:57
Source link: https://go.coder-hub.com/39701198.html