一、介紹
在前面分析了MSP的基本的流程和源碼,但是還是有些疏漏,這裏補充一下,同時把相關的BCCSP的部分分析一下,充實整個的加密系統。在MSP中主要對配置管理和證書驗證進行一下分析;BCCSP則從整體流程和相關源碼進行一下分析。
二、MSP的補遺
1、配置管理
在前面的Peer節點的啓動裏,從主函數裏mainCmd.AddCommand(node.Cmd()),而在node.Cmd()中會有:
var nodeCmd = &cobra.Command{
Use: nodeFuncName,
Short: fmt.Sprint(nodeCmdDes),
Long: fmt.Sprint(nodeCmdDes),
PersistentPreRun: common.InitCmd,
}
在PersistentPreRun(即common.Initcmd)中調用InitCrypto(mspMgrConfigDir, mspID, mspType)。
其流程爲:調用mainCmd.Execute(),從這裏開始其實已經是第三方的命令庫cobra,會逐次調用ExecuteC–>cmd.execute,在這個函數裏調用PersistentPreRun(common.InitCmd)。其又會調用InitCrypto這個函數:
看一下這個函數:
//fabric\peer\common\common.go
// InitCrypto initializes crypto for this peer
func InitCrypto(mspMgrConfigDir, localMSPID, localMSPType string) error {
var err error
// Check whether msp folder exists
fi, err := os.Stat(mspMgrConfigDir)
if os.IsNotExist(err) || !fi.IsDir() {
// No need to try to load MSP from folder which is not available
return errors.Errorf("cannot init crypto, folder \"%s\" does not exist", mspMgrConfigDir)
}
// Check whether localMSPID exists
if localMSPID == "" {
return errors.New("the local MSP must have an ID")
}
// Init the BCCSP
SetBCCSPKeystorePath()
var bccspConfig *factory.FactoryOpts
err = viperutil.EnhancedExactUnmarshalKey("peer.BCCSP", &bccspConfig)
if err != nil {
return errors.WithMessage(err, "could not parse YAML config")
}
err = mspmgmt.LoadLocalMspWithType(mspMgrConfigDir, bccspConfig, localMSPID, localMSPType)
if err != nil {
return errors.WithMessage(err, fmt.Sprintf("error when setting up MSP of type %s from directory %s", localMSPType, mspMgrConfigDir))
}
return nil
}
這個函數其實就是開始了加密的初始化,這其中肯定會包括相關的配置:
// LoadLocalMspWithType loads the local MSP with the specified type from the specified directory
func LoadLocalMspWithType(dir string, bccspConfig *factory.FactoryOpts, mspID, mspType string) error {
if mspID == "" {
return errors.New("the local MSP must have an ID")
}
conf, err := msp.GetLocalMspConfigWithType(dir, bccspConfig, mspID, mspType)
if err != nil {
return err
}
return GetLocalMSP().Setup(conf)
}
// GetLocalMspConfigWithType returns a local MSP
// configuration for the MSP in the specified
// directory, with the specified ID and type
func GetLocalMspConfigWithType(dir string, bccspConfig *factory.FactoryOpts, ID, mspType string) (*msp.MSPConfig, error) {
switch mspType {
case ProviderTypeToString(FABRIC):
return GetLocalMspConfig(dir, bccspConfig, ID)
case ProviderTypeToString(IDEMIX):
return GetIdemixMspConfig(dir, ID)
default:
return nil, errors.Errorf("unknown MSP type '%s'", mspType)
}
}
最後都會調用:
func GetLocalMspConfig(dir string, bccspConfig *factory.FactoryOpts, ID string) (*msp.MSPConfig, error) {
//簽名者身份證書文件路徑
signcertDir := filepath.Join(dir, signcerts)
//私鑰存儲文件路徑
keystoreDir := filepath.Join(dir, keystore)
//基於私鑰文件位置來創建BCCSP配置對象
bccspConfig = SetupBCCSPKeystoreConfig(bccspConfig, keystoreDir)
//由創建的BCCSP對象來初始化BCCSP工廠組件
err := factory.InitFactories(bccspConfig)
if err != nil {
return nil, errors.WithMessage(err, "could not initialize BCCSP Factories")
}
//從指定的路徑讀取簽名身份證書文件列表
signcert, err := getPemMaterialFromDir(signcertDir)
if err != nil || len(signcert) == 0 {
return nil, errors.Wrapf(err, "could not load a valid signer certificate from directory %s", signcertDir)
}
/* FIXME: for now we're making the following assumptions
1) there is exactly one signing cert
2) BCCSP's KeyStore has the private key that matches SKI of
signing cert
*/
//基於只有一個身份證書構建簽名者身份ID信息
sigid := &msp.SigningIdentityInfo{PublicSigner: signcert[0], PrivateSigner: nil}
//構建MSP配置對象
return getMspConfig(dir, ID, sigid)
}
這個函數在前面已經分析過了。看一下最後一個函數:
func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.MSPConfig, error) {
//CA證書路徑
cacertDir := filepath.Join(dir, cacerts)
//Administration證書路徑
admincertDir := filepath.Join(dir, admincerts)
//中間CA證書路徑
intermediatecertsDir := filepath.Join(dir, intermediatecerts)
//CRL可撤銷證書路徑
crlsDir := filepath.Join(dir, crlsfolder)
//配置文件路徑
configile := filepath.Join(dir, configfilename)
//TLS認證CA證書路徑
tlscacertDir := filepath.Join(dir, tlscacerts)
//TLS中間CA證書路徑
tlsintermediatecertsDir := filepath.Join(dir, tlsintermediatecerts)
cacerts, err := getPemMaterialFromDir(cacertDir)
if err != nil || len(cacerts) == 0 {
return nil, errors.WithMessage(err, fmt.Sprintf("could not load a valid ca certificate from directory %s", cacertDir))
}
admincert, err := getPemMaterialFromDir(admincertDir)
if err != nil && !os.IsNotExist(err) {
return nil, errors.WithMessage(err, fmt.Sprintf("could not load a valid admin certificate from directory %s", admincertDir))
}
intermediatecerts, err := getPemMaterialFromDir(intermediatecertsDir)
if os.IsNotExist(err) {
mspLogger.Debugf("Intermediate certs folder not found at [%s]. Skipping. [%s]", intermediatecertsDir, err)
} else if err != nil {
return nil, errors.WithMessage(err, fmt.Sprintf("failed loading intermediate ca certs at [%s]", intermediatecertsDir))
}
//根據指定的路徑來讀取身份證書上所有的簽名者身份證書文件列表Signcert(格式可能隨版本變化 )
tlsCACerts, err := getPemMaterialFromDir(tlscacertDir)
tlsIntermediateCerts := [][]byte{}
if os.IsNotExist(err) {
mspLogger.Debugf("TLS CA certs folder not found at [%s]. Skipping and ignoring TLS intermediate CA folder. [%s]", tlsintermediatecertsDir, err)
} else if err != nil {
return nil, errors.WithMessage(err, fmt.Sprintf("failed loading TLS ca certs at [%s]", tlsintermediatecertsDir))
} else if len(tlsCACerts) != 0 {
tlsIntermediateCerts, err = getPemMaterialFromDir(tlsintermediatecertsDir)
if os.IsNotExist(err) {
mspLogger.Debugf("TLS intermediate certs folder not found at [%s]. Skipping. [%s]", tlsintermediatecertsDir, err)
} else if err != nil {
return nil, errors.WithMessage(err, fmt.Sprintf("failed loading TLS intermediate ca certs at [%s]", tlsintermediatecertsDir))
}
} else {
mspLogger.Debugf("TLS CA certs folder at [%s] is empty. Skipping.", tlsintermediatecertsDir)
}
crls, err := getPemMaterialFromDir(crlsDir)
if os.IsNotExist(err) {
mspLogger.Debugf("crls folder not found at [%s]. Skipping. [%s]", crlsDir, err)
} else if err != nil {
return nil, errors.WithMessage(err, fmt.Sprintf("failed loading crls at [%s]", crlsDir))
}
// Load configuration file
// if the configuration file is there then load it
// otherwise skip it
var ouis []*msp.FabricOUIdentifier
var nodeOUs *msp.FabricNodeOUs
_, err = os.Stat(configFile)
if err == nil {
// load the file, if there is a failure in loading it then
// return an error
raw, err := ioutil.ReadFile(configFile)
if err != nil {
return nil, errors.Wrapf(err, "failed loading configuration file at [%s]", configFile)
}
configuration := Configuration{}
err = yaml.Unmarshal(raw, &configuration)
if err != nil {
return nil, errors.Wrapf(err, "failed unmarshalling configuration file at [%s]", configFile)
}
// Prepare OrganizationalUnitIdentifiers =OUS
if len(configuration.OrganizationalUnitIdentifiers) > 0 {
for _, ouID := range configuration.OrganizationalUnitIdentifiers {
f := filepath.Join(dir, ouID.Certificate)
raw, err = readFile(f)
if err != nil {
return nil, errors.Wrapf(err, "failed loading OrganizationalUnit certificate at [%s]", f)
}
oui := &msp.FabricOUIdentifier{
Certificate: raw,
OrganizationalUnitIdentifier: ouID.OrganizationalUnitIdentifier,
}
ouis = append(ouis, oui)
}
}
// Prepare NodeOUs
if configuration.NodeOUs != nil && configuration.NodeOUs.Enable {
mspLogger.Debug("Loading NodeOUs")
nodeOUs = &msp.FabricNodeOUs{
Enable: true,
}
if configuration.NodeOUs.ClientOUIdentifier != nil && len(configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier) != 0 {
nodeOUs.ClientOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier}
}
if configuration.NodeOUs.PeerOUIdentifier != nil && len(configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier) != 0 {
nodeOUs.PeerOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier}
}
if configuration.NodeOUs.AdminOUIdentifier != nil && len(configuration.NodeOUs.AdminOUIdentifier.OrganizationalUnitIdentifier) != 0 {
nodeOUs.AdminOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.AdminOUIdentifier.OrganizationalUnitIdentifier}
}
if configuration.NodeOUs.OrdererOUIdentifier != nil && len(configuration.NodeOUs.OrdererOUIdentifier.OrganizationalUnitIdentifier) != 0 {
nodeOUs.OrdererOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.OrdererOUIdentifier.OrganizationalUnitIdentifier}
}
// Read certificates, if defined
// ClientOU
if nodeOUs.ClientOuIdentifier != nil {
nodeOUs.ClientOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.ClientOUIdentifier.Certificate, "ClientOU")
}
// PeerOU
if nodeOUs.PeerOuIdentifier != nil {
nodeOUs.PeerOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.PeerOUIdentifier.Certificate, "PeerOU")
}
// AdminOU
if nodeOUs.AdminOuIdentifier != nil {
nodeOUs.AdminOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.AdminOUIdentifier.Certificate, "AdminOU")
}
// OrdererOU
if nodeOUs.OrdererOuIdentifier != nil {
nodeOUs.OrdererOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.OrdererOUIdentifier.Certificate, "OrdererOU")
}
}
} else {
mspLogger.Debugf("MSP configuration file not found at [%s]: [%s]", configFile, err)
}
// Set FabricCryptoConfig密碼配置對象
cryptoConfig := &msp.FabricCryptoConfig{
SignatureHashFamily: bccsp.SHA2,
IdentityIdentifierHashFunction: bccsp.SHA256,
}
// Compose FabricMSPConfig
fmspconf := &msp.FabricMSPConfig{
Admins: admincert,
RootCerts: cacerts,
IntermediateCerts: intermediatecerts,
SigningIdentity: sigid,
Name: ID,
OrganizationalUnitIdentifiers: ouis,
RevocationList: crls,
CryptoConfig: cryptoConfig,
TlsRootCerts: tlsCACerts,
TlsIntermediateCerts: tlsIntermediateCerts,
FabricNodeOus: nodeOUs,
}
fmpsjs, _ := proto.Marshal(fmspconf)
mspconf := &msp.MSPConfig{Config: fmpsjs, Type: int32(FABRIC)}
return mspconf, nil
}
這裏其實重點要搞明白OU,節點組織單元對象:一個文件 config.yaml 用來包含已經考慮過的 OU 的信息;他們會在之後被定義爲一組在被稱爲 OrganizationalUnitIdentifiers 的yaml數組中的實體,也即 <Certificate, OrganizationalUnitIdentifier>,其中的 Certificate 代表着到證書機構的證書(root 的或者 intermediate 的)的相對路徑。這些證書是被認爲是組織單元(organizational unit 也就是 OU)中的已證明成員說擁有的。而 OrganizationalUnitIdentifier 代表着理應在 X.509 證書中的 OU-field 中出現的實際字符串。
getMspConfig這個函數,首先得到基本的信息如各種證書的路徑,並通過這些路徑來得到相關的對象(列表)。然後對MSP組件的節點組織單元對象進行處理,最後設置密碼配置對象,包括相關的簽名和生成ID的哈希函數(前者爲SHA2,後者爲SHA256)。
2、身份證書的驗證
身份證書的驗證在前面MSP源碼分析newBccspMsp中看到過驗證的初始化函數,theMsp.internalValidateIdentityOusFunc = theMsp.validateIdentityOUsV1類似這些代碼。看下面提供的驗證流程代碼:
//msp/mspimpl.go
func (msp *bccspmsp) Validate(id Identity) error {
mspLogger.Debugf("MSP %s validating identity", msp.name)
switch id := id.(type) {
// If this identity is of this specific type,
// this is how I can validate it given the
// root of trust this MSP has
case *identity:
return msp.validateIdentity(id)
default:
return errors.New("identity type not recognized")
}
}
//msp/mspimplvalidate.go
func (msp *bccspmsp) validateIdentity(id *identity) error {
//獲得身份驗證的證書的驗證鏈,也就是創建所有從根證書池認證簽發路徑上的證書所組成的有序證書鏈
validationChain, err := msp.getCertificationChainForBCCSPIdentity(id)
if err != nil {
return errors.WithMessage(err, "could not obtain certification chain")
}
//驗證是不是屬於CRL,證書撤銷列表中的項,從而判斷其有效性
err = msp.validateIdentityAgainstChain(id, validationChain)
if err != nil {
return errors.WithMessage(err, "could not validate identity against certification chain")
}
//驗證身份證書的組織單元 和MSP組件包含的組織單元是否有交集
err = msp.internalValidateIdentityOusFunc(id)
if err != nil {
return errors.WithMessage(err, "could not validate identity's OUs")
}
return nil
}
下來分別看一看validateIdentity中調用的三個函數:
// getCertificationChainForBCCSPIdentity returns the certification chain of the passed bccsp identity within this msp
func (msp *bccspmsp) getCertificationChainForBCCSPIdentity(id *identity) ([]*x509.Certificate, error) {
if id == nil {
return nil, errors.New("Invalid bccsp identity. Must be different from nil.")
}
// we expect to have a valid VerifyOptions instance
if msp.opts == nil {
return nil, errors.New("Invalid msp instance")
}
// CAs cannot be directly used as identities..
if id.cert.IsCA {
return nil, errors.New("An X509 certificate with Basic Constraint: " +
"Certificate Authority equals true cannot be used as an identity")
}
return msp.getValidationChain(id.cert, false)
}
func (msp *bccspmsp) getValidationChain(cert *x509.Certificate, isIntermediateChain bool) ([]*x509.Certificate, error) {
//獲取證書驗證選項
validationChain, err := msp.getUniqueValidationChain(cert, msp.getValidityOptsForCert(cert))
if err != nil {
return nil, errors.WithMessage(err, "failed getting validation chain")
}
// we expect a chain of length at least 2
//長度至少爲2,因爲一定不會用根證書去驗證
if len(validationChain) < 2 {
return nil, errors.Errorf("expected a chain of length at least 2, got %d", len(validationChain))
}
// check that the parent is a leaf of the certification tree
// if validating an intermediate chain, the first certificate will the parent
parentPosition := 1
if isIntermediateChain {
parentPosition = 0
}
//檢查父證書是否是證書樹的一個葉子節點
//true表示爲中間節點證書,false表示是葉子節點證書,MSP的簽名必須爲false,即葉子節點,否則報錯
if msp.certificationTreeInternalNodesMap[string(validationChain[parentPosition].Raw)] {
return nil, errors.Errorf("invalid validation chain. Parent certificate should be a leaf of the certification tree [%v]", cert.Raw)
}
return validationChain, nil
}
func (msp *bccspmsp) getUniqueValidationChain(cert *x509.Certificate, opts x509.VerifyOptions) ([]*x509.Certificate, error) {
// ask golang to validate the cert for us based on the options that we've built at setup time
if msp.opts == nil {
return nil, errors.New("the supplied identity has no verify options")
}
validationChains, err := cert.Verify(opts)
if err != nil {
return nil, errors.WithMessage(err, "the supplied identity is not valid")
}
// we only support a single validation chain;
// if there's more than one then there might
// be unclarity about who owns the identity
if len(validationChains) != 1 {
return nil, errors.Errorf("this MSP only supports a single validation chain, got %d", len(validationChains))
}
return validationChains[0], nil
}
第一個函數主要是用來獲取身份證書鏈,也就是從根CA到中間CA到應用CA的所有證書。它最後又調用了getValidationChain這個函數,它纔是真正獲取證書鏈的函數。在這個函數裏,首先調用getUniqueValidationChain來得到證書鏈,certificationTreeInternalNodesMap表示由中間證書和根證書組成的樹形結構,而中間證書都是葉子節點,這也是前面說必須爲葉子節點簽名纔可以。
下面來看第二個函數:
func (msp *bccspmsp) validateIdentityAgainstChain(id *identity, validationChain []*x509.Certificate) error {
return msp.validateCertAgainstChain(id.cert, validationChain)
}
func (msp *bccspmsp) validateCertAgainstChain(cert *x509.Certificate, validationChain []*x509.Certificate) error {
// here we know that the identity is valid; now we have to check whether it has been revoked
// identify the SKI of the CA that signed this cert
SKI, err := getSubjectKeyIdentifierFromCert(validationChain[1])
if err != nil {
return errors.WithMessage(err, "could not obtain Subject Key Identifier for signer cert")
}
// check whether one of the CRLs we have has this cert's
// SKI as its AuthorityKeyIdentifier
for _, crl := range msp.CRL {
aki, err := getAuthorityKeyIdentifierFromCrl(crl)
if err != nil {
return errors.WithMessage(err, "could not obtain Authority Key Identifier for crl")
}
// check if the SKI of the cert that signed us matches the AKI of any of the CRLs
if bytes.Equal(aki, SKI) {
// we have a CRL, check whether the serial number is revoked
for _, rc := range crl.TBSCertList.RevokedCertificates {
if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
// We have found a CRL whose AKI matches the SKI of
// the CA (root or intermediate) that signed the
// certificate that is under validation. As a
// precaution, we verify that said CA is also the
// signer of this CRL.
err = validationChain[1].CheckCRLSignature(crl)
if err != nil {
// the CA cert that signed the certificate
// that is under validation did not sign the
// candidate CRL - skip
mspLogger.Warningf("Invalid signature over the identified CRL, error %+v", err)
continue
}
// A CRL also includes a time of revocation so that
// the CA can say "this cert is to be revoked starting
// from this time"; however here we just assume that
// revocation applies instantaneously from the time
// the MSP config is committed and used so we will not
// make use of that field
return errors.New("The certificate has been revoked")
}
}
}
}
return nil
}
第二個函數主要調用validateCertAgainstChain函數來驗證證書是否存在於CRL可撤銷證書列表中。它首先獲取上級簽發的CA證書的使用者密鑰標識符SKI,遍歷MSP組件所有的證書列表msp.CRL,獲取每個CRL的頒發機構密鑰標識符AKI,然後基於字節比較SKI 、AKI是否相同,如果二者匹配,則繼續檢查CRL中撤銷證書的序列號rc.SerialNumber。如果該序列號與指定的身份證書的序列號cert.SerialNumber相同,則調用CheckCRLSignature方法繼續級簽發CA節點是否爲該CRL的簽名者,如果確定仍然爲同一個簽名者,則說明指定身份證書cert已經被撤銷。
再看第三個函數,在前面的newBccspMsp函數中,發現不同的MSP版本,提供了不同的internalValidateIdentityOusFunc,來看一下最新的:
func (msp *bccspmsp) validateIdentityOUsV143(id *identity) error {
// Run the same checks as per V1
err := msp.validateIdentityOUsV1(id)
if err != nil {
return err
}
// -- Check for OU enforcement
if !msp.ouEnforcement {
// No enforcement required
return nil
}
// Make sure that the identity has only one of the special OUs
// used to tell apart clients, peers and admins.
counter := 0
validOUs := make(map[string]*OUIdentifier)
if msp.clientOU != nil {
validOUs[msp.clientOU.OrganizationalUnitIdentifier] = msp.clientOU
}
if msp.peerOU != nil {
validOUs[msp.peerOU.OrganizationalUnitIdentifier] = msp.peerOU
}
if msp.adminOU != nil {
validOUs[msp.adminOU.OrganizationalUnitIdentifier] = msp.adminOU
}
if msp.ordererOU != nil {
validOUs[msp.ordererOU.OrganizationalUnitIdentifier] = msp.ordererOU
}
for _, OU := range id.GetOrganizationalUnits() {
// Is OU.OrganizationalUnitIdentifier one of the special OUs?
nodeOU := validOUs[OU.OrganizationalUnitIdentifier]
if nodeOU == nil {
continue
}
// Yes. Then, enforce the certifiers identifier in this is specified.
// If is not specified, it means that any certification path is fine.
if len(nodeOU.CertifiersIdentifier) != 0 && !bytes.Equal(nodeOU.CertifiersIdentifier, OU.CertifiersIdentifier) {
return errors.Errorf("certifiersIdentifier does not match: [%v], MSP: [%s]", id.GetOrganizationalUnits(), msp.name)
}
//保證證書只能爲客戶端、PEER、ORDER或者Admin中的一個。
counter++
if counter > 1 {
break
}
}
if counter != 1 {
return errors.Errorf("the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [%v], MSP: [%s]", id.GetOrganizationalUnits(), msp.name)
}
return nil
}
func (msp *bccspmsp) validateIdentityOUsV1(id *identity) error {
// Check that the identity's OUs are compatible with those recognized by this MSP,
// meaning that the intersection is not empty.
if len(msp.ouIdentifiers) > 0 {
found := false
//遍歷組織單元標識列表
for _, OU := range id.GetOrganizationalUnits() {
certificationIDs, exists := msp.ouIdentifiers[OU.OrganizationalUnitIdentifier]
if exists {
//遍歷證書標識符ID列表
for _, certificationID := range certificationIDs {
if bytes.Equal(certificationID, OU.CertifiersIdentifier) {
found = true
break
}
}
}
}
if !found {
if len(id.GetOrganizationalUnits()) == 0 {
return errors.New("the identity certificate does not contain an Organizational Unit (OU)")
}
return errors.Errorf("none of the identity's organizational units [%v] are in MSP %s", id.GetOrganizationalUnits(), msp.name)
}
}
return nil
}
其它的驗證還有包括類似諸如零知識證明等的方式,有興趣可以看一看源碼。
二、BCCSP
1、整體架構
BCCSP是整個Fabric中的基礎的模塊,所有的加密簽名部分基本都需要從這裏來支持。看一下他的基礎的類圖:
包圖:
2、啓動流程
BCCSP是整個Fabric中的基礎模塊之一加密模塊,整個系統運行需要的加密、解密、簽名及驗證、哈希以及相關的零知識證明以及後續的迭代演進,諸如支持國密或者其它加密算法的接口都在這個模塊之中。它主要提供了兩大類的加密方式即硬件加密方式(PKCS11,基於HSM硬件安全模塊)和SM類型的軟件加密服務(使用的GO本身提供的算法庫)。在提供的這兩類加密算法的基礎上,抽象出來了相關的對象工廠以及相關的加密函數接口。
在Fabric中很多地方都會啓動對BCCSP包的調用,這裏在分析MSP,所以就把其相關的factory和BCCSP包啓動看一下:
BCCSP工廠啓動和初始化的過程:
函數調用GetLocalMspConfig()->InitFactories()
func InitFactories(config *FactoryOpts) error {
factoriesInitOnce.Do(func() {
setFactories(config)
})
return factoriesInitError
}
func setFactories(config *FactoryOpts) error {
// Take some precautions on default opts
if config == nil {
config = GetDefaultOpts()
}
if config.ProviderName == "" {
config.ProviderName = "SW"
}
if config.SwOpts == nil {
config.SwOpts = GetDefaultOpts().SwOpts
}
// Initialize factories map
bccspMap = make(map[string]bccsp.BCCSP)
// Software-Based BCCSP
if config.SwOpts != nil {
f := &SWFactory{}
err := initBCCSP(f, config)
if err != nil {
factoriesInitError = errors.Wrap(err, "Failed initializing SW.BCCSP")
}
}
// PKCS11-Based BCCSP
if config.Pkcs11Opts != nil {
f := &PKCS11Factory{}
err := initBCCSP(f, config)
if err != nil {
factoriesInitError = errors.Wrapf(err, "Failed initializing PKCS11.BCCSP %s", factoriesInitError)
}
}
// BCCSP Plugin
if config.PluginOpts != nil {
f := &PluginFactory{}
err := initBCCSP(f, config)
if err != nil {
factoriesInitError = errors.Wrapf(err, "Failed initializing PKCS11.BCCSP %s", factoriesInitError)
}
}
var ok bool
defaultBCCSP, ok = bccspMap[config.ProviderName]
if !ok {
factoriesInitError = errors.Errorf("%s\nCould not find default `%s` BCCSP", factoriesInitError, config.ProviderName)
}
return factoriesInitError
}
func initBCCSP(f BCCSPFactory, config *FactoryOpts) error {
//在此處其實是實現了三個工廠類即:pck11,plugin,sw
csp, err := f.Get(config)
if err != nil {
return errors.Errorf("Could not initialize BCCSP %s [%s]", f.Name(), err)
}
logger.Debugf("Initialize BCCSP [%s]", f.Name())
//csp的映射存儲,在以後就可以通過工廠Name來得到相應的BCCSP操作對象
bccspMap[f.Name()] = csp
return nil
}
BCCSP的啓動和初始化過程:
函數調用的順序:GetLocalMSP()->LoadLocalMsp()->New()->newBccspMsp():
unc newBccspMsp(version MSPVersion) (MSP, error) {
mspLogger.Debugf("Creating BCCSP-based MSP instance")
bccsp := factory.GetDefault()
......
return theMsp, nil
}
這個函數中前面提到好多次,這個函數一開始就創建相關的BCCSP對象實例。調用相關工廠類的默認創建函數。看一下他的實現:
func GetDefault() bccsp.BCCSP {
if defaultBCCSP == nil {
logger.Debug("Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.")
bootBCCSPInitOnce.Do(func() {
var err error
f := &SWFactory{}
bootBCCSP, err = f.Get(GetDefaultOpts())
if err != nil {
panic("BCCSP Internal error, failed initialization with GetDefaultOpts!")
}
})
return bootBCCSP
}
return defaultBCCSP
}
直接就跳到了BCCSP模塊的factory包下,在下面的源碼分析中將對其進行展開分析。
三、源碼
順着上面的初始啓動代碼分析相關的數據結構和相關的代碼:
type BCCSP interface {
// KeyGen generates a key using opts.
KeyGen(opts KeyGenOpts) (k Key, err error)
// KeyDeriv derives a key from k using opts.
// The opts argument should be appropriate for the primitive used.
KeyDeriv(k Key, opts KeyDerivOpts) (dk Key, err error)
// KeyImport imports a key from its raw representation using opts.
// The opts argument should be appropriate for the primitive used.
KeyImport(raw interface{}, opts KeyImportOpts) (k Key, err error)
// GetKey returns the key this CSP associates to
// the Subject Key Identifier ski.
GetKey(ski []byte) (k Key, err error)
// Hash hashes messages msg using options opts.
// If opts is nil, the default hash function will be used.
Hash(msg []byte, opts HashOpts) (hash []byte, err error)
// GetHash returns and instance of hash.Hash using options opts.
// If opts is nil, the default hash function will be returned.
GetHash(opts HashOpts) (h hash.Hash, err error)
// Sign signs digest using key k.
// The opts argument should be appropriate for the algorithm used.
//
// Note that when a signature of a hash of a larger message is needed,
// the caller is responsible for hashing the larger message and passing
// the hash (as digest).
Sign(k Key, digest []byte, opts SignerOpts) (signature []byte, err error)
// Verify verifies signature against key k and digest
// The opts argument should be appropriate for the algorithm used.
Verify(k Key, signature, digest []byte, opts SignerOpts) (valid bool, err error)
// Encrypt encrypts plaintext using key k.
// The opts argument should be appropriate for the algorithm used.
Encrypt(k Key, plaintext []byte, opts EncrypterOpts) (ciphertext []byte, err error)
// Decrypt decrypts ciphertext using key k.
// The opts argument should be appropriate for the algorithm used.
Decrypt(k Key, ciphertext []byte, opts DecrypterOpts) (plaintext []byte, err error)
}
type BCCSPFactory interface {
// Name returns the name of this factory
Name() string
// Get returns an instance of BCCSP using opts.
Get(opts *FactoryOpts) (bccsp.BCCSP, error)
}
func (f *SWFactory) Get(config *FactoryOpts) (bccsp.BCCSP, error) {
// Validate arguments
if config == nil || config.SwOpts == nil {
return nil, errors.New("Invalid config. It must not be nil.")
}
swOpts := config.SwOpts
var ks bccsp.KeyStore
if swOpts.Ephemeral == true {
//虛擬存儲路徑--密鑰並不被加載和保存
ks = sw.NewDummyKeyStore()
} else if swOpts.FileKeystore != nil {
//設置私鑰的路徑
fks, err := sw.NewFileBasedKeyStore(nil, swOpts.FileKeystore.KeyStorePath, false)
if err != nil {
return nil, errors.Wrapf(err, "Failed to initialize software key store")
}
ks = fks
} else if swOpts.InmemKeystore != nil {
//內存存儲密鑰
ks = sw.NewInMemoryKeyStore()
} else {
// Default to ephemeral key store
//默認爲臨時存儲
ks = sw.NewDummyKeyStore()
}
return sw.NewWithParams(swOpts.SecLevel, swOpts.HashFamily, ks)
}
//默認是使用軟件的SW加密方式
func GetDefaultOpts() *FactoryOpts {
return &FactoryOpts{
ProviderName: "SW",
SwOpts: &SwOpts{
HashFamily: "SHA2",
SecLevel: 256,
Ephemeral: true,
},
}
}
看一看最後的NewWithParams:
func NewWithParams(securityLevel int, hashFamily string, keyStore bccsp.KeyStore) (bccsp.BCCSP, error) {
// Init config
conf := &config{}
err := conf.setSecurityLevel(securityLevel, hashFamily)
if err != nil {
return nil, errors.Wrapf(err, "Failed initializing configuration at [%v,%v]", securityLevel, hashFamily)
}
//生成一個CSP提供者,看下面的詳細代碼分析
swbccsp, err := New(keyStore)
if err != nil {
return nil, err
}
// Notice that errors are ignored here because some test will fail if one
// of the following call fails.
// Set the Encryptors設置加密器
swbccsp.AddWrapper(reflect.TypeOf(&aesPrivateKey{}), &aescbcpkcs7Encryptor{})
// Set the Decryptors設置解密器
swbccsp.AddWrapper(reflect.TypeOf(&aesPrivateKey{}), &aescbcpkcs7Decryptor{})
// Set the Signers設置簽名器
swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPrivateKey{}), &ecdsaSigner{})
swbccsp.AddWrapper(reflect.TypeOf(&rsaPrivateKey{}), &rsaSigner{})
// Set the Verifiers
swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPrivateKey{}), &ecdsaPrivateKeyVerifier{})
swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPublicKey{}), &ecdsaPublicKeyKeyVerifier{})
swbccsp.AddWrapper(reflect.TypeOf(&rsaPrivateKey{}), &rsaPrivateKeyVerifier{})
swbccsp.AddWrapper(reflect.TypeOf(&rsaPublicKey{}), &rsaPublicKeyKeyVerifier{})
// Set the Hashers
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.SHAOpts{}), &hasher{hash: conf.hashFunction})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.SHA256Opts{}), &hasher{hash: sha256.New})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.SHA384Opts{}), &hasher{hash: sha512.New384})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.SHA3_256Opts{}), &hasher{hash: sha3.New256})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.SHA3_384Opts{}), &hasher{hash: sha3.New384})
// Set the key generators
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAKeyGenOpts{}), &ecdsaKeyGenerator{curve: conf.ellipticCurve})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAP256KeyGenOpts{}), &ecdsaKeyGenerator{curve: elliptic.P256()})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAP384KeyGenOpts{}), &ecdsaKeyGenerator{curve: elliptic.P384()})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AESKeyGenOpts{}), &aesKeyGenerator{length: conf.aesBitLength})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES256KeyGenOpts{}), &aesKeyGenerator{length: 32})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES192KeyGenOpts{}), &aesKeyGenerator{length: 24})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES128KeyGenOpts{}), &aesKeyGenerator{length: 16})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSAKeyGenOpts{}), &rsaKeyGenerator{length: conf.rsaBitLength})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA1024KeyGenOpts{}), &rsaKeyGenerator{length: 1024})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA2048KeyGenOpts{}), &rsaKeyGenerator{length: 2048})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA3072KeyGenOpts{}), &rsaKeyGenerator{length: 3072})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA4096KeyGenOpts{}), &rsaKeyGenerator{length: 4096})
// Set the key generators
swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPrivateKey{}), &ecdsaPrivateKeyKeyDeriver{})
swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPublicKey{}), &ecdsaPublicKeyKeyDeriver{})
swbccsp.AddWrapper(reflect.TypeOf(&aesPrivateKey{}), &aesPrivateKeyKeyDeriver{conf: conf})
// Set the key importers
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES256ImportKeyOpts{}), &aes256ImportKeyOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.HMACImportKeyOpts{}), &hmacImportKeyOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAPKIXPublicKeyImportOpts{}), &ecdsaPKIXPublicKeyImportOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAPrivateKeyImportOpts{}), &ecdsaPrivateKeyImportOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAGoPublicKeyImportOpts{}), &ecdsaGoPublicKeyImportOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSAGoPublicKeyImportOpts{}), &rsaGoPublicKeyImportOptsKeyImporter{})
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.X509PublicKeyImportOpts{}), &x509PublicKeyImportOptsKeyImporter{bccsp: swbccsp})
return swbccsp, nil
}
這個函數通過相關的參數配置來新建BCCSP。在這個函數裏出現了CSP這個加密提供者,看一下相關的代碼:
type CSP struct {
ks bccsp.KeyStore
KeyGenerators map[reflect.Type]KeyGenerator
KeyDerivers map[reflect.Type]KeyDeriver
KeyImporters map[reflect.Type]KeyImporter
Encryptors map[reflect.Type]Encryptor
Decryptors map[reflect.Type]Decryptor
Signers map[reflect.Type]Signer
Verifiers map[reflect.Type]Verifier
Hashers map[reflect.Type]Hasher
}
//在這個函數裏,設置上在CPS結構中相應的各種操作者的對象
func New(keyStore bccsp.KeyStore) (*CSP, error) {
if keyStore == nil {
return nil, errors.Errorf("Invalid bccsp.KeyStore instance. It must be different from nil.")
}
encryptors := make(map[reflect.Type]Encryptor)
decryptors := make(map[reflect.Type]Decryptor)
signers := make(map[reflect.Type]Signer)
verifiers := make(map[reflect.Type]Verifier)
hashers := make(map[reflect.Type]Hasher)
keyGenerators := make(map[reflect.Type]KeyGenerator)
keyDerivers := make(map[reflect.Type]KeyDeriver)
keyImporters := make(map[reflect.Type]KeyImporter)
csp := &CSP{keyStore,
keyGenerators, keyDerivers, keyImporters, encryptors,
decryptors, signers, verifiers, hashers}
return csp, nil
}
在New函數中創建了CSP結構中的相關操作集合,這些集合分別實現了一些相應的接口,比如:
// Encryptor is a BCCSP-like interface that provides encryption algorithms
type Encryptor interface {
// Encrypt encrypts plaintext using key k.
// The opts argument should be appropriate for the algorithm used.
Encrypt(k bccsp.Key, plaintext []byte, opts bccsp.EncrypterOpts) (ciphertext []byte, err error)
}
// Decryptor is a BCCSP-like interface that provides decryption algorithms
type Decryptor interface {
// Decrypt decrypts ciphertext using key k.
// The opts argument should be appropriate for the algorithm used.
Decrypt(k bccsp.Key, ciphertext []byte, opts bccsp.DecrypterOpts) (plaintext []byte, err error)
}
// Signer is a BCCSP-like interface that provides signing algorithms
type Signer interface {
// Sign signs digest using key k.
// The opts argument should be appropriate for the algorithm used.
//
// Note that when a signature of a hash of a larger message is needed,
// the caller is responsible for hashing the larger message and passing
// the hash (as digest).
Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) (signature []byte, err error)
}
在CSP這個類中提供了AddWrapers這個增加打包器函數,用來綁定各種類型的數據結構。
// AddWrapper binds the passed type to the passed wrapper.
// Notice that that wrapper must be an instance of one of the following interfaces:
// KeyGenerator, KeyDeriver, KeyImporter, Encryptor, Decryptor, Signer, Verifier, Hasher.
func (csp *CSP) AddWrapper(t reflect.Type, w interface{}) error {
if t == nil {
return errors.Errorf("type cannot be nil")
}
if w == nil {
return errors.Errorf("wrapper cannot be nil")
}
switch dt := w.(type) {
case KeyGenerator:
csp.KeyGenerators[t] = dt
case KeyImporter:
csp.KeyImporters[t] = dt
case KeyDeriver:
csp.KeyDerivers[t] = dt
case Encryptor:
csp.Encryptors[t] = dt
case Decryptor:
csp.Decryptors[t] = dt
case Signer:
csp.Signers[t] = dt
case Verifier:
csp.Verifiers[t] = dt
case Hasher:
csp.Hashers[t] = dt
default:
return errors.Errorf("wrapper type not valid, must be on of: KeyGenerator, KeyDeriver, KeyImporter, Encryptor, Decryptor, Signer, Verifier, Hasher")
}
return nil
}
來分析一下這個AddlWrapper的作用,隨便取一個增加函數代碼:
swbccsp.AddWrapper(reflect.TypeOf(&bccsp.ECDSAP256KeyGenOpts{}), &ecdsaKeyGenerator{curve: elliptic.P256()})
可以看出:
key(t) = reflect.TypeOf(&bccsp.ECDSAP256KeyGenOpts{})
value(dt) = ecdsaKeyGenerator{curve: elliptic.P256()}
前面是類型,後面是類型的實例對象,針對這個對象看一下定義:
type ecdsaKeyGenerator struct {
curve elliptic.Curve
}
func (kg *ecdsaKeyGenerator) KeyGen(opts bccsp.KeyGenOpts) (bccsp.Key, error) {
privKey, err := ecdsa.GenerateKey(kg.curve, rand.Reader)
if err != nil {
return nil, fmt.Errorf("Failed generating ECDSA key for [%v]: [%s]", kg.curve, err)
}
return &ecdsaPrivateKey{privKey}, nil
}
這樣,它就和CSP類中實現的相關接口對應上了,還是看這個接口,其在CSP中實現爲:
func (csp *CSP) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) {
// Validate arguments
if opts == nil {
return nil, errors.New("Invalid Opts parameter. It must not be nil.")
}
//這裏得到上面的KV中的產生器
keyGenerator, found := csp.KeyGenerators[reflect.TypeOf(opts)]
if !found {
return nil, errors.Errorf("Unsupported 'KeyGenOpts' provided [%v]", opts)
}
//開始調用真正的ecdsaKeyGenerator.KeyGen()函數
k, err = keyGenerator.KeyGen(opts)
if err != nil {
return nil, errors.Wrapf(err, "Failed generating key with opts [%v]", opts)
}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(k)
if err != nil {
return nil, errors.Wrapf(err, "Failed storing key [%s]", opts.Algorithm())
}
}
return k, nil
}
BCCSP內部的加密算法,會開闢專門的一節來分析。這裏就不再展開了。
四、總結
通過上述分析可以看到,做爲基礎模塊,其實BCCSP在整個Fabric是非常重要的,從另外一個角度來看,如果沒有密碼學做爲基礎,區塊鏈的安全性肯定會極大的降低。密碼學其實就是整個BCCSP的核心,包括對稱的、非對稱的等等,這些都構成了整個Fabric安全應用的基石。