[FAB-5203] Store hash of password in DB

Rather than storing the actual enrollment secret in the DB, store the hash of the secret. We then compare the hash values when checking to see if the user provided the correct enrollment secret. Change-Id: I6e2f18ebdfe4d5d7f970bee086f69b285b89c998 Signed-off-by: Keith Smith <[email protected]>
hyperledger · Jul 7, 2017 · 2a65467 · 2a65467
1 parent e52c670
commit 2a65467
Show file tree

Hide file tree

Showing 7 changed files with 816 additions and 7 deletions.
diff --git a/lib/dbaccessor.go b/lib/dbaccessor.go
@@ -25,6 +25,7 @@ import (
 	"github.com/cloudflare/cfssl/log"
 	"github.com/hyperledger/fabric-ca/api"
 	"github.com/hyperledger/fabric-ca/lib/spi"
+	"golang.org/x/crypto/bcrypt"
 
 	"github.com/jmoiron/sqlx"
 	"github.com/kisielk/sqlstruct"
@@ -114,9 +115,17 @@ func (d *Accessor) InsertUser(user spi.UserInfo) error {
 		return err
 	}
 
+	// Hash the password before storing it
+	pwd := []byte(user.Pass)
+	pwd, err = bcrypt.GenerateFromPassword(pwd, bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("Failed to hash password: %s", err)
+	}
+
+	// Store the user record in the DB
 	res, err := d.db.NamedExec(insertUser, &UserRecord{
 		Name:           user.Name,
-		Pass:           []byte(user.Pass),
+		Pass:           pwd,
 		Type:           user.Type,
 		Affiliation:    user.Affiliation,
 		Attributes:     string(attrBytes),
@@ -177,9 +186,17 @@ func (d *Accessor) UpdateUser(user spi.UserInfo) error {
 		return err
 	}
 
+	// Hash the password before storing it
+	pwd := []byte(user.Pass)
+	pwd, err = bcrypt.GenerateFromPassword(pwd, bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("Failed to hash password: %s", err)
+	}
+
+	// Store the updated user entry
 	res, err := d.db.NamedExec(updateUser, &UserRecord{
 		Name:           user.Name,
-		Pass:           []byte(user.Pass),
+		Pass:           pwd,
 		Type:           user.Type,
 		Affiliation:    user.Affiliation,
 		Attributes:     string(attributes),
@@ -245,7 +262,6 @@ func (d *Accessor) GetUserInfo(id string) (spi.UserInfo, error) {
 	json.Unmarshal([]byte(userRec.Attributes), &attributes)
 
 	userInfo.Name = userRec.Name
-	userInfo.Pass = string(userRec.Pass)
 	userInfo.Type = userRec.Type
 	userInfo.Affiliation = userRec.Affiliation
 	userInfo.State = userRec.State
@@ -308,7 +324,7 @@ func (d *Accessor) GetAffiliation(name string) (spi.Affiliation, error) {
 func (d *Accessor) newDBUser(userRec *UserRecord) *DBUser {
 	var user = new(DBUser)
 	user.Name = userRec.Name
-	user.Pass = string(userRec.Pass)
+	user.pass = userRec.Pass
 	user.State = userRec.State
 	user.MaxEnrollments = userRec.MaxEnrollments
 	user.Affiliation = userRec.Affiliation
@@ -330,6 +346,7 @@ func (d *Accessor) newDBUser(userRec *UserRecord) *DBUser {
 // DBUser is the databases representation of a user
 type DBUser struct {
 	spi.UserInfo
+	pass  []byte
 	attrs map[string]string
 	db    *sqlx.DB
 }
@@ -346,9 +363,10 @@ func (u *DBUser) Login(pass string, caMaxEnrollments int) error {
 
 	log.Debugf("DB: Login user %s with max enrollments of %d and state of %d", u.Name, u.MaxEnrollments, u.State)
 
-	// Check the password
-	if u.Pass != pass {
-		return errors.New("Incorrect password")
+	// Check the password by comparing to stored hash
+	err := bcrypt.CompareHashAndPassword(u.pass, []byte(pass))
+	if err != nil {
+		return fmt.Errorf("Password mismatch: %s", err)
 	}
 
 	if u.MaxEnrollments == 0 {

diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go