Add checking for getKey(ski) returning pub key

FAB-2093 Now that keyImport supports public keys and private keys, there could be a scenario that for a given SKI only the public key exists, so for the calls to getKey(ski) the caller must verify that the result is a private key or public key, and in some scenarios where a private key is required, like when constructing a signing identity, it must throw an Error Change-Id: I7fc7ef66d4200b411eac649ba2e51cd46ca01c0d Signed-off-by: Jim Zhang <[email protected]>
hyperledger · Feb 7, 2017 · e64871f · e64871f
1 parent dfbf9be
commit e64871f
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 8 deletions.
diff --git a/fabric-client/lib/User.js b/fabric-client/lib/User.js
@@ -221,14 +221,20 @@ var User = class {
 			// swap out that for the real key from the crypto provider
 			return self.cryptoPrimitives.getKey(state.enrollment.signingIdentity);
 		}).then((privateKey) => {
-			self._signingIdentity = new SigningIdentity(
-				state.enrollment.identity.id,
-				state.enrollment.identity.certificate,
-				pubKey,
-				self.mspImpl,
-				new Signer(self.mspImpl.cryptoSuite, privateKey));
-
-			return self;
+			// the key retrieved from the key store using the SKI could be a public key
+			// or a private key, check to make sure it's a private key
+			if (privateKey.isPrivate()) {
+				self._signingIdentity = new SigningIdentity(
+					state.enrollment.identity.id,
+					state.enrollment.identity.certificate,
+					pubKey,
+					self.mspImpl,
+					new Signer(self.mspImpl.cryptoSuite, privateKey));
+
+				return self;
+			} else {
+				throw new Error(util.format('Private key missing from key store. Can not establish the signing identity for user %s', state.name));
+			}
 		});
 	}
 

diff --git a/package.json b/package.json
@@ -22,6 +22,7 @@
     "elliptic": "^6.3.2",
     "fabric-ca-client": "file:./fabric-ca-client",
     "fabric-client": "file:./fabric-client",
+    "fs-extra": "^2.0.0",
     "gulp": "^3.9.1",
     "gulp-debug": "^3.0.0",
     "gulp-eslint": "^3.0.1",

diff --git a/test/unit/headless-tests.js b/test/unit/headless-tests.js
@@ -1443,6 +1443,20 @@ var TEST_KEY_PRIVATE_CERT_PEM = '-----BEGIN CERTIFICATE-----' +
 'BAHpeA==' +
 '-----END CERTIFICATE-----';
 
+var TEST_USER_ENROLLMENT = {
+	'name': 'admin2',
+	'roles':null,
+	'affiliation':'',
+	'enrollmentSecret':'',
+	'enrollment': {
+		'signingIdentity': '0e67f7fa577fd76e487ea3b660e1a3ff15320dbc95e396d8b0ff616c87f8c81a',
+		'identity': {
+			'id': 'testIdentity',
+			'certificate': TEST_KEY_PRIVATE_CERT_PEM
+		}
+	}
+};
+
 var jsrsa = require('jsrsasign');
 var KEYUTIL = jsrsa.KEYUTIL;
 var ECDSA = jsrsa.ECDSA;
@@ -1683,6 +1697,19 @@ test('\n\n ** CryptoSuite_ECDSA_AES - function tests **\n\n', function (t) {
 					cryptoUtils.verify(privKey.getPublicKey(), testSig, TEST_MSG),
 					true,
 					'Check that the imported private key can properly sign messages');
+
+				// manufacture an error condition where the private key does not exist for the SKI, and only the public key does
+				return cryptoUtils.importKey(TEST_KEY_PRIVATE_CERT_PEM);
+			}).then((pubKey) => {
+				fs.removeSync(path.join(CryptoSuite_ECDSA_AES.getKeyStorePath(), '0e67f7fa577fd76e487ea3b660e1a3ff15320dbc95e396d8b0ff616c87f8c81a-priv'));
+
+				var poorUser = new User('admin2', _client);
+				poorUser.fromString(JSON.stringify(TEST_USER_ENROLLMENT))
+				.then(() => {
+					t.fail('Failed to catch missing private key expected from a user enrollment object');
+				}).catch((err) => {
+					t.pass('Successfully caught missing private key expected from a user enrollment object');
+				});
 			});
 
 			t.end();