From f2d52f5c110640016cdac9ae6caf62baf5fa2913 Mon Sep 17 00:00:00 2001
From: yacovm
Date: Thu, 10 Aug 2017 18:22:10 +0300
Subject: [PATCH] [FAB-5713] properly log x509 certs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Whenever new identity instances are created while the msp log module is configured with DEBUG level - the peer outputs gibberish such as:
California1^V0^T^F^CU^D^G^S^MSan Francisco1^_0^]^F^CU^D^C^S^Vpe ^]^O^A^A�^D^D^C^B^G�0^L^F^CU^]^S^A^A�^D^B0^@0+^F^CU^]#^D$0"� m5��� ^�4^Pn$^U)c�z^L^M0
This not only makes it useless, but also might make text parsing utilities not work properly when parsing log files.
With this, it logs:
2017-08-10 15:32:52.262 UTC [msp/identity] newIdentity -> DEBU 034 Creating identity instance for cert
-----BEGIN CERTIFICATE-----
MIICGTCCAb+gAwIBAgIQf9Nof+8cN6zuUYM/pHibLjAKBggqhkjOPQQDAjBzMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu
b3JnMS5leGFtcGxlLmNvbTAeFw0xNzA4MTAxNTMyNDlaFw0yNzA4MDgxNTMyNDla
MFsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMR8wHQYDVQQDExZwZWVyMC5vcmcxLmV4YW1wbGUuY29tMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrov/lsUPTequQmGlpXEWaGns9q+LVtI
4igu+6DZxE1OYPfT9SoOvNyEYl4kj2xTjwuFaONH8K01moeeCsuQwaNNMEswDgYD
VR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAgaJ7EjSXkGtFT
IO81qYkZh2hj0w7MkHTty+UU4KMiUQUwCgYIKoZIzj0EAwIDSAAwRQIhAMoz2r0Y
l9kdpALKAOOAgkuUf7h8OPmNERvachWqAR52AiA/NbGl5yeAsQYukxaOHUPz3/xr
EZpIfwconq/5ASnnNA==
-----END CERTIFICATE-----
Change-Id: I3e1e5d2ddfc13ec3d83bf2cfa675071159f65eeb
Signed-off-by: yacovm
(cherry picked from commit 82f0bd94c9ef489ade6075d3e322a7cbac4bbb0d)
Signed-off-by: Gari Singh
---
 msp/cert.go | 55 ++++++++++++++++++++++++++++++++++-------------
 msp/identities.go | 16 +++-----------
 2 files changed, 43 insertions(+), 28 deletions(-)
diff --git a/msp/cert.go b/msp/cert.go
index d7bfc7d183b..0df594b79e9 100644
--- a/msp/cert.go
+++ b/msp/cert.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package msp
@@ -22,11 +12,12 @@ import (
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/asn1"
+ "encoding/pem"
+ "errors"
+ "fmt"
 "math/big"
 "time"
 
- "errors"
-
 "github.com/hyperledger/fabric/bccsp/sw"
 )
 
@@ -101,7 +92,7 @@ func sanitizeECDSASignedCert(cert *x509.Certificate, parentCert *x509.Certificat
 // the lower level interface that represent an x509 certificate
 // encoding
 var newCert certificate
- _, err = asn1.Unmarshal(cert.Raw, &newCert)
+ newCert, err = certFromX509Cert(cert)
 if err != nil {
 return nil, err
 }
@@ -119,3 +110,37 @@ func sanitizeECDSASignedCert(cert *x509.Certificate, parentCert *x509.Certificat
 // 4. parse newRaw to get an x509 certificate
 return x509.ParseCertificate(newRaw)
 }
+
+func certFromX509Cert(cert *x509.Certificate) (certificate, error) {
+ var newCert certificate
+ _, err := asn1.Unmarshal(cert.Raw, &newCert)
+ if err != nil {
+ return certificate{}, err
+ }
+ return newCert, nil
+}
+
+// String returns a PEM representation of a certificate
+func (c certificate) String() string {
+ b, err := asn1.Marshal(c)
+ if err != nil {
+ return fmt.Sprintf("Failed marshaling cert: %v", err)
+ }
+ block := &pem.Block{
+ Bytes: b,
+ Type: "CERTIFICATE",
+ }
+ b = pem.EncodeToMemory(block)
+ return string(b)
+}
+
+// certToPEM converts the given x509.Certificate to a PEM
+// encoded string
+func certToPEM(certificate *x509.Certificate) string {
+ cert, err := certFromX509Cert(certificate)
+ if err != nil {
+ mspIdentityLogger.Warning("Failed converting certificate to asn1", err)
+ return ""
+ }
+ return cert.String()
+}
diff --git a/msp/identities.go b/msp/identities.go
index dd11f49baa6..a2cc9f3da58 100644
--- a/msp/identities.go
+++ b/msp/identities.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package msp
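Review bot: `certToPEM` in msp/cert.go logs a re-encoding of the certificate rather than the bytes that were received: it unmarshals `cert.Raw` into the internal `certificate` struct and `String()` marshals that struct again, so the logged PEM equals the input only if that round trip is lossless, which depends on the `certificate` type defined outside this hunk. For a log line meant to show which certificate was presented, encoding the original DER is simpler and exact, `return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificate.Raw}))`. The call `mspIdentityLogger.Warning("Failed converting certificate to asn1", err)` passes the error as a bare argument; if the logger joins arguments the way `fmt.Sprint` does, the text and the error run together, so `Warningf("Failed converting certificate to asn1: %v", err)` is safer. `certFromX509Cert` has no doc comment and reads `cert.Raw` without a nil check; a one-line comment such as `// certFromX509Cert decodes cert.Raw into the package's ASN.1 certificate struct; cert must be non-nil.` would state the contract.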
@@ -49,7 +39,7 @@ type identity struct {
 }
 
 func newIdentity(id *IdentityIdentifier, cert *x509.Certificate, pk bccsp.Key, msp *bccspmsp) (Identity, error) {
- mspIdentityLogger.Debugf("Creating identity instance for ID %s", id)
+ mspIdentityLogger.Debugf("Creating identity instance for ID %s", certToPEM(cert))
 
 // Sanitize first the certificate
 cert, err := msp.sanitizeCert(cert)
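Review bot: In `newIdentity` the format string still reads `for ID %s` although the argument is now the certificate PEM, and `id` is no longer logged at all; the sample output in the commit message says `for cert`, so the label should follow it, `mspIdentityLogger.Debugf("Creating identity instance for cert %s", certToPEM(cert))`. The argument is evaluated on every call whatever the log level, so each identity creation pays an ASN.1 unmarshal, a marshal and a PEM encode even when DEBUG is off; wrapping the statement in the logger's level check, if it exposes one, avoids that cost. `certToPEM` also reads `cert.Raw` before `msp.sanitizeCert(cert)` runs, so a nil `cert` would now panic on this line, assuming any caller can pass one. The body of `newIdentity` continues outside the hunk.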