  1. Fabric
  2. FAB-14641

Chaincode Attribute-based Access Control failing with OpenSSL user certificate


Details

    • Bug
    • Status: Closed
    • Medium
    • Resolution: Won't Do
    • v1.4.0
    • None
    • fabric-crypto

    Description

      We have a chaincode that uses the cid package ( https://github.com/hyperledger/fabric/tree/release-1.4/core/chaincode/lib/cid ) to get the custom attributes from the caller certificate.

      When using certs created with OpenSSL we get the following error: 

      failed to get attributes from the transaction invoker's certificate: Failed to unmarshal attributes from certificate: invalid character '\\f' looking for beginning of value
      

       The error is thrown in the attrmgr component  https://github.com/hyperledger/fabric/blob/eca1b14b7e3453a5d32296af79cc7bad10c7673b/core/chaincode/shim/ext/attrmgr/attrmgr.go#L129 

       When comparing openssl output of a fabric ca and an openssl cert I can see the following difference: 

       

      Fabric CA certificate:

      X509v3 extensions:
        [..]
        1.2.3.4.5.6.7.8.1:
            {"attrs":{}}

      OpenSSL certificate:

      X509v3 extensions:
        [..]
        1.2.3.4.5.6.7.8.1:
            .d{"attrs":{}}


       The custom extension of the OpenSSL cert seems to be prefixed with some characters, which causes json.Unmarshal to fail. The custom attributes are generated as shown in the OpenSSL docs for Arbitrary Extensions https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html#ARBITRARY-EXTENSIONS 

       

      Quick fix:

      If I change the attrmgr code to remove the first two bytes of the value input byte array, the unmarshal works as expected. However, the Fabric CA certs will not work with this fix anymore...

      err := json.Unmarshal(buf[2:], attrs)

       

      Please also add support for certificates created with OpenSSL.
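
Added example, not part of the original report and not Fabric's attrmgr code: a decoder that accepts both encodings, assuming the OpenSSL extension value is a DER string such as UTF8String (the '\f' in the error is byte 0x0c, the UTF8String tag, followed by a length). The helper names and sample attribute values are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"strings"
)

// Attributes mirrors the JSON shape shown in the report: {"attrs":{...}}.
type Attributes struct {
	Attrs map[string]string `json:"attrs"`
}

// decodeAttrs (hypothetical) accepts raw JSON or JSON wrapped in a DER string.
func decodeAttrs(ext []byte) (*Attributes, error) {
	payload := ext
	var s string
	// asn1.Unmarshal reads the tag and the short- or long-form length itself.
	if rest, err := asn1.Unmarshal(ext, &s); err == nil && len(rest) == 0 {
		payload = []byte(s)
	}
	attrs := &Attributes{}
	return attrs, json.Unmarshal(payload, attrs)
}

// skipTwoBytes reproduces the quick fix from the report for comparison.
func skipTwoBytes(ext []byte) (*Attributes, error) {
	attrs := &Attributes{}
	return attrs, json.Unmarshal(ext[2:], attrs)
}

// wrapUTF8String DER-encodes s as a UTF8String to build constructed samples.
func wrapUTF8String(s string) []byte {
	der, _ := asn1.MarshalWithParams(s, "utf8") // valid UTF-8 input cannot fail
	return der
}

func main() {
	short := `{"attrs":{"role":"auditor"}}` // constructed sample values
	long := `{"attrs":{"note":"` + strings.Repeat("x", 200) + `"}}`
	samples := [][]byte{[]byte(short), wrapUTF8String(short), wrapUTF8String(long)}
	for _, ext := range samples {
		_, errA := decodeAttrs(ext)
		_, errB := skipTwoBytes(ext)
		fmt.Printf("first byte %#02x: decodeAttrs=%v skipTwoBytes=%v\n", ext[0], errA, errB)
	}
}
```

The third sample shows why a fixed two-byte skip is fragile even for OpenSSL certificates: once the JSON exceeds 127 bytes the DER length takes the long form and the header is three bytes or more.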

       

       


          People

            Unassigned Unassigned
            chrisf Christopher Fries