
Enroll member request fails with signature verification

When I tried to enroll the "admin" user, the second call to CreateCertificatePair failed with the "Signature verification failed" message. BTW, I copied the enrollUser function from eca_test.go. And those tests under the membersrvc/ca package pass.

// Phase 2 of the protocol: decrypt the token the ECA sent back with the
// client's encryption private key, then sign the request with the
// client's signing private key and submit it.
spi := ecies.NewSPI()
eciesKey, err := spi.NewPrivateKey(nil, encPriv)
if err != nil {
    return err
}

ecies, err := spi.NewAsymmetricCipherFromPublicKey(eciesKey)
if err != nil {
    return err
}

// Decrypt (ECIES) the token received in the phase-1 response.
out, err := ecies.Process(resp.Tok.Tok)
if err != nil {
    return err
}

// The signature covers the request with the decrypted token in place and
// the Sig field cleared, so the server can reproduce the same bytes.
req.Tok.Tok = out
req.Sig = nil

hash := primitives.NewHash()
raw, err := proto.Marshal(req)
if err != nil {
    return err
}
hash.Write(raw)

r, s, err := ecdsa.Sign(rand.Reader, signPriv, hash.Sum(nil))
if err != nil {
    return err
}
// R and S are carried as the text (decimal) form of the big.Int values.
R, _ := r.MarshalText()
S, _ := s.MarshalText()
req.Sig = &pb.Signature{Type: pb.CryptoType_ECDSA, R: R, S: S}

resp, err = ecapClient.CreateCertificatePair(context.Background(), req)

As Sergey mentioned, CreateCertificatePair requests the creation of a new certificate pair, and according to the documentation,

During registration, the application sends a request to the certificate authority to verify the user registration and, if successful, the CA responds with the user certificates and keys.

Upon successful user authentication, the application will perform user registration with the CA exactly once. If registration is attempted a second time for the same user, an error will result. This is the reason why the second call to CreateCertificatePair is failing. If you really want to register a user who has already been registered previously, you need to remove the temporary files (the client enrollment certificate, enrollment key, transaction certificate chain, etc.) that were created by the CA server process, and to do that, run the following command:

rm -rf /var/hyperledger/production

/var/hyperledger/production is the directory where the certificates received from the CA are stored.

Source: Note on security functionality

CreateCertificatePair requests the creation of a new enrolment certificate pair by the ECA. The "enrolment" certificate is unique and can be created just once per user by the ECA.

A second call to CreateCertificatePair for the same user will lead to an error.
