/** * Create Idemix Identity from a Serialized Identity * * @param proto */ public IdemixIdentity(SerializedIdentity proto) { if (proto == null) { throw new ArgumentException("Input must not be null"); } mspId = proto.Mspid; try { logger.Trace("Fetching Idemix Proto"); SerializedIdemixIdentity idemixProto = SerializedIdemixIdentity.Parser.ParseFrom(proto.IdBytes); if (idemixProto == null) { throw new ArgumentException("The identity does not contain a serialized idemix identity"); } logger.Trace("Deserializing Nym and attribute values"); pseudonym = new ECP(BIG.FromBytes(idemixProto.NymX.ToByteArray()), BIG.FromBytes(idemixProto.NymY.ToByteArray())); OrganizationUnit ou = OrganizationUnit.Parser.ParseFrom(idemixProto.Ou); MSPRole role = MSPRole.Parser.ParseFrom(idemixProto.Role); Ou = ou.OrganizationalUnitIdentifier; RoleMask = role.Role.ToIdemixRole(); ipkHash = ou.CertifiersIdentifier.ToByteArray(); logger.Trace("Deserializing Proof"); associationProof = new IdemixSignature(Signature.Parser.ParseFrom(idemixProto.Proof.ToByteArray())); } catch (InvalidProtocolBufferException e) { throw new CryptoException("Cannot deserialize MSP ID", e); } }
// Token: 0x06001274 RID: 4724 RVA: 0x0003B65C File Offset: 0x0003985C internal static PswsAuthZUserToken GetAuthZPluginUserToken(UserToken userToken) { ExAssert.RetailAssert(userToken != null, "[PswsAuthorization.GetAuthZPluginUserToken] userToken can't be null."); Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType; SecurityIdentifier userSid = userToken.UserSid; DelegatedPrincipal delegatedPrincipal = userToken.DelegatedPrincipal; ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null)."); PartitionId partitionId = userToken.PartitionId; string text = AuthenticatedUserCache.CreateKeyForPsws(userSid, userToken.AuthenticationType, partitionId); ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User cache key = \"{0}\".", text); AuthZPluginUserToken authZPluginUserToken; if (!AuthenticatedUserCache.Instance.TryGetValue(text, out authZPluginUserToken)) { ExTraceGlobals.PublicPluginAPITracer.TraceDebug(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User not found in cache."); IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity; SerializedIdentity serializedIdentity = null; if (identity is WindowsTokenIdentity) { serializedIdentity = ((WindowsTokenIdentity)identity).ToSerializedIdentity(); } ADRawEntry adrawEntry = ExchangeAuthorizationPlugin.FindUserEntry(userSid, null, serializedIdentity, partitionId); ExAssert.RetailAssert(adrawEntry != null, "UnAuthorized. Unable to find the user."); bool condition = (adrawEntry is MiniRecipient || adrawEntry is ADUser) && (bool)adrawEntry[ADRecipientSchema.RemotePowerShellEnabled]; ExAssert.RetailAssert(condition, "UnAuthorized. PSWS not enabled user."); authZPluginUserToken = new AuthZPluginUserToken(delegatedPrincipal, adrawEntry, authenticationType, userSid.Value); AuthenticatedUserCache.Instance.AddUserToCache(text, authZPluginUserToken); } return(new PswsAuthZUserToken(authZPluginUserToken.DelegatedPrincipal, authZPluginUserToken.UserEntry, authenticationType, authZPluginUserToken.DefaultUserName, userToken.UserName)); }
/** * Serialize Idemix Identity */ public SerializedIdentity CreateSerializedIdentity() { OrganizationUnit ou = new OrganizationUnit(); ou.CertifiersIdentifier = ByteString.CopyFrom(ipkHash); ou.MspIdentifier = mspId; ou.OrganizationalUnitIdentifier = Ou; //Warning, this does not support multi-roleMask. //Serialize the bitmask is the correct way to support multi-roleMask in the future MSPRole role = new MSPRole(); role.Role = RoleMask.ToMSPRoleTypes().First(); role.MspIdentifier = mspId; SerializedIdemixIdentity serializedIdemixIdentity = new SerializedIdemixIdentity(); serializedIdemixIdentity.Proof = ByteString.CopyFrom(associationProof.ToProto().ToByteArray()); serializedIdemixIdentity.Ou = ByteString.CopyFrom(ou.ToByteArray()); serializedIdemixIdentity.Role = ByteString.CopyFrom(role.ToByteArray()); serializedIdemixIdentity.NymY = ByteString.CopyFrom(pseudonym.Y.ToBytes()); serializedIdemixIdentity.NymX = ByteString.CopyFrom(pseudonym.X.ToBytes()); SerializedIdentity serializedIdentity = new SerializedIdentity(); serializedIdentity.IdBytes = ByteString.CopyFrom(serializedIdemixIdentity.ToByteArray()); serializedIdentity.Mspid = mspId; return(serializedIdentity); }
public static ByteString GetSignatureHeaderAsByteString(IUser user, TransactionContext transactionContext) { SerializedIdentity identity = transactionContext.Identity; if (isDebugLevel) { IEnrollment enrollment = user.Enrollment; string cert = enrollment.Cert; string hexcert = cert == null ? "null" : cert.ToBytes().ToHexString(); logger.Debug($" User: {user.Name} Certificate: {hexcert}"); if (enrollment is X509Enrollment) { cert = transactionContext.CryptoPrimitives.Hash(Certificate.Create(cert).ExtractDER()).ToHexString(); // logger.debug(format(" User: %s Certificate:\n%s", user.getName(), cert)); logger.Debug($"SignatureHeader: nonce: {transactionContext.Nonce.ToHexString()}, User:{user.Name}, MSPID: {user.MspId}, idBytes: {cert}"); } } return((new SignatureHeader { Creator = identity.ToByteString(), Nonce = transactionContext.Nonce }).ToByteString()); }
private void ParseIdentity(Protos.Discovery.Peer peerRet) { try { SerializedIdentity serializedIdentity = SerializedIdentity.Parser.ParseFrom(peerRet.Identity); MspId = serializedIdentity.Mspid; } catch (Exception e) { throw new InvalidProtocolBufferRuntimeException(e); } }
public void TestSerializingAndDeserializingIdentity() { SerializedIdentity proto = signingIdentity.CreateSerializedIdentity(); Assert.IsNotNull(proto); SerializedIdemixIdentity idemixProto = null; try { idemixProto = SerializedIdemixIdentity.Parser.ParseFrom(proto.IdBytes); } catch (InvalidProtocolBufferException e) { Assert.Fail("Could not parse Idemix Serialized Identity" + e.Message); } if (idemixProto != null) { new ECP(BIG.FromBytes(idemixProto.NymX.ToByteArray()), BIG.FromBytes(idemixProto.NymY.ToByteArray())); idemixProto.Ou.ToByteArray(); idemixProto.Role.ToByteArray(); try { new IdemixSignature(Signature.Parser.ParseFrom(idemixProto.Proof.ToByteArray())); } catch (InvalidProtocolBufferException e) { Assert.Fail("Cannot deserialize proof" + e.Message); } } try { new IdemixIdentity(proto); } catch (System.Exception e) when(e is CryptoException || e is ArgumentException) { Assert.Fail("Cannot create Idemix Identity from Proto" + e.Message); } }
internal static ADRawEntry FindUserEntry(SecurityIdentifier userSid, WindowsIdentity windowsIdentity, SerializedIdentity serializedIdentity, PartitionId partitionId) { ADRawEntry result; using (new MonitoredScope("FindUserEntry", "FindUserEntry", AuthZLogHelper.AuthZPerfMonitors)) { ADSessionSettings sessionSettings; if (partitionId != null) { sessionSettings = ADSessionSettings.FromAllTenantsPartitionId(partitionId); } else { sessionSettings = ADSessionSettings.FromRootOrgScopeSet(); } IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, sessionSettings, 817, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs"); ADRawEntry adrawEntry = tenantOrRootOrgRecipientSession.FindMiniRecipientBySid <MiniRecipient>(userSid, ExchangeRunspaceConfiguration.userPropertyArray); if (adrawEntry == null && VariantConfiguration.InvariantNoFlightingSnapshot.CmdletInfra.ServiceAccountForest.Enabled) { adrawEntry = PartitionDataAggregator.GetMiniRecipientFromUserId(userSid, ExchangeRunspaceConfiguration.userPropertyArray, ConsistencyMode.IgnoreInvalid); } if (adrawEntry == null) { ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier, string>(0L, "EAP.FindUserEntry user {0} could not be found in AD, partitionId: {1}", userSid, (partitionId == null) ? "null" : partitionId.ToString()); adrawEntry = ExchangeRunspaceConfiguration.TryFindComputer(userSid); } if (adrawEntry == null && (windowsIdentity != null || serializedIdentity != null)) { ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier>(0L, "EAP.FindUserEntry computer {0} could not be found in AD", userSid); IIdentity identity = (windowsIdentity != null) ? windowsIdentity : serializedIdentity; ICollection <SecurityIdentifier> groupAccountsSIDs = identity.GetGroupAccountsSIDs(); tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 850, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs"); List <ADObjectId> list = null; if (ExchangeRunspaceConfiguration.TryFindLinkedRoleGroupsBySidList(tenantOrRootOrgRecipientSession, groupAccountsSIDs, identity.Name, out list)) { adrawEntry = new ADUser { RemotePowerShellEnabled = true }; } } result = adrawEntry; } return(result); }
public IdentitiesInfo(SerializedIdentity identity) { Mspid = identity.Mspid; Id = identity.IdBytes.ToStringUtf8(); }
/* * Verifies that a Proposal response is properly signed. The payload is the * concatenation of the response payload byte string and the endorsement The * certificate (public key) is gotten from the Endorsement.Endorser.IdBytes * field * * @param crypto the CryptoPrimitives instance to be used for signing and * verification * * @return true/false depending on result of signature verification */ public bool Verify(ICryptoSuite crypto) { logger.Trace($"{Peer} verifying transaction: {TransactionID} endorsement."); if (HasBeenVerified) { // check if this proposalResponse was already verified by client code logger.Trace($"{Peer} transaction: {TransactionID} was already verified returned {IsVerified}"); return(IsVerified); } try { if (IsInvalid) { IsVerified = false; logger.Debug($"{Peer} for transaction {TransactionID} returned invalid. Setting verify to false"); return(false); } Endorsement endorsement = ProtoProposalResponse.Endorsement; ByteString sig = endorsement.Signature; byte[] endorserCertifcate = null; byte[] signature = null; byte[] data = null; try { SerializedIdentity endorser = SerializedIdentity.Parser.ParseFrom(endorsement.Endorser); ByteString plainText = ByteString.CopyFrom(ProtoProposalResponse.Payload.Concat(endorsement.Endorser).ToArray()); if (Config.Instance.ExtraLogLevel(10)) { if (null != diagnosticFileDumper) { StringBuilder sb = new StringBuilder(10000); sb.AppendLine("payload TransactionBuilder bytes in hex: " + ProtoProposalResponse.Payload.ToByteArray().ToHexString()); sb.AppendLine("endorser bytes in hex: " + endorsement.ToByteArray().ToHexString()); sb.Append("plainText bytes in hex: " + plainText.ToByteArray().ToHexString()); logger.Trace("payload TransactionBuilder bytes: " + diagnosticFileDumper.CreateDiagnosticFile(sb.ToString())); } } if (sig == null || sig.IsEmpty) { // we shouldn't get here ... logger.Warn($"{Peer} {TransactionID} returned signature is empty verify set to false."); IsVerified = false; } else { endorserCertifcate = endorser.IdBytes.ToByteArray(); signature = sig.ToByteArray(); data = plainText.ToByteArray(); IsVerified = crypto.Verify(endorserCertifcate, Config.Instance.GetSignatureAlgorithm(), signature, data); if (!IsVerified) { logger.Warn($"{Peer} transaction: {TransactionID} verify: Failed to verify. Endorsers certificate: {endorserCertifcate.ToHexString()}, signature: {signature.ToHexString()}, signing algorithm: {Config.Instance.GetSignatureAlgorithm()}, signed data: {data.ToHexString()}."); } } } catch (Exception e) { logger.ErrorException($"{Peer} transaction: {TransactionID} verify: Failed to verify. Endorsers certificate: {endorserCertifcate.ToHexString()}, signature: {signature.ToHexString()}, signing algorithm: {Config.Instance.GetSignatureAlgorithm()}, signed data: {data.ToHexString()}.", e); logger.Error($"{Peer} transaction: {TransactionID} verify: Cannot retrieve peer identity from ProposalResponse. Error is: {e.Message}"); logger.ErrorException("verify: Cannot retrieve peer identity from ProposalResponse. Error is: " + e.Message, e); IsVerified = false; } logger.Debug($"{Peer} finished verify for transaction {TransactionID} returning {IsVerified}"); return(IsVerified); } finally { HasBeenVerified = true; } } // verify