[FAB-10370] change format for storing revocationpk

We store the revocation key as encoded PEM bytes to
be consistent with how x509 certs are stored.

Change-Id: Iee8373b1ceaa00095b0dcf72ecca4a92ab0bcc6f
Signed-off-by: Manu Drijvers <mdr@zurich.ibm.com>

Author: Manu Drijvers

common/tools/idemixgen/idemixca/idemixca_test.go

@@ -12,7 +12,9 @@ import (
 	"path/filepath"
 	"testing"
 
-	"crypto/elliptic"
+	"crypto/x509"
+
+	"encoding/pem"
 
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/idemix"
@@ -37,7 +39,11 @@ func TestIdemixCa(t *testing.T) {
 	err = proto.Unmarshal(ipkBytes, ipk)
 	assert.NoError(t, err)
 
-	writeVerifierToFile(ipkBytes, elliptic.Marshal(elliptic.P384(), revocationkey.X, revocationkey.Y))
+	encodedRevocationPK, err := x509.MarshalPKIXPublicKey(revocationkey.Public())
+	assert.NoError(t, err)
+	pemEncodedRevocationPK := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: encodedRevocationPK})
+
+	writeVerifierToFile(ipkBytes, pemEncodedRevocationPK)
 
 	key := &idemix.IssuerKey{Isk: isk, Ipk: ipk}
 

common/tools/idemixgen/idemixgen.go

@@ -18,10 +18,10 @@ import (
 	"os"
 	"path/filepath"
 
-	"crypto/elliptic"
-
 	"crypto/ecdsa"
 
+	"encoding/pem"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/common/tools/idemixgen/idemixca"
 	"github.com/hyperledger/fabric/common/tools/idemixgen/metadata"
@@ -64,9 +64,13 @@ func main() {
 
 		revocationKey, err := idemix.GenerateLongTermRevocationKey()
 		handleError(err)
-		revocationKeyBytes, err := x509.MarshalECPrivateKey(revocationKey)
+		encodedRevocationSK, err := x509.MarshalECPrivateKey(revocationKey)
+		handleError(err)
+		pemEncodedRevocationSK := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: encodedRevocationSK})
 		handleError(err)
-		revocationPkBytes := elliptic.Marshal(elliptic.P384(), revocationKey.X, revocationKey.Y)
+		encodedRevocationPK, err := x509.MarshalPKIXPublicKey(revocationKey.Public())
+		handleError(err)
+		pemEncodedRevocationPK := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: encodedRevocationPK})
 
 		// Prevent overwriting the existing key
 		path := filepath.Join(*outputDir, IdemixDirIssuer)
@@ -79,9 +83,9 @@ func main() {
 		handleError(os.MkdirAll(filepath.Join(*outputDir, IdemixDirIssuer), 0770))
 		handleError(os.MkdirAll(filepath.Join(*outputDir, msp.IdemixConfigDirMsp), 0770))
 		writeFile(filepath.Join(*outputDir, IdemixDirIssuer, IdemixConfigIssuerSecretKey), isk)
-		writeFile(filepath.Join(*outputDir, IdemixDirIssuer, IdemixConfigRevocationKey), revocationKeyBytes)
+		writeFile(filepath.Join(*outputDir, IdemixDirIssuer, IdemixConfigRevocationKey), pemEncodedRevocationSK)
 		writeFile(filepath.Join(*outputDir, IdemixDirIssuer, msp.IdemixConfigFileIssuerPublicKey), ipk)
-		writeFile(filepath.Join(*outputDir, msp.IdemixConfigDirMsp, msp.IdemixConfigFileRevocationPublicKey), revocationPkBytes)
+		writeFile(filepath.Join(*outputDir, msp.IdemixConfigDirMsp, msp.IdemixConfigFileRevocationPublicKey), pemEncodedRevocationPK)
 		writeFile(filepath.Join(*outputDir, msp.IdemixConfigDirMsp, msp.IdemixConfigFileIssuerPublicKey), ipk)
 
 	case genSignerConfig.FullCommand():
@@ -134,7 +138,12 @@ func readRevocationKey() *ecdsa.PrivateKey {
 	if err != nil {
 		handleError(errors.Wrapf(err, "failed to open revocation secret key file: %s", path))
 	}
-	key, err := x509.ParseECPrivateKey(keyBytes)
+
+	block, _ := pem.Decode(keyBytes)
+	if block == nil {
+		handleError(errors.Errorf("failed to decode ECDSA private key"))
+	}
+	key, err := x509.ParseECPrivateKey(block.Bytes)
 	handleError(err)
 
 	return key

msp/idemixmsp.go

@@ -13,7 +13,11 @@ import (
 
 	"crypto/ecdsa"
 
-	"crypto/elliptic"
+	"crypto/x509"
+
+	"encoding/pem"
+
+	"reflect"
 
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric-amcl/amcl"
@@ -129,12 +133,19 @@ func (msp *idemixmsp) Setup(conf1 *m.MSPConfig) error {
 	msp.rng = rng
 
 	// get the revocation public key from the config
-	revPkX, revPkY := elliptic.Unmarshal(elliptic.P384(), conf.RevocationPk)
-	msp.revocationPK = &ecdsa.PublicKey{
-		Curve: elliptic.P384(),
-		X:     revPkX,
-		Y:     revPkY,
+	blockPub, _ := pem.Decode(conf.RevocationPk)
+	if blockPub == nil {
+		return errors.New("Failed to decode revocation ECDSA public key")
+	}
+	revocationPk, err := x509.ParsePKIXPublicKey(blockPub.Bytes)
+	if err != nil {
+		return errors.Wrap(err, "Failed to parse revocation ECDSA public key bytes")
+	}
+	ecdsaPublicKey, isECDSA := revocationPk.(*ecdsa.PublicKey)
+	if !isECDSA {
+		return errors.Errorf("key is of type %v, not of type ECDSA", reflect.TypeOf(revocationPk))
 	}
+	msp.revocationPK = ecdsaPublicKey
 
 	if conf.Signer == nil {
 		// No credential in config, so we don't setup a default signer