export function generateEndorsedCert()

in src/governance/ccf-app/js/src/endpoints/ca/cakey.ts [32:128]

• 84 lines of code
• 7 McCabe index (conditional complexity)

export function generateEndorsedCert(
  request: ccfapp.Request<GenerateEndorsedCertRequest>
): ccfapp.Response | ErrorResponse {
  const contractId = request.params.contractId;
  const body = request.body.json();
  if (!body.attestation) {
    return {
      statusCode: 400,
      body: new ErrorResponse(
        "AttestationMissing",
        "Attestation payload must be supplied."
      )
    };
  }

  if (!body.encrypt) {
    return {
      statusCode: 400,
      body: new ErrorResponse(
        "EncryptionMissing",
        "Encrypt payload must be supplied."
      )
    };
  }

  // First validate attestation report.
  let snpAttestationResult: SnpAttestationResult;
  try {
    snpAttestationResult = verifySnpAttestation(contractId, body.attestation);
  } catch (e) {
    return {
      statusCode: 400,
      body: new ErrorResponse("VerifySnpAttestationFailed", e.message)
    };
  }

  //  Then validate the report data value.
  try {
    verifyReportData(snpAttestationResult, body.encrypt.publicKey);
  } catch (e) {
    return {
      statusCode: 400,
      body: new ErrorResponse("ReportDataMismatch", e.message)
    };
  }

  // Attestation report and report data values are verified. Now check the signature.
  const data: ArrayBuffer = b64ToBuf(body.data);
  try {
    verifySignature(body.sign, data);
  } catch (e) {
    return {
      statusCode: 400,
      body: new ErrorResponse("SignatureMismatch", e.message)
    };
  }

  // All verifications pass. Genereate the endorsed certificate.
  const item = getCASigningKey(contractId);
  if (item === null) {
    return {
      statusCode: 404,
      body: new ErrorResponse(
        "NoCASigningKey",
        "Cannot generate endorsed certificate as there is no CA signing key for this contract."
      )
    };
  }

  const requestData: GenerateEndorsedCertRequestData = JSON.parse(
    ccf.bufToStr(data)
  );

  const endorsed_cert = cleanroom.crypto.generateEndorsedCert(
    requestData.publicKey,
    requestData.subjectName,
    requestData.subjectAlternateNames,
    requestData.validityPeriodDays,
    item.privateKey,
    item.caCert,
    false
  );

  // Wrap the response before returning it.
  const serializedItem = JSON.stringify(endorsed_cert);
  const wrapAlgo = {
    name: "RSA-OAEP-AES-KWP",
    aesKeySize: 256
  } as RsaOaepAesKwpParams;
  const wrapped: ArrayBuffer = ccf.crypto.wrapKey(
    ccf.strToBuf(serializedItem),
    ccf.strToBuf(Base64.decode(body.encrypt.publicKey)),
    wrapAlgo
  );
  const wrappedBase64 = Base64.fromUint8Array(new Uint8Array(wrapped));
  return { body: { value: wrappedBase64 } };
}