idemix

Published: Feb 19, 2020 License: Apache-2.0 Imports: 27 Imported by: 32


Constants

const (
	// DefaultIssuerPublicKeyFile is the default name of the file that contains issuer public key
	DefaultIssuerPublicKeyFile = "IssuerPublicKey"
	// DefaultIssuerSecretKeyFile is the default name of the file that contains issuer secret key.
	// This is the long-term issuer signing key (the *idemix.IssuerKey that Lib.NewCredential
	// takes); whoever can read it can issue Idemix credentials, so the file must only be
	// readable by the CA process.
	DefaultIssuerSecretKeyFile = "IssuerSecretKey"
	// DefaultRevocationPublicKeyFile is the name of the file where revocation public key is stored
	DefaultRevocationPublicKeyFile = "IssuerRevocationPublicKey"
	// DefaultRevocationPrivateKeyFile is the name of the file where revocation private key is stored.
	// This ECDSA key signs the CRI (see Lib.CreateCRI); compromise lets an attacker forge
	// non-revocation information, so treat it with the same care as the issuer secret key.
	DefaultRevocationPrivateKeyFile = "IssuerRevocationPrivateKey"
	// KeystoreDir is the keystore directory where all keys are stored. It is relative to the server home directory.
	// NOTE(review): the on-disk permissions of this directory and the key files are not
	// established here — confirm that IssuerCredential.Store and RevocationKey.Store write
	// the secret/private key files with a restrictive mode.
	// The Config struct tags repeat these four file names as literals rather than referencing
	// the constants; keep the two in sync if either is ever changed.
	KeystoreDir = "msp/keystore"
)
const (
	// InsertCredentialSQL is the SQL to add a credential to database
	// (the literal is elided by the documentation renderer).
	InsertCredentialSQL = `` /* 208-byte string literal not displayed */

	// SelectCredentialByIDSQL is the SQL for getting credentials of a user.
	// The %s is a column-list placeholder that the accessor fills in before the
	// query runs; it must only ever receive a code-defined column list, never
	// anything derived from request data. The caller-supplied value (id) is
	// bound through the ? placeholder, so it is not string-concatenated into
	// the statement.
	SelectCredentialByIDSQL = `
SELECT %s FROM credentials
WHERE (id = ?);`

	// SelectCredentialSQL is the SQL for getting a credential given a revocation handle.
	// Same %s / ? split as above: column list from code, revocation handle bound as a parameter.
	SelectCredentialSQL = `
SELECT %s FROM credentials
WHERE (revocation_handle = ?);`

	// SelectRevokedCredentialSQL is the SQL for getting revoked credentials.
	// The 'revoked' literal here is the status value a CredRecord must carry
	// to be excluded from the CRI's unrevoked handle list; any code that sets
	// CredRecord.Status must use exactly this spelling.
	SelectRevokedCredentialSQL = `
SELECT %s FROM credentials
WHERE (status = 'revoked');`

	// UpdateRevokeCredentialSQL is the SQL for updating status of a credential to revoked
	// (the literal is elided by the documentation renderer).
	UpdateRevokeCredentialSQL = `` /* 128-byte string literal not displayed */

	// DeleteCredentialbyID is the SQL for deleting credential of a user.
	// Note this deletes every credential row for the enrollment ID, not a
	// single credential.
	DeleteCredentialbyID = `
DELETE FROM credentials
		WHERE (id = ?);`
)
const (
	// AttrEnrollmentID is the attribute name for enrollment ID
	AttrEnrollmentID = "EnrollmentID"
	// AttrRole is the attribute name for role.
	// The value is a Role bitmask (see GetRoleMask / CheckRole), not a single role.
	AttrRole = "Role"
	// AttrOU is the attribute name for OU
	AttrOU = "OU"
	// AttrRevocationHandle is the attribute name for revocation handle.
	// This is the attribute that ties a credential to its row in the credentials
	// table (CredRecord.RevocationHandle) and to the CRI produced by the
	// RevocationAuthority; it is what makes revocation possible.
	AttrRevocationHandle = "RevocationHandle"
)
const (
	// InsertNonce is the SQL for inserting a nonce.
	// Uses named parameters (:val, :expiry, :level) that match the db tags on
	// Nonce; every other statement in this package uses positional ? markers.
	InsertNonce = "INSERT into nonces(val, expiry, level) VALUES (:val, :expiry, :level)"
	// SelectNonce is query string for getting a particular nonce
	SelectNonce = "SELECT * FROM nonces WHERE (val = ?)"
	// RemoveNonce is the query string for removing a specified nonce.
	// NOTE(review): a nonce is only single-use if it is removed once it has been
	// verified; whether NonceManager.CheckNonce does that is not visible here — confirm,
	// otherwise a captured enroll request could be replayed within the expiry window.
	RemoveNonce = "DELETE FROM nonces WHERE (val = ?)"
	// RemoveExpiredNonces is the SQL string removing expired nonces
	RemoveExpiredNonces = "DELETE FROM nonces WHERE (expiry < ?)"
	// DefaultNonceExpiration is the default value for nonce expiration.
	// This bounds how long an issued nonce stays valid; keep it short, since it is
	// also the maximum replay window for a request whose nonce is not consumed.
	DefaultNonceExpiration = "15s"
	// DefaultNonceSweepInterval is the default value for nonce sweep interval.
	// Much longer than the expiration, so expired rows sit in the table between
	// sweeps. CheckNonce is documented as rejecting expired nonces itself, so the
	// sweep is housekeeping rather than the enforcement point.
	DefaultNonceSweepInterval = "15m"
)
const (
	// InsertRAInfo is the SQL for inserting revocation authority info
	// (the literal is elided by the documentation renderer).
	InsertRAInfo = "" /* 143-byte string literal not displayed */
	// SelectRAInfo is the query string for getting revocation authority info.
	// No WHERE clause: the table is expected to hold a single row.
	SelectRAInfo = "SELECT * FROM revocation_authority_info"
	// UpdateNextAndLastHandle is the SQL for updating next and last revocation handle.
	// The trailing WHERE (epoch = ?) looks like an optimistic-concurrency guard so
	// that two CA instances sharing one database cannot both advance the handle
	// pool from the same epoch and hand out duplicate revocation handles; the
	// caller needs to check the affected-row count for that to work — confirm
	// in the RevocationAuthority implementation.
	UpdateNextAndLastHandle = "UPDATE revocation_authority_info SET next_handle = ?, lasthandle_in_pool = ?, epoch = ? WHERE (epoch = ?)"
	// UpdateNextHandle is the SQL for updating next revocation handle
	UpdateNextHandle = "UPDATE revocation_authority_info SET next_handle = ? WHERE (epoch = ?)"
	// DefaultRevocationHandlePoolSize is the default revocation handle pool size.
	// NOTE(review): Config.RHPoolSize carries `def:"100"`, which disagrees with
	// this value; only one of them can be the effective default — reconcile.
	DefaultRevocationHandlePoolSize = 1000
)

Variables

This section is empty.

Functions

func CheckRole added in v1.3.0

func CheckRole(bitmask int, role Role) bool

CheckRole reports whether the given role bit is set in bitmask. It tests a single role, not a combination; build combinations with GetRoleMask.

func DecodeKeys

func DecodeKeys(pemEncodedPK, pemEncodedPubKey []byte) (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)

DecodeKeys decodes ECDSA key pair that are pem encoded

func EncodeKeys

func EncodeKeys(privateKey *ecdsa.PrivateKey, publicKey *ecdsa.PublicKey) ([]byte, []byte, error)

EncodeKeys encodes ECDSA key pair to PEM encoding

func GetAttributeNames

func GetAttributeNames() []string

GetAttributeNames returns attribute names supported by the Fabric CA for Idemix credentials

func GetRoleMask added in v1.3.0

func GetRoleMask(roles []Role) int

GetRoleMask combines a list of roles into a single bitmask (bitwise OR of the Role values).

func IsToken

func IsToken(token string) bool

IsToken returns true if the specified token has the format expected of an authorization token created with an Idemix credential. It is a format check only and does not verify the token; use Issuer.VerifyToken for that.

Types

type CRIRequestHandler

// CRIRequestHandler serves the idemix/cri request. It carries the per-request
// context and the issuer whose RevocationAuthority produces the CRI.
type CRIRequestHandler struct {
	// Ctx is the request context; it exposes authentication and the caller
	// (see ServerRequestCtx). Which of those HandleRequest uses is not visible here.
	Ctx    ServerRequestCtx
	// Issuer gives access to the issuer components, including the RevocationAuthority.
	Issuer MyIssuer
}

CRIRequestHandler is the handler for Idemix CRI (credential revocation information) request

func (*CRIRequestHandler) HandleRequest

func (ch *CRIRequestHandler) HandleRequest() (*api.GetCRIResponse, error)

HandleRequest handles processing for idemix/cri request

type Clock

// Clock abstracts time.Now so that nonce expiry can be controlled in tests;
// NewNonceManager takes one.
type Clock interface {
	// Now returns the current time.
	Now() time.Time
}

Clock provides time related functions

type Config

// Config holds the Idemix-related configuration of a CA. The `def` tags give
// the defaults; `skip:"true"` presumably hides the key-file fields from
// command-line flag generation — confirm against the config loader.
type Config struct {
	// Key file names are relative to KeystoreDir under the server home directory.
	// The defaults duplicate the Default*File constants as literals.
	IssuerPublicKeyfile      string `def:"IssuerPublicKey" skip:"true" help:"Name of the file that contains marshalled bytes of CA's Idemix issuer public key"`
	IssuerSecretKeyfile      string `def:"IssuerSecretKey" skip:"true" help:"Name of the file that contains CA's Idemix issuer secret key"`
	RevocationPublicKeyfile  string `def:"IssuerRevocationPublicKey" skip:"true" help:"Name of the file that contains Idemix issuer revocation public key"`
	RevocationPrivateKeyfile string `def:"IssuerRevocationPrivateKey" skip:"true" help:"Name of the file that contains Idemix issuer revocation private key"`
	// NOTE(review): this default (100) disagrees with DefaultRevocationHandlePoolSize (1000).
	RHPoolSize               int    `def:"100" help:"Specifies revocation handle pool size"`
	// Durations are strings parsed at runtime (time.ParseDuration format, e.g. "15s").
	NonceExpiration          string `def:"15s" help:"Duration after which a nonce expires"`
	NonceSweepInterval       string `def:"15m" help:"Interval at which expired nonces are deleted"`
}

Config encapsulates the Idemix-related configuration options of a CA.

type CredDBAccessor

// CredDBAccessor is the data-access interface for the credentials table.
// Revocation handles are the primary lookup key; enrollment IDs map to
// potentially several credentials.
type CredDBAccessor interface {
	// Sets reference to datastore object
	SetDB(db db.FabricCADB)
	// InsertCredential inserts specified Idemix credential record into database
	InsertCredential(cr CredRecord) error
	// GetCredential returns Idemix credential associated with the specified revocation
	// handle
	GetCredential(revocationHandle string) (*CredRecord, error)
	// GetCredentialsByID returns Idemix credentials associated with the specified
	// enrollment ID
	GetCredentialsByID(id string) ([]CredRecord, error)
	// GetRevokedCredentials returns revoked credentials (rows whose status is
	// 'revoked', per SelectRevokedCredentialSQL)
	GetRevokedCredentials() ([]CredRecord, error)
}

CredDBAccessor is the accessor for credentials database table

func NewCredentialAccessor

func NewCredentialAccessor(db db.FabricCADB, level int) CredDBAccessor

NewCredentialAccessor returns a new CredentialAccessor.

type CredRecord

// CredRecord is one row of the credentials table. The db tags name the
// columns used by the *SQL constants in this package.
type CredRecord struct {
	// ID is the enrollment ID the credential was issued to.
	ID               string    `db:"id"`
	// RevocationHandle is the credential's revocation handle, the key used by
	// GetCredential and the value that appears in the CRI.
	RevocationHandle string    `db:"revocation_handle"`
	// Cred is the serialized credential. EnrollmentResponse.Credential is
	// base64; presumably the same encoding is stored here — confirm.
	Cred             string    `db:"cred"`
	CALabel          string    `db:"ca_label"`
	// Status must be exactly "revoked" for SelectRevokedCredentialSQL to match.
	Status           string    `db:"status"`
	// Reason is the revocation reason code; its value set is not defined here.
	Reason           int       `db:"reason"`
	Expiry           time.Time `db:"expiry"`
	RevokedAt        time.Time `db:"revoked_at"`
	// Level is the schema level of the row, mirroring Nonce.Level and
	// RevocationAuthorityInfo.Level.
	Level            int       `db:"level"`
}

CredRecord represents a credential database record

type CredentialAccessor

// CredentialAccessor is the database-backed implementation of CredDBAccessor.
// Construct it with NewCredentialAccessor; the fields are unexported.
type CredentialAccessor struct {
	// contains filtered or unexported fields
}

CredentialAccessor implements the CredDBAccessor interface.

func (*CredentialAccessor) GetCredential

func (ac *CredentialAccessor) GetCredential(revocationHandle string) (*CredRecord, error)

GetCredential returns the CredRecord whose revocation_handle column equals revocationHandle.

func (*CredentialAccessor) GetCredentialsByID

func (ac *CredentialAccessor) GetCredentialsByID(id string) ([]CredRecord, error)

GetCredentialsByID returns all CredRecords whose id column equals the given enrollment ID; a user may hold more than one credential.

func (*CredentialAccessor) GetRevokedCredentials

func (ac *CredentialAccessor) GetRevokedCredentials() ([]CredRecord, error)

GetRevokedCredentials returns all credential records whose status is 'revoked'.

func (*CredentialAccessor) InsertCredential

func (ac *CredentialAccessor) InsertCredential(cr CredRecord) error

InsertCredential puts a CredentialRecord into db.

func (*CredentialAccessor) SetDB

func (ac *CredentialAccessor) SetDB(db db.FabricCADB)

SetDB replaces the underlying database handle that the accessor uses for its queries.

type EnrollRequestHandler

// EnrollRequestHandler serves an Idemix enroll request: it authenticates the
// caller, generates a nonce and issues a credential through the issuer and
// the Idemix library.
type EnrollRequestHandler struct {
	// Ctx is the request context used for authentication and body parsing.
	Ctx          ServerRequestCtx
	// EnrollmentID is the identity the credential is being issued for;
	// presumably set from the result of Authenticate — confirm.
	EnrollmentID string
	// Issuer provides the issuer key, revocation authority and nonce manager.
	Issuer       MyIssuer
	// IdmxLib is the Idemix primitive library used to build the credential.
	IdmxLib      Lib
}

EnrollRequestHandler is the handler for Idemix enroll request

func (*EnrollRequestHandler) Authenticate

func (h *EnrollRequestHandler) Authenticate() error

Authenticate authenticates the Idemix enroll request

func (*EnrollRequestHandler) GenerateNonce

func (h *EnrollRequestHandler) GenerateNonce() (*fp256bn.BIG, error)

GenerateNonce generates a nonce for an Idemix enroll request

func (*EnrollRequestHandler) GetAttributeValues

func (h *EnrollRequestHandler) GetAttributeValues(caller user.User, ipk *idemix.IssuerPublicKey,
	rh *fp256bn.BIG) (map[string]interface{}, []*fp256bn.BIG, error)

GetAttributeValues returns attribute values of the caller of Idemix enroll request

func (*EnrollRequestHandler) HandleRequest

func (h *EnrollRequestHandler) HandleRequest() (*EnrollmentResponse, error)

HandleRequest handles processing for Idemix enroll

type EnrollmentResponse

// EnrollmentResponse is what the server returns for an Idemix enroll request.
// Binary values are base64 strings so the struct can be serialized as JSON.
type EnrollmentResponse struct {
	// Base64 encoding of idemix Credential
	Credential string
	// Attribute name-value pairs (keys are the Attr* constants)
	Attrs map[string]interface{}
	// Base64 encoding of Credential Revocation information
	CRI string
	// Base64 encoding of the issuer nonce
	Nonce string
}

EnrollmentResponse is the idemix enrollment response from the server

type Issuer

// Issuer is the interface the rest of the CA uses to drive Idemix issuance,
// revocation information and token verification.
type Issuer interface {
	// Init loads or (when renew is true) regenerates the issuer material and
	// wires the database at the given schema levels.
	Init(renew bool, db db.FabricCADB, levels *dbutil.Levels) error
	// IssuerPublicKey returns the serialized issuer public key.
	IssuerPublicKey() ([]byte, error)
	// RevocationPublicKey returns the serialized revocation public key.
	RevocationPublicKey() ([]byte, error)
	// IssueCredential handles an enroll request and returns the credential response.
	IssueCredential(ctx ServerRequestCtx) (*EnrollmentResponse, error)
	// GetCRI returns the latest credential revocation information.
	GetCRI(ctx ServerRequestCtx) (*api.GetCRIResponse, error)
	// VerifyToken verifies an Idemix authorization header and returns the
	// caller identity. It takes the HTTP method, URI and body, which suggests
	// the token is bound to the specific request rather than reusable across
	// endpoints — confirm in the implementation.
	VerifyToken(authHdr, method, uri string, body []byte) (string, error)
}

Issuer is the interface to the Issuer for external components

func NewIssuer

func NewIssuer(name, homeDir string, config *Config, csp bccsp.BCCSP, idemixLib Lib) Issuer

NewIssuer returns an object that implements Issuer interface

type IssuerCredential

// IssuerCredential manages the CA's Idemix issuer key pair on disk. The
// secret half is the credential-signing key, so Store must write it with
// restrictive permissions — not established here, confirm in the implementation.
type IssuerCredential interface {
	// Load loads the CA's Idemix credential from the disk
	Load() error
	// Store stores the CA's Idemix credential to the disk
	Store() error
	// GetIssuerKey returns *idemix.IssuerKey that represents
	// CA's Idemix public and secret key
	GetIssuerKey() (*idemix.IssuerKey, error)
	// SetIssuerKey sets issuer key
	SetIssuerKey(key *idemix.IssuerKey)
	// Returns new instance of idemix.IssuerKey
	NewIssuerKey() (*idemix.IssuerKey, error)
}

IssuerCredential represents CA's Idemix credential

func NewIssuerCredential

func NewIssuerCredential(pubKeyFile, secretKeyFile string, lib Lib) IssuerCredential

NewIssuerCredential returns an instance of an object that implements IssuerCredential interface

type Lib

// Lib wraps the Idemix cryptographic primitives this package depends on.
// Every key- or credential-producing call takes the *amcl.RAND explicitly;
// callers should pass the one from GetRand / MyIssuer.IdemixRand rather than
// a fresh instance. How that RAND is seeded is not visible here — issuer
// secret keys and credentials derive from it, so confirm it is seeded from
// a cryptographic source.
type Lib interface {
	// NewIssuerKey generates an issuer key pair for the given attribute names.
	NewIssuerKey(AttributeNames []string, rng *amcl.RAND) (ik *idemix.IssuerKey, err error)
	// NewCredential signs a credential request with the issuer key over attrs.
	NewCredential(key *idemix.IssuerKey, m *idemix.CredRequest, attrs []*fp256bn.BIG, rng *amcl.RAND) (cred *idemix.Credential, err error)
	// CreateCRI builds the CRI for the given epoch, signed with the revocation key.
	CreateCRI(key *ecdsa.PrivateKey, unrevokedHandles []*fp256bn.BIG, epoch int, alg idemix.RevocationAlgorithm, rng *amcl.RAND) (cri *idemix.CredentialRevocationInformation, err error)
	// GenerateLongTermRevocationKey generates the ECDSA revocation key pair.
	GenerateLongTermRevocationKey() (pk *ecdsa.PrivateKey, err error)
	// GetRand returns a random number generator for the calls above.
	GetRand() (rand *amcl.RAND, err error)
	// RandModOrder returns a random element modulo the group order.
	RandModOrder(rng *amcl.RAND) (big *fp256bn.BIG, err error)
}

Lib represents idemix library

func NewLib

func NewLib() Lib

NewLib returns an instance of an object that implements Lib interface

type MyIssuer

// MyIssuer exposes the issuer's internal components to the request handlers,
// nonce manager and revocation authority that need them.
type MyIssuer interface {
	// Name returns the CA name.
	Name() string
	// HomeDir returns the server home directory; KeystoreDir is relative to it.
	HomeDir() string
	// Config returns the Idemix configuration.
	Config() *Config
	// IdemixLib returns the Idemix primitive library.
	IdemixLib() Lib
	// DB returns the CA database handle.
	DB() db.FabricCADB
	// IdemixRand returns the shared random number generator.
	IdemixRand() *amcl.RAND
	// IssuerCredential returns the issuer key-pair holder.
	IssuerCredential() IssuerCredential
	// RevocationAuthority returns the revocation handle / CRI provider.
	RevocationAuthority() RevocationAuthority
	// NonceManager returns the enroll-nonce manager.
	NonceManager() NonceManager
	// CredDBAccessor returns the credentials-table accessor.
	CredDBAccessor() CredDBAccessor
}

MyIssuer provides functions for accessing issuer components

type Nonce

// Nonce is one row of the nonces table; the db tags match the named
// parameters in InsertNonce.
type Nonce struct {
	// Val is the nonce value as stored; its encoding is not defined here.
	Val    string    `db:"val"`
	// Expiry is the instant after which the nonce is no longer accepted.
	Expiry time.Time `db:"expiry"`
	// Level is the schema level of the row.
	Level  int       `db:"level"`
}

Nonce represents a nonce

type NonceManager

// NonceManager issues and validates the per-request nonces that protect the
// Idemix enroll flow against replay. A nonce is meaningful only if it is
// both time-limited and single-use; expiry is covered by CheckNonce, while
// removal after use is not stated in this interface — confirm in the implementation.
type NonceManager interface {
	// GetNonce creates a nonce, stores it in the database and returns it
	GetNonce() (*fp256bn.BIG, error)
	// CheckNonce checks if the specified nonce exists in the database and has not expired
	CheckNonce(nonce *fp256bn.BIG) error
	// SweepExpiredNonces removes expired nonces from the database
	SweepExpiredNonces() error
}

NonceManager is responsible for issuing new nonces and validating nonces presented in Idemix enroll requests.

func NewNonceManager

func NewNonceManager(issuer MyIssuer, clock Clock, level int) (NonceManager, error)

NewNonceManager returns an instance of an object that implements NonceManager interface

type RevocationAuthority

// RevocationAuthority hands out revocation handles and builds the CRI.
// Handles must be unique across every credential the CA ever issues; a
// reused handle would make two credentials share revocation status.
type RevocationAuthority interface {
	// GetNewRevocationHandle returns new revocation handle, which is required to
	// create a new Idemix credential
	GetNewRevocationHandle() (*fp256bn.BIG, error)
	// CreateCRI returns latest credential revocation information (CRI). CRI contains
	// information that allows a prover to create a proof that the revocation handle associated
	// with his credential is not revoked and by the verifier to verify the non-revocation
	// proof of the prover. Verification will fail if the version of the CRI that verifier has
	// does not match the version of the CRI that prover used to create non-revocation proof.
	// The version of the CRI is specified by the Epoch value associated with the CRI.
	CreateCRI() (*idemix.CredentialRevocationInformation, error)
	// Epoch returns epoch value of the latest CRI
	Epoch() (int, error)
	// PublicKey returns revocation authority's public key (the verifying half
	// of the key that signs the CRI)
	PublicKey() *ecdsa.PublicKey
}

RevocationAuthority is responsible for generating revocation handles and credential revocation info (CRI)

func NewRevocationAuthority

func NewRevocationAuthority(issuer MyIssuer, level int) (RevocationAuthority, error)

NewRevocationAuthority constructor for revocation authority

type RevocationAuthorityInfo

// RevocationAuthorityInfo is the single row of revocation_authority_info
// that tracks where the revocation authority is in its handle space.
type RevocationAuthorityInfo struct {
	// Epoch is the current CRI epoch; UpdateNextAndLastHandle and
	// UpdateNextHandle both match on it in their WHERE clause.
	Epoch                int `db:"epoch"`
	// NextRevocationHandle is the next handle to hand out.
	NextRevocationHandle int `db:"next_handle"`
	// LastHandleInPool is the last handle reserved in the current pool;
	// once NextRevocationHandle passes it a new pool must be allocated.
	LastHandleInPool     int `db:"lasthandle_in_pool"`
	// Level is the schema level of the row.
	Level                int `db:"level"`
}

RevocationAuthorityInfo is the revocation authority information record that is stored in the database

type RevocationKey

// RevocationKey manages the ECDSA key pair that signs the CRI. The private
// half lives on disk (DefaultRevocationPrivateKeyFile); Store must protect
// it, which this interface does not establish — confirm in the implementation.
type RevocationKey interface {
	// Load loads this revocation key from the disk
	Load() error
	// Store stores this revocation key to the disk
	Store() error
	// GetKey returns *ecdsa.PrivateKey that represents revocation public and private key pair
	// (ecdsa.PrivateKey embeds the PublicKey)
	GetKey() *ecdsa.PrivateKey
	// SetKey sets revocation public and private key
	SetKey(key *ecdsa.PrivateKey)
	// SetNewKey creates new revocation public and private key pair and sets them in this object
	SetNewKey() error
}

RevocationKey represents the issuer's revocation key pair (ECDSA public and private key).

func NewRevocationKey

func NewRevocationKey(pubKeyFile, privateKeyFile string, lib Lib) RevocationKey

NewRevocationKey returns an instance of an object that implements RevocationKey interface

type Role added in v1.3.0

// Role is one Idemix role. Its values are single bits so several roles can
// be combined into one bitmask (GetRoleMask) and tested individually
// (CheckRole). Note those helpers take/return int, not Role.
type Role int32

Role represents an Idemix role.

// The four roles are distinct powers of two so they can be OR-ed into a
// single bitmask. Adding a role means adding the next power of two.
const (
	MEMBER Role = 1
	ADMIN  Role = 2
	CLIENT Role = 4
	PEER   Role = 8
)

There are four roles; because each is a distinct power of two, they can be combined into a single bitmask.

type ServerRequestCtx

// ServerRequestCtx is the slice of the server's request context that the
// Idemix handlers depend on: authentication, caller lookup and body decoding.
type ServerRequestCtx interface {
	// IsBasicAuth reports whether the request carries basic authentication;
	// presumably it selects between the two authentication methods below.
	IsBasicAuth() bool
	// BasicAuthentication authenticates with basic auth and returns the identity.
	BasicAuthentication() (string, error)
	// TokenAuthentication authenticates with a token and returns the identity.
	TokenAuthentication() (string, error)
	// GetCaller returns the authenticated caller.
	GetCaller() (user.User, error)
	// ReadBody decodes the request body into body.
	ReadBody(body interface{}) error
}

ServerRequestCtx is the server request context that Idemix enroll expects

Directories

Path Synopsis
Code generated by mockery v1.0.0.
Code generated by mockery v1.0.0.
