const (
// DefaultIssuerPublicKeyFile is the default name of the file that contains the issuer public key.
DefaultIssuerPublicKeyFile = "IssuerPublicKey"
// DefaultIssuerSecretKeyFile is the default name of the file that contains the issuer secret key.
// This file holds private key material; it lives under KeystoreDir and its filesystem
// permissions should be restricted accordingly.
DefaultIssuerSecretKeyFile = "IssuerSecretKey"
// DefaultRevocationPublicKeyFile is the name of the file where the revocation public key is stored.
DefaultRevocationPublicKeyFile = "IssuerRevocationPublicKey"
// DefaultRevocationPrivateKeyFile is the name of the file where the revocation private key is stored.
// Like the issuer secret key, this file holds private key material.
DefaultRevocationPrivateKeyFile = "IssuerRevocationPrivateKey"
// KeystoreDir is the keystore directory where all keys are stored. It is relative to the server home directory.
KeystoreDir = "msp/keystore"
)
const (
// InsertCredentialSQL is the SQL to add a credential to the database.
// All values are bound through named parameters (:id, ...), never interpolated.
InsertCredentialSQL = `
INSERT INTO credentials (id, revocation_handle, cred, ca_label, status, reason, expiry, revoked_at, level)
VALUES (:id, :revocation_handle, :cred, :ca_label, :status, :reason, :expiry, :revoked_at, :level);`
// SelectCredentialByIDSQL is the SQL for getting the credentials of a user.
// The %s is a fmt verb, not a bound parameter: the caller substitutes the column list there,
// so only a fixed, trusted set of column names should ever be formatted in. The id is bound via ?.
SelectCredentialByIDSQL = `
SELECT %s FROM credentials
WHERE (id = ?);`
// SelectCredentialSQL is the SQL for getting a credential given a revocation handle.
// As above, %s is the caller-supplied column list; the revocation handle is bound via ?.
SelectCredentialSQL = `
SELECT %s FROM credentials
WHERE (revocation_handle = ?);`
// SelectRevokedCredentialSQL is the SQL for getting all revoked credentials.
// As above, %s is the caller-supplied column list.
SelectRevokedCredentialSQL = `
SELECT %s FROM credentials
WHERE (status = 'revoked');`
// UpdateRevokeCredentialSQL is the SQL for updating the status of a credential to revoked.
// The "status != 'revoked'" guard makes a repeated revocation a no-op, so revoked_at and
// reason record the first revocation only.
UpdateRevokeCredentialSQL = `
UPDATE credentials
SET status='revoked', revoked_at=CURRENT_TIMESTAMP, reason=:reason
WHERE (id = :id AND status != 'revoked');`
// DeleteCredentialbyID is the SQL for deleting the credentials of a user.
DeleteCredentialbyID = `
DELETE FROM credentials
WHERE (id = ?);`
)
const (
// AttrEnrollmentID is the attribute name for the enrollment ID.
AttrEnrollmentID = "EnrollmentID"
// AttrRole is the attribute name for the role.
AttrRole = "Role"
// AttrOU is the attribute name for the organizational unit (OU).
AttrOU = "OU"
// AttrRevocationHandle is the attribute name for the revocation handle.
AttrRevocationHandle = "RevocationHandle"
)
const (
// InsertNonce is the SQL for inserting a nonce; values are bound through named parameters.
InsertNonce = "INSERT into nonces(val, expiry, level) VALUES (:val, :expiry, :level)"
// SelectNonce is the query string for getting a particular nonce by value.
SelectNonce = "SELECT * FROM nonces WHERE (val = ?)"
// RemoveNonce is the query string for removing a specified nonce.
RemoveNonce = "DELETE FROM nonces WHERE (val = ?)"
// RemoveExpiredNonces is the SQL string for removing all nonces whose expiry is before the bound time.
RemoveExpiredNonces = "DELETE FROM nonces WHERE (expiry < ?)"
// DefaultNonceExpiration is the default value for nonce expiration, as a duration string.
DefaultNonceExpiration = "15s"
// DefaultNonceSweepInterval is the default value for the nonce sweep interval, as a duration string.
DefaultNonceSweepInterval = "15m"
)
const (
// InsertRAInfo is the SQL for inserting revocation authority info.
InsertRAInfo = "INSERT into revocation_authority_info(epoch, next_handle, lasthandle_in_pool, level) VALUES (:epoch, :next_handle, :lasthandle_in_pool, :level)"
// SelectRAInfo is the query string for getting revocation authority info.
SelectRAInfo = "SELECT * FROM revocation_authority_info"
// UpdateNextAndLastHandle is the SQL for updating the next and last revocation handle together with the epoch.
// NOTE(review): the "WHERE (epoch = ?)" clause looks like an optimistic-concurrency guard
// against concurrent updates of the same row — confirm against the caller.
UpdateNextAndLastHandle = "UPDATE revocation_authority_info SET next_handle = ?, lasthandle_in_pool = ?, epoch = ? WHERE (epoch = ?)"
// UpdateNextHandle is the SQL for updating the next revocation handle.
UpdateNextHandle = "UPDATE revocation_authority_info SET next_handle = ? WHERE (epoch = ?)"
// DefaultRevocationHandlePoolSize is the default revocation handle pool size.
// NOTE(review): Config.RHPoolSize in this package carries a struct-tag default of 100 — confirm which is authoritative.
DefaultRevocationHandlePoolSize = 1000
)
func CheckRole(bitmask int, role Role) bool
CheckRole reports whether the desired role is contained in the bitmask.
func DecodeKeys(pemEncodedPK, pemEncodedPubKey []byte) (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)
DecodeKeys decodes a PEM-encoded ECDSA key pair.
func EncodeKeys(privateKey *ecdsa.PrivateKey, publicKey *ecdsa.PublicKey) ([]byte, []byte, error)
EncodeKeys encodes an ECDSA key pair to PEM.
func GetAttributeNames() []string
GetAttributeNames returns attribute names supported by the Fabric CA for Idemix credentials
func GetRoleMask(roles []Role) int
GetRoleMask combines a list of roles into a single bitmask.
func IsToken(token string) bool
IsToken returns true if the specified token has the format expected of an authorization token created with an Idemix credential.
CRIRequestHandler is the handler for an Idemix CRI (credential revocation information) request.
type CRIRequestHandler struct {
// Ctx is the server request context for the CRI request.
Ctx ServerRequestCtx
// Issuer gives access to the issuer components (revocation authority, keys, DB).
Issuer MyIssuer
}
func (ch *CRIRequestHandler) HandleRequest() (*api.GetCRIResponse, error)
HandleRequest handles processing of an idemix/cri request.
Clock provides time-related functions.
type Clock interface {
// Now returns the current time. Abstracted behind an interface so callers
// (e.g. nonce expiry checks) can be tested with a controlled clock.
Now() time.Time
}
Config encapsulates the Idemix-related configuration options.
type Config struct {
// IssuerPublicKeyfile is the name of the file that contains the marshalled CA Idemix issuer public key.
// NOTE(review): skip:"true" presumably excludes the key-file fields from flag/config exposure — confirm.
IssuerPublicKeyfile string `def:"IssuerPublicKey" skip:"true" help:"Name of the file that contains marshalled bytes of CA's Idemix issuer public key"`
// IssuerSecretKeyfile is the name of the file that contains the CA's Idemix issuer secret key (private material).
IssuerSecretKeyfile string `def:"IssuerSecretKey" skip:"true" help:"Name of the file that contains CA's Idemix issuer secret key"`
// RevocationPublicKeyfile is the name of the file that contains the Idemix issuer revocation public key.
RevocationPublicKeyfile string `def:"IssuerRevocationPublicKey" skip:"true" help:"Name of the file that contains Idemix issuer revocation public key"`
// RevocationPrivateKeyfile is the name of the file that contains the Idemix issuer revocation private key (private material).
RevocationPrivateKeyfile string `def:"IssuerRevocationPrivateKey" skip:"true" help:"Name of the file that contains Idemix issuer revocation private key"`
// RHPoolSize is the revocation handle pool size.
// NOTE(review): the struct-tag default here is 100 while DefaultRevocationHandlePoolSize in this
// package is 1000 — confirm which value is authoritative so the two do not drift.
RHPoolSize int `def:"100" help:"Specifies revocation handle pool size"`
// NonceExpiration is the duration after which a nonce expires, as a duration string (e.g. "15s").
NonceExpiration string `def:"15s" help:"Duration after which a nonce expires"`
// NonceSweepInterval is the interval at which expired nonces are deleted, as a duration string (e.g. "15m").
NonceSweepInterval string `def:"15m" help:"Interval at which expired nonces are deleted"`
}
CredDBAccessor is the accessor for the credentials database table.
type CredDBAccessor interface {
// SetDB sets the reference to the datastore object.
SetDB(db db.FabricCADB)
// InsertCredential inserts the specified Idemix credential record into the database.
InsertCredential(cr CredRecord) error
// GetCredential returns the Idemix credential associated with the specified revocation
// handle.
GetCredential(revocationHandle string) (*CredRecord, error)
// GetCredentialsByID returns the Idemix credentials associated with the specified
// enrollment ID.
GetCredentialsByID(id string) ([]CredRecord, error)
// GetRevokedCredentials returns all revoked credentials.
GetRevokedCredentials() ([]CredRecord, error)
}
func NewCredentialAccessor(db db.FabricCADB, level int) CredDBAccessor
NewCredentialAccessor returns a new CredentialAccessor.
CredRecord represents a credential database record
type CredRecord struct {
// ID is the enrollment ID the credential was issued to.
ID string `db:"id"`
// RevocationHandle identifies the credential for revocation purposes.
RevocationHandle string `db:"revocation_handle"`
// Cred is the stored credential (encoding not visible here — see the accessor).
Cred string `db:"cred"`
// CALabel is the label of the issuing CA.
CALabel string `db:"ca_label"`
// Status is the credential status (the revocation SQL sets it to 'revoked').
Status string `db:"status"`
// Reason is the revocation reason code.
Reason int `db:"reason"`
// Expiry is the credential expiry time.
Expiry time.Time `db:"expiry"`
// RevokedAt is the time of revocation, set by the database on revocation.
RevokedAt time.Time `db:"revoked_at"`
// Level is the database schema level of this record.
Level int `db:"level"`
}
CredentialAccessor implements the IdemixCredDBAccessor interface.
type CredentialAccessor struct {
// contains filtered or unexported fields (not shown in this package listing)
}
func (ac *CredentialAccessor) GetCredential(revocationHandle string) (*CredRecord, error)
GetCredential gets a CredentialRecord indexed by revocationHandle.
func (ac *CredentialAccessor) GetCredentialsByID(id string) ([]CredRecord, error)
GetCredentialsByID gets a CredentialRecord indexed by id.
func (ac *CredentialAccessor) GetRevokedCredentials() ([]CredRecord, error)
GetRevokedCredentials returns revoked credentials.
func (ac *CredentialAccessor) InsertCredential(cr CredRecord) error
InsertCredential stores a CredentialRecord in the database.
func (ac *CredentialAccessor) SetDB(db db.FabricCADB)
SetDB changes the underlying sql.DB object that the Accessor operates on.
EnrollRequestHandler is the handler for an Idemix enroll request.
type EnrollRequestHandler struct {
// Ctx is the server request context for the enroll request.
Ctx ServerRequestCtx
// EnrollmentID is the enrollment ID of the authenticated caller.
EnrollmentID string
// Issuer gives access to the issuer components (keys, nonce manager, revocation authority, DB).
Issuer MyIssuer
// IdmxLib is the Idemix cryptographic library used to build the credential.
IdmxLib Lib
}
func (h *EnrollRequestHandler) Authenticate() error
Authenticate authenticates the Idemix enroll request
func (h *EnrollRequestHandler) GenerateNonce() (*fp256bn.BIG, error)
GenerateNonce generates a nonce for an Idemix enroll request
func (h *EnrollRequestHandler) GetAttributeValues(caller user.User, ipk *idemix.IssuerPublicKey, rh *fp256bn.BIG) (map[string]interface{}, []*fp256bn.BIG, error)
GetAttributeValues returns the attribute values of the caller of an Idemix enroll request.
func (h *EnrollRequestHandler) HandleRequest() (*EnrollmentResponse, error)
HandleRequest handles processing of an Idemix enroll request.
EnrollmentResponse is the Idemix enrollment response from the server.
type EnrollmentResponse struct {
// Credential is the base64 encoding of the Idemix credential.
Credential string
// Attrs holds the attribute name-value pairs embedded in the credential.
Attrs map[string]interface{}
// CRI is the base64 encoding of the credential revocation information.
CRI string
// Nonce is the base64 encoding of the issuer nonce.
Nonce string
}
Issuer is the interface to the Issuer for external components
type Issuer interface {
// Init initializes the issuer; renew controls whether existing key material is regenerated.
Init(renew bool, db db.FabricCADB, levels *dbutil.Levels) error
// IssuerPublicKey returns the marshalled issuer public key.
IssuerPublicKey() ([]byte, error)
// RevocationPublicKey returns the marshalled revocation authority public key.
RevocationPublicKey() ([]byte, error)
// IssueCredential handles an enroll request and returns the enrollment response.
IssueCredential(ctx ServerRequestCtx) (*EnrollmentResponse, error)
// GetCRI handles a CRI request and returns the credential revocation information.
GetCRI(ctx ServerRequestCtx) (*api.GetCRIResponse, error)
// VerifyToken verifies the authorization header and returns the caller's identity string.
// NOTE(review): method, uri and body are inputs to verification, presumably so the token
// is bound to the specific request — confirm against the implementation.
VerifyToken(authHdr, method, uri string, body []byte) (string, error)
}
func NewIssuer(name, homeDir string, config *Config, csp bccsp.BCCSP, idemixLib Lib) Issuer
NewIssuer returns an object that implements the Issuer interface.
IssuerCredential represents CA's Idemix credential
type IssuerCredential interface {
// Load loads the CA's Idemix credential from the disk.
Load() error
// Store stores the CA's Idemix credential to the disk.
Store() error
// GetIssuerKey returns the *idemix.IssuerKey that represents the
// CA's Idemix public and secret key.
GetIssuerKey() (*idemix.IssuerKey, error)
// SetIssuerKey sets the issuer key.
SetIssuerKey(key *idemix.IssuerKey)
// NewIssuerKey returns a new instance of idemix.IssuerKey.
NewIssuerKey() (*idemix.IssuerKey, error)
}
func NewIssuerCredential(pubKeyFile, secretKeyFile string, lib Lib) IssuerCredential
NewIssuerCredential returns an instance of an object that implements the IssuerCredential interface.
Lib represents the Idemix library.
type Lib interface {
// NewIssuerKey generates a new issuer key for the given attribute names using rng.
NewIssuerKey(AttributeNames []string, rng *amcl.RAND) (ik *idemix.IssuerKey, err error)
// NewCredential issues a credential for the credential request m with the given attribute values.
NewCredential(key *idemix.IssuerKey, m *idemix.CredRequest, attrs []*fp256bn.BIG, rng *amcl.RAND) (cred *idemix.Credential, err error)
// CreateCRI creates credential revocation information for the given epoch, signed with the
// revocation authority's private key and covering the listed unrevoked handles.
CreateCRI(key *ecdsa.PrivateKey, unrevokedHandles []*fp256bn.BIG, epoch int, alg idemix.RevocationAlgorithm, rng *amcl.RAND) (cri *idemix.CredentialRevocationInformation, err error)
// GenerateLongTermRevocationKey generates the revocation authority's long-term ECDSA key pair.
GenerateLongTermRevocationKey() (pk *ecdsa.PrivateKey, err error)
// GetRand returns a random number generator for the Idemix operations.
GetRand() (rand *amcl.RAND, err error)
// RandModOrder returns a random value reduced modulo the group order.
RandModOrder(rng *amcl.RAND) (big *fp256bn.BIG, err error)
}
func NewLib() Lib
NewLib returns an instance of an object that implements the Lib interface.
MyIssuer provides functions for accessing issuer components
type MyIssuer interface {
// Name returns the issuer (CA) name.
Name() string
// HomeDir returns the server home directory; KeystoreDir is resolved relative to it.
HomeDir() string
// Config returns the Idemix configuration.
Config() *Config
// IdemixLib returns the Idemix library implementation.
IdemixLib() Lib
// DB returns the database handle.
DB() db.FabricCADB
// IdemixRand returns the random number generator used for Idemix operations.
IdemixRand() *amcl.RAND
// IssuerCredential returns the CA's Idemix issuer credential.
IssuerCredential() IssuerCredential
// RevocationAuthority returns the revocation authority.
RevocationAuthority() RevocationAuthority
// NonceManager returns the nonce manager.
NonceManager() NonceManager
// CredDBAccessor returns the credentials table accessor.
CredDBAccessor() CredDBAccessor
}
Nonce represents a nonce
type Nonce struct {
// Val is the nonce value, used as the lookup key in the nonces table.
Val string `db:"val"`
// Expiry is the time after which the nonce is no longer accepted and becomes eligible for sweeping.
Expiry time.Time `db:"expiry"`
// Level is the database schema level of this record.
Level int `db:"level"`
}
NonceManager represents the nonce manager that is responsible for getting a new nonce.
type NonceManager interface {
// GetNonce creates a nonce, stores it in the database and returns it.
GetNonce() (*fp256bn.BIG, error)
// CheckNonce checks that the specified nonce exists in the database and has not expired.
// A nonce that fails this check must be rejected by the caller.
CheckNonce(nonce *fp256bn.BIG) error
// SweepExpiredNonces removes expired nonces from the database.
SweepExpiredNonces() error
}
func NewNonceManager(issuer MyIssuer, clock Clock, level int) (NonceManager, error)
NewNonceManager returns an instance of an object that implements the NonceManager interface.
RevocationAuthority is responsible for generating revocation handles and credential revocation info (CRI)
type RevocationAuthority interface {
// GetNewRevocationHandle returns a new revocation handle, which is required to
// create a new Idemix credential.
GetNewRevocationHandle() (*fp256bn.BIG, error)
// CreateCRI returns the latest credential revocation information (CRI). The CRI contains
// information that allows a prover to create a proof that the revocation handle associated
// with their credential is not revoked, and allows the verifier to verify the non-revocation
// proof of the prover. Verification will fail if the version of the CRI that the verifier has
// does not match the version of the CRI that the prover used to create the non-revocation proof.
// The version of the CRI is specified by the Epoch value associated with the CRI.
CreateCRI() (*idemix.CredentialRevocationInformation, error)
// Epoch returns the epoch value of the latest CRI.
Epoch() (int, error)
// PublicKey returns the revocation authority's public key.
PublicKey() *ecdsa.PublicKey
}
func NewRevocationAuthority(issuer MyIssuer, level int) (RevocationAuthority, error)
NewRevocationAuthority is the constructor for a revocation authority.
RevocationAuthorityInfo is the revocation authority information record that is stored in the database
type RevocationAuthorityInfo struct {
// Epoch is the current CRI epoch.
Epoch int `db:"epoch"`
// NextRevocationHandle is the next handle to hand out.
NextRevocationHandle int `db:"next_handle"`
// LastHandleInPool is the last handle in the currently allocated pool.
LastHandleInPool int `db:"lasthandle_in_pool"`
// Level is the database schema level of this record.
Level int `db:"level"`
}
RevocationKey represents the issuer revocation public and private key pair.
type RevocationKey interface {
// Load loads this revocation key from the disk.
Load() error
// Store stores this revocation key to the disk.
Store() error
// GetKey returns the *ecdsa.PrivateKey that represents the revocation public and private key pair.
GetKey() *ecdsa.PrivateKey
// SetKey sets the revocation public and private key.
SetKey(key *ecdsa.PrivateKey)
// SetNewKey creates a new revocation public and private key pair and sets them in this object.
SetNewKey() error
}
func NewRevocationKey(pubKeyFile, privateKeyFile string, lib Lib) RevocationKey
NewRevocationKey returns an instance of an object that implements the RevocationKey interface.
Role represents an Idemix role.
type Role int32
There are four expected roles; they can be combined using a bitmask.
const (
// MEMBER is the member role bit.
MEMBER Role = 1
// ADMIN is the admin role bit.
ADMIN Role = 2
// CLIENT is the client role bit.
CLIENT Role = 4
// PEER is the peer role bit.
PEER Role = 8
)
ServerRequestCtx is the server request context that Idemix enroll expects
type ServerRequestCtx interface {
// IsBasicAuth reports whether the request uses basic authentication.
IsBasicAuth() bool
// BasicAuthentication authenticates the request via basic auth and returns the caller's identity.
BasicAuthentication() (string, error)
// TokenAuthentication authenticates the request via an authorization token and returns the caller's identity.
TokenAuthentication() (string, error)
// GetCaller returns the authenticated caller.
GetCaller() (user.User, error)
// ReadBody decodes the request body into body.
ReadBody(body interface{}) error
}