forked from hyperledger/fabric
-
Notifications
You must be signed in to change notification settings - Fork 3
/
msp.go
253 lines (198 loc) · 8.85 KB
/
msp.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
/*
Copyright IBM Corp. 2016 All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package msp
import (
"github.com/hyperledger/fabric/protos/common"
"github.com/hyperledger/fabric/protos/msp"
)
// FIXME: we need better comments on the interfaces!!
// FIXME: we need better comments on the interfaces!!
// FIXME: we need better comments on the interfaces!!
// IdentityDeserializer is implemented by both MSPManger and MSP
type IdentityDeserializer interface {
// DeserializeIdentity deserializes an identity.
// Deserialization will fail if the identity is associated to
// an msp that is different from this one that is performing
// the deserialization.
DeserializeIdentity(serializedIdentity []byte) (Identity, error)
}
// Membership service provider APIs for Hyperledger Fabric:
//
// By "membership service provider" we refer to an abstract component of the
// system that would provide (anonymous) credentials to clients, and peers for
// them to participate in Hyperledger/fabric network. Clients use these
// credentials to authenticate their transactions, and peers use these credentials
// to authenticate transaction processing results (endorsements). While
// strongly connected to the transaction processing components of the systems,
// this interface aims to have membership services components defined, in such
// a way such that alternate implementations of this can be smoothly plugged in
// without modifying the core of transaction processing components of the system.
//
// This file includes Membership service provider interface that covers the
// needs of a peer membership service provider interface.
// MSPManager is an interface defining a manager of one or more MSPs. This
// essentially acts as a mediator to MSP calls and routes MSP related calls
// to the appropriate MSP.
// This object is immutable, it is initialized once and never changed.
type MSPManager interface {
// IdentityDeserializer interface needs to be implemented by MSPManager
IdentityDeserializer
// Setup the MSP manager instance according to configuration information
Setup(msps []MSP) error
// GetMSPs Provides a list of Membership Service providers
GetMSPs() (map[string]MSP, error)
}
// MSP is the minimal Membership Service Provider Interface to be implemented
// to accommodate peer functionality
type MSP interface {
// IdentityDeserializer interface needs to be implemented by MSP
IdentityDeserializer
// Setup the MSP instance according to configuration information
Setup(config *msp.MSPConfig) error
// GetType returns the provider type
GetType() ProviderType
// GetIdentifier returns the provider identifier
GetIdentifier() (string, error)
// GetSigningIdentity returns a signing identity corresponding to the provided identifier
GetSigningIdentity(identifier *IdentityIdentifier) (SigningIdentity, error)
// GetDefaultSigningIdentity returns the default signing identity
GetDefaultSigningIdentity() (SigningIdentity, error)
// GetRootCerts returns the root certificates for this MSP
GetRootCerts() []Identity
// GetIntermediateCerts returns the intermediate root certificates for this MSP
GetIntermediateCerts() []Identity
// Validate checks whether the supplied identity is valid
Validate(id Identity) error
// SatisfiesPrincipal checks whether the identity matches
// the description supplied in MSPPrincipal. The check may
// involve a byte-by-byte comparison (if the principal is
// a serialized identity) or may require MSP validation
SatisfiesPrincipal(id Identity, principal *common.MSPPrincipal) error
}
// From this point on, there are interfaces that are shared within the peer and client API
// of the membership service provider.
// Identity interface defining operations associated to a "certificate".
// That is, the public part of the identity could be thought to be a certificate,
// and offers solely signature verification capabilities. This is to be used
// at the peer side when verifying certificates that transactions are signed
// with, and verifying signatures that correspond to these certificates.///
type Identity interface {
// GetIdentifier returns the identifier of that identity
GetIdentifier() *IdentityIdentifier
// GetMSPIdentifier returns the MSP Id for this instance
GetMSPIdentifier() string
// Validate uses the rules that govern this identity to validate it.
// E.g., if it is a fabric TCert implemented as identity, validate
// will check the TCert signature against the assumed root certificate
// authority.
Validate() error
// GetOrganizationalUnits returns zero or more organization units or
// divisions this identity is related to as long as this is public
// information. Certain MSP implementations may use attributes
// that are publicly associated to this identity, or the identifier of
// the root certificate authority that has provided signatures on this
// certificate.
// Examples:
// - if the identity is an x.509 certificate, this function returns one
// or more string which is encoded in the Subject's Distinguished Name
// of the type OU
// TODO: For X.509 based identities, check if we need a dedicated type
// for OU where the Certificate OU is properly namespaced by the
// signer's identity
GetOrganizationalUnits() []string
// Verify a signature over some message using this identity as reference
Verify(msg []byte, sig []byte) error
// VerifyOpts a signature over some message using this identity as reference
VerifyOpts(msg []byte, sig []byte, opts SignatureOpts) error
// VerifyAttributes verifies attributes given a proof
VerifyAttributes(proof []byte, spec *AttributeProofSpec) error
// Serialize converts an identity to bytes
Serialize() ([]byte, error)
// SatisfiesPrincipal checks whether this instance matches
// the description supplied in MSPPrincipal. The check may
// involve a byte-by-byte comparison (if the principal is
// a serialized identity) or may require MSP validation
SatisfiesPrincipal(principal *common.MSPPrincipal) error
}
// SigningIdentity is an extension of Identity to cover signing capabilities.
// E.g., signing identity should be requested in the case of a client who wishes
// to sign transactions, or fabric endorser who wishes to sign proposal
// processing outcomes.
type SigningIdentity interface {
// Extends Identity
Identity
// Sign the message
Sign(msg []byte) ([]byte, error)
// SignOpts the message with options
SignOpts(msg []byte, opts SignatureOpts) ([]byte, error)
// GetAttributeProof creates a proof for a set of attributes
GetAttributeProof(spec *AttributeProofSpec) (proof []byte, err error)
// GetPublicVersion returns the public parts of this identity
GetPublicVersion() Identity
// Renew this identity
Renew() error
}
// ImportRequest is data required when importing a member or
// enrollment identity that was created off-band
type ImportRequest struct {
// IdentityProvider to enroll with
Idp string
// The certificate to import
IdentityDesc []byte
// Key reference associated to the key of the imported member
KeyReference []string
}
// SignatureOpts are signature options
type SignatureOpts struct {
Policy []string
Label string
}
// Attribute is an arbitrary name/value pair
type Attribute interface {
Key() AttributeName
Value() []byte
Serialise() []byte
}
// AttributeName defines the name of an attribute assuming a
// namespace defined by the entity that certifies this attributes'
// ownership.
type AttributeName struct {
// provider/guarantor of a certain attribute; this can be
// expressed by the enrollment identifier of the entity that
// issues/certifies possession of such attributes.
provider string
// the actual name of the attribute; should be unique for a given
// provider
name string
}
type AttributeProofSpec struct {
Attributes []Attribute
Message []byte
}
// Structures defining the identifiers for identity providers and members
// and members that belong to them.
// IdentityIdentifier is a holder for the identifier of a specific
// identity, naturally namespaced, by its provider identifier.
type IdentityIdentifier struct {
// The identifier of the associated membership service provider
Mspid string
// The identifier for an identity within a provider
Id string
}
// ProviderType indicates the type of an identity provider
type ProviderType int
// The ProviderType of a member relative to the member API
const (
FABRIC ProviderType = iota // MSP is of FABRIC type
OTHER // MSP is of OTHER TYPE
)