This PR brings the following:

- prepare the revocation handle as expected by the idemix lib
- idemix: export revocation handle in SignerConfig
- update idemix and mathlib dep
- add logs to idemix issuer
- doc update

Signed-off-by: Angelo De Caro <angelo.decaro@gmail.com>

docs/source/clientcli.rst

@@ -12,6 +12,7 @@ Fabric-CA Client's CLI
     Available Commands:
       affiliation Manage affiliations
       certificate Manage certificates
+      completion  Generate the autocompletion script for the specified shell
       enroll      Enroll an identity
       gencrl      Generate a CRL
       gencsr      Generate a CSR

docs/source/servercli.rst

@@ -10,6 +10,7 @@ Fabric-CA Server's CLI
       fabric-ca-server [command]
     
     Available Commands:
+      completion  Generate the autocompletion script for the specified shell
       help        Help about any command
       init        Initialize the fabric-ca server
       start       Start the fabric-ca server

go.mod

@@ -3,14 +3,14 @@ module github.com/hyperledger/fabric-ca
 go 1.20
 
 require (
-	github.com/IBM/idemix v0.0.0-20220113150823-80dd4cb2d74e
-	github.com/IBM/mathlib v0.0.0-20220414125002-6f78dce8f91c
+	github.com/IBM/idemix v0.0.2-0.20230510082947-a0c3ee5ebe35
+	github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible
 	github.com/cloudflare/cfssl v1.4.1
 	github.com/felixge/httpsnoop v1.0.1
 	github.com/go-kit/kit v0.9.0
 	github.com/go-sql-driver/mysql v1.5.0
-	github.com/golang/protobuf v1.4.3
+	github.com/golang/protobuf v1.5.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
 	github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b
@@ -28,10 +28,10 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/profile v1.5.0
 	github.com/prometheus/client_golang v1.11.1
-	github.com/spf13/cobra v0.0.5
+	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.3.2
-	github.com/stretchr/testify v1.7.1-0.20210116013205-6990a05d54c2
+	github.com/stretchr/testify v1.8.0
 	golang.org/x/crypto v0.1.0
 	gopkg.in/ldap.v2 v2.5.1
 )
@@ -40,7 +40,8 @@ require (
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/consensys/gnark-crypto v0.6.0 // indirect
+	github.com/consensys/bavard v0.1.13 // indirect
+	github.com/consensys/gnark-crypto v0.9.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
@@ -49,6 +50,7 @@ require (
 	github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 // indirect
+	github.com/kilic/bls12-381 v0.1.0 // indirect
 	github.com/magiconair/properties v1.8.1 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/miekg/pkcs11 v1.0.3 // indirect
@@ -62,7 +64,7 @@ require (
 	github.com/spf13/afero v1.1.2 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
-	github.com/stretchr/objx v0.1.1 // indirect
+	github.com/stretchr/objx v0.4.0 // indirect
 	github.com/sykesm/zap-logfmt v0.0.4 // indirect
 	github.com/weppos/publicsuffix-go v0.5.0 // indirect
 	github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e // indirect
@@ -75,9 +77,10 @@ require (
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
 	google.golang.org/grpc v1.31.0 // indirect
-	google.golang.org/protobuf v1.26.0-rc.1 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	rsc.io/tmplfunc v0.0.3 // indirect
 )

lib/client.go

@@ -12,16 +12,6 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path"
-	"path/filepath"
-	"strconv"
-	"strings"
-
 	idemix "github.com/IBM/idemix/bccsp/schemes/dlog/crypto"
 	math "github.com/IBM/mathlib"
 	cfsslapi "github.com/cloudflare/cfssl/api"
@@ -33,13 +23,23 @@ import (
 	idemixcred "github.com/hyperledger/fabric-ca/lib/client/credential/idemix"
 	x509cred "github.com/hyperledger/fabric-ca/lib/client/credential/x509"
 	cidemix "github.com/hyperledger/fabric-ca/lib/common/idemix"
+	sidemix "github.com/hyperledger/fabric-ca/lib/server/idemix"
 	"github.com/hyperledger/fabric-ca/lib/streamer"
 	"github.com/hyperledger/fabric-ca/lib/tls"
 	"github.com/hyperledger/fabric-ca/util"
 	"github.com/hyperledger/fabric/bccsp"
 	cspsigner "github.com/hyperledger/fabric/bccsp/signer"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
 )
 
 // Client is the fabric-ca client object
@@ -516,6 +516,7 @@ func (c *Client) newIdemixEnrollmentResponse(identity *Identity, result *api.Ide
 	role, _ := result.Attrs["Role"].(int)
 	ou, _ := result.Attrs["OU"].(string)
 	enrollmentID, _ := result.Attrs["EnrollmentID"].(string)
+	revocationHandle := result.Attrs[sidemix.AttrRevocationHandle].(string)
 	signerConfig := &idemixcred.SignerConfig{
 		CurveID:                         cidemix.Curves.ByID(c.curveID),
 		Cred:                            credBytes,
@@ -524,6 +525,7 @@ func (c *Client) newIdemixEnrollmentResponse(identity *Identity, result *api.Ide
 		OrganizationalUnitIdentifier:    ou,
 		EnrollmentID:                    enrollmentID,
 		CredentialRevocationInformation: criBytes,
+		RevocationHandle:                revocationHandle,
 	}
 
 	// Create IdemixCredential object

lib/client/credential/idemix/credential.go

@@ -71,6 +71,14 @@ func (cred *Credential) EnrollmentID() (string, error) {
 	return cred.val.EnrollmentID, nil
 }
 
+// RevocationHandle returns revocation handle associated with this Idemix credential
+func (cred *Credential) RevocationHandle() (string, error) {
+	if cred.val == nil {
+		return "", errors.New("Idemix credential value is not set")
+	}
+	return cred.val.RevocationHandle, nil
+}
+
 // SetVal sets *SignerConfig for this Idemix credential
 func (cred *Credential) SetVal(val interface{}) error {
 	s, ok := val.(*SignerConfig)

lib/client/credential/idemix/signerconfig.go

@@ -22,6 +22,8 @@ type SignerConfig struct {
 	CredentialRevocationInformation []byte `protobuf:"bytes,6,opt,name=credential_revocation_information,json=credentialRevocationInformation,proto3" json:"credential_revocation_information,omitempty"`
 	// CurveID specifies the name of the Idemix curve to use, defaults to 'amcl.Fp256bn'
 	CurveID string `protobuf:"bytes,7,opt,name=curve_id,json=curveID" json:"curveID,omitempty"`
+	// RevocationHandle is the handle used to single out this credential and determine its revocation status
+	RevocationHandle string `protobuf:"bytes,8,opt,name=revocation_handle,json=revocationHandle,proto3" json:"revocation_handle,omitempty"`
 }
 
 // GetCred returns credential associated with this signer config

lib/server/idemix/enroll.go

@@ -104,6 +104,13 @@ func (h *EnrollRequestHandler) HandleRequest() (*EnrollmentResponse, error) {
 		return nil, err
 	}
 
+	// convert the revocation handle rh to a string by first converting it to int64.
+	rhInt64, err := rh.Int()
+	if err != nil {
+		return nil, errors.WithMessage(err, "failed to convert RH to int64")
+	}
+	rhStr := fmt.Sprintf("%d", rhInt64)
+
 	// Get attributes for the identity
 	attrMap, attrs, err := h.GetAttributeValues(caller, ik.GetIpk(), rh)
 	if err != nil {
@@ -122,15 +129,13 @@ func (h *EnrollRequestHandler) HandleRequest() (*EnrollmentResponse, error) {
 	}
 	b64CredBytes := util.B64Encode(credBytes)
 
-	rhstr := util.B64Encode(rh.Bytes())
-
 	// Store the credential in the database
 	err = h.Issuer.CredDBAccessor().InsertCredential(CredRecord{
 		CALabel:          h.Issuer.Name(),
 		ID:               caller.GetName(),
 		Status:           "good",
 		Cred:             b64CredBytes,
-		RevocationHandle: rhstr,
+		RevocationHandle: rhStr,
 	})
 	if err != nil {
 		log.Errorf("Failed to store the Idemix credential for identity '%s' in the database: %s", caller.GetName(), err.Error())
@@ -210,8 +215,13 @@ func (h *EnrollRequestHandler) GetAttributeValues(caller user.User, ipk *idemix.
 			rc = append(rc, h.Curve.HashToZr(ouBytes))
 			attrMap[attrName] = ouVal
 		} else if attrName == AttrRevocationHandle {
-			rc = append(rc, rh)
-			attrMap[attrName] = util.B64Encode(rh.Bytes())
+			rhInt64, err := rh.Int()
+			if err != nil {
+				return nil, nil, errors.WithMessage(err, "failed to convert RH to int64")
+			}
+			rhStr := fmt.Sprintf("%d", rhInt64)
+			rc = append(rc, h.Curve.HashToZr([]byte(rhStr)))
+			attrMap[attrName] = rhStr
 		} else if attrName == AttrRole {
 			role := MEMBER.getValue()
 			attrObj, err := caller.GetAttribute("role")

lib/server/idemix/enroll_test.go

@@ -486,7 +486,7 @@ func testHandleIdemixEnrollInsertCredError(t *testing.T, curveID cidemix.CurveID
 	credAccessor := new(mocks.CredDBAccessor)
 	credAccessor.On("InsertCredential",
 		CredRecord{
-			RevocationHandle: util.B64Encode(curve.NewZrFromInt(1).Bytes()),
+			RevocationHandle: "1",
 			CALabel:          "", ID: "foo", Status: "good",
 			Cred: b64CredBytes,
 		}).Return(errors.New("Failed to add credential to DB"))
@@ -587,7 +587,7 @@ func testHandleIdemixEnrollForCredentialSuccess(t *testing.T, curveID cidemix.Cu
 	}
 	credAccessor := new(mocks.CredDBAccessor)
 	credAccessor.On("InsertCredential", CredRecord{
-		RevocationHandle: util.B64Encode(curve.NewZrFromInt(1).Bytes()),
+		RevocationHandle: "1",
 		CALabel:          "", ID: "foo", Status: "good", Cred: b64CredBytes,
 	}).Return(nil)
 

lib/server/idemix/issuer.go

@@ -301,10 +301,12 @@ func (i *issuer) initKeyMaterial(renew bool) error {
 	idemixSecretKey := i.cfg.IssuerSecretKeyfile
 	issuerCred := NewIssuerCredential(idemixPubKey, idemixSecretKey, i.idemixLib, i.curveID)
 
+	log.Debugf("renew is set to [%v]", renew)
 	if !renew {
 		pubKeyFileExists := util.FileExists(idemixPubKey)
 		privKeyFileExists := util.FileExists(idemixSecretKey)
 		// If they both exist, the CA was already initialized, load the keys from the disk
+		log.Debugf("pubKeyFileExists && privKeyFileExists : [%s:%s][%s:%s]", idemixPubKey, pubKeyFileExists, idemixSecretKey, privKeyFileExists)
 		if pubKeyFileExists && privKeyFileExists {
 			log.Info("The Idemix issuer public and secret key files already exist")
 			log.Infof("   secret key file location: %s", idemixSecretKey)
@@ -321,7 +323,7 @@ func (i *issuer) initKeyMaterial(renew bool) error {
 	if err != nil {
 		return err
 	}
-	// log.Infof("Idemix issuer public and secret keys were generated for CA '%s'", i.name)
+	log.Debugf("Idemix issuer public and secret keys were generated for CA '%s'", i.name)
 	issuerCred.SetIssuerKey(ik)
 	err = issuerCred.Store()
 	if err != nil {