diff --git a/accesscontrol/api.go b/accesscontrol/api.go deleted file mode 100644 index af943656b66..00000000000 --- a/accesscontrol/api.go +++ /dev/null @@ -1,31 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -package accesscontrol - -// Attribute defines a name, value pair to be verified. -type Attribute struct { - Name string - Value []byte -} - -// AttributesManager can be used to verify and read attributes. -type AttributesManager interface { - ReadCertAttribute(attributeName string) ([]byte, error) - - VerifyAttribute(attributeName string, attributeValue []byte) (bool, error) - - VerifyAttributes(attrs ...*Attribute) (bool, error) -} diff --git a/accesscontrol/api/authshim.go b/accesscontrol/api/authshim.go deleted file mode 100644 index c6f88f52992..00000000000 --- a/accesscontrol/api/authshim.go +++ /dev/null @@ -1,48 +0,0 @@ -package authshim - -import "github.com/hyperledger/fabric/msp" - -/* -Copyright IBM Corp. 2017 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// AttributeAuthShim is an interface based on top of the chaincode shim -// to offer invocation access control based on identity attributes -// TODO: Add NewAuthShimByTransientDataKey function -// TODO: Make it later generic enough by providing as input the MSP identity -type AttributeAuthShim interface { - - // ReadAttributeValue would return the value of an attribute - ReadAttributeValue(attName string) ([]byte, error) - - // Verify a proof of ownership of attribute atts using invocation - // data as the message to prove possession of attributes on - VerifyAttribute(atts []msp.Attribute) -} - -// IdentityAuthShim is an interface based on top of the chaincode shim -// to offer invocation access control based on identities -// TODO: Add NewAuthShimByTransientDataKey -// TODO: Add as setup parameter also ApplicationMSP -type IdentityAuthShim interface { - - // Verify a proof of ownership of an identity using the input - // message to prove possession of identity ownership on - VerifyIdentityOnMessage(identity msp.Identity, message string) - - // Verify a proof of ownership of an identity using invocation - // data as the message to prove possession of attributes on - VerifyIdentity(identity msp.Identity) -} diff --git a/accesscontrol/attributes/attributes.go b/accesscontrol/attributes/attributes.go deleted file mode 100644 index 9ccca5536ab..00000000000 --- a/accesscontrol/attributes/attributes.go +++ /dev/null @@ -1,274 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package attributes - -import ( - "bytes" - "crypto/x509" - "encoding/asn1" - "errors" - "fmt" - "strconv" - "strings" - - pb "github.com/hyperledger/fabric/accesscontrol/attributes/proto" - "github.com/hyperledger/fabric/core/crypto/primitives" - - "github.com/golang/protobuf/proto" - "github.com/hyperledger/fabric/accesscontrol/crypto/utils" -) - -var ( - // TCertEncAttributesBase is the base ASN1 object identifier for attributes. - // When generating an extension to include the attribute an index will be - // appended to this Object Identifier. - TCertEncAttributesBase = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6} - - // TCertAttributesHeaders is the ASN1 object identifier of attributes header. - TCertAttributesHeaders = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9} - - padding = []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255} - - //headerPrefix is the prefix used in the header extension of the certificate. - headerPrefix = "00HEAD" - - //HeaderAttributeName is the name used to derive the K used to encrypt/decrypt the header. - HeaderAttributeName = "attributeHeader" -) - -//ParseAttributesHeader parses a string and returns a map with the attributes. -func ParseAttributesHeader(header string) (map[string]int, error) { - if !strings.HasPrefix(header, headerPrefix) { - return nil, errors.New("Invalid header") - } - headerBody := strings.Replace(header, headerPrefix, "", 1) - tokens := strings.Split(headerBody, "#") - result := make(map[string]int) - - for _, token := range tokens { - pair := strings.Split(token, "->") - - if len(pair) == 2 { - key := pair[0] - valueStr := pair[1] - value, err := strconv.Atoi(valueStr) - if err != nil { - return nil, err - } - result[key] = value - } - } - - return result, nil -} - -//ReadAttributeHeader read the header of the attributes. -func ReadAttributeHeader(tcert *x509.Certificate, headerKey []byte) (map[string]int, bool, error) { - var err error - var headerRaw []byte - encrypted := false - if headerRaw, err = utils.GetCriticalExtension(tcert, TCertAttributesHeaders); err != nil { - return nil, encrypted, err - } - headerStr := string(headerRaw) - var header map[string]int - header, err = ParseAttributesHeader(headerStr) - if err != nil { - if headerKey == nil { - return nil, false, errors.New("Is not possible read an attribute encrypted without the headerKey") - } - headerRaw, err = DecryptAttributeValue(headerKey, headerRaw) - - if err != nil { - return nil, encrypted, errors.New("error decrypting header value '" + err.Error() + "''") - } - headerStr = string(headerRaw) - header, err = ParseAttributesHeader(headerStr) - if err != nil { - return nil, encrypted, err - } - encrypted = true - } - return header, encrypted, nil -} - -//ReadTCertAttributeByPosition read the attribute stored in the position "position" of the tcert. -func ReadTCertAttributeByPosition(tcert *x509.Certificate, position int) ([]byte, error) { - if position <= 0 { - return nil, fmt.Errorf("Invalid attribute position. Received [%v]", position) - } - - oid := asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9 + position} - value, err := utils.GetCriticalExtension(tcert, oid) - if err != nil { - return nil, err - } - return value, nil -} - -//ReadTCertAttribute read the attribute with name "attributeName" and returns the value and a boolean indicating if the returned value is encrypted or not. -func ReadTCertAttribute(tcert *x509.Certificate, attributeName string, headerKey []byte) ([]byte, bool, error) { - header, encrypted, err := ReadAttributeHeader(tcert, headerKey) - if err != nil { - return nil, false, err - } - position := header[attributeName] - if position == 0 { - return nil, encrypted, errors.New("Failed attribute '" + attributeName + "' doesn't exists in the TCert.") - } - value, err := ReadTCertAttributeByPosition(tcert, position) - if err != nil { - return nil, encrypted, err - } - return value, encrypted, nil -} - -//EncryptAttributeValue encrypts "attributeValue" using "attributeKey" -func EncryptAttributeValue(attributeKey []byte, attributeValue []byte) ([]byte, error) { - value := append(attributeValue, padding...) - return utils.CBCPKCS7Encrypt(attributeKey, value) -} - -//getAttributeKey returns the attributeKey derived from the preK0 to the attributeName. -func getAttributeKey(preK0 []byte, attributeName string) []byte { - return primitives.HMACTruncated(preK0, []byte(attributeName), 32) -} - -//EncryptAttributeValuePK0 encrypts "attributeValue" using a key derived from preK0. -func EncryptAttributeValuePK0(preK0 []byte, attributeName string, attributeValue []byte) ([]byte, error) { - attributeKey := getAttributeKey(preK0, attributeName) - return EncryptAttributeValue(attributeKey, attributeValue) -} - -//DecryptAttributeValue decrypts "encryptedValue" using "attributeKey" and return the decrypted value. -func DecryptAttributeValue(attributeKey []byte, encryptedValue []byte) ([]byte, error) { - value, err := utils.CBCPKCS7Decrypt(attributeKey, encryptedValue) - if err != nil { - return nil, err - } - lenPadding := len(padding) - lenValue := len(value) - if lenValue < lenPadding { - return nil, errors.New("Error invalid value. Decryption verification failed.") - } - lenWithoutPadding := lenValue - lenPadding - if bytes.Compare(padding[0:lenPadding], value[lenWithoutPadding:lenValue]) != 0 { - return nil, errors.New("Error generating decryption key for value. Decryption verification failed.") - } - value = value[0:lenWithoutPadding] - return value, nil -} - -//getKAndValueForAttribute derives K for the attribute "attributeName", checks the value padding and returns both key and decrypted value -func getKAndValueForAttribute(attributeName string, preK0 []byte, cert *x509.Certificate) ([]byte, []byte, error) { - headerKey := getAttributeKey(preK0, HeaderAttributeName) - value, encrypted, err := ReadTCertAttribute(cert, attributeName, headerKey) - if err != nil { - return nil, nil, err - } - - attributeKey := getAttributeKey(preK0, attributeName) - if encrypted { - value, err = DecryptAttributeValue(attributeKey, value) - if err != nil { - return nil, nil, err - } - } - return attributeKey, value, nil -} - -//GetKForAttribute derives the K for the attribute "attributeName" and returns the key -func GetKForAttribute(attributeName string, preK0 []byte, cert *x509.Certificate) ([]byte, error) { - key, _, err := getKAndValueForAttribute(attributeName, preK0, cert) - return key, err -} - -//GetValueForAttribute derives the K for the attribute "attributeName" and returns the value -func GetValueForAttribute(attributeName string, preK0 []byte, cert *x509.Certificate) ([]byte, error) { - _, value, err := getKAndValueForAttribute(attributeName, preK0, cert) - return value, err -} - -func createAttributesHeaderEntry(preK0 []byte) *pb.AttributesMetadataEntry { - attKey := getAttributeKey(preK0, HeaderAttributeName) - return &pb.AttributesMetadataEntry{AttributeName: HeaderAttributeName, AttributeKey: attKey} -} - -func createAttributesMetadataEntry(attributeName string, preK0 []byte) *pb.AttributesMetadataEntry { - attKey := getAttributeKey(preK0, attributeName) - return &pb.AttributesMetadataEntry{AttributeName: attributeName, AttributeKey: attKey} -} - -//CreateAttributesMetadataObjectFromCert creates an AttributesMetadata object from certificate "cert", metadata and the attributes keys. -func CreateAttributesMetadataObjectFromCert(cert *x509.Certificate, metadata []byte, preK0 []byte, attributeKeys []string) *pb.AttributesMetadata { - var entries []*pb.AttributesMetadataEntry - for _, key := range attributeKeys { - if len(key) == 0 { - continue - } - - entry := createAttributesMetadataEntry(key, preK0) - entries = append(entries, entry) - } - headerEntry := createAttributesHeaderEntry(preK0) - entries = append(entries, headerEntry) - - return &pb.AttributesMetadata{Metadata: metadata, Entries: entries} -} - -//CreateAttributesMetadataFromCert creates the AttributesMetadata from the original metadata and certificate "cert". -func CreateAttributesMetadataFromCert(cert *x509.Certificate, metadata []byte, preK0 []byte, attributeKeys []string) ([]byte, error) { - attributesMetadata := CreateAttributesMetadataObjectFromCert(cert, metadata, preK0, attributeKeys) - - return proto.Marshal(attributesMetadata) -} - -//CreateAttributesMetadata create the AttributesMetadata from the original metadata -func CreateAttributesMetadata(raw []byte, metadata []byte, preK0 []byte, attributeKeys []string) ([]byte, error) { - cert, err := utils.DERToX509Certificate(raw) - if err != nil { - return nil, err - } - - return CreateAttributesMetadataFromCert(cert, metadata, preK0, attributeKeys) -} - -//GetAttributesMetadata object from the original metadata "metadata". -func GetAttributesMetadata(metadata []byte) (*pb.AttributesMetadata, error) { - attributesMetadata := &pb.AttributesMetadata{} - err := proto.Unmarshal(metadata, attributesMetadata) - return attributesMetadata, err -} - -//BuildAttributesHeader builds a header attribute from a map of attribute names and positions. -func BuildAttributesHeader(attributesHeader map[string]int) ([]byte, error) { - var header []byte - var headerString string - var positions = make(map[int]bool) - - for k, v := range attributesHeader { - if positions[v] { - return nil, errors.New("Duplicated position found in attributes header") - } - positions[v] = true - - vStr := strconv.Itoa(v) - headerString = headerString + k + "->" + vStr + "#" - } - header = []byte(headerPrefix + headerString) - return header, nil -} diff --git a/accesscontrol/attributes/attributes_test.go b/accesscontrol/attributes/attributes_test.go deleted file mode 100644 index 03715f5102e..00000000000 --- a/accesscontrol/attributes/attributes_test.go +++ /dev/null @@ -1,545 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package attributes - -import ( - "bytes" - "crypto/x509" - "encoding/pem" - "fmt" - - "io/ioutil" - "os" - "strings" - "testing" - - "github.com/golang/protobuf/proto" - pb "github.com/hyperledger/fabric/accesscontrol/attributes/proto" - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -func TestMain(m *testing.M) { - if err := primitives.InitSecurityLevel("SHA3", 256); err != nil { - fmt.Printf("Failed setting security level: %v", err) - } - - ret := m.Run() - os.Exit(ret) -} - -func TestEncryptDecryptAttributeValuePK0(t *testing.T) { - expected := "ACompany" - - preK0 := []byte{ - 91, 206, 163, 104, 247, 74, 149, 209, 91, 137, 215, 236, - 84, 135, 9, 70, 160, 138, 89, 163, 240, 223, 83, 164, 58, - 208, 199, 23, 221, 123, 53, 220, 15, 41, 28, 111, 166, - 28, 29, 187, 97, 229, 117, 117, 49, 192, 134, 31, 151} - - encryptedAttribute, err := EncryptAttributeValuePK0(preK0, "company", []byte(expected)) - if err != nil { - t.Error(err) - } - - attributeKey := getAttributeKey(preK0, "company") - - attribute, err := DecryptAttributeValue(attributeKey, encryptedAttribute) - if err != nil { - t.Error(err) - } - - if string(attribute) != expected { - t.Errorf("Failed decrypting attribute. Expected: %v, Actual: %v", expected, attribute) - } -} - -func TestGetKAndValueForAttribute(t *testing.T) { - expected := "Software Engineer" - - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, attribute, err := getKAndValueForAttribute("position", prek0, tcert) - if err != nil { - t.Error(err) - } - - if string(attribute) != expected { - t.Errorf("Failed retrieving attribute value from TCert. Expected: %v, Actual: %v", expected, string(attribute)) - } -} - -func TestGetKAndValueForAttribute_MissingAttribute(t *testing.T) { - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, _, err = getKAndValueForAttribute("business_unit", prek0, tcert) - if err == nil { - t.Errorf("Trying to read an attribute that is not part of the TCert should produce an error") - } -} - -func TestGetValueForAttribute(t *testing.T) { - expected := "Software Engineer" - - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - value, err := GetValueForAttribute("position", prek0, tcert) - if err != nil { - t.Error(err) - } - - if string(value) != expected { - t.Errorf("Failed retrieving attribute value from TCert. Expected: %v, Actual: %v", expected, string(value)) - } -} - -func TestGetValueForAttribute_MissingAttribute(t *testing.T) { - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, err = GetValueForAttribute("business_unit", prek0, tcert) - if err == nil { - t.Errorf("Trying to read an attribute that is not part of the TCert should produce an error") - } -} - -func TestGetKForAttribute(t *testing.T) { - expected := "Software Engineer" - - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - key, err := GetKForAttribute("position", prek0, tcert) - if err != nil { - t.Error(err) - } - - encryptedValue, err := EncryptAttributeValuePK0(prek0, "position", []byte(expected)) - if err != nil { - t.Error(err) - } - - decryptedValue, err := DecryptAttributeValue(key, encryptedValue) - if err != nil { - t.Error(err) - } - - if string(decryptedValue) != expected { - t.Errorf("Failed decrypting attribute used calculated key. Expected: %v, Actual: %v", expected, string(decryptedValue)) - } -} - -func TestGetKForAttribute_MissingAttribute(t *testing.T) { - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, err = GetKForAttribute("business_unit", prek0, tcert) - if err == nil { - t.Errorf("Trying to get a key for an attribute that is not part of the TCert should produce an error") - } -} - -func TestParseEmptyAttributesHeader(t *testing.T) { - _, err := ParseAttributesHeader("") - if err == nil { - t.Error("Empty header should produce a parsing error") - } -} - -func TestParseAttributesHeader_NotNumberPosition(t *testing.T) { - _, err := ParseAttributesHeader(headerPrefix + "position->a#") - if err == nil { - t.Error("Not number position in the header should produce a parsing error") - } -} - -func TestBuildAndParseAttributesHeader(t *testing.T) { - attributes := make(map[string]int) - attributes["company"] = 1 - attributes["position"] = 2 - - headerRaw, err := BuildAttributesHeader(attributes) - if err != nil { - t.Error(err) - } - header := string(headerRaw[:]) - - components, err := ParseAttributesHeader(header) - if err != nil { - t.Error(err) - } - - if len(components) != 2 { - t.Errorf("Error parsing header. Expecting two entries in header, found %v instead", len(components)) - } - - if components["company"] != 1 { - t.Errorf("Error parsing header. Expected %v with value %v, found %v instead", "company", 1, components["company"]) - } - - if components["position"] != 2 { - t.Errorf("Error parsing header. Expected %v with value %v, found %v instead", "position", 2, components["position"]) - } -} - -func TestReadAttributeHeader(t *testing.T) { - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - headerKey := getAttributeKey(prek0, HeaderAttributeName) - - header, encrypted, err := ReadAttributeHeader(tcert, headerKey) - - if err != nil { - t.Error(err) - } - - if !encrypted { - t.Errorf("Error parsing header. Expecting encrypted header.") - } - - if len(header) != 1 { - t.Errorf("Error parsing header. Expecting %v entries in header, found %v instead", 1, len(header)) - } - - if header["position"] != 1 { - t.Errorf("Error parsing header. Expected %v with value %v, found %v instead", "position", 1, header["position"]) - } -} - -func TestReadAttributeHeader_WithoutHeaderKey(t *testing.T) { - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, _, err = ReadAttributeHeader(tcert, nil) - - if err == nil { - t.Error(err) - } -} - -func TestReadAttributeHeader_InvalidHeaderKey(t *testing.T) { - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - headerKey := getAttributeKey(prek0, HeaderAttributeName+"_invalid") - - _, _, err = ReadAttributeHeader(tcert, headerKey) - - if err == nil { - t.Error(err) - } -} - -func TestReadTCertAttributeByPosition(t *testing.T) { - expected := "Software Engineer" - - tcert, prek0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - encryptedAttribute, err := ReadTCertAttributeByPosition(tcert, 1) - - if err != nil { - t.Error(err) - } - - attributeKey := getAttributeKey(prek0, "position") - - attribute, err := DecryptAttributeValue(attributeKey, encryptedAttribute) - - if err != nil { - t.Error(err) - } - - if string(attribute) != expected { - t.Errorf("Failed retrieving attribute value from TCert. Expected: %v, Actual: %v", expected, string(attribute)) - } -} - -func TestGetAttributesMetadata(t *testing.T) { - metadata := []byte{255, 255, 255, 255} - entries := make([]*pb.AttributesMetadataEntry, 1) - var entry pb.AttributesMetadataEntry - entry.AttributeName = "position" - entry.AttributeKey = []byte{0, 0, 0, 0} - entries[0] = &entry - attributesMetadata := pb.AttributesMetadata{Metadata: metadata, Entries: entries} - raw, err := proto.Marshal(&attributesMetadata) - if err != nil { - t.Error(err) - } - resultMetadata, err := GetAttributesMetadata(raw) - if err != nil { - t.Error(err) - } - if bytes.Compare(resultMetadata.Metadata, attributesMetadata.Metadata) != 0 { - t.Fatalf("Invalid metadata expected %v result %v", attributesMetadata.Metadata, resultMetadata.Metadata) - } - if resultMetadata.Entries[0].AttributeName != attributesMetadata.Entries[0].AttributeName { - t.Fatalf("Invalid first entry attribute name expected %v result %v", attributesMetadata.Entries[0].AttributeName, resultMetadata.Entries[0].AttributeName) - } - if bytes.Compare(resultMetadata.Entries[0].AttributeKey, attributesMetadata.Entries[0].AttributeKey) != 0 { - t.Fatalf("Invalid first entry attribute key expected %v result %v", attributesMetadata.Entries[0].AttributeKey, resultMetadata.Entries[0].AttributeKey) - } -} - -func TestReadTCertAttributeByPosition_InvalidPositions(t *testing.T) { - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - _, err = ReadTCertAttributeByPosition(tcert, 2) - - if err == nil { - t.Error("Test should have failed since there is no attribute in the position 2 of the TCert") - } - - _, err = ReadTCertAttributeByPosition(tcert, -2) - - if err == nil { - t.Error("Test should have failed since attribute positions should be positive integer values") - } -} - -func TestCreateAttributesMetadataObjectFromCert(t *testing.T) { - tcert, preK0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - metadata := []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255} - attributeKeys := []string{"position"} - metadataObj := CreateAttributesMetadataObjectFromCert(tcert, metadata, preK0, attributeKeys) - if bytes.Compare(metadataObj.Metadata, metadata) != 0 { - t.Errorf("Invalid metadata result %v but expected %v", metadataObj.Metadata, metadata) - } - - entries := metadataObj.GetEntries() - if len(entries) != 2 { - t.Errorf("Invalid entries in metadata result %v but expected %v", len(entries), 3) - } - - firstEntry := entries[0] - if firstEntry.AttributeName != "position" { - t.Errorf("Invalid first attribute name, this has to be %v but is %v", "position", firstEntry.AttributeName) - } - firstKey, err := GetKForAttribute("position", preK0, tcert) - if err != nil { - t.Error(err) - } - - if bytes.Compare(firstKey, firstEntry.AttributeKey) != 0 { - t.Errorf("Invalid K for first attribute expected %v but returned %v", firstKey, firstEntry.AttributeKey) - } -} - -func TestCreateAttributesMetadata(t *testing.T) { - tcert, preK0, err := loadTCertAndPreK0() - - if err != nil { - t.Error(err) - } - tcertRaw := tcert.Raw - metadata := []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255} - attributeKeys := []string{"position"} - metadataObjRaw, err := CreateAttributesMetadata(tcertRaw, metadata, preK0, attributeKeys) - if err != nil { - t.Error(err) - } - - var metadataObj pb.AttributesMetadata - err = proto.Unmarshal(metadataObjRaw, &metadataObj) - if err != nil { - t.Error(err) - } - - if bytes.Compare(metadataObj.Metadata, metadata) != 0 { - t.Errorf("Invalid metadata result %v but expected %v", metadataObj.Metadata, metadata) - } - - entries := metadataObj.GetEntries() - if len(entries) != 2 { - t.Errorf("Invalid entries in metadata result %v but expected %v", len(entries), 3) - } - - firstEntry := entries[0] - if firstEntry.AttributeName != "position" { - t.Errorf("Invalid first attribute name, this has to be %v but is %v", "position", firstEntry.AttributeName) - } - firstKey, err := GetKForAttribute("position", preK0, tcert) - if err != nil { - t.Error(err) - } - - if bytes.Compare(firstKey, firstEntry.AttributeKey) != 0 { - t.Errorf("Invalid K for first attribute expected %v but returned %v", firstKey, firstEntry.AttributeKey) - } -} - -func TestCreateAttributesMetadata_AttributeNotFound(t *testing.T) { - tcert, preK0, err := loadTCertAndPreK0() - - if err != nil { - t.Error(err) - } - tcertRaw := tcert.Raw - metadata := []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255} - attributeKeys := []string{"company"} - metadataObjRaw, err := CreateAttributesMetadata(tcertRaw, metadata, preK0, attributeKeys) - if err != nil { - t.Error(err) - } - - var metadataObj pb.AttributesMetadata - err = proto.Unmarshal(metadataObjRaw, &metadataObj) - if err != nil { - t.Error(err) - } - if bytes.Compare(metadataObj.Metadata, metadata) != 0 { - t.Errorf("Invalid metadata result %v but expected %v", metadataObj.Metadata, metadata) - } - - entries := metadataObj.GetEntries() - if len(entries) != 2 { - t.Errorf("Invalid entries in metadata result %v but expected %v", len(entries), 3) - } - - firstEntry := entries[0] - if firstEntry.AttributeName != "company" { - t.Errorf("Invalid first attribute name, this has to be %v but is %v", "position", firstEntry.AttributeName) - } - _, err = GetKForAttribute("company", preK0, tcert) - if err == nil { - t.Fatalf("Test should faild because company is not included within the TCert.") - } -} - -func TestCreateAttributesMetadataObjectFromCert_AttributeNotFound(t *testing.T) { - tcert, preK0, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - metadata := []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255} - attributeKeys := []string{"company"} - metadataObj := CreateAttributesMetadataObjectFromCert(tcert, metadata, preK0, attributeKeys) - if bytes.Compare(metadataObj.Metadata, metadata) != 0 { - t.Errorf("Invalid metadata result %v but expected %v", metadataObj.Metadata, metadata) - } - - entries := metadataObj.GetEntries() - if len(entries) != 2 { - t.Errorf("Invalid entries in metadata result %v but expected %v", len(entries), 3) - } - - firstEntry := entries[0] - if firstEntry.AttributeName != "company" { - t.Errorf("Invalid first attribute name, this has to be %v but is %v", "position", firstEntry.AttributeName) - } - _, err = GetKForAttribute("company", preK0, tcert) - if err == nil { - t.Fatalf("Test should faild because company is not included within the TCert.") - } -} - -func TestBuildAttributesHeader(t *testing.T) { - attributes := make(map[string]int) - attributes["company"] = 0 - attributes["position"] = 1 - attributes["country"] = 2 - result, err := BuildAttributesHeader(attributes) - if err != nil { - t.Error(err) - } - - resultStr := string(result) - - if !strings.HasPrefix(resultStr, headerPrefix) { - t.Fatalf("Invalid header prefix expected %v result %v", headerPrefix, resultStr) - } - - if !strings.Contains(resultStr, "company->0#") { - t.Fatalf("Invalid header shoud include '%v'", "company->0#") - } - - if !strings.Contains(resultStr, "position->1#") { - t.Fatalf("Invalid header shoud include '%v'", "position->1#") - } - - if !strings.Contains(resultStr, "country->2#") { - t.Fatalf("Invalid header shoud include '%v'", "country->2#") - } -} - -func TestBuildAttributesHeader_DuplicatedPosition(t *testing.T) { - attributes := make(map[string]int) - attributes["company"] = 0 - attributes["position"] = 0 - attributes["country"] = 1 - _, err := BuildAttributesHeader(attributes) - if err == nil { - t.Fatalf("Error this tests should fail because header has two attributes with the same position") - } -} - -func loadTCertAndPreK0() (*x509.Certificate, []byte, error) { - preKey0, err := ioutil.ReadFile("./test_resources/prek0.dump") - if err != nil { - return nil, nil, err - } - - if err != nil { - return nil, nil, err - } - - tcertRaw, err := ioutil.ReadFile("./test_resources/tcert.dump") - if err != nil { - return nil, nil, err - } - - tcertDecoded, _ := pem.Decode(tcertRaw) - - tcert, err := x509.ParseCertificate(tcertDecoded.Bytes) - if err != nil { - return nil, nil, err - } - - return tcert, preKey0, nil -} diff --git a/accesscontrol/attributes/proto/attributes.pb.go b/accesscontrol/attributes/proto/attributes.pb.go deleted file mode 100644 index 727e3b954bd..00000000000 --- a/accesscontrol/attributes/proto/attributes.pb.go +++ /dev/null @@ -1,85 +0,0 @@ -// Code generated by protoc-gen-go. -// source: attributes.proto -// DO NOT EDIT! - -/* -Package proto is a generated protocol buffer package. - -It is generated from these files: - attributes.proto - -It has these top-level messages: - AttributesMetadataEntry - AttributesMetadata -*/ -package proto - -import proto1 "github.com/golang/protobuf/proto" -import fmt "fmt" -import math "math" - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto1.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto1.ProtoPackageIsVersion2 // please upgrade the proto package - -// AttributesMetadataEntry is an entry within the metadata that store an attribute name with its respective key. -type AttributesMetadataEntry struct { - AttributeName string `protobuf:"bytes,1,opt,name=AttributeName" json:"AttributeName,omitempty"` - AttributeKey []byte `protobuf:"bytes,2,opt,name=AttributeKey,proto3" json:"AttributeKey,omitempty"` -} - -func (m *AttributesMetadataEntry) Reset() { *m = AttributesMetadataEntry{} } -func (m *AttributesMetadataEntry) String() string { return proto1.CompactTextString(m) } -func (*AttributesMetadataEntry) ProtoMessage() {} -func (*AttributesMetadataEntry) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } - -// AttributesMetadata holds both the original metadata bytes and the metadata required to access attributes. -type AttributesMetadata struct { - // Original metadata bytes - Metadata []byte `protobuf:"bytes,1,opt,name=Metadata,proto3" json:"Metadata,omitempty"` - // Entries for each attributes considered. - Entries []*AttributesMetadataEntry `protobuf:"bytes,2,rep,name=Entries" json:"Entries,omitempty"` -} - -func (m *AttributesMetadata) Reset() { *m = AttributesMetadata{} } -func (m *AttributesMetadata) String() string { return proto1.CompactTextString(m) } -func (*AttributesMetadata) ProtoMessage() {} -func (*AttributesMetadata) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } - -func (m *AttributesMetadata) GetEntries() []*AttributesMetadataEntry { - if m != nil { - return m.Entries - } - return nil -} - -func init() { - proto1.RegisterType((*AttributesMetadataEntry)(nil), "protos.AttributesMetadataEntry") - proto1.RegisterType((*AttributesMetadata)(nil), "protos.AttributesMetadata") -} - -func init() { proto1.RegisterFile("attributes.proto", fileDescriptor0) } - -var fileDescriptor0 = []byte{ - // 206 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0x12, 0x48, 0x2c, 0x29, 0x29, - 0xca, 0x4c, 0x2a, 0x2d, 0x49, 0x2d, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x03, 0x53, - 0xc5, 0x4a, 0xc9, 0x5c, 0xe2, 0x8e, 0x70, 0x39, 0xdf, 0xd4, 0x92, 0xc4, 0x94, 0xc4, 0x92, 0x44, - 0xd7, 0xbc, 0x92, 0xa2, 0x4a, 0x21, 0x15, 0x2e, 0x5e, 0xb8, 0x94, 0x5f, 0x62, 0x6e, 0xaa, 0x04, - 0xa3, 0x02, 0xa3, 0x06, 0x67, 0x10, 0xaa, 0xa0, 0x90, 0x12, 0x17, 0x0f, 0x5c, 0xc0, 0x3b, 0xb5, - 0x52, 0x82, 0x49, 0x81, 0x51, 0x83, 0x27, 0x08, 0x45, 0x4c, 0x29, 0x9b, 0x4b, 0x08, 0xd3, 0x12, - 0x21, 0x29, 0x2e, 0x0e, 0x18, 0x1b, 0x6c, 0x34, 0x4f, 0x10, 0x9c, 0x2f, 0x64, 0xc9, 0xc5, 0x0e, - 0x72, 0x44, 0x66, 0x6a, 0xb1, 0x04, 0x93, 0x02, 0xb3, 0x06, 0xb7, 0x91, 0x3c, 0xc4, 0xdd, 0xc5, - 0x7a, 0x38, 0x5c, 0x1b, 0x04, 0x53, 0xef, 0x64, 0x17, 0x65, 0x93, 0x9e, 0x59, 0x92, 0x51, 0x9a, - 0xa4, 0x97, 0x9c, 0x9f, 0xab, 0x9f, 0x51, 0x59, 0x90, 0x5a, 0x94, 0x93, 0x9a, 0x92, 0x9e, 0x5a, - 0xa4, 0x9f, 0x96, 0x98, 0x54, 0x94, 0x99, 0xac, 0x9f, 0x98, 0x9c, 0x9c, 0x5a, 0x5c, 0x9c, 0x9c, - 0x9f, 0x57, 0x52, 0x94, 0x9f, 0xa3, 0x8f, 0x08, 0x19, 0x7d, 0xb0, 0x0d, 0x49, 0x90, 0x90, 0x31, - 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0x75, 0xf7, 0x00, 0x7d, 0x34, 0x01, 0x00, 0x00, -} diff --git a/accesscontrol/attributes/proto/attributes.proto b/accesscontrol/attributes/proto/attributes.proto deleted file mode 100644 index f3eab459013..00000000000 --- a/accesscontrol/attributes/proto/attributes.proto +++ /dev/null @@ -1,35 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -syntax = "proto3"; - -option go_package = "github.com/hyperledger/fabric/accesscontrol/attributes/proto" ; - -package protos; - -//AttributesMetadataEntry is an entry within the metadata that store an attribute name with its respective key. -message AttributesMetadataEntry { - string AttributeName = 1; - bytes AttributeKey = 2; -} - -//AttributesMetadata holds both the original metadata bytes and the metadata required to access attributes. -message AttributesMetadata { - //Original metadata bytes - bytes Metadata = 1; - //Entries for each attributes considered. - repeated AttributesMetadataEntry Entries = 2; -} diff --git a/accesscontrol/attributes/test_resources/prek0.dump b/accesscontrol/attributes/test_resources/prek0.dump deleted file mode 100644 index 442dfea6ca2..00000000000 --- a/accesscontrol/attributes/test_resources/prek0.dump +++ /dev/null @@ -1 +0,0 @@ -ýA>ø0`ñËÕ›=)»á*¨®­g&V'ù aÅàkâJ \ No newline at end of file diff --git a/accesscontrol/attributes/test_resources/tcert.dump b/accesscontrol/attributes/test_resources/tcert.dump deleted file mode 100644 index 95c9862125f..00000000000 --- a/accesscontrol/attributes/test_resources/tcert.dump +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC2TCCAn+gAwIBAgIQBq019NJETm+JnM9pUFY5fDAKBggqhkjOPQQDAzAxMQsw -CQYDVQQGEwJVUzEUMBIGA1UEChMLSHlwZXJsZWRnZXIxDDAKBgNVBAMTA3RjYTAe -Fw0xNjA1MjYxODU4MjBaFw0xNjA4MjQxODU4MjBaMDMxCzAJBgNVBAYTAlVTMRQw -EgYDVQQKEwtIeXBlcmxlZGdlcjEOMAwGA1UEAxMFZGllZ28wWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAARv37sk17/Yq6Ata16fj1CacV3uvYzCwgWx2hearwfEBbEh -+lfmQXYUEu7pcaEaPh+9dNVEeqyHWGqFu2mo5tufo4IBdTCCAXEwDgYDVR0PAQH/ -BAQDAgeAMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBAECAwQwDwYDVR0jBAgwBoAE -AQIDBDBKBgYqAwQFBgoEQLb0qP6OU62xQQewx5PhpJu9cnLp54+aOpSptE78GNyd -vh7xNtSHD1GTouEK2RFx1YwJZHAM7OS48JTDZoPr1L4wTQYGKgMEBQYHAQH/BEDv -kl2JEP0f8OQRch84Hd3o3oGJbOrUBA5eYP0TaQLzpbGop4Z3Uun2Iyllfhixr+Gq -2Xv1vuSDsbNDpObuQthJMEoGBioDBAUGCARALLtd0x7G/yc2WSSo6ag0nntWayud -kaIW7NOJiWGJaOFtP+fufzIUPzYvBAuQIk3nYeOLBH/948ZyKsJQWW/LtzBKBgYq -AwQFBgkEQAXgSabQSC5xHa/YXQi7nlStN81eiG/VhGfTeLvkHXPMDcULAGyKHtax -l2IaAap9QetXi6pkN78lO048IhFTFCswCgYIKoZIzj0EAwMDSAAwRQIhAMSY4g4E -hWh7Ey4sOpPYfJwfM82nZHboLEUzrWFwuZ+KAiBf2V0OoXPt2I2MaV1+2OQIaHcJ -BF8oB65Ox67VENMNUg== ------END CERTIFICATE----- diff --git a/accesscontrol/crypto/attr/attr_support.go b/accesscontrol/crypto/attr/attr_support.go deleted file mode 100644 index 54fd1878e54..00000000000 --- a/accesscontrol/crypto/attr/attr_support.go +++ /dev/null @@ -1,209 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package attr - -import ( - "bytes" - "crypto/x509" - "errors" - - "github.com/hyperledger/fabric/accesscontrol" - "github.com/hyperledger/fabric/accesscontrol/attributes" - "github.com/hyperledger/fabric/accesscontrol/crypto/utils" -) - -// chaincodeHolder is the struct that hold the certificate and the metadata. An implementation is ChaincodeStub -type chaincodeHolder interface { - // GetCreator returns caller certificate - GetCreator() ([]byte, error) - - // GetCallerMetadata returns caller metadata - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - GetCallerMetadata() ([]byte, error) - */ -} - -//AttributesHandler is an entity can be used to both verify and read attributes. -// The functions declared can be used to access the attributes stored in the transaction certificates from the application layer. Can be used directly from the ChaincodeStub API but -// if you need multiple access create a hanlder is better: -// Multiple accesses -// If multiple calls to the functions above are required, a best practice is to create an AttributesHandler instead of calling the functions multiple times, this practice will avoid creating a new AttributesHandler for each of these calls thus eliminating an unnecessary overhead. -// Example: -// -// AttributesHandler, err := ac.NewAttributesHandlerImpl(stub) -// if err != nil { -// return false, err -// } -// AttributesHandler.VerifyAttribute(attributeName, attributeValue) -// ... you can make other verifications and/or read attribute values by using the AttributesHandler -type AttributesHandler interface { - - //VerifyAttributes does the same as VerifyAttribute but it checks for a list of attributes and their respective values instead of a single attribute/value pair - // Example: - // containsAttrs, error:= handler.VerifyAttributes(&ac.Attribute{"position", "Software Engineer"}, &ac.Attribute{"company", "ACompany"}) - VerifyAttributes(attrs ...*accesscontrol.Attribute) (bool, error) - - //VerifyAttribute is used to verify if the transaction certificate has an attribute with name *attributeName* and value *attributeValue* which are the input parameters received by this function. - //Example: - // containsAttr, error := handler.VerifyAttribute("position", "Software Engineer") - VerifyAttribute(attributeName string, attributeValue []byte) (bool, error) - - //GetValue is used to read an specific attribute from the transaction certificate, *attributeName* is passed as input parameter to this function. - // Example: - // attrValue,error:=handler.GetValue("position") - GetValue(attributeName string) ([]byte, error) -} - -//AttributesHandlerImpl is an implementation of AttributesHandler interface. -type AttributesHandlerImpl struct { - cert *x509.Certificate - cache map[string][]byte - keys map[string][]byte - header map[string]int - encrypted bool -} - -type chaincodeHolderImpl struct { - Certificate []byte -} - -// GetCreator returns caller certificate -func (holderImpl *chaincodeHolderImpl) GetCreator() ([]byte, error) { - return holderImpl.Certificate, nil -} - -//GetValueFrom returns the value of 'attributeName0' from a cert. -func GetValueFrom(attributeName string, cert []byte) ([]byte, error) { - handler, err := NewAttributesHandlerImpl(&chaincodeHolderImpl{Certificate: cert}) - if err != nil { - return nil, err - } - return handler.GetValue(attributeName) -} - -//NewAttributesHandlerImpl creates a new AttributesHandlerImpl from a pb.ChaincodeSecurityContext object. -func NewAttributesHandlerImpl(holder chaincodeHolder) (*AttributesHandlerImpl, error) { - // Getting certificate - certRaw, err := holder.GetCreator() - if err != nil { - return nil, err - } - if certRaw == nil { - return nil, errors.New("The certificate can't be nil.") - } - var tcert *x509.Certificate - tcert, err = utils.DERToX509Certificate(certRaw) - if err != nil { - return nil, err - } - - keys := make(map[string][]byte) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - - //Getting Attributes Metadata from security context. - var attrsMetadata *attributespb.AttributesMetadata - var rawMetadata []byte - rawMetadata, err = holder.GetCallerMetadata() - if err != nil { - return nil, err - } - - if rawMetadata != nil { - attrsMetadata, err = attributes.GetAttributesMetadata(rawMetadata) - if err == nil { - for _, entry := range attrsMetadata.Entries { - keys[entry.AttributeName] = entry.AttributeKey - } - } - }*/ - - cache := make(map[string][]byte) - return &AttributesHandlerImpl{tcert, cache, keys, nil, false}, nil -} - -func (attributesHandler *AttributesHandlerImpl) readHeader() (map[string]int, bool, error) { - if attributesHandler.header != nil { - return attributesHandler.header, attributesHandler.encrypted, nil - } - header, encrypted, err := attributes.ReadAttributeHeader(attributesHandler.cert, attributesHandler.keys[attributes.HeaderAttributeName]) - if err != nil { - return nil, false, err - } - attributesHandler.header = header - attributesHandler.encrypted = encrypted - return header, encrypted, nil -} - -//GetValue is used to read an specific attribute from the transaction certificate, *attributeName* is passed as input parameter to this function. -// Example: -// attrValue,error:=handler.GetValue("position") -func (attributesHandler *AttributesHandlerImpl) GetValue(attributeName string) ([]byte, error) { - if attributesHandler.cache[attributeName] != nil { - return attributesHandler.cache[attributeName], nil - } - header, encrypted, err := attributesHandler.readHeader() - if err != nil { - return nil, err - } - value, err := attributes.ReadTCertAttributeByPosition(attributesHandler.cert, header[attributeName]) - if err != nil { - return nil, errors.New("Error reading attribute value '" + err.Error() + "'") - } - - if encrypted { - if attributesHandler.keys[attributeName] == nil { - return nil, errors.New("Cannot find decryption key for attribute") - } - - value, err = attributes.DecryptAttributeValue(attributesHandler.keys[attributeName], value) - if err != nil { - return nil, errors.New("Error decrypting value '" + err.Error() + "'") - } - } - attributesHandler.cache[attributeName] = value - return value, nil -} - -//VerifyAttribute is used to verify if the transaction certificate has an attribute with name *attributeName* and value *attributeValue* which are the input parameters received by this function. -// Example: -// containsAttr, error := handler.VerifyAttribute("position", "Software Engineer") -func (attributesHandler *AttributesHandlerImpl) VerifyAttribute(attributeName string, attributeValue []byte) (bool, error) { - valueHash, err := attributesHandler.GetValue(attributeName) - if err != nil { - return false, err - } - return bytes.Compare(valueHash, attributeValue) == 0, nil -} - -//VerifyAttributes does the same as VerifyAttribute but it checks for a list of attributes and their respective values instead of a single attribute/value pair -// Example: -// containsAttrs, error:= handler.VerifyAttributes(&ac.Attribute{"position", "Software Engineer"}, &ac.Attribute{"company", "ACompany"}) -func (attributesHandler *AttributesHandlerImpl) VerifyAttributes(attrs ...*accesscontrol.Attribute) (bool, error) { - for _, attribute := range attrs { - val, err := attributesHandler.VerifyAttribute(attribute.Name, attribute.Value) - if err != nil { - return false, err - } - if !val { - return val, nil - } - } - return true, nil -} diff --git a/accesscontrol/crypto/attr/attr_support_test.go b/accesscontrol/crypto/attr/attr_support_test.go deleted file mode 100644 index 01b72caef67..00000000000 --- a/accesscontrol/crypto/attr/attr_support_test.go +++ /dev/null @@ -1,682 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package attr - -import ( - "bytes" - "crypto/x509" - "encoding/pem" - "errors" - "io/ioutil" - "testing" - - "github.com/hyperledger/fabric/accesscontrol" - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -var ( - attributeNames = []string{"company", "position"} -) - -type chaincodeStubMock struct { - callerCert []byte - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata []byte - */ -} - -// GetCreator returns caller certificate -func (shim *chaincodeStubMock) GetCreator() ([]byte, error) { - return shim.callerCert, nil -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -// GetCallerMetadata returns caller metadata -func (shim *chaincodeStubMock) GetCallerMetadata() ([]byte, error) { - return shim.metadata, nil -} -*/ - -type certErrorMock struct { - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata []byte - */ -} - -// GetCreator returns caller certificate -func (shim *certErrorMock) GetCreator() ([]byte, error) { - return nil, errors.New("GetCreator error") -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -// GetCallerMetadata returns caller metadata -func (shim *certErrorMock) GetCallerMetadata() ([]byte, error) { - return shim.metadata, nil -}*/ - -type metadataErrorMock struct { - callerCert []byte -} - -// GetCreator returns caller certificate -func (shim *metadataErrorMock) GetCreator() ([]byte, error) { - return shim.callerCert, nil -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -// GetCallerMetadata returns caller metadata -func (shim *metadataErrorMock) GetCallerMetadata() ([]byte, error) { - return nil, errors.New("GetCreator error") -}*/ - -func TestVerifyAttribute(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32, 64} - - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - isOk, err := handler.VerifyAttribute("position", []byte("Software Engineer")) - if err != nil { - t.Error(err) - } - - if !isOk { - t.Fatal("Attribute not verified.") - } -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -func TestVerifyAttribute_InvalidAttributeMetadata(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - - tcertder := tcert.Raw - - attributeMetadata := []byte{123, 22, 34, 56, 78, 44} - - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - keySize := len(handler.keys) - if keySize != 0 { - t.Errorf("Test failed expected [%v] keys but found [%v]", keySize, 0) - } -}*/ - -func TestNewAttributesHandlerImpl_CertificateError(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - metadata := []byte{32, 64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &certErrorMock{metadata: attributeMetadata}*/ - stub := &certErrorMock{} - _, err := NewAttributesHandlerImpl(stub) - if err == nil { - t.Fatal("Error shouldn't be nil") - } -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -func TestNewAttributesHandlerImpl_MetadataError(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - if err != nil { - t.Error(err) - } - stub := &metadataErrorMock{callerCert: tcertder} - _, err = NewAttributesHandlerImpl(stub) - if err == nil { - t.Fatal("Error shouldn't be nil") - } -}*/ - -func TestNewAttributesHandlerImpl_InvalidCertificate(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - if err != nil { - t.Error(err) - } - tcertder[0] = tcertder[0] + 1 - stub := &metadataErrorMock{callerCert: tcertder} - _, err = NewAttributesHandlerImpl(stub) - if err == nil { - t.Fatal("Error shouldn't be nil") - } -} - -func TestNewAttributesHandlerImpl_NullCertificate(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - metadata := []byte{32, 64} - tcertder := tcert.Raw - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: nil, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: nil} - _, err := NewAttributesHandlerImpl(stub) - if err == nil { - t.Fatal("Error can't be nil.") - } -} - -/* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. -func TestNewAttributesHandlerImpl_NullMetadata(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, _, err := loadTCertAndPreK0() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: nil} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - keySize := len(handler.keys) - if keySize != 0 { - t.Errorf("Test failed expected [%v] keys but found [%v]", keySize, 0) - } -}*/ - -func TestVerifyAttributes(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32,64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata} */ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - isOk, err := handler.VerifyAttributes(&accesscontrol.Attribute{Name: "position", Value: []byte("Software Engineer")}) - if err != nil { - t.Error(err) - } - - if !isOk { - t.Fatal("Attribute not verified.") - } -} - -func TestVerifyAttributes_Invalid(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32,64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - isOk, err := handler.VerifyAttributes(&accesscontrol.Attribute{Name: "position", Value: []byte("Software Engineer")}, &accesscontrol.Attribute{Name: "position", Value: []byte("18")}) - if err != nil { - t.Error(err) - } - - if isOk { - t.Fatal("Attribute position=18 should have failed") - } -} - -func TestVerifyAttributes_InvalidHeader(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - - //Change header extensions - tcert.Raw[583] = tcert.Raw[583] + 124 - - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32,64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - _, err = handler.VerifyAttributes(&accesscontrol.Attribute{Name: "position", Value: []byte("Software Engineer")}) - if err == nil { - t.Fatal("Error can't be nil.") - } -} - -func TestVerifyAttributes_InvalidAttributeValue(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - - //Change header extensions - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. 337 is the offset in encrypted tcert. - tcert.Raw[371] = tcert.Raw[371] + 124*/ - tcert.Raw[558] = tcert.Raw[558] + 124 - - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32,64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata} */ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Fatalf("Error creating attribute handlder %v", err) - } - - v, err := handler.GetValue("position") - if err == nil { - t.Fatal("Error can't be nil." + string(v)) - } -} - -func TestVerifyAttributes_Null(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32,64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - isOk, err := handler.VerifyAttribute("position", nil) - if err != nil { - t.Error(err) - } - - if isOk { - t.Fatal("Attribute null is ok.") - } -} - -func TestGetValue(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32, 64} - - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - value, err := handler.GetValue("position") - if err != nil { - t.Error(err) - } - - if bytes.Compare(value, []byte("Software Engineer")) != 0 { - t.Fatalf("Value expected was [%v] and result was [%v].", []byte("Software Engineer"), value) - } - - //Second time read from cache. - value, err = handler.GetValue("position") - if err != nil { - t.Error(err) - } - - if bytes.Compare(value, []byte("Software Engineer")) != 0 { - t.Fatalf("Value expected was [%v] and result was [%v].", []byte("Software Engineer"), value) - } -} - -func TestGetValue_Clear(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - value, err := GetValueFrom("position", tcertder) - if err != nil { - t.Error(err) - } - - if bytes.Compare(value, []byte("Software Engineer")) != 0 { - t.Fatalf("Value expected was [%v] and result was [%v].", []byte("Software Engineer"), value) - } - - //Second time read from cache. - value, err = GetValueFrom("position", tcertder) - if err != nil { - t.Error(err) - } - - if bytes.Compare(value, []byte("Software Engineer")) != 0 { - t.Fatalf("Value expected was [%v] and result was [%v].", []byte("Software Engineer"), value) - } -} - -func TestGetValue_BadHeaderTCert(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, err := loadTCertFromFile("./test_resources/tcert_bad.dump") - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - _, err = GetValueFrom("position", tcertder) - if err == nil { - t.Fatal("Test should be fail due TCert has an invalid header.") - } -} - -func TestGetValue_Clear_NullTCert(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - _, err := GetValueFrom("position", nil) - if err == nil { - t.Error(err) - } -} - -func TestGetValue_InvalidAttribute(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32, 64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - _, err = handler.GetValue("age") - if err == nil { - t.Error(err) - } - - //Force invalid key - handler.keys["position"] = nil - _, err = handler.GetValue("positions") - if err == nil { - t.Error(err) - } -} - -func TestGetValue_Clear_InvalidAttribute(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32, 64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - value, err := handler.GetValue("age") - if value != nil || err == nil { - t.Fatalf("Test should fail [%v] \n", string(value)) - } -} - -func TestGetValue_InvalidAttribute_ValidAttribute(t *testing.T) { - primitives.SetSecurityLevel("SHA3", 256) - - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - tcert, prek0, err := loadTCertAndPreK0() */ - tcert, err := loadTCertClear() - if err != nil { - t.Error(err) - } - tcertder := tcert.Raw - /* - TODO: ##attributes-keys-pending This code have be redefined to avoid use of metadata field. - metadata := []byte{32, 64} - attributeMetadata, err := attributes.CreateAttributesMetadata(tcertder, metadata, prek0, attributeNames) - if err != nil { - t.Error(err) - } - stub := &chaincodeStubMock{callerCert: tcertder, metadata: attributeMetadata}*/ - stub := &chaincodeStubMock{callerCert: tcertder} - handler, err := NewAttributesHandlerImpl(stub) - if err != nil { - t.Error(err) - } - - _, err = handler.GetValue("age") - if err == nil { - t.Error(err) - } - - //Second time read a valid attribute from the TCert. - value, err := handler.GetValue("position") - if err != nil { - t.Error(err) - } - - if bytes.Compare(value, []byte("Software Engineer")) != 0 { - t.Fatalf("Value expected was [%v] and result was [%v].", []byte("Software Engineer"), value) - } -} - -func loadTCertFromFile(filepath string) (*x509.Certificate, error) { - tcertRaw, err := ioutil.ReadFile(filepath) - if err != nil { - return nil, err - } - - tcertDecoded, _ := pem.Decode(tcertRaw) - - tcert, err := x509.ParseCertificate(tcertDecoded.Bytes) - if err != nil { - return nil, err - } - - return tcert, nil -} - -func loadTCertAndPreK0() (*x509.Certificate, []byte, error) { - preKey0, err := ioutil.ReadFile("./test_resources/prek0.dump") - if err != nil { - return nil, nil, err - } - - if err != nil { - return nil, nil, err - } - - tcert, err := loadTCertFromFile("./test_resources/tcert.dump") - if err != nil { - return nil, nil, err - } - - return tcert, preKey0, nil -} - -func loadTCertClear() (*x509.Certificate, error) { - return loadTCertFromFile("./test_resources/tcert_clear.dump") -} diff --git a/accesscontrol/crypto/attr/test_resources/prek0.dump b/accesscontrol/crypto/attr/test_resources/prek0.dump deleted file mode 100644 index 442dfea6ca2..00000000000 --- a/accesscontrol/crypto/attr/test_resources/prek0.dump +++ /dev/null @@ -1 +0,0 @@ -ýA>ø0`ñËÕ›=)»á*¨®­g&V'ù aÅàkâJ \ No newline at end of file diff --git a/accesscontrol/crypto/attr/test_resources/tcert.dump b/accesscontrol/crypto/attr/test_resources/tcert.dump deleted file mode 100644 index 95c9862125f..00000000000 --- a/accesscontrol/crypto/attr/test_resources/tcert.dump +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC2TCCAn+gAwIBAgIQBq019NJETm+JnM9pUFY5fDAKBggqhkjOPQQDAzAxMQsw -CQYDVQQGEwJVUzEUMBIGA1UEChMLSHlwZXJsZWRnZXIxDDAKBgNVBAMTA3RjYTAe -Fw0xNjA1MjYxODU4MjBaFw0xNjA4MjQxODU4MjBaMDMxCzAJBgNVBAYTAlVTMRQw -EgYDVQQKEwtIeXBlcmxlZGdlcjEOMAwGA1UEAxMFZGllZ28wWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAARv37sk17/Yq6Ata16fj1CacV3uvYzCwgWx2hearwfEBbEh -+lfmQXYUEu7pcaEaPh+9dNVEeqyHWGqFu2mo5tufo4IBdTCCAXEwDgYDVR0PAQH/ -BAQDAgeAMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBAECAwQwDwYDVR0jBAgwBoAE -AQIDBDBKBgYqAwQFBgoEQLb0qP6OU62xQQewx5PhpJu9cnLp54+aOpSptE78GNyd -vh7xNtSHD1GTouEK2RFx1YwJZHAM7OS48JTDZoPr1L4wTQYGKgMEBQYHAQH/BEDv -kl2JEP0f8OQRch84Hd3o3oGJbOrUBA5eYP0TaQLzpbGop4Z3Uun2Iyllfhixr+Gq -2Xv1vuSDsbNDpObuQthJMEoGBioDBAUGCARALLtd0x7G/yc2WSSo6ag0nntWayud -kaIW7NOJiWGJaOFtP+fufzIUPzYvBAuQIk3nYeOLBH/948ZyKsJQWW/LtzBKBgYq -AwQFBgkEQAXgSabQSC5xHa/YXQi7nlStN81eiG/VhGfTeLvkHXPMDcULAGyKHtax -l2IaAap9QetXi6pkN78lO048IhFTFCswCgYIKoZIzj0EAwMDSAAwRQIhAMSY4g4E -hWh7Ey4sOpPYfJwfM82nZHboLEUzrWFwuZ+KAiBf2V0OoXPt2I2MaV1+2OQIaHcJ -BF8oB65Ox67VENMNUg== ------END CERTIFICATE----- diff --git a/accesscontrol/crypto/attr/test_resources/tcert_bad.dump b/accesscontrol/crypto/attr/test_resources/tcert_bad.dump deleted file mode 100644 index ac61d3bdfa2..00000000000 --- a/accesscontrol/crypto/attr/test_resources/tcert_bad.dump +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICoDCCAkagAwIBAgIRALdvx2997k0el4M6q7FoSYswCgYIKoZIzj0EAwMwMTEL -MAkGA1UEBhMCVVMxFDASBgNVBAoTC0h5cGVybGVkZ2VyMQwwCgYDVQQDEwN0Y2Ew -HhcNMTYwNjExMDI1NzIzWhcNMTYwOTA5MDI1NzIzWjAzMQswCQYDVQQGEwJVUzEU -MBIGA1UEChMLSHlwZXJsZWRnZXIxDjAMBgNVBAMTBWRpZWdvMFkwEwYHKoZIzj0C -AQYIKoZIzj0DAQcDQgAETkdTO8tIQhNbm4k01RUIRV+vfqV7cCiEe/he209CoL9w -ykpkNpLWDvuuaPngwiQ3XoBpR5KkV11WLEkm6YgO/KOCATswggE3MA4GA1UdDwEB -/wQEAwIHgDAMBgNVHRMBAf8EAjAAMA0GA1UdDgQGBAQBAgMEMA8GA1UdIwQIMAaA -BAECAwQwGwYGKgMEBQYKBBFTb2Z0d2FyZSBFbmdpbmVlcjASBgYqAwQFBgsECEFD -b21wYW55ME0GBioDBAUGBwEB/wRA3Fw686SYs3vBtSGe+NhpnLjJMXNDgTrYO8qi -Q4gFvNvPZvrU+QDgBnzS/YRUSP8FS/d8NA3ur5QWyafuFeRatzBKBgYqAwQFBggE -QIb+dQuwRhrYXRvJmpVDcZMacvQtPJYRX/rI0SwC9mcylgUhypfs7bbXleskX4cW -Oi/WC2ntOW9MN4g2usDrCOMwKwYGKgMEBQYJBCEwMEhFQURwb3NpdGlvbi0+MTAw -I2NvbXBhbnktPjEwMCMwCgYIKoZIzj0EAwMDSAAwRQIhANtfRCq+wkaSDfhpASA6 -0oyUcMQWSyVaOvMfWnmRJAJAAiBcnczAputMeGMWbHdpI2aVR7yn4o+MqRVzEBy3 -odOIQw== ------END CERTIFICATE----- diff --git a/accesscontrol/crypto/attr/test_resources/tcert_clear.dump b/accesscontrol/crypto/attr/test_resources/tcert_clear.dump deleted file mode 100644 index 2c39b6df4a4..00000000000 --- a/accesscontrol/crypto/attr/test_resources/tcert_clear.dump +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICnDCCAkGgAwIBAgIQDeV68dFWTbaf9Z5CElzSPjAKBggqhkjOPQQDAzAxMQsw -CQYDVQQGEwJVUzEUMBIGA1UEChMLSHlwZXJsZWRnZXIxDDAKBgNVBAMTA3RjYTAe -Fw0xNjA2MTEwMTIwNDlaFw0xNjA5MDkwMTIwNDlaMDMxCzAJBgNVBAYTAlVTMRQw -EgYDVQQKEwtIeXBlcmxlZGdlcjEOMAwGA1UEAxMFZGllZ28wWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAAT8PV1TuE63bFhpDpStyT1oi1sQBg1mcqgAZ8VKiHdyqE/j -tihuHuMJv8fEDLB56GwfTZNGAO0NJOykou3QVLBTo4IBNzCCATMwDgYDVR0PAQH/ -BAQDAgeAMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBAECAwQwDwYDVR0jBAgwBoAE -AQIDBDAbBgYqAwQFBgoEEVNvZnR3YXJlIEVuZ2luZWVyMBIGBioDBAUGCwQIQUNv -bXBhbnkwTQYGKgMEBQYHAQH/BECHkB85vxvL+vE5aGVvbclE6A8hthYo15KSARz/ -ZF5wc2JJfHIMs+M4MV00kExRitvVsOXVxYqMGHZcsyzT56jaMEoGBioDBAUGCARA -9DXfVKvsohk/E4J1UUxeELM1EMhCeTpkOFPs0mLUytGyQlL9Wuj7SAKHF3GP3Pkj -AX9wZaw26RrNYRTIa0azwTAnBgYqAwQFBgkEHTAwSEVBRHBvc2l0aW9uLT4xI2Nv -bXBhbnktPjIjMAoGCCqGSM49BAMDA0kAMEYCIQCw/3c2dA3KEU9jfGkPbwYxX1UK -BuQzK2hmoD+CUEGtpgIhAPW+4/+IL+6A367zTuqpI//6e75pSdj43Wn2rKuhSbF9 ------END CERTIFICATE----- diff --git a/accesscontrol/crypto/crypto.go b/accesscontrol/crypto/crypto.go deleted file mode 100644 index 4fb850bde06..00000000000 --- a/accesscontrol/crypto/crypto.go +++ /dev/null @@ -1,24 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package crypto - -// SignatureVerifier verifies signatures -type SignatureVerifier interface { - - // Verify verifies signature sig against verification key vk and message msg. - Verify(vk, sig, msg []byte) (bool, error) -} diff --git a/accesscontrol/crypto/ecdsa/ecdsa.go b/accesscontrol/crypto/ecdsa/ecdsa.go deleted file mode 100644 index 1b25ddf50ef..00000000000 --- a/accesscontrol/crypto/ecdsa/ecdsa.go +++ /dev/null @@ -1,67 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package ecdsa - -import ( - "crypto/ecdsa" - "encoding/asn1" - "math/big" - - "github.com/hyperledger/fabric/accesscontrol/crypto" -) - -type x509ECDSASignatureVerifierImpl struct { -} - -// ECDSASignature represents an ECDSA signature -type ECDSASignature struct { - R, S *big.Int -} - -func (sv *x509ECDSASignatureVerifierImpl) Verify(certificate, signature, message []byte) (bool, error) { - // Interpret vk as an x509 certificate - cert, err := derToX509Certificate(certificate) - if err != nil { - return false, err - } - - // TODO: verify certificate - - // Interpret signature as an ECDSA signature - vk := cert.PublicKey.(*ecdsa.PublicKey) - - return sv.verifyImpl(vk, signature, message) -} - -func (sv *x509ECDSASignatureVerifierImpl) verifyImpl(vk *ecdsa.PublicKey, signature, message []byte) (bool, error) { - ecdsaSignature := new(ECDSASignature) - _, err := asn1.Unmarshal(signature, ecdsaSignature) - if err != nil { - return false, err - } - - h, err := computeHash(message, vk.Params().BitSize) - if err != nil { - return false, err - } - - return ecdsa.Verify(vk, h, ecdsaSignature.R, ecdsaSignature.S), nil -} - -func NewX509ECDSASignatureVerifier() crypto.SignatureVerifier { - return &x509ECDSASignatureVerifierImpl{} -} diff --git a/accesscontrol/crypto/ecdsa/ecdsa_test.go b/accesscontrol/crypto/ecdsa/ecdsa_test.go deleted file mode 100644 index dbf533be1a0..00000000000 --- a/accesscontrol/crypto/ecdsa/ecdsa_test.go +++ /dev/null @@ -1,192 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package ecdsa - -import ( - "testing" - - "github.com/hyperledger/fabric/accesscontrol/crypto/utils" - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -func TestSignatureVerifier(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA3", 256) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} - -func TestSignatureVerifierSHA2(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA2", 256) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} - -func TestSignatureVerifierSHA2_384(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA2", 384) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} - -func TestSignatureVerifierSHA3_384(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA3", 384) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} - -func TestSignatureVerifierSHA2_512(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA2", 512) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} - -func TestSignatureVerifierSHA3_512(t *testing.T) { - // Create a signature - primitives.SetSecurityLevel("SHA3", 512) - - cert, key, err := utils.NewSelfSignedCert() - if err != nil { - t.Fatal(err) - } - - message := []byte("Hello World!") - signature, err := utils.ECDSASign(key, message) - if err != nil { - t.Fatal(err) - } - - // Instantiate a new SignatureVerifier - sv := NewX509ECDSASignatureVerifier() - - // Verify the signature - ok, err := sv.Verify(cert, signature, message) - if err != nil { - t.Fatal(err) - } - if !ok { - t.Fatal("Signature does not verify") - } -} diff --git a/accesscontrol/crypto/ecdsa/hash.go b/accesscontrol/crypto/ecdsa/hash.go deleted file mode 100644 index 696fd2ae1b7..00000000000 --- a/accesscontrol/crypto/ecdsa/hash.go +++ /dev/null @@ -1,82 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package ecdsa - -import ( - "crypto/sha256" - "crypto/sha512" - "fmt" - "hash" - - "golang.org/x/crypto/sha3" - - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -func getHashSHA2(bitsize int) (hash.Hash, error) { - switch bitsize { - case 224: - return sha256.New224(), nil - case 256: - return sha256.New(), nil - case 384: - return sha512.New384(), nil - case 512: - return sha512.New(), nil - case 521: - return sha512.New(), nil - default: - return nil, fmt.Errorf("Invalid bitsize. It was [%d]. Expected [224, 256, 384, 512, 521]", bitsize) - } -} - -func getHashSHA3(bitsize int) (hash.Hash, error) { - switch bitsize { - case 224: - return sha3.New224(), nil - case 256: - return sha3.New256(), nil - case 384: - return sha3.New384(), nil - case 512: - return sha3.New512(), nil - case 521: - return sha3.New512(), nil - default: - return nil, fmt.Errorf("Invalid bitsize. It was [%d]. Expected [224, 256, 384, 512, 521]", bitsize) - } -} - -func computeHash(msg []byte, bitsize int) ([]byte, error) { - var hash hash.Hash - var err error - switch primitives.GetHashAlgorithm() { - case "SHA2": - hash, err = getHashSHA2(bitsize) - case "SHA3": - hash, err = getHashSHA3(bitsize) - default: - return nil, fmt.Errorf("Invalid hash algorithm %s", primitives.GetHashAlgorithm()) - } - - if err != nil { - return nil, err - } - - hash.Write(msg) - return hash.Sum(nil), nil -} diff --git a/accesscontrol/crypto/ecdsa/x509.go b/accesscontrol/crypto/ecdsa/x509.go deleted file mode 100644 index d65f0cc6fee..00000000000 --- a/accesscontrol/crypto/ecdsa/x509.go +++ /dev/null @@ -1,25 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package ecdsa - -import ( - "crypto/x509" -) - -func derToX509Certificate(asn1Data []byte) (*x509.Certificate, error) { - return x509.ParseCertificate(asn1Data) -} diff --git a/accesscontrol/crypto/utils/aes.go b/accesscontrol/crypto/utils/aes.go deleted file mode 100644 index 08a8d83b415..00000000000 --- a/accesscontrol/crypto/utils/aes.go +++ /dev/null @@ -1,156 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -import ( - "bytes" - "crypto/aes" - "crypto/cipher" - "crypto/rand" - "errors" - "fmt" - "io" - - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -const ( - // AESKeyLength is the default AES key length - AESKeyLength = 32 - - // NonceSize is the default NonceSize - NonceSize = 24 -) - -// GenAESKey returns a random AES key of length AESKeyLength -func GenAESKey() ([]byte, error) { - return primitives.GetRandomBytes(AESKeyLength) -} - -// PKCS7Padding pads as prescribed by the PKCS7 standard -func PKCS7Padding(src []byte) []byte { - padding := aes.BlockSize - len(src)%aes.BlockSize - padtext := bytes.Repeat([]byte{byte(padding)}, padding) - return append(src, padtext...) -} - -// PKCS7UnPadding unpads as prescribed by the PKCS7 standard -func PKCS7UnPadding(src []byte) ([]byte, error) { - length := len(src) - unpadding := int(src[length-1]) - - if unpadding > aes.BlockSize || unpadding == 0 { - return nil, fmt.Errorf("invalid padding") - } - - pad := src[len(src)-unpadding:] - for i := 0; i < unpadding; i++ { - if pad[i] != byte(unpadding) { - return nil, fmt.Errorf("invalid padding") - } - } - - return src[:(length - unpadding)], nil -} - -// CBCEncrypt encrypts using CBC mode -func CBCEncrypt(key, s []byte) ([]byte, error) { - // CBC mode works on blocks so plaintexts may need to be padded to the - // next whole block. For an example of such padding, see - // https://tools.ietf.org/html/rfc5246#section-6.2.3.2. Here we'll - // assume that the plaintext is already of the correct length. - if len(s)%aes.BlockSize != 0 { - return nil, errors.New("plaintext is not a multiple of the block size") - } - - block, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - - // The IV needs to be unique, but not secure. Therefore it's common to - // include it at the beginning of the ciphertext. - ciphertext := make([]byte, aes.BlockSize+len(s)) - iv := ciphertext[:aes.BlockSize] - if _, err := io.ReadFull(rand.Reader, iv); err != nil { - return nil, err - } - - mode := cipher.NewCBCEncrypter(block, iv) - mode.CryptBlocks(ciphertext[aes.BlockSize:], s) - - // It's important to remember that ciphertexts must be authenticated - // (i.e. by using crypto/hmac) as well as being encrypted in order to - // be secure. - return ciphertext, nil -} - -// CBCDecrypt decrypts using CBC mode -func CBCDecrypt(key, src []byte) ([]byte, error) { - block, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - - // The IV needs to be unique, but not secure. Therefore it's common to - // include it at the beginning of the ciphertext. - if len(src) < aes.BlockSize { - return nil, errors.New("ciphertext too short") - } - iv := src[:aes.BlockSize] - src = src[aes.BlockSize:] - - // CBC mode always works in whole blocks. - if len(src)%aes.BlockSize != 0 { - return nil, errors.New("ciphertext is not a multiple of the block size") - } - - mode := cipher.NewCBCDecrypter(block, iv) - - // CryptBlocks can work in-place if the two arguments are the same. - mode.CryptBlocks(src, src) - - // If the original plaintext lengths are not a multiple of the block - // size, padding would have to be added when encrypting, which would be - // removed at this point. For an example, see - // https://tools.ietf.org/html/rfc5246#section-6.2.3.2. However, it's - // critical to note that ciphertexts must be authenticated (i.e. by - // using crypto/hmac) before being decrypted in order to avoid creating - // a padding oracle. - - return src, nil -} - -// CBCPKCS7Encrypt combines CBC encryption and PKCS7 padding -func CBCPKCS7Encrypt(key, src []byte) ([]byte, error) { - return CBCEncrypt(key, PKCS7Padding(src)) -} - -// CBCPKCS7Decrypt combines CBC decryption and PKCS7 unpadding -func CBCPKCS7Decrypt(key, src []byte) ([]byte, error) { - pt, err := CBCDecrypt(key, src) - if err != nil { - return nil, err - } - - original, err := PKCS7UnPadding(pt) - if err != nil { - return nil, err - } - - return original, nil -} diff --git a/accesscontrol/crypto/utils/aes_test.go b/accesscontrol/crypto/utils/aes_test.go deleted file mode 100644 index 7f7b0bea01b..00000000000 --- a/accesscontrol/crypto/utils/aes_test.go +++ /dev/null @@ -1,481 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// This package contains unit-tests for the -// github.com/hyperledger/fabric/core/crypto/primitives package -package utils - -import ( - "bytes" - "crypto/aes" - "crypto/rand" - "math/big" - "testing" - - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -// TestCBCPKCS7EncryptCBCPKCS7Decrypt encrypts using CBCPKCS7Encrypt and decrypts using CBCPKCS7Decrypt. -func TestCBCPKCS7EncryptCBCPKCS7Decrypt(t *testing.T) { - - // Note: The purpose of this test is not to test AES-256 in CBC mode's strength - // ... but rather to verify the code wrapping/unwrapping the cipher. - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - - // 123456789012345678901234567890123456789012 - var ptext = []byte("a message with arbitrary length (42 bytes)") - - encrypted, encErr := CBCPKCS7Encrypt(key, ptext) - if encErr != nil { - t.Fatalf("Error encrypting '%s': %s", ptext, encErr) - } - - decrypted, dErr := CBCPKCS7Decrypt(key, encrypted) - if dErr != nil { - t.Fatalf("Error decrypting the encrypted '%s': %v", ptext, dErr) - } - - if string(ptext[:]) != string(decrypted[:]) { - t.Fatal("Decrypt( Encrypt( ptext ) ) != ptext: Ciphertext decryption with the same key must result in the original plaintext!") - } - -} - -// TestPKCS7Padding verifies the PKCS#7 padding, using a human readable plaintext. -func TestPKCS7Padding(t *testing.T) { - - // 0 byte/length ptext - ptext := []byte("") - expected := []byte{16, 16, 16, 16, - 16, 16, 16, 16, - 16, 16, 16, 16, - 16, 16, 16, 16} - result := PKCS7Padding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("Padding error! Expected: ", expected, "', received: '", result, "'") - } - - // 1 byte/length ptext - ptext = []byte("1") - expected = []byte{'1', 15, 15, 15, - 15, 15, 15, 15, - 15, 15, 15, 15, - 15, 15, 15, 15} - result = PKCS7Padding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") - } - - // 2 byte/length ptext - ptext = []byte("12") - expected = []byte{'1', '2', 14, 14, - 14, 14, 14, 14, - 14, 14, 14, 14, - 14, 14, 14, 14} - result = PKCS7Padding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") - } - - // 3 to aes.BlockSize-1 byte plaintext - ptext = []byte("1234567890ABCDEF") - for i := 3; i < aes.BlockSize; i++ { - result := PKCS7Padding(ptext[:i]) - - padding := aes.BlockSize - i - expectedPadding := bytes.Repeat([]byte{byte(padding)}, padding) - expected = append(ptext[:i], expectedPadding...) - - if !bytes.Equal(result, expected) { - t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") - } - - } - - // aes.BlockSize length ptext - ptext = bytes.Repeat([]byte{byte('x')}, aes.BlockSize) - result = PKCS7Padding(ptext) - - expectedPadding := bytes.Repeat([]byte{byte(aes.BlockSize)}, aes.BlockSize) - expected = append(ptext, expectedPadding...) - - if len(result) != 2*aes.BlockSize { - t.Fatal("Padding error: expected the length of the returned slice to be 2 times aes.BlockSize") - } - - if !bytes.Equal(expected, result) { - t.Fatal("Padding error! Expected: '", expected, "', received: '", result, "'") - } - -} - -// TestPKCS7UnPadding verifies the PKCS#7 unpadding, using a human readable plaintext. -func TestPKCS7UnPadding(t *testing.T) { - - // 0 byte/length ptext - expected := []byte("") - ptext := []byte{16, 16, 16, 16, - 16, 16, 16, 16, - 16, 16, 16, 16, - 16, 16, 16, 16} - - result, _ := PKCS7UnPadding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") - } - - // 1 byte/length ptext - expected = []byte("1") - ptext = []byte{'1', 15, 15, 15, - 15, 15, 15, 15, - 15, 15, 15, 15, - 15, 15, 15, 15} - - result, _ = PKCS7UnPadding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") - } - - // 2 byte/length ptext - expected = []byte("12") - ptext = []byte{'1', '2', 14, 14, - 14, 14, 14, 14, - 14, 14, 14, 14, - 14, 14, 14, 14} - - result, _ = PKCS7UnPadding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") - } - - // 3 to aes.BlockSize-1 byte plaintext - base := []byte("1234567890ABCDEF") - for i := 3; i < aes.BlockSize; i++ { - iPad := aes.BlockSize - i - padding := bytes.Repeat([]byte{byte(iPad)}, iPad) - ptext = append(base[:i], padding...) - - expected := base[:i] - result, _ := PKCS7UnPadding(ptext) - - if !bytes.Equal(result, expected) { - t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") - } - - } - - // aes.BlockSize length ptext - expected = bytes.Repeat([]byte{byte('x')}, aes.BlockSize) - padding := bytes.Repeat([]byte{byte(aes.BlockSize)}, aes.BlockSize) - ptext = append(expected, padding...) - - result, _ = PKCS7UnPadding(ptext) - - if !bytes.Equal(expected, result) { - t.Fatal("UnPadding error! Expected: '", expected, "', received: '", result, "'") - } -} - -// TestCBCEncryptCBCPKCS7Decrypt_BlockSizeLengthPlaintext verifies that CBCPKCS7Decrypt returns an error -// when attempting to decrypt ciphertext of an irreproducible length. -func TestCBCEncryptCBCPKCS7Decrypt_BlockSizeLengthPlaintext(t *testing.T) { - - // One of the purposes of this test is to also document and clarify the expected behavior, i.e., that an extra - // block is appended to the message at the padding stage, as per the spec of PKCS#7 v1.5 [see RFC-2315 p.21] - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - - // 1234567890123456 - var ptext = []byte("a 16 byte messag") - - encrypted, encErr := CBCEncrypt(key, ptext) - if encErr != nil { - t.Fatalf("Error encrypting '%s': %v", ptext, encErr) - } - - decrypted, dErr := CBCPKCS7Decrypt(key, encrypted) - if dErr == nil { - t.Fatalf("Expected an error decrypting ptext '%s'. Decrypted to '%v'", dErr, decrypted) - } -} - -// TestCBCPKCS7EncryptCBCDecrypt_ExpectingCorruptMessage verifies that CBCDecrypt can decrypt the unpadded -// version of the ciphertext, of a message of BlockSize length. -func TestCBCPKCS7EncryptCBCDecrypt_ExpectingCorruptMessage(t *testing.T) { - - // One of the purposes of this test is to also document and clarify the expected behavior, i.e., that an extra - // block is appended to the message at the padding stage, as per the spec of PKCS#7 v1.5 [see RFC-2315 p.21] - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - - // 0123456789ABCDEF - var ptext = []byte("a 16 byte messag") - - encrypted, encErr := CBCPKCS7Encrypt(key, ptext) - if encErr != nil { - t.Fatalf("Error encrypting ptext %v", encErr) - } - - decrypted, dErr := CBCDecrypt(key, encrypted) - if dErr != nil { - t.Fatalf("Error encrypting ptext %v, %v", dErr, decrypted) - } - - if string(ptext[:]) != string(decrypted[:aes.BlockSize]) { - t.Log("ptext: ", ptext) - t.Log("decrypted: ", decrypted[:aes.BlockSize]) - t.Fatal("Encryption->Decryption with same key should result in original ptext") - } - - if !bytes.Equal(decrypted[aes.BlockSize:], bytes.Repeat([]byte{byte(aes.BlockSize)}, aes.BlockSize)) { - t.Fatal("Expected extra block with padding in encrypted ptext", decrypted) - } - -} - -// TestCBCPKCS7Encrypt_EmptyPlaintext encrypts and pad an empty ptext. Verifying as well that the ciphertext length is as expected. -func TestCBCPKCS7Encrypt_EmptyPlaintext(t *testing.T) { - - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - - t.Log("Generated key: ", key) - - var emptyPlaintext = []byte("") - t.Log("Plaintext length: ", len(emptyPlaintext)) - - ciphertext, encErr := CBCPKCS7Encrypt(key, emptyPlaintext) - if encErr != nil { - t.Fatalf("Error encrypting '%v'", encErr) - } - - // Expected ciphertext length: AESKeyLength (=32) - // As part of the padding, at least one block gets encrypted (while the first block is the IV) - const expectedLength = aes.BlockSize + aes.BlockSize - if len(ciphertext) != expectedLength { - t.Fatalf("Wrong ciphertext length. Expected %d, recieved %d", expectedLength, len(ciphertext)) - } - - t.Log("Ciphertext length: ", len(ciphertext)) - t.Log("Cipher: ", ciphertext) -} - -// TestCBCEncrypt_EmptyPlaintext encrypts an empty message. Verifying as well that the ciphertext length is as expected. -func TestCBCEncrypt_EmptyPlaintext(t *testing.T) { - - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - t.Log("Generated key: ", key) - - var emptyPlaintext = []byte("") - t.Log("Message length: ", len(emptyPlaintext)) - - ciphertext, encErr := CBCEncrypt(key, emptyPlaintext) - if encErr != nil { - } - - t.Log("Ciphertext length: ", len(ciphertext)) - - // Expected cipher length: aes.BlockSize, the first and only block is the IV - var expectedLength = aes.BlockSize - - if len(ciphertext) != expectedLength { - t.Fatalf("Wrong ciphertext length. Expected: '%d', received: '%d'", expectedLength, len(ciphertext)) - } - t.Log("Ciphertext: ", ciphertext) -} - -// TestCBCPKCS7Encrypt_VerifyRandomIVs encrypts twice with same key. The first 16 bytes should be different if IV is generated randomly. -func TestCBCPKCS7Encrypt_VerifyRandomIVs(t *testing.T) { - - key := make([]byte, aes.BlockSize) - rand.Reader.Read(key) - t.Log("Key 1", key) - - var ptext = []byte("a message to encrypt") - - ciphertext1, err := CBCPKCS7Encrypt(key, ptext) - if err != nil { - t.Fatalf("Error encrypting '%s': %s", ptext, err) - } - - // Expecting a different IV if same message is encrypted with same key - ciphertext2, err := CBCPKCS7Encrypt(key, ptext) - if err != nil { - t.Fatalf("Error encrypting '%s': %s", ptext, err) - } - - iv1 := ciphertext1[:aes.BlockSize] - iv2 := ciphertext2[:aes.BlockSize] - - t.Log("Ciphertext1: ", iv1) - t.Log("Ciphertext2: ", iv2) - t.Log("bytes.Equal: ", bytes.Equal(iv1, iv2)) - - if bytes.Equal(iv1, iv2) { - t.Fatal("Error: ciphertexts contain identical initialization vectors (IVs)") - } -} - -// TestCBCPKCS7Encrypt_CorrectCiphertextLengthCheck verifies that the returned ciphertext lengths are as expected. -func TestCBCPKCS7Encrypt_CorrectCiphertextLengthCheck(t *testing.T) { - - key := make([]byte, aes.BlockSize) - rand.Reader.Read(key) - - // length of message (in bytes) == aes.BlockSize (16 bytes) - // The expected cipher length = IV length (1 block) + 1 block message - - var ptext = []byte("0123456789ABCDEF") - - for i := 1; i < aes.BlockSize; i++ { - ciphertext, err := CBCPKCS7Encrypt(key, ptext[:i]) - if err != nil { - t.Fatal("Error encrypting '", ptext, "'") - } - - expectedLength := aes.BlockSize + aes.BlockSize - if len(ciphertext) != expectedLength { - t.Fatalf("Incorrect ciphertext incorrect: expected '%d', received '%d'", expectedLength, len(ciphertext)) - } - } -} - -// TestCBCEncryptCBCDecrypt_KeyMismatch attempts to decrypt with a different key than the one used for encryption. -func TestCBCEncryptCBCDecrypt_KeyMismatch(t *testing.T) { - - // Generate a random key - key := make([]byte, aes.BlockSize) - rand.Reader.Read(key) - - // Clone & tamper with the key - wrongKey := make([]byte, aes.BlockSize) - copy(wrongKey, key[:]) - wrongKey[0] = key[0] + 1 - - var ptext = []byte("1234567890ABCDEF") - encrypted, encErr := CBCEncrypt(key, ptext) - if encErr != nil { - t.Fatalf("Error encrypting '%s': %v", ptext, encErr) - } - - decrypted, decErr := CBCDecrypt(wrongKey, encrypted) - if decErr != nil { - t.Fatalf("Error decrypting '%s': %v", ptext, decErr) - } - - if string(ptext[:]) == string(decrypted[:]) { - t.Fatal("Decrypting a ciphertext with a different key than the one used for encrypting it - should not result in the original plaintext.") - } -} - -// TestCBCEncryptCBCDecrypt encrypts with CBCEncrypt and decrypt with CBCDecrypt. -func TestCBCEncryptCBCDecrypt(t *testing.T) { - - key := make([]byte, AESKeyLength) - rand.Reader.Read(key) - - // 1234567890123456 - var ptext = []byte("a 16 byte messag") - - encrypted, encErr := CBCEncrypt(key, ptext) - if encErr != nil { - t.Fatalf("Error encrypting '%s': %v", ptext, encErr) - } - - decrypted, decErr := CBCDecrypt(key, encrypted) - if decErr != nil { - t.Fatalf("Error decrypting '%s': %v", ptext, decErr) - } - - if string(ptext[:]) != string(decrypted[:]) { - t.Fatal("Encryption->Decryption with same key should result in the original plaintext.") - } -} - -// TestAESRelatedUtilFunctions tests various functions commonly used in fabric wrt AES -func TestAESRelatedUtilFunctions(t *testing.T) { - - key, err := GenAESKey() - if err != nil { - t.Fatalf("Failed generating AES key [%s]", err) - } - - for i := 1; i < 100; i++ { - len, err := rand.Int(rand.Reader, big.NewInt(1024)) - if err != nil { - t.Fatalf("Failed generating AES key [%s]", err) - } - msg, err := primitives.GetRandomBytes(int(len.Int64()) + 1) - if err != nil { - t.Fatalf("Failed generating AES key [%s]", err) - } - - ct, err := CBCPKCS7Encrypt(key, msg) - if err != nil { - t.Fatalf("Failed encrypting [%s]", err) - } - - msg2, err := CBCPKCS7Decrypt(key, ct) - if err != nil { - t.Fatalf("Failed decrypting [%s]", err) - } - - if 0 != bytes.Compare(msg, msg2) { - t.Fatalf("Wrong decryption output [%x][%x]", msg, msg2) - } - - } - -} - -// TestVariousAESKeyEncoding tests some AES <-> PEM conversions -func TestVariousAESKeyEncoding(t *testing.T) { - key, err := GenAESKey() - if err != nil { - t.Fatalf("Failed generating AES key [%s]", err) - } - - // PEM format - pem := AEStoPEM(key) - keyFromPEM, err := PEMtoAES(pem, nil) - if err != nil { - t.Fatalf("Failed converting PEM to AES key [%s]", err) - } - if 0 != bytes.Compare(key, keyFromPEM) { - t.Fatalf("Failed converting PEM to AES key. Keys are different [%x][%x]", key, keyFromPEM) - } - - // Encrypted PEM format - pem, err = AEStoEncryptedPEM(key, []byte("passwd")) - if err != nil { - t.Fatalf("Failed converting AES key to Encrypted PEM [%s]", err) - } - keyFromPEM, err = PEMtoAES(pem, []byte("passwd")) - if err != nil { - t.Fatalf("Failed converting encrypted PEM to AES key [%s]", err) - } - if 0 != bytes.Compare(key, keyFromPEM) { - t.Fatalf("Failed converting encrypted PEM to AES key. Keys are different [%x][%x]", key, keyFromPEM) - } -} diff --git a/accesscontrol/crypto/utils/ecdsa.go b/accesscontrol/crypto/utils/ecdsa.go deleted file mode 100644 index ef9fdc28665..00000000000 --- a/accesscontrol/crypto/utils/ecdsa.go +++ /dev/null @@ -1,58 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -import ( - "crypto/ecdsa" - "crypto/rand" - "encoding/asn1" - "math/big" - - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -// ECDSASignature represents an ECDSA signature -type ECDSASignature struct { - R, S *big.Int -} - -// NewECDSAKey generates a new ECDSA Key -func NewECDSAKey() (*ecdsa.PrivateKey, error) { - return ecdsa.GenerateKey(primitives.GetDefaultCurve(), rand.Reader) -} - -// ECDSASign signs -func ECDSASign(signKey interface{}, msg []byte) ([]byte, error) { - temp := signKey.(*ecdsa.PrivateKey) - h := primitives.Hash(msg) - r, s, err := ecdsa.Sign(rand.Reader, temp, h) - if err != nil { - return nil, err - } - - // R, _ := r.MarshalText() - // S, _ := s.MarshalText() - // - // fmt.Printf("r [%s], s [%s]\n", R, S) - - raw, err := asn1.Marshal(ECDSASignature{r, s}) - if err != nil { - return nil, err - } - - return raw, nil -} diff --git a/accesscontrol/crypto/utils/io.go b/accesscontrol/crypto/utils/io.go deleted file mode 100644 index 0b4e1df95c9..00000000000 --- a/accesscontrol/crypto/utils/io.go +++ /dev/null @@ -1,30 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -// IntArrayEquals checks if the arrays of ints are the same -func IntArrayEquals(a []int, b []int) bool { - if len(a) != len(b) { - return false - } - for i, v := range a { - if v != b[i] { - return false - } - } - return true -} diff --git a/accesscontrol/crypto/utils/keys.go b/accesscontrol/crypto/utils/keys.go deleted file mode 100644 index 2bfb4de2c00..00000000000 --- a/accesscontrol/crypto/utils/keys.go +++ /dev/null @@ -1,78 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -import ( - "crypto/rand" - "crypto/x509" - "encoding/pem" - "errors" - "fmt" -) - -// PEMtoAES extracts from the PEM an AES key -func PEMtoAES(raw []byte, pwd []byte) ([]byte, error) { - if len(raw) == 0 { - return nil, errors.New("Invalid PEM. It must be different from nil") - } - block, _ := pem.Decode(raw) - if block == nil { - return nil, fmt.Errorf("Failed decoding [% x]", raw) - } - - if x509.IsEncryptedPEMBlock(block) { - if len(pwd) == 0 { - return nil, errors.New("Encrypted Key. Need a password!!!") - } - - decrypted, err := x509.DecryptPEMBlock(block, pwd) - if err != nil { - return nil, err - } - return decrypted, nil - } - - return block.Bytes, nil -} - -// AEStoPEM encapsulates an AES key in the PEM format -func AEStoPEM(raw []byte) []byte { - return pem.EncodeToMemory(&pem.Block{Type: "AES PRIVATE KEY", Bytes: raw}) -} - -// AEStoEncryptedPEM encapsulates an AES key in the encrypted PEM format -func AEStoEncryptedPEM(raw []byte, pwd []byte) ([]byte, error) { - if len(raw) == 0 { - return nil, errors.New("Invalid key. It must be different from nil") - } - if len(pwd) == 0 { - return AEStoPEM(raw), nil - } - - block, err := x509.EncryptPEMBlock( - rand.Reader, - "AES PRIVATE KEY", - raw, - pwd, - x509.PEMCipherAES256) - - if err != nil { - return nil, err - } - - return pem.EncodeToMemory(block), nil -} diff --git a/accesscontrol/crypto/utils/x509.go b/accesscontrol/crypto/utils/x509.go deleted file mode 100644 index 5b2c022acbf..00000000000 --- a/accesscontrol/crypto/utils/x509.go +++ /dev/null @@ -1,140 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -import ( - "crypto/rand" - "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "errors" - "math/big" - "net" - "time" -) - -var ( - // TCertEncTCertIndex oid for TCertIndex - TCertEncTCertIndex = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7} - - // TCertEncEnrollmentID is the ASN1 object identifier of the TCert index. - TCertEncEnrollmentID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 8} - - // TCertEncAttributesBase is the base ASN1 object identifier for attributes. - // When generating an extension to include the attribute an index will be - // appended to this Object Identifier. - TCertEncAttributesBase = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6} - - // TCertAttributesHeaders is the ASN1 object identifier of attributes header. - TCertAttributesHeaders = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9} -) - -// DERToX509Certificate converts der to x509 -func DERToX509Certificate(asn1Data []byte) (*x509.Certificate, error) { - return x509.ParseCertificate(asn1Data) -} - -// GetCriticalExtension returns a requested critical extension. It also remove it from the list -// of unhandled critical extensions -func GetCriticalExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) ([]byte, error) { - for i, ext := range cert.UnhandledCriticalExtensions { - if IntArrayEquals(ext, oid) { - cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[:i], cert.UnhandledCriticalExtensions[i+1:]...) - - break - } - } - - for _, ext := range cert.Extensions { - if IntArrayEquals(ext.Id, oid) { - return ext.Value, nil - } - } - - return nil, errors.New("Failed retrieving extension.") -} - -// NewSelfSignedCert create a self signed certificate -func NewSelfSignedCert() ([]byte, interface{}, error) { - privKey, err := NewECDSAKey() - if err != nil { - return nil, nil, err - } - - testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} - testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}} - extraExtensionData := []byte("extra extension") - commonName := "test.example.com" - template := x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: commonName, - Organization: []string{"Σ Acme Co"}, - Country: []string{"US"}, - ExtraNames: []pkix.AttributeTypeAndValue{ - { - Type: []int{2, 5, 4, 42}, - Value: "Gopher", - }, - // This should override the Country, above. - { - Type: []int{2, 5, 4, 6}, - Value: "NL", - }, - }, - }, - NotBefore: time.Now().Add(-1 * time.Hour), - NotAfter: time.Now().Add(1 * time.Hour), - - SignatureAlgorithm: x509.ECDSAWithSHA384, - - SubjectKeyId: []byte{1, 2, 3, 4}, - KeyUsage: x509.KeyUsageCertSign, - - ExtKeyUsage: testExtKeyUsage, - UnknownExtKeyUsage: testUnknownExtKeyUsage, - - BasicConstraintsValid: true, - IsCA: true, - - OCSPServer: []string{"http://ocsp.example.com"}, - IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"}, - - DNSNames: []string{"test.example.com"}, - EmailAddresses: []string{"gopher@golang.org"}, - IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, - - PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}}, - PermittedDNSDomains: []string{".example.com", "example.com"}, - - CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"}, - - ExtraExtensions: []pkix.Extension{ - { - Id: []int{1, 2, 3, 4}, - Value: extraExtensionData, - }, - }, - } - - cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey) - if err != nil { - return nil, nil, err - } - - return cert, privKey, nil -} diff --git a/accesscontrol/impl/chaincode.go b/accesscontrol/impl/chaincode.go deleted file mode 100644 index 7a255a56e05..00000000000 --- a/accesscontrol/impl/chaincode.go +++ /dev/null @@ -1,70 +0,0 @@ -package impl - -import ( - "github.com/hyperledger/fabric/accesscontrol" - "github.com/hyperledger/fabric/accesscontrol/crypto/attr" - "github.com/hyperledger/fabric/accesscontrol/crypto/ecdsa" - "github.com/hyperledger/fabric/core/chaincode/shim" - "github.com/hyperledger/fabric/core/crypto/primitives" -) - -// NewAccessControlShim create a new AccessControlShim instance -func NewAccessControlShim(stub shim.ChaincodeStubInterface) *AccessControlShim { - // TODO: The package accesscontrol still depends on the initialization - // of the primitives package. - // This has to be removed by using the BCCSP which will carry this information. - // A similar approach has been used to remove the calls - // to InitSecurityLevel and SetSecurityLevel from the core. - primitives.SetSecurityLevel("SHA2", 256) - - return &AccessControlShim{stub} -} - -// AccessControlShim wraps the object passed to chaincode for shim side handling of -// APIs to provide access control capabilities. -type AccessControlShim struct { - stub shim.ChaincodeStubInterface -} - -//ReadCertAttribute is used to read an specific attribute from the transaction certificate, *attributeName* is passed as input parameter to this function. -// Example: -// attrValue,error:=stub.ReadCertAttribute("position") -func (shim *AccessControlShim) ReadCertAttribute(attributeName string) ([]byte, error) { - attributesHandler, err := attr.NewAttributesHandlerImpl(shim.stub) - if err != nil { - return nil, err - } - return attributesHandler.GetValue(attributeName) -} - -//VerifyAttribute is used to verify if the transaction certificate has an attribute with name *attributeName* and value *attributeValue* which are the input parameters received by this function. -//Example: -// containsAttr, error := stub.VerifyAttribute("position", "Software Engineer") -func (shim *AccessControlShim) VerifyAttribute(attributeName string, attributeValue []byte) (bool, error) { - attributesHandler, err := attr.NewAttributesHandlerImpl(shim.stub) - if err != nil { - return false, err - } - return attributesHandler.VerifyAttribute(attributeName, attributeValue) -} - -//VerifyAttributes does the same as VerifyAttribute but it checks for a list of attributes and their respective values instead of a single attribute/value pair -// Example: -// containsAttrs, error:= stub.VerifyAttributes(&attr.Attribute{"position", "Software Engineer"}, &attr.Attribute{"company", "ACompany"}) -func (shim *AccessControlShim) VerifyAttributes(attrs ...*accesscontrol.Attribute) (bool, error) { - attributesHandler, err := attr.NewAttributesHandlerImpl(shim.stub) - if err != nil { - return false, err - } - return attributesHandler.VerifyAttributes(attrs...) -} - -// VerifySignature verifies the transaction signature and returns `true` if -// correct and `false` otherwise -func (shim *AccessControlShim) VerifySignature(certificate, signature, message []byte) (bool, error) { - // Instantiate a new SignatureVerifier - sv := ecdsa.NewX509ECDSASignatureVerifier() - - // Verify the signature - return sv.Verify(certificate, signature, message) -} diff --git a/core/crypto/primitives/random.go b/common/crypto/random.go similarity index 98% rename from core/crypto/primitives/random.go rename to common/crypto/random.go index d81a7ed5405..35bc766b35b 100644 --- a/core/crypto/primitives/random.go +++ b/common/crypto/random.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package primitives +package crypto import "crypto/rand" diff --git a/common/localmsp/signer.go b/common/localmsp/signer.go index 8c6b530b92a..fe0070f0284 100644 --- a/common/localmsp/signer.go +++ b/common/localmsp/signer.go @@ -20,7 +20,6 @@ import ( "fmt" "github.com/hyperledger/fabric/common/crypto" - "github.com/hyperledger/fabric/core/crypto/primitives" mspmgmt "github.com/hyperledger/fabric/msp/mgmt" cb "github.com/hyperledger/fabric/protos/common" ) @@ -47,7 +46,7 @@ func (s *mspSigner) NewSignatureHeader() (*cb.SignatureHeader, error) { return nil, fmt.Errorf("Failed serializing creator public identity [%s]", err) } - nonce, err := primitives.GetRandomNonce() + nonce, err := crypto.GetRandomNonce() if err != nil { return nil, fmt.Errorf("Failed creating nonce [%s]", err) } diff --git a/common/localmsp/signer_test.go b/common/localmsp/signer_test.go index e018a07d52b..7328a5b9e0d 100644 --- a/common/localmsp/signer_test.go +++ b/common/localmsp/signer_test.go @@ -20,7 +20,7 @@ import ( "os" "testing" - "github.com/hyperledger/fabric/core/crypto/primitives" + "github.com/hyperledger/fabric/common/crypto" mspmgmt "github.com/hyperledger/fabric/msp/mgmt" "github.com/stretchr/testify/assert" ) @@ -58,7 +58,7 @@ func TestMspSigner_NewSignatureHeader(t *testing.T) { } assert.NotNil(t, sh, "SignatureHeader must be different from nil") - assert.Len(t, sh.Nonce, primitives.NonceSize, "SignatureHeader.Nonce must be of length %d", primitives.NonceSize) + assert.Len(t, sh.Nonce, crypto.NonceSize, "SignatureHeader.Nonce must be of length %d", crypto.NonceSize) mspIdentity, err := mspmgmt.GetLocalMSP().GetDefaultSigningIdentity() assert.NoError(t, err, "Failed getting default MSP Identity") diff --git a/core/crypto/primitives/elliptic.go b/core/crypto/primitives/elliptic.go deleted file mode 100644 index e9e88cd6f0d..00000000000 --- a/core/crypto/primitives/elliptic.go +++ /dev/null @@ -1,30 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package primitives - -import ( - "crypto/elliptic" -) - -var ( - defaultCurve elliptic.Curve -) - -// GetDefaultCurve returns the default elliptic curve used by the crypto layer -func GetDefaultCurve() elliptic.Curve { - return defaultCurve -} diff --git a/core/crypto/primitives/hash.go b/core/crypto/primitives/hash.go deleted file mode 100644 index 36b287e00ff..00000000000 --- a/core/crypto/primitives/hash.go +++ /dev/null @@ -1,57 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package primitives - -import ( - "crypto/hmac" - "hash" -) - -var ( - defaultHash func() hash.Hash - defaultHashAlgorithm string -) - -// GetDefaultHash returns the default hash function used by the crypto layer -func GetDefaultHash() func() hash.Hash { - return defaultHash -} - -// GetHashAlgorithm return the default hash algorithm -func GetHashAlgorithm() string { - return defaultHashAlgorithm -} - -// NewHash returns a new hash function -func NewHash() hash.Hash { - return GetDefaultHash()() -} - -// Hash hashes the msh using the predefined hash function -func Hash(msg []byte) []byte { - h := NewHash() - h.Write(msg) - return h.Sum(nil) -} - -// HMACTruncated hmacs x using key key and truncate to truncation -func HMACTruncated(key, x []byte, truncation int) []byte { - mac := hmac.New(GetDefaultHash(), key) - mac.Write(x) - - return mac.Sum(nil)[:truncation] -} diff --git a/core/crypto/primitives/init.go b/core/crypto/primitives/init.go deleted file mode 100644 index b42a4f5f57f..00000000000 --- a/core/crypto/primitives/init.go +++ /dev/null @@ -1,87 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package primitives - -import ( - "crypto/elliptic" - "crypto/sha256" - "crypto/sha512" - "fmt" - "sync" - - "golang.org/x/crypto/sha3" -) - -var ( - initOnce sync.Once -) - -// Init SHA2 -func initSHA2(level int) (err error) { - switch level { - case 256: - defaultCurve = elliptic.P256() - defaultHash = sha256.New - case 384: - defaultCurve = elliptic.P384() - defaultHash = sha512.New384 - default: - err = fmt.Errorf("Security level not supported [%d]", level) - } - return -} - -// Init SHA3 -func initSHA3(level int) (err error) { - switch level { - case 256: - defaultCurve = elliptic.P256() - defaultHash = sha3.New256 - case 384: - defaultCurve = elliptic.P384() - defaultHash = sha3.New384 - default: - err = fmt.Errorf("Security level not supported [%d]", level) - } - return -} - -// SetSecurityLevel sets the security configuration with the hash length and the algorithm -func SetSecurityLevel(algorithm string, level int) (err error) { - switch algorithm { - case "SHA2": - err = initSHA2(level) - case "SHA3": - err = initSHA3(level) - default: - err = fmt.Errorf("Algorithm not supported [%s]", algorithm) - } - if err == nil { - // TODO: what's this - defaultHashAlgorithm = algorithm - //hashLength = level - } - return -} - -// InitSecurityLevel initialize the crypto layer at the given security level -func InitSecurityLevel(algorithm string, level int) (err error) { - initOnce.Do(func() { - err = SetSecurityLevel(algorithm, level) - }) - return -} diff --git a/examples/chaincode/go/asset_management/README.md b/examples/chaincode/go/asset_management/README.md deleted file mode 100644 index 8919c3eb838..00000000000 --- a/examples/chaincode/go/asset_management/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# Hyperledger Fabric - Asset Management - -## Overview - -The *asset management* chaincode (*asset_management.go*) is a very simple chaincode designed to show how to exercise *access control* at the chaincode level as described in this document: [https://github.com/hyperledger/fabric/blob/master/docs/tech/application-ACL.md](https://github.com/hyperledger/fabric/blob/master/docs/tech/application-ACL.md) - -The chaincode exposes the following functions: - -1. *init(user)*: Initialize the chaincode assigning to *user* the role of *administrator*; -2. *assign(asset, user)*: Assigns the ownership of *asset* to *user*. -Notice that, this function can be invoked only by an administrator; -3. *transfer(asset, user)*: Transfer the ownership of *asset* to *user* -Notice that this function ca be invoked only by the owner of *asset*; -4. *query(asset)*: Returns the identifier of the owner of *asset* - -In the following subsections, we will describe in more detail each function. - -## *init(user)* - -This function initialize the chaincode by assigning to *user* the role of administrator. The function is invoked automatically at deploy time. - -When generating the deploy transaction, the chaincode deployer must specify the administrator of the chaincode by setting the transaction metadata to -the DER (Distinguished Encoding Rules) certificate encoding of one of the administrator ECert/TCert. - -For simplicity, there is only one administrator. - -A possible work-flow could be the following: - -1. Alice is the deployer of the chaincode; -2. Alice wants to assign the administrator role to Bob; -3. Alice obtains, via an out-of-band channel, a TCert of Bob, let us call this certificate *BobCert*; -4. Alice constructs a deploy transaction, as described in *application-ACL.md*, setting the transaction metadata to *BobCert*. -5. Alice submits the transaction to the fabric network. - -Notice that Alice can assign to herself the role of administrator. - -## *assign(asset, user)* - -This function assigns the ownership of *asset* to *user*. For simplicity, *asset* can be any string (the identifier of the asset, for example) and *user* is a TCert/ECert of the party the ownership of *asset* is assigned to. - -Notice that, this function can only be invoked by the administrator of the chaincode that has been defined at deploy time during the chaincode initialization. - -A possible work-flow could be the following: - -1. Bob is the administrator of the chaincode; -2. Bob wants to assign the asset 'Picasso' to Charlie; -3. Bob obtains, via an out-of-band channel, a TCert of Charlie, let us call this certificate *CharlieCert*; -4. Bob constructs an invoke transaction, as described in *application-ACL.md*, to invoke the *assign* function passing as parameters *('Picasso', Base64(DER(CharlieCert)))*. -5. Bob submits the transaction to the fabric network. - -## *transfer(asset, user)* - -This function transfers the ownership of *asset* to *user*. As for the *assign* function, *asset* is a string representing the asset and *user* is an ECert/TCert of the party the ownership of *asset* is assigned to. - -Notice that, this function can only be invoked by the owner of *asset* who obtained the ownership via ans *assign* call or via a chain of *assign* and *transfer* calls. - -A possible work-flow could be the following: - -1. Charlie is the owner of 'Picasso'; -2. Charlie wants to transfer the ownership of 'Picasso' to Dave; -3. Charlie obtains, via an out-of-band channel, a TCert of Dave, let us call this certificate *DaveCert*; -4. Charlie constructs an invoke transaction, as described in *application-ACL.md*, to invoke the *transfer* function passing as parameters *('Picasso', Base64(DER(DaveCert)))*. -5. Charlie submits the transaction to the fabric network. - -## *query(asset)* - -This function returns the owner of *asset* as the DER certificate encoding of his certificate the ownership was acquired with. - -Notice that, this function can be invoked by anyone. No access control is in place in this example. No one forbids to enhance the chaincode to have access control also for *query* function. \ No newline at end of file diff --git a/examples/chaincode/go/asset_management/asset_management.go b/examples/chaincode/go/asset_management/asset_management.go deleted file mode 100644 index ccc6b54afd5..00000000000 --- a/examples/chaincode/go/asset_management/asset_management.go +++ /dev/null @@ -1,265 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "encoding/base64" - "errors" - "fmt" - - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - "github.com/hyperledger/fabric/core/crypto/primitives" - pb "github.com/hyperledger/fabric/protos/peer" - "github.com/op/go-logging" -) - -var myLogger = logging.MustGetLogger("asset_mgmt") - -// AssetManagementChaincode is simple chaincode implementing a basic Asset Management system -// with access control enforcement at chaincode level. -// Look here for more information on how to implement access control at chaincode level: -// https://github.com/hyperledger/fabric/blob/master/docs/tech/application-ACL.md -// An asset is simply represented by a string. -type AssetManagementChaincode struct { -} - -// Init method will be called during deployment. -// The deploy transaction metadata is supposed to contain the administrator cert -func (t *AssetManagementChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - _, args := stub.GetFunctionAndParameters() - myLogger.Debug("Init Chaincode...") - if len(args) != 0 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - // Set the admin - // The metadata will contain the certificate of the administrator - adminCert, err := stub.GetCallerMetadata() - if err != nil { - myLogger.Debug("Failed getting metadata") - return shim.Error("Failed getting metadata.") - } - if len(adminCert) == 0 { - myLogger.Debug("Invalid admin certificate. Empty.") - return shim.Error("Invalid admin certificate. Empty.") - } - - myLogger.Debug("The administrator is [%x]", adminCert) - - stub.PutState("admin", adminCert) - - myLogger.Debug("Init Chaincode...done") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) assign(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debug("Assign...") - - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - owner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - return shim.Error("Failed decodinf owner") - } - - // Verify the identity of the caller - // Only an administrator can invoker assign - adminCertificate, err := stub.GetState("admin") - if err != nil { - return shim.Error("Failed fetching admin identity") - } - - ok, err := t.isCaller(stub, adminCertificate) - if err != nil { - return shim.Error("Failed checking admin identity") - } - if !ok { - return shim.Error("The caller is not an administrator") - } - - currentOwner, err := stub.GetState(asset) - if len(currentOwner) > 0 && err == nil { - return shim.Error("Asset was already assigned.") - } - - // Register assignment - myLogger.Debugf("New owner of [%s] is [% x]", asset, owner) - err = stub.PutState(asset, owner) - - myLogger.Debug("Assign...done!") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) transfer(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debug("Transfer...") - - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - newOwner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - return shim.Error("Failed decoding owner") - } - - // Verify the identity of the caller - // Only the owner can transfer one of his assets - prvOwner, err := stub.GetState(asset) - if err != nil { - return shim.Error(fmt.Sprintf("Failed retrieving asset [%s]: [%s]", asset, err)) - } - - myLogger.Debugf("Previous owener of [%s] is [% x]", asset, prvOwner) - if len(prvOwner) == 0 { - return shim.Error("Invalid previous owner. Nil") - } - - // Verify ownership - ok, err := t.isCaller(stub, prvOwner) - if err != nil { - return shim.Error("Failed checking asset owner identity") - } - if !ok { - return shim.Error("The caller is not the owner of the asset") - } - - // At this point, the proof of ownership is valid, then register transfer - err = stub.PutState(asset, newOwner) - if err != nil { - return shim.Error("Failed inserting row.") - } - - myLogger.Debug("New owner of [%s] is [% x]", asset, newOwner) - - myLogger.Debug("Transfer...done") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) isCaller(stub shim.ChaincodeStubInterface, certificate []byte) (bool, error) { - myLogger.Debug("Check caller...") - - // In order to enforce access control, we require that the - // metadata contains the signature under the signing key corresponding - // to the verification key inside certificate of - // the payload of the transaction (namely, function name and args) and - // the transaction binding (to avoid copying attacks) - - // Verify \sigma=Sign(certificate.sk, tx.Payload||tx.Binding) against certificate.vk - // \sigma is in the metadata - - sigma, err := stub.GetCallerMetadata() - if err != nil { - return false, errors.New("Failed getting metadata") - } - payload, err := stub.GetArgsSlice() - if err != nil { - return false, errors.New("Failed getting payload") - } - binding, err := stub.GetBinding() - if err != nil { - return false, errors.New("Failed getting binding") - } - - myLogger.Debugf("passed certificate [% x]", certificate) - myLogger.Debugf("passed sigma [% x]", sigma) - myLogger.Debugf("passed payload [% x]", payload) - myLogger.Debugf("passed binding [% x]", binding) - - ok, err := impl.NewAccessControlShim(stub).VerifySignature( - certificate, - sigma, - append(payload, binding...), - ) - if err != nil { - myLogger.Errorf("Failed checking signature [%s]", err) - return ok, err - } - if !ok { - myLogger.Error("Invalid signature") - } - - myLogger.Debug("Check caller...Verified!") - - return ok, err -} - -// Invoke will be called for every transaction. -// Supported functions are the following: -// "assign(asset, owner)": to assign ownership of assets. An asset can be owned by a single entity. -// Only an administrator can call this function. -// "transfer(asset, newOwner)": to transfer the ownership of an asset. Only the owner of the specific -// asset can call this function. -// An asset is any string to identify it. An owner is representated by one of his ECert/TCert. -func (t *AssetManagementChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - // Handle different functions - if function == "assign" { - // Assign ownership - return t.assign(stub, args) - } else if function == "transfer" { - // Transfer ownership - return t.transfer(stub, args) - } else if function == "query" { - // Query owner - return t.query(stub, args) - } - - return shim.Error("Received unknown function invocation") -} - -// Supported functions are the following: -// "query(asset)": returns the owner of the asset. -// Anyone can invoke this function. -func (t *AssetManagementChaincode) query(stub shim.ChaincodeStubInterface, args []string) pb.Response { - var err error - - if len(args) != 1 { - myLogger.Debug("Incorrect number of arguments. Expecting name of an asset to query") - return shim.Error("Incorrect number of arguments. Expecting name of an asset to query") - } - - // Who is the owner of the asset? - asset := args[0] - - myLogger.Debugf("Query [%s]", string(asset)) - - owner, err := stub.GetState(asset) - if err != nil { - myLogger.Debugf("Failed retriving asset [%s]: [%s]", string(asset), err) - return shim.Error(fmt.Sprintf("Failed retriving asset [%s]: [%s]", string(asset), err)) - } - - myLogger.Debugf("Query done [% x]", owner) - - return shim.Success([]byte(base64.StdEncoding.EncodeToString(owner))) -} - -func main() { - primitives.SetSecurityLevel("SHA3", 256) - err := shim.Start(new(AssetManagementChaincode)) - if err != nil { - fmt.Printf("Error starting AssetManagementChaincode: %s", err) - } -} diff --git a/examples/chaincode/go/asset_management02/README.md b/examples/chaincode/go/asset_management02/README.md deleted file mode 100644 index 66b0307ed88..00000000000 --- a/examples/chaincode/go/asset_management02/README.md +++ /dev/null @@ -1,416 +0,0 @@ -# Hyperledger Fabric - Asset Management 02 - -  - -## Overview - - - -The *Asset Management 02* chaincode demonstrates two sample usages of leveraging tcert-attributes in an blockchain based asset depository - - - - - -Multiple Account IDs per user: - - - -With tcert-attribute support, users can select which attribute to include inside their TCert. This capability allows users to embed attested account IDs inside their TCerts, and for obfuscation purposes, each user may own many account IDs to mask their trading activities on a blockchain network. - - - -Attribute Based Access Control: - - - -With tcert-attribute based access control mechanism, chaincode owners can create restricted APIs that can only be invoked by users with specific roles (shown as an attested attribute value insider TCerts). For example, a chaincode could have an API to allow the issuer of an asset type to allocate assets to their investors. - - - - - -## Chaincode Files - - - -#### Asset.yaml - -

- - - -Asset.yaml is a modified version of membersrvc.yaml that contains the attributes values used to test this chaincode example with ```go test```. - - - -User roles are defined as attributes. User roles must be attested before they can be loaded into membership service module. Entries below show that user Admin has the "issuer" role and Alice has the "client" role: - - - - - -``` - -attribute-entry-0: admin;bank_a;role;issuer;2015-01-01T00:00:00-03:00;; - -attribute-entry-1: alice;bank_a;role;client;2016-01-01T00:00:00-03:00;; - -``` - - - -All of Alice's account IDs (account1, account2, account3 ...) are also declared as separate attribute values inside this config file, Alice will be able to select which attested account ID(s) to include in her TCerts (more on this later): - - - -- Note: In the future version of the fabric, users should be able to use APIs to dynamically send/load attribute values to the membership service module - - - -``` - -attribute-entry-2: alice;bank_a;account1;22222-00001;2016-01-01T00:00:00-03:00;; - -attribute-entry-3: alice;bank_a;account2;22222-00002;2016-01-01T00:00:00-03:00;; - -attribute-entry-4: alice;bank_a;account3;22222-00003;2016-01-01T00:00:00-03:00;; - -attribute-entry-5: alice;bank_a;account4;22222-00004;2016-01-01T00:00:00-03:00;; - -attribute-entry-6: alice;bank_a;contactInfo;alice@gmail.com;2016-01-01T00:00:00-03:00;; - -``` - - - -Attributes can also be used to store/proof attested information of an individual, such as an investor's contact and payment information. - - - -- Note: Ideally such information shall be encrypted so that only authorized parties can read them (e.g. an investor probably wouldn't want his payment information to be exposed to everyone owning a copy of this asset ledger) - - - -``` - -attribute-entry-6: alice;bank_a;contactInfo;alice@gmail.com;2016-01-01T00:00:00-03:00;; - -``` - - - -  - - - -#### asset_management02.go - -

- - - - - -Defines AssetManagementChaincode struct which declares the high level APIs that users of a blockchain network can invoke. This chaincode exposes the following APIs to invokers: - - - - - -- Init - this method will initialize the asset depository table in its chaincode state - - - -- assignOwnership - assigns assets to a given account ID, only entities with the "issuer" role are allowed to call this function - - - -- transferOwnership - moves x number of assets from account A to account B - - - -- getOwnerContactInformation - retrieves the contact information of the investor that owns a particular account ID - - - -- getBalance - retrieves the account balance information of the investor that owns a particular account ID - - - -Note: TCert related logics are delegated to CertHandler (cert\_handler.go) and chaincode state operation are delegated to DepositoryHandler (depository\_handler.go) - - - - - -#### cert_handler.go - -

- - - -Defines the CertHandler struct which provides the APIs used to perform operations on incoming TCerts, such as to extracting attribute values from incoming TCerts and verify if the invoker has the required role. - - - -- isAuthorized - check if the transaction invoker has the appropriate role, return false if it doesn't - - - -- getContactInfo - retrieves the contact info stored as an attribute in a Tcert - - - -- getAccountIDsFromAttribute - retrieves account IDs stored in the TCert param (attributes values) - - - - - -#### depository_handler.go - -

- - - -Defines the DepositoryHandler struct which provides APIs used to perform operations on Chaincode's Key Value store, such as to initiate the asset depository table and perform operations on its record rows. - - - -- createTable - initiates a new asset depository table in the chaincode state - - - -- assign - assign allocates assets to account IDs in the chaincode state for each of the - - - -- updateAccountBalance - updateAccountBalance updates the balance amount of an account ID - - - -- deleteAccountRecord - deletes the record row associated with an account ID on the chaincode state table - - - -- transfer - transfers X amount of assets from "from account IDs" to a new account ID - - - -- queryContactInfo - queries the contact information matching a correponding account ID on the chaincode state table - - - -- queryBalance - queries the balance information matching a correponding account ID on the chaincode state table - - - -- queryAccount - queries the balance and contact information matching a correponding account ID on the chaincode state table - - - -- queryTable - returns the record row matching a correponding account ID on the chaincode state table - - - - - - - -## Go Test & Workflow - - - -asset\_management\_02\_test.go is the go test file for this asset management chaincode. Most of the codes inside the test file are used to launch membership service (which uses the asset.yaml config file included this example folder), initialize peer nodes, create test users (admin, alice, and bob), and package/sign chaincode transactions. - - - -These boiler plate logics are necessary to launch the unit tests included in this file, but are largely unimportant for the purpose of understanding this chaincode example, so they will not be covered in the following sections. - - - -Three test users will be created to simulate the business workflows to be carries out by this test file: - - - -- Admin - role: issuer - -- Alice - role: client - -- Bob - role: client - - - -#### TestChaincodeDeploy - - - -Test if the asset management chaincode can be succsessfully deployed - - - -Workflow - - - -1) Create a TCert for Admin, note this Admin TCert does not carry any attribute inside its body - - - -``` - -administrator.GetTCertificateHandlerNext() - -``` - - - -2) Use admin's TCert to create a deployment transaction to deploy asset management chaincode - - - -3) Verify the results of the previous steps - - - - - -  - - - -#### TestAuthorization - - - - - -TestAuthorization tests attribute based role access control by making sure that only callers with "issuer" role are allowed to invoke the ```assign``` method and allocate assets to investors. - - - -Workflow - - - -1) create a TCert for Alice carrying her role, account ID(s), and contact information - - - -``` - -alice.GetTCertificateHandlerNext("role", "account1", "contactInfo") - -``` - - - -2) Use Alice's client to invoke ```assign``` function (since Alice does not have the "issuer" role, this operation must fail.) - - - -3) Verify the results of the previous steps - - - -  - - - -#### TestAssigningAssets - - - -TestAssigningAssets tests the ```assign``` method by making sure authorized users (callers with 'issuer' role) can use the ```assign``` method to allocate assets to its investors - - - -Workflow - - - -1) Create three TCerts for Alice, each carrying one of Alice's account IDs - - - -``` - -aliceCert1, err := alice.GetTCertificateHandlerNext("role", "account1", "contactInfo") - -aliceCert2, err := alice.GetTCertificateHandlerNext("role", "account2", "contactInfo") - -aliceCert3, err := alice.GetTCertificateHandlerNext("role", "account3", "contactInfo") - -``` - -2) Create a TCert for Bob, - - - -``` - -bobCert1, err := bob.GetTCertificateHandlerNext("role", "account1", "contactInfo") - -``` - -3) Assign balances to Alice and Bobs' account IDs, and record Alice and Bobs' contact information to the record rows storing their account information (Note: Each static attribute value within each TCert must be encrypted with a unique secret key per attribute per TCert, so that malicious users cannot link user records by looking at static user properties such as their email address) - - - -- Alice's account1 = 100 - - - -- Alice's account2 = 200 - - - -- Alice's account3 = 300 - - - -- Bob's account1 = 1,000 - - - -4) Verify the results of the previous steps - - - -  - - -#### TestAssetTransfer - - -Test the ability for asset owners to transfer their assets to other owners. - - -Workflow - - -1) Create a new TCert for Alice. The number of account IDs to be embedded into this TCert depends on the total amount of assets Alice needs to transfer. That is, the sum of account balances of account IDs included in this TCert must be greater than the total amount that Alice will transfer to Bob in this transaction - - -``` - -aliceCert, err := alice.GetTCertificateHandlerNext("role", "account1", "account2", "account3") - -``` - - -2) Create a new TCert for Bob. Note that for obfuscation purpose, Bob must pick a new account ID (Bob's account2) that was never used before. - - -``` -bobCert, err := bob.GetTCertificateHandlerNext("role", "account2", "contactInfo") -``` - -3) Transfer X amount of assets from Alice to Bob - -4) Verify the results of the previous steps - - - - diff --git a/examples/chaincode/go/asset_management02/asset.yaml b/examples/chaincode/go/asset_management02/asset.yaml deleted file mode 100644 index 809ad8e3d85..00000000000 --- a/examples/chaincode/go/asset_management02/asset.yaml +++ /dev/null @@ -1,490 +0,0 @@ -# CA server parameters -# -server: - # current version of the CA - version: "0.1" - - # limits the number of operating system threads used by the CA - gomaxprocs: 2 - - # path to the OBC state directory and CA state subdirectory - rootpath: "/tmp/hyperledger/production" - cadir: ".membersrvc" - - # port the CA services are listening on - port: ":7054" - - # TLS certificate and key file paths - tls: -# certfile: "/var/hyperledger/production/.ca/tlsca.cert" -# keyfile: "/var/hyperledger/production/.ca/tlsca.priv" - -security: - # Can be 256 or 384 - # Must be the same as in core.yaml - level: 256 - -# Enabling/disabling different logging levels of the CA. -# -logging: - trace: 0 - info: 1 - warning: 1 - error: 1 - panic: 1 - -# TCA configuration for attribute encryption -tca: - # Enabling/disabling attributes encryption, if is enabled attributes within the certificate will be encrypted using a specific key for each attribute, - # in otherwise cleartext attribute value will be added into the certificate. - attribute-encryption: - enabled: false - -# Default attributes for Attribute Certificate Authority -aca: - attributes: - attribute-entry-0: admin;bank_a;role;issuer;2015-01-01T00:00:00-03:00;; - attribute-entry-1: alice;bank_a;role;client;2016-01-01T00:00:00-03:00;; - attribute-entry-2: alice;bank_a;account1;22222-00001;2016-01-01T00:00:00-03:00;; - attribute-entry-3: alice;bank_a;account2;22222-00002;2016-01-01T00:00:00-03:00;; - attribute-entry-4: alice;bank_a;account3;22222-00003;2016-01-01T00:00:00-03:00;; - attribute-entry-5: alice;bank_a;account4;22222-00004;2016-01-01T00:00:00-03:00;; - attribute-entry-6: alice;bank_a;contactInfo;alice@gmail.com;2016-01-01T00:00:00-03:00;; - attribute-entry-7: bob;bank_a;role;client;2015-02-02T00:00:00-03:00;; - attribute-entry-8: bob;bank_a;account1;11111-00001;2016-01-01T00:00:00-03:00;; - attribute-entry-9: bob;bank_a;account2;11111-00002;2015-02-02T00:00:00-03:00;; - attribute-entry-10: bob;bank_a;account3;11111-00003;2015-02-02T00:00:00-03:00;; - attribute-entry-11: bob;bank_a;contactInfo;bob@yahoo.com;2015-02-02T00:00:00-03:00;; - - address: localhost:7054 - server-name: acap - enabled: true - -# Default users to be registered with the CA on first launch. The role is a binary OR -# of the different roles a user can have: -# -# - simple client such as a wallet: CLIENT -# - non-validating peer: PEER -# - validating client: VALIDATOR -# - auditing client: AUDITOR -# -eca: - affiliations: - banks_and_institutions: - banks: - - bank_a - - bank_b - - bank_c - institutions: - - institution_a - users: - # : - alice: 1 NPKYL39uKbkj bank_a - bob: 1 DRJ23pEQl16a bank_a - admin: 1 6avZQLwcUe9b bank_a - - vp: 4 f3489fy98ghf - -pki: - validity-period: - # Setting the update property will prevent the invocation of the update_validity_period system chaincode to update the validity period. - update: false - chaincodeHash: 6091c3abd07c18edd6ef48ae24cfe409522f7defb51e4103dfa61ca3012386380c1b179f904375e253f20f4b2c5c848299988e65d8b80cb3f6b3d848b6fb2230 - # TLS Settings for communications to update the validity period - tls: - enabled: false - cert: - file: testdata/server1.pem - key: - file: testdata/server1.key - # The server name use to verify the hostname returned by TLS handshake - server-host-override: - devops-address: 0.0.0.0:40404 - - -############################################################################### -# -# CLI section -# -############################################################################### -cli: - - # The address that the cli process will use for callbacks from chaincodes - address: 0.0.0.0:7052 - - - -############################################################################### -# -# REST section -# -############################################################################### -rest: - - # Enable/disable setting for the REST service. It is recommended to disable - # REST service on validators in production deployment and use non-validating - # nodes to host REST service - enabled: true - - # The address that the REST service will listen on for incoming requests. - address: 0.0.0.0:7050 - - -############################################################################### -# -# LOGGING section -# -############################################################################### -logging: - - # Valid logging levels are case-insensitive strings chosen from - - # CRITICAL | ERROR | WARNING | NOTICE | INFO | DEBUG - - # Logging 'module' names are also strings, however valid module names are - # defined at runtime and are not checked for validity during option - # processing. - - # Default logging levels are specified here for each of the obc-peer - # commands. For commands that have subcommands, the defaults also apply to - # all subcommands of the command. These logging levels can be overridden - # on the command line using the --logging-level command-line option, or by - # setting the CORE_LOGGING_LEVEL environment variable. - - # The logging level specification is of the form - - # [[,...]=][:[[,...]=]...] - - # A logging level by itself is taken as the overall default. Otherwise, - # overrides for individual or groups of modules can be specified using the - # [,...]= syntax. - - # Examples: - # info - Set default to INFO - # warning:main,db=debug:chaincode=info - Override default WARNING in main,db,chaincode - # chaincode=info:main=debug:db=debug:warning - Same as above - peer: debug - crypto: debug - status: warning - stop: warning - login: warning - vm: warning - chaincode: warning - - -############################################################################### -# -# Peer section -# -############################################################################### -peer: - - # Peer Version following version semantics as described here http://semver.org/ - # The Peer supplies this version in communications with other Peers - version: 0.1.0 - - # The Peer id is used for identifying this Peer instance. - id: jdoe - - # The privateKey to be used by this peer - # privateKey: 794ef087680e2494fa4918fd8fb80fb284b50b57d321a31423fe42b9ccf6216047cea0b66fe8365a8e3f2a8140c6866cc45852e63124668bee1daa9c97da0c2a - - # The networkId allows for logical seperation of networks - # networkId: dev - # networkId: test - networkId: dev - - Dockerfile: | - from golang:1.7 - # Install RocksDB - RUN cd /opt && git clone --branch v4.1 --single-branch --depth 1 https://github.com/facebook/rocksdb.git && cd rocksdb - WORKDIR /opt/rocksdb - RUN make shared_lib - ENV LD_LIBRARY_PATH=/opt/rocksdb:$LD_LIBRARY_PATH - RUN apt-get update && apt-get install -y libsnappy-dev zlib1g-dev libbz2-dev - # Copy GOPATH src and install Peer - COPY src $GOPATH/src - RUN mkdir -p /var/hyperledger/db - WORKDIR $GOPATH/src/github.com/hyperledger/fabric/ - RUN CGO_CFLAGS="-I/opt/rocksdb/include" CGO_LDFLAGS="-L/opt/rocksdb -lrocksdb -lstdc++ -lm -lz -lbz2 -lsnappy" go install && cp $GOPATH/src/github.com/hyperledger/fabric/core.yaml $GOPATH/bin - - # The Address this Peer will listen on - listenAddress: 0.0.0.0:40404 - # The Address this Peer will bind to for providing services - address: 0.0.0.0:40404 - # Whether the Peer should programmatically determine the address to bind to. - # This case is useful for docker containers. - addressAutoDetect: true - - # Peer port to accept connections on - port: 40404 - # Peer's setting for GOMAXPROCS - gomaxprocs: 2 - workers: 2 - - # Sync related configuration - sync: - blocks: - # Channel size for readonly SyncBlocks messages channel for receiving - # blocks from oppositie Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, but rather - # lost if the channel write blocks. - channelSize: 10 - state: - snapshot: - # Channel size for readonly syncStateSnapshot messages channel - # for receiving state deltas for snapshot from oppositie Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, but - # rather lost if the channel write blocks. - channelSize: 50 - deltas: - # Channel size for readonly syncStateDeltas messages channel for - # receiving state deltas for a syncBlockRange from oppositie - # Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, - # but rather lost if the channel write blocks. - channelSize: 20 - - # Validator defines whether this peer is a validating peer or not, and if - # it is enabled, what consensus plugin to load - validator: - enabled: true - - # Consensus plugin to use. The value is the name of the plugin, e.g. pbft, noops - # if the given value is not recognized, we will default to noops - consensus: noops - - events: - # The address that the Event service will be enabled on the validator - address: 0.0.0.0:7053 - - # total number of events that could be buffered without blocking the - # validator sends - buffersize: 100 - - # milliseconds timeout for producer to send an event. - # if < 0, if buffer full, unblocks immediately and not send - # if 0, if buffer full, will block and guarantee the event will be sent out - # if > 0, if buffer full, blocks till timeout - timeout: 10 - # Setting the validity-period.verification to false will disable the verification - # of the validity period in the validator - validity-period: - verification: false - - # TLS Settings for p2p communications - tls: - enabled: false - cert: - file: testdata/server1.pem - key: - file: testdata/server1.key - # The server name use to verify the hostname returned by TLS handshake - server-host-override: - - # PKI member services properties - pki: - eca: - paddr: localhost:7054 - tca: - paddr: localhost:7054 - tlsca: - paddr: localhost:7054 - tls: - enabled: false - rootcert: - file: tlsca.cert - # The server name use to verify the hostname returned by TLS handshake - server-host-override: - - # Peer discovery settings. Controls how this peer discovers other peers - discovery: - - # The root nodes are used for bootstrapping purposes, and generally - # supplied through ENV variables - rootnode: - - # The duration of time between attempts to asks peers for their connected peers - period: 5s - - ## leaving this in for example of sub map entry - # testNodes: - # - node : 1 - # ip : 127.0.0.1 - # port : 40404 - # - node : 2 - # ip : 127.0.0.1 - # port : 40404 - - # Should the discovered nodes and their reputations - # be stored in DB and persisted between restarts - persist: true - - # if peer discovery is off - # the peer window will show - # only what retrieved by active - # peer [true/false] - enabled: true - - # number of workers that - # tastes the peers for being - # online [1..10] - workers: 8 - - # the period in seconds with which the discovery - # tries to reconnect to successful nodes - # 0 means the nodes are not reconnected - touchPeriod: 600 - - # the maximum nuber of nodes to reconnect to - # -1 for unlimited - touchMaxNodes: 100 - - # Path on the file system where peer will store data - # fileSystemPath: .hyperledger/production - - # Path on the file system where peer will store data - fileSystemPath: /tmp/hyperledger/production - -############################################################################### -# -# VM section -# -############################################################################### -vm: - - # Endpoint of the vm management system. For docker can be one of the following in general - # unix:///var/run/docker.sock - # http://localhost:2375 - # https://localhost:2376 - endpoint: unix:///var/run/docker.sock - - # settings for docker vms - docker: - tls: - enabled: false - cert: - file: /path/to/server.pem - ca: - file: /path/to/ca.pem - key: - file: /path/to/server-key.pem - -############################################################################### -# -# Chaincode section -# -############################################################################### -chaincode: - - # The id is used by the Chaincode stub to register the executing Chaincode - # ID with the Peerand is generally supplied through ENV variables - # the Path form of ID is provided when deploying the chaincode. The name is - # used for all other requests. The name is really a hashcode - # returned by the system in response to the deploy transaction. In - # development mode where user runs the chaincode, the name can be any string - id: - path: - name: mycc - - golang: - - # This is the basis for the Golang Dockerfile. Additional commands will - # be appended depedendent upon the chaincode specification. - Dockerfile: | - from golang:1.7 - COPY src $GOPATH/src - WORKDIR $GOPATH - - # timeout in millisecs for starting up a container and waiting for Register - # to come through. 1sec should be plenty for chaincode unit tests - startuptimeout: 1000 - - #timeout in millisecs for deploying chaincode from a remote repository. - deploytimeout: 30000 - - #mode - options are "dev", "net" - #dev - in dev mode, user runs the chaincode after starting validator from - # command line on local machine - #net - in net mode validator will run chaincode in a docker container - - mode: net - - installpath: /go/bin/ - -############################################################################### -# -# Ledger section - ledger configuration encompases both the blockchain -# and the state -# -############################################################################### -ledger: - - blockchain: - - # Setting the deploy-system-chaincode property to false will prevent the - # deploying of system chaincode at genesis time. - deploy-system-chaincode: false - - state: - - # Control the number state deltas that are maintained. This takes additional - # disk space, but allow the state to be rolled backwards and forwards - # without the need to replay transactions. - deltaHistorySize: 500 - - # The data structure in which the state will be stored. Different data - # structures may offer different performance characteristics. Options are - # 'buckettree' and 'trie'. If not set, the default data structure is the - # 'buckettree'. This CANNOT be changed after the DB has been created. - dataStructure: - # The name of the data structure is for storing the state - name: buckettree - # The data structure specific configurations - configs: - # configurations for 'bucketree'. These CANNOT be changed after the DB - # has been created. 'numBuckets' defines the number of bins that the - # state key-values are to be divided - numBuckets: 10009 - # 'maxGroupingAtEachLevel' defines the number of bins that are grouped - #together to construct next level of the merkle-tree (this is applied - # repeatedly for constructing the entire tree). - maxGroupingAtEachLevel: 10 - - # configurations for 'trie' - # 'tire' has no additional configurations exposed as yet - - -############################################################################### -# -# Security section - Applied to all entities (client, NVP, VP) -# -############################################################################### -security: - # Enable security will force every entity on the network to enroll with obc-ca - # and maintain a valid set of certificates in order to communicate with - # other peers - enabled: true - # To enroll NVP or VP with membersrvc. These parameters are for 1 time use. - # They will not be valid on subsequent times without un-enroll first. - # The values come from off-line registration with obc-ca. For testing, make - # sure the values are in membersrvc/membersrvc.yaml file eca.users - enrollID: vp - enrollSecret: f3489fy98ghf - # To enable privacy of transactions (requires security to be enabled). This - # encrypts the transaction content during transit and at rest. The state - # data is also encrypted - privacy: true - - # Can be 256 or 384. If you change here, you have to change also - # the same property in membersrvc.yaml to the same value - level: 256 - - # TCerts related configuration - tcert: - batch: - # The size of the batch of TCerts - size: 2 - - attributes: - enabled: true diff --git a/examples/chaincode/go/asset_management02/asset_management02.go b/examples/chaincode/go/asset_management02/asset_management02.go deleted file mode 100644 index 115b2d3cba8..00000000000 --- a/examples/chaincode/go/asset_management02/asset_management02.go +++ /dev/null @@ -1,245 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "encoding/base64" - "encoding/binary" - "strconv" - "strings" - - "github.com/hyperledger/fabric/core/chaincode/shim" - pb "github.com/hyperledger/fabric/protos/peer" - "github.com/op/go-logging" -) - -var myLogger = logging.MustGetLogger("asset_mgm") - -var cHandler = NewCertHandler() -var dHandler = NewDepositoryHandler() - -//AssetManagementChaincode APIs exposed to chaincode callers -type AssetManagementChaincode struct { -} - -// assignOwnership assigns assets to a given account ID, only entities with the "issuer" are allowed to call this function -// Note: this issuer can only allocate balance to one account ID at a time -// args[0]: investor's TCert -// args[1]: attribute name inside the investor's TCert that contains investor's account ID -// args[2]: amount to be assigned to this investor's account ID -func (t *AssetManagementChaincode) assignOwnership(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debugf("+++++++++++++++++++++++++++++++++++assignOwnership+++++++++++++++++++++++++++++++++") - - if len(args) != 3 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - //check is invoker has the correct role, only invokers with the "issuer" role is allowed to - //assign asset to owners - isAuthorized, err := cHandler.isAuthorized(stub, "issuer") - if !isAuthorized { - myLogger.Errorf("system error %v", err) - return shim.Error("user is not aurthorized to assign assets") - } - - owner, err := base64.StdEncoding.DecodeString(args[0]) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Failed decoding owner") - } - accountAttribute := args[1] - - amount, err := strconv.ParseUint(args[2], 10, 64) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Unable to parse amount" + args[2]) - } - - //retrieve account IDs from investor's TCert - accountIDs, err := cHandler.getAccountIDsFromAttribute(owner, []string{accountAttribute}) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Unable to retrieve account Ids from user certificate " + args[1]) - } - - //retreive investors' contact info (e.g. phone number, email, home address) - //from investors' TCert. Ideally, this information shall be encrypted with issuer's pub key or KA key - //between investor and issuer, so that only issuer can view such information - contactInfo, err := cHandler.getContactInfo(owner) - if err != nil { - return shim.Error("Unable to retrieve contact info from user certificate " + args[1]) - } - - //call DeposistoryHandler.assign function to put the "amount" and "contact info" under this account ID - err = dHandler.assign(stub, accountIDs[0], contactInfo, amount) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -// transferOwnership moves x number of assets from account A to account B -// args[0]: Investor TCert that has account IDs which will their balances deducted -// args[1]: attribute names inside TCert (arg[0]) that countain the account IDs -// args[2]: Investor TCert that has account IDs which will have their balances increased -// args[3]: attribute names inside TCert (arg[2]) that countain the account IDs -func (t *AssetManagementChaincode) transferOwnership(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debugf("+++++++++++++++++++++++++++++++++++transferOwnership+++++++++++++++++++++++++++++++++") - - if len(args) != 5 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - fromOwner, err := base64.StdEncoding.DecodeString(args[0]) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Failed decoding fromOwner") - } - fromAccountAttributes := strings.Split(args[1], ",") - - toOwner, err := base64.StdEncoding.DecodeString(args[2]) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Failed decoding owner") - } - toAccountAttributes := strings.Split(args[3], ",") - - amount, err := strconv.ParseUint(args[4], 10, 64) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Unable to parse amount" + args[4]) - } - - // retrieve account IDs from "transfer from" TCert - fromAccountIds, err := cHandler.getAccountIDsFromAttribute(fromOwner, fromAccountAttributes) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Unable to retrieve contact info from user certificate" + args[1]) - } - - // retrieve account IDs from "transfer to" TCert - toAccountIds, err := cHandler.getAccountIDsFromAttribute(toOwner, toAccountAttributes) - if err != nil { - myLogger.Errorf("system error %v", err) - return shim.Error("Unable to retrieve contact info from user certificate" + args[3]) - } - - // retrieve contact info from "transfer to" TCert - contactInfo, err := cHandler.getContactInfo(toOwner) - if err != nil { - myLogger.Errorf("system error %v received", err) - return shim.Error("Unable to retrieve contact info from user certificate" + args[4]) - } - - // call dHandler.transfer to transfer to transfer "amount" from "from account" IDs to "to account" IDs - err = dHandler.transfer(stub, fromAccountIds, toAccountIds[0], contactInfo, amount) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -// getOwnerContactInformation retrieves the contact information of the investor that owns a particular account ID -// Note: user contact information shall be encrypted with issuer's pub key or KA key -// between investor and issuer, so that only issuer can decrypt such information -// args[0]: one of the many account IDs owned by "some" investor -func (t *AssetManagementChaincode) getOwnerContactInformation(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debugf("+++++++++++++++++++++++++++++++++++getOwnerContactInformation+++++++++++++++++++++++++++++++++") - - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - accountID := args[0] - - email, err := dHandler.queryContactInfo(stub, accountID) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success([]byte(email)) -} - -// getBalance retrieves the account balance information of the investor that owns a particular account ID -// args[0]: one of the many account IDs owned by "some" investor -func (t *AssetManagementChaincode) getBalance(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debugf("+++++++++++++++++++++++++++++++++++getBalance+++++++++++++++++++++++++++++++++") - - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - accountID := args[0] - - balance, err := dHandler.queryBalance(stub, accountID) - if err != nil { - return shim.Error(err.Error()) - } - - //convert balance (uint64) to []byte (Big Endian) - ret := make([]byte, 8) - binary.BigEndian.PutUint64(ret, balance) - - return shim.Success(ret) -} - -// Init initialization, this method will create asset despository in the chaincode state -func (t *AssetManagementChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - _, args := stub.GetFunctionAndParameters() - myLogger.Debugf("********************************Init****************************************") - - myLogger.Info("[AssetManagementChaincode] Init") - if len(args) != 0 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - return shim.Success(nil) -} - -// Invoke method is the interceptor of all invocation transactions, its job is to direct -// invocation transactions to intended APIs -func (t *AssetManagementChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - myLogger.Debugf("********************************Invoke****************************************") - - // Handle different functions - if function == "assignOwnership" { - // Assign ownership - return t.assignOwnership(stub, args) - } else if function == "transferOwnership" { - // Transfer ownership - return t.transferOwnership(stub, args) - } else if function == "getOwnerContactInformation" { - return t.getOwnerContactInformation(stub, args) - } else if function == "getBalance" { - return t.getBalance(stub, args) - } - - return shim.Error("Received unknown function invocation") -} - -func main() { - - // primitives.SetSecurityLevel("SHA3", 256) - err := shim.Start(new(AssetManagementChaincode)) - if err != nil { - myLogger.Debugf("Error starting AssetManagementChaincode: %s", err) - } - -} diff --git a/examples/chaincode/go/asset_management02/cert_handler.go b/examples/chaincode/go/asset_management02/cert_handler.go deleted file mode 100644 index a2bf3a041f2..00000000000 --- a/examples/chaincode/go/asset_management02/cert_handler.go +++ /dev/null @@ -1,93 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "errors" - - "github.com/hyperledger/fabric/accesscontrol/crypto/attr" - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" -) - -// consts associated with TCert -const ( - role = "role" - contactInfo = "contactInfo" -) - -//CertHandler provides APIs used to perform operations on incoming TCerts -type certHandler struct { -} - -// NewCertHandler creates a new reference to CertHandler -func NewCertHandler() *certHandler { - return &certHandler{} -} - -// isAuthorized checks if the transaction invoker has the appropriate role -// stub: chaincodestub -// requiredRole: required role; this function will return true if invoker has this role -func (t *certHandler) isAuthorized(stub shim.ChaincodeStubInterface, requiredRole string) (bool, error) { - //read transaction invoker's role, and verify that is the same as the required role passed in - return impl.NewAccessControlShim(stub).VerifyAttribute(role, []byte(requiredRole)) -} - -// getContactInfo retrieves the contact info stored as an attribute in a Tcert -// cert: TCert -func (t *certHandler) getContactInfo(cert []byte) (string, error) { - if len(cert) == 0 { - return "", errors.New("cert is empty") - } - - contactInfo, err := attr.GetValueFrom(contactInfo, cert) - if err != nil { - myLogger.Errorf("system error %v", err) - return "", errors.New("unable to find user contact information") - } - - return string(contactInfo), err -} - -// getAccountIDsFromAttribute retrieves account IDs stored in TCert attributes -// cert: TCert to read account IDs from -// attributeNames: attribute names inside TCert that stores the entity's account IDs -func (t *certHandler) getAccountIDsFromAttribute(cert []byte, attributeNames []string) ([]string, error) { - if cert == nil || attributeNames == nil { - return nil, errors.New("cert or accountIDs list is empty") - } - - //decleare return object (slice of account IDs) - var acctIds []string - - // for each attribute name, look for that attribute name inside TCert, - // the correspounding value of that attribute is the account ID - for _, attributeName := range attributeNames { - myLogger.Debugf("get value from attribute = v%", attributeName) - //get the attribute value from the corresbonding attribute name - accountID, err := attr.GetValueFrom(attributeName, cert) - if err != nil { - myLogger.Errorf("system error %v", err) - return nil, errors.New("unable to find user contact information") - } - - acctIds = append(acctIds, string(accountID)) - } - - myLogger.Debugf("ids = %v", acctIds) - return acctIds, nil -} diff --git a/examples/chaincode/go/asset_management02/depository_handler.go b/examples/chaincode/go/asset_management02/depository_handler.go deleted file mode 100644 index 0d42d6b8cc3..00000000000 --- a/examples/chaincode/go/asset_management02/depository_handler.go +++ /dev/null @@ -1,229 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "errors" - - "encoding/json" - "fmt" - - "github.com/hyperledger/fabric/core/chaincode/shim" -) - -//DepositoryHandler provides APIs used to perform operations on CC's KV store -type depositoryHandler struct { -} - -// NewDepositoryHandler create a new reference to CertHandler -func NewDepositoryHandler() *depositoryHandler { - return &depositoryHandler{} -} - -type depositoryAccount struct { - AccountID string `json:"account_id"` - ContactInfo string `json:"contact_info"` - Amount uint64 `json:"amount"` -} - -// assign allocates assets to account IDs in the chaincode state for each of the -// account ID passed in. -// accountID: account ID to be allocated with requested amount -// contactInfo: contact information of the owner of the account ID passed in -// amount: amount to be allocated to this account ID -func (t *depositoryHandler) assign(stub shim.ChaincodeStubInterface, - accountID string, - contactInfo string, - amount uint64) error { - - myLogger.Debugf("insert accountID= %v", accountID) - - // you can only assign balances to new account IDs - accountBytes, err := stub.GetState(accountID) - if err == nil && len(accountBytes) > 0 { - myLogger.Errorf("system error %v", err) - return errors.New("Asset was already assigned.") - } - - account := depositoryAccount{ - AccountID: accountID, - ContactInfo: contactInfo, - Amount: amount, - } - accountBytes, err = json.Marshal(account) - if err != nil { - myLogger.Errorf("account marshaling error %v", err) - return errors.New("Failed to serialize account info." + err.Error()) - } - - //update this account that includes contact information and balance - err = stub.PutState(accountID, accountBytes) - return err -} - -// updateAccountBalance updates the balance amount of an account ID -// stub: chaincodestub -// accountID: account will be updated with the new balance -// contactInfo: contact information associated with the account owner (chaincode table does not allow me to perform updates on specific columns) -// amount: new amount to be udpated with -func (t *depositoryHandler) updateAccountBalance(stub shim.ChaincodeStubInterface, - accountID string, - contactInfo string, - amount uint64) error { - - myLogger.Debugf("insert accountID= %v", accountID) - - //replace the old record row associated with the account ID with the new record row - account := depositoryAccount{ - AccountID: accountID, - ContactInfo: contactInfo, - Amount: amount, - } - accountBytes, err := json.Marshal(account) - if err != nil { - myLogger.Errorf("account marshaling error %v", err) - return errors.New("Failed to serialize account info." + err.Error()) - } - - //update this account that includes contact information and balance - err = stub.PutState(accountID, accountBytes) - return err -} - -// deleteAccountRecord deletes the record row associated with an account ID on the chaincode state table -// stub: chaincodestub -// accountID: account ID (record matching this account ID will be deleted after calling this method) -func (t *depositoryHandler) deleteAccountRecord(stub shim.ChaincodeStubInterface, accountID string) error { - - myLogger.Debugf("insert accountID= %v", accountID) - - //delete record matching account ID passed in - err := stub.DelState(accountID) - - if err != nil { - myLogger.Errorf("system error %v", err) - return errors.New("error in deleting account record") - } - return nil -} - -// transfer transfers X amount of assets from "from account IDs" to a new account ID -// stub: chaincodestub -// fromAccounts: from account IDs with assets to be transferred -// toAccount: a new account ID on the table that will get assets transfered to -// toContact: contact information of the owner of "to account ID" -func (t *depositoryHandler) transfer(stub shim.ChaincodeStubInterface, fromAccounts []string, toAccount string, toContact string, amount uint64) error { - - myLogger.Debugf("insert params= %v , %v , %v , %v ", fromAccounts, toAccount, toContact, amount) - - //collecting assets need to be transfered - remaining := amount - for i := range fromAccounts { - contactInfo, acctBalance, err := t.queryAccount(stub, fromAccounts[i]) - if err != nil { - myLogger.Errorf("system error %v", err) - return errors.New("error in deleting account record") - } - - if remaining > 0 { - //check if this account need to be spent entirely; if so, delete the - //account record row, otherwise just take out what' needed - if remaining >= acctBalance { - remaining -= acctBalance - //delete accounts with 0 balance, this step is optional - t.deleteAccountRecord(stub, fromAccounts[i]) - } else { - acctBalance -= remaining - remaining = 0 - t.updateAccountBalance(stub, fromAccounts[i], contactInfo, acctBalance) - break - } - } - } - - //check if toAccount already exist - acctBalance, err := t.queryBalance(stub, toAccount) - if err == nil || acctBalance > 0 { - myLogger.Errorf("system error %v", err) - return errors.New("error in deleting account record") - } - - //create new toAccount in the Chaincode state table, and assign the total amount - //to its balance - return t.assign(stub, toAccount, toContact, amount) - -} - -// queryContactInfo queries the contact information matching a correponding account ID on the chaincode state table -// stub: chaincodestub -// accountID: account ID -func (t *depositoryHandler) queryContactInfo(stub shim.ChaincodeStubInterface, accountID string) (string, error) { - account, err := t.queryTable(stub, accountID) - if err != nil { - return "", err - } - - return account.ContactInfo, nil -} - -// queryBalance queries the balance information matching a correponding account ID on the chaincode state table -// stub: chaincodestub -// accountID: account ID -func (t *depositoryHandler) queryBalance(stub shim.ChaincodeStubInterface, accountID string) (uint64, error) { - - myLogger.Debugf("insert accountID= %v", accountID) - - account, err := t.queryTable(stub, accountID) - if err != nil { - return 0, err - } - - return account.Amount, nil -} - -// queryAccount queries the balance and contact information matching a correponding account ID on the chaincode state table -// stub: chaincodestub -// accountID: account ID -func (t *depositoryHandler) queryAccount(stub shim.ChaincodeStubInterface, accountID string) (string, uint64, error) { - account, err := t.queryTable(stub, accountID) - if err != nil { - return "", 0, err - } - - return account.ContactInfo, account.Amount, nil -} - -// queryTable returns the record row matching a correponding account ID on the chaincode state table -// stub: chaincodestub -// accountID: account ID -func (t *depositoryHandler) queryTable(stub shim.ChaincodeStubInterface, accountID string) (*depositoryAccount, error) { - - accountBytes, err := stub.GetState(accountID) - if err != nil { - return nil, errors.New("Failed to get account." + err.Error()) - } - if len(accountBytes) == 0 { - return nil, fmt.Errorf("Account %s not exists.", accountID) - } - - account := &depositoryAccount{} - err = json.Unmarshal(accountBytes, account) - if err != nil { - return nil, errors.New("Failed to parse account Info. " + err.Error()) - } - return account, nil -} diff --git a/examples/chaincode/go/asset_management_interactive/README.md b/examples/chaincode/go/asset_management_interactive/README.md deleted file mode 100644 index 833e9ba2486..00000000000 --- a/examples/chaincode/go/asset_management_interactive/README.md +++ /dev/null @@ -1,169 +0,0 @@ -# Hyperledger Fabric - Interactive Asset Management App - -## Overview - -The *Interactive Asset Management App* consists of three separate applications which test the behavior of the standard *asset management* chaincode example. The apps each bootstrap a non-validating peer and construct fabric confidential transactions to deploy, invoke, and/or query the asset management chaincode as described below. - -In particular, we consider a scenario in which we have the following parties: - -1. *Alice* is the chaincode deployer, represented by `app1` -2. *Bob* is the chaincode administrator, represented by `app2` -3. *Charlie*, *Dave*, and *Edwina* are asset owners, each represented by a separate instance of `app3` - -that interact in the following way: - -1. *Alice* deploys and assigns the administrator role to *Bob* -2. *Bob* assigns the assets listed in [assets.txt](app2/assets.txt) to *Charlie*, *Dave*, and *Edwina* -3. *Charlie*, *Dave*, and *Edwina* can transfer the ownership of their assets between each other - -In the following sections, we describe in more detail the interactions -described above that the asset management app exercises. - -### Alice deploys and assigns the administrator role to Bob via `app1` - -The following actions take place: - -1. *Alice* obtains, via an out-of-band channel, the ECert of Bob, let us call these certificates *BobCert* -2. Alice constructs a deploy transaction, as described in *application-ACL.md*, setting the transaction metadata to *DER(BobCert)* -3. Alice submits the deploy transaction to the fabric network - -*Bob* is now the administrator of the chaincode. - -### Bob assigns ownership of all the assets via `app2` - -1. *Bob* obtains, via out-of-band channels, the ECerts of *Charlie*, *Dave*, and *Edwina*; let us call these certificates *CharlieCert*, *DaveCert*, and *EdwinaCert*, respectively -2. *Bob* constructs an invoke transaction, as described in *application-ACL.md* using *BobCert* to gain access, to invoke the *assign* function passing as parameters *('ASSET_NAME_HERE', Base64(DER(CharlieCert)))* -3. *Bob* submits the transaction to the fabric network -4. *Bob* repeates the above steps for every asset listed in [assets.txt](app2/assets.txt), rotating between *Charlie*, *Dave*, and *Edwina* as the assigned owner - -*Charlie*, *Dave*, and *Edwina* are now each the owners of 1/3 of the assets. - -Notice that, to assign ownership of assets, *Bob* has to use *BobCert* to authenticate his invocations. - -### Charlie, Dave, and Edwina transfer the ownership of their assets between each other via separate instances of `app3` - -1. *Charlie*, *Dave*, and *Edwina* each obtain, via out-of-band channels, the ECerts of the other owners; let us call these certificates *CharlieCert*, *DaveCert*, and *EdwinaCert*, respectively -2. Owner *X* constructs an invoke transaction, as described in *application-ACL.md* using *XCert*, to invoke the *transfer* function passing as parameters *('ASSET_NAME_HERE', Base64(DER(YCert)))*. -3. *X* submits the transaction to the fabric network. -4. These steps can be repeated for any asset to be transferred between any two users *X* -> *Y*, if and only if *X* is the current owner of the asset - -*Y* is now the owner of the asset. - -Notice that, to transfer the ownership of a given asset, user *X* has to use *XCert* to authenticate his/her invocations. - -## How To run the Interactive Asset Management App - -In order to run the Interactive Asset Management App, the following steps are required. - -### Setup the fabric network and create app's configuration file - -Follow the [create](https://github.com/hyperledger/fabric/blob/master/examples/chaincode/go/asset_management/app/README.md#create-apps-configuration-file) and [setup](https://github.com/hyperledger/fabric/blob/master/examples/chaincode/go/asset_management/app/README.md#setup-the-fabric-network) steps from the original asset management demo instructions. Note that the `core.yaml` that is described should be placed in this directory on the CLI node. - -### Build the apps - -Follow the first two instructions of the [run step](https://github.com/hyperledger/fabric/blob/master/examples/chaincode/go/asset_management/app/README.md#run-the-app) from the original asset management demo instructions, but change into the following directory instead: - -``` -cd $GOPATH/src/github.com/hyperldger/fabric/examples/chaincode/go/asset_management_interactive -``` - -Then build all three applications by issuing the following command: - -``` -./build.sh -``` - -### Run `app1` - -Run `app1` by issuing the following command: - -``` -cd app1 -./app1 -``` - -Wait for `app1` to complete, and note the output value of `ChaincodeName`, which needs to be supplied to the following applications. For the rest of these instructions, we will use `8bc69f84aa55195b9eba6aed6261a01ba528acd3413f37b34df580f96e0d8a525e0fe8d41f967b38f192f7a731d63596eedcbd08ee636afdadb96be02d5d150d` as the `ChaincodeName` value. - -### Run `app2` - -Run `app2` by issuing the following command: - -``` -cd ../app2 -./app2 8bc69f84aa55195b9eba6aed6261a01ba528acd3413f37b34df580f96e0d8a525e0fe8d41f967b38f192f7a731d63596eedcbd08ee636afdadb96be02d5d150d -``` - -### Run `app3` for each owner - -Run `app3` for each owner by issuing the following commands (note that a separate terminal window for each owner is recommended): - -``` -cd ../app3 -``` - -Run as *Charlie*: - -``` -./app3 8bc69f84aa55195b9eba6aed6261a01ba528acd3413f37b34df580f96e0d8a525e0fe8d41f967b38f192f7a731d63596eedcbd08ee636afdadb96be02d5d150d charlie -``` - -Run as *Dave*: - -``` -./app3 8bc69f84aa55195b9eba6aed6261a01ba528acd3413f37b34df580f96e0d8a525e0fe8d41f967b38f192f7a731d63596eedcbd08ee636afdadb96be02d5d150d dave -``` - -Run as *Edwina*: - -``` -./app3 8bc69f84aa55195b9eba6aed6261a01ba528acd3413f37b34df580f96e0d8a525e0fe8d41f967b38f192f7a731d63596eedcbd08ee636afdadb96be02d5d150d edwina -``` - -Each app will then provide a simple console interface for perfoming one of two actions: listing owned assets and transferring an asset to another owner. - -#### List Assets - -List an owner's assets by issuing the `list` command. For example, this is the expected output of *Charlie's* first `list`: - -``` -charlie$ list -... -'charlie' owns the following 16 assets: -'Lot01: BERNARD LEACH VASE WITH 'LEAPING FISH' DESIGN' -'Lot04: PETER LANYON TREVALGAN' -'Lot07: DAVID BOMBERG MOORISH RONDA, ANDALUCIA' -'Lot10: HAROLD GILMAN INTERIOR (MRS MOUNTER)' -'Lot13: WILLIAM SCOTT, R.A. GIRL SEATED AT A TABLE' -'Lot16: JACK BUTLER YEATS, R.H.A. SLEEP SOUND' -'Lot19: SIR EDUARDO PAOLOZZI, R.A. WEDDING OF THE ROCK AND DYNAMO' -'Lot22: JEAN-MICHEL BASQUIAT AIR POWER' -'Lot25: KENNETH ARMITAGE, R.A. MODEL FOR DIARCHY (SMALL VERSION)' -'Lot28: FRANK AUERBACH E.O.W'S RECLINING HEAD' -'Lot31: SIR EDUARDO PAOLOZZI, R.A. FORMS ON A BOW NO. 2' -'Lot34: MARCEL DUCHAMP WITH HIDDEN NOISE (A BRUIT SECRET)' -'Lot37: FRANCIS PICABIA MENDICA' -'Lot40: DAVID BOMBERG PLAZUELA DE LA PAZ, RONDA' -'Lot43: PATRICK CAULFIELD, R.A., C.B.E. FOYER' -'Lot46: DAMIEN HIRST UNTITLED FISH FOR DAVID' -``` - -#### Transfer Assets - -Transfer an asset to another owner by issuing the `transfer LotXX owner_here` command. For example, this is the command to transfer *Lot01* from *Charlie* to *Dave*. - -``` -charlie$ transfer Lot01 dave -... -'dave' is the new owner of 'Lot01: BERNARD LEACH VASE WITH 'LEAPING FISH' DESIGN'! -------------- Done! -``` - -## Compatibility - -This demo application has been successfully tested against the -[v0.6.0-preview](https://github.com/hyperledger/fabric/releases/tag/v0.6.0-preview) and -[v0.6.1-preview](https://github.com/hyperledger/fabric/releases/tag/v0.6.1-preview) releases. - -## Copyright Note - -The new source code files retain `Copyright IBM Corp.` because they are closely adopted from a preexisting example that contains an IBM copyright. \ No newline at end of file diff --git a/examples/chaincode/go/asset_management_interactive/app1/app1.go b/examples/chaincode/go/asset_management_interactive/app1/app1.go deleted file mode 100644 index f2e88075c5a..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app1/app1.go +++ /dev/null @@ -1,103 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "os" - "time" - - "github.com/hyperledger/fabric/core/crypto" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "google.golang.org/grpc" -) - -var ( - // Logging - appLogger = logging.MustGetLogger("app") - - // NVP related objects - peerClientConn *grpc.ClientConn - serverClient pb.PeerClient - - // Alice is the deployer - alice crypto.Client - - // Bob is the administrator - bob crypto.Client - bobCert crypto.CertificateHandler -) - -func deploy() (err error) { - appLogger.Debug("------------- Alice wants to assign the administrator role to Bob;") - // Deploy: - // 1. Alice is the deployer of the chaincode; - // 2. Alice wants to assign the administrator role to Bob; - // 3. Alice obtains, via an out-of-band channel, the ECert of Bob, let us call this certificate *BobCert*; - // 4. Alice constructs a deploy transaction, as described in *application-ACL.md*, setting the transaction - // metadata to *DER(CharlieCert)*. - // 5. Alice submits th e transaction to the fabric network. - - resp, err := deployInternal(alice, bobCert) - if err != nil { - appLogger.Errorf("Failed deploying [%s]", err) - return - } - appLogger.Debugf("Resp [%s]", resp.String()) - appLogger.Debugf("Chaincode NAME: [%s]-[%s]", chaincodeName, string(resp.Msg)) - - appLogger.Debug("Wait 60 seconds") - time.Sleep(60 * time.Second) - - appLogger.Debug("------------- Done!") - return -} - -func testAssetManagementChaincode() (err error) { - // Deploy - err = deploy() - if err != nil { - appLogger.Errorf("Failed deploying [%s]", err) - return - } - - appLogger.Debug("Deployed!") - - closeCryptoClient(alice) - closeCryptoClient(bob) - - return -} - -func main() { - // Initialize a non-validating peer whose role is to submit - // transactions to the fabric network. - // A 'core.yaml' file is assumed to be available in the working directory. - if err := initNVP(); err != nil { - appLogger.Debugf("Failed initiliazing NVP [%s]", err) - os.Exit(-1) - } - - // Enable fabric 'confidentiality' - confidentiality(true) - - // Exercise the 'asset_management' chaincode - if err := testAssetManagementChaincode(); err != nil { - appLogger.Debugf("Failed testing asset management chaincode [%s]", err) - os.Exit(-2) - } -} diff --git a/examples/chaincode/go/asset_management_interactive/app1/app1_internal.go b/examples/chaincode/go/asset_management_interactive/app1/app1_internal.go deleted file mode 100644 index 6d6e73df0a7..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app1/app1_internal.go +++ /dev/null @@ -1,312 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "encoding/base64" - "errors" - "fmt" - - "github.com/golang/protobuf/proto" - "github.com/hyperledger/fabric/common/util" - "github.com/hyperledger/fabric/core/chaincode" - "github.com/hyperledger/fabric/core/chaincode/platforms" - "github.com/hyperledger/fabric/core/config" - "github.com/hyperledger/fabric/core/container" - "github.com/hyperledger/fabric/core/crypto" - "github.com/hyperledger/fabric/core/peer" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "github.com/spf13/viper" - "golang.org/x/net/context" -) - -var ( - confidentialityOn bool - - chaincodeName string -) - -func initNVP() (err error) { - if err = initPeerClient(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - - } - if err = initCryptoClients(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - } - - return -} - -func initPeerClient() (err error) { - config.SetupTestConfig(".") - viper.Set("ledger.blockchain.deploy-system-chaincode", "false") - viper.Set("peer.validator.validity-period.verification", "false") - - peerClientConn, err = peer.NewPeerClientConnection() - if err != nil { - fmt.Printf("error connection to server at host:port = %s\n", viper.GetString("peer.address")) - return - } - serverClient = pb.NewPeerClient(peerClientConn) - - // Logging - var formatter = logging.MustStringFormatter( - `%{color}[%{module}] %{shortfunc} [%{shortfile}] -> %{level:.4s} %{id:03x}%{color:reset} %{message}`, - ) - logging.SetFormatter(formatter) - - return -} - -func initCryptoClients() error { - crypto.Init() - - // Initialize the clients mapping alice, bob, charlie and dave - // to identities already defined in 'membersrvc.yaml' - - // Alice as jim - if err := crypto.RegisterClient("jim", nil, "jim", "6avZQLwcUe9b"); err != nil { - return err - } - var err error - alice, err = crypto.InitClient("jim", nil) - if err != nil { - return err - } - - // Bob as lukas - if err := crypto.RegisterClient("lukas", nil, "lukas", "NPKYL39uKbkj"); err != nil { - return err - } - bob, err = crypto.InitClient("lukas", nil) - if err != nil { - return err - } - - bobCert, err = bob.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Bob TCert [%s]", err) - return err - } - - return nil -} - -func closeCryptoClient(client crypto.Client) { - crypto.CloseClient(client) -} - -func processTransaction(tx *pb.Transaction) (*pb.Response, error) { - return serverClient.ProcessTransaction(context.Background(), tx) -} - -func confidentiality(enabled bool) { - confidentialityOn = enabled -} - -func deployInternal(deployer crypto.Client, adminCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Prepare the spec. The metadata includes the identity of the administrator - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Path: "github.com/hyperledger/fabric/examples/chaincode/go/asset_management"}, - //ChaincodeID: &pb.ChaincodeID{Name: chaincodeName}, - Input: &pb.ChaincodeInput{Args: util.ToChaincodeArgs("init")}, - Metadata: adminCert.GetCertificate(), - } - - // First build the deployment spec - cds, err := getChaincodeBytes(spec) - if err != nil { - return nil, fmt.Errorf("Error getting deployment spec: %s ", err) - } - - // Now create the Transactions message and send to Peer. - transaction, err := deployer.NewChaincodeDeployTransaction(cds, cds.ChaincodeSpec.ChaincodeId.Name) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - - appLogger.Debugf("resp [%s]", resp.String()) - - chaincodeName = cds.ChaincodeSpec.ChaincodeId.Name - appLogger.Debugf("ChaincodeName [%s]", chaincodeName) - - return -} - -func assignOwnershipInternal(invoker crypto.Client, invokerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - submittingCertHandler, err := invoker.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("assign", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Administrator signs chaincodeInputRaw || binding to confirm his identity - sigma, err := invokerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - CtorMsg: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) -} - -func transferOwnershipInternal(owner crypto.Client, ownerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - - submittingCertHandler, err := owner.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("transfer", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Owner signs chaincodeInputRaw || binding to confirm his identity - sigma, err := ownerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - CtorMsg: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) - -} - -func whoIsTheOwner(invoker crypto.Client, asset string) (transaction *pb.Transaction, resp *pb.Response, err error) { - chaincodeInput := &pb.ChaincodeInput{Args: util.ToChaincodeArgs("query", asset)} - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - CtorMsg: chaincodeInput, - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err = invoker.NewChaincodeQuery(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - return -} - -func getChaincodeBytes(spec *pb.ChaincodeSpec) (*pb.ChaincodeDeploymentSpec, error) { - mode := viper.GetString("chaincode.mode") - var codePackageBytes []byte - if mode != chaincode.DevModeUserRunsChaincode { - appLogger.Debugf("Received build request for chaincode spec: %v", spec) - var err error - if err = checkSpec(spec); err != nil { - return nil, err - } - - codePackageBytes, err = container.GetChaincodePackageBytes(spec) - if err != nil { - err = fmt.Errorf("Error getting chaincode package bytes: %s", err) - appLogger.Errorf("%s", err) - return nil, err - } - } - chaincodeDeploymentSpec := &pb.ChaincodeDeploymentSpec{ChaincodeSpec: spec, CodePackage: codePackageBytes} - return chaincodeDeploymentSpec, nil -} - -func checkSpec(spec *pb.ChaincodeSpec) error { - // Don't allow nil value - if spec == nil { - return errors.New("Expected chaincode specification, nil received") - } - - platform, err := platforms.Find(spec.Type) - if err != nil { - return fmt.Errorf("Failed to determine platform type: %s", err) - } - - return platform.ValidateSpec(spec) -} diff --git a/examples/chaincode/go/asset_management_interactive/app2/app2.go b/examples/chaincode/go/asset_management_interactive/app2/app2.go deleted file mode 100644 index 997801ee528..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app2/app2.go +++ /dev/null @@ -1,134 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "os" - "time" - - "github.com/hyperledger/fabric/core/crypto" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "google.golang.org/grpc" -) - -var ( - // Logging - appLogger = logging.MustGetLogger("app") - - // NVP related objects - peerClientConn *grpc.ClientConn - serverClient pb.PeerClient - - // Bob is the administrator - bob crypto.Client - bobCert crypto.CertificateHandler - - // Charlie, Dave, and Edwina are owners - charlie crypto.Client - charlieCert crypto.CertificateHandler - - dave crypto.Client - daveCert crypto.CertificateHandler - - edwina crypto.Client - edwinaCert crypto.CertificateHandler - - assets map[string]string - lotNums []string -) - -func assignOwnership() (err error) { - appLogger.Debug("------------- Bob wants to assign the asset owners to all of the assets...") - - i := 0 - var ownerCert crypto.CertificateHandler - - for _, lotNum := range lotNums { - assetName := assets[lotNum] - - if i%3 == 0 { - appLogger.Debugf("Assigning ownership of asset '[%s]: [%s]' to '[%s]'", lotNum, assetName, "Charlie") - ownerCert = charlieCert - } else if i%3 == 1 { - appLogger.Debugf("Assigning ownership of asset '[%s]: [%s]' to '[%s]'", lotNum, assetName, "Dave") - ownerCert = daveCert - } else { - appLogger.Debugf("Assigning ownership of asset '[%s]: [%s]' to '[%s]'", lotNum, assetName, "Edwina") - ownerCert = edwinaCert - } - - resp, err := assignOwnershipInternal(bob, bobCert, assetName, ownerCert) - if err != nil { - appLogger.Errorf("Failed assigning ownership [%s]", err) - return err - } - appLogger.Debugf("Resp [%s]", resp.String()) - - i++ - } - - appLogger.Debug("Wait 60 seconds...") - time.Sleep(60 * time.Second) - - appLogger.Debug("------------- Done!") - return -} - -func testAssetManagementChaincode() (err error) { - // Assign - err = assignOwnership() - if err != nil { - appLogger.Errorf("Failed assigning ownership [%s]", err) - return - } - - appLogger.Debug("Assigned ownership!") - - closeCryptoClient(bob) - closeCryptoClient(charlie) - closeCryptoClient(dave) - closeCryptoClient(edwina) - - return -} - -func main() { - if len(os.Args) != 2 { - appLogger.Errorf("Error -- A ChaincodeName must be specified.") - os.Exit(-1) - } - - chaincodeName = os.Args[1] - - // Initialize a non-validating peer whose role is to submit - // transactions to the fabric network. - // A 'core.yaml' file is assumed to be available in the working directory. - if err := initNVP(); err != nil { - appLogger.Debugf("Failed initiliazing NVP [%s]", err) - os.Exit(-1) - } - - // Enable fabric 'confidentiality' - confidentiality(true) - - // Exercise the 'asset_management' chaincode - if err := testAssetManagementChaincode(); err != nil { - appLogger.Debugf("Failed testing asset management chaincode [%s]", err) - os.Exit(-2) - } -} diff --git a/examples/chaincode/go/asset_management_interactive/app2/app2_internal.go b/examples/chaincode/go/asset_management_interactive/app2/app2_internal.go deleted file mode 100644 index 51e29c2c7d4..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app2/app2_internal.go +++ /dev/null @@ -1,386 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "bufio" - "encoding/base64" - "errors" - "fmt" - "os" - - "strings" - - "github.com/golang/protobuf/proto" - "github.com/hyperledger/fabric/common/util" - "github.com/hyperledger/fabric/core/chaincode" - "github.com/hyperledger/fabric/core/chaincode/platforms" - "github.com/hyperledger/fabric/core/config" - "github.com/hyperledger/fabric/core/container" - "github.com/hyperledger/fabric/core/crypto" - "github.com/hyperledger/fabric/core/peer" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "github.com/spf13/viper" - "golang.org/x/net/context" -) - -var ( - confidentialityOn bool - - chaincodeName string -) - -func initNVP() (err error) { - if err = initPeerClient(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - - } - if err = initCryptoClients(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - } - - if err = readAssets(); err != nil { - appLogger.Debugf("Failed reading assets [%s]", err) - return - } - - return -} - -func initPeerClient() (err error) { - config.SetupTestConfig(".") - viper.Set("ledger.blockchain.deploy-system-chaincode", "false") - viper.Set("peer.validator.validity-period.verification", "false") - - peerClientConn, err = peer.NewPeerClientConnection() - if err != nil { - fmt.Printf("error connection to server at host:port = %s\n", viper.GetString("peer.address")) - return - } - serverClient = pb.NewPeerClient(peerClientConn) - - // Logging - var formatter = logging.MustStringFormatter( - `%{color}[%{module}] %{shortfunc} [%{shortfile}] -> %{level:.4s} %{id:03x}%{color:reset} %{message}`, - ) - logging.SetFormatter(formatter) - - return -} - -func initCryptoClients() error { - crypto.Init() - - // Initialize the clients mapping bob, charlie, dave, and edwina - // to identities already defined in 'membersrvc.yaml' - - // Bob as lukas - if err := crypto.RegisterClient("lukas", nil, "lukas", "NPKYL39uKbkj"); err != nil { - return err - } - var err error - bob, err = crypto.InitClient("lukas", nil) - if err != nil { - return err - } - - // Charlie as diego - if err := crypto.RegisterClient("diego", nil, "diego", "DRJ23pEQl16a"); err != nil { - return err - } - charlie, err = crypto.InitClient("diego", nil) - if err != nil { - return err - } - - // Dave as binhn - if err := crypto.RegisterClient("binhn", nil, "binhn", "7avZQLwcUe9q"); err != nil { - return err - } - dave, err = crypto.InitClient("binhn", nil) - if err != nil { - return err - } - - // Edwina as test_user0 - if err := crypto.RegisterClient("test_user0", nil, "test_user0", "MS9qrN8hFjlE"); err != nil { - return err - } - edwina, err = crypto.InitClient("test_user0", nil) - if err != nil { - return err - } - - bobCert, err = bob.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Bob ECert [%s]", err) - return err - } - - charlieCert, err = charlie.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Charlie ECert [%s]", err) - return err - } - - daveCert, err = dave.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Dave ECert [%s]", err) - return err - } - - edwinaCert, err = edwina.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Edwina ECert [%s]", err) - return err - } - - return nil -} - -func readAssets() error { - assets = make(map[string]string) - lotNums = make([]string, 0, 47) - - file, err := os.Open("assets.txt") - if err != nil { - return err - } - defer file.Close() - - scanner := bufio.NewScanner(file) - for scanner.Scan() { - assetLine := scanner.Text() - assetParts := strings.Split(assetLine, ";") - - lotNum := assetParts[0] - assetName := assetParts[1] - - assets[lotNum] = assetName - lotNums = append(lotNums, lotNum) - } - - if err := scanner.Err(); err != nil { - return err - } - - return nil -} - -func closeCryptoClient(client crypto.Client) { - crypto.CloseClient(client) -} - -func processTransaction(tx *pb.Transaction) (*pb.Response, error) { - return serverClient.ProcessTransaction(context.Background(), tx) -} - -func confidentiality(enabled bool) { - confidentialityOn = enabled -} - -func deployInternal(deployer crypto.Client, adminCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Prepare the spec. The metadata includes the identity of the administrator - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Path: "github.com/hyperledger/fabric/examples/chaincode/go/asset_management"}, - //ChaincodeID: &pb.ChaincodeID{Name: chaincodeName}, - Input: &pb.ChaincodeInput{Args: util.ToChaincodeArgs("init")}, - Metadata: adminCert.GetCertificate(), - } - - // First build the deployment spec - cds, err := getChaincodeBytes(spec) - if err != nil { - return nil, fmt.Errorf("Error getting deployment spec: %s ", err) - } - - // Now create the Transactions message and send to Peer. - transaction, err := deployer.NewChaincodeDeployTransaction(cds, cds.ChaincodeSpec.ChaincodeId.Name) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - - appLogger.Debugf("resp [%s]", resp.String()) - - chaincodeName = cds.ChaincodeSpec.ChaincodeId.Name - appLogger.Debugf("ChaincodeName [%s]", chaincodeName) - - return -} - -func assignOwnershipInternal(invoker crypto.Client, invokerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - submittingCertHandler, err := invoker.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("assign", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Administrator signs chaincodeInputRaw || binding to confirm his identity - sigma, err := invokerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) -} - -func transferOwnershipInternal(owner crypto.Client, ownerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - - submittingCertHandler, err := owner.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("transfer", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Owner signs chaincodeInputRaw || binding to confirm his identity - sigma, err := ownerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) - -} - -func whoIsTheOwner(invoker crypto.Client, asset string) (transaction *pb.Transaction, resp *pb.Response, err error) { - chaincodeInput := &pb.ChaincodeInput{Args: util.ToChaincodeArgs("query", asset)} - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err = invoker.NewChaincodeQuery(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - return -} - -func getChaincodeBytes(spec *pb.ChaincodeSpec) (*pb.ChaincodeDeploymentSpec, error) { - mode := viper.GetString("chaincode.mode") - var codePackageBytes []byte - if mode != chaincode.DevModeUserRunsChaincode { - appLogger.Debugf("Received build request for chaincode spec: %v", spec) - var err error - if err = checkSpec(spec); err != nil { - return nil, err - } - - codePackageBytes, err = container.GetChaincodePackageBytes(spec) - if err != nil { - err = fmt.Errorf("Error getting chaincode package bytes: %s", err) - appLogger.Errorf("%s", err) - return nil, err - } - } - chaincodeDeploymentSpec := &pb.ChaincodeDeploymentSpec{ChaincodeSpec: spec, CodePackage: codePackageBytes} - return chaincodeDeploymentSpec, nil -} - -func checkSpec(spec *pb.ChaincodeSpec) error { - // Don't allow nil value - if spec == nil { - return errors.New("Expected chaincode specification, nil received") - } - - platform, err := platforms.Find(spec.Type) - if err != nil { - return fmt.Errorf("Failed to determine platform type: %s", err) - } - - return platform.ValidateSpec(spec) -} diff --git a/examples/chaincode/go/asset_management_interactive/app2/assets.txt b/examples/chaincode/go/asset_management_interactive/app2/assets.txt deleted file mode 100644 index 298c9910348..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app2/assets.txt +++ /dev/null @@ -1,47 +0,0 @@ -Lot01;BERNARD LEACH VASE WITH 'LEAPING FISH' DESIGN -Lot02;WINIFRED NICHOLSON ST IVES HARBOUR -Lot03;WILHELMINA BARNS-GRAHAM GLACIER (BONE) -Lot04;PETER LANYON TREVALGAN -Lot05;DAMIEN HIRST WITH DAVID BOWIE BEAUTIFUL, HALLO, SPACE-BOY PAINTING -Lot06;PERCY WYNDHAM LEWIS FUTURIST FIGURE -Lot07;DAVID BOMBERG MOORISH RONDA, ANDALUCIA -Lot08;PERCY WYNDHAM LEWIS CIRCUS SCENE -Lot09;HENRY LAMB STUDY FOR PORTRAIT OF LYTTON STRACHEY -Lot10;HAROLD GILMAN INTERIOR (MRS MOUNTER) -Lot11;SIR JACOB EPSTEIN LES FLEURS DU MAL - HYMNE LA BEAUT -Lot12;HENRY MOORE, O.M., C.H. FAMILY GROUP -Lot13;WILLIAM SCOTT, R.A. GIRL SEATED AT A TABLE -Lot14;IVON HITCHENS THE BOATHOUSE NO. 3 -Lot15;KENNETH ARMITAGE, R.A. FIGURE LYING ON ITS SIDE (VERSION 3) -Lot16;JACK BUTLER YEATS, R.H.A. SLEEP SOUND -Lot17;DAVID BOMBERG SUNRISE IN THE MOUNTAINS, PICOS DE ASTURIAS -Lot18;FRANK AUERBACH HEAD OF GERDA BOEHM -Lot19;SIR EDUARDO PAOLOZZI, R.A. WEDDING OF THE ROCK AND DYNAMO -Lot20;PETER LANYON WITNESS -Lot21;JEAN-MICHEL BASQUIAT UNTITLED -Lot22;JEAN-MICHEL BASQUIAT AIR POWER -Lot23;ALAN DAVIE PETER'S JOY-PIT -Lot24;BRYAN WYNTER IN THE STREAM'S PATH -Lot25;KENNETH ARMITAGE, R.A. MODEL FOR DIARCHY (SMALL VERSION) -Lot26;LEON KOSSOFF DALSTON JUNCTION NO.3, JUNE 1973 -Lot27;WILLIAM SCOTT, R.A. WINTER STILL LIFE NO.2 -Lot28;FRANK AUERBACH E.O.W'S RECLINING HEAD -Lot29;PETER LANYON INSHORE FISHING -Lot30;GRAHAM SUTHERLAND, O.M. THORN BUSH -Lot31;SIR EDUARDO PAOLOZZI, R.A. FORMS ON A BOW NO. 2 -Lot32;EDWARD WADSWORTH AU REVOIR -Lot33;LOUIS LE BROCQUY, H.R.H.A. IMAGE OF JAMES JOYCE -Lot34;MARCEL DUCHAMP WITH HIDDEN NOISE (A BRUIT SECRET) -Lot35;MARCEL DUCHAMP NUDE DESCENDING A STAIRCASE, NO. 2 -Lot36;MERET OPPENHEIM LA CONDITION HUMAINE -Lot37;FRANCIS PICABIA MENDICA -Lot38;JACOPO ROBUSTI, CALLED JACOPO TINTORETTO AND STUDIO THE ANGEL FORETELLING SAINT CATHERINE OF ALEXANDRIA OF HER MARTYRDOM -Lot39;SIR STANLEY SPENCER, R.A. CARRYING MATTRESSES -Lot40;DAVID BOMBERG PLAZUELA DE LA PAZ, RONDA -Lot41;WILLIAM TURNBULL LARGE IDOL -Lot42;PATRICK HUGHES LIQUORICE ALLSORTS -Lot43;PATRICK CAULFIELD, R.A., C.B.E. FOYER -Lot44;VICTOR PASMORE ABSTRACT IN WHITE, BLACK, GREEN AND CRIMSON -Lot45;GILBERT & GEORGE LEAF -Lot46;DAMIEN HIRST UNTITLED FISH FOR DAVID -Lot47;DAMIEN HIRST BEAUTIFUL, SHATTERING, SLASHING, VIOLENT, PINKY, HACKING, SPHINCTER PAINTING \ No newline at end of file diff --git a/examples/chaincode/go/asset_management_interactive/app3/app3.go b/examples/chaincode/go/asset_management_interactive/app3/app3.go deleted file mode 100644 index 61075515905..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app3/app3.go +++ /dev/null @@ -1,195 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "bufio" - "fmt" - "os" - "reflect" - - "strings" - - "github.com/hyperledger/fabric/core/crypto" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "google.golang.org/grpc" -) - -var ( - // Logging - appLogger = logging.MustGetLogger("app") - - // NVP related objects - peerClientConn *grpc.ClientConn - serverClient pb.PeerClient - - // Charlie, Dave, and Edwina are owners - charlie crypto.Client - charlieCert crypto.CertificateHandler - - dave crypto.Client - daveCert crypto.CertificateHandler - - edwina crypto.Client - edwinaCert crypto.CertificateHandler - - assets map[string]string - lotNums []string - - clients map[string]crypto.Client - certs map[string]crypto.CertificateHandler - - myClient crypto.Client - myCert crypto.CertificateHandler -) - -func transferOwnership(lotNum string, newOwner string) (err error) { - if !isAssetKnown(lotNum) { - appLogger.Errorf("Error -- asset '%s' does not exist.", lotNum) - return - } - - if !isUserKnown(newOwner) { - appLogger.Errorf("Error -- user '%s' is not known.", newOwner) - return - } - - assetName := assets[lotNum] - - appLogger.Debugf("------------- '%s' wants to transfer the ownership of '%s: %s' to '%s'...", user, lotNum, assetName, newOwner) - - if !isOwner(assetName, user) { - appLogger.Debugf("'%s' is not the owner of '%s: %s' -- transfer not allowed.", user, lotNum, assetName) - return - } - - resp, err := transferOwnershipInternal(myClient, myCert, assetName, certs[newOwner]) - if err != nil { - appLogger.Debugf("Failed to transfer '%s: %s' to '%s'", lotNum, assetName, newOwner) - return err - } - appLogger.Debugf("Resp [%s]", resp.String()) - - appLogger.Debugf("'%s' is the new owner of '%s: %s'!", newOwner, lotNum, assetName) - appLogger.Debug("------------- Done!") - return -} - -func listOwnedAssets() { - ownedAssets := make([]string, 0, len(assets)) - - for _, lotNum := range lotNums { - assetName := assets[lotNum] - - if isOwner(assetName, user) { - ownedAsset := "'" + lotNum + ": " + assetName + "'" - ownedAssets = append(ownedAssets, ownedAsset) - } - } - - appLogger.Debugf("'%s' owns the following %d assets:", user, len(ownedAssets)) - - for _, asset := range ownedAssets { - appLogger.Debug(asset) - } -} - -func isOwner(assetName string, user string) (isOwner bool) { - appLogger.Debug("Query....") - queryTx, theOwnerIs, err := whoIsTheOwner(myClient, assetName) - if err != nil { - return false - } - appLogger.Debugf("Resp [%s]", theOwnerIs.String()) - appLogger.Debug("Query....done") - - var res []byte - if confidentialityOn { - // Decrypt result - res, err = myClient.DecryptQueryResult(queryTx, theOwnerIs.Msg) - if err != nil { - appLogger.Errorf("Failed decrypting result [%s]", err) - return false - } - } else { - res = theOwnerIs.Msg - } - - if !reflect.DeepEqual(res, certs[user].GetCertificate()) { - appLogger.Errorf("'%s' is not the owner.", user) - - appLogger.Debugf("Query result : [% x]", res) - appLogger.Debugf("%s's cert: [% x]", certs[user].GetCertificate(), user) - - return false - } else { - return true - } -} - -func isUserKnown(userName string) (ok bool) { - _, ok = clients[userName] - return ok -} - -func isAssetKnown(assetName string) (ok bool) { - _, ok = assets[assetName] - return ok -} - -func main() { - if len(os.Args) != 3 { - appLogger.Error("Error -- A ChaincodeName and username must be specified.") - os.Exit(-1) - } - - chaincodeName = os.Args[1] - user = os.Args[2] - - // Initialize a non-validating peer whose role is to submit - // transactions to the fabric network. - // A 'core.yaml' file is assumed to be available in the working directory. - if err := initNVP(); err != nil { - appLogger.Debugf("Failed initiliazing NVP [%s]", err) - os.Exit(-1) - } - - if !isUserKnown(user) { - appLogger.Errorf("Error -- user '%s' is not known.", user) - os.Exit(-1) - } - - // Enable fabric 'confidentiality' - confidentiality(true) - - reader := bufio.NewReader(os.Stdin) - - for { - fmt.Printf("%s$ ", user) - line, _ := reader.ReadString('\n') - command := strings.Split(strings.TrimRight(line, "\n"), " ") - - if command[0] == "transfer" { - transferOwnership(command[1], command[2]) - } else if command[0] == "list" { - listOwnedAssets() - } else if command[0] == "exit" { - os.Exit(0) - } - } -} diff --git a/examples/chaincode/go/asset_management_interactive/app3/app3_internal.go b/examples/chaincode/go/asset_management_interactive/app3/app3_internal.go deleted file mode 100644 index 1e39b266c32..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app3/app3_internal.go +++ /dev/null @@ -1,374 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "bufio" - "encoding/base64" - "errors" - "fmt" - "os" - - "strings" - - "github.com/golang/protobuf/proto" - "github.com/hyperledger/fabric/common/util" - "github.com/hyperledger/fabric/core/chaincode" - "github.com/hyperledger/fabric/core/chaincode/platforms" - "github.com/hyperledger/fabric/core/config" - "github.com/hyperledger/fabric/core/container" - "github.com/hyperledger/fabric/core/crypto" - "github.com/hyperledger/fabric/core/peer" - pb "github.com/hyperledger/fabric/protos" - "github.com/op/go-logging" - "github.com/spf13/viper" - "golang.org/x/net/context" -) - -var ( - confidentialityOn bool - - chaincodeName string - user string -) - -func initNVP() (err error) { - if err = initPeerClient(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - - } - if err = initCryptoClients(); err != nil { - appLogger.Debugf("Failed deploying [%s]", err) - return - } - - if err = readAssets(); err != nil { - appLogger.Debugf("Failed reading assets [%s]", err) - return - } - - return -} - -func initPeerClient() (err error) { - config.SetupTestConfig(".") - viper.Set("ledger.blockchain.deploy-system-chaincode", "false") - viper.Set("peer.validator.validity-period.verification", "false") - - peerClientConn, err = peer.NewPeerClientConnection() - if err != nil { - fmt.Printf("error connection to server at host:port = %s\n", viper.GetString("peer.address")) - return - } - serverClient = pb.NewPeerClient(peerClientConn) - - // Logging - var formatter = logging.MustStringFormatter( - `%{color}[%{module}] %{shortfunc} [%{shortfile}] -> %{level:.4s} %{id:03x}%{color:reset} %{message}`, - ) - logging.SetFormatter(formatter) - - return -} - -func initCryptoClients() error { - crypto.Init() - - // Initialize the clients mapping charlie, dave, and edwina - // to identities already defined in 'membersrvc.yaml' - - // Charlie as diego - if err := crypto.RegisterClient("diego", nil, "diego", "DRJ23pEQl16a"); err != nil { - return err - } - var err error - charlie, err = crypto.InitClient("diego", nil) - if err != nil { - return err - } - - // Dave as binhn - if err := crypto.RegisterClient("binhn", nil, "binhn", "7avZQLwcUe9q"); err != nil { - return err - } - dave, err = crypto.InitClient("binhn", nil) - if err != nil { - return err - } - - // Edwina as test_user0 - if err := crypto.RegisterClient("test_user0", nil, "test_user0", "MS9qrN8hFjlE"); err != nil { - return err - } - edwina, err = crypto.InitClient("test_user0", nil) - if err != nil { - return err - } - - charlieCert, err = charlie.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Charlie ECert [%s]", err) - return err - } - - daveCert, err = dave.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Dave ECert [%s]", err) - return err - } - - edwinaCert, err = edwina.GetEnrollmentCertificateHandler() - if err != nil { - appLogger.Errorf("Failed getting Edwina ECert [%s]", err) - return err - } - - clients = map[string]crypto.Client{"charlie": charlie, "dave": dave, "edwina": edwina} - certs = map[string]crypto.CertificateHandler{"charlie": charlieCert, "dave": daveCert, "edwina": edwinaCert} - - myClient = clients[user] - myCert = certs[user] - - return nil -} - -func readAssets() error { - assets = make(map[string]string) - lotNums = make([]string, 0, 47) - - file, err := os.Open("assets.txt") - if err != nil { - return err - } - defer file.Close() - - scanner := bufio.NewScanner(file) - for scanner.Scan() { - assetLine := scanner.Text() - assetParts := strings.Split(assetLine, ";") - - lotNum := assetParts[0] - assetName := assetParts[1] - - assets[lotNum] = assetName - lotNums = append(lotNums, lotNum) - } - - if err := scanner.Err(); err != nil { - return err - } - - return nil -} - -func processTransaction(tx *pb.Transaction) (*pb.Response, error) { - return serverClient.ProcessTransaction(context.Background(), tx) -} - -func confidentiality(enabled bool) { - confidentialityOn = enabled -} - -func deployInternal(deployer crypto.Client, adminCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Prepare the spec. The metadata includes the identity of the administrator - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Path: "github.com/hyperledger/fabric/examples/chaincode/go/asset_management"}, - //ChaincodeID: &pb.ChaincodeID{Name: chaincodeName}, - Input: &pb.ChaincodeInput{Args: util.ToChaincodeArgs("init")}, - Metadata: adminCert.GetCertificate(), - } - - // First build the deployment spec - cds, err := getChaincodeBytes(spec) - if err != nil { - return nil, fmt.Errorf("Error getting deployment spec: %s ", err) - } - - // Now create the Transactions message and send to Peer. - transaction, err := deployer.NewChaincodeDeployTransaction(cds, cds.ChaincodeSpec.ChaincodeId.Name) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - - appLogger.Debugf("resp [%s]", resp.String()) - - chaincodeName = cds.ChaincodeSpec.ChaincodeId.Name - appLogger.Debugf("ChaincodeName [%s]", chaincodeName) - - return -} - -func assignOwnershipInternal(invoker crypto.Client, invokerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - submittingCertHandler, err := invoker.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("assign", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Administrator signs chaincodeInputRaw || binding to confirm his identity - sigma, err := invokerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) -} - -func transferOwnershipInternal(owner crypto.Client, ownerCert crypto.CertificateHandler, asset string, newOwnerCert crypto.CertificateHandler) (resp *pb.Response, err error) { - // Get a transaction handler to be used to submit the execute transaction - // and bind the chaincode access control logic using the binding - - submittingCertHandler, err := owner.GetTCertificateHandlerNext() - if err != nil { - return nil, err - } - txHandler, err := submittingCertHandler.GetTransactionHandler() - if err != nil { - return nil, err - } - binding, err := txHandler.GetBinding() - if err != nil { - return nil, err - } - - chaincodeInput := &pb.ChaincodeInput{ - Args: util.ToChaincodeArgs("transfer", asset, base64.StdEncoding.EncodeToString(newOwnerCert.GetCertificate())), - } - chaincodeInputRaw, err := proto.Marshal(chaincodeInput) - if err != nil { - return nil, err - } - - // Access control. Owner signs chaincodeInputRaw || binding to confirm his identity - sigma, err := ownerCert.Sign(append(chaincodeInputRaw, binding...)) - if err != nil { - return nil, err - } - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - Metadata: sigma, // Proof of identity - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err := txHandler.NewChaincodeExecute(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - return processTransaction(transaction) - -} - -func whoIsTheOwner(invoker crypto.Client, asset string) (transaction *pb.Transaction, resp *pb.Response, err error) { - chaincodeInput := &pb.ChaincodeInput{Args: util.ToChaincodeArgs("query", asset)} - - // Prepare spec and submit - spec := &pb.ChaincodeSpec{ - Type: 1, - ChaincodeId: &pb.ChaincodeID{Name: chaincodeName}, - Input: chaincodeInput, - } - - chaincodeInvocationSpec := &pb.ChaincodeInvocationSpec{ChaincodeSpec: spec} - - // Now create the Transactions message and send to Peer. - transaction, err = invoker.NewChaincodeQuery(chaincodeInvocationSpec, util.GenerateUUID()) - if err != nil { - return nil, nil, fmt.Errorf("Error deploying chaincode: %s ", err) - } - - resp, err = processTransaction(transaction) - return -} - -func getChaincodeBytes(spec *pb.ChaincodeSpec) (*pb.ChaincodeDeploymentSpec, error) { - mode := viper.GetString("chaincode.mode") - var codePackageBytes []byte - if mode != chaincode.DevModeUserRunsChaincode { - appLogger.Debugf("Received build request for chaincode spec: %v", spec) - var err error - if err = checkSpec(spec); err != nil { - return nil, err - } - - codePackageBytes, err = container.GetChaincodePackageBytes(spec) - if err != nil { - err = fmt.Errorf("Error getting chaincode package bytes: %s", err) - appLogger.Errorf("%s", err) - return nil, err - } - } - chaincodeDeploymentSpec := &pb.ChaincodeDeploymentSpec{ChaincodeSpec: spec, CodePackage: codePackageBytes} - return chaincodeDeploymentSpec, nil -} - -func checkSpec(spec *pb.ChaincodeSpec) error { - // Don't allow nil value - if spec == nil { - return errors.New("Expected chaincode specification, nil received") - } - - platform, err := platforms.Find(spec.Type) - if err != nil { - return fmt.Errorf("Failed to determine platform type: %s", err) - } - - return platform.ValidateSpec(spec) -} diff --git a/examples/chaincode/go/asset_management_interactive/app3/assets.txt b/examples/chaincode/go/asset_management_interactive/app3/assets.txt deleted file mode 100644 index 298c9910348..00000000000 --- a/examples/chaincode/go/asset_management_interactive/app3/assets.txt +++ /dev/null @@ -1,47 +0,0 @@ -Lot01;BERNARD LEACH VASE WITH 'LEAPING FISH' DESIGN -Lot02;WINIFRED NICHOLSON ST IVES HARBOUR -Lot03;WILHELMINA BARNS-GRAHAM GLACIER (BONE) -Lot04;PETER LANYON TREVALGAN -Lot05;DAMIEN HIRST WITH DAVID BOWIE BEAUTIFUL, HALLO, SPACE-BOY PAINTING -Lot06;PERCY WYNDHAM LEWIS FUTURIST FIGURE -Lot07;DAVID BOMBERG MOORISH RONDA, ANDALUCIA -Lot08;PERCY WYNDHAM LEWIS CIRCUS SCENE -Lot09;HENRY LAMB STUDY FOR PORTRAIT OF LYTTON STRACHEY -Lot10;HAROLD GILMAN INTERIOR (MRS MOUNTER) -Lot11;SIR JACOB EPSTEIN LES FLEURS DU MAL - HYMNE LA BEAUT -Lot12;HENRY MOORE, O.M., C.H. FAMILY GROUP -Lot13;WILLIAM SCOTT, R.A. GIRL SEATED AT A TABLE -Lot14;IVON HITCHENS THE BOATHOUSE NO. 3 -Lot15;KENNETH ARMITAGE, R.A. FIGURE LYING ON ITS SIDE (VERSION 3) -Lot16;JACK BUTLER YEATS, R.H.A. SLEEP SOUND -Lot17;DAVID BOMBERG SUNRISE IN THE MOUNTAINS, PICOS DE ASTURIAS -Lot18;FRANK AUERBACH HEAD OF GERDA BOEHM -Lot19;SIR EDUARDO PAOLOZZI, R.A. WEDDING OF THE ROCK AND DYNAMO -Lot20;PETER LANYON WITNESS -Lot21;JEAN-MICHEL BASQUIAT UNTITLED -Lot22;JEAN-MICHEL BASQUIAT AIR POWER -Lot23;ALAN DAVIE PETER'S JOY-PIT -Lot24;BRYAN WYNTER IN THE STREAM'S PATH -Lot25;KENNETH ARMITAGE, R.A. MODEL FOR DIARCHY (SMALL VERSION) -Lot26;LEON KOSSOFF DALSTON JUNCTION NO.3, JUNE 1973 -Lot27;WILLIAM SCOTT, R.A. WINTER STILL LIFE NO.2 -Lot28;FRANK AUERBACH E.O.W'S RECLINING HEAD -Lot29;PETER LANYON INSHORE FISHING -Lot30;GRAHAM SUTHERLAND, O.M. THORN BUSH -Lot31;SIR EDUARDO PAOLOZZI, R.A. FORMS ON A BOW NO. 2 -Lot32;EDWARD WADSWORTH AU REVOIR -Lot33;LOUIS LE BROCQUY, H.R.H.A. IMAGE OF JAMES JOYCE -Lot34;MARCEL DUCHAMP WITH HIDDEN NOISE (A BRUIT SECRET) -Lot35;MARCEL DUCHAMP NUDE DESCENDING A STAIRCASE, NO. 2 -Lot36;MERET OPPENHEIM LA CONDITION HUMAINE -Lot37;FRANCIS PICABIA MENDICA -Lot38;JACOPO ROBUSTI, CALLED JACOPO TINTORETTO AND STUDIO THE ANGEL FORETELLING SAINT CATHERINE OF ALEXANDRIA OF HER MARTYRDOM -Lot39;SIR STANLEY SPENCER, R.A. CARRYING MATTRESSES -Lot40;DAVID BOMBERG PLAZUELA DE LA PAZ, RONDA -Lot41;WILLIAM TURNBULL LARGE IDOL -Lot42;PATRICK HUGHES LIQUORICE ALLSORTS -Lot43;PATRICK CAULFIELD, R.A., C.B.E. FOYER -Lot44;VICTOR PASMORE ABSTRACT IN WHITE, BLACK, GREEN AND CRIMSON -Lot45;GILBERT & GEORGE LEAF -Lot46;DAMIEN HIRST UNTITLED FISH FOR DAVID -Lot47;DAMIEN HIRST BEAUTIFUL, SHATTERING, SLASHING, VIOLENT, PINKY, HACKING, SPHINCTER PAINTING \ No newline at end of file diff --git a/examples/chaincode/go/asset_management_interactive/asset_management.go b/examples/chaincode/go/asset_management_interactive/asset_management.go deleted file mode 100644 index c1c2ba5d86d..00000000000 --- a/examples/chaincode/go/asset_management_interactive/asset_management.go +++ /dev/null @@ -1,311 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "encoding/base64" - "errors" - "fmt" - - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - "github.com/hyperledger/fabric/core/crypto/primitives" - pb "github.com/hyperledger/fabric/protos/peer" - "github.com/op/go-logging" -) - -var myLogger = logging.MustGetLogger("asset_mgm") - -// AssetManagementChaincode is simple chaincode implementing a basic Asset Management system -// with access control enforcement at chaincode level. -// Look here for more information on how to implement access control at chaincode level: -// https://github.com/hyperledger/fabric/blob/master/docs/tech/application-ACL.md -// An asset is simply represented by a string. -type AssetManagementChaincode struct { -} - -// Init method will be called during deployment. -// The deploy transaction metadata is supposed to contain the administrator cert -func (t *AssetManagementChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - _, args := stub.GetFunctionAndParameters() - myLogger.Debug("Init Chaincode...") - if len(args) != 0 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - // Create ownership table - err := stub.CreateTable("AssetsOwnership", []*shim.ColumnDefinition{ - &shim.ColumnDefinition{Name: "Asset", Type: shim.ColumnDefinition_STRING, Key: true}, - &shim.ColumnDefinition{Name: "Owner", Type: shim.ColumnDefinition_BYTES, Key: false}, - }) - if err != nil { - return shim.Error("Failed creating AssetsOnwership table.") - } - - // Set the admin - // The metadata will contain the certificate of the administrator - adminCert, err := stub.GetCallerMetadata() - if err != nil { - myLogger.Debug("Failed getting metadata") - return shim.Error("Failed getting metadata.") - } - if len(adminCert) == 0 { - myLogger.Debug("Invalid admin certificate. Empty.") - return shim.Error("Invalid admin certificate. Empty.") - } - - myLogger.Debug("The administrator is [%x]", adminCert) - - stub.PutState("admin", adminCert) - - myLogger.Debug("Init Chaincode...done") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) assign(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debug("Assign...") - - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - owner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - return shim.Error("Failed decodinf owner") - } - - // Verify the identity of the caller - // Only an administrator can invoker assign - adminCertificate, err := stub.GetState("admin") - if err != nil { - return shim.Error("Failed fetching admin identity") - } - - ok, err := t.isCaller(stub, adminCertificate) - if err != nil { - return shim.Error("Failed checking admin identity") - } - if !ok { - return shim.Error("The caller is not an administrator") - } - - // Register assignment - myLogger.Debugf("New owner of [%s] is [% x]", asset, owner) - - ok, err = stub.InsertRow("AssetsOwnership", shim.Row{ - Columns: []*shim.Column{ - &shim.Column{Value: &shim.Column_String_{String_: asset}}, - &shim.Column{Value: &shim.Column_Bytes{Bytes: owner}}}, - }) - - if !ok && err == nil { - return shim.Error("Asset was already assigned.") - } - - if err != nil { - return shim.Error(err.Error()) - } - - myLogger.Debug("Assign...done!") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) transfer(stub shim.ChaincodeStubInterface, args []string) pb.Response { - myLogger.Debug("Transfer...") - - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - newOwner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - return shim.Error("Failed decoding owner") - } - - // Verify the identity of the caller - // Only the owner can transfer one of his assets - var columns []shim.Column - col1 := shim.Column{Value: &shim.Column_String_{String_: asset}} - columns = append(columns, col1) - - row, err := stub.GetRow("AssetsOwnership", columns) - if err != nil { - return shim.Error(fmt.Sprintf("Failed retrieving asset [%s]: [%s]", asset, err)) - } - - prvOwner := row.Columns[1].GetBytes() - myLogger.Debugf("Previous owener of [%s] is [% x]", asset, prvOwner) - if len(prvOwner) == 0 { - return shim.Error("Invalid previous owner. Nil") - } - - // Verify ownership - ok, err := t.isCaller(stub, prvOwner) - if err != nil { - return shim.Error("Failed checking asset owner identity") - } - if !ok { - return shim.Error("The caller is not the owner of the asset") - } - - // At this point, the proof of ownership is valid, then register transfer - err = stub.DeleteRow( - "AssetsOwnership", - []shim.Column{shim.Column{Value: &shim.Column_String_{String_: asset}}}, - ) - if err != nil { - return shim.Error("Failed deliting row.") - } - - _, err = stub.InsertRow( - "AssetsOwnership", - shim.Row{ - Columns: []*shim.Column{ - &shim.Column{Value: &shim.Column_String_{String_: asset}}, - &shim.Column{Value: &shim.Column_Bytes{Bytes: newOwner}}, - }, - }) - if err != nil { - return shim.Error("Failed inserting row.") - } - - myLogger.Debug("New owner of [%s] is [% x]", asset, newOwner) - - myLogger.Debug("Transfer...done") - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) isCaller(stub shim.ChaincodeStubInterface, certificate []byte) (bool, error) { - myLogger.Debug("Check caller...") - - // In order to enforce access control, we require that the - // metadata contains the signature under the signing key corresponding - // to the verification key inside certificate of - // the payload of the transaction (namely, function name and args) and - // the transaction binding (to avoid copying attacks) - - // Verify \sigma=Sign(certificate.sk, tx.Payload||tx.Binding) against certificate.vk - // \sigma is in the metadata - - sigma, err := stub.GetCallerMetadata() - if err != nil { - return false, errors.New("Failed getting metadata") - } - payload, err := stub.GetArgsSlice() - if err != nil { - return false, errors.New("Failed getting payload") - } - binding, err := stub.GetBinding() - if err != nil { - return false, errors.New("Failed getting binding") - } - - myLogger.Debugf("passed certificate [% x]", certificate) - myLogger.Debugf("passed sigma [% x]", sigma) - myLogger.Debugf("passed payload [% x]", payload) - myLogger.Debugf("passed binding [% x]", binding) - - ok, err := impl.NewAccessControlShim(stub).VerifySignature( - certificate, - sigma, - append(payload, binding...), - ) - if err != nil { - myLogger.Errorf("Failed checking signature [%s]", err) - return ok, err - } - if !ok { - myLogger.Error("Invalid signature") - } - - myLogger.Debug("Check caller...Verified!") - - return ok, err -} - -// Invoke will be called for every transaction. -// Supported functions are the following: -// "assign(asset, owner)": to assign ownership of assets. An asset can be owned by a single entity. -// Only an administrator can call this function. -// "transfer(asset, newOwner)": to transfer the ownership of an asset. Only the owner of the specific -// asset can call this function. -// An asset is any string to identify it. An owner is representated by one of his ECert/TCert. -func (t *AssetManagementChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - // Handle different functions - if function == "assign" { - // Assign ownership - return t.assign(stub, args) - } else if function == "transfer" { - // Transfer ownership - return t.transfer(stub, args) - } - - return shim.Error("Received unknown function invocation") -} - -// Query callback representing the query of a chaincode -// Supported functions are the following: -// "query(asset)": returns the owner of the asset. -// Anyone can invoke this function. -func (t *AssetManagementChaincode) Query(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - myLogger.Debugf("Query [%s]", function) - - if function != "query" { - return shim.Error("Invalid query function name. Expecting 'query' but found '" + function + "'") - } - - var err error - - if len(args) != 1 { - myLogger.Debug("Incorrect number of arguments. Expecting name of an asset to query") - return shim.Error("Incorrect number of arguments. Expecting name of an asset to query") - } - - // Who is the owner of the asset? - asset := args[0] - - myLogger.Debugf("Arg [%s]", string(asset)) - - var columns []shim.Column - col1 := shim.Column{Value: &shim.Column_String_{String_: asset}} - columns = append(columns, col1) - - row, err := stub.GetRow("AssetsOwnership", columns) - if err != nil { - myLogger.Debugf("Failed retriving asset [%s]: [%s]", string(asset), err) - return shim.Error(fmt.Sprintf("Failed retriving asset [%s]: [%s]", string(asset), err)) - } - - myLogger.Debugf("Query done [% x]", row.Columns[1].GetBytes()) - - return shim.Success(row.Columns[1].GetBytes()) -} - -func main() { - primitives.SetSecurityLevel("SHA3", 256) - err := shim.Start(new(AssetManagementChaincode)) - if err != nil { - fmt.Printf("Error starting AssetManagementChaincode: %s", err) - } -} diff --git a/examples/chaincode/go/asset_management_interactive/build.sh b/examples/chaincode/go/asset_management_interactive/build.sh deleted file mode 100755 index 863d8bc268a..00000000000 --- a/examples/chaincode/go/asset_management_interactive/build.sh +++ /dev/null @@ -1,13 +0,0 @@ -cd app1 -cp ../core.yaml . -go build - -cd ../app2 -cp ../core.yaml . -go build - -cd ../app3 -cp ../core.yaml . -go build - -cd .. diff --git a/examples/chaincode/go/asset_management_with_roles/asset.yaml b/examples/chaincode/go/asset_management_with_roles/asset.yaml deleted file mode 100644 index 5491af6f6c5..00000000000 --- a/examples/chaincode/go/asset_management_with_roles/asset.yaml +++ /dev/null @@ -1,465 +0,0 @@ -# CA server parameters -# -server: - # current version of the CA - version: "0.1" - - # limits the number of operating system threads used by the CA - gomaxprocs: 2 - - # path to the OBC state directory and CA state subdirectory - rootpath: "/tmp/hyperledger/production" - cadir: ".membersrvc" - - # port the CA services are listening on - port: ":7054" - - # TLS certificate and key file paths - tls: - cert: -# file: "/var/hyperledger/production/.ca/tlsca.cert" - key: -# file: "/var/hyperledger/production/.ca/tlsca.priv" - -security: - # Can be 256 or 384 - # Must be the same as in core.yaml - level: 256 - -# Enabling/disabling different logging levels of the CA. -# -logging: - trace: 0 - info: 1 - warning: 1 - error: 1 - panic: 1 - -# TCA configuration for attribute encryption -tca: - # Enabling/disabling attributes encryption, if is enabled attributes within the certificate will be encrypted using a specific key for each attribute, - # in otherwise cleartext attribute value will be added into the certificate. - attribute-encryption: - enabled: false - -# Default attributes for Attribute Certificate Authority -aca: - attributes: - attribute-entry-0: alice;bank_a;role;client;2016-01-01T00:00:00-03:00;; - attribute-entry-1: bob;bank_a;role;client;2015-02-02T00:00:00-03:00;; - attribute-entry-2: admin;bank_a;role;assigner;2015-01-01T00:00:00-03:00;; - attribute-entry-3: alice;bank_a;account;12345-56789;2016-01-01T00:00:00-03:00;; - attribute-entry-4: bob;bank_a;account;23456-67890;2015-02-02T00:00:00-03:00;; - address: localhost:7054 - server-name: acap - enabled: true - -# Default users to be registered with the CA on first launch. The role is a binary OR -# of the different roles a user can have: -# -# - simple client such as a wallet: CLIENT -# - non-validating peer: PEER -# - validating client: VALIDATOR -# - auditing client: AUDITOR -# -eca: - affiliations: - banks_and_institutions: - banks: - - bank_a - - bank_b - - bank_c - institutions: - - institution_a - users: - # : - alice: 1 NPKYL39uKbkj bank_a - bob: 1 DRJ23pEQl16a bank_a - admin: 1 6avZQLwcUe9b bank_a - - vp: 4 f3489fy98ghf - - -############################################################################### -# -# CLI section -# -############################################################################### -cli: - - # The address that the cli process will use for callbacks from chaincodes - address: 0.0.0.0:7052 - - - -############################################################################### -# -# REST section -# -############################################################################### -rest: - - # Enable/disable setting for the REST service. It is recommended to disable - # REST service on validators in production deployment and use non-validating - # nodes to host REST service - enabled: true - - # The address that the REST service will listen on for incoming requests. - address: 0.0.0.0:7050 - - -############################################################################### -# -# LOGGING section -# -############################################################################### -logging: - - # Valid logging levels are case-insensitive strings chosen from - - # CRITICAL | ERROR | WARNING | NOTICE | INFO | DEBUG - - # Logging 'module' names are also strings, however valid module names are - # defined at runtime and are not checked for validity during option - # processing. - - # Default logging levels are specified here for each of the obc-peer - # commands. For commands that have subcommands, the defaults also apply to - # all subcommands of the command. These logging levels can be overridden - # on the command line using the --logging-level command-line option, or by - # setting the CORE_LOGGING_LEVEL environment variable. - - # The logging level specification is of the form - - # [[,...]=][:[[,...]=]...] - - # A logging level by itself is taken as the overall default. Otherwise, - # overrides for individual or groups of modules can be specified using the - # [,...]= syntax. - - # Examples: - # info - Set default to INFO - # warning:main,db=debug:chaincode=info - Override default WARNING in main,db,chaincode - # chaincode=info:main=debug:db=debug:warning - Same as above - peer: debug - crypto: debug - status: warning - stop: warning - login: warning - vm: warning - chaincode: warning - - -############################################################################### -# -# Peer section -# -############################################################################### -peer: - - # Peer Version following version semantics as described here http://semver.org/ - # The Peer supplies this version in communications with other Peers - version: 0.1.0 - - # The Peer id is used for identifying this Peer instance. - id: jdoe - - # The privateKey to be used by this peer - # privateKey: 794ef087680e2494fa4918fd8fb80fb284b50b57d321a31423fe42b9ccf6216047cea0b66fe8365a8e3f2a8140c6866cc45852e63124668bee1daa9c97da0c2a - - # The networkId allows for logical seperation of networks - # networkId: dev - # networkId: test - networkId: dev - - Dockerfile: | - from golang:1.7 - # Install RocksDB - RUN cd /opt && git clone --branch v4.1 --single-branch --depth 1 https://github.com/facebook/rocksdb.git && cd rocksdb - WORKDIR /opt/rocksdb - RUN make shared_lib - ENV LD_LIBRARY_PATH=/opt/rocksdb:$LD_LIBRARY_PATH - RUN apt-get update && apt-get install -y libsnappy-dev zlib1g-dev libbz2-dev - # Copy GOPATH src and install Peer - COPY src $GOPATH/src - RUN mkdir -p /var/hyperledger/db - WORKDIR $GOPATH/src/github.com/hyperledger/fabric/ - RUN CGO_CFLAGS="-I/opt/rocksdb/include" CGO_LDFLAGS="-L/opt/rocksdb -lrocksdb -lstdc++ -lm -lz -lbz2 -lsnappy" go install && cp $GOPATH/src/github.com/hyperledger/fabric/core.yaml $GOPATH/bin - - # The Address this Peer will listen on - listenAddress: 0.0.0.0:40404 - # The Address this Peer will bind to for providing services - address: 0.0.0.0:40404 - # Whether the Peer should programmatically determine the address to bind to. - # This case is useful for docker containers. - addressAutoDetect: true - - # Peer port to accept connections on - port: 40404 - # Peer's setting for GOMAXPROCS - gomaxprocs: 2 - workers: 2 - - # Sync related configuration - sync: - blocks: - # Channel size for readonly SyncBlocks messages channel for receiving - # blocks from oppositie Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, but rather - # lost if the channel write blocks. - channelSize: 10 - state: - snapshot: - # Channel size for readonly syncStateSnapshot messages channel - # for receiving state deltas for snapshot from oppositie Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, but - # rather lost if the channel write blocks. - channelSize: 50 - deltas: - # Channel size for readonly syncStateDeltas messages channel for - # receiving state deltas for a syncBlockRange from oppositie - # Peer Endpoints. - # NOTE: currently messages are not stored and forwarded, - # but rather lost if the channel write blocks. - channelSize: 20 - - # Validator defines whether this peer is a validating peer or not, and if - # it is enabled, what consensus plugin to load - validator: - enabled: true - - # Consensus plugin to use. The value is the name of the plugin, e.g. pbft, noops - # if the given value is not recognized, we will default to noops - consensus: noops - - events: - # The address that the Event service will be enabled on the validator - address: 0.0.0.0:7053 - - # total number of events that could be buffered without blocking the - # validator sends - buffersize: 100 - - # milliseconds timeout for producer to send an event. - # if < 0, if buffer full, unblocks immediately and not send - # if 0, if buffer full, will block and guarantee the event will be sent out - # if > 0, if buffer full, blocks till timeout - timeout: 10 - - - # TLS Settings for p2p communications - tls: - enabled: false - cert: - file: testdata/server1.pem - key: - file: testdata/server1.key - # The server name use to verify the hostname returned by TLS handshake - server-host-override: - - # PKI member services properties - pki: - eca: - paddr: localhost:7054 - tca: - paddr: localhost:7054 - tlsca: - paddr: localhost:7054 - tls: - enabled: false - rootcert: - file: tlsca.cert - # The server name use to verify the hostname returned by TLS handshake - server-host-override: - - # Peer discovery settings. Controls how this peer discovers other peers - discovery: - - # The root nodes are used for bootstrapping purposes, and generally - # supplied through ENV variables - rootnode: - - # The duration of time between attempts to asks peers for their connected peers - period: 5s - - ## leaving this in for example of sub map entry - # testNodes: - # - node : 1 - # ip : 127.0.0.1 - # port : 40404 - # - node : 2 - # ip : 127.0.0.1 - # port : 40404 - - # Should the discovered nodes and their reputations - # be stored in DB and persisted between restarts - persist: true - - # if peer discovery is off - # the peer window will show - # only what retrieved by active - # peer [true/false] - enabled: true - - # number of workers that - # tastes the peers for being - # online [1..10] - workers: 8 - - # the period in seconds with which the discovery - # tries to reconnect to successful nodes - # 0 means the nodes are not reconnected - touchPeriod: 600 - - # the maximum nuber of nodes to reconnect to - # -1 for unlimited - touchMaxNodes: 100 - - # Path on the file system where peer will store data - # fileSystemPath: .hyperledger/production - - # Path on the file system where peer will store data - fileSystemPath: /tmp/hyperledger/production - -############################################################################### -# -# VM section -# -############################################################################### -vm: - - # Endpoint of the vm management system. For docker can be one of the following in general - # unix:///var/run/docker.sock - # http://localhost:2375 - # https://localhost:2376 - endpoint: unix:///var/run/docker.sock - - # settings for docker vms - docker: - tls: - enabled: false - cert: - file: /path/to/server.pem - ca: - file: /path/to/ca.pem - key: - file: /path/to/server-key.pem - -############################################################################### -# -# Chaincode section -# -############################################################################### -chaincode: - - # The id is used by the Chaincode stub to register the executing Chaincode - # ID with the Peerand is generally supplied through ENV variables - # the Path form of ID is provided when deploying the chaincode. The name is - # used for all other requests. The name is really a hashcode - # returned by the system in response to the deploy transaction. In - # development mode where user runs the chaincode, the name can be any string - id: - path: - name: mycc - - golang: - - # This is the basis for the Golang Dockerfile. Additional commands will - # be appended depedendent upon the chaincode specification. - Dockerfile: | - from golang:1.7 - COPY src $GOPATH/src - WORKDIR $GOPATH - - # timeout in millisecs for starting up a container and waiting for Register - # to come through. 1sec should be plenty for chaincode unit tests - startuptimeout: 1000 - - #timeout in millisecs for deploying chaincode from a remote repository. - deploytimeout: 30000 - - #mode - options are "dev", "net" - #dev - in dev mode, user runs the chaincode after starting validator from - # command line on local machine - #net - in net mode validator will run chaincode in a docker container - - mode: net - - installpath: /go/bin/ - -############################################################################### -# -# Ledger section - ledger configuration encompases both the blockchain -# and the state -# -############################################################################### -ledger: - - blockchain: - - # Setting the deploy-system-chaincode property to false will prevent the - # deploying of system chaincode at genesis time. - deploy-system-chaincode: false - - state: - - # Control the number state deltas that are maintained. This takes additional - # disk space, but allow the state to be rolled backwards and forwards - # without the need to replay transactions. - deltaHistorySize: 500 - - # The data structure in which the state will be stored. Different data - # structures may offer different performance characteristics. Options are - # 'buckettree' and 'trie'. If not set, the default data structure is the - # 'buckettree'. This CANNOT be changed after the DB has been created. - dataStructure: - # The name of the data structure is for storing the state - name: buckettree - # The data structure specific configurations - configs: - # configurations for 'bucketree'. These CANNOT be changed after the DB - # has been created. 'numBuckets' defines the number of bins that the - # state key-values are to be divided - numBuckets: 10009 - # 'maxGroupingAtEachLevel' defines the number of bins that are grouped - #together to construct next level of the merkle-tree (this is applied - # repeatedly for constructing the entire tree). - maxGroupingAtEachLevel: 10 - - # configurations for 'trie' - # 'tire' has no additional configurations exposed as yet - - -############################################################################### -# -# Security section - Applied to all entities (client, NVP, VP) -# -############################################################################### -security: - # Enable security will force every entity on the network to enroll with obc-ca - # and maintain a valid set of certificates in order to communicate with - # other peers - enabled: true - # To enroll NVP or VP with membersrvc. These parameters are for 1 time use. - # They will not be valid on subsequent times without un-enroll first. - # The values come from off-line registration with obc-ca. For testing, make - # sure the values are in membersrvc/membersrvc.yaml file eca.users - enrollID: vp - enrollSecret: f3489fy98ghf - # To enable privacy of transactions (requires security to be enabled). This - # encrypts the transaction content during transit and at rest. The state - # data is also encrypted - privacy: true - - # Can be 256 or 384. If you change here, you have to change also - # the same property in membersrvc.yaml to the same value - level: 256 - - # TCerts related configuration - tcert: - batch: - # The size of the batch of TCerts - size: 2 - - attributes: - enabled: true diff --git a/examples/chaincode/go/asset_management_with_roles/asset_management_with_roles.go b/examples/chaincode/go/asset_management_with_roles/asset_management_with_roles.go deleted file mode 100644 index 677b5686e9a..00000000000 --- a/examples/chaincode/go/asset_management_with_roles/asset_management_with_roles.go +++ /dev/null @@ -1,250 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "bytes" - "encoding/base64" - "fmt" - - "github.com/hyperledger/fabric/accesscontrol/crypto/attr" - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - pb "github.com/hyperledger/fabric/protos/peer" - "github.com/op/go-logging" -) - -var myLogger = logging.MustGetLogger("asset_mgmt") - -// AssetManagementChaincode example simple Asset Management Chaincode implementation -// with access control enforcement at chaincode level. -// -// This example implements asset transfer using attributes support and specifically Attribute Based Access Control (ABAC). -// There are three users in this example: -// - alice -// - bob -// - admin -// -// This users are defined in the section "eca" of asset.yaml file. -// In the section "aca" of asset.yaml file two attributes are defined to this users: -// The first attribute is called 'role' with this values: -// - alice has role = client -// - bob has role = client -// - admin has role = assigner -// -// The second attribute is called 'account' with this values: -// - alice has account = 12345-56789 -// - bob has account = 23456-67890 -// -// In the present example only users with role 'assigner' can associate an 'asset' as is implemented in function 'assign' and -// user with role 'client' can transfers theirs assets to other clients as is implemented in function 'transfer'. -// Asset ownership is stored in the ledger state and is linked to the client account. -// Attribute 'account' is used to associate transaction certificates with account owner. -type AssetManagementChaincode struct { -} - -// Init initialization -func (t *AssetManagementChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - _, args := stub.GetFunctionAndParameters() - myLogger.Info("[AssetManagementChaincode] Init") - if len(args) != 0 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - - // Set the role of the users that are allowed to assign assets - // The metadata will contain the role of the users that are allowed to assign assets - assignerRole, err := stub.GetCallerMetadata() - fmt.Printf("Assiger role is %v\n", string(assignerRole)) - - if err != nil { - return shim.Error(fmt.Sprintf("Failed getting metadata, [%v]", err)) - } - - if len(assignerRole) == 0 { - return shim.Error("Invalid assigner role. Empty.") - } - - stub.PutState("assignerRole", assignerRole) - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) assign(stub shim.ChaincodeStubInterface, args []string) pb.Response { - fmt.Println("Assigning Asset...") - - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - owner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - fmt.Printf("Error decoding [%v] \n", err) - return shim.Error("Failed decodinf owner") - } - - // Recover the role that is allowed to make assignments - assignerRole, err := stub.GetState("assignerRole") - if err != nil { - fmt.Printf("Error getting role [%v] \n", err) - return shim.Error("Failed fetching assigner role") - } - - callerRole, err := impl.NewAccessControlShim(stub).ReadCertAttribute("role") - if err != nil { - fmt.Printf("Error reading attribute 'role' [%v] \n", err) - return shim.Error(fmt.Sprintf("Failed fetching caller role. Error was [%v]", err)) - } - - caller := string(callerRole[:]) - assigner := string(assignerRole[:]) - - if caller != assigner { - fmt.Printf("Caller is not assigner - caller %v assigner %v\n", caller, assigner) - return shim.Error(fmt.Sprintf("The caller does not have the rights to invoke assign. Expected role [%v], caller role [%v]", assigner, caller)) - } - - account, err := attr.GetValueFrom("account", owner) - if err != nil { - fmt.Printf("Error reading account [%v] \n", err) - return shim.Error(fmt.Sprintf("Failed fetching recipient account. Error was [%v]", err)) - } - - // Register assignment - // 1.check if the Asset exists, if exists, return error - myLogger.Debugf("New owner of [%s] is [% x]", asset, owner) - - value, err := stub.GetState(asset) - if err != nil { - return shim.Error(err.Error()) - } - if value != nil { - return shim.Error(fmt.Sprintf("Asset %s is already assigned.", asset)) - } - - // 2.insert into state - err = stub.PutState(asset, account) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -func (t *AssetManagementChaincode) transfer(stub shim.ChaincodeStubInterface, args []string) pb.Response { - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - - asset := args[0] - - newOwner, err := base64.StdEncoding.DecodeString(args[1]) - if err != nil { - fmt.Printf("Error decoding [%v] \n", err) - return shim.Error("Failed decoding owner") - } - - // Verify the identity of the caller - // Only the owner can transfer one of his assets - prvOwner, err := stub.GetState(asset) - if err != nil { - return shim.Error(err.Error()) - } - if prvOwner == nil { - return shim.Error("Invalid previous owner. Nil") - } - myLogger.Debugf("Previous owener of [%s] is [% x]", asset, prvOwner) - - // Verify ownership - callerAccount, err := impl.NewAccessControlShim(stub).ReadCertAttribute("account") - if err != nil { - return shim.Error(fmt.Sprintf("Failed fetching caller account. Error was [%v]", err)) - } - - if bytes.Compare(prvOwner, callerAccount) != 0 { - return shim.Error("Failed verifying caller ownership.") - } - - newOwnerAccount, err := attr.GetValueFrom("account", newOwner) - if err != nil { - return shim.Error(fmt.Sprintf("Failed fetching new owner account. Error was [%v]", err)) - } - - // At this point, the proof of ownership is valid, then register transfer - err = stub.DelState(asset) - if err != nil { - return shim.Error(err.Error()) - } - - err = stub.PutState(asset, newOwnerAccount) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -// Invoke runs callback representing the invocation of a chaincode -func (t *AssetManagementChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - // Handle different functions - if function == "assign" { - // Assign ownership - return t.assign(stub, args) - } else if function == "transfer" { - // Transfer ownership - return t.transfer(stub, args) - } else if function == "query" { - // Query asset - return t.query(stub, args) - } - - return shim.Error("Received unknown function invocation") -} - -func (t *AssetManagementChaincode) query(stub shim.ChaincodeStubInterface, args []string) pb.Response { - var err error - - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting name of an asset to query") - } - - // Who is the owner of the asset? - asset := args[0] - - fmt.Printf("ASSET: %v", string(asset)) - - owner, err := stub.GetState(asset) - if err != nil { - return shim.Error("{\"Error\":\"Failed retrieving asset " + asset + ". Error " + err.Error() + ". \"}") - } - if owner == nil { - return shim.Error(fmt.Sprintf("{\"Error\":\"Failed retrieving owner for " + asset + ". \"}")) - } - - jsonResp := "{\"Owner\":\"" + string(owner) + "\"}" - fmt.Printf("Query Response:%s\n", jsonResp) - - return shim.Success(owner) -} - -func main() { - err := shim.Start(new(AssetManagementChaincode)) - if err != nil { - fmt.Printf("Error starting AssetManagementChaincode: %s", err) - } -} diff --git a/examples/chaincode/go/attributes_to_state/attributes_to_state.go b/examples/chaincode/go/attributes_to_state/attributes_to_state.go deleted file mode 100644 index f57622b32b1..00000000000 --- a/examples/chaincode/go/attributes_to_state/attributes_to_state.go +++ /dev/null @@ -1,137 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "fmt" - - "github.com/hyperledger/fabric/accesscontrol/crypto/attr" - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - pb "github.com/hyperledger/fabric/protos/peer" -) - -// Attributes2State demonstrates how to read attributes from TCerts. -type Attributes2State struct { -} - -func (t *Attributes2State) setStateToAttributes(stub shim.ChaincodeStubInterface, args []string) pb.Response { - attrHandler, err := attr.NewAttributesHandlerImpl(stub) - if err != nil { - return shim.Error(err.Error()) - } - for _, att := range args { - fmt.Println("Writing attribute " + att) - attVal, err := attrHandler.GetValue(att) - if err != nil { - return shim.Error(err.Error()) - } - err = stub.PutState(att, attVal) - if err != nil { - return shim.Error(err.Error()) - } - } - return shim.Success(nil) -} - -// Init intializes the chaincode by reading the transaction attributes and storing -// the attrbute values in the state -func (t *Attributes2State) Init(stub shim.ChaincodeStubInterface) pb.Response { - _, args := stub.GetFunctionAndParameters() - return t.setStateToAttributes(stub, args) -} - -func (t *Attributes2State) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - if function == "delete" { - return t.delete(stub, args) - } else if function == "submit" { - return t.setStateToAttributes(stub, args) - } else if function == "read" { - return t.query(stub, args) - } - - return shim.Error("Invalid invoke function name. Expecting either \"delete\" or \"submit\" or \"read\"") -} - -// delete Deletes an entity from the state, returning error if the entity was not found in the state. -func (t *Attributes2State) delete(stub shim.ChaincodeStubInterface, args []string) pb.Response { - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting only 1 (attributeName)") - } - - attributeName := args[0] - fmt.Printf("Deleting attribute %v", attributeName) - valBytes, err := stub.GetState(attributeName) - if err != nil { - return shim.Error(err.Error()) - } - - if valBytes == nil { - return shim.Error("Attribute '" + attributeName + "' not found.") - } - - isOk, err := impl.NewAccessControlShim(stub).VerifyAttribute(attributeName, valBytes) - if err != nil { - return shim.Error(err.Error()) - } - if isOk { - // Delete the key from the state in ledger - err = stub.DelState(attributeName) - if err != nil { - return shim.Error("Failed to delete state") - } - } - return shim.Success(nil) -} - -func (t *Attributes2State) query(stub shim.ChaincodeStubInterface, args []string) pb.Response { - var attributeName string // Name of the attributeName to query. - var err error - - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting only 1 (attributeName)") - } - - attributeName = args[0] - fmt.Printf("Reading attribute %v", attributeName) - - // Get the state from the ledger - Avalbytes, err := stub.GetState(attributeName) - if err != nil { - jsonResp := "{\"Error\":\"Failed to get state for " + attributeName + "\"}" - fmt.Printf("Query Response:%s\n", jsonResp) - return shim.Error(jsonResp) - } - - if Avalbytes == nil { - jsonResp := "{\"Error\":\"Nil amount for " + attributeName + "\"}" - fmt.Printf("Query Response:%s\n", jsonResp) - return shim.Error(jsonResp) - } - - jsonResp := "{\"Name\":\"" + attributeName + "\",\"Amount\":\"" + string(Avalbytes) + "\"}" - fmt.Printf("Query Response:%s\n", jsonResp) - return shim.Success([]byte(jsonResp)) -} - -func main() { - err := shim.Start(new(Attributes2State)) - if err != nil { - fmt.Printf("Error running Attributes2State chaincode: %s", err) - } -} diff --git a/examples/chaincode/go/authorizable_counter/authorizable_counter.go b/examples/chaincode/go/authorizable_counter/authorizable_counter.go deleted file mode 100644 index a257f9d2ee9..00000000000 --- a/examples/chaincode/go/authorizable_counter/authorizable_counter.go +++ /dev/null @@ -1,104 +0,0 @@ -/* -Copyright IBM Corp. 2016 All Rights Reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "fmt" - "strconv" - - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - pb "github.com/hyperledger/fabric/protos/peer" -) - -// AuthorizableCounterChaincode is an example that use Attribute Based Access Control to control the access to a counter by users with an specific role. -// In this case only users which TCerts contains the attribute position with the value "Software Engineer" will be able to increment the counter. -type AuthorizableCounterChaincode struct { -} - -//Init the chaincode asigned the value "0" to the counter in the state. -func (t *AuthorizableCounterChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - err := stub.PutState("counter", []byte("0")) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -//Invoke makes increment counter -func (t *AuthorizableCounterChaincode) increment(stub shim.ChaincodeStubInterface, args []string) pb.Response { - val, err := impl.NewAccessControlShim(stub).ReadCertAttribute("position") - fmt.Printf("Position => %v error %v \n", string(val), err) - isOk, _ := impl.NewAccessControlShim(stub).VerifyAttribute("position", []byte("Software Engineer")) // Here the ABAC API is called to verify the attribute, just if the value is verified the counter will be incremented. - if isOk { - counter, err := stub.GetState("counter") - if err != nil { - return shim.Error(err.Error()) - } - var cInt int - cInt, err = strconv.Atoi(string(counter)) - if err != nil { - return shim.Error(err.Error()) - } - cInt = cInt + 1 - counter = []byte(strconv.Itoa(cInt)) - stub.PutState("counter", counter) - } - return shim.Success(nil) -} - -func (t *AuthorizableCounterChaincode) read(stub shim.ChaincodeStubInterface, args []string) pb.Response { - var err error - - // Get the state from the ledger - Avalbytes, err := stub.GetState("counter") - if err != nil { - jsonResp := "{\"Error\":\"Failed to get state for counter\"}" - return shim.Error(jsonResp) - } - - if Avalbytes == nil { - jsonResp := "{\"Error\":\"Nil amount for counter\"}" - return shim.Error(jsonResp) - } - - jsonResp := "{\"Name\":\"counter\",\"Amount\":\"" + string(Avalbytes) + "\"}" - fmt.Printf("Query Response:%s\n", jsonResp) - return shim.Success(Avalbytes) -} - -// Invoke method is the interceptor of all invocation transactions, its job is to direct -// invocation transactions to intended APIs -func (t *AuthorizableCounterChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - - // Handle different functions - if function == "increment" { - return t.increment(stub, args) - } else if function == "read" { - return t.read(stub, args) - } - return shim.Error("Received unknown function invocation, Expecting \"increment\" \"read\"") -} - -func main() { - err := shim.Start(new(AuthorizableCounterChaincode)) - if err != nil { - fmt.Printf("Error starting Simple chaincode: %s", err) - } -} diff --git a/examples/chaincode/go/rbac_tcerts_no_attrs/rbac.go b/examples/chaincode/go/rbac_tcerts_no_attrs/rbac.go deleted file mode 100644 index 7ede6eb6903..00000000000 --- a/examples/chaincode/go/rbac_tcerts_no_attrs/rbac.go +++ /dev/null @@ -1,308 +0,0 @@ -/* - Copyright IBM Corp All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package main - -import ( - "errors" - "fmt" - - "encoding/asn1" - "encoding/base64" - "strings" - - "github.com/hyperledger/fabric/accesscontrol/impl" - "github.com/hyperledger/fabric/core/chaincode/shim" - pb "github.com/hyperledger/fabric/protos/peer" - "github.com/op/go-logging" -) - -var myLogger = logging.MustGetLogger("rbac_chaincode") - -// RBACMetadata metadata structure for RBAC information -type RBACMetadata struct { - Cert []byte - Sigma []byte -} - -// RBACChaincode RBAC chaincode structure -type RBACChaincode struct { -} - -// Init method will be called during deployment -func (t *RBACChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { - myLogger.Info("Init") - - myLogger.Debug("Creating RBAC Table...") - - // Create RBAC table - err := stub.CreateTable("RBAC", []*shim.ColumnDefinition{ - &shim.ColumnDefinition{Name: "ID", Type: shim.ColumnDefinition_BYTES, Key: true}, - &shim.ColumnDefinition{Name: "Roles", Type: shim.ColumnDefinition_STRING, Key: false}, - }) - if err != nil { - return shim.Error("Failed creating RBAC table.") - } - - myLogger.Debug("Assign 'admin' role...") - - // Give to the deployer the role 'admin' - deployer, err := stub.GetCallerMetadata() - if err != nil { - return shim.Error("Failed getting metadata.") - } - if len(deployer) == 0 { - return shim.Error("Invalid admin certificate. Empty.") - } - - myLogger.Debug("Add admin [% x][%s]", deployer, "admin") - ok, err := stub.InsertRow("RBAC", shim.Row{ - Columns: []*shim.Column{ - &shim.Column{Value: &shim.Column_Bytes{Bytes: deployer}}, - &shim.Column{Value: &shim.Column_String_{String_: "admin"}}, - }, - }) - if !ok && err == nil { - return shim.Error("Failed initiliazing RBAC entries.") - } - if err != nil { - return shim.Error(fmt.Sprintf("Failed initiliazing RBAC entries [%s]", err)) - } - - myLogger.Debug("Done.") - - return shim.Success(nil) -} - -// Invoke Run callback representing the invocation of a chaincode -func (t *RBACChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { - function, args := stub.GetFunctionAndParameters() - // Handle different functions - switch function { - case "addRole": - return t.addRole(stub, args) - case "write": - return t.write(stub, args) - case "read": - return t.read(stub, args) - } - - return shim.Error(fmt.Sprintf("Received unknown function invocation [%s]", function)) -} - -func (t *RBACChaincode) addRole(stub shim.ChaincodeStubInterface, args []string) pb.Response { - if len(args) != 2 { - return shim.Error("Incorrect number of arguments. Expecting 2") - } - id, err := base64.StdEncoding.DecodeString(args[0]) - if err != nil { - return shim.Error(fmt.Sprintf("Failed decoding tcert: %s", err)) - } - //id := []byte(args[0]) - role := args[1] - - myLogger.Debug("Add role [% x][%s]", id, role) - - // Verify that the invoker has the 'admin' role - ok, _, err := t.hasInvokerRole(stub, "admin") - if err != nil { - return shim.Error(fmt.Sprintf("Failed checking role [%s]", err)) - } - if !ok { - return shim.Error("The invoker does not have the required roles.") - } - - // Add role to id - myLogger.Debug("Permission granted to the invoker") - - // Retrieve id's row - var columns []shim.Column - idCol := shim.Column{Value: &shim.Column_Bytes{Bytes: id}} - columns = append(columns, idCol) - row, err := stub.GetRow("RBAC", columns) - if err != nil { - return shim.Error(fmt.Sprintf("Failed retriving associated row [%s]", err)) - } - if len(row.Columns) == 0 { - // Insert row - ok, err = stub.InsertRow("RBAC", shim.Row{ - Columns: []*shim.Column{ - &shim.Column{Value: &shim.Column_Bytes{Bytes: id}}, - &shim.Column{Value: &shim.Column_String_{String_: role}}, - }, - }) - if err != nil { - return shim.Error(fmt.Sprintf("Failed inserting row [%s]", err)) - } - if !ok { - return shim.Error("Failed inserting row.") - } - - } else { - // Update row - ok, err = stub.ReplaceRow("RBAC", shim.Row{ - Columns: []*shim.Column{ - &shim.Column{Value: &shim.Column_Bytes{Bytes: id}}, - &shim.Column{Value: &shim.Column_String_{String_: row.Columns[1].GetString_() + " " + role}}, - }, - }) - if err != nil { - return shim.Error(fmt.Sprintf("Failed replacing row [%s]", err)) - } - if !ok { - return shim.Error("Failed replacing row.") - } - } - - return shim.Success(nil) -} - -func (t *RBACChaincode) read(stub shim.ChaincodeStubInterface, args []string) pb.Response { - if len(args) != 0 { - return shim.Error("Incorrect number of arguments. Expecting 0") - } - myLogger.Debug("Read...") - - // Verify that the invoker has the 'reader' role - ok, _, err := t.hasInvokerRole(stub, "reader") - if err != nil { - return shim.Error(fmt.Sprintf("Failed checking role [%s]", err)) - } - if !ok { - return shim.Error("The invoker does not have the required roles") - } - - res, err := stub.GetState("state") - if err != nil { - return shim.Error(fmt.Sprintf("Failed getting state [%s]", err)) - } - - myLogger.Debug("State [%s]", string(res)) - - return shim.Success(res) -} - -func (t *RBACChaincode) write(stub shim.ChaincodeStubInterface, args []string) pb.Response { - if len(args) != 1 { - return shim.Error("Incorrect number of arguments. Expecting 1") - } - - value := args[0] - - myLogger.Debug("Write [%s]", value) - - // Verify that the invoker has the 'writer' role - ok, _, err := t.hasInvokerRole(stub, "writer") - if err != nil { - return shim.Error(fmt.Sprintf("Failed checking role [%s]", err)) - } - if !ok { - return shim.Error("The invoker does not have the required roles.") - } - - err = stub.PutState("state", []byte(value)) - if err != nil { - return shim.Error(err.Error()) - } - - return shim.Success(nil) -} - -func (t *RBACChaincode) hasInvokerRole(stub shim.ChaincodeStubInterface, role string) (bool, []byte, error) { - // In order to enforce access control, we require that the - // metadata contains the following items: - // 1. a certificate Cert - // 2. a signature Sigma under the signing key corresponding - // to the verification key inside Cert of : - // (a) Cert; - // (b) The payload of the transaction (namely, function name and args) and - // (c) the transaction binding. - - // Verify Sigma=Sign(certificate.sk, Cert||tx.Payload||tx.Binding) against Cert.vk - - // Unmarshall metadata - metadata, err := stub.GetCallerMetadata() - rbacMetadata := new(RBACMetadata) - _, err = asn1.Unmarshal(metadata, rbacMetadata) - if err != nil { - return false, nil, fmt.Errorf("Failed unmarshalling metadata [%s]", err) - } - - // Verify signature - payload, err := stub.GetArgsSlice() - if err != nil { - return false, nil, errors.New("Failed getting payload") - } - binding, err := stub.GetBinding() - if err != nil { - return false, nil, errors.New("Failed getting binding") - } - - myLogger.Debug("passed certificate [% x]", rbacMetadata.Cert) - myLogger.Debug("passed sigma [% x]", rbacMetadata.Sigma) - myLogger.Debug("passed payload [% x]", payload) - myLogger.Debug("passed binding [% x]", binding) - - ok, err := impl.NewAccessControlShim(stub).VerifySignature( - rbacMetadata.Cert, - rbacMetadata.Sigma, - append(rbacMetadata.Cert, append(payload, binding...)...), - ) - if err != nil { - return false, nil, fmt.Errorf("Failed verifying signature [%s]", err) - } - if !ok { - return false, nil, fmt.Errorf("Signature is not valid!") - } - - myLogger.Debug("Signature verified. Check for role...") - - myLogger.Debug("ID [% x]", rbacMetadata.Cert) - - // Check role - var columns []shim.Column - idCol := shim.Column{Value: &shim.Column_Bytes{Bytes: rbacMetadata.Cert}} - columns = append(columns, idCol) - row, err := stub.GetRow("RBAC", columns) - if err != nil { - return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err) - } - if len(row.GetColumns()) == 0 { - return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err) - } - - myLogger.Debug("#Columns: [%d]", len(row.Columns)) - roles := row.Columns[1].GetString_() - - result := strings.Split(roles, " ") - for i := range result { - if result[i] == role { - myLogger.Debug("Role found.") - return true, rbacMetadata.Cert, nil - } - } - - myLogger.Debug("Role not found.") - - return false, nil, nil -} - -func main() { - err := shim.Start(new(RBACChaincode)) - if err != nil { - fmt.Printf("Error starting AssetManagementChaincode: %s", err) - } -} diff --git a/protos/utils/commonutils.go b/protos/utils/commonutils.go index 0a63dc8de22..76aad6e8d28 100644 --- a/protos/utils/commonutils.go +++ b/protos/utils/commonutils.go @@ -20,7 +20,6 @@ import ( "fmt" "time" - "github.com/hyperledger/fabric/core/crypto/primitives" cb "github.com/hyperledger/fabric/protos/common" "errors" @@ -44,19 +43,19 @@ func Marshal(pb proto.Message) ([]byte, error) { return proto.Marshal(pb) } -// CreateNonceOrPanic generates a nonce using the crypto/primitives package +// CreateNonceOrPanic generates a nonce using the common/crypto package // and panics if this operation fails. func CreateNonceOrPanic() []byte { - nonce, err := primitives.GetRandomNonce() + nonce, err := crypto.GetRandomNonce() if err != nil { panic(fmt.Errorf("Cannot generate random nonce: %s", err)) } return nonce } -// CreateNonce generates a nonce using the crypto/primitives package. +// CreateNonce generates a nonce using the common/crypto package. func CreateNonce() ([]byte, error) { - nonce, err := primitives.GetRandomNonce() + nonce, err := crypto.GetRandomNonce() if err != nil { return nil, fmt.Errorf("Cannot generate random nonce: %s", err) } diff --git a/protos/utils/commonutils_test.go b/protos/utils/commonutils_test.go index 100c0d30341..78cc021cae4 100644 --- a/protos/utils/commonutils_test.go +++ b/protos/utils/commonutils_test.go @@ -20,9 +20,8 @@ import ( "bytes" "testing" - "github.com/hyperledger/fabric/core/crypto/primitives" - "github.com/golang/protobuf/proto" + "github.com/hyperledger/fabric/common/crypto" cb "github.com/hyperledger/fabric/protos/common" ) @@ -46,7 +45,7 @@ func TestNonceLength(t *testing.T) { t.Fatal(err) } actual := len(n) - expected := primitives.NonceSize + expected := crypto.NonceSize if actual != expected { t.Fatalf("Expected nonce to be of size %d, got %d instead", expected, actual) } diff --git a/protos/utils/proputils.go b/protos/utils/proputils.go index e563b405102..c822be851d3 100644 --- a/protos/utils/proputils.go +++ b/protos/utils/proputils.go @@ -27,9 +27,9 @@ import ( "github.com/golang/protobuf/proto" "github.com/hyperledger/fabric/bccsp" "github.com/hyperledger/fabric/bccsp/factory" + "github.com/hyperledger/fabric/common/crypto" "github.com/hyperledger/fabric/common/util" "github.com/hyperledger/fabric/core/chaincode/platforms" - "github.com/hyperledger/fabric/core/crypto/primitives" "github.com/hyperledger/fabric/protos/common" "github.com/hyperledger/fabric/protos/peer" ) @@ -325,7 +325,7 @@ func CreateChaincodeProposal(typ common.HeaderType, chainID string, cis *peer.Ch // It returns the proposal and the transaction id associated to the proposal func CreateChaincodeProposalWithTransient(typ common.HeaderType, chainID string, cis *peer.ChaincodeInvocationSpec, creator []byte, transientMap map[string][]byte) (*peer.Proposal, string, error) { // generate a random nonce - nonce, err := primitives.GetRandomNonce() + nonce, err := crypto.GetRandomNonce() if err != nil { return nil, "", err } diff --git a/scripts/golinter.sh b/scripts/golinter.sh index 3fe7e79c166..8a90bb026b0 100755 --- a/scripts/golinter.sh +++ b/scripts/golinter.sh @@ -3,7 +3,6 @@ set -e declare -a arr=( -"./accesscontrol" "./bccsp" "./common" "./core"