fabric-ca

Idemix "Role" is shadowed by marshalled interface

Open johannww opened this issue 8 months ago • 5 comments

Role is supposed to be an int:

https://github.com/hyperledger/fabric-ca/blob/b3ae5fc317baf5306aa690bbab4113c78e606e3d/lib/client.go#L517

However, probably due to the marshalling of the attrMap (map[string]interface{}), the role becomes a float64 (/golang reddit discussion)

https://github.com/hyperledger/fabric-ca/blob/b3ae5fc317baf5306aa690bbab4113c78e606e3d/lib/server/idemix/enroll.go#L156-L160

Possible solutions

  1. Cast to float64 before converting to int
	roleFloat, _ := result.Attrs["Role"].(float64) // marshalling interface makes number float64
	role := int(roleFloat)
  2. Plus: test for errors
	roleFloat, ok := result.Attrs["Role"].(float64) // marshalling interface makes number float64
	if !ok {
		return nil, errors.New("Failed to convert role to float64")
	}
	role := int(roleFloat)

Replicate

  1. Add log messages:
	// Create SignerConfig object with credential bytes from the response
	// and secret key
	role, _ := result.Attrs["Role"].(int)
	ou, _ := result.Attrs["OU"].(string)
	enrollmentID, _ := result.Attrs["EnrollmentID"].(string)
	revocationHandle := result.Attrs[sidemix.AttrRevocationHandle].(string)
	signerConfig := &idemixcred.SignerConfig{
		CurveID:                         cidemix.Curves.ByID(c.curveID),
		Cred:                            credBytes,
		Sk:                              sk.Bytes(),
		Role:                            role,
		OrganizationalUnitIdentifier:    ou,
		EnrollmentID:                    enrollmentID,
		CredentialRevocationInformation: criBytes,
		RevocationHandle:                revocationHandle,
	}

	kind := reflect.TypeOf(result.Attrs["Role"]).Kind()
	log.Infof("kind: %s", kind)
	log.Infof("Attrs: %v", result.Attrs)
	log.Infof("Attrs in signer config: %d", signerConfig.Role)
  2. Register and enroll with role 1:
	fabric-ca-client register -u http://localhost:27054 --id.name alice --id.secret password --id.type client  --enrollment.type idemix --id.attrs 'role=1' --id.affiliation "org1.department1"
	fabric-ca-client enroll -u http://alice:password@localhost:27054  -M "$(pwd)/keys/owner1/wallet/alice/msp" --enrollment.type idemix

  3. Verify that the saved SignerConfig has no "role" attribute:
{
    "Cred": "CkQKIC6o6Uz33XosEntANagpoJQdyfpbnacbk/dsW4z3JKqxEiCvo//GIXRKgIi4yt6x3RxwpEXzECXo4mVdqb2DGnYgfxJECiCX+RCJq4l7A75be2pgs0La/ZV6cXpeEHaJlDMkscSVnRIg42VQR/OGpuMOCD2la7VhcBW6BQnPZO0UWtlvER3rCW4aIBWUPW8xgTNI/RTZey6UrfJDd2dExig1hxaO9uS0cRrcIiDEW8biruxGd6vGW97CeznZd1wU0fmxyTv14cXnXBiX2CogO9JiNVuB+erB4v8Cf7ch+8j/aCf59RgcDd5f662qAcUqIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABKiAr2AbJfw4ArxofwzKPp2OpJpcjyNuPrE+Tr3HbGG1ukCoga4ayc/80/OGda4BO/1o/V0etpOqiLx1JwB5S3beHW0s=",
    "Sk": "mcT93zqYeXq+pUgQUZd9E7ryQbUPI/u4DIUkPvgSSb4=",
    "organizational_unit_identifier": "org1.department1",
    "enrollment_id": "alice",
    "credential_revocation_information": "CAESiAEKIP4MM1C0yWwgKFYPV3wokTrOHFOaEr+EPNImFraJwJ77EiBOpmBXc4rAVNta4cY32BO5JN144ofQNYnSae00o35qKxogcCBG58VCo7N2dw11Ek4+Ue/LJHWNYVhI6Qm0gb7cJ/8iIAVU47zTiMKQQu6mSSl+sp+LTL6AghqYs+ASgRFKrQSbGmcwZQIxAJm8eXfyNWdShXp0p1VDLiI+B2Z9sey/udSO51VsCBeYJ8yU0yT48urhM4QuRX01dQIwCm7cbPuN4v60kRpCIYZ0+0ZTLbUo1PJGZAEGbRKx5jSiMalDjlrWDQ641KBpAYT4",
    "curveID": "amcl.Fp256bn",
    "revocation_handle": "1"
}

Context

I was trying to generate testing credentials for the implementation of idemix on fabric-gateway: https://github.com/hyperledger/fabric-gateway/issues/242

johannww May 17 '25 06:05
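The type mismatch reported above, reproduced as a stand-alone added example (not fabric-ca code): a JSON number decoded into `map[string]interface{}` has dynamic type `float64`, so a discarded `.(int)` assertion silently yields role 0, while a checked `float64` assertion recovers the value or fails loudly. The function names and the sample attribute JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample: an attribute map as it would look inside a JSON response body.
const sampleAttrs = `{"Role": 1, "OU": "org1.department1", "EnrollmentID": "alice"}`

// decodeAttrs unmarshals into map[string]interface{}; encoding/json stores
// every JSON number in such a map as float64.
func decodeAttrs(raw string) (map[string]interface{}, error) {
	var attrs map[string]interface{}
	err := json.Unmarshal([]byte(raw), &attrs)
	return attrs, err
}

// roleUnchecked mirrors the pattern from the issue: the assertion to int
// fails, the ok flag is discarded, and the caller gets the zero value.
func roleUnchecked(attrs map[string]interface{}) int {
	role, _ := attrs["Role"].(int)
	return role
}

// roleChecked asserts float64 and rejects a missing, non-numeric or
// non-integral value instead of falling back to role 0.
func roleChecked(attrs map[string]interface{}) (int, error) {
	f, ok := attrs["Role"].(float64)
	if !ok {
		return 0, errors.New("role attribute is missing or not a JSON number")
	}
	if f != float64(int(f)) {
		return 0, fmt.Errorf("role %v is not an integer", f)
	}
	return int(f), nil
}

func main() {
	attrs, err := decodeAttrs(sampleAttrs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("dynamic type of Role: %T\n", attrs["Role"])
	fmt.Println("unchecked .(int):", roleUnchecked(attrs))
	role, err := roleChecked(attrs)
	fmt.Println("checked .(float64):", role, err)
}
```
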

Furthermore, the json tag for CurveId differs from the one defined in https://github.com/IBM/idemix:

https://github.com/hyperledger/fabric-ca/blob/b3ae5fc317baf5306aa690bbab4113c78e606e3d/lib/client/credential/idemix/signerconfig.go#L24

https://github.com/IBM/idemix/blob/832db18b94785ad2657d91da96dd6c3401af1616/idemixmsp/msp_config.pb.go#L134

	// curve_id indicates which Elliptic Curve should be used
	CurveId string `protobuf:"bytes,8,opt,name=curve_id,json=curveId,proto3" json:"curve_id,omitempty"`

johannww May 19 '25 23:05

There is an incompatibility between the CA and IDEMIX lib regarding the issuer revocation public key file location:

https://github.com/hyperledger/fabric/blob/435a7f1a780a128756fb2f72bf4cad164bf13fbb/vendor/github.com/IBM/idemix/idemixmsp.go#L722:

	IdemixConfigFileRevocationPublicKey = "RevocationPublicKey"

https://github.com/hyperledger/fabric-ca/blob/b3ae5fc317baf5306aa690bbab4113c78e606e3d/lib/server/idemix/config.go#L23

johannww May 21 '25 19:05

The Fabric CA stores SignerConfig at (msp/user/SignerConfig), a different folder than the one expected by the idemix msp (msp/../user/SignerConfig):

Also, the Fabric CA exports SignerConfig as json, while the idemix msp expects a proto.

https://github.com/hyperledger/fabric-ca/blob/b3ae5fc317baf5306aa690bbab4113c78e606e3d/lib/client.go#L127-L134

https://github.com/IBM/idemix/blob/832db18b94785ad2657d91da96dd6c3401af1616/idemixmsp.go#L733-L749

	ipkBytes, err := readFile(filepath.Join(dir, IdemixConfigDirMsp, IdemixConfigFileIssuerPublicKey))
...
	revocationPkBytes, err := readFile(filepath.Join(dir, IdemixConfigDirMsp, IdemixConfigFileRevocationPublicKey))       
...
	signerBytes, err := readFile(filepath.Join(dir, IdemixConfigDirUser, IdemixConfigFileSigner))

johannww May 21 '25 21:05

At least some of the issues highlighted here look common to the ones described in #303. That issue has accompanying commits that were subsequently reverted due to breaking incompatibility with legacy client SDKs. The legacy SDKs are no longer supported so we might be in a position to re-apply those commits.

bestbeforetoday Nov 25 '25 12:11