Idemix Schema Manager

Signed-off-by: Angelo De Caro <[email protected]>

Author: adecaro

go.mod

@@ -3,8 +3,8 @@ module github.com/hyperledger-labs/fabric-token-sdk
 go 1.21
 
 require (
-	github.com/IBM/idemix v0.0.2-0.20240613141508-82a5e092849a
-	github.com/IBM/idemix/bccsp/types v0.0.0-20240613141508-82a5e092849a
+	github.com/IBM/idemix v0.0.2-0.20240614151806-1a543779efde
+	github.com/IBM/idemix/bccsp/types v0.0.0-20240614151806-1a543779efde
 	github.com/IBM/mathlib v0.0.3-0.20231011094432-44ee0eb539da
 	github.com/dgraph-io/badger/v3 v3.2103.2
 	github.com/hashicorp/go-uuid v1.0.2
@@ -59,8 +59,8 @@ require (
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
-	github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240613141508-82a5e092849a // indirect
-	github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240613141508-82a5e092849a // indirect
+	github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240614151806-1a543779efde // indirect
+	github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240614151806-1a543779efde // indirect
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect

go.sum

@@ -30,14 +30,14 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/IBM/idemix v0.0.2-0.20240613141508-82a5e092849a h1:N2YIhHUNHABHfoOA5cVV00xaL09Pc8Ikji/6GEJsr6I=
-github.com/IBM/idemix v0.0.2-0.20240613141508-82a5e092849a/go.mod h1:46iNIkGm/8hQBo8ziI4oxiVW3WQkkxIqEbq+VbJviR8=
-github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240613141508-82a5e092849a h1:c3E1cDamIZdj9zLNGyDbCOue1W6HNFEgKna5Y4l7bY4=
-github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240613141508-82a5e092849a/go.mod h1:ldQeOz5oa0iJicd2FFEd2jToS9XNncKSvFnUVNjTjRk=
-github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240613141508-82a5e092849a h1:JLtm1020NbMrtRPZRDS5vPn4eBIJvWLAPEnYgcjC0vk=
-github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240613141508-82a5e092849a/go.mod h1:FC0vVgNI6bv8GH0VTwjup+arwJ8Tau1iEhroWZ1oPwU=
-github.com/IBM/idemix/bccsp/types v0.0.0-20240613141508-82a5e092849a h1:96D1gepUlk1oTWWMOeGw5EfJnBqT9ZhpdGNos1I9QMs=
-github.com/IBM/idemix/bccsp/types v0.0.0-20240613141508-82a5e092849a/go.mod h1:IMIJ8WcUpBmV4gcOO/BYKuFYpdXCPYZjpNhFSUlO9b8=
+github.com/IBM/idemix v0.0.2-0.20240614151806-1a543779efde h1:3pdSyTNhDTQcx9spTgXGeWwTPx2SPLYZqI9m8TRfxIo=
+github.com/IBM/idemix v0.0.2-0.20240614151806-1a543779efde/go.mod h1:46iNIkGm/8hQBo8ziI4oxiVW3WQkkxIqEbq+VbJviR8=
+github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240614151806-1a543779efde h1:3W6Vi6/p6biN5bbBnTum747oPW5cw4D/0GKK4cyRO5Y=
+github.com/IBM/idemix/bccsp/schemes/aries v0.0.0-20240614151806-1a543779efde/go.mod h1:ldQeOz5oa0iJicd2FFEd2jToS9XNncKSvFnUVNjTjRk=
+github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240614151806-1a543779efde h1:WQRp4JspTrBiP5+qihCI7ZcgCznPsjBdfxoBWYw5y74=
+github.com/IBM/idemix/bccsp/schemes/weak-bb v0.0.0-20240614151806-1a543779efde/go.mod h1:FC0vVgNI6bv8GH0VTwjup+arwJ8Tau1iEhroWZ1oPwU=
+github.com/IBM/idemix/bccsp/types v0.0.0-20240614151806-1a543779efde h1:XSatatyDWYDYxwqxtiCA9hdwaadIqrGf23g/gq9T900=
+github.com/IBM/idemix/bccsp/types v0.0.0-20240614151806-1a543779efde/go.mod h1:IMIJ8WcUpBmV4gcOO/BYKuFYpdXCPYZjpNhFSUlO9b8=
 github.com/IBM/mathlib v0.0.3-0.20231011094432-44ee0eb539da h1:qqGozq4tF6EOVnWoTgBoJGudRKKZXSAYnEtDggzTnsw=
 github.com/IBM/mathlib v0.0.3-0.20231011094432-44ee0eb539da/go.mod h1:Tco9QzE3fQzjMS7nPbHDeFfydAzctStf1Pa8hsh6Hjs=
 github.com/Knetic/govaluate v3.0.0+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=

token/core/zkatdlog/crypto/audit/auditor_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix"
 	msp3 "github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/msp"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/schema"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/sig"
 	msp2 "github.com/hyperledger/fabric/msp"
 	. "github.com/onsi/ginkgo/v2"
@@ -49,7 +50,7 @@ var _ = Describe("Auditor", func() {
 		Expect(err).NotTo(HaveOccurred())
 		pp, err = crypto.Setup(32, ipk, math.FP256BN_AMCL)
 		Expect(err).NotTo(HaveOccurred())
-		des, err := idemix.NewDeserializer(pp.IdemixIssuerPK, math.FP256BN_AMCL)
+		des, err := idemix.NewDeserializer(&schema.DefaultManager{}, "", pp.IdemixIssuerPK, math.FP256BN_AMCL)
 		Expect(err).NotTo(HaveOccurred())
 		auditor = audit.NewAuditor(flogging.MustGetLogger("auditor"), des, pp.PedersenGenerators, nil, fakeSigningIdentity, math.Curves[pp.Curve])
 		fakeSigningIdentity.SignReturns([]byte("auditor-signature"), nil)
@@ -252,7 +253,7 @@ func getIdemixInfo(dir string) (driver.Identity, *msp3.AuditInfo) {
 	Expect(err).NotTo(HaveOccurred())
 	cryptoProvider, err := msp3.NewBCCSP(keyStore, math.FP256BN_AMCL, false)
 	Expect(err).NotTo(HaveOccurred())
-	p, err := idemix.NewProvider(config, sigService, types.EidNymRhNym, cryptoProvider)
+	p, err := idemix.NewProvider(config, sigService, types.EidNymRhNym, cryptoProvider, &schema.DefaultManager{}, "")
 	Expect(err).NotTo(HaveOccurred())
 	Expect(p).NotTo(BeNil())
 

token/core/zkatdlog/crypto/validator/validator_test.go

@@ -35,6 +35,7 @@ import (
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix"
 	msp3 "github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/msp"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/schema"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/sig"
 	msp2 "github.com/hyperledger/fabric/msp"
 	. "github.com/onsi/ginkgo/v2"
@@ -72,7 +73,7 @@ var _ = Describe("validator", func() {
 		c := math.Curves[pp.Curve]
 
 		asigner, _ := prepareECDSASigner()
-		des, err := idemix.NewDeserializer(pp.IdemixIssuerPK, math.FP256BN_AMCL)
+		des, err := idemix.NewDeserializer(&schema.DefaultManager{}, "", pp.IdemixIssuerPK, math.FP256BN_AMCL)
 		Expect(err).NotTo(HaveOccurred())
 		auditor = audit.NewAuditor(flogging.MustGetLogger("auditor"), des, pp.PedersenGenerators, pp.IdemixIssuerPK, asigner, c)
 		araw, err := asigner.Serialize()
@@ -384,7 +385,7 @@ func getIdemixInfo(dir string) (driver.Identity, *msp3.AuditInfo, driver.Signing
 	Expect(err).NotTo(HaveOccurred())
 	cryptoProvider, err := msp3.NewBCCSP(keyStore, math.FP256BN_AMCL, false)
 	Expect(err).NotTo(HaveOccurred())
-	p, err := idemix.NewProvider(config, sigService, types.EidNymRhNym, cryptoProvider)
+	p, err := idemix.NewProvider(config, sigService, types.EidNymRhNym, cryptoProvider, &schema.DefaultManager{}, "")
 	Expect(err).NotTo(HaveOccurred())
 	Expect(p).NotTo(BeNil())
 

token/core/zkatdlog/nogh/driver/deserializer.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/interop/htlc"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/schema"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/x509"
 	htlc2 "github.com/hyperledger-labs/fabric-token-sdk/token/services/interop/htlc"
 	"github.com/pkg/errors"
@@ -29,7 +30,7 @@ func NewDeserializer(pp *crypto.PublicParams) (*Deserializer, error) {
 	if pp == nil {
 		return nil, errors.New("failed to get deserializer: nil public parameters")
 	}
-	idemixDes, err := idemix.NewDeserializer(pp.IdemixIssuerPK, pp.IdemixCurveID)
+	idemixDes, err := idemix.NewDeserializer(&schema.DefaultManager{}, "", pp.IdemixIssuerPK, pp.IdemixCurveID)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed getting idemix deserializer for passed public params [%d]", pp.IdemixCurveID)
 	}

token/services/identity/msp/idemix/deserializer.go

@@ -9,7 +9,6 @@ package idemix
 import (
 	"fmt"
 
-	msp "github.com/IBM/idemix"
 	csp "github.com/IBM/idemix/bccsp/types"
 	math "github.com/IBM/mathlib"
 	"github.com/hyperledger-labs/fabric-smart-client/platform/view/services/hash"
@@ -24,43 +23,61 @@ type Deserializer struct {
 }
 
 // NewDeserializer returns a new deserializer for the idemix ExpectEidNymRhNym verification strategy
-func NewDeserializer(ipk []byte, curveID math.CurveID) (*Deserializer, error) {
+func NewDeserializer(
+	sm SchemaManager,
+	schema string,
+	ipk []byte,
+	curveID math.CurveID,
+) (*Deserializer, error) {
 	logger.Debugf("new deserialized for dlog idemix")
 	cryptoProvider, err := msp2.NewBCCSPWithDummyKeyStore(curveID, curveID == math.BLS12_381_BBS)
 	if err != nil {
 		return nil, errors.WithMessagef(err, "failed to instantiate crypto provider for curve [%d]", curveID)
 	}
-	return NewDeserializerWithProvider(ipk, csp.ExpectEidNymRhNym, nil, cryptoProvider)
+	return NewDeserializerWithProvider(sm, schema, ipk, csp.ExpectEidNymRhNym, nil, cryptoProvider)
 }
 
 // NewDeserializerWithProvider returns a new serialized for the passed arguments
 func NewDeserializerWithProvider(
+	sm SchemaManager,
+	schema string,
 	ipk []byte,
 	verType csp.VerificationType,
 	nymEID []byte,
 	cryptoProvider csp.BCCSP,
 ) (*Deserializer, error) {
-	return NewDeserializerWithBCCSP(ipk, verType, nymEID, cryptoProvider)
+	return NewDeserializerWithBCCSP(
+		sm,
+		schema,
+		ipk,
+		verType,
+		nymEID,
+		cryptoProvider,
+	)
 }
 
-func NewDeserializerWithBCCSP(ipk []byte, verType csp.VerificationType, nymEID []byte, cryptoProvider csp.BCCSP) (*Deserializer, error) {
+func NewDeserializerWithBCCSP(
+	sm SchemaManager,
+	schema string,
+	ipk []byte,
+	verType csp.VerificationType,
+	nymEID []byte,
+	cryptoProvider csp.BCCSP,
+) (*Deserializer, error) {
 	logger.Debugf("Setting up Idemix-based MSP instance")
 
 	// Import Issuer Public Key
 	var issuerPublicKey csp.Key
-	var err error
 	if len(ipk) != 0 {
+		// get the opts from the schema manager
+		opts, err := sm.PublicKeyImportOpts(schema)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not obtain PublicKeyImportOpts for schema '%s'", schema)
+		}
 		issuerPublicKey, err = cryptoProvider.KeyImport(
 			ipk,
-			&csp.IdemixIssuerPublicKeyImportOpts{
-				Temporary: true,
-				AttributeNames: []string{
-					msp.AttributeNameOU,
-					msp.AttributeNameRole,
-					msp.AttributeNameEnrollmentId,
-					msp.AttributeNameRevocationHandle,
-				},
-			})
+			opts,
+		)
 		if err != nil {
 			return nil, err
 		}
@@ -73,58 +90,64 @@ func NewDeserializerWithBCCSP(ipk []byte, verType csp.VerificationType, nymEID [
 			IssuerPublicKey: issuerPublicKey,
 			VerType:         verType,
 			NymEID:          nymEID,
+			SchemaManager:   sm,
+			Schema:          schema,
 		},
 	}, nil
 }
 
-func (i *Deserializer) DeserializeVerifier(raw driver.Identity) (driver.Verifier, error) {
-	identity, err := i.Deserialize(raw, true)
+func (d *Deserializer) DeserializeVerifier(raw driver.Identity) (driver.Verifier, error) {
+	identity, err := d.Deserialize(raw, true)
 	if err != nil {
 		return nil, err
 	}
 
 	return &msp2.NymSignatureVerifier{
-		CSP:   i.Deserializer.Csp,
-		IPK:   i.Deserializer.IssuerPublicKey,
-		NymPK: identity.NymPublicKey,
+		CSP:           d.Deserializer.Csp,
+		IPK:           d.Deserializer.IssuerPublicKey,
+		NymPK:         identity.NymPublicKey,
+		SchemaManager: d.SchemaManager,
+		Schema:        d.Schema,
 	}, nil
 }
 
-func (i *Deserializer) DeserializeVerifierAgainstNymEID(raw []byte, nymEID []byte) (driver.Verifier, error) {
-	identity, err := i.Deserializer.DeserializeAgainstNymEID(raw, true, nymEID)
+func (d *Deserializer) DeserializeVerifierAgainstNymEID(raw []byte, nymEID []byte) (driver.Verifier, error) {
+	identity, err := d.Deserializer.DeserializeAgainstNymEID(raw, true, nymEID)
 	if err != nil {
 		return nil, err
 	}
 
 	return &msp2.NymSignatureVerifier{
-		CSP:   i.Deserializer.Csp,
-		IPK:   i.Deserializer.IssuerPublicKey,
-		NymPK: identity.NymPublicKey,
+		CSP:           d.Deserializer.Csp,
+		IPK:           d.Deserializer.IssuerPublicKey,
+		NymPK:         identity.NymPublicKey,
+		SchemaManager: d.SchemaManager,
+		Schema:        d.Schema,
 	}, nil
 }
 
-func (i *Deserializer) DeserializeSigner(raw []byte) (driver.Signer, error) {
+func (d *Deserializer) DeserializeSigner(raw []byte) (driver.Signer, error) {
 	return nil, errors.New("not supported")
 }
 
-func (i *Deserializer) DeserializeAuditInfo(raw []byte) (driver2.AuditInfo, error) {
-	return i.Deserializer.DeserializeAuditInfo(raw)
+func (d *Deserializer) DeserializeAuditInfo(raw []byte) (driver2.AuditInfo, error) {
+	return d.Deserializer.DeserializeAuditInfo(raw)
 }
 
-func (i *Deserializer) GetOwnerMatcher(raw []byte) (driver.Matcher, error) {
-	return i.Deserializer.DeserializeAuditInfo(raw)
+func (d *Deserializer) GetOwnerMatcher(raw []byte) (driver.Matcher, error) {
+	return d.Deserializer.DeserializeAuditInfo(raw)
 }
 
-func (i *Deserializer) GetOwnerAuditInfo(raw []byte, p driver.AuditInfoProvider) ([][]byte, error) {
+func (d *Deserializer) GetOwnerAuditInfo(raw []byte, p driver.AuditInfoProvider) ([][]byte, error) {
 	auditInfo, err := p.GetAuditInfo(raw)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed getting audit info for recipient identity [%s]", driver.Identity(raw).String())
 	}
 	return [][]byte{auditInfo}, nil
 }
 
-func (i *Deserializer) Info(raw []byte, auditInfo []byte) (string, error) {
-	r, err := i.Deserialize(raw, false)
+func (d *Deserializer) Info(raw []byte, auditInfo []byte) (string, error) {
+	r, err := d.Deserialize(raw, false)
 	if err != nil {
 		return "", err
 	}
@@ -135,6 +158,8 @@ func (i *Deserializer) Info(raw []byte, auditInfo []byte) (string, error) {
 		if err != nil {
 			return "", err
 		}
+		ai.SchemaManager = d.Deserializer.SchemaManager
+		ai.Schema = d.Deserializer.Schema
 		if err := ai.Match(raw); err != nil {
 			return "", err
 		}
@@ -144,8 +169,8 @@ func (i *Deserializer) Info(raw []byte, auditInfo []byte) (string, error) {
 	return fmt.Sprintf("MSP.Idemix: [%s][%s][%s][%s][%s]", eid, driver.Identity(raw).UniqueID(), r.SerializedIdentity.Mspid, r.OU.OrganizationalUnitIdentifier, r.Role.Role.String()), nil
 }
 
-func (i *Deserializer) String() string {
-	return fmt.Sprintf("Idemix with IPK [%s]", hash.Hashable(i.Ipk).String())
+func (d *Deserializer) String() string {
+	return fmt.Sprintf("Idemix with IPK [%s]", hash.Hashable(d.Ipk).String())
 }
 
 type AuditInfoDeserializer struct{}

token/services/identity/msp/idemix/lm.go

@@ -11,6 +11,8 @@ import (
 	"path/filepath"
 	"sync"
 
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/idemix/schema"
+
 	bccsp "github.com/IBM/idemix/bccsp/types"
 	math "github.com/IBM/mathlib"
 	"github.com/hyperledger-labs/fabric-smart-client/platform/view/services/hash"
@@ -246,7 +248,7 @@ func (l *LocalMembership) registerProvider(identityConfig driver.IdentityConfigu
 	if err != nil {
 		return errors.WithMessage(err, "failed to instantiate crypto provider")
 	}
-	provider, err := NewProvider(conf, l.signerService, bccsp.EidNymRhNym, cryptoProvider)
+	provider, err := NewProvider(conf, l.signerService, bccsp.EidNymRhNym, cryptoProvider, &schema.DefaultManager{}, "")
 	if err != nil {
 		return errors.Wrapf(err, "failed instantiating idemix msp provider from [%s]", identityConfig.URL)
 	}

token/services/identity/msp/idemix/msp/audit.go

@@ -20,8 +20,11 @@ type AuditInfo struct {
 	EidNymAuditData *csp.AttrNymAuditData
 	RhNymAuditData  *csp.AttrNymAuditData
 	Attributes      [][]byte
-	Csp             csp.BCCSP `json:"-"`
-	IssuerPublicKey csp.Key   `json:"-"`
+
+	Csp             csp.BCCSP     `json:"-"`
+	IssuerPublicKey csp.Key       `json:"-"`
+	SchemaManager   SchemaManager `json:"-"`
+	Schema          string
 }
 
 func (a *AuditInfo) Bytes() ([]byte, error) {
@@ -53,16 +56,18 @@ func (a *AuditInfo) Match(id []byte) error {
 		return errors.Wrap(err, "could not deserialize a SerializedIdemixIdentity")
 	}
 
+	eidAuditOpts, err := a.SchemaManager.EidNymAuditOpts(a.Schema, a.Attributes)
+	if err != nil {
+		return errors.Wrap(err, "error while getting a RhNymAuditOpts")
+	}
+	eidAuditOpts.RNymEid = a.EidNymAuditData.Rand
+
 	// Audit EID
 	valid, err := a.Csp.Verify(
 		a.IssuerPublicKey,
 		serialized.Proof,
 		nil,
-		&csp.EidNymAuditOpts{
-			EidIndex:     EIDIndex,
-			EnrollmentID: string(a.Attributes[EIDIndex]),
-			RNymEid:      a.EidNymAuditData.Rand,
-		},
+		eidAuditOpts,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error while verifying the nym eid")
@@ -71,16 +76,18 @@ func (a *AuditInfo) Match(id []byte) error {
 		return errors.New("invalid nym rh")
 	}
 
+	rhAuditOpts, err := a.SchemaManager.RhNymAuditOpts(a.Schema, a.Attributes)
+	if err != nil {
+		return errors.Wrap(err, "error while getting a RhNymAuditOpts")
+	}
+	rhAuditOpts.RNymRh = a.RhNymAuditData.Rand
+
 	// Audit RH
 	valid, err = a.Csp.Verify(
 		a.IssuerPublicKey,
 		serialized.Proof,
 		nil,
-		&csp.RhNymAuditOpts{
-			RhIndex:          RHIndex,
-			RevocationHandle: string(a.Attributes[RHIndex]),
-			RNymRh:           a.RhNymAuditData.Rand,
-		},
+		rhAuditOpts,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error while verifying the nym rh")