func (t *AssetManagementChaincode) isCaller(stub shim.ChaincodeStubInterface, certificate []byte) (bool, error) { myLogger.Debug("Check caller...") // In order to enforce access control, we require that the // metadata contains the signature under the signing key corresponding // to the verification key inside certificate of // the payload of the transaction (namely, function name and args) and // the transaction binding (to avoid copying attacks) // Verify \sigma=Sign(certificate.sk, tx.Payload||tx.Binding) against certificate.vk // \sigma is in the metadata sigma, err := stub.GetCallerMetadata() if err != nil { return false, errors.New("Failed getting metadata") } payload, err := stub.GetPayload() if err != nil { return false, errors.New("Failed getting payload") } binding, err := stub.GetBinding() if err != nil { return false, errors.New("Failed getting binding") } myLogger.Debugf("passed certificate [% x]", certificate) myLogger.Debugf("passed sigma [% x]", sigma) myLogger.Debugf("passed payload [% x]", payload) myLogger.Debugf("passed binding [% x]", binding) ok, err := stub.VerifySignature( certificate, sigma, append(payload, binding...), ) if err != nil { myLogger.Errorf("Failed checking signature [%s]", err) return ok, err } if !ok { myLogger.Error("Invalid signature") } myLogger.Debug("Check caller...Verified!") return ok, err }
func (t *RBACChaincode) hasInvokerRole(stub shim.ChaincodeStubInterface, role string) (bool, []byte, error) { // In order to enforce access control, we require that the // metadata contains the following items: // 1. a certificate Cert // 2. a signature Sigma under the signing key corresponding // to the verification key inside Cert of : // (a) Cert; // (b) The payload of the transaction (namely, function name and args) and // (c) the transaction binding. // Verify Sigma=Sign(certificate.sk, Cert||tx.Payload||tx.Binding) against Cert.vk // Unmarshall metadata metadata, err := stub.GetCallerMetadata() rbacMetadata := new(RBACMetadata) _, err = asn1.Unmarshal(metadata, rbacMetadata) if err != nil { return false, nil, fmt.Errorf("Failed unmarshalling metadata [%s]", err) } // Verify signature payload, err := stub.GetPayload() if err != nil { return false, nil, errors.New("Failed getting payload") } binding, err := stub.GetBinding() if err != nil { return false, nil, errors.New("Failed getting binding") } myLogger.Debug("passed certificate [% x]", rbacMetadata.Cert) myLogger.Debug("passed sigma [% x]", rbacMetadata.Sigma) myLogger.Debug("passed payload [% x]", payload) myLogger.Debug("passed binding [% x]", binding) ok, err := stub.VerifySignature( rbacMetadata.Cert, rbacMetadata.Sigma, append(rbacMetadata.Cert, append(payload, binding...)...), ) if err != nil { return false, nil, fmt.Errorf("Failed verifying signature [%s]", err) } if !ok { return false, nil, fmt.Errorf("Signature is not valid!") } myLogger.Debug("Signature verified. Check for role...") myLogger.Debug("ID [% x]", rbacMetadata.Cert) // Check role var columns []shim.Column idCol := shim.Column{Value: &shim.Column_Bytes{Bytes: rbacMetadata.Cert}} columns = append(columns, idCol) row, err := stub.GetRow("RBAC", columns) if err != nil { return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err) } if len(row.GetColumns()) == 0 { return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err) } myLogger.Debug("#Columns: [%d]", len(row.Columns)) roles := row.Columns[1].GetString_() result := strings.Split(roles, " ") for i := range result { if result[i] == role { myLogger.Debug("Role found.") return true, rbacMetadata.Cert, nil } } myLogger.Debug("Role not found.") return false, nil, nil }