Reputation: 79
I want to implement a chaincode level access control to some method. So, for example, I want that the chaincode method called can be executed only if the user that has performed the request has a certein identity that match a field of the asset requested in the world state.
In https://hyperledger-fabric.readthedocs.io/en/release-1.4/chaincode4ade.html, the official documentation say:
"Chaincode can utilize the client (submitter) certificate for access control decisions by calling the GetCreator() function. Additionally the Go shim provides extension APIs that extract client identity from the submitter’s certificate that can be used for access control decisions, whether that is based on client identity itself, or the org identity, or on a client identity attribute.
For example an asset that is represented as a key/value may include the client’s identity as part of the value (for example as a JSON attribute indicating that asset owner), and only this client may be authorized to make updates to the key/value in the future. The client identity library extension APIs can be used within chaincode to retrieve this submitter information to make such access control decisions."
This reflect perfectly my case: my assets contain a field owner and I want that the remove method can be performed on an asset only by an user that is the owner of this asset, i.e. if his identity - user name - match the owner field.
My problem is that the solution provided in the official documentation describe the possibility to use the "client identity (cid) library"(https://github.com/hyperledger/fabric/tree/master/core/chaincode/shim/ext/cid) to extract users information from the certificate. But in my case, I have chaincodes in Java and Javascript and (I think) I only can use the GetCreator() method, that give as output the user certificate as an array of bytes.
How can I extract the information that I need from the certificate? Is it possible? Is it possible to use the CID library from my Java and Javascript chaincodes?
Upvotes: 3
Views: 975
Reputation: 810
I was looking for this functionality too, however it now seems to have been added. FAB-15895 added ClientIdentity.java to Java chaincode (see commit), which allows to query the certificate for information. Expect it to be part of the next release of Fabric - v1.4.4.
Upvotes: 1
Reputation: 41232
CID library is only a syntax sugar wrapper which helps to operate with identity within a chaincode, essentially what is done or the way to extract the information in GoLang, is:
serializedID, _ := stub.GetCreator()
sId := &msp.SerializedIdentity{}
err := proto.Unmarshal(serializedID, sId)
if err != nil {
return shim.Error(fmt.Sprintf("Could not deserialize a SerializedIdentity, err %s", err))
}
bl, _ := pem.Decode(sId.IdBytes)
if bl == nil {
return shim.Error(fmt.Sprintf("Could not decode the PEM structure"))
}
cert, err := x509.ParseCertificate(bl.Bytes)
if err != nil {
return shim.Error(fmt.Sprintf("ParseCertificate failed %s", err))
}
fmt.Println(cert)
which could be done in Java in along following lines:
try {
Identities.SerializedIdentity identity = Identities.SerializedIdentity.parseFrom(stub.getCreator());
StringReader reader = new StringReader(identity.getIdBytes().toStringUtf8());
PemReader pr = new PemReader(reader);
byte[] x509Data = pemReader.readPemObject().getContent();
CertificateFactory factory = CertificateFactory.getInstance("X509");
X509Certificate certificate = factory.generateCertificate(new ByteArrayInputStream(x509Data));
} catch (InvalidProtocolBufferException e) {
e.printStackTrace();
}
Upvotes: 4