itochterman

Reputation: 11

When trying to access Hyperledger Fabric identity provider context, roles and affiliation are null

My application flow requires that I am able to check an identity's role on the network end. When I register a new user, I set that user's role, affiliation, etc. via the Fabric CA. The role I set does seem to determine chaincode invocation rights, but I can't seem to figure out how to access that role later on. I tried getting the user's context from provider, but it seems that the fields for role affiliation, and even enrollmentSecret are coming up as null. I've attached relevant code.

I'm using the Node SDK for Fabric version 2.1.

Here's my code to get user context:

    // ca (Fabric CA client), wallet and adminUser (enrolled registrar) are set up earlier
    const pword = await ca.register({enrollmentID: userName, enrollmentSecret: password, role: "client", affiliation: "org1.department1"}, adminUser);
    const enrollment = await ca.enroll({enrollmentID: userName, enrollmentSecret: pword});
    const x509Identity = {
        credentials: {
            certificate: enrollment.certificate,
            privateKey: enrollment.key.toBytes(),
        },
        mspId: 'org0-example-com',
        type: 'X.509',
    };
    await wallet.put(userName, x509Identity);
    // Read the identity back and build a User object through the wallet's identity provider
    const targ = await wallet.get(userName);
    const user = wallet.getProviderRegistry().getProvider(targ.type);
    const targetUser = await user.getUserContext(targ, userName);
    console.log("Roles are: " + targetUser);

And this is the relevant console output:

Roles are: {"name":"dave","mspid":"org0-example-com","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":_____ (Certificate, signingKey…)

Upvotes: 1

Views: 473

Answers (1)

Kartik Chauhan

Reputation: 3068

A Fabric identity's encoded x509 certificate looks something like this:

{"name":"user1","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"3a18bb4555dc58717b0eaf658646ae3fd3cddf67af8b30c22880","identity":{"certificate":"-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
"}}}

I've replaced \n with a newline character only for the purpose of clarity.

If you look closely, you'll find that the values of the fields roles, affiliation and enrollmentSecret are either null or "" (empty string).

Now, this is just speculation and I might be wrong on this, but I think when we try to get the value of any of these fields using the methods getRoles, getEnrollmentSecret, getAffiliation, we get the value from the certificate that we have in our local directory or fabric-store.

I don't know why these methods are even in the SDK in the first place if they don't provide any useful output.

I faced a similar issue where I was trying to get the enrollmentSecret value of a fabric identity but got the same output as you have, an empty string. You can see that thread here, but, I'm not sure if you can take away anything from it.

One thing that I've observed is that when we decode the PEM certificate of any identity using the openssl utility, we get the decoded x509 certificate:

openssl x509 -in user1 -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3a:2e:95:d9:07:09:5b:22:a2:da:2b:e4:fd:1e:31:9e:82
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Jul 15 10:38:00 2020 GMT
            Not After : Jul 15 10:43:00 2021 GMT
        Subject: OU=admin, OU=org1, OU=department1, CN=user1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:86:98:35:80:9b:c4:da:95:da:84:99:b8:76:33:
                    b0:11:ea:d0:4b:76:7a:a9:0e:7c:52:f1:59:c7:59:
                    e7:09:6b:0c:96
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DE:3D:67:CA:3D:84:B7:6B:28:25:7E:7A:4E
            X509v3 Authority Key Identifier:
                keyid:F4:A2:05:14:BF:A8:8A:5F:29:C6:DE:59:B9:B6:E9:72:85:39:9E:5F:2C:D4

            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"org1.department1","hf.EnrollmentID":"user1","hf.Type":"admin"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:54:46:48:69:43:31:cd:c4:4c:f5:3b:3a:80:33:
         02:20:2e:47:26:62:12:76:b4:d4:c7:18:c7:bf:02:b9:1c:45:
         dc:af:63:67:c6:f2:07:14:a6:e0:0f:98

We can see the affiliation and role in the Abstract Syntax Notation (ASN.1) extension 1.2.3.4.5.6.7.8.1, in the form of hf.Affiliation and hf.Type respectively.

Now, unless we decode the x509 certificate and read these values from the certificate in our code, I don't think we have any way to get these values. Of course, if you just want to read the values statically, you can do so using the fabric-ca-client utility, but I'm assuming that's not the case here.

This issue has been faced in SDK v1.4 as well. Now I don't know whether this was a deliberate action to avert some security flaws or something else, but strangely enough, I never saw any fabric maintainer commenting on this.

In my research, I found this link where the person faced the exact same issue, but this is unanswered as well.

Upvotes: 0
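The certificate decoding the answer points to, as an added example that is not part of the question or the answer: it reads the 1.2.3.4.5.6.7.8.1 extension out of an identity's PEM with a minimal DER walker (no third-party ASN.1 library), assuming the extension value is the raw {"attrs":{...}} JSON shown in the openssl output above. The sample certificate skeleton and its attribute values are constructed here, not taken from a real Fabric CA.

```javascript
// Added example, not the asker's or the Fabric SDK's code: pull Fabric CA's attribute
// extension (OID 1.2.3.4.5.6.7.8.1) out of an identity's X.509 PEM with a small DER walker.
const FABRIC_ATTR_OID = Buffer.from([0x2a, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x01]); // DER of 1.2.3.4.5.6.7.8.1
function readTlv(buf, off) {                        // decode one DER tag/length; returns tag + value byte range
  const tag = buf[off];
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) {                                 // long form: next n bytes carry the length
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
    pos += n;
  }
  return { tag, start: pos, end: pos + len };
}
// Depth-first walk over constructed nodes; returns the OCTET STRING value of the first
// Extension SEQUENCE whose OID matches (skipping the optional `critical` BOOLEAN), else null.
function findExtension(buf, off = 0, end = buf.length) {
  while (off < end) {
    const t = readTlv(buf, off);
    if (!(t.end <= end)) return null;               // truncated or malformed length: give up
    if (t.tag === 0x30 && t.start < t.end) {        // SEQUENCE: does it start with our OID?
      const first = readTlv(buf, t.start);
      if (first.tag === 0x06 && buf.subarray(first.start, first.end).equals(FABRIC_ATTR_OID)) {
        let c = readTlv(buf, first.end);
        if (c.tag === 0x01) c = readTlv(buf, c.end); // critical flag present: step over it
        return c.tag === 0x04 ? buf.subarray(c.start, c.end) : null;
      }
    }
    if (t.tag & 0x20) {                             // constructed (SEQUENCE, SET, [3] wrapper): recurse
      const found = findExtension(buf, t.start, t.end);
      if (found) return found;
    }
    off = t.end;
  }
  return null;
}
// PEM with real newlines or the wallet's escaped "\n" -> attrs object, or null if the extension is absent.
function readFabricAttrs(pem) {
  const raw = findExtension(Buffer.from(pem.replace(/-----[^-]+-----/g, '').replace(/\\n|\s/g, ''), 'base64'));
  return raw ? JSON.parse(raw.toString('utf8')).attrs : null;
}
// Constructed sample (not a real Fabric cert): Certificate{TBS{[3]{Extensions{ext}}}} skeleton, values from the dump above.
function tlv(tag, ...parts) {                       // tiny DER encoder; the sample stays under 256 bytes
  const body = Buffer.concat(parts);
  const len = body.length < 0x80 ? [body.length] : [0x81, body.length];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
const SAMPLE_ATTRS = '{"attrs":{"hf.Affiliation":"org1.department1","hf.EnrollmentID":"user1","hf.Type":"admin"}}';
const ext = tlv(0x30, tlv(0x06, FABRIC_ATTR_OID), tlv(0x04, Buffer.from(SAMPLE_ATTRS)));
const SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\n' +
  tlv(0x30, tlv(0x30, tlv(0xa3, tlv(0x30, ext)))).toString('base64') + '\n-----END CERTIFICATE-----\n';
```

For a real identity, pass `enrollment.certificate` or the wallet entry's `credentials.certificate` string to `readFabricAttrs`; the returned object carries `hf.Type` and `hf.Affiliation`, which is what the SDK's `getRoles`/`getAffiliation` fail to surface.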
