public static IdemixRoles ToIdemixRoles(this IEnumerable <MSPRole.Types.MSPRoleType> roles)
{
IdemixRoles mask = 0;
foreach (MSPRole.Types.MSPRoleType role in roles)
{
mask |= (IdemixRoles)(1 << (int)role);
}
return(mask);
}
public IdemixEnrollment(IdemixIssuerPublicKey ipk, KeyPair revocationPk, string mspId, BIG sk, IdemixCredential cred, CredentialRevocationInformation cri, string ou, IdemixRoles roleMask)
{
Ipk = ipk;
RevocationPk = revocationPk;
MspId = mspId;
Sk = sk;
Cred = cred;
Cri = cri;
Ou = ou;
RoleMask = roleMask;
}
public void TestIdemixRoles()
{
IdemixRoles role = IdemixRoles.ADMIN | IdemixRoles.CLIENT;
Assert.IsTrue(role.CheckRole(IdemixRoles.ADMIN));
Assert.IsFalse(role.CheckRole(IdemixRoles.PEER));
Assert.IsFalse(role.CheckRole(IdemixRoles.MEMBER));
Assert.IsTrue(role.CheckRole(IdemixRoles.CLIENT));
Assert.AreEqual(MSPRole.Types.MSPRoleType.Member.ToIdemixRole(), IdemixRoles.MEMBER);
Assert.AreEqual(IdemixRoles.ADMIN.ToMSPRoleTypes().First(), MSPRole.Types.MSPRoleType.Admin);
}
public static List <MSPRole.Types.MSPRoleType> ToMSPRoleTypes(this IdemixRoles roles)
{
List <MSPRole.Types.MSPRoleType> ls = new List <MSPRole.Types.MSPRoleType>();
int pos = 0;
foreach (IdemixRoles r in Enum.GetValues(typeof(IdemixRoles)))
{
if ((r & roles) == r)
{
ls.Add((MSPRole.Types.MSPRoleType)pos);
}
pos++;
}
return(ls);
}
/**
* Create Idemix Identity from the following inputs:
*
* @param mspId is MSP ID sting
* @param nym is Identity Mixer Pseudonym
* @param ou is OU attribute
* @param roleMask is a bitmask that represent all the roles attached to this identity
* @param proof is Proof
*/
public IdemixIdentity(string mspId, IdemixIssuerPublicKey ipk, ECP nym, string ou, IdemixRoles roleMask, IdemixSignature proof)
{
if (mspId == null)
{
throw new ArgumentException("MSP ID must not be null");
}
if (string.IsNullOrEmpty(mspId))
{
throw new ArgumentException("MSP ID must not be empty");
}
if (ipk == null)
{
throw new ArgumentException("Issuer Public Key must not be empty");
}
if (nym == null)
{
throw new ArgumentException("Identity Mixer Pseudonym (nym) must not be null");
}
if (ou == null)
{
throw new ArgumentException("OU attribute must not be null");
}
if (string.IsNullOrEmpty(ou))
{
throw new ArgumentException("OU attribute must not be empty");
}
if (proof == null)
{
throw new ArgumentException("Proof must not be null");
}
this.mspId = mspId;
ipkHash = ipk.Hash;
pseudonym = nym;
Ou = ou;
RoleMask = roleMask;
associationProof = proof;
}
public static bool CheckRole(this IdemixRoles roles, IdemixRoles searchRole)
{
return((roles & searchRole) == searchRole);
}
/**
* Create new Idemix Signing Identity with a fresh pseudonym
*
* @param ipk issuer public key
* @param revocationPk the issuer's long term revocation public key
* @param mspId MSP identifier
* @param sk user's secret
* @param cred idemix credential
* @param cri the credential revocation information
* @param ou is OU attribute
* @param role is role attribute
* @throws CryptoException
* @throws InvalidArgumentException
*/
public IdemixSigningIdentity(IdemixIssuerPublicKey ipk, KeyPair revocationPk, string mspId, BIG sk, IdemixCredential cred, CredentialRevocationInformation cri, string ou, IdemixRoles role)
{
// input checks
if (ipk == null)
{
throw new ArgumentException("Issuer Public Key (IPK) must not be null");
}
if (revocationPk == null)
{
throw new ArgumentException("Revocation PK must not be null");
}
if (mspId == null)
{
throw new ArgumentException("MSP ID must not be null");
}
if (string.IsNullOrEmpty(mspId))
{
throw new ArgumentException("MSP ID must not be empty");
}
if (ou == null)
{
throw new ArgumentException("OU must not be null");
}
if (string.IsNullOrEmpty(ou))
{
throw new ArgumentException("OU must not be empty");
}
if (sk == null)
{
throw new ArgumentException("SK must not be null");
}
if (cred == null)
{
throw new ArgumentException("Credential must not be null");
}
if (cri == null)
{
throw new ArgumentException("Credential revocation information must not be null");
}
logger.Trace($"Verifying public key with hash: [{BitConverter.ToString(ipk.Hash).Replace("-", "")}] \nAttributes: [{string.Join(",", ipk.AttributeNames)}]");
if (!ipk.Check())
{
CryptoException e = new CryptoException("Issuer public key is not valid");
logger.Error("", e);
throw e;
}
this.ipk = ipk;
this.sk = sk;
this.cri = cri;
logger.Trace("Verifying the credential");
// cryptographically verify credential
// (check if the issuer's signature is valid)
if (!cred.Verify(sk, ipk))
{
CryptoException e = new CryptoException("Credential is not cryptographically valid");
logger.Error("", e);
throw e;
}
logger.Trace("Checking attributes");
// attribute checks
// 4 attributes are expected:
// - organization unit (disclosed)
// - role: admin or member (disclosed)
// - enrollment id (hidden, for future auditing feature and authorization with CA)
// - revocation handle (hidden, for future revocation support)
if (cred.Attrs.Length != 4)
{
throw new CryptoException($"Error: There are {cred.Attrs.Length} attributes and the expected are 4");
}
byte[] ouBytes = cred.Attrs[0];
byte[] roleBytes = cred.Attrs[1];
byte[] eIdBytes = cred.Attrs[2];
byte[] rHBytes = cred.Attrs[3];
BIG[] attributes = new BIG[4];
attributes[0] = BIG.FromBytes(ouBytes);
attributes[1] = BIG.FromBytes(roleBytes);
attributes[2] = BIG.FromBytes(eIdBytes);
attributes[3] = BIG.FromBytes(rHBytes);
// check that the OU string matches the credential's attribute value
if (!ou.ToBytes().HashModOrder().ToBytes().SequenceEqual(ouBytes))
{
throw new ArgumentException("the OU string does not match the credential");
}
// check that the role matches the credential's attribute value
if (!new BIG((int)role).ToBytes().SequenceEqual(roleBytes))
{
throw new ArgumentException("the role does not match the credential");
}
logger.Trace("Generating fresh pseudonym and proof");
// generate a fresh pseudonym
Pseudonym = new IdemixPseudonym(this.sk, this.ipk);
// generate a fresh proof of possession of a credential
// with respect to a freshly generated pseudonym
Proof = new IdemixSignature(cred, this.sk, Pseudonym, this.ipk, disclosedFlags, msgEmpty, rhIndex, cri);
logger.Trace("Verifying the proof");
// verify the proof
if (!Proof.Verify(disclosedFlags, this.ipk, msgEmpty, attributes, rhIndex, revocationPk, (int)cri.Epoch))
{
throw new CryptoException("Generated proof of identity is not valid");
}
logger.Trace("Generating the Identity Object");
// generate a fresh identity with new pseudonym
idemixIdentity = new IdemixIdentity(mspId, this.ipk, Pseudonym.Nym, ou, role, Proof);
logger.Trace(idemixIdentity.ToString());
}
