Location: github.com\hyperledger\fabric\msp\msp.go
The MSP's role is to provide identity certificates or anonymous identity credentials to clients and peer nodes: a client needs its certificate to sign transactions, and an endorsing peer needs its certificate to sign transaction proposal responses. The Fabric framework abstracts the MSP functionality into a component, so the MSP implementation logic can be customized without affecting the rest of the code.
The Membership Service Provider (MSP) exposes the following interfaces:
1. The identity deserialization interface IdentityDeserializer
// IdentityDeserializer is implemented by both MSPManager and MSP
type IdentityDeserializer interface {
	// DeserializeIdentity deserializes an identity; Identity is an interface type
	DeserializeIdentity(serializedIdentity []byte) (Identity, error)
	// IsWellFormed checks whether the given identity matches the identity format this MSP instance expects; *msp.SerializedIdentity is a struct type
	IsWellFormed(identity *msp.SerializedIdentity) error
}
The struct types referenced above live in the vendored package vendor\github.com\hyperledger\fabric-protos-go\msp\identities.pb.go, as follows:
// The *msp.SerializedIdentity type; the generated code gives this struct methods to get and set its fields. SerializedIdentity is the struct used to serialize or deserialize an identity: before an identity is serialized for transmission (via JSON or protobuf) it is first wrapped in this *msp.SerializedIdentity struct, and the receiving side likewise first unmarshals the received JSON into this struct.
type SerializedIdentity struct {
	// The identifier of the associated membership service provider
	Mspid string `protobuf:"bytes,1,opt,name=mspid,proto3" json:"mspid,omitempty"`
	// the Identity, serialized according to the rules of its MSP
	IdBytes              []byte   `protobuf:"bytes,2,opt,name=id_bytes,json=idBytes,proto3" json:"id_bytes,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
// An anonymous identity credential is first wrapped in this struct and serialized, and the resulting bytes are then placed in the id_bytes field of SerializedIdentity; deserialization is the reverse.
// This struct represents an Idemix Identity
// to be used to serialize it and deserialize it.
// The IdemixMSP will first serialize an idemix identity to bytes using
// this proto, and then uses these bytes as id_bytes in SerializedIdentity
type SerializedIdemixIdentity struct {
	// nym_x is the X-component of the pseudonym elliptic curve point.
	// It is a []byte representation of an amcl.BIG
	// The pseudonym can be seen as a public key of the identity, it is used to verify signatures.
	NymX []byte `protobuf:"bytes,1,opt,name=nym_x,json=nymX,proto3" json:"nym_x,omitempty"`
	// nym_y is the Y-component of the pseudonym elliptic curve point.
	// It is a []byte representation of an amcl.BIG
	// The pseudonym can be seen as a public key of the identity, it is used to verify signatures.
	NymY []byte `protobuf:"bytes,2,opt,name=nym_y,json=nymY,proto3" json:"nym_y,omitempty"`
	// ou contains the organizational unit of the idemix identity
	Ou []byte `protobuf:"bytes,3,opt,name=ou,proto3" json:"ou,omitempty"`
	// role contains the role of this identity (e.g., ADMIN or MEMBER)
	Role []byte `protobuf:"bytes,4,opt,name=role,proto3" json:"role,omitempty"`
	// proof contains the cryptographic evidence that this identity is valid
	Proof                []byte   `protobuf:"bytes,5,opt,name=proof,proto3" json:"proof,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
2. The MSP management interface MSPManager
A value of this interface manages one or more MSP instances; in essence it provides MSP routing, and it can only be initialized once.
type MSPManager interface {
	// IdentityDeserializer interface needs to be implemented by MSPManager
	IdentityDeserializer
	// Setup the MSP manager instance according to configuration information
	Setup(msps []MSP) error
	// GetMSPs Provides a list of Membership Service providers
	GetMSPs() (map[string]MSP, error)
}
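As an added example (not code from this page or from Fabric), the routing the page attributes to MSPManager: unwrap the SerializedIdentity envelope, select the MSP by mspid, and have that MSP run IsWellFormed before it deserializes the inner bytes. The types are cut-down stand-ins: JSON replaces protobuf, a toy PEM check replaces X.509 parsing, and Manager, pemMSP and the "<mspid>/<subject>" identity string are assumptions of this example.

```go
package main
import (
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// SerializedIdentity holds the two wire fields the page describes; JSON stands in for protobuf here.
type SerializedIdentity struct {
	Mspid   string `json:"mspid"`
	IdBytes []byte `json:"id_bytes"`
}
// MSP is the subset of the page's MSP interface this example needs; the Identity it
// returns is reduced to the string "<mspid>/<subject>".
type MSP interface {
	IsWellFormed(sid *SerializedIdentity) error
	DeserializeIdentity(idBytes []byte) (string, error)
}
// pemMSP is a toy X.509-style MSP: id_bytes must be exactly one PEM CERTIFICATE block.
type pemMSP struct{ id string }

func (p pemMSP) IsWellFormed(sid *SerializedIdentity) error {
	if b, rest := pem.Decode(sid.IdBytes); b == nil || b.Type != "CERTIFICATE" || len(rest) != 0 {
		return fmt.Errorf("%s: id_bytes is not a single PEM CERTIFICATE block", p.id)
	}
	return nil
}
func (p pemMSP) DeserializeIdentity(idBytes []byte) (string, error) {
	b, _ := pem.Decode(idBytes) // a real MSP parses the DER and verifies the chain here
	return p.id + "/" + string(b.Bytes), nil
}
// Manager maps mspid to MSP and routes DeserializeIdentity, as the page says MSPManager does.
type Manager map[string]MSP

// DeserializeIdentity unwraps the envelope, rejects unknown MSP ids, and lets the owning
// MSP check well-formedness before it parses the inner bytes.
func (m Manager) DeserializeIdentity(serialized []byte) (string, error) {
	var sid SerializedIdentity
	if err := json.Unmarshal(serialized, &sid); err != nil {
		return "", fmt.Errorf("malformed envelope: %w", err)
	}
	p, ok := m[sid.Mspid]
	if !ok {
		return "", fmt.Errorf("MSP %q is unknown: identity rejected", sid.Mspid)
	}
	if err := p.IsWellFormed(&sid); err != nil {
		return "", err
	}
	return p.DeserializeIdentity(sid.IdBytes)
}
```

An identity that names an MSP the manager does not know is rejected before its bytes are ever parsed, which is the check a peer relies on when a proposal arrives from an unexpected organization.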
3. The minimal MSP interface required by a peer
// MSP defines the minimal MSP interface that must be provided for peer functionality
type MSP interface {
	// IdentityDeserializer interface needs to be implemented by MSP
	IdentityDeserializer
	// Setup the MSP instance according to configuration information
	Setup(config *msp.MSPConfig) error
	// GetVersion returns the version of this MSP
	GetVersion() MSPVersion
	// GetType returns the MSP type: FABRIC is 0, IDEMIX is 1, and other types are 3
	GetType() ProviderType
	// GetIdentifier returns the mspid
	GetIdentifier() (string, error)
	// GetSigningIdentity returns a SigningIdentity interface value; SigningIdentity extends the Identity interface with a Sign(msg []byte) ([]byte, error) method used to sign messages. The *IdentityIdentifier type consists of the mspid and the identity id and uniquely identifies an identity.
	GetSigningIdentity(identifier *IdentityIdentifier) (SigningIdentity, error)
	// GetDefaultSigningIdentity returns the default signing identity
	GetDefaultSigningIdentity() (SigningIdentity, error)
	// GetTLSRootCerts returns the TLS root certificates for this MSP
	GetTLSRootCerts() [][]byte
	// GetTLSIntermediateCerts returns the TLS intermediate root certificates for this MSP
	GetTLSIntermediateCerts() [][]byte
	// Validate checks whether the identity instance is valid; an identity instance is created from a certificate and carries the various identity methods
	Validate(id Identity) error
	// SatisfiesPrincipal checks whether the identity matches
	// the description supplied in MSPPrincipal. The check may
	// involve a byte-by-byte comparison (if the principal is
	// a serialized identity) or may require MSP validation
	SatisfiesPrincipal(id Identity, principal *msp.MSPPrincipal) error
}
Note: the *msp.MSPPrincipal type specifies which set of identities in this MSP a principal refers to, using one of five dimensions. The default is by role, meaning the MSP's identities must hold the admin or member role; the OU dimension requires the identities of this MSP to belong to certain OUs; and the identity dimension directly names which identity ids this MSP contains.
type MSPPrincipal struct {
	// Classification describes the way that one should process
	// Principal. A Classification value of "ByOrganizationUnit" reflects
	// that "Principal" contains the name of an organization this MSP
	// handles. A Classification value "ByIdentity" means that
	// "Principal" contains a specific identity. Default value
	// denotes that Principal contains one of the groups by
	// default supported by all MSPs ("admin" or "member").
	PrincipalClassification MSPPrincipal_Classification `protobuf:"varint,1,opt,name=principal_classification,json=principalClassification,proto3,enum=common.MSPPrincipal_Classification" json:"principal_classification,omitempty"`
	// Principal completes the policy principal definition. For the default
	// principal types, Principal can be either "Admin" or "Member".
	// For the ByOrganizationUnit/ByIdentity values of Classification,
	// PolicyPrincipal acquires its value from an organization unit or
	// identity, respectively.
	// For the Combined Classification type, the Principal is a marshalled
	// CombinedPrincipal.
	Principal            []byte   `protobuf:"bytes,2,opt,name=principal,proto3" json:"principal,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
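As an added example (not the page's or Fabric's code), a simplified SatisfiesPrincipal that evaluates the three dimensions the note above describes: role, organizational unit, and identity. Principal, identity and the string classification names are constructed stand-ins for the protobuf types; the rule that "member" is satisfied by any valid identity of the MSP while "admin" needs an explicit admin flag mirrors Fabric's role semantics as assumed here.

```go
package main

import "fmt"

// Principal is a simplified MSPPrincipal: Classification picks a dimension ("ROLE" by default,
// "ORGANIZATION_UNIT" or "IDENTITY"); MSPID is a plain field here, not marshalled into Principal.
type Principal struct {
	Classification string
	MSPID          string // MSP the role or OU belongs to (ignored for IDENTITY)
	Principal      []byte // "admin"/"member", an OU name, or a serialized identity
}
// identity is a constructed stand-in for an already-validated Identity: MSP id, admin flag, subject OUs, serialized form.
type identity struct {
	mspID      string
	admin      bool
	ous        []string
	serialized []byte
}
// SatisfiesPrincipal applies the single check the classification selects, as the page
// describes: a byte comparison for IDENTITY, otherwise a role or OU match within the MSP.
func (id identity) SatisfiesPrincipal(p Principal) error {
	want := string(p.Principal)
	switch p.Classification {
	case "IDENTITY":
		if string(id.serialized) == want {
			return nil
		}
		return fmt.Errorf("identity bytes do not match the principal")
	case "ROLE", "ORGANIZATION_UNIT":
		if p.MSPID != id.mspID {
			return fmt.Errorf("principal is for MSP %q, identity is from %q", p.MSPID, id.mspID)
		}
	default:
		return fmt.Errorf("unsupported principal classification %q", p.Classification)
	}
	if p.Classification == "ROLE" { // "member": any valid identity of the MSP; "admin": needs the flag
		if want == "member" || (want == "admin" && id.admin) {
			return nil
		}
		return fmt.Errorf("identity does not hold role %q in %s", want, id.mspID)
	}
	for _, ou := range id.ous {
		if ou == want {
			return nil
		}
	}
	return fmt.Errorf("identity has no OU %q in %s", want, id.mspID)
}
```

The MSP id check on role and OU principals is the part worth keeping in mind: an admin of one organization must never satisfy an "admin" principal written for another.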
4. The Identity interface
type Identity interface {
	// ExpiresAt returns the time at which the Identity expires.
	// If the returned time is the zero value, it implies
	// the Identity does not expire, or that its expiration
	// time is unknown
	ExpiresAt() time.Time
	// GetIdentifier returns the identifier of that identity
	GetIdentifier() *IdentityIdentifier
	// GetMSPIdentifier returns the MSP Id for this instance
	GetMSPIdentifier() string
	// Validate uses the rules that govern this identity to validate it.
	// E.g., if it is a fabric TCert implemented as identity, validate
	// will check the TCert signature against the assumed root certificate
	// authority.
	Validate() error
	// GetOrganizationalUnits returns zero or more organization units or
	// divisions this identity is related to as long as this is public
	// information. Certain MSP implementations may use attributes
	// that are publicly associated to this identity, or the identifier of
	// the root certificate authority that has provided signatures on this
	// certificate.
	// Examples:
	// - if the identity is an x.509 certificate, this function returns one
	// or more string which is encoded in the Subject's Distinguished Name
	// of the type OU
	// TODO: For X.509 based identities, check if we need a dedicated type
	// for OU where the Certificate OU is properly namespaced by the
	// signer's identity
	GetOrganizationalUnits() []*OUIdentifier
	// Anonymous returns true if this is an anonymous identity, false otherwise
	Anonymous() bool
	// Verify a signature over some message using this identity as reference
	Verify(msg []byte, sig []byte) error
	// Serialize converts an identity to bytes
	Serialize() ([]byte, error)
	// SatisfiesPrincipal checks whether this instance matches
	// the description supplied in MSPPrincipal. The check may
	// involve a byte-by-byte comparison (if the principal is
	// a serialized identity) or may require MSP validation
	SatisfiesPrincipal(principal *msp.MSPPrincipal) error
}