  1. Fabric
  2. FAB-18364

Not possible to use Idemix ADMIN credentials with "peer chaincode invoke"



    • Bug
    • Status: Unverified
    • Low
    • Resolution: Unresolved
    • v2.1.0
    • v2.2.0
    • fabric-peer
    • None
    • (Please add steps to reproduce)


      Passing idemix admin MSP credentials to "peer chaincode invoke" leads to an error.


      That happens only when I register the admin with the attribute role=2 (as indicated in fabric docs).


      I assume that this happens because "peer chaincode invoke" is not expecting admin credentials and rules it as invalid.


      Steps to bug:


      1) Registering in the fabric-ca-server 1.4.9 like:

      fabric-ca-client register --id.name admin13-idemixorg --id.secret admin13-idemixorg --id.type admin --id.affiliation idemixorg --id.attrs '"hf.Registrar.Roles=aclient,peer,orderer",hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert,role=2:ecert' -u
      fabric-ca-client register --id.name admin13-idemixorg --id.secret admin13-idemixorg --id.type admin --id.affiliation idemixorg --id.attrs '"hf.Registrar.Roles=aclient,peer,orderer",hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert,role=2' -u
      PS: Whenever I register without the "role=2" attribute, everything works regularly with a member idemix credential.

      2) Enrolling with the fabric-ca-server with:

      fabric-ca-client enroll https://admin13-idemixorg:admin13-idemixorg@ --enrollment.type idemix
      PS: this command returns a JSON idemix credential, as mentioned here

      3) Converting the JSON Idemix SignerConfig to Protobuf using fabric-java-sdk 1.4 with the attached source code:

      • I parse the JSON idemix SignerConfig file
      • Decode the base 64 fields ("Cred", "Sk" and "credential_revocation_information")
      • From the fields, I build the proto Class IdemixMSPSignerConfig.
      • Write the proto Class object to file.

      4) Call "cli-idemixorg peer chaincode invoke"

      docker exec -e CORE_PEER_LOCALMSPID=IDEMIXORG -e CORE_PEER_ADDRESS=peer1-ufsc:7051 -e CORE_PEER_LOCALMSPTYPE=idemix -e CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/idemixorg/admin1/msp -e CORE_PEER_TLS_ENABLED=true -e CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/idemixorg/admin1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem cli-idemixorg peer chaincode invoke -o orderer1-ufsc:7050 --channelID canal --name abac --tls --cafile /tmp/hyperledger/idemixorg/admin1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --tlsRootCertFiles /tmp/hyperledger/idemixorg/admin1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --peerAddresses peer1-ufsc:7051 -c '{"function":"query","Args":["A"]}'
      5) Error message:
      2020-12-03 11:19:32.390 UTC [main] InitCmd -> ERRO 008 Cannot run peer because error when setting up MSP of type idemix from directory /tmp/hyperledger/idemixorg/admin1/msp: Credential is not cryptographically valid: Failed verifing with opts [&{[ {1 [105 100 101 109 105 120 111 114 103]} {2 1} {1 [97 100 109 105 110 49 50 45 105 100 101 109 105 120 111 114 103]} {0 <nil>}] 0xc000195c00 0}]: credential does not contain the correct attribute value at position [1]
      PS: As I said in the beginning, this behavior only happens with admin credentials with role=2. Without that attribute, I was successful using idemix.




            Unassigned Unassigned
            johannwest Johann Westphall
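
To make the verifier options in the error message above readable, the following added example (not part of the original report and not Fabric's own code) decodes the printed tuples into named attributes. The attribute order (OU, Role, EnrollmentID, RevocationHandle) and the type codes (0 = hidden, 1 = bytes, 2 = int) are assumptions about how Fabric's idemix MSP lays out a credential; `DecodeAttrs` and `Attr` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumption: attribute order inside a Fabric idemix credential.
var positions = []string{"OU", "Role", "EnrollmentID", "RevocationHandle"}

// Assumption: attribute type codes as Go's %v prints them.
var kinds = map[string]string{"0": "hidden", "1": "bytes", "2": "int"}

// Matches one "{type value}" tuple: a byte slice, an integer, or <nil>.
var attrRe = regexp.MustCompile(`\{(\d) (\[[\d ]*\]|\d+|<nil>)\}`)

type Attr struct{ Position, Kind, Value string }

// DecodeAttrs turns the tuples in the peer's error text into readable attributes.
func DecodeAttrs(errText string) []Attr {
	var out []Attr
	for i, m := range attrRe.FindAllStringSubmatch(errText, -1) {
		a := Attr{Position: fmt.Sprintf("attr[%d]", i), Kind: kinds[m[1]], Value: m[2]}
		if i < len(positions) {
			a.Position = positions[i]
		}
		if strings.HasPrefix(m[2], "[") { // Go prints []byte as decimal numbers
			var b []byte
			for _, f := range strings.Fields(strings.Trim(m[2], "[]")) {
				if n, err := strconv.Atoi(f); err == nil && n <= 255 {
					b = append(b, byte(n))
				}
			}
			a.Value = string(b)
		}
		out = append(out, a)
	}
	return out
}

// Verifier options copied from the error message on this page.
const sample = `[&{[ {1 [105 100 101 109 105 120 111 114 103]} {2 1} {1 [97 100 109 105 110 49 50 45 105 100 101 109 105 120 111 114 103]} {0 <nil>}] 0xc000195c00 0}]`

func main() {
	for _, a := range DecodeAttrs(sample) {
		fmt.Printf("%-16s %-6s %q\n", a.Position, a.Kind, a.Value)
	}
}
```

For the message on this page, position 1 decodes as an int attribute with value 1, and the enrollment ID bytes decode to admin12-idemixorg.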