MSP is the abbreviation of Membership service provider, the personal custom literal translation is the member relation service provider. The role is similar to having a large number of participants in a running fabric system network, which is designed to manage these participants, identify who is qualified, who are ineligible, maintain the rights of one participant, and maintain relationships between participants. For more professional concepts of MSP, see the fabric documentation.
Here to say a digression, recently these several articles actually feel uncomfortable, because some modules are interrelated, put together to say the article is too complex, the subject is not clear, separate said and feel not deep, form a system, such as MSP and BCCSP between this. After the start. Go end, there will be chaincode installation, such as more operational articles, in these articles, with specific examples, through the original data in the system by the various services received, processing, transmission, in order to form a more systematic understanding.
The core code of MSP is in/fabric/msp, the related code is distributed in/fabric/common/config/msp,/fabric/protos/msp,/fabric/sampleconfig/msp. The main directory structure is as follows: MSP
Msp.go-defines msp,mspmanager,identity,signingidentity and other major interfaces Mspimpl.go-implements the MSP interface, the structure is Bccspmsp mspmgrimpl.go- Implementation of the Mspmanager interface, the structure of the Mspmanagerimpl Identities.go-Implementation Identity,signingidentity interface Configbuilder.go- Provides the data structure to read and assemble the certificate file into an interface required by the MSP, and the Management Code directory of the Transformation configuration structure (by Factoryopts->mspconfig) and other tool functions Mgmt-msp
Mgmt.go-Main files, Localmsp and Mspmap are all in this file, and there are multiple admin functions common
Config
Msp/config.go-Implements the Mspmanager interface, which is Mspconfighandler, and is used to configure MSP for CONFIGTX tools Protos
MSP-Original MSP configuration (mspconfig), definitions, and corresponding generated. Go file sampleconfig
Msp-msp an instance of the required certificate file, etc.
Structure Chart:
Endorsement Test
FABIRC Source Analysis 11 involves the endorser service used to the MSP to receive the signedproposal message for inspection, this will be detailed inspection process.
Function Retrospective process: processproposal-> validation. Validateproposalmessage-> Checksignaturefromcreator. In the Checksignaturefromcreator function, the following validation is done:
The parameters received are:
creator
Sig-Signedproposal in Creatorbytes-signatureheader- signature
msg - Proposalbytes Chainid in Signedproposal -Channelheader channelid
// Obtain the implementation Identitydeserializer object Mspobj according to Chainid
: = Mspmgmt. Getidentitydeserializer (Chainid)
///using the acquired object, obtain creator object creator based on binary creatorbytes data
, err: = Mspobj.deserializeidentity (creatorbytes)
//Validate err = Creator using the Creator method
. Validate ()
err = Creator. Verify (msg, SIG)
1 2 3 4 5 6 7 8 9 10 11 12 13 1 2 3 4 5 6 7 8 9 10 11 The 12 13
Getidentitydeserializer, defined in Mgmt.go, returns a Identitydeserializer interface object that actually returns BCCSPMSP objects or mspmanagerimpl/ The Mspconfighandler object, because the Identitydeserializer interface can be seen from the annotation at the definition point to the two interfaces of bonding MSP and Mspmanager. Both interfaces require the implementation of the Identitydeserializer interface. The corresponding, when return is the Bccspmsp object, is through the GETLOCALMSP function, its essence returns is the LOCALMSP variable, when returns is the Mspmanagerimpl/mspconfighandler object, is through the Getmanagerforchain function, whose essence returns the value of the Chainid of the Mspmap map.
Here to say another is the Mspconfighandler object, in the/fabric/common/config/msp/ Config.go definition, the object will Mspmanager interface as a member, nature should also implement the Identitydeserializer interface, but the conflict is, search source, and did not find its implementation of the Mspmanager interface code, it must be for the user to implement or in the specific use of the time to Give the specific Mspmanager implementation object. In the Getmanagerforchain function, if the member of the Mspconfighandler is Mspmanager empty, the nil is returned directly, and the Checksignaturefromcreator function is returned directly. In some test code, such as Mgmt_test.go, when the Mspconfighandler object is instantiated, its Mspmanager members are directly initialized to the mspmanagerimpl of the system implementation or directly to the nil. This object is placed in the first place, and then the code in the following can be found in the interpretation of the complement.
Therefore, Mspobj is a Bccspmsp object or Mspmanagerimpl object, which is represented by a and B, respectively. The Deserializeidentity method of realizing Identitydeserializer interface of two kinds of objects is slightly different, because of the difference of their own structure, but the same way. A is a MSP, and B to implement Mspmanager, naturally shoulder the task of managing MSP, so its members have a MSP mapping Mspsmap, is a heap of MSP.
Both A and B unmarshal the received creatorbytes parameters into serializedidentity structure objects defined in the fabric/protos/msp/ Identities.pb.go, and its members Mspid and idbytes will be used for subsequent validation of A and B.
A verifies that the mspid is consistent with its own stored name, idbytes into the tune function Deserializeidentityinternal for further verification, and B verifies that mappings with Mspid key values exist after their own mspsmap , using the switch to judge the type of MSP object mapped, if the system implements the Bccspmsp, then the same to call Deserializeidentityinternal, if the user implemented MSP, Then we invoke the user-implemented Deserializeidentity method, which we leave out of the MSP that the user himself implements.
The operation of the Deserializeidentityinternal function involves the BCCSP BCCSP in the Mspobj object. BCCSP member, which is a BCCSP service object, and BCCSP is the provider of cryptographic services for the entire system, detailed in the topic article. The Deserializeidentityinternal function receives idbytes and, according to Idbytes, invokes a series of functions provided by BCCSP, such as Gethashopt, Hash, and Keyimport, to generate the data required for the identity object , the identity object is eventually generated and returned. The identity object implements the identity interface, defined in Msp/identities.go, represents an identity object, and also provides authentication capabilities (functions). The identity is used to indicate the identity of a member, including the name of the member, the use of the certificate, encryption algorithm, public key and MSP objects themselves, such as information, authentication capability refers to the validate and verify provided by the two functions.
Authenticate and confirm using the identity object, which is the value received by creator. Retrospective validate and verify two functions, all defined in/fabric/msp/identities.go, we will find that we end up using the BCCSP function of the Verify object contained in the MSP object that it contains validate and MSP objects. Here and the 3rd step, like the use of BCCSP services, this is no longer repeat. Identity validation (with certificate validation is an idea that the concept of certificates and identities is overlapping, certificates represent identities) and signature Verification These two phrases are proprietary in the fabric document, corresponding to two functions validate and verify, that is, the former verifies identity and the latter confirms the signature.
To understand a service module, basically the problem is focused on two points: what the Service module can do itself. How the system uses this module. Here's how to include when to use and how to use two meanings.
Let's start with this idea to learn about MSP services. Here is a description of the metaphor and an explanation of the certificate:
To make an analogy:
A group of large companies, may have a corporate headquarters, the group under a number of subgroups, respectively, covering different areas of business (such as construction group, business Development Group, investment group, such as sub-group), each group has a number of branches throughout the country, branch offices under the Department, part of the staff, The staff is divided between the manager and the general Staff. **
About the certificate (the fabric inside the use of the X509 Certificate): The certificate itself is to carry the public key to the container, the most important is the public key, and some authentication information. When comparing certificates, nature compares public spoons. Ski is the identifier of the current certificate, the so-called identifier, is generally a hash of the public key to get a piece of character identification. Ski is the identifier of the current certificate, Aki is the ski of the signatory, which is the public key identifier of the signer. A certificate is trusted at a level, such as a CA's key that signed your key and generated your certificate, that is, the CA certified your certificate, that is, your certificate is the next level of certificate of the CA certificate. The original CA certificate of its own identifier is also ski, and for you this certificate, CA that certificate identifier is your signer identifier, that is, Aki. That is, the ski at the upper level becomes the next level of Aki. X509 is a type of certificate that can be specified in the Admincerts,cacerts file under/fabric/sampleconfig. # # Identity and Signingidentity interface identity
Type identity struct {//instance identity, such as Mspid ID *identityidentifier//instance corresponding to the X509 certificate, representing the identity cert *x509. Certificate//instance of the identity of the public key PK BCCSP. Key///"owns" MSP instance MSP *bccspmsp}//Call MSP Satisfiesprincipal interface check if identity instance matches the type described in principal///if match, return nil func (ID *identity) Satisfiesprincipal (Principal *msp. Mspprincipal) error{return Id.msp.SatisfiesPrincipal (ID, principal)}//Call MSP Validate interface Verify this identity instance func (ID *identity) V Alidate () Error {return id.msp.Validate (ID)}///Call MSP Member BCCSP verify interface to confirm that signature SIG matches message msg, or verify signature validity func (ID *identity Verify (msg []byte, sig []byte) Error {... digest, err: = Id.msp.bccsp.Hash (msg, hashopt) ... valid, err
: = Id.msp.bccsp.Verify (id.pk, SIG, Digest, nil) ...} Call the MSP's serializedidentity interface to convert this identity instance to byte func (ID *identity) Serialize () ([]byte, error) {... sId: = &msp.s Erializedidentity{mspid:id.id.mspid, idbytes:pembytes} idbytes, err: = Proto.
Marshal (sId) ...} An interface implementation that is not listed is either useless (not implemented, just returns directlyError or print a sentence), or the GetXXX series ...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18-------------19 20 21 22 23 24 25 26 27-28 29 30 31, 32 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
In this omission of the identity interface GetXXX related implementation, which is to obtain identity information, is not a functional interface, and compared to obtain identity information this relatively simple implementation, we would like to know how the identity of the data is formed and what this data can do. Identity is the representative of system membership, and the X509 certificate contained in it can represent this identity in the system, which is "owned" and managed by MSP. Identity actually does not really realize what function, but more essential to represent a member of the role (enough), this can be from satisfiesprincipal,validate,verify, The implementation of a functional interface such as serialize shows that these implementations are implemented by invoking the interface of the MSP that manages this identity instance, while the identity instance itself provides only identity data. Identity in the system, can represent a peer node identity, can represent an organization's identity, and other identity objects. Also, if an identity contains information about the organization in which it belongs (which means that the identity may not have organized information), the organization information is included in the X509 certificate.
From Satisfiesprincipal this interface implementation, can draw out the type of identity. The original definition of the type is defined in the/fabric/protos/common of the Msp_principal.proto and corresponding generated msp_principal.pb.go. The structure is Mspprincipal and has the following three types of identities: role, representing a character, with members member and manager admin. Similar to a company, the general staff and managers. Organization_unit, representing the organizational unit. It's similar to a department in a company. Identity, it means an ordinary identity. is relative to the organization_unit, similar to a company, an individual. signingidentity
Type signingidentity struct {
//Signer Identity instance identity
//crypto the
"Private signature pen" signer crypto in the library
. Signer
}
//signature on MSG
func (id *signingidentity) Sign (msg []byte) ([]byte, error) {
// Gets the hash option for the signature (which hash technique is used to sign)
hashopt, err: = Id.gethashopt (id.msp.cryptoConfig.SignatureHashFamily)
...
//Get hash Value
Digest, err: = Id.msp.bccsp.Hash (msg, hashopt)
...
Signed with a private signature return
Id.signer.Sign (rand. Reader, Digest, nil)
}
//Other implementations are not substantively implemented (just return an error) ...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Signer identity is a "special signature pen" identity. Naturally, it is also used for signature. In all identity objects that are managed by MSP, you can specify that some members are used to sign the message. In the sign implementation, the use of the "dedicated signature pen" Crypto standard library signer objects, while using some of the MSP features as a signature auxiliary.
The
can think of identity as a department or an individual employee, when it is a department, it is the type of organization, when it is an individual, there is the division between the manager and the general Staff. MSP and Mspmanager interfaces MSP
type bccspmsp struct {//root cas rootcerts []identity//intermediate cas intermediatecerts []identity Signature Identity Signer signingidentity//admin Identity List Admins []identity//Cryptographic algorithm BCCSP BCCSP. BCCSP//msp Name string//validation option opts *x509. Verifyoptions//abolition of CAs CRL []*pkix. Certificatelist//Organization list Ouidentifiers Map[string][][]byte//encryption option CryptoConfig *m.fabriccryptoconfig}//Under
Configuration information Conf1 The MSP object, that is, to populate the fields in this Bccspmsp instance with Conf1 func (MSP *bccspmsp) Setup (conf1 *m.mspconfig) error {...}//Verify that the given identity ID is valid Func (MSP *bccspmsp) Validate (ID Identity) error {...}//Verify that the given identity ID matches the type described in the given principal Func (MSP *bccspmsp) SATISFI Esprincipal (id Identity, principal *m.mspprincipal) error{...}//Others are GETXXX series and auxiliary tune functions
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18-------------19 20 21 22 23 24 25 26 27-28 29 30 1, 2 18 19 20 21 22 23 24 25 26 27 28 29-30
For the fields in the BCCSPMSP structure, it is easy to understand what data the MSP needs to specify in the MSP configuration section of the MSP of 9--document translation against FABIRC source code. This is named Bccspmsp, which means that the implementation uses BCCSP as the provider of its cryptographic technology, just as it has a member BCCSP. As the identity interface says, MSP essentially hosts the task of authentication and administration. MSP can be imagined as a subsidiary whose members are either an individual of the company or a department of the company, an individual is either a manager or an ordinary employee, and these bodies are represented by a common identity interface.
The Setup:setup process will, as you might imagine, use the data that is carried in the parameter Conf1, and then populate the Bccspmsp fields, using the BCCSP encryption technique, or the default value if some of the required data conf1 are not available. That is to say, CONF1 has the data we need, so how does this conf1 form, and where does it come from? If you do not want to search the source code to see when and where the interface is invoked (since you are sure to have the data ready for the call, so you can find out how CONF1 is formed), you can look at the test or mock file directly, and here, the simpler, more straightforward and the/fabric/msp. /mspwithintermediatecas_test.go This test file, inside a simple look at the setup call before the Conf data assembly, you can know how the Conf came.
Validate: Verify the identity is valid, the main authentication (satisfies) three points: the identity carries the X509 certificate to exist in Bccsmsp rootcerts or the intermediatecerts. This requires you to be familiar with the X509 Certificate certificate Method Verify usage (trace validate function can be found), the prototype is func (c *certificate) Verify (opts verifyoptions) (chains [][]*certificate, err Error], here the parameter opts is BCCSMSP member opts, this member is quite with a certificate map, that indicates the function goes to which certificate pool (Certpool) to compare with C this certificate. OPTs was initialized in Bccsmsp's setup implementation to include Rootcerts and intermediatecerts two certificate pools. The X509 certificate that is carried in the identity is not in the CRL. The contrast here is not directly contrasted with the certificate itself, because the corresponding structure of the CRL is pkix.certificatelist. The organization information carried in the identity is valid.
Satisfiesprincipal: Verifies that the given identity ID matches the type described in the given principal. The process is based on the identity of the type of a switch-case branch of the process of judgment, the decision is to extract the ID and the corresponding principal in the field information comparison. Mspmanager
type mspmanagerimpl struct {//MSP mapping, containing all established MSP, added MSP Mspsmap MAP[STRING]MSP//is normally enabled for identity up bool}/ /MSPs the Mspsmap func (Mgr *mspmanagerimpl) Setup (MSPs []msp) error {...}///////////////////////////////According to the given byte format, return its corresponding identity structure fu NC (Mgr *mspmanagerimpl) deserializeidentity (Serializedid []byte) (Identity, error) {