Fabric Source Parsing 12--peer MSP service
MSP is the abbreviation for Membership service Provider , and the personal custom is a member relationship service provider . The role is similar to having a large number of participants in a running fabric system network, in order to manage these participants, identify who is qualified, who is ineligible, maintain the rights of one participant, and maintain the relationship between participants. For more professional concepts on MSP, see the fabric documentation.
Here say a digression, recently these articles actually feel very awkward, because some modules are interrelated, put together to say the article is too complex, the subject is unclear, separate said and feel not deep, form a system, such as MSP and BCCSP between. After the end of the start.go, there will be Chaincode installation and other highly operational articles, in these articles, with specific examples, through the original data in the system by the various services received, processed, transmitted, in order to form a comparative system understanding.
The core code for MSP is in /fabric/msp , where the relevant code is distributed in /fabric/common/config/msp,/fabric/protos/msp,/fabric/sampleconfig/ MSP. The main directory structure is as follows: MSP
Msp.go-Defines the main interface such as Msp,mspmanager,identity,signingidentity Mspimpl.go-implements the MSP interface, the structure is Bccspmsp mspmgrimpl.go- Implements the Mspmanager interface, the structure is Mspmanagerimpl Identities.go-implements the Identity,signingidentity interface Configbuilder.go- Provides a data structure that reads the certificate file and assembles it into an interface required by an MSP, transforms the configuration structure (by Factoryopts->mspconfig) and other tool functions Mgmt-msp the Management code directory
Mgmt.go-Main files, Localmsp and Mspmap are in this file, and there are multiple administrative functions common
Config
Msp/config.go-Implements the Mspmanager interface, the structure is Mspconfighandler, is used to configure the MSP, for the CONFIGTX tool Protos
MSP-the original MSP configuration (mspconfig), definitions, and corresponding generated. Go Files sampleconfig
Msp-msp an instance of the required certificate file, etc.
structure diagram :
Endorsement Inspection
FABIRC Source Resolution 11 involves the endorser service used to the MSP to receive the Signedproposal message to test, in this will be detailed inspection process.
function Tracing Process: processproposal---validation. Validateproposalmessage, Checksignaturefromcreator. In the Checksignaturefromcreator function, the following validation is performed:
The parameters received are:
creator sig in Creatorbytes-signatureheader -Signature msg in Signedproposal - Signedproposal in Proposalbytes
chainid -Channelheader channelid
// Identitydeserializer Object Mspobj is implemented according to Chainid
: = Mspmgmt. Getidentitydeserializer (Chainid)
//Use the acquired object to get the Creator Object creator, based on the binary creatorbytes data
, err: = Mspobj.deserializeidentity (creatorbytes)
//Use Creator method to verify
err = Creator. Validate ()
err = Creator. Verify (msg, SIG)
Getidentitydeserializer is defined in mgmt.go , and returns a Identitydeserializer interface object, which in effect eventually returns Bccspmsp object or mspmanagerimpl/mspconfighandler object, Since the Identitydeserializer interface can be seen from the annotations at the definition, it is important to note that both interfaces are bonded MSP and Mspmanager, both of which require the implementation of the Identitydeserializer interface. The corresponding, when returned is the Bccspmsp object, is through the Getlocalmsp function, its essence returns is the localmsp variable; mspmanagerimpl/is returned. The Mspconfighandler object is passed through the getmanagerforchain function, which essentially returns the Chainid value of the mspmap map.
Here is another Mspconfighandler object, in/fabric/common/config/msp/ Config.go in the definition, the object will Mspmanager interface as a member, nature should also implement the Identitydeserializer interface, but the conflict is that the search source, and did not find its implementation of Mspmanager interface code, presumably to allow users to implement their own or in the specific use of the time and then Assigns a specific Mspmanager implementation object. In the Getmanagerforchain function, if the member Mspmanager of the Mspconfighandler is empty, nil is returned directly, and the Checksignaturefromcreator function returns directly. In some test code, such as Mgmt_test.go, when instantiating a Mspconfighandler object, its Mspmanager members are initialized directly to the mspmanagerimpl of the system implementation or to nil directly. This object will be shelved first, and so on after the code encountered can be found in the re-fill.
Therefore,mspobj is a Bccspmsp object or Mspmanagerimpl object, which is represented by a and B, respectively. The Deserializeidentity method for implementing the Identitydeserializer interface is slightly different for the two objects because of the differences in their structure, but the same result. A is an MSP, and B implements Mspmanager, naturally shouldering the task of managing MSP, so its members have an MSP mapping Mspsmap, which is considered a bunch of MSP.
Both A and B unmarshal the received creatorbytes parameter into a serializedidentity structure object, which is defined in the fabric/protos/msp/ Identities.pb.go, and its members Mspid and idbytes will be used for subsequent validation of A and B.
A after verifying that the mspid is consistent with the name stored by itself, the idbytes passed into the deserializeidentityinternalof the tune function, For further verification; B verifies that a mapping with mspid as a key value exists in its own Mspsmap , and uses switch to determine the type of the mapped MSP object, if the system implements BCCSPMSP, The same as a to call deserializeidentityinternal, if the user's own implementation of the MSP, then to call the user implementation of the Deserializeidentity method, We leave this situation for the MSP that the user implements themselves.
The operation of the Deserializeidentityinternal function involves the BCCSP BCCSP in the mspobj object . BCCSP member, which is a BCCSP service object , and BCCSP is the provider of the cryptographic service for the entire system of the fabric, which is detailed in the topic article. The deserializeidentityinternal function receives idbytesand invokes a series of functions provided by BCCSP, such as Gethashopt, Hash, Keyimport, according to Idbytes , generate the data required for the identity object , and eventually the identity object is generated and returned. The identity object implements the identity interface, which is defined in Msp/identities.go, represents an identity object, and also provides validation capabilities (functions). This identity is used to indicate the identity of a member, including the name of the member, the certificate used, the encryption algorithm, the public key and the MSP object itself, and other information, the authentication capability refers to the Validate and Verify two functions provided by it.
Use the identity object , which is the value received by creator, to verify and confirm. Trace Validate and Verify two functions, all in/fabric/msp/ As defined in Identities.go, we will find that the final use is the Verify function of the BCCSP object contained in the validate and MSP objects of the MSP object it contains. Here and the 3rd step, the use of BCCSP services, not to repeat this. Identity validation (with certificate validation is a meaning that the concept of certificates and identities is overlapping, certificates represent identities) and signature Verification These two phrases are dedicated in the fabric document, corresponding to two functions validate and verify, i.e., the former verifies the identity, the latter confirms the signature.
To understand a service module, basically the problem is to focus on two points: what the Service module can do itself . how the system uses this module . Here's how to include when to use and how to use two meanings.
Let's start with this idea and learn about MSP services. Here is a description of the analogy and the explanation of the certificate:
To make an analogy:
A group of large companies, there may be a corporate headquarters, the group of sub-groups, respectively, involved in different business areas (such as construction group, business Development Group, investment group and other sub-groups), each group under each country has a number of branches, branches under the department, some of the staff, Staff members are divided between managers and ordinary staff. **
about the certificate (X509 certificate is used in fabric): The certificate itself is a container carrying the public key, the most important thing is the public key, and some authentication information. When comparing certificates, naturally compare the public keys. The ski is the identifier of the current certificate, the so-called identifier, which is generally a hash of the public key, the resulting character identifier. The ski is the identifier for the current certificate, and Aki is the signer's ski, which is the key identifier of the signatory party. A certificate is a level of trust, such as a CA's key signed your key, generated your certificate, that is, the CA certified your certificate, that is, your certificate is the next level certificate of the CA certificate. The original CA certificate's own identifier is also the ski, and for you this certificate, CA that certificate identifier is your signer identifier, that is, Aki. The ski at the upper level becomes the next level of Aki. X509 is a type of certificate, which can be described in the Admincerts,cacerts file under/fabric/sampleconfig. # # Identity and Signingidentity interface identity
The identity of the type identity struct {//instance, such as Mspid, ID *identityidentifier//instance corresponding to the X509 certificate, represents the identity Cert *x509. Certificate//instance of the identity of the public key PK BCCSP. Key//"Owning" MSP instance MSP *bccspmsp}//Call MSP's Satisfiesprincipal interface to check if the identity instance matches the type described in principal//if matching, returns nil Func (ID *identity) Satisfiesprincipal (Principal *msp. Mspprincipal) error{return Id.msp.SatisfiesPrincipal (ID, principal)}//Call MSP's validate interface to verify this identity instance func (ID *identity) V Alidate () Error {return id.msp.Validate (ID)}//The Verify interface of the member BCCSP of the calling MSP confirms that the signature sig matches the message MSG, which also verifies the validity of the signature func (ID *identity ) Verify (msg []byte, sig []byte) Error {... digest, err: = Id.msp.bccsp.Hash (msg, hashopt) ... valid, err
: = Id.msp.bccsp.Verify (id.pk, SIG, Digest, nil) ...} Call the MSP's serializedidentity interface to convert this identity instance to byte form func (ID *identity) Serialize () ([]byte, error) {... sId: = &msp.s Erializedidentity{mspid:id.id.mspid, idbytes:pembytes} idbytes, err: = Proto.
Marshal (sId) ...} An interface implementation that is not listed is either useless (not implemented, just returned directlyError or print a word), or the GetXXX series ...
This omits the identity interface GetXXX related implementations, which are the acquisition of identity information, not a functional interface, and compared to the acquisition of identity information this relatively simple implementation, We are more interested in knowing how the data in identity is formed and what these data can do. Identity is the representative of the system member Identity , and the X509 certificate that it contains can represent that identity in the system, which is "owned" and managed by the MSP. The identity actually does not really realize what function, just the more essential to represent a member of the role (enough), this can be from the satisfiesprincipal,validate,verify, The implementation of a functional interface such as serialize shows that these implementations are implemented by invoking an interface that manages the MSP of this identity instance, while the identity instance itself provides only identity data. identity in the system, can represent the identity of a peer node, can represent an organization's identity, and other identity objects. Also, if an identity contains organization information (which means that the identity may not have organization information), the organization information is included in the X509 certificate.
The
is implemented from the Satisfiesprincipal interface, which can lead to the type of the identity. The original definition of the type is Msp_principal.proto and the corresponding build in /fabric/protos/common msp_ Principal.pb.go . The struct is Mspprincipal and has the following three types of identities: role , which represents a role with members member and Manager Admin points. Similar to a company, general staff and managers. Organization_unit , which represents the organizational unit . Similar to a company, a department. Identity , which represents a normal identity . is relative to Organization_unit, similar to a company, an individual. signingidentity
Type signingidentity struct {
//Signer Identity instance identity
//crypto "Dedicated signature pen" signer crypto in the library
. Signer
}
//signature func on MSG (
ID *signingidentity) sign (msg []byte) ([]byte, error) {
// Gets the hash option for signing (signed with which hash technique)
hashopt, err: = Id.gethashopt (id.msp.cryptoConfig.SignatureHashFamily) ...
//Get hash Value
Digest, err: = Id.msp.bccsp.Hash (msg, hashopt) ...
Use a dedicated signature pen to sign the
return Id.signer.Sign (rand. Reader, Digest, nil)
}
//Other implementations are not substantively implemented (just returning an error) ...
The signer identity is an identity with a " dedicated signature pen ". Naturally, it is also used for signing. In all of the identity objects managed by the MSP, you can specify that some members are used to sign the message. In the sign implementation, the "dedicated signature pen" is used to crypto the signer object in the standard library, and some functions of the MSP are used as auxiliary for signing.
The identity can be imagined as a department or an individual employee, when it is a department, it is the type of organization, when an individual, there are managers and ordinary staff points. MSP and Mspmanager interface MSP
type bccspmsp struct {//root cas rootcerts []identity//intermediate cas Interme Diatecerts []identity///Signing Identity signer signingidentity//Administrator Identity List Admins []identity//encryption Algorithm BCCSP BCCSP . BCCSP//msp's name is named string//Validation option opts *x509. Verifyoptions//Revoke CAS CRL []*pkix. Certificatelist//Organization list Ouidentifiers Map[string][][]byte//Encryption options CryptoConfig *m.fabriccryptoconfig}//Based on
Configuration information Conf1 Create an MSP object that uses CONF1 to populate the field in this Bccspmsp instance, func (MSP *bccspmsp) Setup (conf1 *m.mspconfig) error {...}//Verify that the given identity ID is valid Func (MSP *bccspmsp) Validate (ID Identity) error {...}//Verify that the given identity ID matches the type described in the given principal Func (MSP *bccspmsp) SATISFI Esprincipal (id Identity, principal *m.mspprincipal) error{...}//the remainder are GETXXX series and auxiliary tune function
As for the fields in the BCCSPMSP structure, it is easy to understand what data the MSP needs to specify in the MSP Configuration section of the 9--document translator, which can be parsed against the FABIRC source code . This is named Bccspmsp, which means that the implementation uses BCCSP as the provider of its cryptographic technology, just as it has a member BCCSP. The MSP essentially carries the tasks of authentication and management, as described by the identity interface. The MSP can be imagined as a subsidiary, each of whom is either an individual of the company, a department of the company, an individual manager, or an ordinary employee, and these principals are represented by a common identity interface identity.
Setup: The setup process, as you might expect, is to clearly lunchbox the data carried in the parameter conf1 and populate the Bccspmsp fields, which uses the BCCSP encryption technique, If some of the required data conf1 are not available, the default value is set. That is to say,Conf1 has the data we need, so how does this conf1 form, and where does the data come from? If you do not want to search the source code to see when and where the interface is called (since it is going to be called, it will certainly be ready for the data, so you can find out how the CONF1 is formed), then you can directly see the test or mock file, here, more simple and straightforward and can explain the problem is/fabric/msp /mspwithintermediatecas_test.go This test file, a simple look inside the setup call before the Conf data assembly, you can know how the Conf.
Validate: Verify identity valid, main authentication (meet) three points: the identity of the X509 certificate that is present in Bccsmsp rootcerts or intermediatecerts. This requires you to be more familiar with the X509 certificate Certificate method Verify usage (traceability validate function can be found), the prototype is func (c *certificate) Verify (opts verifyoptions) (chains [][]*certificate, err Error], the parameter used here is opts is BCCSMSP member opts, this member is quite with a certificate map, that is, indicating the function to which certificate pool (Certpool) In contrast to the C certificate. OPTs is initialized to include Rootcerts and intermediatecerts two certificate pools in the Bccsmsp Setup implementation. The X509 certificate that is carried in the identity is not in the CRL. The contrast here is not directly compared to the certificate itself, because the structure of the CRL is pkix.certificatelist. The organization information carried in the identity is valid.
Satisfiesprincipal: Verifies that the given identity ID matches the type described in the given principal. Process is a process of switch-case branching judgment based on the type of identity, which is a comparison of the corresponding field information in the ID and principal respectively. Mspmanager
Type Mspmanagerimpl struct {
//MSP mapping, contains all established MSP, added MSP
mspsmap Map[string]msp
//Whether the identity up is normally enabled
BOOL
}
//Populates the instance with Mspsmap
func (Mgr *mspmanagerimpl) Setup (MSPs []msp) error {...}
according to the given MSPs. Returns its corresponding identity struct,
func (Mgr *mspmanagerimpl) deserializeidentity (Serializedid []byte), based on the identity of the given byte format ( Identity, error) {...}
GETXXX Series
func (Mgr *mspmanagerimpl) Getmsps () (Map[string]msp, error) {
return mgr.mspsmap, nil
}
Mspmanager can be imagined as a sub-group of subsidiaries of its management group, and these subsidiaries are represented by an MSP interface . Mgmt
The local MSP instance object is
var Localmsp msp. MSP
//Mspmanager mapping var mspmap map[string]msp that is stored locally by Chaincodeid key
. Mspmanager = Make (Map[string]msp. Mspmanager)
//Load local MSP
func Loadlocalmsp (dir string, Bccspconfig *factory from directory dir. Factoryopts, mspid String) error {
...
Call Getlocalmspconfig in Configbuilder.go to convert factoryopts to Mspconfig
conf, err: = MSP. Getlocalmspconfig (dir, Bccspconfig, mspid) ...
Localmsp return Getlocalmsp () is populated according to the setup of Conf call Localmsp
. Setup (conf)
}
//Gets the Mspmanager of the specified Chaincodeid, and if not, creates a
func Getmanagerforchain (Chainid string) MSP. Mspmanager {...}
Other public functions, GETXXX series and temporary substitutes Xxxsetmspmanager ...
MGMT is the abbreviation of management, which is the meaning of management. The local point here is the peer node, and Mgmt is not a specific object. It can be said that the functions that are often called and used by peer other modules are the functions provided here, that is, MGMT is the window that provides the MSP service externally. The body of the MSP data store isLocalmspAndMspmap。Localmsp, local MSP, which manages all local identities.Loadlocalmspis to Localmsp read the MSP data, step by step, save the configuration options, and then call the setup to populate the Localmsp. In the GetXXX series, LOCALMSP is related to providing this local MSP to the outside world. In5–kvledger initialization of fabric source analysisThe left of theInitcryptoQuestion, it can be explained here that Initcrypto is called in the main function in/fabric/peer/main.go and is defined in/fabric/peer/common/common.go. And in the Initcrypto, it calls theLoadlocalmsp, the peer node local MSP is initialized. In/fabric/orderer/main.go, it also calls theLoadlocalmsp, the local MSP for the Orderer node is initialized.Mspmapis a Chaincodeid-key mapping, which can treat each chaincode as a different business domain, and Mspmap as a set of subsets of each chaincode on a chaincode basis, These sub-groups manage this own subsidiary (MSP) in their respective business areas.GetmanagerforchainThe function is both the data giver and the data donor, and when the given Chaincodeid does not exist, a Mspmanager object is automatically created, and the corresponding Mspmanager is returned when the given Chaincodeid is present. As in the Checkinstantiationpolicy function in/fabric/core/scc/lscc/lscc.go, call theGetmanagerforchain, gets the mspmanager of the chaincode of the specified chainname for use.
Mgmt can be imagined as a group company headquarters, management of the various sub-groups (Mspmanager) and unified to the outside world to provide their own management of member data and information, which is called MSP Services.