identity service: protobuf protocol verion

Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>

Author: adecaro

token/services/identity/idemix/crypto/config.go

@@ -26,6 +26,8 @@ type (
 
 const (
 	ExtraPathElement = "msp"
+
+	ProtobufProtocolVersionV1 uint64 = 1
 )
 
 // SignerConfig contains the crypto material to set up an idemix signing identity
@@ -162,13 +164,19 @@ func NewConfigFromRaw(issuerPublicKey []byte, configRaw []byte) (*Config, error)
 	if !bytes.Equal(issuerPublicKey, config.Ipk) {
 		return nil, errors.Errorf("public key does not match [%s]=[%s]", hash.Hashable(config.Ipk), hash.Hashable(issuerPublicKey))
 	}
+	// match version, supported are: ProtobufProtocolVersionV1
+	if config.Version != ProtobufProtocolVersionV1 {
+		return nil, errors.Errorf("unsupported protocol version: %d", config.Version)
+	}
+
 	return config, nil
 }
 
 func assembleConfig(issuerPublicKey []byte, signer *config.IdemixSignerConfig) (*Config, error) {
 	idemixConfig := &config.IdemixConfig{
-		Ipk:    issuerPublicKey,
-		Signer: signer,
+		Version: ProtobufProtocolVersionV1,
+		Ipk:     issuerPublicKey,
+		Signer:  signer,
 	}
 	return idemixConfig, nil
 }

token/services/identity/idemix/crypto/protos-go/config/idemix_config.pb.go

@@ -25,23 +25,26 @@ message SerializedIdemixIdentity {
 }
 
 message IdemixConfig {
+  // Version indicates message protocol version
+  uint64 version = 1;
+
   // Name holds the identifier of the
-  string name = 1;
+  string name = 2;
 
   // ipk represents the (serialized) issuer public key
-  bytes ipk = 2;
+  bytes ipk = 3;
 
   // signer may contain crypto material to configure a default signer
-  IdemixSignerConfig signer = 3;
+  IdemixSignerConfig signer = 4;
 
   // revocation_pk is the public key used for revocation of credentials
-  bytes revocation_pk = 4;
+  bytes revocation_pk = 5;
 
   // epoch represents the current epoch (time interval) used for revocation
-  int64 epoch = 5;
+  int64 epoch = 6;
 
   // curve_id indicates which Elliptic Curve should be used
-  string curve_id = 6;
+  string curve_id = 7;
 }
 
 // IdemixSignerConfig contains the crypto material to set up an idemix signing identity
@@ -68,5 +71,5 @@ message IdemixSignerConfig {
   string revocation_handle = 7;
 
   // is the identifier of the secret key sk
-  bytes ski = 9;
+  bytes ski = 8;
 }

token/services/identity/idemix/crypto/protos/idemix_config.proto

@@ -47,6 +47,10 @@ func NewKeyManager(conf *crypto2.Config, signerService SignerService, sigType bc
 	if conf == nil {
 		return nil, errors.New("no idemix config provided")
 	}
+	if conf.Version != crypto2.ProtobufProtocolVersionV1 {
+		return nil, errors.Errorf("unsupported protocol version [%d]", conf.Version)
+	}
+
 	logger.Debugf("setting up Idemix key manager instance %s", conf.Name)
 
 	// Import Issuer Public Key

token/services/identity/idemix/km.go

@@ -45,6 +45,13 @@ func testNewKeyManager(t *testing.T, configPath string, curveID math.CurveID, ar
 	cryptoProvider, err := crypto2.NewBCCSP(keyStore, curveID, aries)
 	assert.NoError(t, err)
 
+	// check that version is enforced
+	config.Version = 0
+	_, err = NewKeyManager(config, sigService, types.EidNymRhNym, cryptoProvider)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "unsupported protocol version [0]")
+	config.Version = crypto2.ProtobufProtocolVersionV1
+
 	// new key manager loaded from file
 	assert.Empty(t, config.Signer.Ski)
 	keyManager, err := NewKeyManager(config, sigService, types.EidNymRhNym, cryptoProvider)

token/services/identity/idemix/km_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	math "github.com/IBM/mathlib"
+	"github.com/hyperledger-labs/fabric-smart-client/pkg/utils/proto"
 	"github.com/hyperledger-labs/fabric-token-sdk/token"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/driver"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/idemix/crypto"
@@ -87,6 +88,17 @@ func testNewKeyManagerProvider(t *testing.T, configPath string, curveID math.Cur
 	signAndVerify(t, km)
 	checkRawContent(t, config.Ipk, idConfig.Raw)
 	assert.Equal(t, configRaw, idConfig.Raw)
+
+	// change the version in the configuration, it must fail now
+	config2, err := crypto.NewConfigFromRaw(config.Ipk, idConfig.Raw)
+	assert.NoError(t, err)
+	config2.Version = 0
+	config2Raw, err := proto.Marshal(config2)
+	assert.NoError(t, err)
+	idConfig.Raw = config2Raw
+	_, err = kmp.Get(idConfig)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "unsupported protocol version: 0")
 }
 
 func signAndVerify(t *testing.T, km membership.KeyManager) {

token/services/identity/idemix/kmp_test.go

@@ -18,6 +18,8 @@ const (
 	SignCertsDirName = "signcerts"
 	KeyStoreDirName  = "keystore"
 	PrivSKFileName   = "priv_sk"
+
+	ProtobufProtocolVersionV1 uint64 = 1
 )
 
 func LoadConfig(dir string, keyStoreDirName string) (*Config, error) {
@@ -49,6 +51,7 @@ func LoadConfig(dir string, keyStoreDirName string) (*Config, error) {
 
 func LoadConfigWithIdentityInfo(signingIdentityInfo *SigningIdentityInfo) (*Config, error) {
 	config := &Config{
+		Version:         ProtobufProtocolVersionV1,
 		SigningIdentity: signingIdentityInfo,
 		CryptoConfig: &CryptoConfig{
 			SignatureHashFamily: bccsp.SHA2,