Idemix Schema Manager support (#1144)

Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>
Co-authored-by: Marcus Brandenburger <bur@zurich.ibm.com>

Author: adecaro

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/gobuffalo/packr/v2 v2.7.1
 	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717092234-498fe9f61b5f
+	github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717111311-f6c3bf731689
 	github.com/hyperledger/fabric-chaincode-go/v2 v2.3.0
 	github.com/hyperledger/fabric-lib-go v1.1.3-0.20240523144151-25edd1eaf5f5
 	github.com/hyperledger/fabric-protos-go-apiv2 v0.3.7

go.sum

@@ -1057,8 +1057,8 @@ github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc=
 github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8=
 github.com/hyperledger-labs/SmartBFT v0.0.0-20250503203013-eb005eef8866 h1:Mu/6NJsfl9g3wM15Ue7hqPq4LtgYDoABh8MO4u8aW4g=
 github.com/hyperledger-labs/SmartBFT v0.0.0-20250503203013-eb005eef8866/go.mod h1:9aNHNXsCVy/leGz2gpTC1eOL5QecxbSAGjqsLh4T1LM=
-github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717092234-498fe9f61b5f h1:ZXZ7qfT4m/tXqVhDoSrMwX7g2oRJtobN9lG90rKzSno=
-github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717092234-498fe9f61b5f/go.mod h1:34dRgLomeTQYI7fffCYDTiSQSRo9LBsPuq0aWBU5EOA=
+github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717111311-f6c3bf731689 h1:yR1Fv/9fVNtHNMfGO/9HDDd0Rx4LTQzUCDZsWwgVwwo=
+github.com/hyperledger-labs/fabric-smart-client v0.5.1-0.20250717111311-f6c3bf731689/go.mod h1:34dRgLomeTQYI7fffCYDTiSQSRo9LBsPuq0aWBU5EOA=
 github.com/hyperledger/aries-bbs-go v0.0.0-20240528084656-761671ea73bc h1:3Ykk6MtyfnlzMOQry9zkxsoLWpCWZwDPqehO/BJwArM=
 github.com/hyperledger/aries-bbs-go v0.0.0-20240528084656-761671ea73bc/go.mod h1:Kofn6A6WWea1ZM8Rys5aBW9dszwJ7Ywa0kyyYL0TPYw=
 github.com/hyperledger/fabric v1.4.0-rc1.0.20250510200036-435a7f1a780a h1:l9dE3iuE+mKj7K8Tcx904cF8zJpaNQONh3GNZdXnnyc=

integration/ports.go

@@ -37,26 +37,26 @@ var (
 		CommType:          fsc.WebSocket,
 		ReplicationFactor: token.None,
 	}
-	LibP2PNoReplication = &InfrastructureType{
-		Label:             ginkgo.Label("libp2p"),
-		CommType:          fsc.LibP2P,
-		ReplicationFactor: token.None,
-	}
 	WebSocketWithReplication = &InfrastructureType{
 		Label:             ginkgo.Label("replicas"),
 		CommType:          fsc.WebSocket,
 		ReplicationFactor: 3,
 	}
+	LibP2PNoReplication = &InfrastructureType{
+		Label:             ginkgo.Label("libp2p"),
+		CommType:          fsc.LibP2P,
+		ReplicationFactor: token.None,
+	}
 
 	WebSocketNoReplicationOnly = []*InfrastructureType{
 		WebSocketNoReplication,
 	}
-	LibP2PNoReplicationOnly = []*InfrastructureType{
-		LibP2PNoReplication,
-	}
 	WebSocketWithReplicationOnly = []*InfrastructureType{
 		WebSocketWithReplication,
 	}
+	LibP2PNoReplicationOnly = []*InfrastructureType{
+		LibP2PNoReplication,
+	}
 
 	AllTestTypes = []*InfrastructureType{
 		WebSocketNoReplication,

token/services/identity/idemix/crypto/audit.go

@@ -13,12 +13,27 @@ import (
 	"github.com/pkg/errors"
 )
 
+type Schema = string
+
+// SchemaManager handles the various credential schemas. A credential schema
+// contains information about the number of attributes, which attributes
+// must be disclosed when creating proofs, the format of the attributes etc.
+type SchemaManager interface {
+	// EidNymAuditOpts returns the options that `sid` must use to audit an EIDNym
+	EidNymAuditOpts(schema string, attrs [][]byte) (*csp.EidNymAuditOpts, error)
+	// RhNymAuditOpts returns the options that `sid` must use to audit an RhNym
+	RhNymAuditOpts(schema string, attrs [][]byte) (*csp.RhNymAuditOpts, error)
+}
+
 type AuditInfo struct {
 	EidNymAuditData *csp.AttrNymAuditData
 	RhNymAuditData  *csp.AttrNymAuditData
 	Attributes      [][]byte
-	Csp             csp.BCCSP `json:"-"`
-	IssuerPublicKey csp.Key   `json:"-"`
+
+	Csp             csp.BCCSP     `json:"-"`
+	IssuerPublicKey csp.Key       `json:"-"`
+	SchemaManager   SchemaManager `json:"-"`
+	Schema          string
 }
 
 func (a *AuditInfo) Bytes() ([]byte, error) {
@@ -44,16 +59,18 @@ func (a *AuditInfo) Match(id []byte) error {
 		return errors.Wrap(err, "could not deserialize a SerializedIdemixIdentity")
 	}
 
+	eidAuditOpts, err := a.SchemaManager.EidNymAuditOpts(a.Schema, a.Attributes)
+	if err != nil {
+		return errors.Wrap(err, "error while getting a RhNymAuditOpts")
+	}
+	eidAuditOpts.RNymEid = a.EidNymAuditData.Rand
+
 	// Audit EID
 	valid, err := a.Csp.Verify(
 		a.IssuerPublicKey,
 		serialized.Proof,
 		nil,
-		&csp.EidNymAuditOpts{
-			EidIndex:     EIDIndex,
-			EnrollmentID: string(a.Attributes[EIDIndex]),
-			RNymEid:      a.EidNymAuditData.Rand,
-		},
+		eidAuditOpts,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error while verifying the nym eid")
@@ -62,16 +79,18 @@ func (a *AuditInfo) Match(id []byte) error {
 		return errors.New("invalid nym rh")
 	}
 
+	rhAuditOpts, err := a.SchemaManager.RhNymAuditOpts(a.Schema, a.Attributes)
+	if err != nil {
+		return errors.Wrap(err, "error while getting a RhNymAuditOpts")
+	}
+	rhAuditOpts.RNymRh = a.RhNymAuditData.Rand
+
 	// Audit RH
 	valid, err = a.Csp.Verify(
 		a.IssuerPublicKey,
 		serialized.Proof,
 		nil,
-		&csp.RhNymAuditOpts{
-			RhIndex:          RHIndex,
-			RevocationHandle: string(a.Attributes[RHIndex]),
-			RNymRh:           a.RhNymAuditData.Rand,
-		},
+		rhAuditOpts,
 	)
 	if err != nil {
 		return errors.Wrap(err, "error while verifying the nym rh")

token/services/identity/idemix/crypto/config.go

@@ -42,12 +42,14 @@ type SignerConfig struct {
 	Role int `protobuf:"varint,4,opt,name=role,json=role" json:"role,omitempty"`
 	// EnrollmentID contains the enrollment id of this signer
 	EnrollmentID string `protobuf:"bytes,5,opt,name=enrollment_id,json=enrollmentId" json:"enrollment_id,omitempty"`
-	// CRI contains a serialized Credential Revocation Information
+	// CRI contains a serialized CredentialRevocationInformation
 	CredentialRevocationInformation []byte `protobuf:"bytes,6,opt,name=credential_revocation_information,json=credentialRevocationInformation,proto3" json:"credential_revocation_information,omitempty"`
 	// RevocationHandle is the handle used to single out this credential and determine its revocation status
 	RevocationHandle string `protobuf:"bytes,7,opt,name=revocation_handle,json=revocationHandle,proto3" json:"revocation_handle,omitempty"`
 	// CurveID specifies the name of the Idemix curve to use, defaults to 'amcl.Fp256bn'
 	CurveID string `protobuf:"bytes,8,opt,name=curve_id,json=curveID" json:"curveID,omitempty"`
+	// Schema contains the version of the schema used by this credential
+	Schema string `protobuf:"bytes,9,opt,name=schema,json=schema" json:"schema,omitempty"`
 }
 
 const (
@@ -145,6 +147,7 @@ func NewFabricCAIdemixConfig(issuerPublicKey []byte, dir string) (*Config, error
 			EnrollmentId:                    si.EnrollmentID,
 			CredentialRevocationInformation: si.CredentialRevocationInformation,
 			RevocationHandle:                si.RevocationHandle,
+			Schema:                          si.Schema,
 		}
 	} else {
 		if !os.IsNotExist(errors.Cause(err)) {

token/services/identity/idemix/crypto/deserializer.go

@@ -27,13 +27,15 @@ type Deserializer struct {
 	VerType         bccsp.VerificationType
 	NymEID          []byte
 	RhNym           []byte
+	SchemaManager   SchemaManager
+	Schema          string
 }
 
-func (c *Deserializer) Deserialize(raw []byte, checkValidity bool) (*DeserializedIdentity, error) {
-	return c.DeserializeAgainstNymEID(raw, checkValidity, nil)
+func (d *Deserializer) Deserialize(raw []byte) (*DeserializedIdentity, error) {
+	return d.DeserializeAgainstNymEID(raw, nil)
 }
 
-func (c *Deserializer) DeserializeAgainstNymEID(identity []byte, checkValidity bool, nymEID []byte) (*DeserializedIdentity, error) {
+func (d *Deserializer) DeserializeAgainstNymEID(identity []byte, nymEID []byte) (*DeserializedIdentity, error) {
 	if len(identity) == 0 {
 		return nil, errors.Errorf("empty identity")
 	}
@@ -46,37 +48,41 @@ func (c *Deserializer) DeserializeAgainstNymEID(identity []byte, checkValidity b
 		return nil, errors.Errorf("unable to deserialize idemix identity: pseudonym's public key is empty")
 	}
 
+	// match schema
+	if serialized.Schema != d.Schema {
+		return nil, errors.Errorf("unable to deserialize idemix identity: schema does not match [%s]!=[%s]", serialized.Schema, d.Schema)
+	}
+
 	// Import NymPublicKey
-	NymPublicKey, err := c.Csp.KeyImport(
+	NymPublicKey, err := d.Csp.KeyImport(
 		serialized.NymPublicKey,
 		&bccsp.IdemixNymPublicKeyImportOpts{Temporary: true},
 	)
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to import nym public key")
 	}
 
-	idemix := c
+	idemix := d
 	if len(nymEID) != 0 {
 		idemix = &Deserializer{
-			Name:            c.Name,
-			Ipk:             c.Ipk,
-			Csp:             c.Csp,
-			IssuerPublicKey: c.IssuerPublicKey,
-			RevocationPK:    c.RevocationPK,
-			Epoch:           c.Epoch,
-			VerType:         c.VerType,
+			Name:            d.Name,
+			Ipk:             d.Ipk,
+			Csp:             d.Csp,
+			IssuerPublicKey: d.IssuerPublicKey,
+			RevocationPK:    d.RevocationPK,
+			Epoch:           d.Epoch,
+			VerType:         d.VerType,
 			NymEID:          nymEID,
+			SchemaManager:   d.SchemaManager,
 		}
 	}
 
-	id, err := NewIdentity(idemix, NymPublicKey, serialized.Proof, c.VerType)
+	id, err := NewIdentity(idemix, NymPublicKey, serialized.Proof, d.VerType, d.SchemaManager, d.Schema)
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot deserialize")
 	}
-	if checkValidity {
-		if err := id.Validate(); err != nil {
-			return nil, errors.Wrap(err, "cannot deserialize, invalid identity")
-		}
+	if err := id.Validate(); err != nil {
+		return nil, errors.Wrap(err, "cannot deserialize, invalid identity")
 	}
 
 	return &DeserializedIdentity{
@@ -85,12 +91,14 @@ func (c *Deserializer) DeserializeAgainstNymEID(identity []byte, checkValidity b
 	}, nil
 }
 
-func (c *Deserializer) DeserializeAuditInfo(raw []byte) (*AuditInfo, error) {
+func (d *Deserializer) DeserializeAuditInfo(raw []byte) (*AuditInfo, error) {
 	ai, err := DeserializeAuditInfo(raw)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed deserializing audit info [%s]", string(raw))
 	}
-	ai.Csp = c.Csp
-	ai.IssuerPublicKey = c.IssuerPublicKey
+	ai.Csp = d.Csp
+	ai.IssuerPublicKey = d.IssuerPublicKey
+	ai.SchemaManager = d.SchemaManager
+	ai.Schema = d.Schema
 	return ai, nil
 }

token/services/identity/idemix/crypto/id.go

@@ -27,14 +27,21 @@ type Identity struct {
 	// AssociationProof contains cryptographic proof that this identity is valid.
 	AssociationProof []byte
 	VerificationType bccsp.VerificationType
+
+	// Schema related fields
+	SchemaManager SchemaManager
+	Schema        Schema
 }
 
-func NewIdentity(idemix *Deserializer, nymPublicKey bccsp.Key, proof []byte, verificationType bccsp.VerificationType) (*Identity, error) {
-	id := &Identity{}
-	id.Idemix = idemix
-	id.NymPublicKey = nymPublicKey
-	id.AssociationProof = proof
-	id.VerificationType = verificationType
+func NewIdentity(idemix *Deserializer, nymPublicKey bccsp.Key, proof []byte, verificationType bccsp.VerificationType, schemaManager SchemaManager, schema Schema) (*Identity, error) {
+	id := &Identity{
+		Idemix:           idemix,
+		NymPublicKey:     nymPublicKey,
+		AssociationProof: proof,
+		VerificationType: verificationType,
+		SchemaManager:    schemaManager,
+		Schema:           schema,
+	}
 	return id, nil
 }
 
@@ -143,9 +150,11 @@ func (id *SigningIdentity) Sign(msg []byte) ([]byte, error) {
 }
 
 type NymSignatureVerifier struct {
-	CSP   bccsp.BCCSP
-	IPK   bccsp.Key
-	NymPK bccsp.Key
+	CSP           bccsp.BCCSP
+	IPK           bccsp.Key
+	NymPK         bccsp.Key
+	SchemaManager SchemaManager
+	Schema        Schema
 }
 
 func (v *NymSignatureVerifier) Verify(message, sigma []byte) error {