What is the difference between ImplicitMeta and Signature? I'm trying to understand how Hyperledger policy works, but I find it hard to understand. What exactly is the difference between the next two code blocks?:
Policies:
    Readers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
    Writers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
    Admins:
        Type: Signature
        Rule: "OR('Org2MSP.admin')"

Policies:
    Readers:
        Type: ImplicitMeta
        Rule: "ANY Readers"
    Writers:
        Type: ImplicitMeta
        Rule: "ANY Writers"
    Admins:
        Type: ImplicitMeta
        Rule: "MAJORITY Admins"
A Signature policy is a low-level policy and specifies the particular roles whose signatures can satisfy the policy. It can be applied at all levels, from organization-related to channel-related policies.
There are some default Signature policies in Fabric: Readers, Writers, Admins. Readers defines which principals can read the ledger, Writers defines which principals can write to the channel ledger, and Admins defines which principals can perform administrator actions (organization/channel updates). Custom policies can also be created according to your needs.
Rules in Signature policies are expressions consisting of operations and principals. For example, the statement:
Admins:
    Type: Signature
    Rule: "OR('Org2MSP.admin')"
declares that every admin of Organization 2 can perform administrative tasks.
An ImplicitMeta policy stands at a higher configuration level. ImplicitMeta policies avoid duplicate records and multiple changes when a policy is updated. The rule here is linked to other ImplicitMeta or Signature policies, but the final decision is evaluated by a Signature policy. In contrast to a Signature policy, an ImplicitMeta policy can be applied only at the channel configuration level.
For example:
Admins:
    Type: ImplicitMeta
    Rule: "MAJORITY Admins"
Admins refers to the Signature policy named Admins that specifies the admins at the organization level. Hence, in order to edit an application-related parameter, such as adding a new organization to the application channel, the majority of the admins of the organizations participating in the channel must agree to that change.
For more, please study: https://hyperledger-fabric.readthedocs.io/en/release-1.4/access_control.html
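To make the distinction concrete, here is an added example (not from the answer above and not Fabric's own code) that evaluates a Signature rule against a set of signers and then applies an ImplicitMeta rule such as "MAJORITY Admins" over the per-organization Admins policies. It assumes two organizations with constructed Signature policies and represents a signer as the string "<MSP>.<role>"; real Fabric additionally checks MSP membership and the cryptographic signature, which is skipped here.

```python
import re

# Constructed organization-level Signature policies (the first YAML block of the
# question, duplicated for a second org). A signer is the string "<MSP>.<role>";
# real Fabric checks MSP membership and the signature itself, skipped here.
ORG_POLICIES = {
    "Org1MSP": {"Admins": "OR('Org1MSP.admin')",
                "Writers": "OR('Org1MSP.admin', 'Org1MSP.client')"},
    "Org2MSP": {"Admins": "OR('Org2MSP.admin')",
                "Writers": "OR('Org2MSP.admin', 'Org2MSP.client')"},
}

def signature_satisfied(rule, signers):
    """Evaluate a Signature rule: OR(...), AND(...) or OutOf(n, ...)."""
    op, body = re.fullmatch(r"\s*(OR|AND|OutOf)\((.*)\)\s*", rule).groups()
    principals = re.findall(r"'([^']+)'", body)
    if op == "OutOf":
        needed = int(body.split(",", 1)[0])   # first argument is the threshold
    else:
        needed = 1 if op == "OR" else len(principals)
    return sum(p in signers for p in principals) >= needed

def implicit_meta_satisfied(rule, signers, org_policies=ORG_POLICIES):
    """Evaluate 'ANY|ALL|MAJORITY <name>': the sub-policy called <name> of every
    org is evaluated, then the quantifier is applied to the satisfied count."""
    quantifier, name = rule.split()
    results = [signature_satisfied(org[name], signers) for org in org_policies.values()]
    satisfied, total = sum(results), len(results)
    if quantifier == "ANY":
        return satisfied >= 1
    if quantifier == "ALL":
        return satisfied == total
    return satisfied > total // 2             # MAJORITY: strictly more than half
```

With two organizations, "MAJORITY Admins" needs both Org1MSP's and Org2MSP's Admins policies satisfied, so a single organization's admin cannot push a channel update through alone.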
I want to look at libraries that can implement crypto functions to validate digital signatures.
There's no built-in function to validate signatures in Daml. All signature validation happens through the signatory declaration on templates, which should be flexible enough via various patterns to handle signature validation however you need.
It would be helpful to understand what you're trying to achieve with signature verification.
In cryptocurrencies, public cryptographic primitives are needed since public keys define the identity; in other words, the signatures need to be publicly verifiable. In Daml this is usually not needed, since a party defines the identity and most information is inherently private to some group. As such, public verification isn't a common use case.
One way to use cryptographic primitives alongside Daml is to have clients of the Ledger API(s) sign and verify signatures. For example, if I want to authenticate that a specific human is performing an action based on a smart card in their possession, part of the workflow could include:
a party verifier creates a random nonce as a challenge, which is written to a contract
a party alice uses her smart card to sign the nonce and submits the signature as a choice parameter
party verifier validates the signature in order to progress the workflow
If you are using DAML, below is the code to accept an issued crypto coin; here you can add your conditional verification or check on coinAgreement.issuer.
For example, verify that he is both issuer and owner:
-- Daml Script: fetch the CoinIssuerVerify contracts visible to `issuer`
-- whose issuer and owner fields both match
coinIssuerVerify <- queryFilter @CoinIssuerVerify issuer
  (\cI -> (cI.issuer == issuer) && (cI.owner == owner))
template CoinIssue
  with
    coinAgreement: CoinIssueAgreement
  where
    -- the issuer authorizes the proposal; only the owner may accept it
    signatory coinAgreement.issuer
    controller coinAgreement.owner can
      AcceptCoinProposal
        : ContractId CoinIssueAgreement
        do create coinAgreement
We were trying to implement a policy in Azure to restrict role-based assignment. We referenced the GitHub policy below, but during testing we observed it's not evaluating the roleDefinitionIds defined in the parameter.
https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json
Tested with the roleIDs parameter below:
b24988ac-6180-42a0-ab88-20f7382dd24c (Contributor Role)
acdd72a7-3385-48ef-bd42-f606fba81ae7 (Reader Role)
Ideally, it should whitelist the role IDs defined in the parameter and deny the role assignment for other role IDs. But for some reason, during evaluation the Azure Policy service is not taking into account the role IDs defined in the parameter and is instead restricting role-based assignment for all roles.
Need help in troubleshooting this.
I tried with this role definition ID and it worked for me:
/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
And if you are assigning the policy from the Azure Portal and want to provide multiple values, you need to put a semicolon (;) between the values.
You may have input an invalid id. A valid role definition id looks like:
/subscriptions/%YOUR_SUBSCRIPTION_ID%/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
We are working on an instant messaging app based on XMPP, handling members-only persistent groups using XEP-0045 and MucSub.
We have some issues with room occupancy, and we didn't find a way to let users abandon a room permanently: we tried several approaches and none of them led to successful behavior.
The behavior we are looking for is very similar to WhatsApp and other similar mobile apps.
The first thing we had to think about is: which users do we consider as participants?
The parameters we can use are:
Affiliation
Role
Subscription
To consider it a working solution, we need:
All the standard and obvious features of group conversations
Members can join and leave the group
If a member leaves a group, he cannot rejoin without an invitation
Members can see the list of members and their privileges
Membership should not be affected by the member’s connection status
The member list and privileges must be persistent across server reboots
Our test environment:
Ejabberd 19.09 with mucsub enabled
PostgreSQL DB
We explored the following approaches:
Approach 1:
We can use the affiliation to determine if a user is a participant, and consider him a non-participant when the affiliation is none, outcast or not affiliated.
Who we consider as a participant:
Affiliation: member (or owner or admin)
Role: any
Subscription: any
How to abandon a room:
a. Sending a presence unavailable
<presence to='roomX@conference.x.com/test2' from='test2@x.com' type='unavailable'>
  <status>leave</status>
</presence>
b. Changing your own affiliation
<iq from='test2@x.com/app'
    id='1234'
    to='roomX@conference.x.com'
    type='set'>
  <query xmlns='http://jabber.org/protocol/muc#admin'>
    <item affiliation='none' jid='test2@x.com'/>
  </query>
</iq>
New attributes of ex-participants:
Affiliation: none (or outcast if the user has been banned)
Role: any
Subscription: any (more probably the user will be unsubscribed, but this parameter is not checked to determine participants)
Issues:
Sending a presence unavailable does not affect the affiliation (it's not reflected anywhere in the DB).
Sending a presence unavailable sometimes does not get a response from the server (related issue opened here: Ejabberd MucSub: When a member sends a presence unavailable, the service does not respond).
Setting an affiliation for yourself does not work (as per the specs, only admins can change affiliations).
Approach 2:
We can use the subscription status to determine if a user is a participant, and consider him a non-participant when he unsubscribes.
Who we consider as a participant:
Affiliation: member (or owner or admin)
Role: any
Subscription: subscribed to all kinds of events
How to abandon a room:
The user will abandon a room by unsubscribing.
<iq from='test2@x.com'
    to='roomX@conference.x.com'
    type='set'
    id='12345'>
  <unsubscribe xmlns='urn:xmpp:mucsub:0' />
</iq>
New attributes of ex-participants:
Affiliation: member (or owner or admin)
Role: any
Subscription: not subscribed
Issues:
The ex-participant can rejoin (subscribe again) without an invitation, and following this approach he will be considered a participant again (with no invitation).
I have looked everywhere for an example of a QSealC signed message, and I could not find any info.
I need to verify the signature of a QSealC signed payload AND I need to sign the responding payload, but I understand that the payload is all in JSON.
Are there examples out there of QSealC signed payloads?
thanks
You will do both the signing and validation as detailed by the IETF's draft-cavage-http-signatures, where you should pay special attention to section 4.1.1 for constructing and section 2.5 for verifying the Signature header.
This draft is referenced by both Berlin Group's XS2A NextGenPSD2 Framework Implementation Guidelines and Stet (France). However, note that it's normal that each unique implementation imposes additional requirements on the HTTP Message Signing standard, e.g. by requiring specific headers to be signed or using a specially formatted keyId. I am not sure whether other standardizations such as Open Banking (UK) reference it.
Take note that you do not need actual QSealC PSD2 certificates to begin your implementation work on either the signing or the validation process, as you can create your own self-issued certificates, e.g. using OpenSSL, by adding the OIDs found in the ASN.1 profile described in ETSI TS 119 495.
However, I strongly recommend you find a QTSP in your region and order certificates both for development and testing, and for use in production when the time comes.
I won't go into details on the actual process of creating the signature itself, as it's very well detailed in draft-cavage-http-signatures, but consider the following example:
You're requesting GET https://api.bank.eu/v1/accounts, and after processing your outgoing request you end up with the following signing string:
date: Sun, 12 May 2019 17:03:04 GMT
x-request-id: 69df69c1-76d0-4590-8f28-50449a21d0d8
psu-id: 289da2e6-5a01-430d-8075-8f7af71f6d2b
tpp-redirect-uri: https://httpbin.org/get
The resulting Signature could look something like this:
keyId="SN=D9EA5432EA92D254,CA=CN=Buypass Class 3 CA 3,O=Buypass AS-983163327,C=NO",
algorithm="rsa-sha256",
headers="date x-request-id psu-id tpp-redirect-uri",
signature="base64(rsa-sha256(signing_string))"
The above signature adheres to the Berlin Group requirements as detailed in Section 12.2 of their implementation guidelines (as of v1.3), except for some line breaks added for readability. In short, the requirements are:
The keyId must be formatted as SN={serial},CA={issuer}, but note that it seems to be up to the ASPSP to decide how the serial and issuer are formatted. However, most are likely to require the serial to be in uppercase hexadecimal representation and the issuer to be formatted in conformance with RFC 2253 or RFC 4514.
The algorithm used must be either rsa-sha256 or rsa-sha512
The following headers must be part of the signing string if present in the request: date, digest, x-request-id, psu-id, psu-corporate-id, tpp-redirect-uri
The signature must be base64 encoded
As developers have only just begun to adopt this way of signing messages, you'll likely have to implement this yourself - but it's not too difficult if you carefully read the above-mentioned draft.
However, vendors have begun supporting the scheme, e.g. Apache CXF currently supports both signing and validation from v3.3.0 in their cxf-rt-rs-security-http-signature module as mentioned in the Apache CXF 3.3 Migration Guide. Surely, others will follow.
Validating the actual signature is easy enough, but validating the actual QSealC PSD2 certificate is a bit more cumbersome: you'll likely have to integrate with the EU's List of Trusted Lists to retrieve the root and intermediate certificates used to issue these certificates, and form a chain of trust together with e.g. Java's cacerts and the Microsoft Trusted Root Certificate Program. I personally have good experiences using difi-certvalidator (Java) for the actual validation process, as it proved very easy to extend to our needs, but there are surely many other good tools and libraries out there.
You'll also need to pay special attention to the certificate's organizationIdentifier (OID: 2.5.4.97) and qcStatements (OID: 1.3.6.1.5.5.7.1.3). You should check the certificate's organizationIdentifier against the Preta directory, as there might be instances where a TPP's authorization has been revoked by its NCA but a CRL revocation hasn't yet been published by its QTSP.
DISCLAIMER: When it comes to the whole QSealC PSD2 certificate signing and validation process, I find both Berlin Group and EBA to be very diffuse, leaving several aspects open to interpretation.
This is a rough explanation, but hopefully it gives you enough to get started.
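As an added example (not from the answer above and not any vendor's library), the following builds the draft-cavage signing string and Signature header for the request shown above, and checks a received Signature header against the Berlin Group requirements the answer lists. The RSA operation is supplied by the caller as a function sign(data) -> bytes (for instance PKCS#1 v1.5 with SHA-256 from the cryptography library); the sample request headers, the keyId and the uppercase-hex serial check are taken from the answer's example.

```python
import base64
import re

# Constructed sample: the request headers from the answer, and the header list
# that forms the signing string there.
SAMPLE_REQUEST = {
    "Date": "Sun, 12 May 2019 17:03:04 GMT",
    "X-Request-ID": "69df69c1-76d0-4590-8f28-50449a21d0d8",
    "PSU-ID": "289da2e6-5a01-430d-8075-8f7af71f6d2b",
    "TPP-Redirect-URI": "https://httpbin.org/get",
}
SIGNED_HEADERS = ["date", "x-request-id", "psu-id", "tpp-redirect-uri"]
KEY_ID = "SN=D9EA5432EA92D254,CA=CN=Buypass Class 3 CA 3,O=Buypass AS-983163327,C=NO"
# Berlin Group: these must be signed whenever they are present in the request.
REQUIRED_IF_PRESENT = ("date", "digest", "x-request-id", "psu-id",
                       "psu-corporate-id", "tpp-redirect-uri")
ALLOWED_ALGORITHMS = ("rsa-sha256", "rsa-sha512")

def signing_string(request_headers, header_names):
    """draft-cavage: one 'lowercased-name: value' line per header, joined by LF."""
    lower = {k.lower(): v for k, v in request_headers.items()}
    return "\n".join(f"{h}: {lower[h]}" for h in header_names)

def build_signature_header(request_headers, header_names, key_id, algorithm, sign):
    """sign(data: bytes) -> bytes is the caller's RSA PKCS#1 v1.5 signing call."""
    raw = sign(signing_string(request_headers, header_names).encode())
    sig = base64.b64encode(raw).decode()
    return (f'keyId="{key_id}",algorithm="{algorithm}",'
            f'headers="{" ".join(header_names)}",signature="{sig}"')

def parse_signature_header(value):
    """Split name="value" pairs; the keyId value itself contains commas."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def check_berlin_group(request_headers, signature_header):
    """Return the list of requirement violations (empty if acceptable)."""
    p = parse_signature_header(signature_header)
    problems = []
    if p.get("algorithm") not in ALLOWED_ALGORITHMS:
        problems.append(f"algorithm {p.get('algorithm')!r} not allowed")
    if not re.fullmatch(r"SN=[0-9A-F]+,CA=.+", p.get("keyId", "")):  # uppercase hex serial
        problems.append("keyId is not in SN={serial},CA={issuer} form")
    signed, present = p.get("headers", "").split(), {k.lower() for k in request_headers}
    for h in REQUIRED_IF_PRESENT:
        if h in present and h not in signed:
            problems.append(f"header {h} present in request but not signed")
    try:
        if not base64.b64decode(p.get("signature", ""), validate=True):
            raise ValueError
    except ValueError:
        problems.append("signature missing or not valid base64")
    return problems
```

The checker only covers the header-level rules from the answer; verifying the base64 signature against the QSealC certificate's public key, and validating that certificate, are separate steps.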
I've deployed an application based on Fiware generic enablers, in Docker. The versions are:
Orion 1.14
Cygnus 1.9.0
Authzforce 5.4.1
Keyrock: the latest
Pep-proxy: 7.0.1
but when I want to create a permission in Keyrock, I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field, like /resource1/<user>/info, or to specify only the resource prefix, like /resource2/<whatever>.
Does the syntax for dynamic resources really exist, and can Authzforce create permissions associated with a dynamic resource, or is it necessary to create an XACML rule?
Yes, it is necessary to create an Advanced XACML Rule. For example, you may look at the XACML Rule template in the IDM source code, which is used to generate a basic Rule (for a static resource path); you would have to customize it (besides removing the template code <%...%>), especially modifying the Target and the Condition elements (use the XACML function string-concatenate to create the string /resource1/{param}/info dynamically).
Another difficulty is to get the {param} value in the PEP and make sure it is sent in the XACML Request to the AuthzForce PDP. The Pep-proxy only gets/sends the following XACML attributes, as you can see from the Pep's Authzforce client code (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role. Therefore, if you want the user-id as {param}, for example, you have to modify the Pep code I just mentioned, i.e. extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) to the Request. Or use your own Pep and do whatever you want, of course.