Currently, an idemix signature leaks the organisation the credential's owner belongs to.
In many situations this is not desirable.
The MSP code to validate an Idemix Identity should be able to validate Idemix identity with hidden organizations.
In more details, the function verfiyProof (
func (id *Idemixidentity) verifyProof() error {
if id.OU == nil {
// Verify signature with hidden organization
valid, err := id.msp.csp.Verify(
id.msp.ipk,
id.associationProof,
nil,
&bccsp.IdemixSignerOpts{
RevocationPublicKey: id.msp.revocationPK,
Attributes: []bccsp.IdemixAttribute{
{Type: bccsp.IdemixHiddenAttribute},
{Type: bccsp.IdemixIntAttribute, Value: getIdemixRoleFromMSPRole(id.Role)},
{Type: bccsp.IdemixHiddenAttribute},
{Type: bccsp.IdemixHiddenAttribute},
},
RhIndex: rhIndex,
EidIndex: eidIndex,
Epoch: id.msp.epoch,
},
)
if err == nil && !valid {
panic("unexpected condition, an error should be returned for an invalid signature")
}
}
// Verify signature with organization
valid, err := id.msp.csp.Verify(
id.msp.ipk,
id.associationProof,
nil,
&bccsp.IdemixSignerOpts{
RevocationPublicKey: id.msp.revocationPK,
Attributes: []bccsp.IdemixAttribute{
{Type: bccsp.IdemixBytesAttribute, Value: []byte(id.OU.OrganizationalUnitIdentifier)},
{Type: bccsp.IdemixIntAttribute, Value: getIdemixRoleFromMSPRole(id.Role)},
{Type: bccsp.IdemixHiddenAttribute},
{Type: bccsp.IdemixHiddenAttribute},
},
RhIndex: rhIndex,
EidIndex: eidIndex,
Epoch: id.msp.epoch,
},
)
if err == nil && !valid {
panic("unexpected condition, an error should be returned for an invalid signature")
}
return err
}
Currently, an idemix signature leaks the organisation the credential's owner belongs to.
In many situations this is not desirable.
The MSP code to validate an Idemix Identity should be able to validate Idemix identity with hidden organizations.
In more details, the function
verfiyProof(idemix/idemixmsp.go
Line 350 in a765818