hyperledger-archives / fabric

THIS IS A READ-ONLY historic repository. Current development is at https://gerrit.hyperledger.org/r/#/admin/projects/fabric . pull requests not accepted
https://gerrit.hyperledger.org/
Apache License 2.0

"Identity or token does not match" even if a correct enrolment ID/secret is used. #1991

Open sachikoy opened 8 years ago

sachikoy commented 8 years ago

Description

REST API call to /registrar returns an error which says "Identity or token does not match" even if a correct enrolment ID/secret is used.

Describe How to Reproduce

An easy way to reproduce:

  1. set up a blockchain network with multiple (e.g., four) validating peers, with security enabled.
  2. access one peer's /registrar with an enrolment ID/secret (e.g., test_user0)
  3. access another peer's /registrar using the same enrolment ID/secret (e.g., test_user0)
  4. then the second attempt fails with the error mentioned above.

Is this intended by design? A problem is that there seems to be no way to allow the user to access multiple validating peers, or to switch from one to another. In addition, the same problem seems to occur when a validating peer crashes and is rebooted. The enrolment ID that was used before can never be used again.

angrbrd commented 8 years ago

Hi @sachikoy,

The enrollmentID and enrollmentSecret pair that is used to perform the enrollment with the membership service server is indeed a one-time-use set of credentials. Once you have performed the enrollment one time on one peer, it will fail on subsequent enrollments. This is elaborated on here:

https://github.com/hyperledger/fabric/blob/master/docs/API/SandboxSetup.md#note-on-security-functionality

If you must send your transaction to one of the other peer IP addresses, not the original peer IP that performed the user enrollment, that second peer will not have the appropriate user cert/tokens to transact. The current approach to transacting through multiple peers was to configure the application and peer nodes to replicate the location of the stored crypto among themselves. This was the approach that was discussed quite some time ago. @adecaro and @elli-androulaki, I assume that is still the suggested approach at this time?

Though I appreciate you bringing this issue back up to our attention as we need to document a more straight forward way of actually going through the procedure above.

sachikoy commented 8 years ago

Hi @angrbrd. So I think the current design assumes that when a user performs enrolment on one peer, the peer is trusted by the user, and maintains the security tokens (especially the private key of the Ecert) for the user, retrieves Tcerts and signs transactions using the Tcert keys. But on the other hand, when one accesses the REST API, he can easily impersonate another user by specifying the enrolment ID in the REST request. I raised the issue before: https://github.com/hyperledger/fabric/issues/1459

I still cannot understand what is the best practice for using the REST API with security.

smithbk commented 8 years ago

@sachikoy The REST API is not secure. You should use the new node SDK API. This will keep the ecert's private key in the local KeyValStore, which means it doesn't matter which peer you connect to. See fabric/sdk/node/README.md for more info.

kishansagathiya commented 7 years ago

@angrbrd @sachikoy I am also getting the same error (Identity or token does not match) even though I am using the correct enrollID and enrollSecret. I have gone through all the discussion here and also https://github.com/hyperledger-archives/fabric/issues/2004, but I am not able to figure out how to rectify this.

Below is the command that is causing the error

kishan@kishan-Inspiron-3542:~/composer-sample-app$ composer archive create --archiveFile digitalproperty-network.bna --sourceType module --sourceName digitalproperty-network && composer network deploy --archiveFile  digitalproperty-network.bna  --enrollId admin --enrollSecret Xurw3yU9zI0l

Creating Business Network Archive

Node module search path : 
undefined 

Not found in main node_module search path, trying current directory :/home/kishan/composer-sample-app/node_modules/digitalproperty-network
Looking for package.json of Business Network Definition in /home/kishan/composer-sample-app/node_modules/digitalproperty-network

Found:
Description:Digital Property Network
Name:digitalproperty-network
Identifier:digitalproperty-network@0.0.7

Written Business Network Definition Archive file to digitalproperty-network.bna
Command completed successfully.

Command succeeded

Deploying business network from archive: digitalproperty-network.bna
Business network definition:
    Identifier: digitalproperty-network@0.0.7
    Description: Digital Property Network

Error: Identity or token does not match.
Command failed

kishan@kishan-Inspiron-3542:~/composer-sample-app$ 

Also @angrbrd, the https://github.com/hyperledger/fabric/blob/master/docs/API/SandboxSetup.md#note-on-security-functionality link does not exist; if there is some other link where this material is available, please post the link here.