problem with proving identity using X.509 certificate


Siddharth Jain
 

Hello - If I am not mistaken, Fabric chaincode uses the X.509 certificate of the caller to ID the caller. But the public certificate is meant to be shared and is not a secret, so what prevents someone (tom) from impersonating someone else (jerry) using their X.509 certificate?


Gari Singh <garis@...>
 

The only way to call chaincode is through the peer. When a client submits a proposal, the peer authenticates the caller by verifying the signature on the proposal using the identity extracted from the creator field in the proposal. The signature can only be verified if the caller possesses the private key which matches the public key in the creator field. The peer then calls the chaincode and the GetCreator() function is a convenience mechanism for getting the identity of the caller. If you are super paranoid, the signed proposal is also available within chaincode so you could again verify the signature, but this would be overkill in my opinion.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------
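The check described in the reply above, as an added example that is not part of the original thread and is not Fabric's own code: a verifier accepts a proposal only if its signature validates against the public key in the creator certificate, so a copied certificate without the matching private key fails. Assumptions: the certificates are constructed and self-signed (a real Fabric identity is issued by an organization's CA, which the MSP also validates), the signature is ECDSA P-256 over SHA-256, and the names `newIdentity`, `sign` and `verifyProposal` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup errors are fatal in this demo
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity builds a constructed test identity: a P-256 key and a self-signed certificate (DER).
func newIdentity(cn string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return key, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// sign returns an ASN.1 ECDSA signature over SHA-256(proposal), made with the caller's private key.
func sign(key *ecdsa.PrivateKey, proposal []byte) []byte {
	digest := sha256.Sum256(proposal)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// verifyProposal checks sig against the public key of the certificate carried in the creator field.
func verifyProposal(creatorDER, proposal, sig []byte) bool {
	cert, err := x509.ParseCertificate(creatorDER)
	if err != nil {
		return false
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, proposal, sig) == nil
}

func main() {
	jerryKey, jerryCert := newIdentity("jerry")
	tomKey, _ := newIdentity("tom") // tom holds only his own private key
	p := []byte("constructed proposal bytes")
	fmt.Println(verifyProposal(jerryCert, p, sign(jerryKey, p)), verifyProposal(jerryCert, p, sign(tomKey, p)))
}
```

The first result is the legitimate case (jerry's key with jerry's certificate); the second is tom presenting jerry's certificate with a signature from his own key.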

-----fabric@... wrote: -----
To: "fabric@..." <fabric@...>
From: "Siddharth Jain"
Sent by: fabric@...
Date: 03/27/2020 12:27AM
Subject: [EXTERNAL] [Hyperledger Fabric] problem with proving identity using X.509 certificate

