hyperledger · Oct 2, 2017
diff --git a/‎core/chaincode/lib/cid/README.md
+214 b/‎core/chaincode/lib/cid/README.md
+214
diff --git a/‎core/chaincode/lib/cid/cid.go
+244 b/‎core/chaincode/lib/cid/cid.go
+244
diff --git a/‎core/chaincode/lib/cid/cid_test.go
+151 b/‎core/chaincode/lib/cid/cid_test.go
+151
diff --git a/‎core/chaincode/lib/cid/interfaces.go
+55 b/‎core/chaincode/lib/cid/interfaces.go
+55
diff --git a/‎msp/identities.go
+1-1 b/‎msp/identities.go
+1-1
@@ -0,0 +1,214 @@
+# Client Identity Chaincode Library
+
+The client identity chaincode library enables you to write chaincode which
+makes access control decisions based on the identity of the client
+(i.e. the invoker of the chaincode).  In particular, you may make access
+control decisions based on either or both of the following associated with
+the client:
+
+* the client identity's MSP (Membership Service Provider) ID
+* an attribute associated with the client identity
+
+Attributes are simply name and value pairs associated with an identity.
+For example, `email=me@gmail.com` indicates an identity has the `email`
+attribute with a value of `me@gmail.com`.
+
+
+## Using the client identity chaincode library
+
+This section describes how to use the client identity chaincode library.
+
+All code samples below assume two things:
+1. The type of the `stub` variable is `ChaincodeStubInterface` as passed
+   to your chaincode.
+2. You have added the following import statement to your chaincode.
+    ```
+    import "github.com/hyperledger/fabric/core/chaincode/lib/cid"
+    ```
+#### Getting the client's ID
+
+The following demonstrates how to get an ID for the client which is guaranteed
+to be unique within the MSP:
+
+```
+id, err := cid.GetID(stub)
+```
+
+#### Getting the MSP ID
+
+The following demonstrates how to get the MSP ID of the client's identity:
+
+```
+mspid, err := cid.GetMSPID(stub)
+```
+
+#### Getting an attribute value
+
+The following demonstrates how to get the value of the *attr1* attribute:
+
+```
+val, ok, err := cid.GetAttributeValue(stub, "attr1")
+if err != nil {
+   // There was an error trying to retrieve the attribute
+}
+if !ok {
+   // The client identity does not possess the attribute
+}
+// Do something with the value of 'val'
+```
+
+#### Asserting an attribute value
+
+Often all you want to do is to make an access control decision based on the value
+of an attribute, i.e. to assert the value of an attribute.  For example, the following
+will return an error if the client does not have the `myapp.admin` attribute
+with a value of `true`:
+
+```
+err := cid.AssertAttributeValue(stub, "myapp.admin", "true")
+if err != nil {
+   // Return an error
+}
+```
+
+This is effectively using attributes to implement role-based access control,
+or RBAC for short.
+
+#### Getting the client's X509 certificate
+
+The following demonstrates how to get the X509 certificate of the client, or
+nil if the client's identity was not based on an X509 certificate:
+
+```
+cert, err := cid.GetX509Certificate(stub)
+```
+
+Note that both `cert` and `err` may be nil as will be the case if the identity
+is not using an X509 certificate.
+
+#### Performing multiple operations more efficiently
+
+Sometimes you may need to perform multiple operations in order to make an access
+decision.  For example, the following demonstrates how to grant access to
+identities with MSP *org1MSP* and *attr1* OR with MSP *org1MSP* and *attr2*.
+
+```
+// Get the client ID object
+id, err := cid.New(stub)
+if err != nil {
+   // Handle error
+}
+mspid, err := id.GetMSPID()
+if err != nil {
+   // Handle error
+}
+switch mspid {
+   case "org1MSP":
+      err = id.AssertAttributeValue("attr1", "true")
+   case "org2MSP":
+      err = id.AssertAttributeValue("attr2", "true")
+   default:
+      err = errors.New("Wrong MSP")
+}
+```
+Although it is not required, it is more efficient to make the `cid.New` call
+to get the ClientIdentity object if you need to perform multiple operations,
+as demonstrated above.
+
+## Adding Attributes to Identities
+
+This section describes how to add custom attributes to certificates when
+using Hyperledger Fabric CA as well as when using an external CA.
+
+#### Managing attributes with Fabric CA
+
+There are two methods of adding attributes to an enrollment certificate
+with fabric-ca:
+
+  1. When you register an identity, you can specify that an enrollment certificate
+     issued for the identity should by default contain an attribute.  This behavior
+     can be overridden at enrollment time, but this is useful for establishing
+     default behavior and, assuming registration occurs outside of your application,
+     does not require any application change.
+
+     The following shows how to register *user1* with two attributes:
+     *app1Admin* and *email*.
+     The ":ecert" suffix causes the *appAdmin* attribute to be inserted into user1's
+     enrollment certificate by default.  The *email* attribute is not added
+     to the enrollment certificate by default.
+
+     ```
+     fabric-ca-client register --id.name user1 --id.secret user1pw --id.type user --id.affiliation org1 --id.attrs 'app1Admin=true:ecert,email=user1@gmail.com'
+     ```
+
+  2. When you enroll an identity, you may request that one or more attributes
+     be added to the certificate.
+     For each attribute requested, you may specify whether the attribute is
+     optional or not.  If it is not optional but does not exist for the identity,
+     enrollment fails.
+
+     The following shows how to enroll *user1* with the *email* attribute,
+     without the *app1Admin* attribute and optionally with the *phone* attribute
+     (if the user possesses *phone* attribute).
+     ```
+     fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --enrollment.attrs "email,phone:opt"
+     ```
+#### Attribute format in a certificate
+
+Attributes are stored inside an X509 certificate as an extension with an
+ASN.1 OID (Abstract Syntax Notation Object IDentifier)
+of `1.2.3.4.5.6.7.8.1`.  The value of the extension is a JSON string of the
+form `{"attrs":{<attrName>:<attrValue}}`.  The following is a sample of a
+certificate which contains the `attr1` attribute with a value of `val1`.
+See the final entry in the *X509v3 extensions* section.  Note also that the JSON
+entry could contain multiple attributes, though this sample shows only one.
+
+```
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1e:49:98:e9:f4:4f:d0:03:53:bf:36:81:c0:a0:a4:31:96:4f:52:75
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN=fabric-ca-server
+        Validity
+            Not Before: Sep  8 03:42:00 2017 GMT
+            Not After : Sep  8 03:42:00 2018 GMT
+        Subject: CN=MyTestUserWithAttrs
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+            EC Public Key:
+                pub:
+                    04:e6:07:5a:f7:09:d5:af:38:e3:f7:a2:90:77:0e:
+                    32:67:5b:70:a7:37:ca:b5:c9:d8:91:77:39:ae:03:
+                    a0:36:ad:72:b3:3c:89:6d:1e:f6:1b:6d:2a:88:49:
+                    92:6e:6e:cc:bc:81:52:fa:19:88:18:5c:d7:6e:eb:
+                    d4:73:cc:51:79
+                ASN1 OID: prime256v1
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier:
+                D8:28:B4:C0:BC:92:4A:D3:C3:8C:54:6C:08:86:33:10:A6:8D:83:AE
+            X509v3 Authority Key Identifier:
+                keyid:C4:B3:FE:76:0D:E2:DE:3C:FC:75:FB:AE:55:86:04:F0:BB:7F:F6:01
+
+            X509v3 Subject Alternative Name:
+                DNS:Anils-MacBook-Pro.local
+            1.2.3.4.5.6.7.8.1:
+                {"attrs":{"attr1":"val1"}}
+    Signature Algorithm: ecdsa-with-SHA256
+        30:45:02:21:00:fb:84:a9:65:29:b2:f4:d3:bc:1a:8b:47:92:
+        5e:41:27:2d:26:ec:f7:cd:aa:86:46:a4:ac:da:25:be:40:1d:
+        c5:02:20:08:3f:49:86:58:a7:20:48:64:4c:30:1b:da:a9:a2:
+        f2:b4:16:28:f6:fd:e1:46:dd:6b:f2:3f:2f:37:4a:4c:72
+```
+
+If you want to use the client identity library to extract or assert attribute
+values as described previously but you are not using Hyperledger Fabric CA,
+then you must ensure that the certificates which are issued by your external CA
+contain attributes of the form shown above.  In particular, the certificates
+must contain the `1.2.3.4.5.6.7.8.1` X509v3 extension with a JSON value
+containing the attribute names and values for the identity.
@@ -0,0 +1,244 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+                 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cid
+
+import (
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/common/attrmgr"
+	"github.com/hyperledger/fabric/protos/msp"
+	"github.com/pkg/errors"
+)
+
+// GetID returns the ID associated with the invoking identity.  This ID
+// is guaranteed to be unique within the MSP.
+func GetID(stub ChaincodeStubInterface) (string, error) {
+	c, err := New(stub)
+	if err != nil {
+		return "", err
+	}
+	return c.GetID()
+}
+
+// GetMSPID returns the ID of the MSP associated with the identity that
+// submitted the transaction
+func GetMSPID(stub ChaincodeStubInterface) (string, error) {
+	c, err := New(stub)
+	if err != nil {
+		return "", err
+	}
+	return c.GetMSPID()
+}
+
+// GetAttributeValue returns value of the specified attribute
+func GetAttributeValue(stub ChaincodeStubInterface, attrName string) (value string, found bool, err error) {
+	c, err := New(stub)
+	if err != nil {
+		return "", false, err
+	}
+	return c.GetAttributeValue(attrName)
+}
+
+// AssertAttributeValue checks to see if an attribute value equals the specified value
+func AssertAttributeValue(stub ChaincodeStubInterface, attrName, attrValue string) error {
+	c, err := New(stub)
+	if err != nil {
+		return err
+	}
+	return c.AssertAttributeValue(attrName, attrValue)
+}
+
+// GetX509Certificate returns the X509 certificate associated with the client,
+// or nil if it was not identified by an X509 certificate.
+func GetX509Certificate(stub ChaincodeStubInterface) (*x509.Certificate, error) {
+	c, err := New(stub)
+	if err != nil {
+		return nil, err
+	}
+	return c.GetX509Certificate()
+}
+
+// ClientIdentityImpl implements the ClientIdentity interface
+type clientIdentityImpl struct {
+	stub  ChaincodeStubInterface
+	mspID string
+	cert  *x509.Certificate
+	attrs *attrmgr.Attributes
+}
+
+// New returns an instance of ClientIdentity
+func New(stub ChaincodeStubInterface) (ClientIdentity, error) {
+	c := &clientIdentityImpl{stub: stub}
+	err := c.init()
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// GetID returns the ID associated with the invoking identity.  This ID
+// is guaranteed to be unique within the MSP.
+func (c *clientIdentityImpl) GetID() (string, error) {
+	return getDN(c.cert), nil
+}
+
+// GetMSPID returns the ID of the MSP associated with the identity that
+// submitted the transaction
+func (c *clientIdentityImpl) GetMSPID() (string, error) {
+	return c.mspID, nil
+}
+
+// GetAttributeValue returns value of the specified attribute
+func (c *clientIdentityImpl) GetAttributeValue(attrName string) (value string, found bool, err error) {
+	if c.attrs == nil {
+		return "", false, nil
+	}
+	return c.attrs.Value(attrName)
+}
+
+// AssertAttributeValue checks to see if an attribute value equals the specified value
+func (c *clientIdentityImpl) AssertAttributeValue(attrName, attrValue string) error {
+	val, ok, err := c.GetAttributeValue(attrName)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return errors.Errorf("Attribute '%s' was not found", attrName)
+	}
+	if val != attrValue {
+		return errors.Errorf("Attribute '%s' equals '%s', not '%s'", attrName, val, attrValue)
+	}
+	return nil
+}
+
+// GetX509Certificate returns the X509 certificate associated with the client,
+// or nil if it was not identified by an X509 certificate.
+func (c *clientIdentityImpl) GetX509Certificate() (*x509.Certificate, error) {
+	return c.cert, nil
+}
+
+// Initialize the client
+func (c *clientIdentityImpl) init() error {
+	signingID, err := c.getIdentity()
+	if err != nil {
+		return err
+	}
+	c.mspID = signingID.GetMspid()
+	idbytes := signingID.GetIdBytes()
+	block, _ := pem.Decode(idbytes)
+	if block == nil || block.Type != "CERTIFICATE" {
+		bt := "none"
+		if block != nil {
+			bt = block.Type
+		}
+		return errors.Errorf("unexpected PEM block found. Expected a certificate but found a block of type: %s", bt)
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return errors.Wrap(err, "failed to parse certificate")
+	}
+	c.cert = cert
+	attrs, err := attrmgr.New().GetAttributesFromCert(cert)
+	if err != nil {
+		return errors.WithMessage(err, "failed to get attributes from the transaction invoker's certificate")
+	}
+	c.attrs = attrs
+	return nil
+}
+
+// Unmarshals the bytes returned by ChaincodeStubInterface.GetCreator method and
+// returns the resulting msp.SerializedIdentity object
+func (c *clientIdentityImpl) getIdentity() (*msp.SerializedIdentity, error) {
+	sid := &msp.SerializedIdentity{}
+	creator, err := c.stub.GetCreator()
+	if err != nil || creator == nil {
+		return nil, errors.WithMessage(err, "failed to get transaction invoker's identity from the chaincode stub")
+	}
+	err = proto.Unmarshal(creator, sid)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal transaction invoker's identity")
+	}
+	return sid, nil
+}
+
+// Get the DN (distinquished name) associated with the subject of the certificate.
+// NOTE: This code is almost a direct copy of the String() function in
+// https://go-review.googlesource.com/c/go/+/67270/1/src/crypto/x509/pkix/pkix.go#26
+// which returns a DN as defined by RFC 2253.
+func getDN(cert *x509.Certificate) string {
+	r := cert.Subject.ToRDNSequence()
+	s := ""
+	for i := 0; i < len(r); i++ {
+		rdn := r[len(r)-1-i]
+		if i > 0 {
+			s += ","
+		}
+		for j, tv := range rdn {
+			if j > 0 {
+				s += "+"
+			}
+			typeString := tv.Type.String()
+			typeName, ok := attributeTypeNames[typeString]
+			if !ok {
+				derBytes, err := asn1.Marshal(tv.Value)
+				if err == nil {
+					s += typeString + "=#" + hex.EncodeToString(derBytes)
+					continue // No value escaping necessary.
+				}
+				typeName = typeString
+			}
+			valueString := fmt.Sprint(tv.Value)
+			escaped := ""
+			begin := 0
+			for idx, c := range valueString {
+				if (idx == 0 && (c == ' ' || c == '#')) ||
+					(idx == len(valueString)-1 && c == ' ') {
+					escaped += valueString[begin:idx]
+					escaped += "\\" + string(c)
+					begin = idx + 1
+					continue
+				}
+				switch c {
+				case ',', '+', '"', '\\', '<', '>', ';':
+					escaped += valueString[begin:idx]
+					escaped += "\\" + string(c)
+					begin = idx + 1
+				}
+			}
+			escaped += valueString[begin:]
+			s += typeName + "=" + escaped
+		}
+	}
+	return s
+}
+
+var attributeTypeNames = map[string]string{
+	"2.5.4.6":  "C",
+	"2.5.4.10": "O",
+	"2.5.4.11": "OU",
+	"2.5.4.3":  "CN",
+	"2.5.4.5":  "SERIALNUMBER",
+	"2.5.4.7":  "L",
+	"2.5.4.8":  "ST",
+	"2.5.4.9":  "STREET",
+	"2.5.4.17": "POSTALCODE",
+}
@@ -0,0 +1,151 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+                 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cid_test
+
+import (
+	"testing"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/core/chaincode/lib/cid"
+	"github.com/hyperledger/fabric/protos/msp"
+	"github.com/stretchr/testify/assert"
+)
+
+const certWithOutAttrs = `-----BEGIN CERTIFICATE-----
+MIICXTCCAgSgAwIBAgIUeLy6uQnq8wwyElU/jCKRYz3tJiQwCgYIKoZIzj0EAwIw
+eTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
+biBGcmFuY2lzY28xGTAXBgNVBAoTEEludGVybmV0IFdpZGdldHMxDDAKBgNVBAsT
+A1dXVzEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTcwOTA4MDAxNTAwWhcNMTgw
+OTA4MDAxNTAwWjBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp
+bmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV
+BAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFq/90YMuH4tWugHa
+oyZtt4Mbwgv6CkBSDfYulVO1CVInw1i/k16DocQ/KSDTeTfgJxrX1Ree1tjpaodG
+1wWyM6OBhTCBgjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
+FgQUhKs/VJ9IWJd+wer6sgsgtZmxZNwwHwYDVR0jBBgwFoAUIUd4i/sLTwYWvpVr
+TApzcT8zv/kwIgYDVR0RBBswGYIXQW5pbHMtTWFjQm9vay1Qcm8ubG9jYWwwCgYI
+KoZIzj0EAwIDRwAwRAIgCoXaCdU8ZiRKkai0QiXJM/GL5fysLnmG2oZ6XOIdwtsC
+IEmCsI8Mhrvx1doTbEOm7kmIrhQwUVDBNXCWX1t3kJVN
+-----END CERTIFICATE-----
+`
+const certWithAttrs = `-----BEGIN CERTIFICATE-----
+MIIB6TCCAY+gAwIBAgIUHkmY6fRP0ANTvzaBwKCkMZZPUnUwCgYIKoZIzj0EAwIw
+GzEZMBcGA1UEAxMQZmFicmljLWNhLXNlcnZlcjAeFw0xNzA5MDgwMzQyMDBaFw0x
+ODA5MDgwMzQyMDBaMB4xHDAaBgNVBAMTE015VGVzdFVzZXJXaXRoQXR0cnMwWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAATmB1r3CdWvOOP3opB3DjJnW3CnN8q1ydiR
+dzmuA6A2rXKzPIltHvYbbSqISZJubsy8gVL6GYgYXNdu69RzzFF5o4GtMIGqMA4G
+A1UdDwEB/wQEAwICBDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTYKLTAvJJK08OM
+VGwIhjMQpo2DrjAfBgNVHSMEGDAWgBTEs/52DeLePPx1+65VhgTwu3/2ATAiBgNV
+HREEGzAZghdBbmlscy1NYWNCb29rLVByby5sb2NhbDAmBggqAwQFBgcIAQQaeyJh
+dHRycyI6eyJhdHRyMSI6InZhbDEifX0wCgYIKoZIzj0EAwIDSAAwRQIhAPuEqWUp
+svTTvBqLR5JeQSctJuz3zaqGRqSs2iW+QB3FAiAIP0mGWKcgSGRMMBvaqaLytBYo
+9v3hRt1r8j8vN0pMcg==
+-----END CERTIFICATE-----
+`
+
+func TestClient(t *testing.T) {
+	stub, err := getMockStub()
+	assert.NoError(t, err, "Failed to get mock submitter")
+	sinfo, err := cid.New(stub)
+	assert.NoError(t, err, "Error getting submitter of the transaction")
+	id, err := cid.GetID(stub)
+	assert.NoError(t, err, "Error getting ID of the submitter of the transaction")
+	assert.NotEmpty(t, id, "Transaction submitter ID should not be empty")
+	t.Logf("The client's ID is: %s", id)
+	cert, err := cid.GetX509Certificate(stub)
+	assert.NoError(t, err, "Error getting X509 certificate of the submitter of the transaction")
+	assert.NotNil(t, cert, "Transaction submitter certificate should not be nil")
+	mspid, err := cid.GetMSPID(stub)
+	assert.NoError(t, err, "Error getting MSP ID of the submitter of the transaction")
+	assert.NotEmpty(t, mspid, "Transaction submitter MSP ID should not be empty")
+	_, found, err := sinfo.GetAttributeValue("foo")
+	assert.NoError(t, err, "Error getting Unique ID of the submitter of the transaction")
+	assert.False(t, found, "Attribute 'foo' should not be found in the submitter cert")
+	err = cid.AssertAttributeValue(stub, "foo", "")
+	assert.Error(t, err, "AssertAttributeValue should have returned an error with no attribute")
+
+	stub, err = getMockStubWithAttrs()
+	assert.NoError(t, err, "Failed to get mock submitter")
+	sinfo, err = cid.New(stub)
+	assert.NoError(t, err, "Failed to new client")
+	attrVal, found, err := sinfo.GetAttributeValue("attr1")
+	assert.NoError(t, err, "Error getting Unique ID of the submitter of the transaction")
+	assert.True(t, found, "Attribute 'attr1' should be found in the submitter cert")
+	assert.Equal(t, attrVal, "val1", "Value of attribute 'attr1' should be 'val1'")
+	attrVal, found, err = cid.GetAttributeValue(stub, "attr1")
+	assert.NoError(t, err, "Error getting Unique ID of the submitter of the transaction")
+	assert.True(t, found, "Attribute 'attr1' should be found in the submitter cert")
+	assert.Equal(t, attrVal, "val1", "Value of attribute 'attr1' should be 'val1'")
+	err = cid.AssertAttributeValue(stub, "attr1", "val1")
+	assert.NoError(t, err, "Error in AssertAttributeValue")
+	err = cid.AssertAttributeValue(stub, "attr1", "val2")
+	assert.Error(t, err, "Assert should have failed; value was val1, not val2")
+
+	// Error case1
+	stub, err = getMockStubWithNilCreator()
+	assert.NoError(t, err, "Failed to get mock submitter")
+	sinfo, err = cid.New(stub)
+	assert.Error(t, err, "NewSubmitterInfo should have returned an error when submitter with nil creator is passed")
+
+	// Error case2
+	stub, err = getMockStubWithFakeCreator()
+	assert.NoError(t, err, "Failed to get mock submitter")
+	sinfo, err = cid.New(stub)
+	assert.Error(t, err, "NewSubmitterInfo should have returned an error when submitter with fake creator is passed")
+}
+
+func getMockStub() (cid.ChaincodeStubInterface, error) {
+	stub := &mockStub{}
+	sid := &msp.SerializedIdentity{Mspid: "DEFAULT",
+		IdBytes: []byte(certWithOutAttrs)}
+	b, err := proto.Marshal(sid)
+	if err != nil {
+		return nil, err
+	}
+	stub.creator = b
+	return stub, nil
+}
+
+func getMockStubWithAttrs() (cid.ChaincodeStubInterface, error) {
+	stub := &mockStub{}
+	sid := &msp.SerializedIdentity{Mspid: "DEFAULT",
+		IdBytes: []byte(certWithAttrs)}
+	b, err := proto.Marshal(sid)
+	if err != nil {
+		return nil, err
+	}
+	stub.creator = b
+	return stub, nil
+}
+
+func getMockStubWithNilCreator() (cid.ChaincodeStubInterface, error) {
+	c := &mockStub{}
+	c.creator = nil
+	return c, nil
+}
+
+func getMockStubWithFakeCreator() (cid.ChaincodeStubInterface, error) {
+	c := &mockStub{}
+	c.creator = []byte("foo")
+	return c, nil
+}
+
+type mockStub struct {
+	creator []byte
+}
+
+func (s *mockStub) GetCreator() ([]byte, error) {
+	return s.creator, nil
+}
@@ -0,0 +1,55 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+                 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cid
+
+import "crypto/x509"
+
+// ChaincodeStubInterface is used by deployable chaincode apps to get identity
+// of the  agent (or user) submitting the transaction.
+type ChaincodeStubInterface interface {
+	// GetCreator returns `SignatureHeader.Creator` (e.g. an identity)
+	// of the `SignedProposal`. This is the identity of the agent (or user)
+	// submitting the transaction.
+	GetCreator() ([]byte, error)
+}
+
+// ClientIdentity represents information about the identity that submitted the
+// transaction
+type ClientIdentity interface {
+
+	// GetID returns the ID associated with the invoking identity.  This ID
+	// is guaranteed to be unique within the MSP.
+	GetID() (string, error)
+
+	// Return the MSP ID of the client
+	GetMSPID() (string, error)
+
+	// GetAttributeValue returns the value of the client's attribute named `attrName`.
+	// If the client possesses the attribute, `found` is true and `value` equals the
+	// value of the attribute.
+	// If the client does not possess the attribute, `found` is false and `value`
+	// equals "".
+	GetAttributeValue(attrName string) (value string, found bool, err error)
+
+	// AssertAttributeValue verifies that the client has the attribute named `attrName`
+	// with a value of `attrValue`; otherwise, an error is returned.
+	AssertAttributeValue(attrName, attrValue string) error
+
+	// GetX509Certificate returns the X509 certificate associated with the client,
+	// or nil if it was not identified by an X509 certificate.
+	GetX509Certificate() (*x509.Certificate, error)
+}
@@ -178,7 +178,7 @@ func (id *identity) Verify(msg []byte, sig []byte) error {
 func (id *identity) Serialize() ([]byte, error) {
 	// mspIdentityLogger.Infof("Serializing identity %s", id.id)
 
-	pb := &pem.Block{Bytes: id.cert.Raw}
+	pb := &pem.Block{Bytes: id.cert.Raw, Type: "CERTIFICATE"}
 	pemBytes := pem.EncodeToMemory(pb)
 	if pemBytes == nil {
 		return nil, fmt.Errorf("Encoding of identitiy failed")