Access messages are created by Agents and includes sufficient information to authenticate and start using a service.
Access to service is granted after Agent receives notification of new channel was created for his offering:
event LogChannelCreated(address indexed _agent, address indexed _client, bytes32 indexed offering_hash, uint192 _deposit)
When Client receives Ethereum event LogChannelCreated
, he knows that he should shortly try to contact Agent and get access message
. Client queries Agent for access message
, providing channel key
compliant with smart contract method:
function getKey(address _client_address, address _agent_address, uint32 _open_block_number, bytes32 _offering_hash)
Agent than retrieves access message
from database and passed it to Client.
access message
is always encrypted using Client's public key, thus can be decrypted only by intended Client. Client's public key is reconstructed from createChannel
Ethereum transaction.
Access message (aka endpoint message) is created by Agent according to access template
.
After Agent receives event LogChannelCreated
he should process order and give access to Client for a service. Access message
is generated and then stored in Privatix core database
ready to be passed to Client on demand.
Client queries Agent for access message
via one of messaging transport
​
Access message received from Agent (job ClientAfterChannelCreate
)
Then in job AgentPreEndpointMsgCreate
​
Agent's signature verified
b. Message payload is decrypted
c. Matching access template is found in local database
d. Access message is validated to comply with access template schema
Access is granted and maybe consumed by Client. Usually processed by Client's adapter.
encrypted payload | signature |
Fill endpoint template (JSON)
Encrypt message payload using ECIES Ethereum implementation ecies.Encrypt()​
Generate keccak-256 hash of encrypted message payload (as raw bytes)
Sign hash with private key using Ethereum crypto package Sign()
function
Keccak-256 hash of access message is used to uniquely identify access message. Hash is performed on whole offering message (already encrypted and signed).
Split message encrypted payload by removing last 64 bytes of message
Generate keccak-256 hash of message payload
Use Ethereum crypto package SigToPub()
function to retrieve Agent's public key
Compare provided in offering Agent's public key to that from step (3)
Decrypt encrypted message payload using ecies.Decrypt()​
Validate message payload to corresponding template JSON scheme