...
Github issues macro query labels=mentorship-trustid repo blockchain-carbon-accounting user hyperledger-labs token 4
| query | labels=mentorship-trustid |
|---|---|
| repo | blockchain-carbon-accounting |
| user | hyperledger-labs |
| token | 4 |
Explanation
This project will offer tools for the signing of transactions/contracts in a distributed network using trusted identity credentials that are fully controlled by private keys held by the client rather and not hosted in a password protected key-store.
Methodology
The project will enable users of the fabric utility emissions channel to use offline private key to sing transaction proposals. This includes standard crypto keys used by the Ethereum/BTC networks and as used by the Net Emissions Token network.
...
originally targeted using TrustID to registed ID credentials used to access the fabric utility emissions channel, and storing private keys for these ID's in a clientwallet (e.g. Metamask). The project has since changed track. While TrustID offers interesting features, it implements a proxy contract that can be used to connect an external DID with a fabric network (e.g. utility emission channel) using its own Farbic Admin (or user) IDs. Instead of creating a new set of proxy identities, we want to create an identity management solution for the actual Fabric IDs registered with the utility emission channel. Two strategies are being explored as described in the methodology.
Methodology
The project has taken two paths.
- Explore offline signing of transactions using private keys stored in the client browser. See the simple demo hosted here: https://github.com/brioux/fabric-client-signer. It simulates (naively) how a browser based wallet like Metamask would work. Note: Metamask supports elleptic curve signatures using the secp256k1 algorithm, which, is not supported by Fabric. Fabric has a tutorial using offline private keys and CSR files provided by the client. While this was investigated as a quick solution to integrating Metamask
...
- with utility emissions channel, Fabric CA does not support secp256k1 keys used by Ethereum/Bitcoin.
...
- Integrate a Hardware Security Module (HSM) using the HSMX509Provider class. A first attempt using the Utility Emissions Channel isprovided here: https://github.com/brioux/blockchain-carbon-accounting. It uses softHSM2 as a virtual HSM. The HSM is accessed by the Fabric client app using a token label and pin to initialize the HSMprovider. Access to the pin used to lock the HSM will be secured by an identity management system like Vault. The diagram below illustrates how the HSM is integrated into a Fabric client app.
For the first point above follow this tutorial for signing Fabric transactions with offline private key
Offline signing will be integrated into the javascript REST API using the Metamask plugin.
The first step in this project is to setup offline signing following this tutorial. This includes several steps:
- generate a csr using some client provided private key / encryption algorithm. (e.g. ECDSA prime256v1);
- include the self-signed csr generated from the private key when enrolling new user with the fabric CA client;
- build endorsement proposal with transaction payload and sign using the private keys encryption algorithm;
- send signed proposal to required peers and check responses;
- if valid build a new commit with the endorsement from (2), sign commit with the private key encryption and send to peers;
The demo illustrates this process and could be extended to implement a browser signer extension (something like Metamask) for the Utility Emissions App. The code should be packaged as a module for a new browser based identity, and integrated with the fabric-network client using the IdentityProvider interface.
TODO: Revise/delete below text.
The above process can be used for offline signing directly onto the utility emissions channels, or we can configure offline signing on TrustID. Trust ID acts as a security layer for linking DID/key pairs to a desired network where the payload is delivered. The offline signing is delegated to TrustID so that the same DID/key pairs can be used to interact with different networks.
...