...

Project repo: https://github.com/hyperledger-labs/blockchain-carbon-accounting/tree/mentorship-trustid

Explanation

This project originally targeted using TrustID to register the ID credentials used to access the Fabric utility emissions channel, and storing the private keys for these IDs in a client wallet (e.g. MetaMask). While TrustID offers interesting features, it implements a proxy contract that can be used to connect an external DID with a Fabric network using its own admin (or user) IDs. Instead of creating a new set of admin proxy identities to access the Fabric app using external keys, we want to create an integrated client-side identity management solution for the actual Fabric credentials registered with the utility emissions channel (i.e. the private key associated with the identity credential is not stored on the Fabric app). To achieve this we set up a custom WsX509 identity provider using the Fabric Node.js SDK, which uses a ws-identity proxy server that connects a Fabric app (e.g. the utility emissions channel) to a client's secure external ws-wallet where the private keys are stored. See the methodology below for more details.

Deliverables

  1. Integrate TrustID with the Fabric utility emissions channel (dropped)
  2. Web-socket based identity provider for the Fabric network
  3. Integration of the web-socket identity provider into Blockchain Carbon Accounting using Cactus as the Fabric identity/security package
  4. Web-socket client wallet application that handles the actual private keys and signing (Node.js/CLI server application), plus implementation docs and a use-case justification decision tree

...

GitHub issues for this project: repository hyperledger-labs/blockchain-carbon-accounting, label mentorship-trustid

Explanation

...

Methodology: offline signing of transactions using private keys stored in the client browser.  

  1. See the simple demo hosted here: https://github.com/brioux/fabric-client-signer. It simulates how a browser-based wallet like MetaMask would work.
    1. Note: MetaMask supports elliptic curve signatures using the secp256k1 curve, which is not supported by Fabric. Fabric has a tutorial using offline private keys and CSR files provided by the client. While this was investigated as a quick solution for integrating MetaMask with the utility emissions channel, Fabric CA does not support the secp256k1 keys used by Ethereum/Bitcoin. A
  2. This demo illustrates the process for offline signing and could be extended to implement a browser signer extension (something like MetaMask) for a Fabric network:

    1. generate a CSR using a client-provided private key / signature algorithm (e.g. ECDSA with prime256v1);
    2. include the self-signed CSR generated from the private key when enrolling the new user with the Fabric CA client;
    3. build an endorsement proposal with the transaction payload and sign it using the private key's signature algorithm;
    4. send the signed proposal to the required peers and check the responses;
    5. if valid, build a new commit with the endorsement from (2), sign the commit with the private key and send it to the peers;
  3. A better approach to achieving offline signing is to create a custom identity provider that extends (or implements?) the fabric-network IdentityProvider class.
  4. In this project we developed a web-socket based identity provider for WsX509 identity credential types. A secure web-socket connection handles the sending of digests from a Fabric network server/application to be signed by an external client. The components of the web-socket identity provider can be found here. They include:
    1. A ws-identity server that relays signature requests made to the Fabric network, as digests, to the external client
    2. A ws-wallet that signs digests using a key file stored on the client's external device (e.g. an encrypted key file or HSM). The wallet handles the generation and management of key files. The ws-wallet can also be configured to store certificates (i.e. CSR PEM files) signed by the external client when enrolling with the Fabric application.
    3. The Fabric application that requests signatures from the external ws-wallet client. It requires API keys to access the session tickets opened on the ws-identity server with an external client
    4. A custom identity provider that sets up the connection between the Fabric app, the ws-identity server and the external client's ws-wallet. An identity provider has been set up using the Cactus Fabric connector in Cactus PR 293.
    5. A dedicated ws-identity-client is used to handle HTTP requests between the identity provider of the Fabric app (or the ws-wallet instance) and the ws-identity server. However, this could be replaced by a promise-based HTTP client like axios
  5. A web-socket based identity provider is being built in TypeScript as an extension of the IdentityProvider interface of the Fabric network Node.js SDK
  6. The identity provider can be used to connect to any external client, such as a browser, mobile app or IoT device. For example, something like the Fabric-based Chrome extension, but with the signing actually handled by an external key file rather than keys stored on the Fabric app (in that extension the Fabric middleware still handles private key storage and signing, and the extension only tells the user which Fabric network they are interacting with and provides buttons to submit transactions), or a client wallet operating on a dedicated server or IoT device.
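The following is an added example, not code from the fabric-client-signer, ws-identity, ws-wallet or Cactus repositories, that plays out the offline-signing steps above and the three-party split (Fabric app, ws-identity relay, external ws-wallet) in a single process using only Node's `crypto` module. The class names, the session ticket format and the "proposal" bytes are constructed for illustration; the relay's API-key check stands in for the session-ticket authorization described in item 4.3. Two Fabric-specific points it demonstrates that the list only implies: the app side holds nothing but the public credential and verifies every signature it gets back before sending it to peers, and the wallet must return a low-S, DER-encoded ECDSA signature, because Fabric peers reject signatures whose s component lies above n/2 (a malleability guard that generic signing libraries do not apply on their own). It assumes the wallet receives the bytes to be signed rather than a pre-computed digest, since Node's stdlib ECDSA API hashes internally.

```typescript
// Added illustration for this page: an offline-signing flow in the shape of the
// ws-wallet / ws-identity / Fabric-app split. Constructed here, not code from the
// blockchain-carbon-accounting, ws-identity or Cactus repositories.
import { generateKeyPairSync, randomBytes, sign, verify, timingSafeEqual, KeyObject } from "crypto";

// Group order n of prime256v1 and n >> 1 as big-endian bytes. Fabric peers reject
// ECDSA signatures whose s is above n/2, so a wallet that signs with a generic
// library must normalize s before returning the signature.
export const P256_ORDER = Buffer.from("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", "hex");
export const P256_HALF_ORDER = Buffer.from("7FFFFFFF800000007FFFFFFFFFFFFFFFDE737D56D38BCF4279DCE5617E3192A8", "hex");

// n - s on 32-byte big-endian buffers (s < n always holds for a valid signature).
function subtractFromOrder(s: Buffer): Buffer {
  const out = Buffer.alloc(32);
  let borrow = 0;
  for (let i = 31; i >= 0; i--) {
    const d = P256_ORDER[i] - s[i] - borrow;
    borrow = d < 0 ? 1 : 0;
    out[i] = d < 0 ? d + 256 : d;
  }
  return out;
}

// Return s unchanged if it is already in the low half of the order, otherwise n - s.
export function toLowS(s: Buffer): Buffer {
  return Buffer.compare(s, P256_HALF_ORDER) > 0 ? subtractFromOrder(s) : s;
}

// DER INTEGER: minimal encoding, with a 0x00 pad when the top bit is set.
function derInteger(v: Buffer): Buffer {
  let i = 0;
  while (i < v.length - 1 && v[i] === 0) i++;
  let body = v.subarray(i);
  if (body[0] & 0x80) body = Buffer.concat([Buffer.from([0x00]), body]);
  return Buffer.concat([Buffer.from([0x02, body.length]), body]);
}

// DER SEQUENCE { INTEGER r, INTEGER s }, the encoding Fabric expects in a proposal.
export function encodeDerSignature(r: Buffer, s: Buffer): Buffer {
  const body = Buffer.concat([derInteger(r), derInteger(s)]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}

// Read s back out of a DER signature and check the low-S rule.
export function isLowS(der: Buffer): boolean {
  const rLen = der[3];
  const sLen = der[5 + rLen];
  let s = der.subarray(6 + rLen, 6 + rLen + sLen);
  while (s.length > 32 && s[0] === 0) s = s.subarray(1);
  if (s.length < 32) s = Buffer.concat([Buffer.alloc(32 - s.length), s]);
  return Buffer.compare(s, P256_HALF_ORDER) <= 0;
}

// ws-wallet side (hypothetical class): the only place the private key exists.
export class ExternalWallet {
  private readonly privateKey: KeyObject;
  readonly publicKeyPem: string;
  constructor() {
    const kp = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.privateKey = kp.privateKey;
    this.publicKeyPem = kp.publicKey.export({ type: "spki", format: "pem" }).toString();
  }
  // SHA-256 + ECDSA over the relayed bytes, then low-S normalization and DER encoding.
  signRequest(payload: Buffer): Buffer {
    const raw = sign("sha256", payload, { key: this.privateKey, dsaEncoding: "ieee-p1363" });
    return encodeDerSignature(raw.subarray(0, 32), toLowS(raw.subarray(32)));
  }
}

// ws-identity side (hypothetical class): brokers sign requests by session id,
// gated by a per-session API key compared in constant time.
export class IdentityRelay {
  private sessions: { [id: string]: { wallet: ExternalWallet; apiKey: string } } = {};
  openSession(wallet: ExternalWallet): { sessionId: string; apiKey: string } {
    const ticket = { sessionId: randomBytes(8).toString("hex"), apiKey: randomBytes(16).toString("hex") };
    this.sessions[ticket.sessionId] = { wallet, apiKey: ticket.apiKey };
    return ticket;
  }
  requestSignature(sessionId: string, apiKey: string, payload: Buffer): Buffer {
    const session = this.sessions[sessionId];
    const given = Buffer.from(apiKey);
    const expected = session ? Buffer.from(session.apiKey) : Buffer.alloc(0);
    if (!session || given.length !== expected.length || !timingSafeEqual(given, expected)) {
      throw new Error("unauthorized sign request");
    }
    return session.wallet.signRequest(payload);
  }
}

// Fabric-app side (hypothetical identity): holds only the public credential and
// verifies what the wallet returns before it would go to the peers.
export class WsIdentity {
  constructor(private relay: IdentityRelay, private sessionId: string,
              private apiKey: string, private publicKeyPem: string) {}
  signProposal(proposalBytes: Buffer): Buffer {
    const sig = this.relay.requestSignature(this.sessionId, this.apiKey, proposalBytes);
    const ok = verify("sha256", proposalBytes, { key: this.publicKeyPem, dsaEncoding: "der" }, sig);
    if (!ok || !isLowS(sig)) throw new Error("wallet returned an unusable signature");
    return sig;
  }
}

// End-to-end run over a constructed stand-in for a serialized endorsement proposal.
export function demo(): { verified: boolean; lowS: boolean; unauthorizedRejected: boolean } {
  const wallet = new ExternalWallet();
  const relay = new IdentityRelay();
  const ticket = relay.openSession(wallet);
  const identity = new WsIdentity(relay, ticket.sessionId, ticket.apiKey, wallet.publicKeyPem);
  const proposal = Buffer.from(JSON.stringify({ channel: "utility-emissions-channel", fn: "recordEmissions" })); // constructed
  const sig = identity.signProposal(proposal);
  let unauthorizedRejected = false;
  try { relay.requestSignature(ticket.sessionId, "00000000000000000000000000000000", proposal); } catch (e) { unauthorizedRejected = true; }
  return {
    verified: verify("sha256", proposal, { key: wallet.publicKeyPem, dsaEncoding: "der" }, sig),
    lowS: isLowS(sig),
    unauthorizedRejected: unauthorizedRejected,
  };
}
```

Run `demo()` to exercise the whole flow; it returns true for all three checks. In a real deployment the `IdentityRelay` call crosses the web-socket boundary and the `ExternalWallet` key would live in an encrypted key file or HSM, but the invariants are the same: the Fabric app never sees the private key, a caller without the session's API key gets nothing signed, and every signature is verified and low-S checked on the app side before use.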


Entity-control-boundary for ws-identity sessions

...