You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 36 Next »

Abstract

Implement client side security for the Climate SIG's Hyperledger Fabric application, so that transactions could be signed using Metamask through TrustId.

Mentor and Mentee

MentorMentorMentorMentorMentee

Si Chen

US PST 

sichen@opensourcestrategies.com

Vatsal Mishra

IST 

mevatsal@gmail.com

Maria Teresa Nieto

CEST 

mariateresa.nietogalan@telefonica.com

Kamlesh Nagware

IST 

kamlesh.nagware@gmail.com

Bertrand WILLIAMSRIOUX

AST (UTC +3)

bertrand.rioux@gmail.com


Communication channel: Email + Github 

Project repo: https://github.com/hyperledger-labs/blockchain-carbon-accounting/tree/mentorship-trustid

Deliverables

  • 1 Integrate TrustID with Fabric utility emissions channel (dropped)
  • 2 Web socket based identity provider for fabric network :
  • 3 Integration of web-socket identity provider into Blockchain carbon accounting using Cactus as fabric identity/security package -  
  • 4 Web-socket client wallet application that handles the actual private keys and signing (Node.js/CLI server application) + implementation docs and use case justification decision tree

Report (Presented Nov. 17, 2021)

Milestones

Eval 1:

  • a Integrate TrustID with Fabric
  • b Demonstrate how to sign transactions with offline private key stored in clients browser session

Eval 2:

  • c Create WebSocket identity server
  • d WebSocket client wallet

Eval 3:

  • e. Integrate web socket into blockchain carbon accounting
  • f. Command line scripts to generate keys, register and enroll users, invoke, and query Fabric chain code

Eval 4:

  • g. Demo full cycle of generating security keys at client, registering and enrolling users, and invoking and querying on Fabric chain code.
  • h. Documentation of  identity solutions to access Fabric application with third party key management toolsEstablish authentication protocol to connect client application (e.g., mobile app and cyrpto wallet) to Fabric application.

Timeline

WeekTask/PlanStatus
May 24 - May 28Set up project plan.  
May 31 - June 11Review TrustID from our previous call.  Develop plan for integrating Fabric, TrustID, and Metamask.  Integrate TrustID with Fabric.
June 14 - June 25

Finish integration of TrustID with Fabric.  Integrate Metamask into TrustID to sign Fabric transactions.

This Task has been revised as these weeks I have simply been understanding how to sign transactions on Fabric with private key and csr generated by the client offline (not the Fabrik SDK).   The key only needs to be stored on the client wallet ( metamask), as singing can be done off the server.

We could also share the pKey generated by the Fabric (TrustID app) with the client to upload to their wallet. However, the key generator must be compatible with the client Wallet. In the case of Ethreum (e.g. Metamask) we need to generate secp256k1 key, however fabric certificate signer does not support this EC.

Trust ID is a good solution as it can register a public key (DID) generated from custom private key that is authorized by Fabric CA to commit endorsements to the chaincode. Note, Trust ID currently only supports infra EC P-521, but this should be easy to update.

Based on discussion with the mentors, the first task was reframed as completing the offline signing of transactions on Fabric using a private key (secp256k1 for ethereum compatibility) generated by the client and store on their wallet (not on the server). The next task Next we want to use the private key to establish a DID (e.g. using TrustID) that can be used to access other networks

June 28 - July 2

Get ready for first Evaluation.

Return to TrustID integration to register secp256k1 DID to execute transactions on Fabric.


July 5 - July 9

Integrate Hardware Security Module (HSM) into utility emission channel client app using softHSM. Include softHSM libraries when building API docker image. Initialize softHSm token to be used when enrolling new users.

Update register and enrol typescript to save HSMX.509 identity to local filesystem.

Complete


July 12 - July 23

Prepare schematic for HSM integration with fabric node. Research HSM cloud integration. Understand how to create a proxy pod that connects the client app/service to the HSM device. I.e., the HSM device (e.g. softHSM) is not part of the same container image as the hyper-ledger Fabric node. E.g., see https://developer.ibm.com/articles/leverage-ibm-cloud-hsm-in-your-ibp-network/


Complete
July 26 - August 6Implement proxy to link external HSM device (e.g., softHSM) to fabric client app. Understand how to configure HSMoptions to setup and add external HSMprovider to a wallet with HSMX509 types.Abandoned
August 9 - August 13

Shift focus from HSM to implementing web-socket based identity provider for fabric client security.

Review web-socket functionality. Understand how to run test with web-socket. 

Complete
August 16 - August 27

Set-up severs side logic for web-socket identity provider.

Client that handles communication with the external key client (e.g. browser extension).

Server key file that handles crypto logic like generating CSR files and requesting client signature

Identity provider logic that establishes the web socket server and wait for incoming connection from external client that will handle the signing. 

Complete


August 30 - Sept 13

Integrate web socket into blockchain carbon accountin

Command line scripts to generate keys, register and enroll users, invoke, and query Fabric chain code


complete

Sept 13 - Sept 27Eval 3 on October 1complete
Sept 27 - Oct 11

Demo full cycle of generating security keys at client, registering and enrolling users, and invoking and querying on Fabric chain code.

Develop documentation for 3rd party identity management and key storage solutions

complete
Oct 11 - Oct 25

Establish authentication protocol to connect client application to Fabric typescript app (e.g. utility emissions channel), and authenticate Fabric app to access client's external private key signing tools.



Complete

Oct 25 - Nov 8



Nov 8 - Nov 12

Wrap up of the project

Final evaluation and presentation of project on November 12

Complete

Tasks

An error occured while executinng macro:

Access token 4 not found

Icon

Explanation

This project originally targeted using TrustID to registed ID credentials used to access the fabric utility emissions channel, and storing private keys for these ID's in a clientwallet (e.g. Metamask). The project has since changed track. While TrustID offers interesting features, it implements a proxy contract that can be used to connect an external DID with a fabric network (e.g. utility emission channel) using its own Farbic Admin (or user) IDs. Instead of creating a new set of proxy identities, we want to create an identity management solution for the actual Fabric IDs registered with the utility emission channel. Two strategies are being explored as described in the methodology.

Methodology: offline signing of transactions using private keys stored in the client browser.  

  1. See the simple demo hosted here: https://github.com/brioux/fabric-client-signer. It simulates how a browser based wallet like Metamask would work
    1. Note: Metamask supports elleptic curve signatures using the secp256k1 algorithm, which, is not supported by Fabric. Fabric has a tutorial using offline private keys and CSR files provided by the client. While this was investigated as a quick solution to integrating Metamask with utility emissions channel, Fabric CA does not support secp256k1 keys used by Ethereum/Bitcoin. A

  2. This demo illustrates the process for offline signing and could be extended to implement a browser signer extension (something like Metamask) for a Fabric network.

    1. generate a csr using some client provided private key / encryption algorithm. (e.g. ECDSA prime256v1);
    2. include the self-signed csr generated from the private key when enrolling new user with the fabric CA client;
    3. build endorsement proposal with transaction payload and sign using the private keys encryption algorithm;
    4. send signed proposal to required peers and check responses;
    5. if valid build a new commit with the endorsement from (2), sign commit with the private key encryption and send to peers;
  3. A better approach to achieve off-line signing is to create a custom identity provider that extends (implements?) the fabric-network IdentityProvider class.
  4. This project is developing a web-socket based identity provider. A secure web-socket connection handles the sending of digests from a fabric network server/application to be signed by an external client. The components fo the web-socket identity provider can be found here. The include
    1. A ws-identity server that relays signature requests made to fabric network as digest to the external client
    2. A ws-wallet that signs digests using a key-file stored on the clients external device (e.g. encrypted keyfile or HSM). The wallet handles the generation and management of key files. The ws-wallet can also be configured to store certificates (i.e. CSR pem files) signed by the external client when enrolling with the Fabric application. 
    3. The fabric application that requests signatures from the external ws-wallet client. It requres API keys to access the session tickets opened on the ws-identity server iwth an external client
    4. A custom identity provider that setup the connection between the Fabric app, the ws-identity server and the external clients ws-wallet.
    5. A dedicated ws-identity-client is used to handle html requests between the identity provider of the Fabric app or the ws-wallet instance and the ws-identity server
  5. A web-socket based identity provider is being built with typescript as an extension of the IdentityProvider interface of the Fabric network nodes.js SDK
  6. The identity provider can be used to conect to any external client, suchas a browser, mobile app or IoT device . For example, something  like the fabric based chrome extension but with the singing actually handled an external key file, not keys stored on the fabric app. In this project the fabric middle-wear still handles the private key storage and singing, with the extension just telling the user what fabric network they are interacting with, and buttons to submit transactions.


Another effort in this project is to integrate a Hardware Security Module (HSM) using the HSMX509Provider class. A first attempt using the Utility Emissions Channel was started here https://github.com/brioux/blockchain-carbon-accounting. It uses softHSM2 as a virtual HSM. The HSM is accessed by the Fabric client app using a token label and pin to initialize the HSMprovider. However, in the original implementation the HSM lives on the same server as the fabric application, so this is does not support the singing of transactions by an external client application. Instead a secure proxy server, similar to the ws-identity server described above, is needed to relay requests between the Fabric app and the external HSM. Infact, ws-wallet could be setup to use an HSM for local key storage.





  • No labels