Abstract
Implement client-side security for the Climate SIG's Hyperledger Fabric application, so that transactions can be signed using Metamask through TrustID.
...
- WsX509 identity provider in Cactus PR 1333
- Add WsX509 support in blockchain carbon accounting project PR 293
- REST API to reach the external ws-wallet (node.js server) from the blockchain carbon accounting app - PR 361
- Other PRs for carbon accounting app
- Secure identities directory with documentation and subdirectories for
- ws-identity docker image (github package)
- Peer programming sessions highlighting progress on the WsX509 implementation
...
- g. Demo full cycle of generating security keys at the client, registering and enrolling users, and invoking and querying Fabric chain code.
- h. Documentation of identity solutions to access the Fabric application with third-party key management tools. Establish an authentication protocol to connect a client application (e.g., mobile app or crypto wallet) to the Fabric application.
Timeline
Week | Task/Plan | Status |
---|---|---|
May 24 - May 28 | Set up project plan. | |
May 31 - June 11 | Review TrustID from our previous call. Develop plan for integrating Fabric, TrustID, and Metamask. Integrate TrustID with Fabric. | |
June 14 - June 25 | Finish integration of TrustID with Fabric. Integrate Metamask into TrustID to sign Fabric transactions. This task has been revised, as these weeks I have simply been understanding how to sign transactions on Fabric with a private key and CSR generated by the client offline (not by the Fabric SDK). The key only needs to be stored in the client wallet (Metamask), as signing can be done off the server. We could also share the pKey generated by Fabric (TrustID app) with the client to upload to their wallet; however, the key generator must be compatible with the client wallet. In the case of Ethereum (e.g. Metamask) we need to generate a secp256k1 key, but the Fabric certificate signer does not support this elliptic curve. TrustID is a good solution as it can register a public key (DID) generated from a custom private key that is authorized by the Fabric CA to commit endorsements to the chaincode. Note: TrustID currently only supports infra EC P-521, but this should be easy to update. | Based on discussion with the mentors, the first task was reframed as completing the offline signing of transactions on Fabric using a private key (secp256k1 for Ethereum compatibility) generated by the client and stored in their wallet (not on the server). The next task is to use the private key to establish a DID (e.g. using TrustID) that can be used to access other networks. |
June 28 - July 2 | Get ready for first Evaluation. Return to TrustID integration to register secp256k1 DID to execute transactions on Fabric. | |
July 5 - July 9 | Integrate a Hardware Security Module (HSM) into the utility emissions channel client app using SoftHSM. Include the SoftHSM libraries when building the API docker image. Initialize a SoftHSM token to be used when enrolling new users. Update the register and enroll TypeScript to save the HSM X.509 identity to the local filesystem. | Complete |
July 12 - July 23 | Prepare a schematic for HSM integration with a Fabric node. Research HSM cloud integration. Understand how to create a proxy pod that connects the client app/service to the HSM device, i.e., the HSM device (e.g. SoftHSM) is not part of the same container image as the Hyperledger Fabric node. E.g., see https://developer.ibm.com/articles/leverage-ibm-cloud-hsm-in-your-ibp-network/ | Complete |
July 26 - August 6 | Implement a proxy to link an external HSM device (e.g., SoftHSM) to the Fabric client app. Understand how to configure HSM options to set up and add an external HSM provider to a wallet with HSM X.509 identity types. | Abandoned |
August 9 - August 13 | Shift focus from HSM to implementing web-socket based identity provider for fabric client security. Review web-socket functionality. Understand how to run test with web-socket. | Complete |
August 16 - August 27 | Set up server-side logic for the web-socket identity provider: a client that handles communication with the external key client (e.g. browser extension); a server key file that handles crypto logic such as generating CSR files and requesting the client's signature; and identity provider logic that establishes the web socket server and waits for an incoming connection from the external client that will handle the signing. | Complete |
August 30 - Sept 13 | Integrate the web socket into blockchain carbon accounting. Command line scripts to generate keys, register and enroll users, and invoke and query Fabric chain code. | Complete |
Sept 13 - Sept 27 | Eval 3 on October 1 | Complete |
Sept 27 - Oct 11 | Demo full cycle of generating security keys at the client, registering and enrolling users, and invoking and querying Fabric chain code. Develop documentation for third-party identity management and key storage solutions. | Complete |
Oct 11 - Oct 25 | Establish authentication protocol to connect client application to Fabric typescript app (e.g. utility emissions channel), and authenticate Fabric app to access client's external private key signing tools. | Complete |
Oct 25 - Nov 8 | | |
Nov 8 - Nov 12 | Wrap up of the project. Final evaluation and presentation of the project on November 12. | Complete |
...