
add HSM Identity proposal

Open js-ms opened this issue 4 years ago • 4 comments

Hello, we are trying to use an HSM with the Go SDK; our objective is to use it with a wallet, some kind of identity provider. We are creating this PR to interact with you so you can guide us further:

  • Is this the right approach for this project?
  • Using Cryptosuite with PKCS11 interface is not as clear as we wanted it to be.
  • Using identitymanager or using the mspwallet to create a manager is not explained thoroughly

We want to do something like this (inspired by the node SDK): https://github.com/hyperledger/fabric-sdk-node/blob/main/fabric-network/src/impl/wallet/hsmx509identity.ts

We have some of the possible interfaces and some of the functions, but when we think about how to link everything with a wallet, we just don't know if the path we are following is correct.

Hope you can guide us, thanks a lot!

js-ms avatar May 25 '21 14:05 js-ms

@bstasyszyn can you give us some guidance? thanks in advance

js-ms avatar May 26 '21 16:05 js-ms

Hi @jsebastianms1 - sure, I think you are on the right path, but the current wallet framework might need extending a bit to support HSM. I guess (but I haven't tried) you can create a new wallet implementation that stores the HSM configuration and user certificate, and pass that down to the underlying PKCS11 via BCCSP.

Example configuration for the pkcs11 integration test: https://github.com/hyperledger/fabric-sdk-go/blob/main/test/fixtures/config/config_e2e_pkcs11.yaml#L42-L53

This is how PKCS11 cryptosuite is loaded: https://github.com/hyperledger/fabric-sdk-go/blob/main/test/integration/e2e/pkcs11/e2e_test.go

andrew-coleman avatar Jun 03 '21 10:06 andrew-coleman

Hi @andrew-coleman, I have a doubt. I did the thing you suggested, like this:

  • hsm wallet implementation that stores the HSM configuration and user certificate
  • hsmx509identity that stores type, version, mspid and credentials that are composed only of the public certificate
  • When I call the function WithIdentity from gateway.go, I'm trying to recreate the new identity, switching on the type (X509 and Hsmx509) like this:
switch creds.idType() {
case x509Type:
	// Software identity: the wallet holds the PEM private key next to the certificate.
	enrollmentCertificate = []byte(creds.(*X509Identity).Certificate())
	privateKey, err = fabricCaUtil.ImportBCCSPKeyFromPEMBytes([]byte(creds.(*X509Identity).Key()), cryptosuite.GetDefault(), true)
	if err != nil {
		return err
	}
case Hsmx509type:
	// HSM identity: the wallet holds only the certificate, the private key stays on the token. hsmConf is the
	// path of a PKCS11 SDK config such as config_e2e_pkcs11.yaml; errors are returned from the IdentityOption closure.
	enrollmentCertificate = []byte(creds.(*Hsmx509Identity).Certificate())
	conf := wallet.(*Wallet).store.(*hsmWalletStore).hsmConf
	sdk, err := fabsdk.New(config.FromFile(string(conf)))
	if err != nil {
		return err
	}
	configBackend, err := sdk.Config()
	if err != nil {
		return err
	}
	csp, err := pkcs11.GetSuiteByConfig(cryptosuite.ConfigFromBackend(configBackend))
	if err != nil {
		return err
	}
	// ECDSAGoPublicKeyImportOpts expects an *ecdsa.PublicKey; X509PublicKeyImportOpts takes an *x509.Certificate.
	certPubK, err := csp.KeyImport(creds.(*Hsmx509Identity).Credentials.Certificate, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: true})
	if err != nil {
		return err
	}
	privateKey, err = csp.GetKey(certPubK.SKI()) // locate the token-resident key by the certificate's SKI
	if err != nil {
		return err
	}
}

Right now, I really don't know if this is the path you were trying to lead me to or if I'm totally lost. I'm having trouble obtaining the SDK from the path stored in the wallet; I used a file similar to the YAML you showed me.

I have a new fork (the other one was recently deleted); what do you suggest for pushing this new implementation?

Thanks in advance

js-ms avatar Sep 15 '21 13:09 js-ms
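The core of the Hsmx509 branch above, as an added example that is not code from this issue or from fabric-sdk-go: the PKCS11 token is replaced by an in-memory map keyed by SKI (an assumption standing in for the HSM slot), the SKI is derived the way Fabric's BCCSP does for ECDSA keys, and a certificate whose key is not on the token yields an error instead of the nil private key that the discarded `_` results would leave behind. enrollTestIdentity only produces constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// resolveKey is the Hsmx509 branch with its errors kept: wallet certificate in, token-resident key out.
func resolveKey(hsm map[string]*ecdsa.PrivateKey, certPEM []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("wallet entry is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an ECDSA key")
	}
	// SKI as Fabric's BCCSP derives it for ECDSA keys (SHA-256 of the uncompressed point), the key's CKA_ID on the token.
	ski := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	if k, ok := hsm[string(ski[:])]; ok {
		return k, nil
	}
	return nil, errors.New("no private key with this SKI on the token") // never a silent nil key
}
// enrollTestIdentity: throwaway P-256 key and self-signed cert (constructed test data); only the cert PEM is returned.
func enrollTestIdentity(hsm map[string]*ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ski := sha256.Sum256(elliptic.Marshal(key.Curve, key.X, key.Y))
	hsm[string(ski[:])] = key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```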

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 30 '22 19:03 stale[bot]