How can I delegate cryptographic operations to HashiCorp Vault?

You can’t, at least not all cryptographic operations.

Fabric nodes delegate cryptographic operations such as signing to a component called BCCSP (Block Chain Cryptography Service Provider). It comes in two flavors:

  • Software (embedded in the node, as code)
  • PKCS11 (uses a protocol called PKCS11 to communicate with a driver which might have an HSM on its end, but might simply have a software-based HSM used for testing)

PKCS11 approach:

You will probably need to find some sort of connector which translates PKCS11 calls from Fabric to Vault. In theory, I guess it’s possible to implement a .so file of SoftHSM by cloning the repository and making it talk to Vault instead of an HSM.

Software approach:

  • In Fabric 1.4 there was some initial work for BCCSP plugins based on Golang’s native plugins, but it was removed.

Fabric peers sign two types of messages:

  1. P2P messages that are broadcast and disseminated transitively among peers, such as membership information and heartbeats.
  2. Endorsements, which end up as part of transactions.

While both signing operations use BCCSP, the latter uses it indirectly via another layer which can be altered using a Go plugin.

So this means that you cannot make a peer not hold a private key (unless you use PKCS11), but you might be able to have a single private key for the peer to use for P2P messages, and a different private key to be used for endorsing transactions.

There are 2 challenges here, though:

  1. If you make a custom endorsement plugin, you need a matching validation plugin to check that the transaction was indeed properly endorsed by the private key you require to be used.
  2. You need to keep in mind that if the applications are configured to use service discovery, then you need to ensure that they are still able to find peers according to the certificates that the peers are aware of (not the ones that are used by the endorsement plugin).
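The split described in the answer, as an added Go sketch that is not Fabric's own endorsement or validation plugin API: the endorsement path only gets a `Signer` that forwards digests to an external key holder (`remoteSigner` is a constructed in-process stand-in for something like Vault), and the matching `Validate` step accepts an endorsement only when it verifies under the key the policy requires, so a signature made with the peer's own P2P key is rejected. `Signer`, `remoteSigner`, `Endorsement`, `Endorse` and `Validate` are all names assumed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is all the endorsement path needs: the peer never holds the private
// key, it only asks the key holder (Vault in practice, a constructed stand-in
// below) to sign a digest.
type Signer interface {
	Sign(digest []byte) ([]byte, error)
}

// remoteSigner is the constructed stand-in for the external key holder.
type remoteSigner struct{ key *ecdsa.PrivateKey }

func (r *remoteSigner) Sign(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, r.key, d) }

// Endorsement is the signed proposal response a client collects from a peer.
type Endorsement struct{ Payload, Signature []byte }

// Endorse signs the proposal response through the endorsement key only; the
// peer's own P2P identity key is never involved.
func Endorse(s Signer, payload []byte) (Endorsement, error) {
	d := sha256.Sum256(payload)
	sig, err := s.Sign(d[:])
	if err != nil {
		return Endorsement{}, err
	}
	return Endorsement{Payload: payload, Signature: sig}, nil
}

// Validate is the matching validation step: it accepts an endorsement only if
// the key the policy requires produced it, so a signature made with the peer's
// P2P key (or any other key) is rejected.
func Validate(e Endorsement, required *ecdsa.PublicKey) bool {
	d := sha256.Sum256(e.Payload)
	return ecdsa.VerifyASN1(required, d[:], e.Signature)
}

func main() {
	endorseKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives in the key service
	p2pKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)     // the peer's own identity key
	e, _ := Endorse(&remoteSigner{key: endorseKey}, []byte("constructed proposal response"))
	fmt.Println(Validate(e, &endorseKey.PublicKey), Validate(e, &p2pKey.PublicKey)) // true false
}
```

The second challenge in the answer is not modelled here: service discovery still advertises the peer's own certificate, so a client must be able to map that identity to the endorsement key `Validate` expects.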

