encryption

package
v0.4.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 18, 2019 License: MIT Imports: 12 Imported by: 0

README

Hyperledger Fabric chaincode kit (CCKit) - Encryption extension

Allows to encrypt all data in ledger. Based on example

Using ECDH for establishing secret key

ECDH (Elliptic curve Diffie-Hellman): both parties can establish a secret value by sending only the public key of their ephemeral or static key pair to the other party. If the key pair of one of the parties is trusted by the other party then that key pair may also be used for authentication.

Flow of a CHAINCODE transaction

1. Sending proposal from client to peer

The proposal is basically a request to do something on a chaincode, that will result on some action - some change in the state of a chaincode and/or some data to be committed to the ledger.

SignedProposal
|\_ Signature                                    (signature on the Proposal message by the creator specified in the header)
 \_ Proposal
    |\_ Header                                  
    |\_ ChaincodeProposalPayload             
    |   |\_ ChaincodeInvocationSpec
    |   |    \_ ChaincodeSpec
    |   |        |\_ Chaincode_id 
    |   |         \_ Input 
    |   |             \_ Args
    |    \_ TransiendMap
     \_ ChaincodeAction                          (the actions for this proposal - optional for a proposal)

Proposal contains:

 * `Signature` is a signature of the client over the Proposal.
 * `ChannelId` - name of the fabric channel that is the target of this transaction 
 * `ChaincodeName` and `ChaincodeVersion` - the name and version of the chaincode that is being invoked by this proposal.
 * `TxId` -  the transaction identifier, computed as the hash of SignatureHeader.
 * `Creator` - is the serialized identity of the client.
 * `Nonce` - an array of random bytes.
 * `Args` - the set of arguments for this chaincode invocation.

For encrypting data can be used contents of Trasient Map field - data (e.g. cryptographic material) that might be used to implement some form of application-level confidentiality.

The contents of this field are supposed to always be omitted from the transaction and excluded from the ledger.

2. Peer sends proposal response back to client

The proposal response contains an endorser's response to a client's proposal. A proposal response contains a success/error code, a response payload and a signature (also referred to as endorsement) over the response payload.

The response payload contains a hash of the proposal (to securely link this response to the corresponding proposal) and an opaque extension field that depends on the type specified in the header of the corresponding proposal. A proposal response contains the following messages:

ProposalResponse
|\_ Endorsement                                  (the endorser's signature over the whole response payload)
 \_ ProposalResponsePayload                      (the payload of the proposal response)
3. Client assembles endorsements into a transaction

A transaction message assembles one or more proposals and corresponding responses into a message to be sent to orderers. After ordering, (batches of) transactions are delivered to committing peers for validation and final delivery into the ledger. A transaction contains one or more actions. Each of them contains a header (same as that of the proposal that requested it) and an opaque payload that depends on the type specified in the header.

SignedTransaction
|\_ Signature                                    (signature on the Transaction message by the creator specified in the header)
 \_ Transaction
     \_ TransactionAction (1...n)
        |\_ Header (1)                           (the header of the proposal that requested this action)
         \_ Payload (1)                          (the payload for this action)

Chaincode state encryption

Encrypter entity from chaincode/shim/entities package is capable of performing AES 256 bit encryption using PKCS#7 padding. Optionally, the IV can be provided in which case it is used during the encryption; othjerwise, a random one is generated.

Documentation

Index

Constants

View Source
const TransientMapKey = `ENCODE_KEY`

Variables

View Source
var (
	// ErrKeyNotDefinedInTransientMap occurs when key not defined in transient map
	ErrKeyNotDefinedInTransientMap = errors.New(`encryption key is not defined in transient map`)
)

Functions

func ArgsDecrypt added in v0.3.1

func ArgsDecrypt(next router.ContextHandlerFunc, pos ...int) router.ContextHandlerFunc

ArgsDecryptIfKeyProvided - pre middleware, decrypts chaincode method arguments, key must be provided in transient map

func ArgsDecryptExcept added in v0.4.3

func ArgsDecryptExcept(exceptMethod ...string) router.ContextMiddlewareFunc

func ArgsDecryptIfKeyProvided

func ArgsDecryptIfKeyProvided(next router.ContextHandlerFunc, pos ...int) router.ContextHandlerFunc

ArgsDecryptIfKeyProvided - pre middleware, decrypts chaincode method arguments if key provided in transient map

func Decrypt

func Decrypt(key, value []byte) ([]byte, error)

Decrypt decrypts value with key

func DecryptArgs

func DecryptArgs(key []byte, args [][]byte) ([][]byte, error)

DecryptArgs decrypt args

func EncStateContext added in v0.4.1

func EncStateContext(next router.HandlerFunc, pos ...int) router.HandlerFunc

EncStateContext replaces default state with encrypted state

func EncStateContextIfKeyProvided added in v0.4.3

func EncStateContextIfKeyProvided(next router.HandlerFunc, pos ...int) router.HandlerFunc

EncStateContext replaces default state with encrypted state

func Encrypt

func Encrypt(key []byte, value interface{}) ([]byte, error)

Encrypt converts value to []byte and encrypts its with key

func EncryptArgs

func EncryptArgs(key []byte, args ...interface{}) ([][]byte, error)

EncryptArgs encrypt args

func EncryptEvent added in v0.4.1

func EncryptEvent(encKey []byte, event *peer.ChaincodeEvent) (encrypted *peer.ChaincodeEvent, err error)

EncryptEvent encrypts event payload and event name. Event name also base64 encoded. ChaincodeId and TxId remains unencrypted

func EncryptWithTransientKey added in v0.4.1

func EncryptWithTransientKey(c router.Context, val interface{}) (encrypted []byte, err error)

EncryptWithTransientKey encrypts val with key from transient map

func Event added in v0.4.1

func Event(c router.Context, key []byte) (state.Event, error)

Event encrypting the events before setEvent()

func EventWithTransientKey added in v0.4.1

func EventWithTransientKey(c router.Context) (state.Event, error)

EventWithTransientKey creates encrypted event wrapper with provided key for symmetric encryption/decryption

func FromBytesDecryptor added in v0.4.1

func FromBytesDecryptor(key []byte) state.FromBytesTransformer

DecryptTransformer returns state.FromBytesTransformer - used for decrypting data after reading from state

func InvokeChaincode added in v0.4.3

func InvokeChaincode(
	stub shim.ChaincodeStubInterface, encKey []byte, chaincodeName string,
	args []interface{}, channel string, target interface{}) (interface{}, error)

InvokeChaincode decrypts received payload

func KeyFromTransient

func KeyFromTransient(c router.Context) ([]byte, error)

KeyFromTransient gets key for encrypting/decrypting from transient map

func KeyPartsEncryptor added in v0.4.1

func KeyPartsEncryptor(encryptKey []byte) state.KeyTransformer

KeyPartsEncryptedWith encrypts key parts

func MockInvoke added in v0.4.1

func MockInvoke(cc *testing.MockStub, encKey []byte, args ...interface{}) peer.Response

MockInvoke helper for invoking MockStub with transient key and encrypted args

func MockQuery added in v0.4.1

func MockQuery(cc *testing.MockStub, encKey []byte, args ...interface{}) peer.Response

MockQuery helper for querying MockStub with transient key and encrypted args

func MustEncryptEvent added in v0.4.1

func MustEncryptEvent(encKey []byte, event *peer.ChaincodeEvent) (encrypted *peer.ChaincodeEvent)

MustEncryptEvent helper for EncryptEvent. Panics in case of error.

func State

func State(c router.Context, key []byte) (state.State, error)

State wrapper, encrypts the data before putting to state and decrypts the data after getting from state

func StateWithTransientKey

func StateWithTransientKey(c router.Context) (state.State, error)

StateWithTransientKey creates encrypted state state with provided key for symmetric encryption/decryption

func StateWithTransientKeyIfProvided added in v0.3.1

func StateWithTransientKeyIfProvided(c router.Context) (state.State, error)

StateWithTransientKeyIfProvided creates encrypted state wrapper with provided key for symmetric encryption/decryption if key provided, otherwise - standard state wrapper without encryption

func StringEncryptor added in v0.4.1

func StringEncryptor(key []byte) state.StringTransformer

EncryptStringWith returns state.StringTransformer encrypting string with provided key

func ToBytesEncryptor added in v0.4.1

func ToBytesEncryptor(key []byte) state.ToBytesTransformer

EncryptTransformer returns state.ToBytesTransformer - used for encrypting data for state

func TransientMapWithKey

func TransientMapWithKey(key []byte) map[string][]byte

TransientMapWithKey creates transient map with encrypting/decrypting key

Types

type MockStub added in v0.4.1

type MockStub struct {
	MockStub *testing.MockStub
	//EncKey key for encrypt data before query/invoke
	EncKey []byte

	// DecryptInvokeResponse decrypts invoker responses
	DecryptInvokeResponse bool
}

MockStub wrapper for querying and invoking encrypted chaincode

func NewMockStub added in v0.4.1

func NewMockStub(mockStub *testing.MockStub, encKey []byte) *MockStub

NewMockStub creates wrapper for querying and invoking encrypted chaincode

func (*MockStub) From added in v0.4.1

func (s *MockStub) From(args ...interface{}) *MockStub

func (*MockStub) Invoke added in v0.4.1

func (s *MockStub) Invoke(args ...interface{}) (response peer.Response)

func (*MockStub) Query added in v0.4.1

func (s *MockStub) Query(args ...interface{}) peer.Response

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL