Topics In Demand
Cloud Computing | Cyber Security & Privacy | Data Science & AI | Digital Transformation | Diversity And Inclusion | Engineering Research & Design | ESG & Sustainability | Future Of Work | Product/Startups |
Notification
New
See all

No notification found.

Hyperledger Fabric Cryptogen Musing
Hyperledger Fabric Cryptogen Musing
images
DLT Labs
@DLT Labs

October 12, 2021

Blockchain

219

2

A Problem (High Load) and a Constraint (Uptime)

In my time running Fabric network, I once experienced a high transaction load on my existing peers. One of the ways to address this would have been to vertically scale my peers (which I had done earlier). Vertical scaling of peers has its own problem: it would require downtime for the peer which is getting scaled and, again, it will require downtime when we want to scale back down. The alternative was to increase the number of peers in the network. Now the real problem was how could I achieve this without affecting my running fabric network.

Initially, I had generated crypto material using the cryptogen tool of Hyperledger® Fabric. I thought there would be an option to generate new crypto material with the same tool. I came across a command of said cryptogen tool which is used for generating new crypto material.

./cryptogen extend — input=”crypto-config.yaml”

The above command could help me to generate crypto key material for a new entity. I just had to change the peer template in my crypto-config.yaml file to make it work. But I got intrigued by how this command was able to generate certificates without affecting my existing crypto. There were a few questions that were popping into my mind.

Were all the certificates being regenerated? Or only the certificates for the new entity? So to find the answer to my questions I started digging up the internal code of the cryptogen tool of Hyperledger Fabric.

Diving Into Cryptogen

Every participant who wants to interact with the network needs an identity. The CA provides the means for each entity to have a verifiable digital identity. In Hyperledger Fabric we have a built-in CA component that can be used in the blockchain network for generating identity.

The role of CA in generating the key material is very significant as CA is the default Certificate Authority (CA) for Hyperledger Fabric. Unless replaced, it is responsible for the registration of identities, issuance of Enrollment Certificates (ECerts) and certificate renewal and revocation. So the first time the key material was generated the following things happened:

  1. The SignCertificate function of CA got invoked which created a signed certificate based on the template of a crypto-config.yaml file and saved it in the base directory.
  2. The base directory by default was set to crypto-config. However, if needed it could be changed.
inputDir = ext.Flag(“input”, “The input directory in which existing network place”).Default(“crypto-config”).String()

The cryptogen tool of Hyperledger Fabric uses the CA and MSP (Membership Service Provider) package to generate the certificates of entities. Initially, the extend function of the cryptogen tool was invoked which loaded the modified crypto-config.yaml file and called the renderOrgSpec function. That function processed all the template nodes from the count field and, following this, it called the function extendPeerOrg.

func extend() {
 config, err := getConfig()
 if err != nil {
 fmt.Printf(“Error reading config: %s”, err)
 os.Exit(-1)
 } for _, orgSpec := range config.PeerOrgs {
 err = renderOrgSpec(&orgSpec, “peer”)
 if err != nil {
 fmt.Printf(“Error processing peer configuration: %s”, err)
 os.Exit(-1)
 }
 extendPeerOrg(orgSpec)
 }}

After figuring this out, still, my question was unanswered as to whether the old certificates would also be regenerated or not? So I moved to the next function which was extendPeerOrg.

Now inside this function, I found out all the things were similar to that of the generatePeerOrg function. The only differences were that when generating, NewCA was invoked and while executing the cryptogen executable binary loads the instance of the already generated CA (created during generation of certificates).

signCA := getCA(caDir, orgSpec, orgSpec.CA.CommonName)
tlsCA := getCA(tlscaDir, orgSpec, “tls”+orgSpec.CA.CommonName

My Question Answered: generateNodes

Then I reached the most fascinating part of the code because it gave the answer to the question I was looking for. The extendPeerOrg function internally calls the function generateNodes. This function decides whether the crypto material would be regenerated or not.

After looking into the code of this function, I found out that on the basis of the path it checks if the certificate material has been previously generated or not. If the path of a new peer is not present in the base directory it calls the GenerateLocalMSP function of MSP.

func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int, nodeOUs bool) { for _, node := range nodes {
 nodeDir := filepath.Join(baseDir, node.CommonName)
 if _, err := os.Stat(nodeDir); os.IsNotExist(err) {
 err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType, nodeOUs)
 if err != nil {
 fmt.Printf(“Error generating local MSP for %s:\n%v\n”, node, err)
 os.Exit(1)
   }
  }
 }
}

Now coming to what the GenerateLocalMSP function does. It does the following things:

  1. It creates a folder structure for the new entity.
  2. Gets the Keystore path and eventually generates the private key of the new peer by using the function GeneratePrivateKey.
  3. On the basis of the private key, the public key is extracted by using the function GetECPublicKey.
  4. After that, it generates a X509 certificate using signing CA.
  5. And lastly, the artifacts are moved to their respective MSP folders.
keystore := filepath.Join(mspDir, “keystore”) // generate private key
 priv, _, err := csp.GeneratePrivateKey(keystore)
 if err != nil {
 return err
 } // get public key
 ecPubKey, err := csp.GetECPublicKey(priv)
 if err != nil {
 return err
 }cert, err := signCA.SignCertificate(filepath.Join(mspDir, “signcerts”),
 name, ous, nil, ecPubKey, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
 if err != nil {
 return err
 }

After all the above steps, admin certs are copied to the org’s peer’s MSP admin certs folder. So after digging up the code, I figured out that only new certificates are generated and the old ones are kept untouched. To support my findings I am going to share the time log of the extended certificates generation:

drwxr-xr-x 4 deepaks deepaks 4096 Jul 22 10:07 peer0.org1.example.comdrwxr-xr-x 4 deepaks deepaks 4096 Jul 22 10:20 peer1.org1.example.com

It’s quite evident from the logs that once the key material has been generated it won’t tamper with existing certificates when generating new crypto material. The above screenshot depicts when peer1 certificates were generated peer0 crypto material was not altered.

Hence it could be summarised that the cryptogen extend command allows one to extend an existing network, generating all the additional key material needed by the newly added entities without affecting the existing crypto material.

Hyperledger is a registered trademark of the Linux Foundation which hosts the Hyperledger Fabric project. Fabric code excerpts are copyright IBM Corp. 

About the Author

Deepak Singh, DLT Labs

Deepak is a blockchain expert at DLT Labs. He likes to explore software codes and algorithms at an elementary level.

#DLTLabs #hyperledgerfabric #blockchain #hyperledger

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
DLT Labs

DLT Labs™ is a global leader in the development and delivery of enterprise blockchain technologies and solutions, as well as a pioneer in the creation and implementation of standards for application development. With a deep track record in innovation and one of the world's largest pools of highly experienced blockchain experts, DLT Labs™ enables the transformation and innovation of complex multi-stakeholder processes.

Related blogs
See all
images

The Role of Digital Twins in Optimi...

Aeologic Technologie..

35

AI Inside
20 Sep 2024
images

Net Zero Emissions for IT companies...

Centaur Digital Pvt ..

40

AI
20 Sep 2024
images

AI-driven vulnerability scanning: A...

Opcito Technologies

15

Cyber Security ..
17 Sep 2024
images

From Diagnostics to Digital Care: H...

Dhiraj Sharma

35

Digital Transfo..
15 Sep 2024
images

Article: Forging resilient supply c...

Sigmoid

7

Data Science &a..
13 Sep 2024
images

AI for Legal Research: Use Cases, B...

Maruti Techlabs

24

Data Science &a..
13 Sep 2024
images

How Energy and Utilities Businesses...

Intelliswift Softwar..

58

Energy & Ut..
09 Sep 2024
images

How to choose the right vulnerabili...

Opcito Technologies

10

Cyber Security ..
09 Sep 2024
images

How to Manage your Data Science Pro...

Maruti Techlabs

20

Data Science &a..
06 Sep 2024
images

How Will Generative AI Affect Indus...

Bhavika

90

IT Services
03 Sep 2024
images

Part 2: Industry 5.0 beckons - Navi...

Shwetank

99

Manufacturing
02 Sep 2024
images

Explainable Root Cause Analysis in ...

Cyient

13

Mobile & We..
02 Sep 2024
images
How to launch a cryptocurrency exchange using white-label crypto solutions
images
Pooja Negi
@poojanegi

11 Jul 2024

Blockchain Fintech

  Cryptocurrency has emerged as a new asset class, particularly in light of its quick spike in value earlier this year. For the first time, the total value of the cryptocurrency market has surpassed $2 trillion. The cryptocurrency realm is…

Read More

images
Blockchain Developments Trends 2024: Unveiling The Future Of Decentralization
images
Shifali Roy
@shifali8990

11 Jul 2024

Blockchain Industry Trends

Blockchain is one of the innovations in the constantly changing field of technology that has the most potential for revolution and has captured the interest of people. Blockchain technology was first made widely known by cryptocurrency like Bitcoin…

Read More

images
Why Content Marketing is Key for Your Cryptocurrency Business Success?
images
Sneha Ahlawat
@snehawt15

11 Jul 2024

Blockchain Sales & Marketing

In the fast-evolving world of cryptocurrency, where innovation and adoption rates fluctuate daily. Establishing a robust presence and building trust are paramount for business success. One of the most effective strategies in achieving these goals is…

Read More

images
Enterprise Blockchain Development Services: Transforming Business Operations
images
Nick williams
@nickwilliams

02 Jul 2024

Blockchain Emerging Tech

In today's digital age, blockchain technology is revolutionizing industries by providing a decentralized, secure, and transparent way to record transactions. While often associated with cryptocurrencies, blockchain's potential extends far beyond…

Read More

images
The Ultimate Guide to Choosing Between White-Label and Custom Crypto Exchanges in 2024
images
Pooja Negi
@poojanegi

01 Jul 2024

Fintech Blockchain

  Gil Penchina once said, 'Mobile was Internet 2.0. It changed everything. Crypto is Internet 3.0'. It shows the importance of cryptocurrencies in the upcoming generation. This blog will teach us about the marketplace needed to buy/sell digital…

Read More

images
Localized Crypto Marketing: Tailoring Strategies for Global Markets
images
shyam singh
@shyamsingh

24 Jun 2024

Blockchain BFSI Fintech

In the rapidly evolving world of cryptocurrencies, marketing strategies need to be as dynamic and adaptable as the technology itself. One-size-fits-all approaches are increasingly ineffective in a global market characterized by diverse cultural,…

Read More

About Us
Knowledge Center
In the News

© Copyright nasscom. All Rights Reserved.