
Re: Peer failed getting private key from HSM

Carlos Eduardo Matos Ellery
 

Thank you Brett, Gari and Ashutosh for the support!

We tried the AltID approach, but found that the key manually generated by the HSM team didn't have a CKA_ID either. We then modified this attribute of the key to match the hex of the AltID we defined. Indeed, Fabric found the private key, but it turns out that it searched for the public key too (pkcs11.go:145)! As the HSM didn't have the public key (and we couldn't import it to the HSM), the peer still failed to start :(

Finally, we had the idea to use the Fabric-CA server init process to create a whole new key pair on the HSM the way Fabric likes. Our external CA then issued a new certificate based on that new key pair. This is working fine on Fabric 1.4.4! But we are trying to use 1.4.7, because we had issues with invalid HSM sessions (bug solved in 1.4.7).

So, the peer starts on 1.4.4 but doesn't on 1.4.7. The new problem that arises is the following (complete log available at https://pastebin.com/AfNGd2JW):

panic: Failed putting our own identity into the identity mapper: failed classifying identity: Unable to extract msp.Identity from peer Identity: identity is not well formed: failed unmashalling signature [asn1: structure error: tags don't match (16 vs {class:1 tag:27 length:64 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} ECDSASignature @2]

Any hints?

Thanks in advance!

Carlos Eduardo Matos Ellery

On 25/06/2020 07:22, Gari Singh wrote:

The easiest thing to do is to find the CKA_ID attribute of the private key stored in the HSM and then set the AltID property for the PKCS11 BCCSP.
AltID was added in 1.4.6 as I recall to help facilitate this type of config.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: carlos.ellery@...
From: "Brett T Logan"
Sent by: fabric@...
Date: 06/24/2020 07:57PM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Peer failed getting private key from HSM

Are you setting up the peer and orderer to communicate with the external CA's HSM?
Did you generate the CSR yourself, and thus you have the private key and you provided it to them for import, or did the external CA provider generate everything and they fully own the private key? BCCSP doesn't use the SKI extension of the cert, it computes its own SKI by doing a SHA256 over the private key, the corresponding public signing cert is named with this SKI (SHA256) of the private key. If you had the private key (or access to it via PKCS11) you could perform the same operation BCCSP does to compute the SHA256 SKI.
Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890
E-mail: brett.t.logan@...
----- Original message -----
From: "Carlos Eduardo Matos Ellery" <carlos.ellery@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Peer failed getting private key from HSM
Date: Wed, Jun 24, 2020 7:11 PM
Hi everyone,

I'm trying to use a certificate issued by an external CA through an HSM integration but it's not working. The peer node (v1.4.7) doesn't start and gives the following output (complete log available at https://pastebin.com/J6npgd6G):

...
2020-06-24 22:32:42.176 UTC [bccsp_p11] getSession -> DEBU 038 Reusing existing pkcs11 session 1 on slot 1
2020-06-24 22:32:42.231 UTC [msp] getSigningIdentityFromConf -> DEBU 039 Could not find SKI [d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c], trying KeyMaterial field: Key with SKI d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c not found in msp/keystoreFailed getting key for SKI [[214 159 229 72 115 120 224 145 78 141 101 135 1 40 168 212 181 93 5 165 2 196 93 173 222 163 12 116 82 161 254 44]]
...
2020-06-24 22:32:42.231 UTC [main] InitCmd -> ERRO 03a Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: KeyMaterial not found in SigningIdentityInfo

I've found that my certificate (located at msp/signcerts) doesn't have the SKID extension (https://tools.ietf.org/html/rfc3280#section-4.2.1.2) and the CA's tech support has the excuse that this is a non-critical extension for end certificates. Now, is there a way BCCSP can find the corresponding private key of my certificate on the HSM?


Thanks for the help,
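
Brett's point above, that BCCSP ignores the certificate's SKID extension and derives its own SKI from the key, can be checked against the "Could not find SKI [...]" log value with the following Go program. It is an added example, not code from the thread or from Fabric itself: it reproduces Fabric's SKI derivation (SHA-256 over the public key's uncompressed EC point), and the self-signed certificate and the name `peer0.example.com` are constructed stand-ins for the external CA's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// FabricSKI reproduces how Fabric's BCCSP derives the SKI of an ECDSA key:
// SHA-256 over the uncompressed EC point (0x04 || X || Y) of the public key.
// The peer prints this value in "Could not find SKI [...]" and the PKCS11
// BCCSP looks for key objects whose CKA_ID equals it (unless AltID is set,
// in which case AltID is used for the lookup instead).
func FabricSKI(pub *ecdsa.PublicKey) []byte {
	point := elliptic.Marshal(pub.Curve, pub.X, pub.Y)
	sum := sha256.Sum256(point)
	return sum[:]
}

// SKIFromCertPEM parses a PEM signcert and derives the Fabric SKI from the
// public key it carries. It also reports whether the X.509 SubjectKeyId
// extension is present, which Fabric never consults for the lookup, so its
// absence (the CA's position in the thread) does not by itself explain the
// failure. In the software keystore the private key file is "<ski>_sk".
func SKIFromCertPEM(certPEM []byte) (skiHex string, hasSKID bool, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", false, fmt.Errorf("parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", false, fmt.Errorf("certificate key is %T, not ECDSA", cert.PublicKey)
	}
	return hex.EncodeToString(FabricSKI(pub)), len(cert.SubjectKeyId) > 0, nil
}

// NewSelfSignedECCert is a constructed stand-in for the external CA: it
// generates a P-256 key pair and a self-signed end-entity certificate that,
// like the one in the thread, carries no SubjectKeyId extension.
func NewSelfSignedECCert() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer0.example.com"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	priv, certPEM, err := NewSelfSignedECCert()
	if err != nil {
		panic(err)
	}
	skiHex, hasSKID, err := SKIFromCertPEM(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cert carries SKID extension:  %v\n", hasSKID)
	fmt.Printf("Fabric SKI / expected CKA_ID: %s\n", skiHex)
	fmt.Printf("software keystore filename:   %s_sk\n", skiHex)
	// A team holding the private key can derive the same value from its public half.
	fmt.Printf("SKI from private key matches: %v\n",
		hex.EncodeToString(FabricSKI(&priv.PublicKey)) == skiHex)
}
```

Run against a real signcert, the printed SKI is the hex the peer logs and the CKA_ID the HSM key pair (both private and public objects) must carry for the default lookup to succeed.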


Re: etcdraft architecture question

Chris Davidson
 

Gari,
Thanks a lot. I did have a look at the RFC - FAB-17712. This is exactly what was wanted.
Will take this into consideration in the architecture.
Regards,
CD


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Monday, June 29, 2020 6:36 PM, Gari Singh <garis@...> wrote:

Currently, you'd add Node D to the system channel. The system channel essentially tracks all potential cluster members for application channels.
We have an RFC approved and development underway to remove the need to use a system channel for Raft and still allow individual Raft nodes to join multiple channels.

-----------------------------------------

Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...

-----------------------------------------

-----fabric@... wrote: -----
To: "fabric@..." fabric@...
From: "Chris Davidson via lists.hyperledger.org"
Sent by: fabric@...
Date: 06/29/2020 08:55AM
Subject: [EXTERNAL] [Hyperledger Fabric] etcdraft architecture question

Hi,
We are currently evaluating multiple blockchain solutions for a large FSI customer. There is one open issue that I was unable to find an answer to.
Let's say that there are 3 orgs participating in a channel. To set up a RAFT-based ordering system,

1. I create a system channel and generate the genesis block using configtxgen. This is defined in configtx.yaml. I also add the addresses of all the orgs participating in the channel as consenters. (All the orgs will also have an orderer). This is generated on one node, say Node A.
2. This block is now manually copied to other nodes - Node B and Node C.
3. Orderer is started and things work fine.
Now, if a second channel needs to be created with the following participants: Node A, Node C and Node D.
I would prefer that there is only one orderer per Node. So
a) Should the system channel be modified to include Node D also (or) should we create a different system channel?
Architecturally what is the recommended approach when there are multiple channels and different participants for every channel?
Thanks in advance
CD

Sent with ProtonMail Secure Email.



Re: etcdraft architecture question

Gari Singh <garis@...>
 

Currently, you'd add Node D to the system channel. The system channel essentially tracks all potential cluster members for application channels.
We have an RFC approved and development underway to remove the need to use a system channel for Raft and still allow individual Raft nodes to join multiple channels.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: "fabric@..." <fabric@...>
From: "Chris Davidson via lists.hyperledger.org"
Sent by: fabric@...
Date: 06/29/2020 08:55AM
Subject: [EXTERNAL] [Hyperledger Fabric] etcdraft architecture question

Hi,
We are currently evaluating multiple blockchain solutions for a large FSI customer. There is one open issue that I was unable to find an answer to.
Let's say that there are 3 orgs participating in a channel. To set up a RAFT-based ordering system,
1. I create a system channel and generate the genesis block using configtxgen. This is defined in configtx.yaml. I also add the addresses of all the orgs participating in the channel as consenters. (All the orgs will also have an orderer). This is generated on one node, say Node A.
2. This block is now manually copied to other nodes - Node B and Node C.
3. Orderer is started and things work fine.
Now, if a second channel needs to be created with the following participants: Node A, Node C and Node D.
I would prefer that there is only one orderer per Node. So
a) Should the system channel be modified to include Node D also (or) should we create a different system channel?
Architecturally what is the recommended approach when there are multiple channels and different participants for every channel?
Thanks in advance
CD


Sent with ProtonMail Secure Email.


etcdraft architecture question

Chris Davidson
 

Hi,
We are currently evaluating multiple blockchain solutions for a large FSI customer. There is one open issue that I was unable to find an answer to.
Let's say that there are 3 orgs participating in a channel. To set up a RAFT-based ordering system,
1. I create a system channel and generate the genesis block using configtxgen. This is defined in configtx.yaml. I also add the addresses of all the orgs participating in the channel as consenters. (All the orgs will also have an orderer). This is generated on one node, say Node A.
2. This block is now manually copied to other nodes - Node B and Node C.
3. Orderer is started and things work fine.
Now, if a second channel needs to be created with the following participants: Node A, Node C and Node D.
I would prefer that there is only one orderer per Node. So
a) Should the system channel be modified to include Node D also (or) should we create a different system channel?
Architecturally what is the recommended approach when there are multiple channels and different participants for every channel?
Thanks in advance
CD


Sent with ProtonMail Secure Email.


Re: hyperledger composer installation on ubuntu 18.04 #blockchain-explorer

Rob Murgai <murgai@...>
 

Hi Priyanka, 
 
Can you share what you were looking to do with composer?
 
Best,

S Rob Murgai
Program Director - Hyperledger Fabric 
IBM Blockchain
Raleigh-Durham, NC
M: 919.342.8432 LinkedIn: Rob-Murgai
 
 

----- Original message -----
From: "Kamlesh Nagware" <kamlesh.nagware@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] hyperledger composer installation on ubuntu 18.04 #blockchain-explorer
Date: Sun, Jun 28, 2020 9:57 PM
 
Hi Priyanka, the Hyperledger Fabric Composer project is deprecated and no longer active for use. I would recommend using native Hyperledger Fabric.
--

Thanks & Regards,

Kamlesh Nagware

VP Blockchain

Snapper Future Tech

Mobile : +91 9511 2213 01

Web: http://www.snapperfuturetech.com/

 


Fast way of restarting Fabric v2 network for development? #fabric #docker

dobroslaw.zybort@...
 

Hello,

I would like to know what is the fastest way of developing chaincode and fabric-node-sdk with fabric v2 at the same time?

For now we are using `fabric-samples/test-network` but it takes over 3 minutes to start (using CouchDB, with some sed-ing in `test-network/scripts/deployCC.sh` to point it to our folder with chaincode, and copying generated certificate files to our rest api folder).

I would like to have a really fast restart of our whole backend for development; we are using typescript for the rest api to communicate between frontend and blockchain.
Now we simply restart only the rest api on its code change (with ts-node-dev) but I would like to restart everything every time (so also restart everything on chaincode change).
So I'm looking for a fast way of starting the whole blockchain part (something that starts in under 10 seconds).

I see there is `fabric-samples/chaincode-docker-devmode` but as far as I can see it's only for developing the chaincode part (so not good for my needs, but it starts fast).
There is also Network Launcher (https://github.com/hyperledger/fabric-test/tree/master/tools/NL) but it's only for Fabric v1 so also not useful for me.

Is there any other way for developing everything and that is fast to restart?

With best regards,

Dobroslaw Zybort


Re: hyperledger composer installation on ubuntu 18.04 #blockchain-explorer

Kamlesh Nagware
 

Hi Priyanka, the Hyperledger Fabric Composer project is deprecated and no longer active for use. I would recommend using native Hyperledger Fabric.
--

Thanks & Regards,

Kamlesh Nagware

VP Blockchain

Snapper Future Tech

Mobile : +91 9511 2213 01

Web: http://www.snapperfuturetech.com/


hyperledger composer installation on ubuntu 18.04 #blockchain-explorer

goyal.priyanka777@...
 

Hey, I am new in blockchain. I was searching for hyperledger fabric composer installation guide for ubuntu 18.04 but I am not able to find one which actually works. Can anyone help me out? I will be thankful to you.


Hyperledger Fabric Documentation Workgroup call - Western hemisphere - Fri, 06/26/2020 #cal-notice

fabric@lists.hyperledger.org Calendar <noreply@...>
 

Hyperledger Fabric Documentation Workgroup call - Western hemisphere

When:
Friday, 26 June 2020
4:00pm to 5:00pm
(GMT+01:00) Europe/London

Where:
https://zoom.us/j/6223336701

Organizer:
a_o-dowd@... +441962816761

Description:
Documentation workgroup call.
Agenda, minutes and recordings: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group


Upcoming Event: Hyperledger Fabric Documentation Workgroup call - Western hemisphere - Fri, 06/26/2020 4:00pm-5:00pm #cal-reminder

fabric@lists.hyperledger.org Calendar <fabric@...>
 

Reminder: Hyperledger Fabric Documentation Workgroup call - Western hemisphere

When: Friday, 26 June 2020, 4:00pm to 5:00pm, (GMT+01:00) Europe/London

Where: https://zoom.us/j/6223336701


Organizer: Anthony O'Dowd a_o-dowd@... +441962816761

Description: Documentation workgroup call.
Agenda, minutes and recordings: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group


Re: How to verify RAFT health in HLF version 1.4.4 #raft

Jason Yellick <jyellick@...>
 

Not in Fabric v1.4.x.  There is a recently approved RFC for an Orderer Channel Participation API.  https://github.com/hyperledger/fabric-rfcs/pull/24

This new API will enable easier and more direct management of channels and ordering, but this is still a work in progress.

~Jason
 

----- Original message -----
From: "shrugupt via lists.hyperledger.org" <shrugupt=microsoft.com@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] How to verify RAFT health in HLF version 1.4.4 #raft
Date: Fri, Jun 26, 2020 5:25 AM
 
On Fri, Jun 19, 2020 at 06:14 AM, Jason Yellick wrote:
OSN
Thanks Jason for the response. This information is useful.

Is there any way to identify the application channel(s) that an OSN is part of? In the Fabric NodeJsSDK, there is a "queryChannels" API but it works only for peer nodes. I could not find any such API for the orderer node.
 


Removal of BYFN from Fabric 2.2 release

Pam Andrejko
 

As many of you know, BYFN has been **deprecated** since Fabric 2.0 and has been replaced with the very successful Test Network and the Production Network Deployment Guide. For the next Fabric 2.2 release, we plan to completely remove the instructions from the Fabric Documentation and Samples. If you've bookmarked a BYFN URL, in Fabric v2.2 you will see a message that the sample has been removed with links pointing you to the Getting Started with the Test Network and Deployment Guide. We've also updated all tutorials to use the Test Network instead of BYFN, removing all references to it from the Documentation.

BYFN will still be available in the Fabric v1.2, 2.0, and 2.1 branches in case anyone still needs to access it.

If you have any concerns about the removal, please comment now.

Pam Andrejko


Re: How to verify RAFT health in HLF version 1.4.4 #raft

shrugupt@...
 

On Fri, Jun 19, 2020 at 06:14 AM, Jason Yellick wrote:
OSN
Thanks Jason for the response. This information is useful.

Is there any way to identify the application channel(s) that an OSN is part of? In the Fabric NodeJsSDK, there is a "queryChannels" API but it works only for peer nodes. I could not find any such API for the orderer node.


Hyperledger Fabric Documentation Workgroup call - Eastern hemisphere - Fri, 06/26/2020 #cal-notice

fabric@lists.hyperledger.org Calendar <noreply@...>
 

Hyperledger Fabric Documentation Workgroup call - Eastern hemisphere

When:
Friday, 26 June 2020
6:00am to 7:00am
(GMT+01:00) Europe/London

Where:
https://zoom.us/j/6223336701

Organizer:
a_o-dowd@... +441962816761

Description:
Documentation workgroup call.
Agenda, minutes and recordings: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group


Documentation Workgroup: Agenda for Friday, 26 June

Anthony O'Dowd <a_o-dowd@...>
 

Hi All,

We will hold the documentation workgroup calls this Friday -- with both an Eastern hemisphere and Western hemisphere call. Please feel free to come along, you're always very welcome.

The whole workgroup would like to thank Nik Gupta for his amazing work over the recent years on Hyperledger Fabric documentation. Nik has taken a new role in IBM which means that unfortunately he'll not be able to contribute to the workgroup, both in terms of technical content and direction. We wish Nik the very best in his new role and thank him again for his outstanding contributions. Thank you Nik.

You can read about last week's calls at https://wiki.hyperledger.org/display/fabric/2020+06+19+DWG+Agenda You'll see significant minutes for both the Eastern and Western hemisphere calls, and recordings for both sessions. Our Eastern and Western hemisphere calls are very well attended at the moment -- thanks to all for your contributions and collaboration.

Our Eastern hemisphere call had excellent contributions from the Japanese and Malayalam working group teams. We reviewed the new i18n repository structure and how to use it. Our Japanese, Brazilian, Malayalam and Chinese language teams are now populating this repository, which is great to see. You will see that the language workgroups are already starting to grow: https://wiki.hyperledger.org/display/fabric/International+groups Please feel free to connect with these teams if you're interested in language translations.

Our Western hemisphere call kept us up to date with these as we approach 2.2! Pam and Joe always give us a great release summary, allowing you to quickly get a perspective on the new release. The i18n language repository was discussed, and after the maintainers meeting this week, we'll be discussing translation processes in more detail tomorrow, both on the western and eastern hemisphere calls. Renato shared excellent progress on Brazilian Portuguese. David led a great discussion on when we can start a Contribution campaign to encourage more writers to start to contribute, which could include a contribute-a-thon, videos and more:
https://wiki.hyperledger.org/display/events/Contribute-a-thon+Marketing+Campaign+Outline There was a lively discussion on deprecated content and how it might be best structured in the docs with great suggestions from Jim, Pam and Chris.

You can catch up with the full recordings and other sessions: https://wiki.hyperledger.org/display/fabric/Recordings

See https://wiki.hyperledger.org/display/fabric/2020+06+26+DWG+Agenda for this week's agenda for the eastern and western hemisphere calls.

Please feel free to contribute using the wiki, including helping to build next week's agenda: https://wiki.hyperledger.org/display/fabric/2020+07+03+DWG+Agenda

Thanks!

Pam, Anthony,  Joe

Meeting Details
-------------
Please use the following link to attend the meeting:  https://zoom.us/j/6223336701

The meeting times are as follows: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group

Meeting 134A: Friday 26 June
    1130 India Standard Time
    1400 China Standard Time
    1500 Japan Standard Time
    1700 Australia Eastern Time
    1400 Singapore Time
    1100 Gulf Standard Time
    1000 Moscow Standard Time
    0700 Greenwich Mean Time
    0800 Central European Time

Meeting 134B: Friday 26 June
    1100 Central Daylight Time
    1200 Eastern Daylight Time
    0900 Pacific Daylight Time
    1400 Brasil Time (BRT)
    1600 Greenwich Mean Time
    1700 Central European Time
    1800 Moscow Standard Time

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


Time based trigger in Chaincode

Hritik Gupta <hritikgupta9@...>
 

Hi all!

This is an extension to one of the ideas discussed about a seller-bidder architecture in the following link: https://lists.hyperledger.org/g/fabric/message/7554.

I have used a similar paradigm for bidding as suggested by David. Since, in this case, the seller has to invoke the chaincode to close the auction, I wonder if this closure can be automated/triggered by passing an end-time timestamp along with the other metadata while starting the auction. Or does there exist a better workaround to accomplish this? (rather than having to constantly poll for the current time and compare it with the end time to decide on closure)

Appreciate any help!

Thanks and regards.

--

Hritik Gupta

B.Tech, Computer Science and Engineering

Indian Institute of Technology

Mandi, Himachal Pradesh – 175005

+91-7838869482 | b16097@...



Homebrew Fabric Archival Proposal

Brett T Logan <brett.t.logan@...>
 

Hello Everyone,
 
As analytics tell us, most of you probably DON'T know, but Fabric has a repository github.com/hyperledger/homebrew-fabric which hosts a homebrew tap for installing the fabric-binaries. This has existed for years, though we haven't advertised it. We recently took a look at the homebrew analytics for it and discovered since its inception it has only been installed less than a dozen times.
 
We are proposing to retire the repository due to its low traction. We are proposing a two-week grace period that would see the repo archived on July 9th. If you want to voice opinions on this archival, please do so now so we can discuss compelling reasons why we might keep this around.
 
Thank you,
 
Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890
 


Hyperledger Fabric Application Developer Community call -- today's call (Thursday 25th June) has been CANCELLED please note

Paul O'Mahoney <mahoney@...>
 

please note that today's call has been cancelled - the next call planned is on 9th July.

best regards Paul

Paul O'Mahony
Community Lead - Hyperledger Fabric Developer Community
RocketChat:  mahoney1
mahoney@...

----- Forwarded by Paul O'Mahoney/UK/IBM on 25/06/2020 14:37 -----

From:        Paul O'Mahoney/UK/IBM
To:        fabric@...
Date:        22/06/2020 09:49
Subject:        Next Hyperledger Fabric Application Developer Community call  -- this Thursday 25th June @ 3pm UTC time: 4pm UK, 11am ET, 8am PT




dear Fabric Application Developer,


the next Fabric Application Developer community call is: Thursday 25th June - 3pm UTC, 4pm UK time (+1), 11am ET (-5 hrs), 8am PT (-8 hrs) - other time zones here. It lasts approx 30-60 mins FYI.

The agenda will be posted here -> https://wiki.hyperledger.org/display/fabric/Agendas%3A+Fabric+Application+Developer+Community+Call+Meetings  

This community call is held bi-weekly via Zoom webconference and is aimed at :

- helping the worldwide Hyperledger Fabric Application Developer community grow (eg. developing applications, smart contracts, client apps using the SDKs, tutorials/demos etc -  eg using NodeJS/TypeScript, Java, Go etc etc) 
- helping app developers understand / hear more about exciting new things in Fabric, eg. features upcoming or work in progress - ie things that appeal to the developer
- foster more interest, best practices etc in developing applications (eg developing solutions, use cases) with Hyperledger Fabric. 
- opportunity to ask questions of the Fabric team eg. you may have feedback/questions on your experiences developing solutions with Fabric
- to share stuff you've done with the community, eg sample code / sample use cases that others may be interested in

If you wish to share content on a call, just let me know via email direct or DM me on Rocketchat (ID: mahoney1) and I'll put an item on the agenda. Provide the following:
- the topic (state whether it's a presentation, or demo etc)
- the full name of the presenter, and 
- approx length of your pitch in minutes


The Zoom webconference ID is https://zoom.us/my/hyperledger.community   

More information can be found on the community page -> https://wiki.hyperledger.org/display/fabric/Fabric+Application+Developer+Community+Calls

You can get calendar invites (eg iCal) here

many thanks for your time - feel free to forward this email if you think it is of interest to a colleague.

Paul O'Mahony
Community Lead - Hyperledger Fabric Developer Community
RocketChat:  mahoney1

mahoney@...


Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU



Re: Peer failed getting private key from HSM

Gari Singh <garis@...>
 

The easiest thing to do is to find the CKA_ID attribute of the private key stored in the HSM and then set the AltID property for the PKCS11 BCCSP.
AltID was added in 1.4.6 as I recall to help facilitate this type of config.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: carlos.ellery@...
From: "Brett T Logan"
Sent by: fabric@...
Date: 06/24/2020 07:57PM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Peer failed getting private key from HSM

Are you setting up the peer and orderer to communicate with the external CA's HSM?

Did you generate the CSR yourself, and thus you have the private key and you provided it to them for import, or did the external CA provider generate everything and they fully own the private key? BCCSP doesn't use the SKI extension of the cert, it computes its own SKI by doing a SHA256 over the private key, the corresponding public signing cert is named with this SKI (SHA256) of the private key. If you had the private key (or access to it via PKCS11) you could perform the same operation BCCSP does to compute the SHA256 SKI.

Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890
E-mail: brett.t.logan@...

----- Original message -----
From: "Carlos Eduardo Matos Ellery" <carlos.ellery@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Peer failed getting private key from HSM
Date: Wed, Jun 24, 2020 7:11 PM

Hi everyone,

I'm trying to use a certificate issued by an external CA through an HSM integration but it's not working. The peer node (v1.4.7) doesn't start and gives the following output (complete log available at https://pastebin.com/J6npgd6G):

...
2020-06-24 22:32:42.176 UTC [bccsp_p11] getSession -> DEBU 038 Reusing existing pkcs11 session 1 on slot 1
2020-06-24 22:32:42.231 UTC [msp] getSigningIdentityFromConf -> DEBU 039 Could not find SKI [d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c], trying KeyMaterial field: Key with SKI d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c not found in msp/keystoreFailed getting key for SKI [[214 159 229 72 115 120 224 145 78 141 101 135 1 40 168 212 181 93 5 165 2 196 93 173 222 163 12 116 82 161 254 44]]
...
2020-06-24 22:32:42.231 UTC [main] InitCmd -> ERRO 03a Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: KeyMaterial not found in SigningIdentityInfo

I've found that my certificate (located at msp/signcerts) doesn't have the SKID extension (https://tools.ietf.org/html/rfc3280#section-4.2.1.2) and the CA's tech support has the excuse that this is a non-critical extension for end certificates. Now, is there a way BCCSP can find the corresponding private key of my certificate on the HSM?


Thanks for the help,
--
Carlos Eduardo Matos Ellery


Upcoming Event: Hyperledger Fabric Documentation Workgroup call - Eastern hemisphere - Fri, 06/26/2020 6:00am-7:00am #cal-reminder

fabric@lists.hyperledger.org Calendar <fabric@...>
 

Reminder: Hyperledger Fabric Documentation Workgroup call - Eastern hemisphere

When: Friday, 26 June 2020, 6:00am to 7:00am, (GMT+01:00) Europe/London

Where: https://zoom.us/j/6223336701


Organizer: Anthony O'Dowd a_o-dowd@... +441962816761

Description: Documentation workgroup call.
Agenda, minutes and recordings: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group