fabric@lists.hyperledger.org

Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Yacov

#7091

My point with 7051 was merely to say that there is only a single port that you need to map via a port forwarding rule in a firewall, not several.

From: "email4tong@..." <email4tong@...>
To:
Cc: fabric@...
Date: 10/31/2019 04:21 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...

Yacov,
When get stuff running on k8s and behind load balancer or proxy, you do not get chance to use port 7051. As a matter of fact, on k8s in majority of cases your port wont be 7051, that does not mean other ports are not open. Just saying that we should not assume that it will be always port 7051.

On Thursday, October 31, 2019, 9:33:59 AM EDT, Yacov <yacovm@...> wrote:

If you have trouble opening ports between companies, you shouldn't use a Blockchain at all, since Blockchain is a decentralized peer to peer protocol.

All peer to peer communication works through the same port (7051 by default), it's not like you need to open extra ports.

From: arnes_chuzf@...
To: fabric@...
Date: 10/31/2019 03:27 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...

Hi Dave, Alexandre, Yacov, Ivan

I think private data’s p2p connection is a real problem (partially agree with Ivan).

In some commercial scenario, we need to open firewalls for every company connecting to each other, which is a disaster for project deployment.

And that is not the end of story. When a new company needs to join the existing fabric network, it needs to connect to each company. Again, we need to open firewalls, not only for the one newly joining, but also for those already joined. Hard to explain to everyone why a new company joining leads to such a tremendous configuration change. You don’t know how terrible it is you get challenged by IT departments of those companies ONE BY ONE, and you have no solution.

Do you have solution for such issue?

Thank you all

Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

email4tong@gmail.com

#7090

Yacov,
  When get stuff running on k8s and behind load balancer or proxy, you do not get chance to use port 7051. As a matter of fact, on k8s in majority of cases your port wont be 7051, that does not mean other ports are not open. Just saying that we should not assume that it will be always port 7051.

On Thursday, October 31, 2019, 9:33:59 AM EDT, Yacov <yacovm@...> wrote:

If you have trouble opening ports between companies, you shouldn't use a Blockchain at all, since Blockchain is a decentralized peer to peer protocol.

All peer to peer communication works through the same port (7051 by default), it's not like you need to open extra ports.

From: arnes_chuzf@...
To: fabric@...
Date: 10/31/2019 03:27 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...

Hi Dave, Alexandre, Yacov, Ivan

I think private data’s p2p connection is a real problem (partially agree with Ivan).

In some commercial scenario, we need to open firewalls for every company connecting to each other, which is a disaster for project deployment.

And that is not the end of story. When a new company needs to join the existing fabric network, it needs to connect to each company. Again, we need to open firewalls, not only for the one newly joining, but also for those already joined. Hard to explain to everyone why a new company joining leads to such a tremendous configuration change. You don’t know how terrible it is you get challenged by IT departments of those companies ONE BY ONE, and you have no solution.

Do you have solution for such issue?

Thank you all

Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Yacov

#7089

If you have trouble opening ports between companies, you shouldn't use a Blockchain at all, since Blockchain is a decentralized peer to peer protocol.

All peer to peer communication works through the same port (7051 by default), it's not like you need to open extra ports.

From: arnes_chuzf@...
To: fabric@...
Date: 10/31/2019 03:27 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...

Hi Dave, Alexandre, Yacov, Ivan

I think private data’s p2p connection is a real problem (partially agree with Ivan).

In some commercial scenario, we need to open firewalls for every company connecting to each other, which is a disaster for project deployment.

And that is not the end of story. When a new company needs to join the existing fabric network, it needs to connect to each company. Again, we need to open firewalls, not only for the one newly joining, but also for those already joined. Hard to explain to everyone why a new company joining leads to such a tremendous configuration change. You don’t know how terrible it is you get challenged by IT departments of those companies ONE BY ONE, and you have no solution.

Do you have solution for such issue?

Thank you all

Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

arnes_chuzf@...

#7088

Hi Dave, Alexandre, Yacov, Ivan

I think private data’s p2p connection is a real problem (partially agree with Ivan).

In some commercial scenario, we need to open firewalls for every company connecting to each other, which is a disaster for project deployment.

And that is not the end of story. When a new company needs to join the existing fabric network, it needs to connect to each company. Again, we need to open firewalls, not only for the one newly joining, but also for those already joined. Hard to explain to everyone why a new company joining leads to such a tremendous configuration change. You don’t know how terrible it is you get challenged by IT departments of those companies ONE BY ONE, and you have no solution.

Do you have solution for such issue?

Thank you all

Docker Image Pulling - ERROR: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority #fabric #docker

soumya nayak <soumyarjnnayak@...>

#7087

Hi Team,

While pulling the orderer image i am getting the below issue . Any idea ?

Environment - Azure - Ubuntu VM - 16.04 LTS

```
Pulling orderer3 (hyperledger/fabric-orderer:1.4.3)...
ERROR: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority

Channel Registration Failed

White, Spencer (S.)

#7086

Hello,

I am getting "channel registration failed" when running peer chaincode instantiate, a similar error identified in these two JIRA issues:

Any advice? The issues are closed. I am able to deploy a go chaincode in the network, but not a node chaincode.

Node Version: 10.15.3

NPM Version: 6.4.1

Go Version: go1.11 darwin/amd64

Spencer

Invitation to a research oriented blockchain developer conference - Genesis DevCon

Suzana Joel <suzana.joel@...>

#7085

Hi,

I am Suzana Joel from IBC Media. I'd like to invite you to Genesis DevCon - a blockchain developer conference on the 24th & 25th of November at NSSC, IISc, Bengaluru.

The objective of Genesis DevCon is to educate developers on recent developments in blockchain technology by bringing in some of the brilliant minds from India & across the globe.

There's a special discount for members of the Hyperledger Fabric community.

Coupon Code: GENESIS250

Buy Now

Coupon Code: GENESIS250

Buy Now

I really hope to see you at the conference.

Thanks & regards,
Suzana Joel

ᐧ

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This message and any files or text attached to it are intended only for the recipients named above, contain information that is confidential or privileged. If you are not an intended recipient, you must not read, copy, use or disclose this communication. Please also notify the sender by replying to this message, and then delete all copies of it from your system.

Update: Hyperledger Fabric Node/Java Chaincode/SDK Repository moves

heatherp@...

#7084

Morning,

Here's an update on moving the node/java chaincode/sdk repositories over to Github for code changes and Azure Pipelines for CI.

		Jira
fabric-sdk-java	Move complete	FABJ-486
fabric-gateway-java	Move complete	FGJ-48
fabric-sdk-node	In progress	FABN-1386
fabric-chaincode-java	Move complete	FAB-16712
fabric-chaincode-node	Move complete	FAB-16711

We are working towards moving fabric-sdk-node across this week, and we'll be in touch with the owners of open CRs in Gerrit to merge these changes, or request them to be re-opened in Githhub as pull requests. We are also in the process of cleaning up any migration issues across the other repositories (e.g. removing Jenkins files, publishing using Azure Pipelines etc) but please let us know if you have issues/spot anything related to the migration via the above jiras, which will be closed when this is complete.

We've also been working through the Jira backlog on all of these repositories to clean up old issues, close duplicates etc - please reach out to me if you need to discuss this further.

Thanks,
Heather

Software Engineer, IBM Blockchain
Autism Ambassador

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

Re: Testing nodejs smart contracts without deploying to a network

Ross Tang <tangross@...>

#7083

Using Jest is very good option, you can easily mocking the context object of contract-api, something like.

const ctx: any = {
  stub: {
    createCompositeKey: jest.fn(),
    deleteState: jest.fn(),
    getState: jest.fn(),
    putState: jest.fn(),
    setEvent: jest.fn(),
    getStateByPartialCompositeKey: jest.fn()
  }
};
const context = {
  stateList: new StateList(ctx, 'entities'),
  ...ctx
};

ctx.stub.createCompositeKey.mockResolvedValue('entities"en""entId""2019"');
ctx.stub.putState.mockResolvedValue(Buffer.from(''));

And, you can run unit like by directly invoke the transactions, calling the function.

describe('Chaincode Tests', () => {
  it('should instantiate', async () =>
    cc
      .instantiate(context)
      .then<any[]>((response: any) => JSON.parse(response))
      .then(json =>

That save me great amount of time, in chaincode development.

Besides, the manual mocking of Jest is very useful, to create mock database. Imagine you are using Commercial Paper example, the stateliest implementation can replaced by mocked database, in json format.

jest.mock('../ledger-api/statelist');

const context: any = {
  clientIdentity: {
    getMSPID: jest.fn(),
    getID: jest.fn(),
    getX509Certificate: jest.fn()
  },

Show quoted text

On 30 Oct 2019, at 5:17 AM, Siddharth Jain <siddjain@...> wrote:

What is the best way to test smart contracts written in nodejs using the fabric-contract-api and without having to deploy to a running network? https://github.com/wearetheledger/fabric-mock-stub seems to be geared towards smart contracts developed using the old fabric-shim API.

Testing nodejs smart contracts without deploying to a network

Siddharth Jain

#7082

What is the best way to test smart contracts written in nodejs using the fabric-contract-api and without having to deploy to a running network? https://github.com/wearetheledger/fabric-mock-stub seems to be geared towards smart contracts developed using the old fabric-shim API.

Re: CA Keys

Nye Liu <nye@...>

#7081

Out of band (ssh, scp etc) or via curl/wget http to a non-fabric public CA (e.g. letsencrypt) identified https endpoint.

On 10/29/2019 6:22 AM, Trevor Lee Oakley wrote:

Show quoted text

If keys are generated by the CA then what is the best way to distribute these keys?

Thanks

Trevor

Attribute 'abac.init' was not found #fabric #fabricca #fabric-ca #fabric-chaincode #fabric-questions

suresh <tedlasuresh@...>

#7080

Hi all,

While Instantiating the chaincode I am getting following Error

2019-10-29 13:14:40.559 UTC [msp.identity] Sign -> DEBU 04a Sign: plaintext: 0ADE080A6708031A0C08C0F6E0ED0510...30300A000A04657363630A0476736363

2019-10-29 13:14:40.559 UTC [msp.identity] Sign -> DEBU 04b Sign: digest: 2BEDE393711AA4E8F46F56AB235E79EDC7933B5B8FF8610C9ACFFB3B65390612

Error: could not assemble transaction, err proposal response was not successful, error code 500, msg transaction returned with failure: Attribute 'abac.init' was not found

#

But I gave abac.init as true Please find below attachment

Name: admin-org0, Type: admin, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false} {Name:hf.Revoker Value:true ECert:false} {Name:hf.EnrollmentID Value:admin-org0 ECert:true} {Name:hf.Type Value:admin ECert:true} {Name:hf.Affiliation Value: ECert:true}]

Can anyone help me out regarding this issue

Thanks
Suresh

CA Keys

Trevor Lee Oakley <trevor@...>

#7079

If keys are generated by the CA then what is the best way to distribute these keys?

Thanks

Trevor

Regarding Fabric Raft Ordering Service #raft #tsc-project-update

Akshay Soni

#7078

I'm able to create the channel. But while joining the channel, I'm getting the error given below:

[2019-10-24 09:34:38.049] [DEBUG] Join-Channel - Join Channel R E S P O N S E : [ [ { "status": 500, "payload": { "type": "Buffer", "data": [] }, "peer": { "url": "grpcs://104.211.89.242:51018", "name": "oodjaeuen108-peer0.swap.com", "options": { "grpc.max_receive_message_length": -1, "grpc.max_send_message_length": -1, "grpc.keepalive_time_ms": 120000, "grpc.http2.min_time_between_pings_ms": 120000, "grpc.keepalive_timeout_ms": 20000, "grpc.http2.max_pings_without_data": 0, "grpc.keepalive_permit_without_calls": 1, "name": "oodjaeuen108-peer0.swap.com", "grpc.ssl_target_name_override": "oodjaeuen108-peer0.swap.com", "grpc.default_authority": "oodjaeuen108-peer0.swap.com" } }, "isProposalResponse": true } ] ] [2019-10-24 09:34:38.050] [ERROR] Join-Channel - Failed to joined peer to the channel swapchannel [2019-10-24 09:34:38.050] [ERROR] Join-Channel - Failed to join all peers to channel. cause:Failed to joined peer to the channel swapchannel

And the peer logs:

2019-10-24 09:34:38.045 UTC [endorser] callChaincode -> INFO 022 [][b8e9f45a] Entry chaincode: name:"cscc"

2019-10-24 09:34:38.048 UTC [endorser] callChaincode -> INFO 023 [][b8e9f45a] Exit chaincode: name:"cscc" (2ms)

2019-10-24 09:34:38.048 UTC [endorser] ProcessProposal -> ERRO 024 [][b8e9f45a] simulateProposal() resulted in chaincode name:"cscc" response status 500 for txid: b8e9f45ab01d86a76e9f6427ec0da4fb2dc940e4f6b060a0c49c294a32efcb73

2019-10-24 09:34:38.048 UTC [comm.grpc.server] 1 -> INFO 025 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=104.211.89.242:48362 grpc.code=OK grpc.call_duration=4.193058ms

PFA for all the configuration file along with genesis.block and channel.tx

channel.tx

cryptogen_Orderer.yaml

cryptogen_Org.yaml

docker-compose-orderer.yaml

docker-compose-org.yaml

swapchannel-configtx.yaml

Re: Persisting world state

Mr.Phuwanai Thummavet

#7077

Check out my article: https://medium.com/coinmonks/demystifying-hyperledger-fabric-1-3-fabric-architecture-a2fdb587f6cb#4573

Show quoted text

On Mon, Oct 28, 2019 at 11:27 PM Abhijeet Bhowmik <abhijeet@...> wrote:

Hello Everyone,

I have some confusions regarding how state ledgers are persisted across multiple ledgers. I have an intuition that every org's peers have a copy of the ledger from where they generate read set and write set and also validate commitment of transactions to ledger. My big confusion is, who has the master copy. I mean what if one complete non endorsing peer was down for sometime and then it rejoins, from where does it syncs it's ledger since a lot must have happened in the block chain since it's shut down.

Thanks and Regards
Abhijeet Bhomwik

--

Best Regards,

Phuwanai Thummavet
Blockchain Architect and Full-Stack Developer

Re: Persisting world state

Ben Taylor

#7076

https://hyperledger-fabric.readthedocs.io/en/release-1.4/gossip.html

Ben Taylor, CEO

LedgerDomain

212.332.4466

Show quoted text

On Mon, Oct 28, 2019 at 9:27 AM Abhijeet Bhowmik <abhijeet@...> wrote:

Hello Everyone,

I have some confusions regarding how state ledgers are persisted across multiple ledgers. I have an intuition that every org's peers have a copy of the ledger from where they generate read set and write set and also validate commitment of transactions to ledger. My big confusion is, who has the master copy. I mean what if one complete non endorsing peer was down for sometime and then it rejoins, from where does it syncs it's ledger since a lot must have happened in the block chain since it's shut down.

Thanks and Regards
Abhijeet Bhomwik

Persisting world state

Abhijeet Bhowmik <abhijeet@...>

#7075

Hello Everyone,

I have some confusions regarding how state ledgers are persisted across multiple ledgers. I have an intuition that every org's peers have a copy of the ledger from where they generate read set and write set and also validate commitment of transactions to ledger. My big confusion is, who has the master copy. I mean what if one complete non endorsing peer was down for sometime and then it rejoins, from where does it syncs it's ledger since a lot must have happened in the block chain since it's shut down.

Thanks and Regards

Abhijeet Bhomwik

Next Hyperledger Fabric Application Developer Community call - Thursday Oct 31st @ 4pm UTC (4pm UK, 11am ET, 8am PT)

Paul O'Mahoney <mahoney@...>

#7074

dear Fabric Application Developer,

the next Fabric Application Developer community call is scheduled for this Thursday Oct 31st @ 4pm UTC (4pm UK, 11am ET, 8am PT) . It lasts approx 30-60 mins FYI. Note: it is now begins one hour earlier.

The agenda will be posted here -> https://wiki.hyperledger.org/display/fabric/Meeting+Agendas%3A+Fabric+Application+Developer+Community+Call

This community call is held bi-weekly via Zoom webconference and is aimed at :

- helping the worldwide Hyperledger Fabric Application Developer community grow in their development journey (eg. developing applications, smart contracts, chaincode, developing clients, using the SDK, tutorials/demos etc - eg. whether its NodeJS, Java, Go etc etc)
- helping app developers understand / hear more about exciting new things in Fabric, eg. features upcoming or work in progress - ie things that appeal to the developer
- to foster more interest, best practices etc in developing applications (eg developing solutions, use cases) with Hyperledger Fabric.
- opportunity to ask questions of the Fabric team eg. you may have feedback/questions on your experiences developing solutions with Fabric
- to share stuff you've done with the community, eg sample code / sample use cases that others may be interested in

If you wish to share content on a call, just let me know via email direct or DM me on Rocketchat (ID: mahoney1) and I'll put an item on the agenda. Provide the following:
- the topic (state whether its presentation, or demo etc)
- the full name of the presenter, and
- approx length of your pitch in minutes

The Zoom webconference ID is https://zoom.us/my/hyperledger.community

More information can be found on the community page -> https://wiki.hyperledger.org/display/fabric/Fabric+Application+Developer+Community+Calls

You can get calendar invites (eg iCal) here

many thanks for your time - feel free to forward this email if you think it is of interest to a colleague.

Paul O'Mahony
Community Lead - Hyperledger Fabric Developer Community
RocketChat: mahoney1
mahoney@...

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

Re: Hyperledger Fabric release v2.0 update

Xiang Dong Hu <huxd@...>

#7073

Hi Dave,

One quick question, does the support for " external chaincode " include support to run chaincode as a remote grpc server?

Hu Xiang Dong (胡香冬)
IBM Blockchain Platform development

China Systems Lab
Email: huxd@...

Show quoted text

----- Original message -----
From: "David Enyeart" <enyeart@...>
Sent by: fabric@...
To: fabric <fabric@...>
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Hyperledger Fabric release v2.0 update
Date: Fri, Oct 25, 2019 8:14 PM

We discussed configuration updates for Fabric peer and orderer in the last contributors meetings. See proposal at https://jira.hyperledger.org/browse/FAB-16753.

The maintainers have been discussing further - we feel it would be more valuable to get release v2.0 out to the community rather than wait for the configuration updates. Therefore we would like to prepare for a code-complete v2.0 beta release in the December timeframe, which would set the stage for a v2.0 release early next year.

The largest user-facing changes in v2.0 that we'd like to get feedback on during the beta are the new decentralized chaincode lifecycle, and support for external chaincode (documentation updates are in the works). Additionally there have been large improvements in the Fabric codebase, test suites, and CI infrastructure, that will help us deliver the next series of v2.x enhancements. The configuration updates would likely be deferred until the next major release (v3.0).

Please join us at the contributor meeting next Wednesday for additional discussion. We also plan to walk through planned updates to the Fabric samples next Wednesday. As always, topics for the contributor's meeting can be proposed on this mailing list or on RocketChat at https://chat.hyperledger.org/channel/fabric-maintainers.
Meeting details can be found at: https://wiki.hyperledger.org/display/fabric/Contributor+Meetings

Thanks,

Dave Enyeart

Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Ivan Ch <acizlan@...>

#7072

Hi jeroiraz

Oct:

:

In the example above, if peers do not have a way to validate your national ID, peers may never claim the provided or stored data is valid. This scenario is not limited to HF or Blockchain but to any procedure

there are actually quite a few ways to validate anything including national ID using ZKP or ZKP like technique (e.g. I can design my crypto to validate if the two text data encrypted by different keys are actually the same text), but you can't do anything with hashes

Dave, Jay.

The chaincode can require that the transaction submitter include the private data in the transient field when invoking the chaincode. Any party that endorses the chaincode execution will have the private data, and it will also be disseminated to all other collection members. If the transaction submitter does not provide the private data at chaincode invocation time, they will not be able to gather sufficient endorsements, and the transaction will not be validated.

as you said "Any party that endorses the chaincode execution will have the private data". here is the dilemma , you either make the private data known (whoever can endorse it must know your data), or allow adversaries to take advantage of it and trick others with unverifiable blockchain data.

sure, this is not a fabric problem but a methodology problem, but fabric makes it a feature for people no-so-educated-on-security to use it and use it wrong.