I am building a simple dapp application where I want to verify something and only then make a contract interaction, but right now I am struggling to put in a middleware which will act like this: the user will make a txn through MetaMask, and then this txn or something will go to a backend server in any language (probably Node.js); I will do some checking and, if all is good, send it to the blockchain.
Any suggestion?
Right now it's all in a React frontend and the MetaMask browser extension, and I cannot make client-side code restricted.
And I cannot ask for the private key even.
Not possible by design. A transaction needs to be signed by the sender's private key. So unless the users are willing to give you their private key (so that you could sign the transaction for them on the backend), you'll need to change your approach.
If you need to allow interaction with the contract only to users authorized by your app, the contract needs to hold the list of authorized addresses. And the list can be updated by your app (that holds the private key to the owner address). Example:
```solidity
pragma solidity ^0.8;

contract MyContract {
    address public owner = address(0x123);
    mapping(address => bool) public isAuthorized;

    function setAuthorized(address _address, bool _isAuthorized) external {
        require(msg.sender == owner, 'Only the contract owner can set authorized addresses');
        isAuthorized[_address] = _isAuthorized;
    }

    function foo() external {
        require(isAuthorized[msg.sender], 'Only authorized addresses can execute this function');
        // ...
    }
}
```
I want to acquire a token from an Azure app registration with a certificate.
I followed the instructions here and generated a self-signed certificate with PowerShell. I also imported the public key into the portal.
But if I want to access the app via .NET, I need to provide the following MSAL configuration:
The CertificateFileContents is just the public key I exported from certmgr. But what should I put as the CertificatePass? Is this a hash? Or a private key? I could not find anything in the docs, and the link above does not give me any advice either...
Also, I do not really understand why the private key is not imported to the portal?
In my experience, CertificatePass should be required when you export a private key.
This document had the following content before:
Export the private key, specify a password for the cert file, and export to a file.
But now it only tells you to export a public key. You can see details in this issue.
So based on the SharePoint document, if you are reading a PFX file from your local machine, I think you should use the private key with a password.
Okay, the CertificatePass was the password for the certificate itself.
The Azure Portal itself only holds the public key.
The client application needs to provide the whole certificate with private and public key.
If you export a private/public key from Certificate Manager in Windows 10, you will not be able to directly export this as Base64, but you can create a .pfx file.
Those files can later be encoded to Base64 with a tool of your choice. For example this.
The password for your certificate has to be the CertificatePass; the FileContents are the Base64-encoded public and private key, but decrypted with the password.
This is of course only an approach for testing purposes. In a production environment you would rather use Key Vault or something similar, so as not to have any secrets in your appsettings.json.
I am trying to get this project to work: https://didproject.azurewebsites.net/docs/install-extension.html
The user agent states that it generates keys and that the private key is stored on my local PC. I can see the public key in the Identities tab, but I cannot find the private key anywhere. The user agent is not in the 'extensions' folder of Chrome. I need the private key to read/write data to the hub.
By the way, I tried to create a DID manually, but this (https://didproject.azurewebsites.net/docs/registration-test.html) explanation seems to be incomplete/incorrect, so I must use the user agent.
I am working on a basic-network project on Hyperledger Fabric v1.4.1. I have enrolled an admin and created a user using enrollAdmin.js and registerUser.js. A public key and a private key are generated for user1. Now I want to use that private key to sign simple data and later verify it using the public key. I have tried using the URSA node module, which works fine with RSA keys generated through OpenSSL but isn't working with these two keys, probably because these keys are not RSA; they are ECDSA keys. I have also read the documentation of the Crypto node module, and it seems I need to have .pem files as keys to use in the Crypto module. But in Fabric, I have key files in -priv and -pub format.
Is there any node module that can encrypt/decrypt using ECDSA keys?
Is there any specific way in hyperledger fabric to do this?
Or is there any other way I can do this thing? Please ask any questions if necessary.
Thank you.
The two formats you see, priv and pub, are the wallet format of file storage.
Try to register an identity and enroll with Fabric CA by importing the identity service; then you will receive a certificate and a private key. Just put it in a file, mark the extension as .pem, and it will work.
I am working on a project where we are going to be using different services in a microservice architecture, and we would like to also use some Firebase services. I am working on an auth server that is going to mint custom JWTs for use in both Firebase and the other API projects.
We would like to use the Firebase Auth SDK to easily integrate with FB, Google, Twitter etc., but we need to enrich the user's token with more data. Therefore, my thought process is that I'd create a Node.js auth server that uses the Firebase Admin SDK to do this. The flow would be as follows:
1. User logs in with their favourite provider on the client.
2. If login is successful, the user receives a JWT from Firebase. This is sent to the auth server for validation.
3. If the auth server can validate the token using the Admin SDK, create a new custom token enriched with more data, and return this new custom token to the client.
4. Have the client re-authenticate with the new custom token, and use it for communication with both Firebase and our other API projects (which will mainly be in .NET Core).
Steps 1-3 work fine. The problem arises when trying to verify the custom token on the other services.
TL;DR: There are two questions in here:
When validating custom tokens issued using the Firebase Node.JS Admin SDK, what should I use as the public key? A key extracted from Google's exposed JWK's, or a key extracted from the private key that is used to sign?
In case of the JWK approach, how should I construct the custom token with a kid header?
First, I am in doubt of the proper way to verify it. (Please excuse me, I'm not that experienced creating OAuth flows.) The algorithm used is RS256, so I should be able to verify the token using a public key. As I see it, there are two ways to get this key:
Extract the public key from the private key and verify using this. I can do this and verify successfully on a test endpoint on my auth server, however I feel this is the incorrect way to do it
The other, and more correct way I think, is to use the values from the token to find the JWKs on Google's "/.well-known/openid-configuration/" endpoint for my project, i.e.
https://securetoken.google.com/[PROJECT ID]/.well-known/openid-configuration
to retrieve the exponent and modulus for the correct kid (key ID) and create the public key from those.
The token generated from the Admin SDK by doing

```javascript
admin.auth().createCustomToken(uid, additionalClaims).then(function (customToken) {
  // ...
});
```

with some custom claims looks something like this:

headers:

```json
{
  "alg": "RS256",
  "typ": "JWT"
}
```

payload:

```json
{
  "claims": {
    "premiumAccount": true,
    "someRandomInnerObject": {
      "something": "somethingRandom"
    }
  },
  "uid": "<uid for the user>",
  "iat": 1488454663,
  "exp": 1488458263,
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iss": "firebase-adminsdk-le7ge@<PROJECT ID>.iam.gserviceaccount.com",
  "sub": "firebase-adminsdk-le7ge@<PROJECT ID>.iam.gserviceaccount.com"
}
```
I can't seem to get method 2 to work, though. One problem is that the generated token does not have a kid header, and so does not conform to the OpenID spec (AFAIK), which leads to one of two options:
Go with the first approach above. This leads to problems though - if I for some reason need to revoke or reset the private key on the auth server, I need to do it and deploy the changes on all the other services too, making the solution less dynamic and more error-prone.
Generate a similar token manually using one of the libs mentioned at jwt.io, and add the kid from the original Firebase ID token to its headers.
Problems with number 2:
What should I put as iss, aud and sub, then? The same values as the admin SDK does? If so, isn't that 'cheating', as they are no longer the issuer?
I've tried it (generating a similar copy of the token, but adding the kid of the original token), and I can't seem to verify the generated token using the created PEM key for the kid.
The way I do the latter is this (following a blog guide on the subject):
Go to https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com and retrieve the modulus (n) and exponent (e) for the relevant kid
Generate the public key using a lib (rsa-pem-from-mod-exp)
Use the key to verify using the 'official' jwt lib
The above results in a public key like this:

```
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxXpo7ChLMnv1QTovmm9DkAnYgINO1WFBWGAVRt93ajftPpVNcxMT
MAQI4Jf06OxFCQib94GyHxKDNOYiweVrHVYH9j/STF+xbQwiPF/8L7+haC2WXMl2
tkTgmslVewWuYwpfm4CoQFV29OVGWCqwEcbCaycWVddm1ykdryXzNTqfzCyrSZdZ
k0yoE0Q1GDcuUl/6tjH1gAfzN6c8wPvI2YDhc5gIHm04BcLVVMBXnC0hxgjbJbN4
zg2QafiUpICZzonOUbK6+rrIFGfHpcv8mWG1Awsu5qs33aFu1Qx/4LdMAuEsvX9f
EmFZCUS8+trilqJbcsd/AQ9eOZLAB0BdKwIDAQAB
-----END RSA PUBLIC KEY-----
```
Two things seem to be wrong. One is that the key is different from the one I can extract from the private key. The other is that the one I extract from the private key has these comments instead:
```
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
```
with no 'RSA'. Does this matter? In any case, it doesn't verify.
Finally, did I misunderstand the OpenID flow completely? Are the JWKs generated from a private key that I need as well to verify my JWTs? Should I expose my own JWKs on my auth server for the other services to contact and use instead of Google's? I'm a bit confused as to what the Firebase Admin SDK does and doesn't do, I think :-)
I know this is a lot of questions, but I think they're all related.
Some resources I've relied on in my research (besides the official Admin SDK docs, of course):
jwt.io
Is it still possible to do server side verification of tokens in Firebase 3?
https://ncona.com/2015/02/consuming-a-google-id-token-from-a-server/
https://stackoverflow.com/a/42410233/1409779
https://andrewlock.net/a-look-behind-the-jwt-bearer-authentication-middleware-in-asp-net-core/
After re-authenticating the Firebase client SDK with the custom token, the client actually generates a new ID token with the claims from the custom token. This ID token is what you should use to verify requests made to your different microservices (documented here). So yes, your original ID token is discarded, but a new one is created in its place. And that ID token will be automatically refreshed every hour. So, you should be able to just call user.getToken() to get a valid ID token whenever you need it. That method handles all the caching on your behalf.