Skip to content

raphjaph/hotcertification

Repository files navigation

HotCertification: A distributed Certificate Authority

A byzantine fault-tolerant state machine replication algorithm and threshold signature scheme that in conjunction perform the basic functionalities of a Certificate Authority (CA). It adds these layers of complexity in order to be more resilient against process failures and malicious attacks. The certification process can be abstracted to sign any piece of data (not just a X509 Certificate) like access tokens (macaroons) or JWTs and through that act as a sort of Authentication Server.

Using it

This is really just a proof-of-concept I built as part of my Bachelor's thesis so it still has bugs and needs major refactoring (it doesn't even have a database and stores everything in-memory!!). An example configuration of a cluster of four HotCertification nodes can be found in hotcertification.toml. Compile the binaries by calling make. Create the cryptographic material like private keys and TLS certificates with:

mkdir keys
./cmd/keygen/keygen -n $NUM_NODES -t $THRESHOLD --key-size 512 keys

Run the cluster of four nodes locally by executing run_servers_localhost.sh. Test the cluster with an example client with:

./cmd/client/client client.crt

client.crt is the name of file to write the X509 certificate to that has been requested from the CA.

TODO

  • rename coordinator struct
  • merge/put in same dir coordinator.go and options.go (Because they outline how hotcertification works)
  • add database or interface to database or check out sqlite
  • add a Makefile, see here for help
  • make event-driven architecture? -> more lightweight; look at Flow implementation
  • instead of ClientID and Sequence Number just use Hash of CSR to identify request (replaces CMDID data structure) -> use HashMap
  • slow down consensus rounds?
  • go run with SIGNALS

Testing

Logging and Configuration

  • add a custom level to the log -> APPLICATION/CERTIFICATION; refactor code accordingly
  • find out how to show logs from internal consensus protocol and client facing server; pipe HS log into my logger
  • change hotstuff.toml to hotstuff.yml see here
  • merge internal/cli into main

Crypto/Threshold library

  • define curve parameters somewhere (CURVE, G, N) wiki
  • recycle PartialCert from Hotstuff for Certification Service crypto
  • add error checks to threshold.go

Miscellaneous

  • other cool go library repos

Protocol Buffers (protoc)

  • execute compile command in proto folder
  • protoc -I=/Users/raphael/.go/pkg/mod/github.com/relab/gorums@v0.3.0. --go_out=paths=source_relative:. --gorums_out=paths=source_relative:. certification.proto
  • this command finds the absolute path with versioning for gorums package
  • go list -m -f {{.Dir}} github.com/relab/gorums