A simple repo to demonstrate integration with dfns using java. We will use service accounts, i.e., machines to interact with dfns
- Dashboard: to create assets, add public keys, ...
- API: for API interaction
- Dfns docs: official documentation
- Typescript SDK
- Generate a key pair :depending on your set-up, this would be handled by a HSM.
I will use RSA for this part as I tend to use a cryptographic algorithm not linked to the ones used in public blockchains (typically ECDSA & EdDSA), but obviously, either of those would work.
# Generate RSA Private Key
openssl genrsa -out rsa2048.pem 2048
# Generate the Public Key
openssl pkey -in rsa2048.pem -pubout -out rsa2048.public.pemIn the folder keys you will find both the private and public keys.
Next step is to add this public key, associated with a machine id to https://app.dfns.ninja/settings/service-accounts/new.
Finally, we just need to make sure we can read the PEM and re-create a private key.
See CryptoUtils.java.
We need to provide request headers:
- X-DFNS-APPID: ap-5cjd0-gkpc0-8vbreg28vehsungm (Under https://app.dfns.ninja/settings/apps)
- X-DFNS-NONCE: a json formatted object with uuid and a time in ISO format
- The authorization bearer token
See ListServiceAccounts and the result.
Next step is to create an action that modifies the system's state.
For this we will create an Ethereum wallet on Goerli.
First we need to invoke DFNS in order to get a signature associated with the call we would like to make.
The flow looks like:
We want to create an ETH wallet, the payload is:
{
"network": "EthereumGoerli",
"name": "tj-eth-wallet-a"
}- Get the challenge with no issue : See dfns-challenge.json
- From the challenge, extract: the 'challenge', the 'challengeIdentifier' and the 'key.id'
- The next step is to build the UserActionSignature.
- First is to create the UserActionSignature: See user-action-sig.json
- The ClientData is 'type' = 'key.get', challenge from (2) above, origin = 'http://localhost:3000', and 'crossOrigin' = false
- Convert the ClientData into a stringified json
- Sign (6) with the private key (SHA256withRSA)
- ClientData is converted to base64url
- The signature is converted to base64url
- CredentialAssertion is created with credId from (2) 'key.id', client data from (8) and the signature from (9)
- First Factor is created with 'kind' = 'Key' and the credential assertion (10)
- UserActionSignature is created with the identifier (2) and the assertion (10)
- UserActionSignature is converted to JSON and sent over
- You should get dfns-user-action-sig-result.json back
All the steps are coded in the class NeoDfnsInvoker
Policies are a critical piece of any system: they enforce rules and set controls on actions.
Permissions allows the control of API access.
That's it for now. You can re-use the code in this repo, modify it at will for your own projects. A big thank you to https://www.dfns.co/ for allowing me to use their test env.