5.2 BSN Keys and Certificates Mechanism
5.2.1 BSN Keys and Certificates Mechanism
Once a publisher deploys a permissioned DApp on BSN, the off-BSN systems of all participants (including the publisher) connects to the DApp via the PCN gateways to execute and record transactions based on the DApp’s smart contracts. During this process, the participants need two key pairs to complete all steps: the DApp Access Key Pair and User Transaction Key Pair. When publishing and deploying a DApp on BSN, its publisher can choose from two modes to manage the DApp’s keys and certificates: Key Trust Mode and Public Key Upload Mode. The key trust mode means that the two key pairs and related certificates will be generated and hosted by BSN when a participant joins the DApp. The participant can then download the private keys from the BSN portal, and use them to access BSN and sign transactions sent to the DApp from the off-BSN systems. The public key upload mode means that the two key pairs will be generated and stored locally on the participant’s off-BSN system, and the public key is uploaded via the BSN portal or PCN gateway API, to BSN to generate the certificates. Once a mode is selected for the DApp, it cannot be changed. We strongly suggest all developers use the public key upload mode which is much more flexible and secure.
1. DApp Access Key Pair based on Key Trust Mode: DApp access key pair is used to generate the certificate to access the PCN gateway. If the DApp is on Key Trust Mode, the key pair can be generated on the BSN portal, and the private key can be downloaded. Please refer to the BSN Help Manual’s service participation section.
2. User Transaction Key Pair based on Key Trust Mode: User transaction key pair is used to verify the requests and transactions sent to the DApp. If the DApp is on Key Trust mode, the key pair can be generated via the PCN gateway APIs by executing requests from the off-BSN systems. If the off-BSN systems have sub-users, it can even generate different key pairs for different sub-users. Refer to the API sections in this document for Hyperledger Fabric and FISCO BCOS frameworks to see how to generate the key pairs and use them to verify the transactions.
3. DApp Access Key Pair based on Public Key Upload Mode: In this mode, the DApp access key pair is generated and stored locally. The participant must upload the public key to BSN via the BSN portal to generate the access certificate to the PCN gateway. Please refer to section 5.2.2 below to see how to generate the key pair locally. Please refer to the “Public Key Upload” section of this document to learn how to upload the public key to BSN via the portal.
4. User Transaction Key Pair based on Public Key Upload Mode: In this mode, the user transaction key pair is also generated and stored locally. Instead of using the BSN portal, the user transaction public key (one of the pair) is sent and registered on BSN via the PCN gateway certificate registration API. If the off-BSN systems have sub-users, they can also upload different public keys to generate different transaction certificates for different sub-users by using the API. Please refer to section 5.2.2 or the instructions inside the gateway SDK package about generating the key pair locally. Refer to the API sections in this document for registering the certificate via gateway APIs.
Please click the link to download the PCN Gateway SDK Package:
Currently, both permissioned frameworks Hyperledger Fabric and FISCO BCOS DApps support both Key Trust Mode and Public Key Upload Mode.