18.104.22.168 Keys and Certificate Modes
1. Key Trust Mode
As described in chapter 5, DApp participants require two key pairs to access a DApp: a DApp access key pair and a user transaction key pair. In Key Trust Mode, both pairs are generated and hosted by BSN; the participant only needs to download the private key of the DApp access key pair from the BSN portal. Because BSN generates and holds the private keys in this mode, the participant is trusting BSN with its signing capability; Public Key Upload Mode (below) is the option when private keys must never leave the participant's own systems.
- DApp Access Key Pair: After the participant has successfully joined the DApp, BSN generates one key pair (private and public key) using the algorithm prescribed by the DApp's framework. The participant downloads the private key from the "My Certificates" section of the BSN global portal and uses it to sign each request message sent to the PCN gateway. The gateway validates the signature with the hosted public key of that same pair.
- User Transaction Key Pair: This is the identity under which a participant invokes chaincodes. In Key Trust Mode, BSN creates the participant's user transaction key pair automatically on joining a DApp. The participant's off-BSN system references the certificate issued for that key pair by the participant's UserCode when submitting transactions. If the off-BSN system has multiple sub-users, it can invoke the gateway's "User Registration API" to register them; BSN then generates a separate user transaction key pair for each sub-user, and each sub-user connects to the DApp with its own UserCode to execute transactions.
2. Public Key Upload Mode
As described in chapter 5, DApp participants require two key pairs to fully access a DApp: a DApp access key pair and a user transaction key pair. In Public Key Upload Mode, the participant generates both pairs locally and keeps the private keys; only the public keys are uploaded to BSN, via the BSN portal or the gateway APIs.
- DApp Access Key Pair: After successfully joining the DApp, the participant must generate the DApp access key pair locally using the algorithm prescribed by the DApp's framework. The participant stores the private key locally and uploads the public key to BSN via the BSN global portal. The participant's off-BSN system signs each request message with the private key when invoking the PCN gateway; the gateway verifies the signature against the uploaded public key and rejects requests whose signature does not validate.
- User Transaction Key Pair: This is the identity under which a participant invokes chaincodes. In Public Key Upload Mode, the participant must generate the user transaction key pair locally and build a "public key registration application" from its public key. The participant's off-BSN system then submits that application to BSN by invoking the "Public Key Upload Mode user certificate registration" API on the PCN gateway and receives the public key certificate in return. If the off-BSN system has sub-users, it must first invoke the "User Registration" API to register each sub-user before submitting that sub-user's public key registration application.
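The following is an added example, not code from the BSN documentation or its SDKs, covering both modes above: the request-signing step that every off-BSN system performs with the DApp access private key (whether downloaded in Key Trust Mode or generated locally in Public Key Upload Mode), the gateway-side verification against the stored public key, and the Public Key Upload Mode step of generating a user transaction key pair and packaging its public key as a registration application. It assumes ECDSA on P-256 with SHA-256 as the framework algorithm, a PKCS#10 CSR as the format of the "public key registration application", and the UserCode as the CSR subject CN; the JSON request body is a constructed sample, and which fields the real gateway signs is defined by the gateway specification, not here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyPair creates a fresh key pair on the participant's own system.
// P-256 is an assumption for this example; use the curve/algorithm the DApp
// framework actually prescribes.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeyPEM serialises the public half (PKIX/SPKI, PEM) for upload to BSN.
// The private key never leaves the participant in Public Key Upload Mode.
func PublicKeyPEM(priv *ecdsa.PrivateKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// SignRequest is what the off-BSN system does with the DApp access private key
// before calling the PCN gateway: hash the request body and sign the digest.
func SignRequest(priv *ecdsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRequest is the gateway-side check: the stored (hosted or uploaded)
// public key must validate the signature over the exact body received.
func VerifyRequest(pubPEM string, body []byte, sigB64 string) (bool, error) {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, errors.New("invalid public key PEM")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("uploaded key is not an ECDSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(body)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// RegistrationCSR builds the "public key registration application" for a user
// transaction key pair as a PKCS#10 CSR. Using the UserCode as the subject CN
// is an assumption of this example.
func RegistrationCSR(priv *ecdsa.PrivateKey, userCode string) (string, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: userCode}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), nil
}

// CSRSubjectCN parses a registration application, checks its proof-of-possession
// signature and returns the CN, i.e. the check a CA performs before issuing.
func CSRSubjectCN(csrPEM string) (string, error) {
	block, _ := pem.Decode([]byte(csrPEM))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("invalid CSR PEM")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	access, _ := GenerateKeyPair()
	pubPEM, _ := PublicKeyPEM(access)
	// Constructed sample body; the real gateway defines its own field layout.
	body := []byte(`{"userCode":"USER0001","funcName":"set","args":["k","v"]}`)
	sig, _ := SignRequest(access, body)
	ok, _ := VerifyRequest(pubPEM, body, sig)
	fmt.Println("signature valid:", ok)
	tampered := []byte(`{"userCode":"USER0002","funcName":"set","args":["k","v"]}`)
	ok, _ = VerifyRequest(pubPEM, tampered, sig)
	fmt.Println("tampered body accepted:", ok)

	user, _ := GenerateKeyPair()
	csr, _ := RegistrationCSR(user, "USER0001")
	cn, err := CSRSubjectCN(csr)
	fmt.Println("registration application for:", cn, "err:", err)
}
```

The tampered-body check is the property the gateway relies on: changing a single field (here the UserCode) invalidates the signature, so a request cannot be replayed under another participant's identity. The CSR self-signature check is what lets BSN confirm the applicant actually holds the private key whose public half it is about to certify.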