Apply Asymmetric Encryption in Chaincode

In this blog, we’ll learn how to implement simple asymmetric key encryption with public and private key in chaincode app in SAP Hyperledger Fabric. Using the example in this blog  may not be an ideal solution to implement in the real scenario, but let’s test and see the functionality.

The functionality and code structures are based on the SAP help Use End-to-End Encryption in Chaincode with slight modifications.

Create chaincode app

Create a chaincode app in Go to handle the encryption-description with Go RSA lib.

I have prepared the chaincode app to perform the encrypt/decrypt with the supplied public and private key from the transient field.

case "ENCRYPT":
        if _, in := tMap[ENCKEY]; !in {
           return shim.Error(fmt.Sprintf("Expected transient encryption key %s", ENCKEY))
        }

	encKey := string(tMap[ENCKEY])

        if _, ok := tMap[KEY]; !ok {
           return Error(http.StatusBadRequest, "Cannot find state key")
        }
        if _, ok := tMap[VALUE]; !ok {
   	   return Error(http.StatusBadRequest, "Cannot find state value")
        }

	args := []string{string(tMap[KEY]), string(tMap[VALUE])}

	return cc.RsaEncrypt(stub, args[0:], encKey)

      case "DECRYPT":
        if _, in := tMap[DECKEY]; !in {
           return shim.Error(fmt.Sprintf("Expected transient decryption key %s", DECKEY))
        }
	decKey := string(tMap[DECKEY])

        if _, ok := tMap[KEY]; !ok {
	   return Error(http.StatusBadRequest, "Cannot find state key")
        }

        args := []string{string(tMap[KEY])}

        return cc.RsaDecrypt(stub, args[0:], decKey)

Install the chaincode

Install  chaincode.zip and instantiate.

Call the chaincode with SAP API Hub

• Navigate to Channel and select Service Key.
• Expand the Service Key and write down the clientId, clientSecret and identityZone.
• Navigate to Chaincode and write down the Chaincode ID.
  
• Navigate to API.
  
• On the SAP API Business Hub screen, select Configure Environments.
  
• From the information we gathered, fill in the required information below and save it.
  
• Select the environment that we just created and select POST /chaincodes/{chaincodeId}/{version}/invoke.
  
• Select Try out.
  
• To generate public and private key, install the openSSL command line and run the following to generate:
  Private key:

  openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem​

  Public key:

  openssl rsa -in key.pem  -pubout > key-pub.pem​

  

• Open the generated file pem files and replace the new line characters with \r\n.

Perform Encryption

Fill in the required information:

• chaincodeId,
• version (we can just put with “latest”).
• Body with this JSON object. Fill in the ENCKEY field with the information from public key key-pub.pem.

  {
    "function": "ENCRYPT",
    "arguments": [],
    "transient": {
      "key": "10008",
      "value": "Hello RSA Encryption",
      "ENCKEY": "<!!Replace with data from key-pub.pem!!>"
    }
  }​

  

• Click Execute, if there is no error, you will see the transaction Id and response code “OK”.
  
• Navigate to Explore and verify the transaction ID.
  

Perform Decryption

Fill in the required information:

• chaincodeId,
• version (we can just put with “latest”).
• Body with this JSON object. Fill in the ENCKEY field with the information from private key key.pem.

  {
    "function": "DECRYPT",
    "arguments": [],
    "transient": {
      "key": "10008",
      "DECKEY": <!!Replace with data from key.pem!!>"
    }
  }​

  

• Click Execute, if no error, you will get the decrypted message.
  
• Verify the transaction id created in Explorer.
  

References:

• Use End-to-End Encryption in Chaincode
• How to use encryption in chaincode
• Controlling Smart Bulb with Blockchain