A byzantine fault-tolerant state machine replication algorithm and threshold signature scheme that in conjunction perform the basic functionalities of a Certificate Authority (CA). It adds these layers of complexity in order to be more resilient against process failures and malicious attacks. The certification process can be abstracted to sign any piece of data (not just a X509 Certificate) like access tokens (macaroons) or JWTs and through that act as a sort of Authentication Server.
This is really just a proof-of-concept I built as part of my Bachelor's thesis so it still has bugs and needs major refactoring (it doesn't even have a database and stores everything in-memory!!).
An example configuration of a cluster of four HotCertification nodes can be found in hotcertification.toml
.
Compile the binaries by calling make
.
Create the cryptographic material like private keys and TLS certificates with:
mkdir keys
./cmd/keygen/keygen -n $NUM_NODES -t $THRESHOLD --key-size 512 keys
Run the cluster of four nodes locally by executing run_servers_localhost.sh
.
Test the cluster with an example client with:
./cmd/client/client client.crt
client.crt
is the name of file to write the X509 certificate to that has been requested from the CA.
- rename coordinator struct
- merge/put in same dir coordinator.go and options.go (Because they outline how hotcertification works)
- add database or interface to database or check out sqlite
- add a Makefile, see here for help
- make event-driven architecture? -> more lightweight; look at Flow implementation
- instead of ClientID and Sequence Number just use Hash of CSR to identify request (replaces CMDID data structure) -> use HashMap
- slow down consensus rounds?
- go run with SIGNALS
- add a custom level to the log -> APPLICATION/CERTIFICATION; refactor code accordingly
- find out how to show logs from internal consensus protocol and client facing server; pipe HS log into my logger
- change hotstuff.toml to hotstuff.yml see here
- merge internal/cli into main
- define curve parameters somewhere (CURVE, G, N) wiki
- recycle PartialCert from Hotstuff for Certification Service crypto
- add error checks to threshold.go
- other cool go library repos
- execute compile command in proto folder
protoc -I=/Users/raphael/.go/pkg/mod/github.com/relab/gorums@v0.3.0. --go_out=paths=source_relative:. --gorums_out=paths=source_relative:. certification.proto
- this command finds the absolute path with versioning for gorums package
go list -m -f {{.Dir}} github.com/relab/gorums