This plugin extends HashiCorp Vault with cryptographic operations to create, import and sign using different types of key pairs and Ethereum wallets, including signing of public Ethereum transactions and of EEA and Quorum private transactions.


Quorum Hashicorp Vault plugin

The Quorum plugin extends HashiCorp Vault with cryptographic operations mounted as a Vault engine, such as:

  • Create and import keys with the following supported elliptic curves and signing algorithms: ecdsa+secp256k1 or eddsa+babyjubjub
  • Sign with every supported key pair.
  • Create and import Ethereum wallets
  • Sign Ethereum transactions
  • Sign EEA private transaction
  • Sign Quorum Tessera private transaction
  • Create and import ZKP accounts
  • ZKP signing operation

Development

Pre-requirements

  • Go >= 1.15
  • Makefile
  • docker-compose

Development mode

To run the plugin in development mode, first build it with:

$> make dev

Test using Curl

Vault is now running on port 8200. Open a new terminal and run the following command to enable the Orchestrate plugin:

$> curl --header "X-Vault-Token: DevVaultToken" --request POST \
  --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \
  ${VAULT_ADDR}/v1/sys/mounts/quorum

Your Vault is now running with the Orchestrate plugin enabled. The best way to understand the newly integrated APIs is to use the help feature. To list a description of all the available endpoints, run:

$> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum?help=1

Alternatively, you can list only the Ethereum endpoints with:

$> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum/ethereum/accounts?help=1

Production mode

To run the Quorum Hashicorp Vault plugin in production:

$> make prod

Contributing

How to Contribute

Owner
ConsenSys Software
ConsenSys is the software engineering leader of the blockchain space. Our full-stack Ethereum products help developers build next-generation networks.
Comments
  • Build arm64 compatible images

    PR Description

    Fixed Issue(s)

    Documentation

    • [ ] I thought about documentation and added the documentation label to this PR if updates are required.
  • Permission Denied with Non-Root Tokens

    Is there an example policy file for accessing quorum plugin? I am getting permission denied error with the following policy:

    path "quorum/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    
  • Incompatible with Vault 1.9.3

    I am getting the following error from calling quorum plugin mounts with Vault v1.9.3

    {"errors":["1 error occurred:\n\t* Unrecognized remote plugin message: \n\nThis usually means that the plugin is either invalid or simply\nneeds to be recompiled to support the latest protocol.\n\n"]}
    
  • 12 plugin checksum

    PR Description

    Fixed Issue(s)

    Documentation

    • [ ] I thought about documentation and added the documentation label to this PR if updates are required.
  • Add setcap cmd at image level

    PR Description

    Addition of the setcap cmd at Container level

    Will avoid running it at the Pod level in k8s clusters and also fixes an issue in Azure environment

    Documentation

    • [ ] I thought about documentation and added the documentation label to this PR if updates are required.
  • Codecov

    PR Description

    Fixed Issue(s)

    Documentation

    • [ ] I thought about documentation and added the documentation label to this PR if updates are required.
  • Publish plugin checksum included in dockerhub images

    Every compilation of the binary produces different output: the value included in the GitHub artifact (SHA256SUM) and the actual value for the plugin included in the built image do not match.

    The goal of this ticket is to make available a version of the SHA256SUM included in the dockerhub image so it can be used in the k8s operator.

  • Signing arbitrary data doesn't support prehashed payloads

    Signing arbitrary data doesn't seem to support custom prehashed payloads. It seems that the plugin internally hashes it with keccak256? This makes it harder to recover public keys when other hashing algorithms are used as a client (i.e., sha256, blake2b, blake2s, etc.).

    I know that the plugin is very ethereum specific, but is there a chance to have a more by-the-book ECDSA that allows prehashed payloads instead of assuming keccak256?

    Or, is there an endpoint that doesn't do that?

    Thanks!

  • Incorrect ECDSA Format for arbitrary data signing

    • When signing arbitrary data with the endpoint /sign, the description says "Signs an arbitrary message using ECDSA".

    • The standard format for ECDSA should comply with RFC 6979.

      • Quote : The pair (r, s) is the signature. How a signature is to be encoded is not covered by the DSA and ECDSA standards themselves; a common way is to use a DER-encoded ASN.1 structure (a SEQUENCE of two INTEGERs, for r and s, in that order).
    • The signature length should be of 64 bytes (R - 32 bytes, S - 32 bytes). But the signature returned in the endpoint is of 65 bytes.

    • sample responses :

      • 0x0866a9ebb23cc4b047e398d7ede52b718a067c0d7f40595baa6b0d0c395152557a578887b7295152a2b9aeb01f96b11a28757b9f3722ddf4998353b643a4ecb900
      • 0xc1bdd9d097a131434115b563706bb94367fdb7c412f677b5fe8c26e181c579ae642ae3a8287bcc75add88932fe48d956aaf3cba5913ee8d185266d88b7ecd4ec00

    The last trailing 00's I'm assuming are part of Ethereum's signature scheme for transactions specifically, as part of EIP-155 (replay protection), which is of the format (r, s, v). That would make sense when using sign-transaction, but not for arbitrary data?

    V is always 00 / 01 in this case and is not part of standard ECDSA, and as a client, if we want to verify signatures without the private key, it means that we have to manually cut the last byte.
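
A client-side conversion of the 65-byte (r, s, v) output described in this issue into the DER SEQUENCE form quoted from RFC 6979, written in Go as an added example (not the plugin's own code). It reuses the two sample responses above as input and assumes the r || s || v layout the reporter describes; it covers only the encoding step, not the keccak256 hashing or the curve verification itself.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// ecdsaSignature is the ASN.1 structure the RFC 6979 quote describes:
// a SEQUENCE of two INTEGERs, r then s.
type ecdsaSignature struct {
	R, S *big.Int
}

// splitSignature parses the 65-byte r || s || v hex string returned by the
// plugin's /sign endpoint (field layout as described in the issue above).
func splitSignature(sigHex string) (r, s *big.Int, v byte, err error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(sigHex, "0x"))
	if err != nil {
		return nil, nil, 0, err
	}
	if len(raw) != 65 {
		return nil, nil, 0, fmt.Errorf("expected 65 bytes (r, s, v), got %d", len(raw))
	}
	if v = raw[64]; v != 0 && v != 1 {
		return nil, nil, 0, fmt.Errorf("recovery byte must be 0 or 1, got %d", v)
	}
	r = new(big.Int).SetBytes(raw[:32])
	s = new(big.Int).SetBytes(raw[32:64])
	return r, s, v, nil
}

// toDER drops v and encodes (r, s) as the DER SEQUENCE generic ECDSA verifiers
// (e.g. crypto/ecdsa.VerifyASN1) expect; asn1.Marshal prepends the 0x00 byte
// that INTEGER requires when the top bit of r or s is set.
func toDER(sigHex string) ([]byte, error) {
	r, s, _, err := splitSignature(sigHex)
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(ecdsaSignature{R: r, S: s})
}

func main() {
	// Constructed input: the first sample response quoted in the issue.
	der, err := toDER("0x0866a9ebb23cc4b047e398d7ede52b718a067c0d7f40595baa6b0d0c395152557a578887b7295152a2b9aeb01f96b11a28757b9f3722ddf4998353b643a4ecb900")
	fmt.Printf("DER signature (%d bytes): %x, err=%v\n", len(der), der, err)
}
```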

  • add support for ssl mode on init script

    PR Description

    Fixed Issue(s)

    Documentation

    • [ ] I thought about documentation and added the documentation label to this PR if updates are required.
  • Setcap on plugin file within image

    In order to have an image compliant with Azure expectations, it would be good to have the following setcap command run when building the Docker image:

    setcap cap_ipc_lock=+ep /vault/plugins/quorum-hashicorp-vault-plugin
