ca cert from client, js fs/os access? #3231
Hi, I currently have a nodejs client making requests to a CCF network. I can make unauthorized requests without a network certificate just fine. Currently, in order to make authorized requests, I'm downloading the net_cert off my server so I can use it on my client. I was wondering if there is a better way of getting the ca than to download it and whether the JS app has os/fs access once it's in the network?
Replies: 1 comment
Hi @mAlyanak. You can retrieve the network cert automatically from the service from the /node/network endpoint, but it's risky to do since it could be spoofed.

The

This turns off any checking of the server identity, allowing you to make client commands when you don't know the server identity (for instance when the server is brand new, and you want to fetch the network certificate). The problem is that anything which can intercept that curl command (i.e. can appear to your client like it is serving on the network address you requested) can serve you its own certificate like this, so if you don't trust the network stack between you and the server, you shouldn't use this cert. In other words, it's an acceptable way of retrieving the network cert when you start up your own service (assuming that

For the second part; no, applications running inside CCF (in either JS or C++) do not have direct access to the filesystem or operating system. They are a sandboxed HTTP server running inside an SGX enclave, and their only communication is via HTTP RPCs and storing things on the distributed KV-store. The goal here is that all data which flows into the system comes over protected streams from a verifiable identity, rather than from the untrusted host. So rather than the application code trying to read from the local machine's untrusted file system, it can receive any state it needs over TLS from a member or client. To respond to changes in the KV, other systems should either poll the system or follow the ledger.
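
One way to act on the spoofing caveat from a Node.js client, as an added example (not code from CCF or from the reply above): accept the certificate fetched from /node/network only if its SHA-256 fingerprint matches one obtained over a channel you already trust. The out-of-band fingerprint, the function names and the sample PEM bytes are assumptions constructed for illustration, and the PEM string is assumed to have been extracted from the endpoint's response already.

```javascript
// Added example: pin a certificate that was fetched without server verification.
const crypto = require('node:crypto');

// Decode the first PEM CERTIFICATE block into its DER bytes.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no PEM certificate block found');
  const b64 = m[1].replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error('malformed base64 in PEM body');
  return Buffer.from(b64, 'base64');
}

// SHA-256 over the DER encoding, as lowercase hex.
function fingerprint(pem) {
  return crypto.createHash('sha256').update(pemToDer(pem)).digest('hex');
}

// Accept "AB:CD:..." or "abcd..." and normalise to 64 lowercase hex characters.
function normalisePin(pin) {
  const hex = String(pin).replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new Error('pin must be a SHA-256 fingerprint');
  return hex;
}

// Return TLS options that trust fetchedPem, but only if it matches the pin.
// pinnedFingerprint is assumed to come from a trusted channel (e.g. the operator).
function trustIfPinned(fetchedPem, pinnedFingerprint) {
  if (fingerprint(fetchedPem) !== normalisePin(pinnedFingerprint)) {
    throw new Error('fetched certificate does not match pinned fingerprint');
  }
  // Pass these to https.request / tls.connect so later requests are fully verified.
  return { ca: fetchedPem, rejectUnauthorized: true };
}

// Constructed sample input: placeholder bytes wrapped as PEM, not a real certificate.
function samplePem(bytes) {
  const b64 = Buffer.from(bytes).toString('base64').replace(/(.{64})/g, '$1\n');
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}

const genuine = samplePem('constructed placeholder for the service certificate DER');
const spoofed = samplePem('constructed placeholder for an interceptor certificate');
const pin = fingerprint(genuine); // in practice this value arrives out of band

console.log('genuine accepted:', trustIfPinned(genuine, pin).rejectUnauthorized);
try {
  trustIfPinned(spoofed, pin);
} catch (e) {
  console.log('spoofed rejected:', e.message);
}
```
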