General platform configuration: cryptography
The type and parameters of the cryptographic algorithm used in the blockchain are set in the crypto
section of the node configuration file. The crypto
section is used to initialize the cryptography before reading the complete node configuration file.
    crypto {
      # Possible values: [WAVES, GOST]
      type = WAVES
      pki {
        # Possible values: [OFF, ON, TEST]
        # Could be enabled with GOST crypto type only
        mode = OFF
        required-oids = []
        crl-checks-enabled = false
      }
    }
type – cryptography type; available values are WAVES for Waves cryptography algorithms and GOST for GOST cryptography with PKI. If the waves-crypto parameter is present in the configuration file and is set to yes, then the type parameter is assigned the WAVES value; if the waves-crypto parameter is set to no, then the type parameter is assigned the GOST value;

pki – group of PKI configuration fields:

    mode – valid values are: on, off, test; the on and test values are valid only if the waves-crypto parameter is missing or is set to no and the type parameter is set to GOST. If the mode parameter is set to on, a check is performed that TLS is enabled on the network layer, i.e. the node.network.tls parameter is set to true.

    required-oids – a whitelist of OIDs that the node expects to see in the ExtendedKeyUsage certificate extension. This list makes it possible to distinguish, among all the users who issued a certificate on the same Certification Authority, those users to whom this CA assigned an OID for use with the blockchain platform specifically. The list can be empty. If the list is not empty, it must be an array of strings consisting of numbers separated by dots. For example:

        required-oids = ["1.2.3.4.5.6.7.8.9", "192.168.0.1.255.255.255.0"]
    crl-checks-enabled – enable or disable the certificate revocation list (CRL) check during certificate validation. If the parameter is set to true, the cryptoprovider checks with the certification authority (CA) whether the certificate is revoked or not. A node that synchronizes with the network verifies the entire ledger to make sure its integrity is intact, i.e. checks the correctness of each block's ES. When checking certificates, the node uses the CRLs that were valid at the time the block was signed. If a node has been out of the network for some time, or a new node joins the network, it asks other nodes for previously downloaded CRLs.
Important

The pki group of fields is used only with GOST cryptography (i.e. when the type field is assigned the GOST value). When using Waves cryptography (i.e. when the type field is assigned the WAVES value) this group of fields should not be in the node configuration file. If no PKI parameters are specified, the PKI is disabled.
Note

The node.waves-crypto field with the yes and no values is still supported, but it is not planned to use it in future versions of the platform. Instead, the type field in the crypto section will be used.
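As an added illustration (not part of the platform documentation or the node's own code), the following Python applies the rules described above to an already-parsed configuration: the legacy node.waves-crypto override of crypto.type, the pki group being GOST-only, pki.mode = on requiring node.network.tls = true, and required-oids entries being dotted-number strings. The nested dicts stand in for the parsed HOCON tree and the sample configurations are constructed.

```python
import re

# Dotted numeric string, e.g. "1.2.3.4.5.6.7.8.9" (shape check only, not an OID registry lookup)
OID_RE = re.compile(r"^\d+(\.\d+)+$")

def resolve_crypto_type(cfg):
    """Effective crypto type: the legacy node.waves-crypto flag (yes/no) overrides crypto.type."""
    legacy = cfg.get("node", {}).get("waves-crypto")
    if legacy == "yes":
        return "WAVES"
    if legacy == "no":
        return "GOST"
    return str(cfg.get("crypto", {}).get("type", "")).upper()

def validate_crypto_config(cfg):
    """Apply the crypto/pki rules described above; returns a list of problems (empty == OK)."""
    problems = []
    ctype = resolve_crypto_type(cfg)
    if ctype not in ("WAVES", "GOST"):
        problems.append(f"crypto.type must be WAVES or GOST, got {ctype!r}")
    pki = cfg.get("crypto", {}).get("pki")
    if pki is None:
        return problems  # no PKI parameters at all: PKI is disabled
    if ctype == "WAVES":
        problems.append("crypto.pki must not be present when using WAVES cryptography")
    mode = str(pki.get("mode", "OFF")).upper()
    if mode not in ("OFF", "ON", "TEST"):
        problems.append(f"pki.mode must be OFF, ON or TEST, got {mode!r}")
    elif mode != "OFF" and ctype != "GOST":
        problems.append(f"pki.mode = {mode} is valid only with GOST cryptography")
    if mode == "ON" and cfg.get("node", {}).get("network", {}).get("tls") is not True:
        problems.append("pki.mode = ON requires node.network.tls = true")
    oids = pki.get("required-oids", [])
    if not isinstance(oids, list):
        problems.append("pki.required-oids must be an array of strings")
    else:
        for oid in oids:
            if not isinstance(oid, str) or not OID_RE.match(oid):
                problems.append(f"pki.required-oids entry is not a dotted-number string: {oid!r}")
    return problems

# Constructed sample configurations (nested dicts standing in for the parsed HOCON tree).
GOOD_GOST_CFG = {"node": {"network": {"tls": True}},
                 "crypto": {"type": "GOST", "pki": {"mode": "ON", "crl-checks-enabled": True,
                                                    "required-oids": ["1.2.3.4.5.6.7.8.9"]}}}
# Legacy flag forces WAVES, yet a pki block with mode = ON, TLS off and a malformed OID is present.
BAD_CFG = {"node": {"waves-crypto": "yes", "network": {"tls": False}},
           "crypto": {"type": "GOST", "pki": {"mode": "ON", "required-oids": ["1.2.x"]}}}
```

Running validate_crypto_config on GOOD_GOST_CFG returns an empty list, while BAD_CFG yields four findings (pki present under WAVES, mode ON without GOST, TLS not enabled, malformed OID).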