Platform installation and usage

General platform configuration: cryptography

The type and parameters of the cryptographic algorithm used in the blockchain are set in the crypto section of the node configuration file. The crypto section is used to initialize the cryptography before reading the complete node configuration file.

crypto {
  # Possible values: [WAVES, GOST]
  type = WAVES
  pki {
     # Possible values: [OFF, ON, TEST]
     # Could be enabled with GOST crypto type only
     mode = OFF
     required-oids = []
     crl-checks-enabled = false
  }
}

  • type – cryptography type; available values are WAVES for Waves cryptography algorithms and GOST for GOST cryptography with PKI. If the waves-crypto parameter is present in the configuration file and is set to yes, then the type parameter is assigned the WAVES value; if the waves-crypto parameter is set to no, then the type parameter is assigned the GOST value;

  • pki – group of PKI configuration fields:

    • mode – valid values are: on, off, test; on and test values are valid only if the waves-crypto parameter is missing or is set to no and the type parameter is set to GOST. If the mode parameter is set to on, a check is performed that TLS is enabled on the network layer, i.e. the node.network.tls parameter is set to true.

    • required-oids – a whitelist of OIDs that the node expects to see in the ExtendedKeyUsage certificate extension. This list makes it possible to distinguish, among all users holding certificates issued by the same Certification Authority, those users to whom this CA assigned an OID specifically for use with the blockchain platform. The list can be empty. If the list is not empty, it must be an array of strings consisting of numbers separated by dots. For example:

    required-oids = ["1.2.3.4.5.6.7.8.9", "192.168.0.1.255.255.255.0"]
    
    • crl-checks-enabled – enables or disables the certificate revocation list (CRL) check during certificate validation. If the parameter is set to true, the cryptoprovider checks with the certification authority (CA) whether the certificate is revoked or not. A node that synchronizes with the network verifies the entire ledger to make sure its integrity is intact, i.e. checks the correctness of each block’s ES. When checking certificates, the node uses the CRLs that were valid at the time the block was signed. If a node has been out of the network for some time, or a new node joins the network, it asks other nodes for previously downloaded CRLs.

    Important

    The pki group of fields is used only with GOST cryptography (i.e. when the type field is assigned the GOST value). When using Waves cryptography (i.e. when the type field is assigned the WAVES value), this group of fields should not be in the node configuration file. If no PKI parameters are specified, the PKI is disabled.

Note

The node.waves-crypto field with yes and no values is still supported, but it is not planned for use in future versions of the platform. Instead, the type field in the crypto section will be used.
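
An added example, not part of the platform's code or documentation: a Python pre-deployment check that applies the constraints listed above (type resolution, PKI mode, TLS requirement, OID format) to an already-parsed configuration. The check_crypto function, the dict layout (crypto, waves-crypto and network taken as keys of the node block) and the sample values are assumptions made for illustration.

```python
import re

# Page rule: each required-oids entry is a string of numbers separated by dots.
OID_RE = re.compile(r"\d+(?:\.\d+)+")


def check_crypto(node):
    """Return a list of problems in a parsed `node` config block (a dict)."""
    problems = []
    crypto = node.get("crypto", {})

    # Legacy node.waves-crypto decides the type: yes -> WAVES, no -> GOST.
    legacy = node.get("waves-crypto")
    if legacy is not None:
        ctype = "WAVES" if legacy in (True, "yes") else "GOST"
    else:
        ctype = str(crypto.get("type", "")).upper()
    if ctype not in ("WAVES", "GOST"):
        problems.append("crypto.type must be WAVES or GOST")

    pki = crypto.get("pki")
    if pki is None:
        return problems  # no PKI parameters: PKI is disabled

    if ctype == "WAVES":
        problems.append("pki group should be absent with WAVES cryptography")
    mode = str(pki.get("mode", "OFF")).upper()
    if mode not in ("OFF", "ON", "TEST"):
        problems.append("pki.mode must be OFF, ON or TEST")
    elif mode != "OFF" and ctype != "GOST":
        problems.append(f"pki.mode={mode} requires GOST cryptography")
    if mode == "ON" and node.get("network", {}).get("tls") is not True:
        problems.append("pki.mode=ON requires node.network.tls = true")

    for oid in pki.get("required-oids", []):
        if not (isinstance(oid, str) and OID_RE.fullmatch(oid)):
            problems.append(f"required-oids entry {oid!r} is not a dotted OID string")
    return problems


# Constructed sample: GOST node with PKI on, TLS left disabled, one bad OID.
SAMPLE = {
    "crypto": {"type": "GOST",
               "pki": {"mode": "ON", "required-oids": ["1.2.3.4.5", "1.2.x"],
                       "crl-checks-enabled": True}},
    "network": {"tls": False},
}

if __name__ == "__main__":
    for p in check_crypto(SAMPLE):
        print("config problem:", p)
```

The node's own startup validation may be stricter or differ in detail; this check only encodes the rules stated on this page.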
