Tong's Work Notes

Sunday, January 31, 2021

k8s ambassador and tls cert management

With brand new google k8s, do the followings:

1. Set up kubeconfig by using the google connect command found from google cloud console, something similar to this.


gcloud container clusters get-credentials tongedge --zone us-east1-b --project odin-network-301700

2. Run the following command to deploy Ambassador


kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml &&
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes&&
kubectl apply -f https://www.getambassador.io/yaml/aes.yaml &&
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes

Now, get the external ip address


 kubectl get -n ambassador service ambassador -o
 "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"

3. Deploy kubernetes cert-manager


kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

Verify cert manager is working correctly


kubectl get pods --namespace cert-manager

k8s cert manager reference link https://cert-manager.io/docs/installation/kubernetes/

Now create a mapping and a service to make sure cert-manager created ingress can meet the http01 chanllenge.


---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  service: acme-challenge-service
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-service
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"

The ambassador external ip now can be used to configure your dns entry via whatever the dns providers. The end result will be your domain name can be resolved into the ambassador external IP address.
To request a certificate, one has to set up an issuer first, using the follow yaml file to accomplish that.


apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"
    privateKeySecretRef:
      name: letencrypt-secret
    solvers:
    - http01:
        ingress:
          class: nginx
      selector: {}


apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tonglitls
  namespace: default
spec:
  dnsNames:
    - tongli.myddns.me
  secretName: tonglitls-secret
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt

Friday, January 8, 2021

4K Video Download app is the tool to help everyone

We are using a lot of free online videos for study, singing. Due to network issues, sometimes it is a big distraction when we use these videos online, with 4K video download, we can download these videos before we need them, this helped us a lot, it also allowed us to skip unwanted/unexpected ads during the real session which in some cases causes big embarrassment.

4KDownload performed really well when you download videos, I have not experienced any failures downloading videos regardless the video quality or my internet speed. The user interface is extremely easy to use, there is no learning curves to overcome, as soon as you see the user interface, one who can click a mouse will be able to use it. It not only works on Windows but also on OS X so that you would not have to worry about if your computer supports such nice tool. I've been using the free version for awhile, cannot wait to experience the load of features with paid version. I highly recommend anyone to try this free app. To get more information, please follow one of the links below.

https://www.4kdownload.com/products/product-videodownloader/?r=free_license https://www.4kdownload.com/products/product-youtubetomp3/?r=free_license https://www.4kdownload.com/products/product-stogram/?r=free_license

Friday, November 13, 2020

Verify cert and private key of pair created using EC algorithm

Retrieve the public key from cert and do a md5

openssl x509 -in server.crt -pubkey -noout | openssl md5

Retrieve the public key from private key and do a md5

openssl pkey -pubout -in server.key | openssl md5

If the outputs from two commands match, then the certificate must be created from the private key.

Thursday, October 15, 2020

Hyperledger Fabric event listener

Function to listen to chaincode event

func listenEvents() {
    cnfg := config.FromFile("./connection.json")
    fmt.Println(reflect.TypeOf(cnfg))
    sdk, err := fabsdk.New(cnfg)
    if err != nil {
        fmt.Printf("Failed to create new SDK: %s", err)
    }
    defer sdk.Close()
    clientChannelContext := sdk.ChannelContext(channelID, fabsdk.WithUser(orgAdmin), fabsdk.WithOrg(orgName))
    eventClient, err := event.New(clientChannelContext, event.WithBlockEvents(),
        event.WithSeekType(seek.Oldest))
    if err != nil {
        fmt.Printf("Not be able to create new events client: %s", err)
    }

    reg, notifier, err := eventClient.RegisterChaincodeEvent("offering", "OFFERING SUBMITTED")
    defer eventClient.Unregister(reg)

    donechannel := make(chan string)
    go func() {
        // Just a function to demostrate that we can send signal to end the listening loop
        time.Sleep(1 * time.Minute)
        donechannel <- "QUIT NOW"
    }()

    defer close(donechannel)
end:
    for {
        select {
        case ccEvent := <-notifier:
            fmt.Printf("Received cc event: %#v", ccEvent)
            fmt.Printf("The payload is %v", ccEvent.Payload)
            fmt.Printf("TxID is %s", ccEvent.TxID)
        case msg := <-donechannel:
            fmt.Printf(msg)
            break end
        }
    }
    fmt.Println("Process finished")
}

Wednesday, October 14, 2020

Query Fabric transaction

func useClientQuery() {
    cnfg := config.FromFile("./connection.json")
    fmt.Println(reflect.TypeOf(cnfg))
    sdk, err := fabsdk.New(cnfg)
    if err != nil {
        fmt.Printf("Failed to create new SDK: %s", err)
    }
    defer sdk.Close()
    clientChannelContext := sdk.ChannelContext(channelID, fabsdk.WithUser(orgAdmin), fabsdk.WithOrg(orgName))
    client, err := ledger.New(clientChannelContext)
    if err != nil {
        fmt.Printf("Can not get ledger client")
    } else {
        fmt.Printf("The client is %v", client)
    }
    tx, err := client.QueryTransaction("e969096e24e768bff2df17d640404b6b72093fa008509acaa31cc8adb6c72260")
    fmt.Printf("validation code %d", tx.GetValidationCode())
    fmt.Printf("The tx is %v", tx)
    //client.QueryBlock()
    //client.QueryBlockByTxID("e969096e24e768bff2df17d640404b6b72093fa008509acaa31cc8adb6c72260")
}

Friday, September 11, 2020

Zero knowledger proof non-interactive

How to make zero-knowledge proofs non-interactive?

With earlier zero-knowledge verification systems there was one big problem. For it to work, the prover and the verifier had to be online at the same time. In other words, the process was “interactive”. This made the entire system inefficient and almost impossible to scale up. The verifiers couldn’t possibly be online at the same time as provers all the time? There needed to be a system to make this more efficient.

In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic and successfully changed the interactive zero-knowledge proof to non-interactive zero knowledge proof. This helped the entire protocol work without any interaction. The procedure behind it is very simple.

So, to give you an example, this is how zero knowledge proofs used to work before Fiat and Shamir. Let’s prove this using simple discrete logarithms.

Anna wants to prove to Carl that she knows a value x such that y = g^x to a base g.

Anna picks a random value v from a set of values Z, and computes t = g^v and sends t to Carl.

Carl picks a random value c from the set Z and sends it to Anna.

Anna computes r = v-c*x and returns r to Carl.

Carl checks if t= g^r * y^c holds or not ( since r= v-c*x, y= g^x and by simple substitution, g^(v-c*x)* g ^ c*x = g^v = t).

Carl doesn’t know the value of x, by merely checking if t = g^r * y^c he can verify that Anna does indeed know the value of x.

Now while the above interaction is zero-knowledge, the problem with this is that Anna and Carl need to be online and exchanging values for it to work.

How can Anna prove to Carl that she has knowledge of something without Carl being online? She can do so by using a simple cryptographic hash function, as Fiat and Shamir theorized.

Let’s look how the example above would work in a non-interactive way:

Anna wants to prove to Carl that she knows a value x such that y = g^x to a base g.

Anna picks a random value v from a set of values Z, and computes t = g^v.

Anna computes c = H(g,y,t) where H() is a hash function.

Anna computes r = v – c*x.

Carl or anyone can then check if t = g^r * y^c.

So, as you can see, zero knowledge proofs were made non interactive. And this was what laid the foundations for Zk-Snarks.

The above content is taken from this link https://blockgeeks.com/guides/zcash/

Thursday, September 10, 2020

Create self signed certificates

################## Create root ca certificate
# Create a private key
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve -out ca.key

# Extract the public key
openssl ec -in ca.key -pubout -out ca_public.key

# Create signing certificate in one step
# Create root ca certificate
openssl req -new -days 3650 -nodes -x509 -extensions v3_req -extensions v3_ca \
-subj "/C=US/ST=North Carolina/L=Raleigh/O=org0.example.com/CN=ca1.org0.example.com" \
-addext "keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign" \
-addext "extendedKeyUsage=serverAuth,clientAuth" \
-addext "subjectAltName=IP.1:192.168.56.32" -key ca.key \
-out ca.crt

# Inspect the certificate
openssl x509 -noout -text -in ca.crt

################ Create User certificate
# Create private key for admin
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve -out admin.key

# Extract public key for admin
openssl ec -in admin.key -pubout -out admin_public.key

# Create admin CSR
openssl req -new -key admin.key -extensions v3_req \
-subj "/C=US/ST=North Carolina/L=Raleigh/OU=admin/OU=client/CN=Admin@org0.example.com" \
-out admin.csr

# Verify CSR
openssl req -verify -text -noout -in admin.csr

# The content of v3.ext file
# keyUsage = critical,digitalSignature
# basicConstraints = critical,CA:FALSE
# authorityKeyIdentifier = keyid,issuer

# key usage can be other values as well
# keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

# Now sign the CSR with ca key and cert
openssl x509 -req -days 3560 -extfile v3.ext -in admin.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -sha256 -out admin.crt

# Verify certificate
openssl x509 -noout -text -in admin.crt

################ Create peer and orderer certificate
# Create private key for peer1
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve -out peer1.key

# Extract public key for peer1
openssl ec -in peer1.key -pubout -out peer1_public.key

# Create peer1 CSR
openssl req -new -key peer1.key -extensions v3_req \
-subj "/C=US/ST=North Carolina/L=Raleigh/OU=peer/CN=peer1.org0.example.com" \
-out peer1.csr

# Verify CSR
openssl req -verify -text -noout -in peer1.csr

# The content of v3.ext file
# keyUsage = critical,digitalSignature
# basicConstraints = critical,CA:FALSE
# authorityKeyIdentifier = keyid,issuer

# key usage can be other values as well
# keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

# Now sign the CSR with ca key and cert
openssl x509 -req -days 3560 -extfile v3.ext -in peer1.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -sha256 -out peer1.crt

# Verify certificate
openssl x509 -noout -text -in peer1.crt