Fabric / FAB-17969

Cannot enable HSM for peer CLI with environment variables


    Description

      According to this documentation: https://hyperledger-fabric.readthedocs.io/en/release-2.0/hsm.html

      You should be able to enable the use of HSM by setting the following environment variables:

      CORE_PEER_BCCSP_DEFAULT=PKCS11
      CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
      CORE_PEER_BCCSP_PKCS11_PIN=71811222
      CORE_PEER_BCCSP_PKCS11_LABEL=fabric

      This works in Fabric v1.4.7 but does not work in master.

      Looking at changes that might have caused this, FAB-15951 looks like a good candidate: https://github.com/hyperledger/fabric/commit/4f7e4755fa7abc0d49a479e795923b587272cba4

      It calls factory.GetDefault() very early on, before factory.InitFactories() is called. This results in the "boot BCCSP" (SW) being used and then being passed into the commands. You can see this in the log messages:

      2020-06-08 15:53:45.200 BST [bccsp] GetDefault -> DEBU 001 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.
      2020-06-08 15:53:45.212 BST [bccsp] GetDefault -> DEBU 002 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.

      (Side note, if you want to enforce call orders like that, maybe it should be a panic instead of a debug level log message?)

      The end result is that the SW implementation is used instead of PKCS11, and failures occur later on as there are no private keys in the file system for the SW implementation to use.

      sykesm dereckluo could you take a look please?
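
The call-order problem described above, reduced to a self-contained Go model. This is an added example, not Fabric's bccsp code: the `factory` type and its methods are hypothetical, and only the `CORE_PEER_BCCSP_DEFAULT` variable name comes from the report. It shows a provider captured before initialisation staying on the software fallback, next to a strict accessor that returns an error instead of falling back.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// factory is a simplified stand-in for a crypto-provider factory (hypothetical).
type factory struct{ def string } // def is "" until initialised

// initFromEnv models late initialisation from CORE_PEER_BCCSP_DEFAULT.
func (f *factory) initFromEnv() {
	f.def = os.Getenv("CORE_PEER_BCCSP_DEFAULT")
	if f.def == "" {
		f.def = "SW"
	}
}

// getDefault models the lenient behaviour in the report: before
// initialisation it silently hands back a software "boot" provider.
func (f *factory) getDefault() string {
	if f.def == "" {
		return "SW(boot)"
	}
	return f.def
}

// getDefaultStrict fails loudly when called too early.
func (f *factory) getDefaultStrict() (string, error) {
	if f.def == "" {
		return "", errors.New("provider requested before initialisation")
	}
	return f.def, nil
}

// run captures the provider early (as a command constructor would), then initialises.
func run() (early, late string, strictErr error) {
	os.Setenv("CORE_PEER_BCCSP_DEFAULT", "PKCS11") // constructed sample config
	f := &factory{}
	early = f.getDefault()              // captured before init: software fallback
	_, strictErr = f.getDefaultStrict() // same call order, surfaced as an error
	f.initFromEnv()
	late = f.getDefault() // only callers that ask after init see PKCS11
	return
}

func main() {
	fmt.Println(run())
}
```

The value captured in `early` is what gets passed on to later code, so the HSM setting never takes effect for it even though the environment is correct.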

            People

              Unassigned Unassigned
              sstone1 Simon Stone