We Keep Coding

Advantage/Disadvantage between Chainlink VRF and an off-chain random number transaction performed by your server?

As I understand it Chainlink VRF uses the request-response approach for providing contracts with a "trusted random number". You (the developer) create a smart contract and inherit the Chainlink VRFConsumerBase contract, declare a storage variable that will hold your random number result, then initialize some keyhash & chainlink oracle address, and implement a function ( lets say abc() ) that calls Chainlinks "requestRandomness()" function. You then override the internal "fulfillRandomness()" function and set the returned random number on your storage variable.
Short flow:
Fund your smart contract with LINK, make a transaction call to abc()
Wait for Chainlinks Oracle to make a transaction call to your contract "fulfillRandomness()" and set the random number result on your storage variable.
Rather than using this approach wouldn’t it be sufficient to just write a smart contract that emits a "RequestRandom" Event and have a personal server running that listens for the RequestRandom event of your contract and have that server then generate a random number and make an authorized transaction to my contract to set that generated random number on it.
contract MyRandom {
event RequestRandom(uint seed);
address public myServerWallet;
uint public myRandomNumber;
constructor(address a) {
myServerWallet = a;
}
function makeRandomRequest(uint seed) external {
emit RequestRandom(seed);
}
function setRandomResult(uint result) external {
require(msg.sender == myServerWallet, "Only server may call");
myRandomNumber = result;
}
}
What would be the difference between this approach vs Chainlink VRF? Am I sacrificing some type of security by using this approach?
Tried the server approach above. It does work but still curious on advantage/disadvantage.

Best practice for protecting sensitive information on solidity?

I have a field in my contract. It's something like this:
contract MyContract {
string private secretField
}
function getSecretField() public view returns {
... some controls here...
return secretField;
}
I want to reach that secretField from my backend server and protect it from any other requester. What is the best practice for this?

If it's on a public blockchain (mainnet, ropsten testnet, ...), it's always going to be accessible by querying the storage slot containing the secretField value from an off-chain app. No matter the Solidity private visibility modifier because the storage query is performed on a lower layer.
Example: If secretField is the first property of the first defined contract (on this address), its value is stored in storage slot 0.
But if you only want to hide it from on-chain requesters, you can keep the property private and require the getter to be accessed only from a certain address.
// removed `view` because it's going to interact with the transaction data
function getSecretField() public returns {
// reverts if the sender address is not 0x123
require(msg.sender == address(0x123);
return secretField;
}
Note that your backend app is going to have to send a transaction from the 0x123 address in order to access the data. Simple call won't return anything because the getSecretField() is not a view function anymore.

Writing Ethereum Smart Contracts for Role based permission

How can I write a smart contract to give role based permission for a transaction to take place.
Say there are five people A, B, C, D and E. A wants to send some ethers to B. But the transaction will not take place until and unless C, D and E give confirmation/approve.
Is it possible to do with ethereum smart contracts? Can someone give me sample code for the same?
Thanks in advance.

you can create such smart contract although using a multisig account would be better for this case.
you could write a simple contract which validate a transaction after receiving the different needed signatures.
e..g :
contract C{
address A;
address B;
address C;
mapping (address=>bool) permission;
function send_permission(address _to, uint value)
{
if(permission[A]&&permission[A]&&permission[A])
_to.transfer(value);
}
function set_permission(bool state)
{
permission[msg.sender]=state;
}
}

For a dynamic solution you will need to create 2 mappings one for the user who can approve transactions (lets call them moderator for simplicity) and one for the permissions
the logic will be when a user sends a transaction we see if he is approved in the approval mapping if yes go though with the transaction otherwise revert.
you will need to make a function for a user to get approved.
and a function which allows a moderator to approve an address in which we will check if a moderator is present in the moderators mapping. if yes he can add the non-approved user to the approved mapping.
remember in this solution once an address is approved that address can send multiple transactions with no checks but if you want to limit what address can send which transaction you'll have to modify the second mapping to a nested one in which youll keep a track of the address, the transaction number and a bool value

computeRsaSha256Signature() returns Invalid argument: key error when key is public key or rsa private key

I need to sign a message using RSA-SHA256 and a public key in my Google Apps Script.
I am trying to use Utilities.computeRsaSha256Signature(value, key) for this, but I just get an Invalid argument: key error.
For the purpose of this question I have generated a key-pair like this:
openssl genrsa -out private.pem 32
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
My script looks like this:
function test() {
var privKey = "-----BEGIN RSA PRIVATE KEY-----\nMCwCAQACBQC6fs8xAgMBAAECBQCxyL35AgMA3ecCAwDXJwICKLcCAnF9AgIbnA==\n-----END RSA PRIVATE KEY-----\n";
var pubKey = "-----BEGIN PUBLIC KEY-----\nMCAwDQYJKoZIhvcNAQEBBQADDwAwDAIFALp+zzECAwEAAQ==\n-----END PUBLIC KEY-----\n";
Utilities.computeRsaSha256Signature("value", pubKey);
Utilities.computeRsaSha256Signature("value", privKey);
}
When I run this I get an Invalid argument: key error on the first call to computeRsaSha256Signature.
The error suggests there is something wrong with they key, but I can't figure out what the problem is. I've tried with both the public and the private key and I've tried to strip the newlines but everything fails with the same message.
My code looks very similar to the example in the documentation so I'm not sure what I am doing wrong.
How can Utilities.computeRsaSha256Signature() be used successfully?

Keys starting with BEGIN PRIVATE KEY have a different format than the ones with BEGIN RSA PRIVATE KEY.
I was starting from a key in the "RSA" format but the computeRsaSha256Signature needs a key in the non-RSA format.
You can convert from the latter to the former with:
openssl pkcs8 -topk8 -inform pem -in private.pem -outform pem -nocrypt -out newPrivate.pem
Source:
https://plus.google.com/106009755685055488206/posts/bYuPM6MGwsU

There are at least three different types of keys that can be used when doing a rsa sha256 signature:
BEGIN PRIVATE KEY
BEGIN RSA PRIVATE KEY
BEGIN PUBLIC KEY
As indicated by the accepted answer and based on my own testing it seems like computeRsaSha256Signature only supports the BEGIN PRIVATE KEY type.
As the accepted answer explains it is possible to convert a RSA PRIVATE KEY to a PRIVATE KEY however when all you have is the public key it's more complicated.
In this scenario an external library like JSEncrypt can be useful. However this assumes that the window and navigator objects exist which they do in normal JavaScript environments but doesn't in Google Apps Scripts.
But with some modification it's possible to get JSEncrypt to work good enough with Google Apps Scripts to sign messages using a public key.

How to change Subject property of Certificate Signing Request programmatically?

I am implementing Windows MDM. In this, Device sends CSR which is PKCS#10 Certificate request.
When I go to http://certlogik.com/decoder, and decode this CSR,I get Subject as
"CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\00"
This "\00", we want to remove from subject property.Because of this we are not able to install company hub app during enrolment.
I want to change this subject to any value such as "CN=myMDM".How can I change Subject property of CSR?

It is permissible to have a certificate subject differ from the subject of the PKCS#10 (i.e. CSR). See the -subj option to OpenSSL's 'req' command.
For reasons behind this ability, consider this; Your CSR is signed by your private key. The signature is used to verify that the contents of the CSR have not been modified (this includes the subject). Your public key is included in the CSR. A CA creates your cert and uses whatever parts of the CSR subject it sees fit. The cert, along with the CA-specified subject and the public key from your CSR is signed by the private key of the CA. This signature is used to verify that the contents of your cert have not been modified (this includes the CA-specified subject).

You cannot change it once you have the certificate request, as CSR's should be signed with your private key, and the signing is definitely including the subject line.
So if you change anything you need to resign, which requires you to parse the CSR. So basically you should rebuild your CSR and simply strip off the character with value 00 (null terminator character) when you supply your common name (CN).
You are left with the following options:
correctly generate the CSR, as explained above,
change the CSR, removing the zero valued byte and recalculating all the lengths, and skip verification,
create a special certificate creator that puts the correct subject like out of the CSR after verifying or skipping the signature verification of the CSR;