IT程序员客栈

菜鸟系列Fabric —— Fabric-CA

有兴趣的关注IT程序员客栈哦

1.Fabric-CA简介

Fabric 设计中考虑了三种类型的证书:登记证书(Enrollment Certificate)、交易证书(Transaction Certificate),以及保障通信链路安全的 TLS 证书。证书的默认签名算法为 ECDSA,Hash 算法为 SHA-256。

  • 登记证书(ECert):颁发给提供了注册凭证的用户或节点等实体,代表网络中身份。一般长期有效。
  • 交易证书(TCert):颁发给用户,控制每个交易的权限,不同交易可以不同,实现匿名性。短期有效。
  • 通信证书(TLSCert):控制对网络层的接入访问,可以对远端实体身份进行校验,防止窃听。

目前,在实现上,主要通过 ECert 来对实体身份进行检验,通过检查签名来实现权限管理。TCert 功能暂未实现,用户可以使用 idemix 机制来实现部分匿名性。

而Fabric CA是超级账本的数字证书认证中心,它提供了如下功能:

  • 用户信息的注册
  • 数字证书的发行
  • 数字证书的延期与吊销

并且,Fabric CA服务端提供了RESTful的接口供客户端工具和HFC SDK访问。

在fabric中,节点需要以下证书。

.
├── msp
│   ├── admincerts
│   │   └── Admin@org1.example.com-cert.pem
│   ├── cacerts
│   │   └── ca.org1.example.com-cert.pem
│   ├── config.yaml
│   ├── keystore
│   │   └── 648c7f8bcbf86557bc472bd638c7b1b126c48697c1e806e53dca16dd0f125014_sk
│   ├── signcerts
│   │   └── peer0.org1.example.com-cert.pem
│   └── tlscacerts
│       └── tlsca.org1.example.com-cert.pem
└── tls
    ├── ca.crt
    ├── server.crt
    └── server.key

2. 使用Fabric CA

2.1 准备

  • 克隆仓库
git clone https://github.com/hyperledger/fabric-ca.git
  • 切换分支
git checkout v1.4.3
  • make客户端/服务端
cd fabric-ca
make fabric-ca-server
make fabric-ca-client
  • 启动fabric-ca-server
    此处采取docker启动,可以参考fabric-sample/first-network/docker-compose-cli-ca.yaml
docker-compose -f docker-compose-cli-ca.yaml up -d ca0

或者命令行启动

fabric-ca-server init -b admin:adminpw 
fabric-ca-server start -b admin:adminpw             

2.2 操作

主要通过调用Fabric CA的客户端来测试Fabric相关功能。对外提供的接口如下:

enroll:登记账号
gencrl:撤销证书
gencsr:创建证书签名
cainfo:获取CA信息
reenroll:重新登记账号
register:注册一个新账号
revoke:撤销一个账号
version:显示版本信息

fabric-ca-client 提供的操作命令如下:

➜  fabric-ca git:(4af7a27) ✗ ./bin/fabric-ca-client --help
Hyperledger Fabric Certificate Authority Client

Usage:
  fabric-ca-client [command]

Available Commands:
  affiliation Manage affiliations
  certificate Manage certificates
  enroll      Enroll an identity
  gencrl      Generate a CRL
  gencsr      Generate a CSR
  getcainfo   Get CA certificate chain and Idemix public key
  identity    Manage identities
  reenroll    Reenroll an identity
  register    Register an identity
  revoke      Revoke an identity
  version     Prints Fabric CA Client version

2.2.1 获取CA信息

  • 操作命令
fabric-ca-client getcainfo -u http://admin:adminpw@localhost:7054
  • 结果
2020/02/19 11:31:23 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
2020/02/19 11:31:23 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
2020/02/19 11:31:23 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
2020/02/19 11:31:23 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey

2.2.2 登记用户

  • 操作命令
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
  • 结果
2020/02/19 11:14:48 [INFO] generating key: &{A:ecdsa S:256}
2020/02/19 11:14:48 [INFO] encoded CSR
2020/02/19 11:14:48 [INFO] Stored client certificate at /Users/eggsy/.fabric-ca-client/msp/signcerts/cert.pem
2020/02/19 11:14:48 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
2020/02/19 11:14:48 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
2020/02/19 11:14:48 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey

enroll 命令访问指定的 Fabric-CA 服务,采用 admin 用户进行注册。 在 Fabric-CA 客户端主目录下创建配置文件 fabric-ca-clien-config.yaml 和 msp 子目录,存储注册证书(ECert),相应的私钥和 CA 证书 PEM 文件。

├── fabric-ca-client-config.yaml
└── msp
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── cacerts
    │   └── localhost-7054.pem
    ├── keystore
    │   └── e8de7b1d9545ccdb7f1b98e7304f80c31f804fe48e0fa79f64f4056df427f4f1_sk
    ├── signcerts
    │   └── cert.pem
    └── user

2.2.3 注册用户

admin用户是enroll成功的,接下来用admin作为登记员(Register)来注册(register)一个新用户。

  • 操作命令
fabric-ca-client register --id.name Eric --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
  • 结果
2020/02/19 14:12:17 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
Password: axZEySLKDchv

2.3 生成peer/orderer节点msp/tls信息

创建fabric-ca-client配置文件环境变量:

export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client

创建fabric-ca-client-msp配置文件路径:

mkdir -p /etc/hyperledger/fabric-ca-client

从fabric-ca源码中复制fabric-ca客户端配置文件:

cp $GOPATH/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-client-config.yaml /etc/hyperledger/fabric-ca-client

登记admin用户

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2.3.1 msp信息

注册ordere节点

fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password

注册peer节点

fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password

登记orderer节点

fabric-ca-client enroll -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml  -M $FABRIC_CA_CLIENT_HOME/orderer/msp

登记peer节点

fabric-ca-client enroll -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/msp

查看文件目录

    orderer
    └── msp
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── cacerts
        │   └── localhost-7054.pem
        ├── keystore
        │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
        ├── signcerts
        │   └── cert.pem
        └── user
    peer
    └── msp
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── cacerts
        │   └── localhost-7054.pem
        ├── keystore
        │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
        │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
        ├── signcerts
        │   └── cert.pem
        └── user
2.3.2 tls信息

注册ordere节点

fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password

注册peer节点

fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password

登记orderer节点

fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml  -M $FABRIC_CA_CLIENT_HOME/orderer/tls

登记peer节点

fabric-ca-client enroll -d --enrollment.profile tls -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/tls

查看文件目录

 ├── orderer
    │   ├── msp
    │   │   ├── IssuerPublicKey
    │   │   ├── IssuerRevocationPublicKey
    │   │   ├── cacerts
    │   │   │   └── localhost-7054.pem
    │   │   ├── keystore
    │   │   │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
    │   │   ├── signcerts
    │   │   │   └── cert.pem
    │   │   └── user
    │   └── tls
    │       ├── IssuerPublicKey
    │       ├── IssuerRevocationPublicKey
    │       ├── cacerts
    │       ├── keystore
    │       │   └── ea475ad15a721a7657d987474089e5ed609274e5e52147035cda93aac00ad5a2_sk
    │       ├── signcerts
    │       │   └── cert.pem
    │       ├── tlscacerts
    │       │   └── tls-localhost-7054.pem
    │       └── user
    └── peer
        ├── msp
        │   ├── IssuerPublicKey
        │   ├── IssuerRevocationPublicKey
        │   ├── cacerts
        │   │   └── localhost-7054.pem
        │   ├── keystore
        │   │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
        │   │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
        │   ├── signcerts
        │   │   └── cert.pem
        │   └── user
        └── tls
            ├── IssuerPublicKey
            ├── IssuerRevocationPublicKey
            ├── cacerts
            ├── keystore
            │   └── c0cbf324a6da6ee7aded979c0a0ada3377cb26054c34c73d19ab809518f71d46_sk
            ├── signcerts
            │   └── cert.pem
            ├── tlscacerts
            │   └── tls-localhost-7054.pem
            └── user
posted @ 2020-02-19 15:07  IT程序员客栈  阅读(889)  评论(0编辑  收藏  举报
IT程序员客栈