  • Fabric Beginner Series: Fabric-CA

    If you are interested, follow IT程序员客栈.

    1. Introduction to Fabric-CA

    The Fabric design provides for three kinds of certificates: enrollment certificates (Enrollment Certificate), transaction certificates (Transaction Certificate), and TLS certificates that secure the communication links. The default signature algorithm for certificates is ECDSA, and the hash algorithm is SHA-256.

    • Enrollment certificate (ECert): issued to entities such as users or nodes that present registration credentials; it represents an identity in the network and is generally long-lived.
    • Transaction certificate (TCert): issued to users to control the permissions of each transaction; a different one can be used per transaction, which provides anonymity. Short-lived.
    • Communication certificate (TLSCert): controls access at the network layer; it lets the identity of the remote entity be verified and prevents eavesdropping.

    Currently, the implementation mainly uses the ECert to verify an entity's identity and enforces permissions by checking signatures. TCert functionality has not been implemented; users can use the idemix mechanism to obtain partial anonymity.

    Fabric CA is Hyperledger's certificate authority. It provides the following functions:

    • Registration of user information
    • Issuance of digital certificates
    • Renewal and revocation of digital certificates

    In addition, the Fabric CA server exposes a RESTful interface for the client tool and the HFC SDK.

    In Fabric, a node needs the following certificates:

    .
    ├── msp
    │   ├── admincerts
    │   │   └── Admin@org1.example.com-cert.pem
    │   ├── cacerts
    │   │   └── ca.org1.example.com-cert.pem
    │   ├── config.yaml
    │   ├── keystore
    │   │   └── 648c7f8bcbf86557bc472bd638c7b1b126c48697c1e806e53dca16dd0f125014_sk
    │   ├── signcerts
    │   │   └── peer0.org1.example.com-cert.pem
    │   └── tlscacerts
    │       └── tlsca.org1.example.com-cert.pem
    └── tls
        ├── ca.crt
        ├── server.crt
        └── server.key
    

    2. Using Fabric CA

    2.1 Preparation

    • Clone the repository
    git clone https://github.com/hyperledger/fabric-ca.git
    
    • Check out the release
    git checkout v1.4.3
    
    • Build the client and server with make
    cd fabric-ca
    make fabric-ca-server
    make fabric-ca-client
    
    • Start fabric-ca-server
      Here it is started with docker; see fabric-sample/first-network/docker-compose-cli-ca.yaml for reference
    docker-compose -f docker-compose-cli-ca.yaml up -d ca0
    

    Or start it from the command line:

    fabric-ca-server init -b admin:adminpw
    fabric-ca-server start -b admin:adminpw
    

    2.2 Operations

    The Fabric CA client is used to exercise the Fabric-related functions. The interface it exposes is as follows:

    enroll: enroll an account
    gencrl: revoke certificates (generates a CRL)
    gencsr: create a certificate signing request
    cainfo: get CA information
    reenroll: re-enroll an account
    register: register a new account
    revoke: revoke an account
    version: show version information
    

    The commands provided by fabric-ca-client are as follows:

    ➜  fabric-ca git:(4af7a27) ✗ ./bin/fabric-ca-client --help
    Hyperledger Fabric Certificate Authority Client
    
    Usage:
      fabric-ca-client [command]
    
    Available Commands:
      affiliation Manage affiliations
      certificate Manage certificates
      enroll      Enroll an identity
      gencrl      Generate a CRL
      gencsr      Generate a CSR
      getcainfo   Get CA certificate chain and Idemix public key
      identity    Manage identities
      reenroll    Reenroll an identity
      register    Register an identity
      revoke      Revoke an identity
      version     Prints Fabric CA Client version
    
    

    2.2.1 Get CA information

    • Command
    fabric-ca-client getcainfo -u http://admin:adminpw@localhost:7054
    
    • Result
    2020/02/19 11:31:23 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
    2020/02/19 11:31:23 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
    2020/02/19 11:31:23 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
    2020/02/19 11:31:23 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey
    

    2.2.2 Enroll a user

    • Command
    fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
    
    • Result
    2020/02/19 11:14:48 [INFO] generating key: &{A:ecdsa S:256}
    2020/02/19 11:14:48 [INFO] encoded CSR
    2020/02/19 11:14:48 [INFO] Stored client certificate at /Users/eggsy/.fabric-ca-client/msp/signcerts/cert.pem
    2020/02/19 11:14:48 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
    2020/02/19 11:14:48 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
    2020/02/19 11:14:48 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey
    

    The enroll command contacts the specified Fabric-CA server and enrolls using the admin identity. Under the Fabric-CA client home directory it creates the configuration file fabric-ca-client-config.yaml and an msp subdirectory, which stores the enrollment certificate (ECert), the corresponding private key and the CA certificate as PEM files.

    ├── fabric-ca-client-config.yaml
    └── msp
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── cacerts
        │   └── localhost-7054.pem
        ├── keystore
        │   └── e8de7b1d9545ccdb7f1b98e7304f80c31f804fe48e0fa79f64f4056df427f4f1_sk
        ├── signcerts
        │   └── cert.pem
        └── user
    

    2.2.3 Register a user

    The admin user has been enrolled successfully; next, use admin as the registrar to register a new user.

    • Command
    fabric-ca-client register --id.name Eric --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
    
    • Result
    2020/02/19 14:12:17 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
    Password: axZEySLKDchv
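    The register call above grants hf.Revoker=true to an ordinary user, which lets that identity revoke others. As an added example, not code from the original post or from Fabric CA, here is a Python helper that parses an --id.attrs string the way it is written above and flags privileged hf.* attributes; the registrar-role and registrar-attribute checks are a simplified model of the server-side rules, and the trailing-'*' wildcard handling is an assumption.

```python
import re

# Attributes that hand an identity CA-level powers (revocation, registering
# others, CRL generation, affiliation management, issuing as an intermediate).
PRIVILEGED = {"hf.Revoker", "hf.GenCRL", "hf.IntermediateCA", "hf.AffiliationMgr",
              "hf.Registrar.Roles", "hf.Registrar.DelegateRoles", "hf.Registrar.Attributes"}

def parse_attrs(spec):
    """Parse an --id.attrs value such as 'hf.Revoker=true,foo=bar:ecert' into
    (name, value, ecert) tuples; ':ecert' asks for the attribute in the ECert."""
    out = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "=" not in item:
            raise ValueError(f"attribute without '=': {item!r}")
        name, value = item.split("=", 1)
        ecert = value.endswith(":ecert")
        out.append((name.strip(), value[:-6] if ecert else value, ecert))
    return out

def _allowed(name, patterns):
    # Allow-list entries may end in '*' ('hf.*', 'custom.*'); '*' alone means all (assumption).
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), name) for p in patterns)

def review_register(id_type, attrs_spec, registrar_roles, registrar_attrs):
    """Simplified model of what the CA checks for a register call, plus a
    least-privilege warning. Returns findings; an empty list means nothing to flag."""
    findings = []
    if "*" not in registrar_roles and id_type not in registrar_roles:
        findings.append(f"registrar may not register type {id_type!r} "
                        f"(hf.Registrar.Roles={','.join(registrar_roles)})")
    for name, value, _ in parse_attrs(attrs_spec):
        if not _allowed(name, registrar_attrs):
            findings.append(f"registrar may not assign {name!r} "
                            f"(hf.Registrar.Attributes={','.join(registrar_attrs)})")
        if name in PRIVILEGED and value.lower() != "false":
            findings.append(f"{name}={value} gives the new {id_type!r} identity CA-level rights")
    return findings
```

    Run with the page's own values, review_register("user", "hf.Revoker=true,foo=bar", ["*"], ["*"]) returns the single hf.Revoker finding.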
    

    2.3 Generate msp/tls material for peer/orderer nodes

    Create the environment variable for the fabric-ca-client configuration:

    export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client
    

    Create the fabric-ca-client configuration directory:

    mkdir -p /etc/hyperledger/fabric-ca-client
    

    Copy the fabric-ca client configuration file from the fabric-ca source:

    cp $GOPATH/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-client-config.yaml /etc/hyperledger/fabric-ca-client
    

    Enroll the admin user

    fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
    
    2.3.1 msp material

    Register the orderer node

    fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password
    

    Register the peer node

    fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password
    

    Enroll the orderer node

    fabric-ca-client enroll -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml  -M $FABRIC_CA_CLIENT_HOME/orderer/msp
    

    Enroll the peer node

    fabric-ca-client enroll -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/msp
    

    View the directory tree

        orderer
        └── msp
            ├── IssuerPublicKey
            ├── IssuerRevocationPublicKey
            ├── cacerts
            │   └── localhost-7054.pem
            ├── keystore
            │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
            ├── signcerts
            │   └── cert.pem
            └── user
        peer
        └── msp
            ├── IssuerPublicKey
            ├── IssuerRevocationPublicKey
            ├── cacerts
            │   └── localhost-7054.pem
            ├── keystore
            │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
            │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
            ├── signcerts
            │   └── cert.pem
            └── user
    
    2.3.2 tls material

    Register the orderer node

    fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password
    

    Register the peer node

    fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password
    

    Enroll the orderer node

    fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml  -M $FABRIC_CA_CLIENT_HOME/orderer/tls
    

    Enroll the peer node

    fabric-ca-client enroll -d --enrollment.profile tls -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/tls
    

    View the directory tree

        ├── orderer
        │   ├── msp
        │   │   ├── IssuerPublicKey
        │   │   ├── IssuerRevocationPublicKey
        │   │   ├── cacerts
        │   │   │   └── localhost-7054.pem
        │   │   ├── keystore
        │   │   │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
        │   │   ├── signcerts
        │   │   │   └── cert.pem
        │   │   └── user
        │   └── tls
        │       ├── IssuerPublicKey
        │       ├── IssuerRevocationPublicKey
        │       ├── cacerts
        │       ├── keystore
        │       │   └── ea475ad15a721a7657d987474089e5ed609274e5e52147035cda93aac00ad5a2_sk
        │       ├── signcerts
        │       │   └── cert.pem
        │       ├── tlscacerts
        │       │   └── tls-localhost-7054.pem
        │       └── user
        └── peer
            ├── msp
            │   ├── IssuerPublicKey
            │   ├── IssuerRevocationPublicKey
            │   ├── cacerts
            │   │   └── localhost-7054.pem
            │   ├── keystore
            │   │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
            │   │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
            │   ├── signcerts
            │   │   └── cert.pem
            │   └── user
            └── tls
                ├── IssuerPublicKey
                ├── IssuerRevocationPublicKey
                ├── cacerts
                ├── keystore
                │   └── c0cbf324a6da6ee7aded979c0a0ada3377cb26054c34c73d19ab809518f71d46_sk
                ├── signcerts
                │   └── cert.pem
                ├── tlscacerts
                │   └── tls-localhost-7054.pem
                └── user
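    As an added example, not part of the original post or of Fabric CA, here is a Python check for the directories shown on this page: the node MSP from section 1, the enroll output from 2.3.1 and the tls output from 2.3.2. It verifies that each required directory holds PEM certificates, that keystore entries follow the <hex>_sk naming seen above, and that a private key is not readable beyond its owner (0600 is my recommendation, not something the page states); the peer keystore above, which holds two _sk files after a repeated enroll, is the stale-key case it flags. demo() builds the sample directories in a temp directory with placeholder PEM bodies, which are constructed and not real certificates or keys.

```python
import re, stat, tempfile
from pathlib import Path
# Layouts from this page: a node MSP (section 1), `enroll` output (2.3.1), tls output (2.3.2).
NODE_MSP = ("admincerts", "cacerts", "signcerts", "tlscacerts")
ENROLL_MSP = ("cacerts", "signcerts")
ENROLL_TLS = ("signcerts", "tlscacerts")
KEY_NAME = re.compile(r"^[0-9a-f]{64}_sk$")  # <hex SKI>_sk, as in the listings above

def _pem_has(path, kind):
    # Accepts PKCS#8 "PRIVATE KEY" or "EC PRIVATE KEY"; "CERTIFICATE" does not match a CSR.
    return re.search(rf"-----BEGIN (EC )?{kind}-----", path.read_text(errors="replace")) is not None

def _files(d):
    return sorted(p for p in d.iterdir() if p.is_file()) if d.is_dir() else []

def check_msp(msp_dir, required):
    """Return findings for an MSP directory; an empty list means it passed."""
    msp, findings = Path(msp_dir), []
    for sub in required:
        files = _files(msp / sub)
        if not files:
            findings.append(f"{sub}: missing or empty")
        findings += [f"{sub}/{f.name}: not a PEM certificate"
                     for f in files if not _pem_has(f, "CERTIFICATE")]
    keys = _files(msp / "keystore")
    if not keys:
        findings.append("keystore: missing or empty")
    elif len(keys) > 1:  # the peer listing above shows this after a repeated enroll
        findings.append(f"keystore: {len(keys)} keys, only one matches signcerts/cert.pem")
    for k in keys:
        if not KEY_NAME.match(k.name) or not _pem_has(k, "PRIVATE KEY"):
            findings.append(f"keystore/{k.name}: not a <hex-ski>_sk PEM private key")
        mode = stat.S_IMODE(k.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"keystore/{k.name}: mode {mode:o} readable beyond the owner")
    return findings

def demo():
    """Check a constructed valid node MSP and a broken one (no admincerts, stale key, loose mode)."""
    base, out = Path(tempfile.mkdtemp()), {}
    for name, broken in (("good", False), ("bad", True)):
        for sub in NODE_MSP[1:] if broken else NODE_MSP:
            (base / name / sub).mkdir(parents=True)  # placeholder PEM body, not a real cert
            (base / name / sub / "cert.pem").write_text("-----BEGIN CERTIFICATE-----\nTUlJQg==\n-----END CERTIFICATE-----\n")
        ks = base / name / "keystore"
        ks.mkdir()
        for n in ["a" * 64 + "_sk"] + (["b" * 64 + "_sk"] if broken else []):
            (ks / n).write_text("-----BEGIN PRIVATE KEY-----\nTUlHSA==\n-----END PRIVATE KEY-----\n")
            (ks / n).chmod(0o644 if broken else 0o600)
        out[name] = check_msp(base / name, NODE_MSP)
    return out
```

    Pass ENROLL_TLS for a directory produced with --enrollment.profile tls, where cacerts is empty and the CA chain sits under tlscacerts.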
    
    If you found this useful, visit www.itkezhan.top or follow the WeChat account IT程序员客栈.
  • Original URL: https://www.cnblogs.com/i-dandan/p/12331347.html