1. Introduction to Fabric-CA
Fabric's design considers three types of certificates: the Enrollment Certificate, the Transaction Certificate, and the TLS certificate that secures the communication link. The default signature algorithm is ECDSA, with SHA-256 as the hash algorithm.
- Enrollment certificate (ECert): issued to an entity (user, node, ...) that presents registration credentials; it represents the entity's identity in the network and is normally long-lived.
- Transaction certificate (TCert): issued to users to control the permissions of each transaction; a different one can be used per transaction, which gives anonymity. Short-lived.
- Communication certificate (TLSCert): controls access at the network layer; it lets the identity of the remote entity be verified and prevents eavesdropping.
At present the implementation checks entity identity mainly through the ECert, and enforces permissions by verifying signatures against it. TCerts are not implemented; users can use the Idemix mechanism for partial anonymity.
Fabric CA is Hyperledger Fabric's certificate authority. It provides:
- registration of identities (user information)
- issuance of digital certificates
- renewal and revocation of digital certificates
The Fabric CA server exposes a RESTful API, which is what the fabric-ca-client tool and the Fabric SDKs (HFC SDK) talk to.
In Fabric, a node needs the following certificate material.
.
├── msp
│   ├── admincerts
│   │   └── Admin@org1.example.com-cert.pem
│   ├── cacerts
│   │   └── ca.org1.example.com-cert.pem
│   ├── config.yaml
│   ├── keystore
│   │   └── 648c7f8bcbf86557bc472bd638c7b1b126c48697c1e806e53dca16dd0f125014_sk
│   ├── signcerts
│   │   └── peer0.org1.example.com-cert.pem
│   └── tlscacerts
│       └── tlsca.org1.example.com-cert.pem
└── tls
    ├── ca.crt
    ├── server.crt
    └── server.key
2. Using Fabric CA
2.1 Preparation
- Clone the repository
git clone https://github.com/hyperledger/fabric-ca.git
cd fabric-ca
- Check out the release tag
git checkout v1.4.3
- Build the client and server
make fabric-ca-server
make fabric-ca-client
- Start fabric-ca-server
Here it is started with docker; see fabric-samples/first-network/docker-compose-cli-ca.yaml for reference.
docker-compose -f docker-compose-cli-ca.yaml up -d ca0
Or start it from the command line:
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -b admin:adminpw
-b sets the bootstrap identity, which is the registrar used for every register call below. adminpw and plain http are acceptable only for a local test: anywhere else, choose a different secret and enable TLS on the server (tls.enabled in fabric-ca-server-config.yaml), because the enroll URLs used below carry the enrollment secret and would send it in clear over http.
2.2 Operations
Fabric CA's functions are exercised mainly through its client. The commands it exposes are:
enroll: enroll an identity (obtain its certificate)
gencrl: generate a certificate revocation list (CRL)
gencsr: generate a certificate signing request (CSR)
getcainfo: get CA information
reenroll: re-enroll an identity
register: register a new identity
revoke: revoke an identity or one of its certificates
version: show version information
The full command list from fabric-ca-client:
➜ fabric-ca git:(4af7a27) ✗ ./bin/fabric-ca-client --help
Hyperledger Fabric Certificate Authority Client
Usage:
fabric-ca-client [command]
Available Commands:
affiliation Manage affiliations
certificate Manage certificates
enroll Enroll an identity
gencrl Generate a CRL
gencsr Generate a CSR
getcainfo Get CA certificate chain and Idemix public key
identity Manage identities
reenroll Reenroll an identity
register Register an identity
revoke Revoke an identity
version Prints Fabric CA Client version
2.2.1 Getting CA information
- Command
fabric-ca-client getcainfo -u http://admin:adminpw@localhost:7054
- Result
2020/02/19 11:31:23 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
2020/02/19 11:31:23 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
2020/02/19 11:31:23 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
2020/02/19 11:31:23 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey
2.2.2 Enrolling a user
- Command
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
- Result
2020/02/19 11:14:48 [INFO] generating key: &{A:ecdsa S:256}
2020/02/19 11:14:48 [INFO] encoded CSR
2020/02/19 11:14:48 [INFO] Stored client certificate at /Users/eggsy/.fabric-ca-client/msp/signcerts/cert.pem
2020/02/19 11:14:48 [INFO] Stored root CA certificate at /Users/eggsy/.fabric-ca-client/msp/cacerts/localhost-7054.pem
2020/02/19 11:14:48 [INFO] Stored Issuer public key at /Users/eggsy/.fabric-ca-client/msp/IssuerPublicKey
2020/02/19 11:14:48 [INFO] Stored Issuer revocation public key at /Users/eggsy/.fabric-ca-client/msp/IssuerRevocationPublicKey
The enroll command contacts the given Fabric-CA server and enrolls the admin user (the bootstrap identity from -b). It creates the configuration file fabric-ca-client-config.yaml and an msp subdirectory under the Fabric-CA client home directory; msp holds the enrollment certificate (ECert), its private key and the CA certificate as PEM files.
├── fabric-ca-client-config.yaml
└── msp
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── cacerts
    │   └── localhost-7054.pem
    ├── keystore
    │   └── e8de7b1d9545ccdb7f1b98e7304f80c31f804fe48e0fa79f64f4056df427f4f1_sk
    ├── signcerts
    │   └── cert.pem
    └── user
2.2.3 Registering a user
With admin enrolled, use it as the registrar to register a new user. --id.attrs assigns attributes to the identity: hf.Revoker=true lets Eric revoke identities and certificates, foo=bar is a custom attribute. Only hf.EnrollmentID, hf.Type and hf.Affiliation are placed in the ECert by default; a custom attribute is written into the ECert only when it is registered with the :ecert suffix (foo=bar:ecert). The password printed in the result is Eric's enrollment secret, used in the enroll URL.
- Command
fabric-ca-client register --id.name Eric --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
- Result
2020/02/19 14:12:17 [INFO] Configuration file location: /Users/eggsy/.fabric-ca-client/fabric-ca-client-config.yaml
Password: axZEySLKDchv
2.3 Generating msp/tls material for peer and orderer nodes
Point the fabric-ca-client home directory at a dedicated location:
export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client
Create that directory:
mkdir -p /etc/hyperledger/fabric-ca-client
Copy the client configuration file from the fabric-ca source tree:
cp $GOPATH/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-client-config.yaml /etc/hyperledger/fabric-ca-client
Enroll the admin user
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2.3.1 msp material
Register the orderer node
fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password
Register the peer node
fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password
Enroll the orderer node (-c names a per-node client configuration file, -M the directory the MSP is written to)
fabric-ca-client enroll -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml -M $FABRIC_CA_CLIENT_HOME/orderer/msp
Enroll the peer node
fabric-ca-client enroll -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/msp
Directory listing. The peer keystore below holds two _sk files; a second one appears when enroll is run again for the same identity, since each run generates a new key. The node uses the key whose SKI matches the certificate in signcerts; the other is stale.
orderer
└── msp
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── cacerts
    │   └── localhost-7054.pem
    ├── keystore
    │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
    ├── signcerts
    │   └── cert.pem
    └── user
peer
└── msp
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── cacerts
    │   └── localhost-7054.pem
    ├── keystore
    │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
    │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
    ├── signcerts
    │   └── cert.pem
    └── user
2.3.2 tls material
The register commands are the same as in 2.3.1 and are only needed if that step has not been run: Fabric CA rejects a second registration of an identity name that already exists.
Register the orderer node
fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password
Register the peer node
fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password
Enroll the orderer node with the tls profile. Add --csr.hosts with every host name clients will dial (for example --csr.hosts orderer.example.com,localhost): the TLS certificate's SANs come from the CSR, and a client rejects a certificate that does not name the host it connected to.
fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml -M $FABRIC_CA_CLIENT_HOME/orderer/tls
Enroll the peer node
fabric-ca-client enroll -d --enrollment.profile tls -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M $FABRIC_CA_CLIENT_HOME/peer/tls
Directory listing. To obtain the tls/ layout shown in section 1, copy tls/signcerts/cert.pem to server.crt, the tls/keystore/*_sk file to server.key and tls/tlscacerts/tls-localhost-7054.pem to ca.crt.
├── orderer
│   ├── msp
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── cacerts
│   │   │   └── localhost-7054.pem
│   │   ├── keystore
│   │   │   └── f2e22f79d62e472ec8d2411fc68e0ad3e04bbc90cd790844a3d7b94eff7c87c4_sk
│   │   ├── signcerts
│   │   │   └── cert.pem
│   │   └── user
│   └── tls
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── cacerts
│       ├── keystore
│       │   └── ea475ad15a721a7657d987474089e5ed609274e5e52147035cda93aac00ad5a2_sk
│       ├── signcerts
│       │   └── cert.pem
│       ├── tlscacerts
│       │   └── tls-localhost-7054.pem
│       └── user
└── peer
    ├── msp
    │   ├── IssuerPublicKey
    │   ├── IssuerRevocationPublicKey
    │   ├── cacerts
    │   │   └── localhost-7054.pem
    │   ├── keystore
    │   │   ├── 19ddee56c9329bbee0ba2fc3c3ca8c87c1d774921d898fa6d701e0a1f98fc92e_sk
    │   │   └── c35641cd14d0b73e80d057c37a0568c78c474a22af5993b642f2c8312549e824_sk
    │   ├── signcerts
    │   │   └── cert.pem
    │   └── user
    └── tls
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── cacerts
        ├── keystore
        │   └── c0cbf324a6da6ee7aded979c0a0ada3377cb26054c34c73d19ab809518f71d46_sk
        ├── signcerts
        │   └── cert.pem
        ├── tlscacerts
        │   └── tls-localhost-7054.pem
        └── user
```
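What the TLS certificate from the tls profile is checked against at connection time, as an added example (not code from this page or from Fabric): a self-signed certificate whose SANs are peer0.org1.example.com and localhost stands in for the enrolled server.crt and, in this in-memory setup, also for the tlsca root a real client would trust; an in-memory TLS server presents it and a client that trusts it dials three names. The handshake succeeds only for names the certificate carries, which is the reason --csr.hosts must list every name clients will use. The host names are assumptions; the verification the client performs (chain to the trusted root, then SAN match against ServerName) is Go's standard crypto/tls behaviour, which Fabric's gRPC connections rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewTLSCert builds a constructed, self-signed TLS certificate whose SANs are hosts. It stands in
// for what `enroll --enrollment.profile tls --csr.hosts <hosts>` returns and doubles as the trust
// root here; a real deployment trusts the tlsca certificate instead.
func NewTLSCert(hosts ...string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts, // the SANs a TLS client matches against the name it dialled
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Dial runs a TLS handshake over an in-memory pipe between a server presenting cert and a client
// that trusts pool and expects serverName, and returns the client's verdict. That error is what a
// peer, orderer or SDK client reports when a node's TLS certificate does not name the host dialled.
func Dial(cert tls.Certificate, pool *x509.CertPool, serverName string) error {
	cconn, sconn := net.Pipe()
	defer cconn.Close()
	srv := tls.Server(sconn, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	})
	go func() {
		defer sconn.Close()
		_ = srv.Handshake() // the outcome is observed on the client side
	}()
	cli := tls.Client(cconn, &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12})
	return cli.Handshake()
}

func main() {
	cert, pool := NewTLSCert("peer0.org1.example.com", "localhost")
	fmt.Println("peer0:    ", Dial(cert, pool, "peer0.org1.example.com")) // <nil>
	fmt.Println("localhost:", Dial(cert, pool, "localhost"))              // <nil>
	// A name that was not among the CSR hosts is rejected even though the certificate is trusted.
	fmt.Println("peer1:    ", Dial(cert, pool, "peer1.org1.example.com"))
}
```

The same rejection shows up in Fabric as an "x509: certificate is valid for ..., not ..." error on the client side, typically when a certificate enrolled without --csr.hosts (whose only name is the CN the CA put in) is presented by a node reached under a different host name.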