Fabric CA study notes
I. Why fabric-ca exists
1.1 Fabric accounts
1.1.1 Why Fabric needs accounts
Unlike a traditional account system (made up of two attributes, an account name and a password, which are merely a tool for obtaining operating permissions), a blockchain system has one defining property: the data recorded on the chain is irreversible and tamper-proof. Because of this, every transaction in Fabric carries the initiator's label (its signing certificate) and is signed with the initiator's private key. If the transaction needs endorsement from nodes of other organizations, the endorsing nodes also add their own signatures to the transaction. This way the history of every transaction is clear and cannot be tampered with.
To achieve this, Fabric designed an account system based on the PKI (Public Key Infrastructure) standard that meets these requirements.
1.1.2 A complete Fabric account:
├── msp
│   ├── admincerts
│   ├── cacerts
│   ├── keystore
│   ├── signcerts
│   └── tlscacerts
└── tls
    ├── ca.crt
    ├── server.crt
    └── server.key
- msp mainly holds the certificate files used for signing and the corresponding private key files
  - admincerts: administrator certificates
  - cacerts: the root CA server's certificate
  - keystore: the node's or account's private key
  - signcerts: the X.509 node or user certificate file
  - tlscacerts: the TLS root CA's certificate
- the tls folder holds the certificates used for encrypted communication
  - ca.crt: the organization's root certificate
  - server.crt: the administrator identity's certificate
  - server.key: the administrator's private key
1.1.3 Where Fabric accounts are used
- Every operation in Fabric, whether by an Orderer, a Peer, a client SDK or the CLI, needs an account
- Every concrete action in Fabric, such as creating a channel, deploying chaincode or invoking chaincode, needs a specific account
- A Peer also needs its own account when it sends requests to the Orderer
- When a new Peer node is added to Fabric, the first thing to do is create an account for that Peer
1.2 Managing accounts with cryptogen
See the notes on the five major Fabric modules for how to use cryptogen.
Adding peer nodes with cryptogen:
- The tree command shows that the org1 organization currently has accounts for two peer nodes:
...
└── peerOrganizations
    ├── org1.testcryptogen.com
    │   ├── ca
    │   │   ├── 0b272c0067147eb26fe0ef41366bd8e841d41062df6209b0943dfaa4e67264f7_sk
    │   │   └── ca.org1.testcryptogen.com-cert.pem
    │   ├── msp
    │   │   ├── admincerts
    │   │   ├── cacerts
    │   │   └── tlscacerts
    │   ├── peers
    │   │   ├── peer0.org1.testcryptogen.com
    │   │   └── peer1.org1.testcryptogen.com
    │   ├── tlsca
    │   │   ├── fe340ca55a6bec7593be46883c9aca164a007fea19dc6a07459a3099dd4e132f_sk
    │   │   └── tlsca.org1.testcryptogen.com-cert.pem
    │   └── users
    │       ├── [email protected]
    │       ├── [email protected]
    │       ├── [email protected]
    │       └── [email protected]
...
- With the following configuration file, add two peer nodes to the org1 organization:
extend.yaml:
PeerOrgs:
  - Name: Org1
    Domain: org1.testcryptogen.com
    EnableNodeOUs: false
    Template:
      Count: 2
      Start: 2
Run:
cryptogen extend --config=/opt/hyperledger/fabricconfig/extend.yaml --output /opt/hyperledger/fabricconfig/crypto-config
- Two new Peer node account directories have been generated:
├── org1.testcryptogen.com
│   ├── ca
│   │   ├── 0b272c0067147eb26fe0ef41366bd8e841d41062df6209b0943dfaa4e67264f7_sk
│   │   └── ca.org1.testcryptogen.com-cert.pem
│   ├── msp
│   │   ├── admincerts
│   │   ├── cacerts
│   │   └── tlscacerts
│   ├── peers
│   │   ├── peer0.org1.testcryptogen.com
│   │   ├── peer1.org1.testcryptogen.com
│   │   ├── peer2.org1.testcryptogen.com
│   │   └── peer3.org1.testcryptogen.com
│   ├── tlsca
│   │   ├── fe340ca55a6bec7593be46883c9aca164a007fea19dc6a07459a3099dd4e132f_sk
│   │   └── tlsca.org1.testcryptogen.com-cert.pem
│   └── users
│       ├── [email protected]
│       ├── [email protected]
│       ├── [email protected]
│       └── [email protected]
1.3 Where fabric-ca comes from
As shown above, we used the cryptogen module and a configuration file to add the configuration files for two more Peer nodes. But what if we want to add user accounts dynamically? Moreover, having to write a configuration file every time an account is added is very cumbersome.
So, to deal with the Fabric account problem specifically, the Hyperledger project started the Fabric-CA project.
II. Fabric CA
2.1 Introduction to Fabric CA
2.1.1 Functions of Fabric CA
Fabric CA provides certificate authority functions for Hyperledger Fabric. Its main functions are:
- Identity registration, or connecting to LDAP as the user registry
- Issuing enrollment certificates
- Certificate renewal and revocation
2.1.2 How Fabric CA fits into the overall Hyperledger Fabric architecture
- CA servers are organized as a tree: one root CA server (Root Server) and multiple intermediate CA servers (Intermediate CA)
- Each intermediate CA server can itself be a cluster of CA servers, load-balanced through HAProxy
- There are two ways to interact with the Fabric CA server: the client or the SDK
- All communication with the Fabric CA server goes through its REST API
2.2 Getting started with Fabric CA
2.2.1 Installation
(1) Prerequisites:
- Go 1.10+
- the GOPATH environment variable set correctly
- the libtool and libltdl-dev packages installed:
sudo apt install libtool libltdl-dev
(2) Install
go get -u github.com/hyperledger/fabric-ca/cmd/...
Or clone the source with git and build it; either way you end up with the fabric-ca-server and fabric-ca-client binaries.
(3) Start the server
Start the server natively (default configuration):
fabric-ca-server start -b admin:adminpw
- the -b option supplies the bootstrap administrator's enrollment ID and password
- the default configuration file fabric-ca-server-config.yaml is created automatically in the current directory
Starting the server with Docker:
- edit $GOPATH/src/github.com/hyperledger/fabric-ca/docker/server/docker-compose.yml and change the image line to the image you want to use
docker-compose.yml:
fabric-ca-server:
  image: hyperledger/fabric-ca:1.3.0
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
- Run:
docker-compose up -d
- Result:
docker ps shows that the service is up:
[email protected]:/home/admin/src/github.com/hyperledger/fabric-ca/docker/server# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e00e0eda9afd hyperledger/fabric-ca:1.3.0 "sh -c 'fabric-ca-se…" 4 seconds ago Up 3 seconds 0.0.0.0:7054->7054/tcp fabric-ca-server
(4) Fabric CA commands
Use --help to view the usage help for fabric-ca-server and fabric-ca-client:
# ./fabric-ca-server --help
Hyperledger Fabric Certificate Authority Server
Usage:
fabric-ca-server [command]
Available Commands:
init Initialize the fabric-ca server
start Start the fabric-ca server
version Prints Fabric CA Server version
Flags:
--address string Listening address of fabric-ca-server (default "0.0.0.0")
-b, --boot string The user:pass for bootstrap admin which is required to build default config file
--ca.certfile string PEM-encoded CA certificate file (default "ca-cert.pem")
--ca.chainfile string PEM-encoded CA chain file (default "ca-chain.pem")
--ca.keyfile string PEM-encoded CA key file
-n, --ca.name string Certificate Authority name
--cacount int Number of non-default CA instances
--cafiles stringSlice A list of comma-separated CA configuration files
--cfg.affiliations.allowremove Enables removal of affiliations dynamically
--cfg.identities.allowremove Enables removal of identities dynamically
--crl.expiry duration Expiration for the CRL generated by the gencrl request (default 24h0m0s)
--crlsizelimit int Size limit of an acceptable CRL in bytes (default 512000)
--csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server
--csr.hosts stringSlice A list of space-separated host names in a certificate signing request to a parent fabric-ca-server
--csr.keyrequest.algo string Specify key algorithm
--csr.keyrequest.size int Specify key size
--csr.serialnumber string The serial number in a certificate signing request to a parent fabric-ca-server
--db.datasource string Data source which is database specific (default "fabric-ca-server.db")
--db.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--db.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--db.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--db.type string Type of database; one of: sqlite3, postgres, mysql (default "sqlite3")
-d, --debug Enable debug level logging
-H, --home string Server's home directory (default ".")
--idemix.nonceexpiration string Duration after which a nonce expires (default "15s")
--idemix.noncesweepinterval string Interval at which expired nonces are deleted (default "15m")
--idemix.rhpoolsize int Specifies revocation handle pool size (default 100)
--intermediate.enrollment.label string Label to use in HSM operations
--intermediate.enrollment.profile string Name of the signing profile to use in issuing the certificate
--intermediate.enrollment.type string The type of enrollment request: 'x509' or 'idemix' (default "x509")
--intermediate.parentserver.caname string Name of the CA to connect to on fabric-ca-server
-u, --intermediate.parentserver.url string URL of the parent fabric-ca-server (e.g. http://<username>:<password>@<address>:<port)
--intermediate.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--intermediate.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--intermediate.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--ldap.attribute.names stringSlice The names of LDAP attributes to request on an LDAP search
--ldap.enabled Enable the LDAP client for authentication and attributes
--ldap.groupfilter string The LDAP group filter for a single affiliation group (default "(memberUid=%s)")
--ldap.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--ldap.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--ldap.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--ldap.url string LDAP client URL of form ldap://adminDN:adminPassword@host[:port]/base
--ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")
-p, --port int Listening port of fabric-ca-server (default 7054)
--registry.maxenrollments int Maximum number of enrollments; valid if LDAP not enabled (default -1)
--tls.certfile string PEM-encoded TLS certificate file for server's listening port (default "tls-cert.pem")
--tls.clientauth.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.clientauth.type string Policy the server will follow for TLS Client Authentication. (default "noclientcert")
--tls.enabled Enable TLS on the listening port
--tls.keyfile string PEM-encoded TLS key for server's listening port
Use "fabric-ca-server [command] --help" for more information about a command.
2.3 Fabric-CA-Server
The help output gives the following information:
- fabric-ca-server subcommands:
  - init: initialize the fabric-ca server
  - start: start the fabric-ca server
  - version: show the version
- fabric-ca-server options (too many to list here, omitted)
Initialize and start fabric-ca-server:
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -H /opt/hyperledger/fabric-ca --boot admin:adminpw
2.4 Fabric-CA-Client
fabric-ca-server exposes a set of REST APIs for third-party applications to call. fabric-ca-client wraps these REST APIs; by setting its parameters you can register accounts, enroll (authorize) them, and so on.
help shows the commands, roughly:
- enroll: enroll an account
- gencrl: generate a certificate revocation list (CRL)
- gencsr: generate a certificate signing request (CSR)
- getcainfo: get the CA chain certificates
- reenroll: re-enroll an account
- register: register a new account
- revoke: revoke an account
- version: show version information
Using fabric-ca-client:
- Enroll an account and download its credentials:
./fabric-ca-client enroll -M ./msp -u http://peer1:[email protected]:7054
- Register a new account:
./fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd
- Fetch the CA server's certificate:
./fabric-ca-client getcacert -u http://localhost:7054 -M ./my/msp
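The enrollment exchange behind the enroll command above, and the msp/ layout from section 1.1.2 that it produces, as an added worked example in Go (the language fabric-ca itself is written in). This is not fabric-ca's code or the note's: the client half generates a fresh key and a CSR whose CN is the enrollment ID (what gencsr/enroll do locally), a stand-in CA verifies the CSR's signature and issues the certificate (an assumed self-signed ECDSA P-256 root with the constructed name ca.org1.example.com; the real server does this behind its REST API), the result is written out as msp/cacerts, msp/signcerts and msp/keystore under constructed file names, and CheckMSP then performs the check an operator wants before starting a node: the keystore private key matches the signcert and the signcert chains to cacerts. BreakKeystore swaps in an unrelated key to show the mismatch the check exists to catch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// File names are constructed for this example; fabric-ca uses its own (e.g. keystore/<hash>_sk).
const caCertPath, signCertPath, keyPath = "cacerts/ca-cert.pem", "signcerts/cert.pem", "keystore/key.pem"

// must turns setup errors (key generation, signing, file I/O) into panics so the flow stays readable.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

func newKey() *ecdsa.PrivateKey         { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func toPEM(t string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der}) }
func writeFile(dir, rel string, data []byte) { must(0, os.WriteFile(dir+"/"+rel, data, 0o600)) } // owner-only: key material

func readPEM(dir, rel string) []byte {
	block, _ := pem.Decode(must(os.ReadFile(dir + "/" + rel)))
	if block == nil { panic(rel + ": no PEM block found") }
	return block.Bytes
}

// sign adds a random serial and a one-day validity, then has parent sign tmpl (parent == tmpl for a root).
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// newRootCA builds a self-signed ECDSA P-256 root, standing in for the CA server's ca-cert.pem and key.
func newRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issue is the server half of enroll: check the CSR's proof of key possession, then sign a signing-only leaf.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // the requester must hold the private key for the public key it sent
	tmpl := &x509.Certificate{Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature}
	return sign(tmpl, ca, csr.PublicKey, caKey)
}

// Enroll does the client half (fresh key, CSR with CN = enrollment ID, as gencsr/enroll do locally),
// has the CA issue the certificate, and lays the result out as msp/{cacerts,signcerts,keystore}.
func Enroll(dir, enrollID string) {
	for _, sub := range []string{"cacerts", "signcerts", "keystore"} { must(0, os.MkdirAll(dir+"/"+sub, 0o700)) }
	ca, caKey := newRootCA("ca.org1.example.com") // constructed CA name
	key := newKey()
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: enrollID}}, key))
	writeFile(dir, caCertPath, toPEM("CERTIFICATE", ca.Raw))
	writeFile(dir, signCertPath, toPEM("CERTIFICATE", issue(ca, caKey, csr).Raw))
	writeFile(dir, keyPath, toPEM("PRIVATE KEY", must(x509.MarshalPKCS8PrivateKey(key))))
}

// CheckMSP is the pre-start sanity check: the keystore key must belong to the signcert and the
// signcert must chain to the CA in cacerts. Returns the enrolled CN on success.
func CheckMSP(dir string) (string, error) {
	cert := must(x509.ParseCertificate(readPEM(dir, signCertPath)))
	key, ok := must(x509.ParsePKCS8PrivateKey(readPEM(dir, keyPath))).(*ecdsa.PrivateKey)
	if pub, isEC := cert.PublicKey.(*ecdsa.PublicKey); !ok || !isEC || !pub.Equal(&key.PublicKey) {
		return "", fmt.Errorf("keystore key does not match the signcert public key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(readPEM(dir, caCertPath))))
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("signcert does not chain to cacerts: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// BreakKeystore overwrites keystore/ with an unrelated key: the mismatch CheckMSP must catch.
func BreakKeystore(dir string) {
	writeFile(dir, keyPath, toPEM("PRIVATE KEY", must(x509.MarshalPKCS8PrivateKey(newKey()))))
}

func main() {
	dir := must(os.MkdirTemp("", "msp"))
	defer os.RemoveAll(dir)
	Enroll(dir, "peer1")
	fmt.Println(CheckMSP(dir)) // peer1 <nil>
	BreakKeystore(dir)
	fmt.Println(CheckMSP(dir)) // "" followed by the keystore-mismatch error
}
```

Run it with go run; the first CheckMSP returns peer1 with a nil error, the second reports the keystore mismatch. With a real deployment the CA half happens on fabric-ca-server over the REST API named in the enroll URL above, and the key in keystore/ carries a hash-derived file name, but the two conditions CheckMSP tests are the same ones a node needs to hold before its msp/ directory is usable.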