实操Hyperledger Fabric——Fabric的证书(账号)体系

文章目录

  • Fabric证书是什么
  • Fabric证书服务器:Fabric-ca
    • fabric-ca-server的初始化
    • fabric-ca-server 配置文件
    • fabric-ca-client 使用
  • 将Fabric-ca-server绑定到现有项目中
    • 绑定Fabric-ca-server到现有组织
    • 通过客户端从已经绑定的fabric-ca-server中生成账号

Fabric证书是什么

我们知道Fabric包含了MSP,也表明其是联盟链,用户在非授权的情况下不得接入区块链。因此Fabric包含一套授权体系。

Fabric账号实际上就是根据PKI规范生成的一组证书和密钥文件。在之前Fabric模块命令之cryptogen就已经介绍过了。

什么地方需要使用Fabric证书呢?
Fabric中Orderer、Peer、客户端SDK、CLI接口等操作都需要用到证书。Fabric中的每个具体的动作,创建通道、部署chaincode、调用chaincode等都需要指定证书。

一般是通过环境变量来指定,具体到K8s,分享一段我的K8s创建容器的文件:

...
          env:
            - name: GOPATH
              value: /opt/gopath
            - name: CORE_VM_ENDPOINT
              value: 'unix:///host/var/run/docker.sock'
            # - name: CORE_PEER_ID
            #   value: fabric-cli
            - name: CORE_PEER_ADDRESS
              value: "peer0-org1:7051"
            - name: CORE_PEER_LOCALMSPID
              value: "Org1MSP"
            - name: CORE_PEER_TLS_ENABLED
              value: "false"
            - name: CORE_PEER_TLS_CERT_FILE
              value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt"
            - name: CORE_PEER_TLS_KEY_FILE
              value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key"
            - name: CORE_PEER_TLS_ROOTCERT_FILE
              value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt"
            - name: CORE_PEER_MSPCONFIGPATH
              value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp"
...

通过env来配置cryptogen生成的证书即可,细心的小朋友可能看到了,如果需要增加组织中的节点或者用户的数目怎么办呢,证书能不能动态增加呢?目前最新的Fabric版本中并没有提供相关的功能。下面将介绍专门为了解决证书问题而发起的项目Fabric-ca。

Fabric证书服务器:Fabric-ca

fabric-ca-server的命令如下:

root@cloud-fabric-ca-5bd689b8dd-9kjp2:/# fabric-ca-server --help
Hyperledger Fabric Certificate Authority Server

Usage:
  fabric-ca-server [command]

Available Commands:
  init        Initialize the fabric-ca server
  start       Start the fabric-ca server
  version     Prints Fabric CA Server version

Flags:
....Flags太长了,可以通过配置文件进行参数化的配置
Use "fabric-ca-server [command] --help" for more information about a command.

fabric-ca-server的初始化

fabric-ca-server初始化的命令如下(如果使用docker-compose或者k8s只需要初始化容器的时候执行命令fabric-ca-server start -b ):

# 启动服务器,开发环境可以使用简单的账号密码
root@cloud-fabric-ca-5bd689b8dd-9kjp2:/opt/hyperledger/fabric-ca-server# fabric-ca-server init -b kexin228:kexin228
2019/11/18 06:57:24 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/11/18 06:57:24 [INFO] Server Version: 1.4.3
2019/11/18 06:57:24 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/11/18 06:57:24 [INFO] The CA key and certificate files already exist
2019/11/18 06:57:24 [INFO] Key file location: /etc/hyperledger/fabric-ca-server/ca-key.pem
2019/11/18 06:57:24 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2019/11/18 06:57:25 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2019/11/18 06:57:25 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2019/11/18 06:57:25 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/11/18 06:57:25 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2019/11/18 06:57:25 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2019/11/18 06:57:25 [INFO] Initialization was successful

根据输出的信息,可以看出在目录/etc/hyperledger/fabric-ca-server下生成了如下的配置文件:

root@kexin228-lab:~/containers_volume/fabric/ca# tree -L 4
.
├── ca-cert.pem     # 证书文件
├── fabric-ca-server-config.yaml    # 配置文件,代替初始化--flag参数
├── fabric-ca-server.db     # 数据库文件(数据库选择sqlite3有效,默认为sqlite3)
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── msp     # 私钥文件夹
    └── keystore
        ├── 35e2aee01c0b37dce74e9c9ef27eeadc1b201f561d5a2bf3a1ded15f8879caee_sk
        ├── IssuerRevocationPrivateKey
        └── IssuerSecretKey

2 directories, 8 files

fabric-ca-server 配置文件

这里重点说明fabric-ca-server的配置文件,该配置文件可以分为11个部分cat fabric-ca-server-config.yaml,由于太长了,这里简单说下两个部分:


  • 通用配置部分
    包括系统的公用属性:端口、运行模式之类的。
# Version of config file
version: 1.4.3

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
cors:
    enabled: false
    origins:
      - "*"

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000


  • affiliations部分
    包含了组织中部分的相关配置信息,在客户端SDK调用时相关的参数必须保持一致,否则无法正确访问。
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

fabric-ca-client 使用

fabric-ca-server提供了一组Restful API接口供第三方应用程序调用,fabric-ca-client对这些API进行了封装,只需要简单的参数就可以完成账号注册、账号授权等操作。

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client --help
Hyperledger Fabric Certificate Authority Client

Usage:
  fabric-ca-client [command]

Available Commands:
  affiliation Manage affiliations
  certificate Manage certificates
  enroll      Enroll an identity
  gencrl      Generate a CRL
  gencsr      Generate a CSR
  getcainfo   Get CA certificate chain and Idemix public key
  identity    Manage identities
  reenroll    Reenroll an identity
  register    Register an identity
  revoke      Revoke an identity
  version     Prints Fabric CA Client version

Flags:
....省略众多的flags,后面会提到
Use "fabric-ca-client [command] --help" for more information about a command.

这里介绍几个常用命令:
(1)注册新账号peer1:peer1wd和peer2:peer2wd

# 如果要注册一个新账号,可能需要用到以下的flag
      --id.affiliation string          The identity's affiliation
      --id.attrs stringSlice           A list of comma-separated attributes of the form = (e.g. foo=foo1,bar=bar1)
      --id.maxenrollments int          The maximum number of times the secret can be reused to enroll (default CA's Max Enrollment)
      --id.name string                 Unique name of the identity
      --id.secret string               The enrollment secret for the identity being registered
      --id.type string                 Type of identity being registered (e.g. 'peer, app, user') (default "client")
      -u, --url string                 URL of fabric-ca-server (default "http://localhost:7054")
      -H, --home string                Client's home directory (default "/etc/hyperledger/fabric-ca-server")

由于地址和url我们都是用默认的,我们使用下面的命令:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd                                  
2019/11/18 07:46:30 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 07:46:30 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort

报错了,应该是要先载入账号信息

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054 
2019/11/18 07:51:04 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:51:04 [INFO] encoded CSR
2019/11/18 07:51:04 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:51:04 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:51:04 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:51:04 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

然后才注册新账号:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:51:55 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer2wd
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:52:10 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer1wd

(2)载入账号信息peer1:peer1wd和peer2:peer2wd:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer1:peer1wd@localhost:7054
2019/11/18 07:54:05 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:05 [INFO] encoded CSR
2019/11/18 07:54:05 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:05 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:05 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:05 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer2:peer2wd@localhost:7054
2019/11/18 07:54:12 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:12 [INFO] encoded CSR
2019/11/18 07:54:13 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:13 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:13 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:13 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

(3)获取CA服务器证书

root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054 
2019/11/18 08:00:21 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:21 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:21 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:21 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054 
2019/11/18 08:00:26 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:26 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:26 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:26 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

将Fabric-ca-server绑定到现有项目中

fabric-ca是对Fabric的cryptogen模块的有力补充,在Fabric项目中一般采用cryptogen模块生成组织、Peer节点、Orderer节点等模块的账号文件,但是如果需要动态的生成账号文件,这时候就需要Fabric-ca的帮助。

绑定Fabric-ca-server到现有组织

首先在fabric-ca中的配置文件fabric-ca-server-config.yaml中找到以下内容:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

然后,找到之前用cryptogen生成的证书的文件夹,执行命令tree -L 2查看结构:

root@kexin228-lab:~/containers_volume/fabric/tools/crypto-config/peerOrganizations# tree -L 2 org1.example.com/ 
org1.example.com/
├── ca
│   ├── 981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
│   └── ca.org1.example.com-cert.pem
├── msp
│   ├── admincerts
│   ├── cacerts
│   └── tlscacerts
├── peers
│   ├── peer0.org1.example.com
│   └── peer1.org1.example.com
├── tlsca
│   ├── 799ef8047b060cdd556260e4af82810c8e40180b3611f09b870c2b246eec04cd_sk
│   └── tlsca.org1.example.com-cert.pem
└── users
    ├── [email protected]
    └── [email protected]

在ca文件夹中存放org1.example.com组织相关的文件,这需要将该文件夹外挂到容器fabric-ca上。


在这里插入图片描述

外挂后的路径如下:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.
example.com# pwd
/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.
example.com/ca# ls
981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk  ca.org1.example.com-cert.pem

现在可以绑定这些文件了,绑定之后fabric-ca-server-config.yaml文件如下:

ca:
  name: org1.example.com
  # keyfile对应后缀为_sk的文件
  keyfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
  # certfile对应.pem文件
  certfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
  chainfile: ca-chain.pem

通过上述步骤 fabric-ca-server就已经被绑定到组织org1.example.com中了。

通过客户端从已经绑定的fabric-ca-server中生成账号

现在我们通过一个例子来演示如何通过fabric-ca-client从已经绑定到指定组织中的fabric-ca-server中获取一个新的用户账号。

第一步登记管理员账号密码(msp)到指定目录中:

# 创建一个fabric-ca-client来存储账号的msp文件
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# mkdir fabric-ca-client
# 将管理员账号enroll,获取管理员账号msp的证书文件
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054 -M /etc/hyperledger/fabric-ca-client/
2019/11/18 11:22:10 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 11:22:10 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:22:10 [INFO] encoded CSR
2019/11/18 11:22:10 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/signcerts/cert.pem
2019/11/18 11:22:10 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-client/cacerts/localhost-7054.pem
2019/11/18 11:22:10 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-client/IssuerPublicKey
2019/11/18 11:22:10 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-client/IssuerRevocationPublicKey

第二步注册账号:账号名为user1,密码为user1wd,注册命令如下所示:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-ca-client# fabric-ca-client register --id.name user1 --id.type user --id.affiliation org1.department1 --id.secret user1wd -u http://localhost:7054
2019/11/18 11:27:31 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: user1wd

第三步载入账号,将上一步注册的账号user1家在到本地,首先需要在本地创建存放从服务器下载的证书的目录。我存放的目录如下:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# pwd
/etc/hyperledger/user

在上述目录中登记账号user1,并将相关文件保存到目录中:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# fabric-ca-client enroll -u http://user1:user1wd@localhost:7054 -M /etc/hyperledger/user/msp
2019/11/18 11:31:00 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:31:01 [INFO] encoded CSR
2019/11/18 11:31:01 [INFO] Stored client certificate at /etc/hyperledger/user/msp/signcerts/cert.pem
2019/11/18 11:31:01 [INFO] Stored root CA certificate at /etc/hyperledger/user/msp/cacerts/localhost-7054.pem
2019/11/18 11:31:01 [INFO] Stored Issuer public key at /etc/hyperledger/user/msp/IssuerPublicKey
2019/11/18 11:31:01 [INFO] Stored Issuer revocation public key at /etc/hyperledger/user/msp/IssuerRevocationPublicKey

第四步复制管理员签名和公用的TLS证书文件。
复制管理账号的签名的命令如下:

# 创建admincerts文件夹
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/:# mkdir -p /etc/hyperledger/user/msp/admincerts/
# 复制管理账号的签名
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# cp  /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/signcerts/* /etc/hyperledger/user/msp/admincerts/

然后复制公用TLS证书文件的命令如下:

# 创建tls文件夹
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# mkdir -p /etc/hyperledger/user/tls
# 复制tls签名证书
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# cp /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/* /etc/hyperledger/user/tls

第五步,查看账号。
进入文件夹通过tree命令查看:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# tree -L 4
.
|-- msp
|   |-- IssuerPublicKey
|   |-- IssuerRevocationPublicKey
|   |-- admincerts
|   |   `-- [email protected]
|   |-- cacerts
|   |   `-- localhost-7054.pem
|   |-- keystore
|   |   `-- a34acf5c4c53e67d12193ac28a57a21b1cd05190d0bb64b29e0f6a9299e52d72_sk
|   |-- signcerts
|   |   `-- cert.pem
|   |-- tls
|   `-- user
`-- tls
    |-- ca.crt
    |-- server.crt
    `-- server.key

8 directories, 9 files

通过观察,我们知道,这与cryptogen生成的账号文件格式是一致的。

Fabric项目中更多的应用场景是客户端程序通过fabric-ca-server提供的Restful API接口完成账号的注册、登记等操作,以后会再详细说明。

你可能感兴趣的:(实操Hyperledger Fabric——Fabric的证书(账号)体系)