Fabric CA架构以及整体流程
1. 整体概览
在Fabric 1.0版本中,原0.6版本中的“Membership Service”已经被“Fabric CA”所替代。
Fabric CA是Hyperledger Fabric的证书颁发机构,它提供的功能如下:
1)身份的注册,或连接到LDAP作为用户注册表;
2)发放登记证书(ECerts);
3)发布交易证书(TCerts),在Hyperledger Fabric blockchain上进行交易时提供匿名性和不可链接性;
4)证书更新和撤销。
Fabric CA包含一个client端和一个server端。在Fabric 1.0版本中,CA可以脱离Docker镜像,作为一个独立的服务来运行。若使用docker启动,所有的CA服务都是在一个专门的镜像(名称类似于“ca”)中进行执行。
Fabric CA提供了两种访问方式调用Server服务,一种是通过Client调用,另一种是通过SDK调用。两种调用都是REST风格的。SDK的API接口位于fabric-ca工程的 fabric-ca/swagger/swagger-fabric-ca.json。本文使用的是通过Client调用。
1.1 Fabric CA整体架构图
image
[1]
Server端由一个集群组成,包括前端的一个高可用的代理服务器,连接着若干个CA Server集群,这些集群将数据共同存放在同一个数据服务器上。数据库可能是MySQL、LDAP、PostgresSQL或者SQLite。
1.2 Fabric CA运行流程的时序图
image
具体步骤包括:
-
Server端初始化
-
CA根证书生成
-
Server端启动服务
-
Client端向Server端请求登记
-
Server端向Client端返回登记证书ECert
-
Client端向Server端请求注册节点
-
Server端向Client端返回节点注册信息结果
-
Client端向Server端请求登记节点
-
Server端生成TCert,存入数据库
-
Server端向Client端返回登记结果
2. 安装
2.1 Dokcer启动
2.1.1 拉取镜像
docker pull hyperledger/fabric-ca:x86_64-1.0.0-alpha
2.1.2 使用Docker-Compose启动
将下部分代码添加到 docker-compose.yaml 中的service中,使用 docker-compose up 启动ca服务节点
ca:
image: hyperledger/fabric-ca:x86_64-1.0.0-alpha
container_name: fabric-ca
ports:
- "8888:8888"
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca
volumes:
- "./fabric-ca:/etc/hyperledger/fabric-ca"
command: sh -c 'fabric-ca-server start -b admin:adminpw'
2.2 Native启动
2.2.1前提条件
-
Go 1.7版本或以上
-
GOPATH环境配置正确
-
安装libtool和libtdhl-dev
2.2.2 安装方法
可直接使用“go get”命令进行安装。“go get”相当于“git clone”+“go install”
go get -u github.com/hyperledger/fabric-ca/cmd/...
后续的操作和在Docker中类似,这里我们主要讲Docker启动的情况。
3. Fabric-CA-Server
官方说明如下:
Hyperledger Fabric Certificate Authority Server
Usage:
fabric-ca-server [command]
Available Commands:
init Initialize the fabric-ca server
start Start the fabric-ca server
Flags:
--address string Listening address of fabric-ca-server (default "0.0.0.0")
-b, --boot string The user:pass for bootstrap admin which is required to build default config file
--ca.certfile string PEM-encoded CA certificate file (default "ca-cert.pem")
--ca.chainfile string PEM-encoded CA chain file (default "ca-chain.pem")
--ca.keyfile string PEM-encoded CA key file (default "ca-key.pem")
-n, --ca.name string Certificate Authority name
-c, --config string Configuration file (default "fabric-ca-server-config.yaml")
--csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server
--csr.serialnumber string The serial number in a certificate signing request to a parent fabric-ca-server
--db.datasource string Data source which is database specific (default "fabric-ca-server.db")
--db.tls.certfiles string PEM-encoded comma separated list of trusted certificate files (e.g. root1.pem, root2.pem)
--db.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--db.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--db.tls.enabled Enable TLS for client connection
--db.type string Type of database; one of: sqlite3, postgres, mysql (default "sqlite3")
-d, --debug Enable debug level logging
--ldap.enabled Enable the LDAP client for authentication and attributes
--ldap.groupfilter string The LDAP group filter for a single affiliation group (default "(memberUid=%s)")
--ldap.url string LDAP client URL of form ldap://adminDN:adminPassword@host[:port]/base
--ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")
-p, --port int Listening port of fabric-ca-server (default 7054)
--registry.maxenrollments int Maximum number of enrollments; valid if LDAP not enabled
--tls.certfile string PEM-encoded TLS certificate file for server's listening port (default "ca-cert.pem")
--tls.enabled Enable TLS on the listening port
--tls.keyfile string PEM-encoded TLS key for server's listening port (default "ca-key.pem")
-u, --url string URL of the parent fabric-ca-server
Use "fabric-ca-server [command] --help" for more information about a command.
3.1 初始化Server服务
3.1.1 指令介绍
fabric-ca-server init -b admin:adminpw
-b在这里指的是bootstrap,也就是启动加载状态。
有一个名为 fabric-ca-server-config.yaml 的配置文件会在节点启动时自动生成。我们也可以根据里面的内容自定义配置CSR信息,使用 --config 文件名来进行启动配置。
CSR为“Certificate Signing Request”的缩写,即证书签名请求。
目前在keys中支持的算法和相关长度如下:
image
Fabric-CA 1.0支持MySQL、LDAP、PostgresSQL和SQLite,这里配置用的是默认的SQLite。其他配置方法暂且不表。
3.1.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-server init -b admin:adminpw
2017/03/21 08:54:23 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2017/03/21 08:54:23 Initialize BCCSP [SW]
2017/03/21 08:54:23 [INFO] The CA key and certificate files already exist
2017/03/21 08:54:23 [INFO] Key file location: /etc/hyperledger/fabric-ca/ca-key.pem
2017/03/21 08:54:23 [INFO] Certificate file location: /etc/hyperledger/fabric-ca/ca-cert.pem
2017/03/21 08:54:23 [INFO] Initialized sqlite3 data base at /etc/hyperledger/fabric-ca/fabric-ca-server.db
2017/03/21 08:54:23 [INFO] Initialization was successful
3.2 启动Server服务
3.2.1 指令介绍
fabric-ca-server start -b <admin style="box-sizing: border-box;">:<adminpw style="box-sizing: border-box;"></adminpw></admin>
这里,默认调用的启动配置文件为fabric-ca-server-config.yaml,如果需要自定义配置,还是使用 --config 文件名来进行启动配置。
成功后,server端会在预先配置的环境路径下生成相应的ca证书文件,并在配置的端口号上进行服务监听。这里我们在端口8888上进行监听。
3.2.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-server start -b admin:adminpw
2017/03/21 08:54:50 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2017/03/21 08:54:50 Initialize BCCSP [SW]
2017/03/21 08:54:50 [INFO] The CA key and certificate files already exist
2017/03/21 08:54:50 [INFO] Key file location: /etc/hyperledger/fabric-ca/ca-key.pem
2017/03/21 08:54:50 [INFO] Certificate file location: /etc/hyperledger/fabric-ca/ca-cert.pem
2017/03/21 08:54:50 [INFO] Initialized sqlite3 data base at /etc/hyperledger/fabric-ca/fabric-ca-server.db
2017/03/21 08:54:50 [INFO] Listening at http://0.0.0.0:8888
4. Fabric-CA-Client
官方说明如下:
Hyperledger Fabric Certificate Authority Client
Usage:
fabric-ca-client [command]
Available Commands:
enroll Enroll user
getcacert Get CA certificate chain
reenroll Reenroll user
register Register user
revoke Revoke user
Flags:
-c, --config string Configuration file (default "/etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml")
--csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server
--csr.serialnumber string The serial number in a certificate signing request to a parent fabric-ca-server
-d, --debug Enable debug level logging
--enrollment.hosts string Comma-separated host list
--enrollment.label string Label to use in HSM operations
--enrollment.profile string Name of the signing profile to use in issuing the certificate
--id.affiliation string The identity's affiliation
--id.attr string Attributes associated with this identity (e.g. hf.Revoker=true)
--id.maxenrollments int The maximum number of times the secret can be reused to enroll.
--id.name string Unique name of the identity
--id.secret string The enrollment secret for the identity being registered
--id.type string Type of identity being registered (e.g. 'peer, app, user')
-M, --mspdir string Membership Service Provider directory (default "msp")
-m, --myhost string Hostname to include in the certificate signing request during enrollment (default "0f86c3e1cf15")
--tls.certfiles string PEM-encoded comma separated list of trusted certificate files (e.g. root1.pem, root2.pem)
--tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--tls.enabled Enable TLS for client connection
-u, --url string URL of fabric-ca-server (default "http://localhost:7054")
Use "fabric-ca-client [command] --help" for more information about a command.
4.1启动用户登记
4.1.1 指令介绍
fabric-ca-client enroll -u http://admin:adminpw@localhost:8888
登记启动用户会在用户的home路径下生成登记证书文件ECert。
4.1.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-client enroll -u http://admin:adminpw@localhost:8888
2017/03/21 08:59:09 [INFO] User provided config file: /etc/hyperledger/fabric-ca/fabric-ca-client-config.yaml
2017/03/21 08:59:09 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/fabric-ca-client-config.yaml
2017/03/21 08:59:09 Initialize BCCSP [SW]
2017/03/21 08:59:09 [INFO] received CSR
2017/03/21 08:59:09 [INFO] generating key: ecdsa-256
2017/03/21 08:59:09 [INFO] encoded CSR
2017/03/21 08:59:09 [INFO] Stored client key at /etc/hyperledger/fabric-ca/msp/keystore/key.pem
2017/03/21 08:59:09 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca/msp/signcerts/cert.pem
2017/03/21 08:59:09 [INFO] Stored CA certificate chain at /etc/hyperledger/fabric-ca/msp/cacerts/.pem
4.2 新身份注册
4.2.1 指令介绍
fabric-ca-client register
在注册阶段,server端需要检查被注册对象的两方面内容:
1 被注册的对象的角色一定要在预先配置的“hf.Registrar.Roles”属性中约定的范围内。比如,如果“hf.Registrar.Roles”约定的角色包括“peer”和“client”,那么被注册对象就只能是这两个角色中的一个,如果被注册对象的角色为“user”,那么注册就不能被通过。
2 被注册对象的从属关系参数一定要归属于预先配置的组织属性。换句话说,被注册对象的affiliation参数一定要是预先配置的affiliation参数的一个前缀。例如,假设预先配置的组织关系为:“a.b.c”,那么新注册的对象的affiliation属性可以是“a.b.c”,也可以是“a.b”,但“a.c”就不能通过注册。
下面是id配置的一个示例:
id:
name: MyPeer1
type: peer
affiliation: org1.department1
attributes:
- name: SomeAttrName
value: SomeAttrValue
- name: foo
value: bar
如果想要在后面允许对这个ID进行注销,在这里配置的attributes中要包含“hf.Revoker”,即:
attributes:
- name: hf.Revoker
value: true
4.2.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-client register --id.name cliTest00
2017/03/21 09:05:16 [INFO] User provided config file: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 09:05:16 Initialize BCCSP [SW]
2017/03/21 09:05:16 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Password: oLtPkJRCzdTH
这里随机生成了一个Password,将在后面的节点登记中用到。
在指令中使用flag来临时自定义用户名和密码:--id.name <用户名> --id.secret <密码>
4.3 节点身份登记
4.3.1 指令介绍
官方文档上说,在节点身份登记之前,要先指定FABRIC_CA_CERT_FILE和FABRIC_CA_KEY_FILE两个环境变量,生成的peer.pem和key.pem两个证书文件作为TCert。但是我的试验中,生成的证书文件路径仍然是在FABRIC_CA_CLIENT_HOME相应的路径下,不知是否是仍然存在的bug。
export FABRIC_CA_CERT_FILE=$MSP_DIR/signcerts/peer.pem
export FABRIC_CA_KEY_FILE=$MSP_DIR/keystore/key.pem
fabric-ca client enroll -u http://<peer id="" style="box-sizing: border-box;">:<password style="box-sizing: border-box;">@localhost:port</password></peer>
这里Peer ID为注册时的id name,password为上文提到的注册时生成的密码。
4.3.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-client enroll -u http://cliTest00:oLtPkJRCzdTH@localhost:8888
2017/03/21 09:07:48 [INFO] User provided config file: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 09:07:48 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 09:07:48 Initialize BCCSP [SW]
2017/03/21 09:07:48 [INFO] received CSR
2017/03/21 09:07:48 [INFO] generating key: ecdsa-256
2017/03/21 09:07:48 [INFO] encoded CSR
2017/03/21 09:07:48 [INFO] Stored client key at /etc/hyperledger/fabric-ca/clients/admin/msp/keystore/key.pem
2017/03/21 09:07:48 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca/clients/admin/msp/signcerts/cert.pem
2017/03/21 09:07:48 [INFO] Stored CA certificate chain at /etc/hyperledger/fabric-ca/clients/admin/msp/cacerts/.pem
4.4 身份重登记
4.4.1 指令介绍
fabric-ca-client reenroll
当登记的身份过期时,可以利用reenroll命令对身份进行重新登记。注意,这个指令后面不能添加登记的名称和密码,只是按照之前配置好的内容进行重新登记。
4.4.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-client reenroll
2017/03/21 10:11:36 [INFO] User provided config file: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 10:11:36 Initialize BCCSP [SW]
2017/03/21 10:11:36 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 10:11:36 [INFO] received CSR
2017/03/21 10:11:36 [INFO] generating key: ecdsa-256
2017/03/21 10:11:37 [INFO] encoded CSR
2017/03/21 10:11:37 [INFO] Stored client key at /etc/hyperledger/fabric-ca/clients/admin/msp/keystore/key.pem
2017/03/21 10:11:37 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca/clients/admin/msp/signcerts/cert.pem
2017/03/21 10:11:37 [INFO] Stored CA certificate chain at /etc/hyperledger/fabric-ca/clients/admin/msp/cacerts/.pem
4.5 证书或身份撤销
4.5.1 指令介绍
Usage:
fabric-ca-client revoke [flags]
Flags:
-a, --aki string AKI
-e, --eid string Enrollment ID (Optional)
-r, --reason string Reason for revoking
-s, --serial string Serial Number
官方给出的说明有些错误,被标(Optional)的应该是“Reason for revoking”部分。实际上,要求指令后面的flag内容为下面两种格式中的一种:
fabric-ca-client revoke -a xxx -s yyy -r<reason style="box-sizing: border-box;"></reason>
或
fabric-ca-client revoke -e <enrollment_id style="box-sizing: border-box;">-r<reason style="box-sizing: border-box;"></reason></enrollment_id>
支持的<reason style="box-sizing: border-box;">包括:</reason>
Reasons:
-
unspecified
-
keycompromise
-
cacompromise
-
affiliationchange
-
superseded
-
cessationofoperation
-
certificatehold
-
removefromcrl
-
privilegewithdrawn
-
aacompromise
AKI(Authority Key Identifier)和Serial Number都是在身份登记后生成的cert.pem文件中。我们需要对这个文件进行解析。可以使用OpenSSL进行解析:
root@xiao-virtual-machine:/home/xiao/test/fabric-ca/clients/admin/msp/signcerts# openssl x509 -in cert.pem -text -noout -serial
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4a:ad:ce:89:16:9d:36:23:99:c5:37:7a:e9:2b:06:d7:8a:f3:f3:da
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
Validity
Not Before: Mar 21 09:21:00 2017 GMT
Not After : Feb 17 17:21:00 2018 GMT
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=test001
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8a:ff:a4:44:2c:10:e5:4c:4e:7d:7d:0f:bb:28:
aa:c0:30:b8:53:2c:0d:1d:26:92:c9:85:7c:0d:24:
7a:c0:25:5c:18:c9:f7:fa:d2:53:e9:00:00:99:d1:
04:30:a1:d5:dd:a1:3c:30:37:5a:f9:70:e5:aa:6e:
89:6c:54:ad:18
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
6F:76:CA:12:7D:20:5F:27:6F:93:55:15:48:F1:32:6C:83:2A:F6:03
X509v3 Authority Key Identifier:
keyid:A5:1F:27:F8:09:78:46:4D:63:A8:23:48:B3:B4:01:1D:FB:FF:C9:43
X509v3 Subject Alternative Name:
DNS:38cdca9067ac
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:a6:3e:33:78:e2:59:8c:e2:ba:6f:0f:7b:01:
66:5d:67:08:af:81:de:1b:47:20:c1:00:e5:11:ba:1e:7a:f1:
f2:02:21:00:95:1a:31:06:6e:ab:cd:91:85:02:38:8c:72:87:
70:8e:e5:bc:7d:a8:0f:05:a1:55:60:c9:49:a0:72:1d:a1:11
serial=4AADCE89169D362399C5377AE92B06D78AF3F3DA
这里,AKI为
A5:1F:27:F8:09:78:46:4D:63:A8:23:48:B3:B4:01:1D:FB:FF:C9:43
(需要去除冒号),Serial Number为
4AADCE89169D362399C5377AE92B06D78AF3F3DA
4.5.2 示例
root@0f86c3e1cf15:/etc/hyperledger/fabric-ca# fabric-ca-client revoke -e test01
2017/03/21 11:11:05 [INFO] User provided config file: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 11:11:05 Initialize BCCSP [SW]
2017/03/21 11:11:05 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/03/21 11:11:05 [INFO] Revocation was successful
这里只是表述了通过eid进行撤销的方式,另一种方法总是不能成功,与Hyperledger项目组的成员沟通后,说是存在bug,目前仍在修复中。所以这里暂且不表。
5. 其他
5.1 优先级
命令执行的优先级从高到低依次是:
1 命令行flag
2 环境变量
3 配置文件
References
[1] https://github.com/hyperledger/fabric/blob/master/docs/source/Setup/ca-setup.rst
