实战:fabric 用户证书吊销操作流程
作者:BSN研习社
- 2022 年 7 月 04 日
本文字数:4149 字
阅读完需:约 14 分钟
# fabric 用户证书吊销操作流程
背景:在 fabric 框架中,Orderer、Peer、客户端 SDK、CLI 接口等操作都需要用到证书,用户在非授权的情况下不得接入区块链。但是由于现实多种原因(证书泄露、员工离职等)需要撤销用户证书。请注意,被撤销的证书与证书过期完全不同。撤销的证书尚未过期,按其他方式来说,它们是完全有效的证书。
目标: 撤销目标证书
使用对象: fabric 框架开发者
前提: 已经搭建创建完 fabric 链,并且已经安装好链码包;
示例中,已经在 k8s 环境中搭建 fabric-hll004,并在通道 bsnchannel 部署链码 sacc。
1. 使用 fabric-ca 生成 user4 的证书
##进入fabric-ca
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## 注册user3新身份
bash-5.1# fabric-ca-client register --id.name user4 --id.type client --id.secret user4pw --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*" --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## 登记user4身份
bash-5.1# fabric-ca-client enroll -u https://user4:user4pw@ca.shenzhen.hll004.bsnbase.com:7054 -M /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## 将user4证书重命名为user4@shenzhen.hll004.bsnbase.com-cert.pem
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp/signcerts/cert.pem /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp/signcerts/user4@shenzhen.hll004.bsnbase.com-cert.pem
## 将 config.yaml文件赋值到user4的msp下
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/Admin@shenzhen.hll004.bsnbase.com/msp/config.yaml /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp/config.yaml
复制代码
2. 注销前调用链码
> kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## 切换用户user4
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp
## 调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","d","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
## 查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","b"]}'
复制代码
3.吊销用户 user4 并生成 CRL
##进入fabric-ca
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## 吊销证书并生成CRL 会在当前home下生成crl: /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
bash-5.1# fabric-ca-client revoke -e user4 -r unspecified --gencrl --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
cat /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
##对上面进行base编码 (后面会用到): LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUJaVENDQVF3Q0FRRXdDZ1lJS29aSXpqMEVBd0l3YURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1QKRGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNRwpSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5ZG1WeUZ3MHlNakEyTVRFeE5ETTVNRGhhCkZ3MHlNakEyTVRJeE5ETTVNRGhhTUU0d0pRSVVZQzdEZzQvNkV3bjltT2gwUHVzMmJzTUIwcUlYRFRJeU1EWXgKTVRBMk1EQTBObG93SlFJVVlhcmVxbHZ1TC92dHlMbmt0d0Q5NGZiaE50d1hEVEl5TURZeE1URTBNemt3TjFxZwpJekFoTUI4R0ExVWRJd1FZTUJhQUZPOWZSYzFSQWh1VEF6WlErTkYxMUdXVmNvVlJNQW9HQ0NxR1NNNDlCQU1DCkEwY0FNRVFDSUFTcEwyNjlYSkYxbklrMktCSHUwanp1SW10YkFSYU5ZVWUwbjdTYW9qeldBaUJ1dkpVbXVYZmUKS21UMGRUNUJLUXRxN1pYSlA2L1pYb2I3dVRCdGlMVjBYdz09Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0=
复制代码
4 . 修改 bsnchannel 通道文件
## 登录组织shenzhen的peer1节点cli
> kubectl exec -it -n hll004 peer1-shenzhen-gs3465-ds bash
bash-5.1# export ORDERER_CA=/certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/ca.crt
bash-5.1# export CHANNEL_NAME=bsnchannel
## 使用peer channel fetch命令获取应用通道的信息
bash-5.1# peer channel fetch config config_block.pb -o orderer1.orderer.hll004.bsnbase.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
2022-06-11 14:57:23.127 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 14:57:23.145 UTC [cli.common] readBlock -> INFO 002 Received block: 11
2022-06-11 14:57:23.145 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 7
2022-06-11 14:57:23.155 UTC [cli.common] readBlock -> INFO 004 Received block: 7
## 将通道文件中的内容转换成JSON并对其进行修剪
bash-5.1# configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > sys_config.json
bash-5.1# cp sys_config.json sys_config_new.json
## 将sys_config_new.json中的 channel_group.groups.Application.groups.ShenzhenMSP下的revocation_list字段值改为CRL的base64编码字符串
bash-5.1# vi sys_config_new.json
## 将上面两步产生的 JSON文件 重新编码成PB文件
bash-5.1# configtxlator proto_encode --input sys_config.json --type common.Config --output sys_config.pb
bash-5.1# configtxlator proto_encode --input sys_config_new.json --type common.Config --output sys_modified_config.pb
## 计算两个PB文件差异 输出新的PB文件
bash-5.1# configtxlator compute_update --channel_id $CHANNEL_NAME --original sys_config.pb --updated sys_modified_config.pb --output sys_crl_update.pb
## 把上一步PB转JSON 为了封装信封使用
bash-5.1# configtxlator proto_decode --input sys_crl_update.pb --type common.ConfigUpdate | jq . > sys_crl_update.json
## 封装信封
bash-5.1# echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat sys_crl_update.json)'}}}' | jq . > sys_crl_update_in_envelope.json
## JSON 转PB 最后生成准备提交文件
bash-5.1# configtxlator proto_encode --input sys_crl_update_in_envelope.json --type common.Envelope --output sys_crl_update_in_envelope.pb
## 完成最后签名的组织可执行交易提案至order
bash-5.1# peer channel update -f sys_crl_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1.orderer.hll004.bsnbase.com:7050 --tls --cafile $ORDERER_CA
2022-06-11 15:03:11.600 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 15:03:11.648 UTC [channelCmd] update -> INFO 002 Successfully submitted channel update
复制代码
5. 注销后调用链码
## 登录peer-cli
[root@master3 ~]# kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## 先使用Admin用户调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","e","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
2022-06-11 15:05:05.500 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"4"
## ## 先使用Admin用户查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
4
## 切换user4用户
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/user4@shenzhen.hll004.bsnbase.com/msp
## 先使用user4用户查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
Error: error endorsing query: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
## ## 先使用user4用户调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","f","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
Error: error endorsing invoke: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
复制代码
划线
评论
复制
发布于: 刚刚阅读数: 4
BSN研习社
关注
还未添加个人签名 2021.11.05 加入
还未添加个人简介
评论