Practice: fabric user certificate revocation operation process
2022-07-05 22:12:00 【BSN Institute】
Background: in the Fabric framework, orderers, peers, client SDKs and the CLI all need a certificate to operate, and a user cannot access the blockchain without one. In practice, however, a user certificate sometimes has to be withdrawn before it expires (certificate or key disclosure, an employee leaving, and so on), and that is what revocation is for.
Note that a revoked certificate is something quite different from an expired one: a revoked certificate has not expired and is, in every other respect, a fully valid certificate. It is rejected only by components that have been given the CRL, which is why the CRL has to be installed into the channel configuration, as the steps below show.
Goal: revoke the target certificate.
Audience: Fabric framework developers.
Prerequisites: a Fabric network has already been created and the chaincode package has been installed.
Example environment: the Fabric network fabric-hll004 has been built on k8s, and the chaincode sacc is deployed on the channel bsnchannel.
1. Generate the user4 certificate with fabric-ca
## Enter the fabric-ca container
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## Register a new identity, user4 (note that hf.Registrar.Roles and hf.Registrar.Attributes make user4 a registrar that can register further client identities; an ordinary application user does not need these attributes)
bash-5.1# fabric-ca-client register --id.name user4 --id.type client --id.secret user4pw --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*" --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## Enroll user4: this issues its signing certificate and writes an MSP directory for it
bash-5.1# fabric-ca-client enroll -u https://user4:[email protected]:7054 -M /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## Copy the user4 certificate to the file name [email protected]
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/cert.pem /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/[email protected]
## Copy config.yaml (the NodeOU configuration) from Admin's MSP into user4's MSP
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml
2. Invoke the chaincode before revocation
> kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## Switch to user4 by pointing the CLI at its MSP
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## Invoke the chaincode as user4
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","d","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
## Query the chaincode as user4
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","b"]}'
3. Revoke user4 and generate the CRL
## Enter the fabric-ca container
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## Revoke every certificate issued to the identity user4 and generate a CRL. -e revokes by enrollment ID (all of the identity's certificates are revoked and it can no longer enroll); to revoke a single certificate only, give its serial and AKI with -s/-a instead. fabric-ca-client writes the CRL into its own MSP directory, here /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem. The CRL is cumulative: it lists every certificate this CA has revoked so far.
bash-5.1# fabric-ca-client revoke -e user4 -r unspecified --gencrl --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
cat /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
## The base64 encoding of this CRL is what gets inserted into the channel configuration in step 4 (the encoded string is omitted here).
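To see what the CRL above actually says, and what a peer does with it, here is an added example (it is not code from the BSN article or from Fabric) that parses that exact CRL with Go's standard library and reproduces the lookup Fabric's MSP performs: a CRL is only consulted for certificates whose issuing CA has the Subject Key Identifier that the CRL's AuthorityKeyIdentifier names, and only then is the certificate serial looked up. Parsing shows two revoked serials, the later one written a second before the CRL's thisUpdate, i.e. user4's. The CA certificate is not on the page, so the CA's SKI is supplied by the caller and the CRL signature check that Fabric also performs is left out; the serial 1234 used for the negative case and the "not-the-issuing-ca" key identifier are made up.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/asn1"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// crlPEM is the CRL that fabric-ca-client --gencrl wrote in step 3, copied verbatim.
const crlPEM = `-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
`

// oidAuthorityKeyID is the X.509 AuthorityKeyIdentifier extension (2.5.29.35).
var oidAuthorityKeyID = asn1.ObjectIdentifier{2, 5, 29, 35}

// ParseCRLPEM decodes a PEM-wrapped X.509 CRL.
func ParseCRLPEM(p []byte) (*x509.RevocationList, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "X509 CRL" {
		return nil, errors.New("input does not contain an X509 CRL PEM block")
	}
	return x509.ParseRevocationList(block.Bytes)
}

// AuthorityKeyID returns the keyIdentifier from the CRL's AuthorityKeyIdentifier
// extension, i.e. the Subject Key Identifier of the CA that signed the CRL.
func AuthorityKeyID(rl *x509.RevocationList) ([]byte, error) {
	for _, ext := range rl.Extensions {
		if !ext.Id.Equal(oidAuthorityKeyID) {
			continue
		}
		// AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }
		var aki struct {
			KeyID []byte `asn1:"optional,tag:0"`
		}
		if _, err := asn1.Unmarshal(ext.Value, &aki); err != nil {
			return nil, err
		}
		if len(aki.KeyID) == 0 {
			return nil, errors.New("AuthorityKeyIdentifier carries no keyIdentifier")
		}
		return aki.KeyID, nil
	}
	return nil, errors.New("CRL carries no AuthorityKeyIdentifier extension")
}

// IsRevoked mirrors the revocation check Fabric's MSP applies to a proposal creator:
// the CRL only counts if its AKI equals the SKI of the CA that issued the certificate
// (issuerSKI), and then the certificate's serial number must be listed. A CRL from any
// other CA is ignored, which is why a CRL loaded under the wrong org or CA silently
// revokes nothing.
func IsRevoked(rl *x509.RevocationList, issuerSKI []byte, serial *big.Int) (bool, error) {
	aki, err := AuthorityKeyID(rl)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(aki, issuerSKI) {
		return false, nil
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	rl, err := ParseCRLPEM([]byte(crlPEM))
	if err != nil {
		panic(err)
	}
	aki, err := AuthorityKeyID(rl)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer: %s\nthisUpdate: %s  nextUpdate: %s\nAKI: %s\n",
		rl.Issuer, rl.ThisUpdate.UTC(), rl.NextUpdate.UTC(), hex.EncodeToString(aki))
	for _, rc := range rl.RevokedCertificates {
		fmt.Printf("revoked serial %x at %s\n", rc.SerialNumber, rc.RevocationTime.UTC())
	}
	// The newest entry is the one written by the revoke in step 3, i.e. user4's certificate.
	serial := rl.RevokedCertificates[len(rl.RevokedCertificates)-1].SerialNumber
	hit, _ := IsRevoked(rl, aki, serial)                            // CRL from the issuing CA
	miss, _ := IsRevoked(rl, []byte("not-the-issuing-ca"), serial) // made-up SKI of another CA
	fmt.Printf("revoked according to issuing CA: %v; according to an unrelated CA: %v\n", hit, miss)
}
```

Running it prints the issuer (CN=fabric-ca-server, the fabric-ca-server default CSR name), a one-day validity window from the thisUpdate of 2022-06-11 14:39:08 UTC, the 20-byte AKI, and both revoked serials with their revocation times. The AKI is the value to compare with the Subject Key Identifier of the CA certificate in the org's MSP cacerts (or intermediatecerts) folder before installing the CRL: if they differ, the peer will keep accepting user4.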
4. Modify the bsnchannel channel configuration
## Log in to the CLI of org shenzhen's peer1 node
> kubectl exec -it -n hll004 peer1-shenzhen-gs3465-ds bash
bash-5.1# export ORDERER_CA=/certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/ca.crt
bash-5.1# export CHANNEL_NAME=bsnchannel
## Fetch the latest configuration block of the application channel with peer channel fetch
bash-5.1# peer channel fetch config config_block.pb -o orderer1.orderer.hll004.bsnbase.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
2022-06-11 14:57:23.127 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 14:57:23.145 UTC [cli.common] readBlock -> INFO 002 Received block: 11
2022-06-11 14:57:23.145 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 7
2022-06-11 14:57:23.155 UTC [cli.common] readBlock -> INFO 004 Received block: 7
## Decode the block to JSON and trim it down to the config section
bash-5.1# configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > sys_config.json
bash-5.1# cp sys_config.json sys_config_new.json
## In sys_config_new.json, put the base64 string of the CRL into the revocation_list array under channel_group.groups.Application.groups.ShenzhenMSP.values.MSP.value.config. The field is a list of base64-encoded PEM CRLs, one per CA that issues certificates for the org; because a fabric-ca CRL is cumulative, a newer CRL from the same CA replaces the older entry rather than being added beside it.
bash-5.1# vi sys_config_new.json
## Encode both JSON files back into protobuf
bash-5.1# configtxlator proto_encode --input sys_config.json --type common.Config --output sys_config.pb
bash-5.1# configtxlator proto_encode --input sys_config_new.json --type common.Config --output sys_modified_config.pb
## Compute the difference between the two and write it out as a ConfigUpdate
bash-5.1# configtxlator compute_update --channel_id $CHANNEL_NAME --original sys_config.pb --updated sys_modified_config.pb --output sys_crl_update.pb
## Decode the ConfigUpdate to JSON so that it can be wrapped in an envelope
bash-5.1# configtxlator proto_decode --input sys_crl_update.pb --type common.ConfigUpdate | jq . > sys_crl_update.json
## Wrap it in an envelope (header type 2 is CONFIG_UPDATE)
bash-5.1# echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat sys_crl_update.json)'}}}' | jq . > sys_crl_update_in_envelope.json
## Encode the envelope to protobuf: this is the file that gets submitted
bash-5.1# configtxlator proto_encode --input sys_crl_update_in_envelope.json --type common.Envelope --output sys_crl_update_in_envelope.pb
## Sign and submit. peer channel update signs the envelope with the current CLI identity (the org admin) and sends it to the orderer. An org's MSP value is governed by that org's Admins policy, so a single ShenzhenMSP admin signature is enough here; a value whose mod_policy requires several orgs would first need a peer channel signconfigtx from each of them.
bash-5.1# peer channel update -f sys_crl_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1.orderer.hll004.bsnbase.com:7050 --tls --cafile $ORDERER_CA
2022-06-11 15:03:11.600 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 15:03:11.648 UTC [channelCmd] update -> INFO 002 Successfully submitted channel update
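The vi step above is where most mistakes happen: the CRL has to go into revocation_list as base64 of the whole PEM text, under exactly the right org, and a second CRL from the same CA should replace the first rather than sit beside it. The following is an added example (not the article's or Fabric's own code) that performs that edit programmatically on a decoded config and fails loudly if the org is not where it is expected. The config JSON it works on is a constructed, trimmed stand-in for sys_config.json that keeps only the ShenzhenMSP path, and the CRL bytes in main are a constructed placeholder rather than a real CRL.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// sampleConfig is a constructed, trimmed stand-in for sys_config.json: only the
// path that revocation touches is kept; everything else in a real channel config
// is omitted.
const sampleConfig = `{
  "channel_group": {
    "groups": {
      "Application": {
        "groups": {
          "ShenzhenMSP": {
            "values": {
              "MSP": {
                "mod_policy": "Admins",
                "value": {
                  "config": {
                    "name": "ShenzhenMSP",
                    "revocation_list": []
                  },
                  "type": 0
                }
              }
            }
          }
        }
      }
    }
  }
}`

// mspConfigPath is where configtxlator places an org's FabricMSPConfig inside a
// decoded common.Config; revocation_list lives directly under it.
func mspConfigPath(mspID string) []string {
	return []string{"channel_group", "groups", "Application", "groups", mspID, "values", "MSP", "value", "config"}
}

// RevocationListEntry encodes one CRL the way the JSON form of the config expects it:
// the entire PEM text, header and footer lines included, as a single base64 string
// (revocation_list is a repeated bytes field in the protobuf).
func RevocationListEntry(crlPEM []byte) string {
	return base64.StdEncoding.EncodeToString(crlPEM)
}

// walk descends through nested JSON objects and fails on a missing key, so a typo in
// the MSP ID cannot yield a config update that silently changes nothing.
func walk(root map[string]interface{}, path []string) (map[string]interface{}, error) {
	cur := root
	for i, key := range path {
		next, ok := cur[key].(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("config has no object at %v", path[:i+1])
		}
		cur = next
	}
	return cur, nil
}

// SetRevocationList replaces the org's revocation_list with the given CRLs. Pass the
// current CRL of every CA that issues certificates for the org: fabric-ca's --gencrl
// output is cumulative, so a fresh CRL supersedes the previous one from the same CA.
func SetRevocationList(configJSON []byte, mspID string, crls [][]byte) ([]byte, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	mspCfg, err := walk(cfg, mspConfigPath(mspID))
	if err != nil {
		return nil, err
	}
	entries := make([]string, 0, len(crls))
	for _, crl := range crls {
		entries = append(entries, RevocationListEntry(crl))
	}
	mspCfg["revocation_list"] = entries
	return json.MarshalIndent(cfg, "", "  ")
}

// GetRevocationList returns the base64 entries currently present for the org.
func GetRevocationList(configJSON []byte, mspID string) ([]string, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	mspCfg, err := walk(cfg, mspConfigPath(mspID))
	if err != nil {
		return nil, err
	}
	var out []string
	raw, _ := mspCfg["revocation_list"].([]interface{})
	for _, e := range raw {
		s, ok := e.(string)
		if !ok {
			return nil, fmt.Errorf("revocation_list entry %v is not a string", e)
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	// Constructed placeholder standing in for /certs/.../msp/crls/crl.pem.
	crl := []byte("-----BEGIN X509 CRL-----\nMIIB...placeholder...\n-----END X509 CRL-----\n")
	updated, err := SetRevocationList([]byte(sampleConfig), "ShenzhenMSP", [][]byte{crl})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(updated))
	if _, err := SetRevocationList([]byte(sampleConfig), "ShenZhenMSP", [][]byte{crl}); err != nil {
		fmt.Println("typo in the MSP ID is caught:", err)
	}
}
```

A quick sanity check on a hand-edited sys_config_new.json follows from the encoding: every entry in revocation_list must start with LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0t, which is the base64 of the "-----BEGIN X509 CRL-----" header line. An entry that starts with anything else (for instance the base64 of the DER alone, or the CRL's own base64 body pasted in without the header) is not what the peer expects.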
5. Invoke the chaincode after revocation
## Log in to the peer CLI
[[email protected] ~]# kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## First invoke the chaincode as the Admin user
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","e","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
2022-06-11 15:05:05.500 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"4"
## Query the chaincode as the Admin user
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
4
## Switch to user4
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## Query the chaincode as user4: rejected
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
Error: error endorsing query: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
## Invoke the chaincode as user4: rejected
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","f","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
Error: error endorsing invoke: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
## Both requests are refused by the endorsing peer before the chaincode runs: while validating the proposal, the peer's MSP for ShenzhenMSP, built from the channel configuration, finds the serial of user4's certificate in the CRL. Revocation therefore takes effect on every channel whose configuration carries the CRL and nowhere else; a CRL placed only in a node's local msp/crls folder does not reach the channel.
ID: BSN_2021; official account: BSN Workshop; author: He Lailiang, Jujube Technology