Practice: fabric user certificate revocation operation process
2022-07-04 16:27:00 【eighteen billion six hundred and eleven million two hundred and】
Background: in the Fabric framework, the Orderer, the Peer, the client SDK and the CLI all require certificates for their operations, so nobody can access the blockchain without authorization. In practice, however, a user certificate sometimes has to be revoked (certificate disclosure, employee departure, and so on). Note that a revoked certificate is something completely different from an expired one: a revoked certificate has not expired and is, in every other respect, a fully valid certificate.
Goal: revoke the target certificate
Audience: Fabric framework developers
Prerequisite: a Fabric chain has already been created and the chaincode package has been installed.
Example: the chain fabric-hll004 has been built in a k8s environment, and the chaincode sacc is deployed on the channel bsnchannel.
1. Generate the user4 certificate with fabric-ca
## Enter the fabric-ca container
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## Register the new user4 identity
bash-5.1# fabric-ca-client register --id.name user4 --id.type client --id.secret user4pw --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*" --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## Enroll the user4 identity
bash-5.1# fabric-ca-client enroll -u https://user4:[email protected]:7054 -M /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## Rename the user4 certificate to [email protected]
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/cert.pem /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/[email protected]
## Copy config.yaml into user4's msp directory
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml
2. Invoke the chaincode before revocation
> kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## Switch to user user4
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## Invoke the chaincode
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","d","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
## Query the chaincode
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","b"]}'
3. Revoke user user4 and generate the CRL
## Enter the fabric-ca container
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## Revoke the certificate and generate the CRL; the CRL is written under the current home directory at /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
bash-5.1# fabric-ca-client revoke -e user4 -r unspecified --gencrl --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
bash-5.1# cat /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
## Note the base64 encoding of the CRL above; it is needed in step 4.
4. Modify the bsnchannel channel configuration
## Log in to the cli of the peer1 node of organization shenzhen
> kubectl exec -it -n hll004 peer1-shenzhen-gs3465-ds bash
bash-5.1# export ORDERER_CA=/certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/ca.crt
bash-5.1# export CHANNEL_NAME=bsnchannel
## Fetch the application channel's config block with peer channel fetch
bash-5.1# peer channel fetch config config_block.pb -o orderer1.orderer.hll004.bsnbase.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
2022-06-11 14:57:23.127 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 14:57:23.145 UTC [cli.common] readBlock -> INFO 002 Received block: 11
2022-06-11 14:57:23.145 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 7
2022-06-11 14:57:23.155 UTC [cli.common] readBlock -> INFO 004 Received block: 7
## Decode the config block to JSON and trim it down to the config section
bash-5.1# configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > sys_config.json
bash-5.1# cp sys_config.json sys_config_new.json
## In sys_config_new.json, set the revocation_list field under channel_group.groups.Application.groups.ShenzhenMSP to the base64-encoded string of the CRL
bash-5.1# vi sys_config_new.json
## Re-encode the two JSON files from the steps above into PB files
bash-5.1# configtxlator proto_encode --input sys_config.json --type common.Config --output sys_config.pb
bash-5.1# configtxlator proto_encode --input sys_config_new.json --type common.Config --output sys_modified_config.pb
## Compute the difference between the two PB files and write it to a new PB file
bash-5.1# configtxlator compute_update --channel_id $CHANNEL_NAME --original sys_config.pb --updated sys_modified_config.pb --output sys_crl_update.pb
## Decode the PB from the last step back to JSON so that it can be wrapped in an envelope
bash-5.1# configtxlator proto_decode --input sys_crl_update.pb --type common.ConfigUpdate | jq . > sys_crl_update.json
## Wrap the update in an envelope
bash-5.1# echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat sys_crl_update.json)'}}}' | jq . > sys_crl_update_in_envelope.json
## Encode the JSON to PB to produce the file that is ready for submission
bash-5.1# configtxlator proto_encode --input sys_crl_update_in_envelope.json --type common.Envelope --output sys_crl_update_in_envelope.pb
## The organization that provides the final signature submits the update transaction to the orderer
bash-5.1# peer channel update -f sys_crl_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1.orderer.hll004.bsnbase.com:7050 --tls --cafile $ORDERER_CA
2022-06-11 15:03:11.600 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 15:03:11.648 UTC [channelCmd] update -> INFO 002 Successfully submitted channel update
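Steps 3 and 4 above inspect the CRL by eye and edit sys_config_new.json by hand. The following Python script is an added example, not part of the original post and not Fabric or fabric-ca code, that does both offline: it parses the CRL PEM from step 3 with a minimal stdlib DER walk to list the revoked serials and the thisUpdate/nextUpdate window, so you can confirm the revoked certificate's serial is really in the CRL before pushing it, and it writes the base64-encoded CRL into the revocation_list of a decoded channel config. The config dict is a constructed stand-in for sys_config.json that carries only the edited path; the full JSON path assumed here, channel_group.groups.Application.groups.ShenzhenMSP.values.MSP.value.config.revocation_list, is where configtxlator places an organization MSP's CRL list.

```python
import base64
import copy
import json

# CRL emitted by `fabric-ca-client revoke ... --gencrl` in step 3 (copied from the page).
CRL_PEM = """-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
"""


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Split a constructed DER value into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_crl(pem: str) -> dict:
    """Minimal RFC 5280 CertificateList reader: validity window and revoked serials."""
    cert_list = children(pem_to_der(pem))[0][1]        # CertificateList SEQUENCE body
    tbs = children(children(cert_list)[0][1])          # TBSCertList fields
    i = 1 if tbs[0][0] == 0x02 else 0                  # optional version INTEGER
    i += 2                                             # skip signature alg and issuer Name
    this_update, i = tbs[i][1].decode(), i + 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):     # UTCTime / GeneralizedTime
        next_update, i = tbs[i][1].decode(), i + 1
    revoked = []
    if i < len(tbs) and tbs[i][0] == 0x30:             # revokedCertificates SEQUENCE
        for _, entry in children(tbs[i][1]):
            serial, date = children(entry)[:2]
            revoked.append((format(int.from_bytes(serial[1], "big"), "x"), date[1].decode()))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def is_revoked(crl: dict, serial_hex: str) -> bool:
    """True if the certificate serial (hex, as printed by openssl) is listed in the CRL."""
    wanted = format(int(serial_hex, 16), "x")
    return any(s == wanted for s, _ in crl["revoked"])


def msp_config_path(msp_name: str):
    """Assumed JSON path under which configtxlator places an org MSP's FabricMSPConfig."""
    return ["channel_group", "groups", "Application", "groups", msp_name,
            "values", "MSP", "value", "config"]


def msp_config(config: dict, msp_name: str) -> dict:
    node = config
    for key in msp_config_path(msp_name):
        node = node[key]
    return node


def make_sample_config(msp_name: str) -> dict:
    """Constructed stand-in for sys_config.json holding only the edited path."""
    node = {"name": msp_name, "revocation_list": []}
    for key in reversed(msp_config_path(msp_name)):
        node = {key: node}
    return node


def set_revocation_list(config: dict, msp_name: str, crl_pem: str) -> dict:
    """Return a copy of the decoded config with the MSP's revocation_list replaced by this CRL."""
    new = copy.deepcopy(config)
    msp_config(new, msp_name)["revocation_list"] = [base64.b64encode(crl_pem.encode()).decode()]
    return new


def revocation_list_pems(config: dict, msp_name: str):
    """Decode the CRLs currently in a config back to PEM text, for review before submitting."""
    return [base64.b64decode(b).decode() for b in msp_config(config, msp_name).get("revocation_list", [])]


if __name__ == "__main__":
    info = parse_crl(CRL_PEM)
    print("CRL window:", info["this_update"], "->", info["next_update"])
    for serial, date in info["revoked"]:
        print("revoked serial", serial, "at", date)
    patched = set_revocation_list(make_sample_config("ShenzhenMSP"), "ShenzhenMSP", CRL_PEM)
    print(json.dumps(patched, indent=1))
```

Running it on the page's CRL shows two revoked serials, not just user4's, because --gencrl emits every certificate the CA has revoked; replacing the list with the newest CRL, as step 4 does, is therefore the right operation. To check the serial of the certificate you revoked, read it off the signcert with `openssl x509 -in cert.pem -noout -serial` and pass it to is_revoked. For a real sys_config.json, load it with json.load, call set_revocation_list with your MSP name, and json.dump the result to sys_config_new.json in place of the manual vi edit.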
5. Invoke the chaincode after revocation
## Log in to peer-cli
[[email protected] ~]# kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## First, invoke the chaincode as the Admin user
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","e","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
2022-06-11 15:05:05.500 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"4"
## Query the chaincode as the Admin user
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
4
## Switch to user user4
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## Query the chaincode as user4
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
Error: error endorsing query: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
## Invoke the chaincode as user4
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","f","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
Error: error endorsing invoke: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
id: BSN_2021  official account: BSN Workshop  author: Jujube Technology, He Lailiang