当前位置:网站首页>实战:fabric 用户证书吊销操作流程
实战:fabric 用户证书吊销操作流程
2022-07-05 22:11:00 【BSN研习社】
背景:在fabric框架中,Orderer、Peer、客户端SDK、CLI接口等操作都需要用到证书,用户在非授权的情况下不得接入区块链。但是由于现实多种原因(证书泄露、员工离职等)需要撤销用户证书。
请注意,被撤销的证书与证书过期完全不同。撤销的证书尚未过期,按其他方式来说,它们是完全有效的证书。
目标: 撤销目标证书
使用对象: fabric框架开发者
前提: 已经搭建创建完fabric链,并且已经安装好链码包;
示例中,已经在k8s环境中搭建 fabric-hll004,并在通道bsnchannel部署链码sacc。
1. 使用fabric-ca 生成 user4的证书
##进入fabric-ca
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## 注册user3新身份
bash-5.1# fabric-ca-client register --id.name user4 --id.type client --id.secret user4pw --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*" --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## 登记user4身份
bash-5.1# fabric-ca-client enroll -u https://user4:[email protected]:7054 -M /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
## 将user4证书重命名为[email protected]
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/cert.pem /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/signcerts/[email protected]
## 将 config.yaml文件赋值到user4的msp下
bash-5.1# cp /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp/config.yaml
2. 注销前调用链码
> kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## 切换用户user4
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## 调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","d","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
## 查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","b"]}'
3.吊销用户user4 并生成CRL
##进入fabric-ca
> kubectl exec -it -n hll004 ca-shenzhen-6888d45db-vdhwp bash
## 吊销证书并生成CRL 会在当前home下生成crl: /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
bash-5.1# fabric-ca-client revoke -e user4 -r unspecified --gencrl --tls.certfiles /certs/root-ca/shenzhen/tls-cert.pem
cat /certs/peerOrganizations/shenzhen.hll004.bsnbase.com/msp/crls/crl.pem
-----BEGIN X509 CRL-----
MIIBZTCCAQwCAQEwCgYIKoZIzj0EAwIwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgT
Dk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMG
RmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2VydmVyFw0yMjA2MTExNDM5MDha
Fw0yMjA2MTIxNDM5MDhaME4wJQIUYC7Dg4/6Ewn9mOh0Pus2bsMB0qIXDTIyMDYx
MTA2MDA0NlowJQIUYareqlvuL/vtyLnktwD94fbhNtwXDTIyMDYxMTE0MzkwN1qg
IzAhMB8GA1UdIwQYMBaAFO9fRc1RAhuTAzZQ+NF11GWVcoVRMAoGCCqGSM49BAMC
A0cAMEQCIASpL269XJF1nIk2KBHu0jzuImtbARaNYUe0n7SaojzWAiBuvJUmuXfe
KmT0dT5BKQtq7ZXJP6/ZXob7uTBtiLV0Xw==
-----END X509 CRL-----
##对上面进行base编码 (后面会用到): LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUJaVENDQVF3Q0FRRXdDZ1lJS29aSXpqMEVBd0l3YURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1QKRGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNRwpSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5ZG1WeUZ3MHlNakEyTVRFeE5ETTVNRGhhCkZ3MHlNakEyTVRJeE5ETTVNRGhhTUU0d0pRSVVZQzdEZzQvNkV3bjltT2gwUHVzMmJzTUIwcUlYRFRJeU1EWXgKTVRBMk1EQTBObG93SlFJVVlhcmVxbHZ1TC92dHlMbmt0d0Q5NGZiaE50d1hEVEl5TURZeE1URTBNemt3TjFxZwpJekFoTUI4R0ExVWRJd1FZTUJhQUZPOWZSYzFSQWh1VEF6WlErTkYxMUdXVmNvVlJNQW9HQ0NxR1NNNDlCQU1DCkEwY0FNRVFDSUFTcEwyNjlYSkYxbklrMktCSHUwanp1SW10YkFSYU5ZVWUwbjdTYW9qeldBaUJ1dkpVbXVYZmUKS21UMGRUNUJLUXRxN1pYSlA2L1pYb2I3dVRCdGlMVjBYdz09Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0=
4 . 修改bsnchannel通道文件
## 登录组织shenzhen的peer1节点cli
> kubectl exec -it -n hll004 peer1-shenzhen-gs3465-ds bash
bash-5.1# export ORDERER_CA=/certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/ca.crt
bash-5.1# export CHANNEL_NAME=bsnchannel
## 使用peer channel fetch命令获取应用通道的信息
bash-5.1# peer channel fetch config config_block.pb -o orderer1.orderer.hll004.bsnbase.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
2022-06-11 14:57:23.127 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 14:57:23.145 UTC [cli.common] readBlock -> INFO 002 Received block: 11
2022-06-11 14:57:23.145 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 7
2022-06-11 14:57:23.155 UTC [cli.common] readBlock -> INFO 004 Received block: 7
## 将通道文件中的内容转换成JSON并对其进行修剪
bash-5.1# configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > sys_config.json
bash-5.1# cp sys_config.json sys_config_new.json
## 将sys_config_new.json中的 channel_group.groups.Application.groups.ShenzhenMSP下的revocation_list字段值改为CRL的base64编码字符串
bash-5.1# vi sys_config_new.json
## 将上面两步产生的 JSON文件 重新编码成PB文件
bash-5.1# configtxlator proto_encode --input sys_config.json --type common.Config --output sys_config.pb
bash-5.1# configtxlator proto_encode --input sys_config_new.json --type common.Config --output sys_modified_config.pb
## 计算两个PB文件差异 输出新的PB文件
bash-5.1# configtxlator compute_update --channel_id $CHANNEL_NAME --original sys_config.pb --updated sys_modified_config.pb --output sys_crl_update.pb
## 把上一步PB转JSON 为了封装信封使用
bash-5.1# configtxlator proto_decode --input sys_crl_update.pb --type common.ConfigUpdate | jq . > sys_crl_update.json
## 封装信封
bash-5.1# echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat sys_crl_update.json)'}}}' | jq . > sys_crl_update_in_envelope.json
## JSON 转PB 最后生成准备提交文件
bash-5.1# configtxlator proto_encode --input sys_crl_update_in_envelope.json --type common.Envelope --output sys_crl_update_in_envelope.pb
## 完成最后签名的组织可执行交易提案至order
bash-5.1# peer channel update -f sys_crl_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1.orderer.hll004.bsnbase.com:7050 --tls --cafile $ORDERER_CA
2022-06-11 15:03:11.600 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-06-11 15:03:11.648 UTC [channelCmd] update -> INFO 002 Successfully submitted channel update
5. 注销后调用链码
## 登录peer-cli
[[email protected] ~]# kubectl exec -it -n hll004 peer1-shenzhen-ffd89f897-b7hkj -c peer1-shenzhen-cli bash
## 先使用Admin用户调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","e","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
2022-06-11 15:05:05.500 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"4"
## ## 先使用Admin用户查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
4
## 切换user4用户
bash-5.1# export CORE_PEER_MSPCONFIGPATH=/certs/peerOrganizations/shenzhen.hll004.bsnbase.com/users/[email protected]/msp
## 先使用user4用户查询链码
bash-5.1# peer chaincode query -C bsnchannel -n sacc -c '{"Args":["get","e"]}'
Error: error endorsing query: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
## ## 先使用user4用户调用链码
bash-5.1# peer chaincode invoke -o orderer1.orderer.hll004.bsnbase.com:7050 -C bsnchannel -n sacc -c '{"Args":["set","f","4"]}' --tls --cafile /certs/ordererOrganizations/orderer.hll004.bsnbase.com/orderers/orderer1.orderer.hll004.bsnbase.com/tls/server.crt
Error: error endorsing invoke: rpc error: code = Unknown desc = error validating proposal: access denied: channel [bsnchannel] creator org [ShenzhenMSP] - proposal response: <nil>
id:BSN_2021 公众号:BSN 研习社 作者:红枣科技何来亮
边栏推荐
- 微服务入门(RestTemplate、Eureka、Nacos、Feign、Gateway)
- Database tuning solution
- Installation of VMware Workstation
- Livelocks and deadlocks of concurrency control
- MySQL连接断开报错MySQLdb._exceptions.OperationalError 4031, The client was disconnected by the server
- Create a virtual machine on VMware (system not installed)
- 笔记本电脑蓝牙怎么用来连接耳机
- How to add new fields to mongodb with code (all)
- Meituan dynamic thread pool practice ideas, open source
- A trip to Suzhou during the Dragon Boat Festival holiday
猜你喜欢
AD637 usage notes
Pl/sql basic case
Oracle triggers
Interprocess communication in the "Chris Richardson microservice series" microservice architecture
[Yugong series] go teaching course 003-ide installation and basic use in July 2022
Oracle hint understanding
Overview of concurrency control
MySQL连接断开报错MySQLdb._exceptions.OperationalError 4031, The client was disconnected by the server
MySQL actual combat 45 lecture learning (I)
极狐公司官方澄清声明
随机推荐
AD637使用筆記
Reptile practice
AD637 usage notes
Sentinel production environment practice (I)
Business learning of mall commodity module
Net small and medium-sized enterprise project development framework series (one)
Oracle checkpoint queue - Analysis of the principle of instance crash recovery
CA certificate trampled pit
数据泄露怎么办?'华生·K'7招消灭安全威胁
Code bug correction, char is converted to int high-order symbol extension, resulting in changes in positivity and negativity and values. Int num = (int) (unsigned int) a, which will occur in older com
Huawei game multimedia service calls the method of shielding the voice of the specified player, and the error code 3010 is returned
MySQL服务莫名宕机的解决方案
Leetcode simple question ring and rod
Server optimization of performance tuning methodology
Search: Future Vision (moving sword)
如何开发引入小程序插件
What changes has Web3 brought to the Internet?
Serializability of concurrent scheduling
EBS Oracle 11g cloning steps (single node)
Leetcode simple question: check whether each row and column contain all integers