What is a Fabric certificate?
We know that Fabric includes an MSP, which also shows that it is a consortium chain: users may not join the blockchain without authorization. Fabric therefore ships with an authorization system.
A Fabric account is in fact a set of certificate and key files generated according to the PKI standard. This was already covered in the earlier post on the Fabric module command cryptogen.
Where are Fabric certificates needed?
In Fabric, the Orderer, Peer, client SDK, CLI interface and other operations all need certificates. Every concrete action in Fabric, such as creating a channel, deploying chaincode or invoking chaincode, requires a certificate to be specified.
They are usually specified through environment variables. For K8s specifically, here is a snippet from my K8s container creation file:
...
env:
  - name: GOPATH
    value: /opt/gopath
  - name: CORE_VM_ENDPOINT
    value: 'unix:///host/var/run/docker.sock'
  # - name: CORE_PEER_ID
  #   value: fabric-cli
  - name: CORE_PEER_ADDRESS
    value: "peer0-org1:7051"
  - name: CORE_PEER_LOCALMSPID
    value: "Org1MSP"
  - name: CORE_PEER_TLS_ENABLED
    value: "false"
  - name: CORE_PEER_TLS_CERT_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt"
  - name: CORE_PEER_TLS_KEY_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key"
  - name: CORE_PEER_TLS_ROOTCERT_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt"
  - name: CORE_PEER_MSPCONFIGPATH
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp"
...
Configuring the certificates generated by cryptogen through env is all it takes. Careful readers may have noticed a question, though: what if the number of nodes or users in an organization needs to grow? Can certificates be added dynamically? The latest Fabric release does not currently provide such a feature. The rest of this post introduces Fabric-ca, the project started specifically to solve the certificate problem.
Fabric certificate server: Fabric-ca
The fabric-ca-server commands are as follows:
root@cloud-fabric-ca-5bd689b8dd-9kjp2:/# fabric-ca-server --help
Hyperledger Fabric Certificate Authority Server
Usage:
fabric-ca-server [command]
Available Commands:
init Initialize the fabric-ca server
start Start the fabric-ca server
version Prints Fabric CA Server version
Flags:
....the flags are too long to list here; the parameters can be set through a configuration file instead
Use "fabric-ca-server [command] --help" for more information about a command.
Initializing fabric-ca-server
The fabric-ca-server initialization command is as follows (with docker-compose or k8s you only need to run fabric-ca-server start -b <username:password> when the container is initialized):
# Start the server; a simple username and password is fine for a development environment
root@cloud-fabric-ca-5bd689b8dd-9kjp2:/opt/hyperledger/fabric-ca-server# fabric-ca-server init -b kexin228:kexin228
2019/11/18 06:57:24 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/11/18 06:57:24 [INFO] Server Version: 1.4.3
2019/11/18 06:57:24 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/11/18 06:57:24 [INFO] The CA key and certificate files already exist
2019/11/18 06:57:24 [INFO] Key file location: /etc/hyperledger/fabric-ca-server/ca-key.pem
2019/11/18 06:57:24 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2019/11/18 06:57:25 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2019/11/18 06:57:25 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2019/11/18 06:57:25 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/11/18 06:57:25 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2019/11/18 06:57:25 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2019/11/18 06:57:25 [INFO] Initialization was successful
From the output you can see that the following configuration files were generated under the directory /etc/hyperledger/fabric-ca-server:
root@kexin228-lab:~/containers_volume/fabric/ca# tree -L 4
.
├── ca-cert.pem # certificate file
├── fabric-ca-server-config.yaml # configuration file, replaces the --flag parameters given at initialization
├── fabric-ca-server.db # database file (only when sqlite3 is the chosen database; sqlite3 is the default)
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── msp # private key folder
    └── keystore
        ├── 35e2aee01c0b37dce74e9c9ef27eeadc1b201f561d5a2bf3a1ded15f8879caee_sk
        ├── IssuerRevocationPrivateKey
        └── IssuerSecretKey
2 directories, 8 files
The fabric-ca-server configuration file
This section focuses on the fabric-ca-server configuration file (cat fabric-ca-server-config.yaml), which can be divided into 11 parts. Since it is very long, only two parts are described briefly here:
- General configuration section
Contains the system's common properties: port, run mode and the like.
# Version of config file
version: 1.4.3
# Server's listening port (default: 7054)
port: 7054
# Cross-Origin Resource Sharing (CORS)
cors:
  enabled: false
  origins:
    - "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
- affiliations section
Contains the configuration of the organization's departments. The corresponding parameters used by the client SDK must match these exactly, otherwise access fails.
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
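To make the "parameters must match" point concrete, here is an added Go example (my own code, not part of this post or of fabric-ca) that flattens the affiliations fragment above into the dotted names --id.affiliation accepts and checks a registration request against them. The second rule it applies, that a registrar may only register identities at or below its own affiliation and that the -b bootstrap identity sits at the root, is my reading of fabric-ca's documented behaviour and is an assumption here, not something shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// The affiliations tree from the fabric-ca-server-config.yaml fragment
// above, constructed here as a Go literal rather than parsed from YAML.
var affiliations = map[string][]string{
	"org1": {"department1", "department2"},
	"org2": {"department1"},
}

// flattenAffiliations turns the tree into the dotted names that
// --id.affiliation accepts, e.g. "org1" and "org1.department1".
func flattenAffiliations(tree map[string][]string) map[string]bool {
	known := map[string]bool{}
	for org, depts := range tree {
		known[org] = true
		for _, d := range depts {
			known[org+"."+d] = true
		}
	}
	return known
}

// checkRegistration models two conditions a register call has to meet
// (my reading of fabric-ca's documented behaviour, not its source code):
// the requested affiliation must exist on the server, and the registrar
// (the enrolled identity sending the request) may only register
// identities at or below its own affiliation. The bootstrap identity
// created with -b sits at the root and is modelled as the empty string.
func checkRegistration(known map[string]bool, registrarAff, requestedAff string) error {
	if !known[requestedAff] {
		return fmt.Errorf("affiliation %q is not defined on the server", requestedAff)
	}
	if registrarAff == "" {
		return nil
	}
	if requestedAff != registrarAff && !strings.HasPrefix(requestedAff, registrarAff+".") {
		return fmt.Errorf("registrar at %q may not register into %q", registrarAff, requestedAff)
	}
	return nil
}

func main() {
	known := flattenAffiliations(affiliations)
	// The register call from the walkthrough below: the bootstrap admin
	// registers peer2 into org1.department1.
	fmt.Println(checkRegistration(known, "", "org1.department1"))
	// A typo in the SDK's configured affiliation, the mismatch the text warns about.
	fmt.Println(checkRegistration(known, "", "org1.departmen1"))
	// An org1.department1 registrar trying to reach a sibling department.
	fmt.Println(checkRegistration(known, "org1.department1", "org1.department2"))
}
```

The first call returns nil, the other two return errors; wiring this kind of check into a client before it calls register turns a confusing server-side rejection into a clear local error.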
Using fabric-ca-client
fabric-ca-server exposes a set of RESTful APIs for third-party applications to call; fabric-ca-client wraps these APIs so that operations such as account registration and account enrollment can be completed with a few simple parameters.
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client --help
Hyperledger Fabric Certificate Authority Client
Usage:
fabric-ca-client [command]
Available Commands:
affiliation Manage affiliations
certificate Manage certificates
enroll Enroll an identity
gencrl Generate a CRL
gencsr Generate a CSR
getcainfo Get CA certificate chain and Idemix public key
identity Manage identities
reenroll Reenroll an identity
register Register an identity
revoke Revoke an identity
version Prints Fabric CA Client version
Flags:
....many flags omitted; they are covered later
Use "fabric-ca-client [command] --help" for more information about a command.
A few commonly used commands are introduced here:
(1) Register the new accounts peer1:peer1wd and peer2:peer2wd
# Registering a new account may need the following flags
--id.affiliation string The identity's affiliation
--id.attrs stringSlice A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1)
--id.maxenrollments int The maximum number of times the secret can be reused to enroll (default CA's Max Enrollment)
--id.name string Unique name of the identity
--id.secret string The enrollment secret for the identity being registered
--id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client")
-u, --url string URL of fabric-ca-server (default "http://localhost:7054")
-H, --home string Client's home directory (default "/etc/hyperledger/fabric-ca-server")
Since we use the default home directory and URL, the command is:
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd
2019/11/18 07:46:30 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 07:46:30 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
It failed: the account information apparently has to be enrolled first.
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054
2019/11/18 07:51:04 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:51:04 [INFO] encoded CSR
2019/11/18 07:51:04 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:51:04 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:51:04 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:51:04 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
Only then register the new accounts:
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:51:55 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer2wd
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:52:10 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer1wd
(2) Enroll the accounts peer1:peer1wd and peer2:peer2wd:
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer1:peer1wd@localhost:7054
2019/11/18 07:54:05 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:05 [INFO] encoded CSR
2019/11/18 07:54:05 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:05 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:05 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:05 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer2:peer2wd@localhost:7054
2019/11/18 07:54:12 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:12 [INFO] encoded CSR
2019/11/18 07:54:13 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:13 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:13 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:13 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
(3) Fetch the CA server certificate
root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054
2019/11/18 08:00:21 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:21 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:21 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:21 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054
2019/11/18 08:00:26 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:26 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:26 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:26 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
Binding Fabric-ca-server into an existing project
fabric-ca is a strong complement to Fabric's cryptogen module. A Fabric project generally uses cryptogen to generate the account files for organizations, Peer nodes, Orderer nodes and other components, but when account files must be generated dynamically, Fabric-ca is needed.
Binding Fabric-ca-server to an existing organization
First, locate the following content in the fabric-ca configuration file fabric-ca-server-config.yaml:
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
Then go to the folder holding the certificates generated earlier by cryptogen and run tree -L 2 to inspect its structure:
root@kexin228-lab:~/containers_volume/fabric/tools/crypto-config/peerOrganizations# tree -L 2 org1.example.com/
org1.example.com/
├── ca
│   ├── 981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
│   └── ca.org1.example.com-cert.pem
├── msp
│   ├── admincerts
│   ├── cacerts
│   └── tlscacerts
├── peers
│   ├── peer0.org1.example.com
│   └── peer1.org1.example.com
├── tlsca
│   ├── 799ef8047b060cdd556260e4af82810c8e40180b3611f09b870c2b246eec04cd_sk
│   └── tlsca.org1.example.com-cert.pem
└── users
    ├── Admin@org1.example.com
    └── User1@org1.example.com
The ca folder holds the files belonging to the org1.example.com organization; this folder has to be mounted into the fabric-ca container.
The path after mounting is as follows:
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com# pwd
/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca# ls
981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk ca.org1.example.com-cert.pem
These files can now be bound. After binding, fabric-ca-server-config.yaml looks like this:
ca:
  name: org1.example.com
  # keyfile is the file with the _sk suffix
  keyfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
  # certfile is the .pem file
  certfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
  chainfile: ca-chain.pem
With the steps above, fabric-ca-server is now bound to the organization org1.example.com.
Generating accounts through the client from the bound fabric-ca-server
We now walk through an example of obtaining a new user account via fabric-ca-client from a fabric-ca-server bound to a given organization.
Step 1: enroll the administrator account (msp) into a chosen directory:
# Create a fabric-ca-client directory to hold the account's msp files
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# mkdir fabric-ca-client
# Enroll the administrator account to obtain the certificate files of the administrator's msp
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054 -M /etc/hyperledger/fabric-ca-client/
2019/11/18 11:22:10 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 11:22:10 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:22:10 [INFO] encoded CSR
2019/11/18 11:22:10 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/signcerts/cert.pem
2019/11/18 11:22:10 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-client/cacerts/localhost-7054.pem
2019/11/18 11:22:10 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-client/IssuerPublicKey
2019/11/18 11:22:10 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-client/IssuerRevocationPublicKey
Step 2: register an account with the name user1 and password user1wd; the registration command is:
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-ca-client# fabric-ca-client register --id.name user1 --id.type user --id.affiliation org1.department1 --id.secret user1wd -u http://localhost:7054
2019/11/18 11:27:31 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: user1wd
Step 3: enroll the account, loading the user1 account registered in the previous step onto the local machine. First create a local directory to hold the certificates downloaded from the server. Mine is:
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# pwd
/etc/hyperledger/user
Enroll the user1 account from that directory and save the related files into it:
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# fabric-ca-client enroll -u http://user1:user1wd@localhost:7054 -M /etc/hyperledger/user/msp
2019/11/18 11:31:00 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:31:01 [INFO] encoded CSR
2019/11/18 11:31:01 [INFO] Stored client certificate at /etc/hyperledger/user/msp/signcerts/cert.pem
2019/11/18 11:31:01 [INFO] Stored root CA certificate at /etc/hyperledger/user/msp/cacerts/localhost-7054.pem
2019/11/18 11:31:01 [INFO] Stored Issuer public key at /etc/hyperledger/user/msp/IssuerPublicKey
2019/11/18 11:31:01 [INFO] Stored Issuer revocation public key at /etc/hyperledger/user/msp/IssuerRevocationPublicKey
Step 4: copy the administrator's signing certificate and the shared TLS certificate files.
The commands to copy the administrator account's signing certificate are:
# Create the admincerts folder
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/:# mkdir -p /etc/hyperledger/user/msp/admincerts/
# Copy the administrator account's signing certificate
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# cp /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/signcerts/* /etc/hyperledger/user/msp/admincerts/
Then copy the shared TLS certificate files with these commands:
# Create the tls folder
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# mkdir -p /etc/hyperledger/user/tls
# Copy the TLS signing certificates
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# cp /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/* /etc/hyperledger/user/tls
Step 5: inspect the account.
Enter the folder and view it with the tree command:
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# tree -L 4
.
|-- msp
|   |-- IssuerPublicKey
|   |-- IssuerRevocationPublicKey
|   |-- admincerts
|   |   `-- Admin@org1.example.com-cert.pem
|   |-- cacerts
|   |   `-- localhost-7054.pem
|   |-- keystore
|   |   `-- a34acf5c4c53e67d12193ac28a57a21b1cd05190d0bb64b29e0f6a9299e52d72_sk
|   |-- signcerts
|   |   `-- cert.pem
|   |-- tls
|   `-- user
`-- tls
    |-- ca.crt
    |-- server.crt
    `-- server.key
8 directories, 9 files
Looking at this, we can see that the format matches the account files generated by cryptogen.
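What the binding step buys you is that every identity enrolled from this server is signed by the organization's own CA key, so its signcerts/cert.pem chains to the cacerts the org's MSP already trusts. The following added Go example (my own code, not from this post or from Fabric) reproduces that check with the standard library: it constructs a throwaway P-256 CA standing in for ca.org1.example.com, issues one user1 certificate from it and one from an unrelated CA that was never bound to the org's ca/ files, and verifies each against the org CA the way the MSP's cacerts would. All keys, names and certificates are generated in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a minimal x509 template; CA templates get the key
// usage Go's chain verifier requires of an issuer.
func certTemplate(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issuePEM signs tmpl for pub with signer's key (parent == tmpl gives a
// self-signed CA) and returns the PEM encoding, the form in which
// ca-cert.pem and signcerts/cert.pem are stored on disk.
func issuePEM(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// newCA creates a self-signed ECDSA P-256 CA (the key type the enroll
// output shows fabric-ca generating); a constructed stand-in for an
// organization's ca/ folder.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := certTemplate(cn, true)
	caPEM, err := issuePEM(tmpl, tmpl, &key.PublicKey, key)
	return tmpl, key, caPEM, err
}

// verifyEnrollment is the check the org MSP effectively performs: the
// certificate in signcerts/ must chain to a root in cacerts/.
func verifyEnrollment(cacertsPEM, signcertPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(cacertsPEM) {
		return fmt.Errorf("cacerts: no parsable certificate")
	}
	block, _ := pem.Decode(signcertPEM)
	if block == nil {
		return fmt.Errorf("signcert is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("signcert does not chain to cacerts: %w", err)
	}
	return nil
}

// runScenario enrolls the same user key once from the org CA and once
// from an unrelated CA (a server never bound to the org's ca/ files)
// and returns the verification result for each.
func runScenario() (boundErr, unboundErr error) {
	orgCA, orgKey, orgPEM, err := newCA("ca.org1.example.com")
	if err != nil {
		return err, err
	}
	otherCA, otherKey, _, err := newCA("ca.unbound.example.com")
	if err != nil {
		return err, err
	}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bound, _ := issuePEM(certTemplate("user1", false), orgCA, &userKey.PublicKey, orgKey)
	unbound, _ := issuePEM(certTemplate("user1", false), otherCA, &userKey.PublicKey, otherKey)
	return verifyEnrollment(orgPEM, bound), verifyEnrollment(orgPEM, unbound)
}

func main() {
	bound, unbound := runScenario()
	fmt.Println("enrolled from the bound org CA:", bound)
	fmt.Println("enrolled from an unrelated CA:", unbound)
}
```

Running it prints nil for the identity issued by the bound CA and a chain error for the other one. Against real files, feed the contents of msp/cacerts/*.pem and msp/signcerts/cert.pem to verifyEnrollment: a failure there means the fabric-ca-server that enrolled the identity was not using the keyfile/certfile of this organization.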
In Fabric projects the more common scenario is for a client program to perform account registration, enrollment and similar operations through the RESTful API exposed by fabric-ca-server; that will be described in detail later.