
Unable to Revoke a certificate or enrollment id with fabric node sdk

I have tried to use the Fabric CA client Node.js SDK to revoke either

  1. an enrollment certificate
  2. an enrollment ID (and all its certificates)

I have followed the samples on the ca tests ( https://github.com/hyperledger/fabric-sdk-node/blob/release/test/integration/fabric-ca-services-tests.js )

After the revoke function is called I can see that the response given is

{
    "success": true,
    "result": {},
    "errors": [],
    "messages": []
}

Also, I can see that on the CA logs that revokes are successful

Revoke of certificate:

{"aki":"4239AA0DCD76DAEEB8BA0CDA701851D14504D31AAD1B2DDDDBAC6A57365E497C","serial":"1A8C250C11C33E36752FFB4161D7E6C39AEF4F56","reason":null,"caName":"ca.example.com"}
2017/09/25 15:25:33 [DEBUG] Directing traffic to CA ca.example.com
2017/09/25 15:25:33 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/09/25 15:25:33 [DEBUG] DB: Get certificate by serial (739c1cb3a48b16ceb573408ac06453514d16ef01) and aki (4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c)
2017/09/25 15:25:33 [DEBUG] Successful authentication of 'admin'
2017/09/25 15:25:33 [DEBUG] Revoke request received
2017/09/25 15:25:33 [DEBUG] Revoke request: {RevocationRequest:{Name: Serial:1A8C250C11C33E36752FFB4161D7E6C39AEF4F56 AKI:4239AA0DCD76DAEEB8BA0CDA701851D14504D31AAD1B2DDDDBAC6A57365E497C Reason: CAName:ca.example.com}}
2017/09/25 15:25:33 [DEBUG] getUserAttrValue identity=admin, attr=hf.Revoker
2017/09/25 15:25:33 [DEBUG] DB: Getting identity admin
2017/09/25 15:25:33 [DEBUG] getUserAttrValue identity=admin, name=hf.Revoker, value=1
2017/09/25 15:25:33 [DEBUG] DB: Get certificate by serial (1a8c250c11c33e36752ffb4161d7e6c39aef4f56) and aki (4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c)
2017/09/25 15:25:33 [DEBUG] DB: Getting information for identity devorgId1-appId1
2017/09/25 15:25:33 [DEBUG] Check to see if revoker admin has affiliations to revoke: devorgId1-appId1
2017/09/25 15:25:33 [DEBUG] getUserAffilliation identity=admin
2017/09/25 15:25:33 [DEBUG] DB: Getting information for identity admin
2017/09/25 15:25:33 [DEBUG] getUserAffiliation identity=admin, aff=
2017/09/25 15:25:33 [DEBUG] Affiliation of revoker: , affiliation of identity being revoked: org1
2017/09/25 15:25:33 [DEBUG] Identity with root affiliation revoking
2017/09/25 15:25:33 [DEBUG] DB: Revoke certificate by serial (1a8c250c11c33e36752ffb4161d7e6c39aef4f56) and aki (4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c)
2017/09/25 15:25:33 [DEBUG] Revoke was successful: {RevocationRequest:{Name: Serial:1a8c250c11c33e36752ffb4161d7e6c39aef4f56 AKI:4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c Reason: CAName:ca.example.com}}

Revoke enrollment id:

2017/09/25 16:39:19 [DEBUG] Successful authentication of 'admin'
2017/09/25 16:39:19 [DEBUG] Revoke request received
2017/09/25 16:39:19 [DEBUG] Revoke request: {RevocationRequest:{Name:devorgId1-appId1 Serial: AKI: Reason: CAName:ca.example.com}}
2017/09/25 16:39:19 [DEBUG] getUserAttrValue identity=admin, attr=hf.Revoker
2017/09/25 16:39:19 [DEBUG] DB: Getting identity admin
2017/09/25 16:39:19 [DEBUG] getUserAttrValue identity=admin, name=hf.Revoker, value=1
2017/09/25 16:39:19 [DEBUG] DB: Getting identity devorgId1-appId1
2017/09/25 16:39:19 [DEBUG] DB: Getting information for identity devorgId1-appId1
2017/09/25 16:39:19 [DEBUG] Check to see if revoker admin has affiliations to revoke: devorgId1-appId1
2017/09/25 16:39:19 [DEBUG] getUserAffilliation identity=admin
2017/09/25 16:39:19 [DEBUG] DB: Getting information for identity admin
2017/09/25 16:39:19 [DEBUG] getUserAffiliation identity=admin, aff=
2017/09/25 16:39:19 [DEBUG] Affiliation of revoker: , affiliation of identity being revoked: org1
2017/09/25 16:39:19 [DEBUG] Identity with root affiliation revoking
2017/09/25 16:39:19 [DEBUG] DB: Update identity devorgId1-appId1
2017/09/25 16:39:19 [DEBUG] DB: Revoke certificate by ID (devorgId1-appId1)
2017/09/25 16:39:19 [WARNING] No certificates were revoked for 'devorgId1-appId1' but the ID was disabled
2017/09/25 16:39:19 [DEBUG] Revoked the following certificates owned by 'devorgId1-appId1': []
2017/09/25 16:39:19 [DEBUG] Revoke was successful: {RevocationRequest:{Name:devorgId1-appId1 Serial: AKI: Reason: CAName:ca.example.com}}

However, after the revoke (whether of just a certificate or of the enrollment ID) I am still able to perform invokes using the enrollment ID via the Node.js SDK (using getUserContext and performing transactions). Is this by design? I was expecting that a revoked enrollment ID or certificate would no longer be able to perform invokes.

More info: Using the fabcar start script to spin up a fabric v1 network: https://github.com/hyperledger/fabric-samples/tree/release/fabcar

Yes, this is working as designed. The peers and orderers can't call out to the fabric-ca-server to get a CRL (Certificate Revocation List) because doing so would introduce non-determinism. Instead, the peers and orderers must get the CRL from the "crls" folder of the appropriate MSP (local or in channel config). This means that the MSP crls folder must be updated with a CRL. There is work underway to support getting a CRL from the fabric-ca-server (see https://jira.hyperledger.org/browse/FAB-5300 ). And a sample will also be provided which shows how to use this CRL in a channel config update. See https://gerrit.hyperledger.org/r/#/c/13687/ .
