Hyperledger CA ignore TLS certificate from Fabric SDK for Node

I have the CA for my organization. This is the setting for the CA's Docker container:

version: '2'
services:
  ca.org1.example.com:
    container_name: ca.org1.example.com
    image: hyperledger/fabric-ca
    command: /bin/bash -c 'fabric-ca-server start -b rca-org-admin:rca-org-adminpw --port 6053'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=ca.org1.example.com
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
      - ADMIN_CREDS=rca-org-admin:rca-org-adminpw
      - PORT=6053
    volumes:
      - /home/user/go/src/network/crypto-config/org1/ca/server:/tmp/hyperledger/fabric-ca
    ports:
      - 6053:6053
    networks:
      - basic
networks:
    basic:

I have a connectionProfile.yaml with the URL and TLS certificate of my CA:

certificateAuthorities:
  ca.org1.example.com:
    url: https://localhost:6053
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----
        MIICMzCCAdqgAwIBAgIUYj0f4V+ms+xjSSx73MYurypAwGUwCgYIKoZIzj0EAwIw
        bjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
        EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMR8wHQYDVQQDExZjYS5xcHIu
        Zm9vdGJhbGxuZXQuY29tMB4XDTIwMDUwNjA5NTgwMFoXDTM1MDUwMzA5NTgwMFow
        bjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
        EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMR8wHQYDVQQDExZjYS5xcHIu
        Zm9vdGJhbGxuZXQuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2q06YuK7
        L6K2kwl5HPwW1exdxBoEwiQ+denvNtoq1hvo4f6zwtlD6+aVwfnu9CvLlriPEJy3
        KSbM8/IuszlKyqNWMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
        AQEwHQYDVR0OBBYEFG4G17iqYS0wCNskmsFC8pUtXf8zMA8GA1UdEQQIMAaHBAAA
        AAAwCgYIKoZIzj0EAwIDRwAwRAIgZMIAjEyB9aeqSJuvBqPBkJAddOCTEdsPwbzb
        Bql46DICIAl998KlBM23r4iRYPoZTX8/8njPfXpi5a8lX85Skpme
        -----END CERTIFICATE-----
    httpOptions:
      verify: false

I load this connectionProfile.yaml into my Node.js application and try to enroll a user. See the code below:

      const caInfo = ccp.certificateAuthorities['ca.org1.example.com'];
      const caTLSCACerts = caInfo.tlsCACerts.pem;
      const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);

      // Create a new file system based wallet for managing identities.
      const walletPath = path.join(process.cwd(), 'wallet');
      const wallet = new FileSystemWallet(`${__dirname}/../hyperledger/wallet`);
      console.log(`Wallet path: ${walletPath}`);

      // Check to see if we've already enrolled the admin user.
      const identityLabel = 'admin.org1.example.com';
      const identity = await wallet.exists(identityLabel);
      if (!identity) {
        // Enroll the admin user, and import the new identity into the wallet.
        const enrollment = await ca.enroll({ enrollmentID: 'rca-org-admin', enrollmentSecret: 'rca-org-adminpw' });
        const x509Identity = {
            certificate: enrollment.certificate,
            privateKey: enrollment.key.toBytes(),
            mspId: 'org1MSP',
            type: 'X.509',
        };
        await wallet.import('admin.org1.example.com', x509Identity);
        console.log('Successfully enrolled admin user "admin" and imported it into the wallet');
      }

I guess tlsCACerts.pem is needed for the TLS connection with the CA. The user enrollment was successful with this code. But if I change this certificate (tlsCACerts.pem) to some other one (any certificate, even a randomly generated one), clean my wallet and try to enroll, it still succeeds. The logs of the CA container confirm this. It seems to me that it does not use this TLS certificate, but why, if TLS is turned on on the CA server?

Version of fabric-ca-server is 1.4.6

Version of Fabric SDK for Node is 1.4.8

Maybe someone has thoughts on this issue. Maybe I'm doing something wrong?

Despite the fact that the question is 4 months old and you have probably found the solution, I will try to answer.

I think the problem is on line 3 of your code:

const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);

The TLS option verify is false, so the certificate is not actually being verified.

Try setting verify to true; I think this should work:

const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: true }, caInfo.caName);
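
As an added example (not part of the original question or answer, and not Fabric SDK code), here is a pre-flight check over the parsed connection profile that flags the `verify: false` setting discussed above and builds TLS options for `FabricCAServices` that always verify. The function names `auditCaTls` and `strictTlsOptions` and the sample profile are hypothetical, and the PEM body is a placeholder.

```javascript
// Added example: audit a parsed Fabric connection profile for CA TLS settings.
const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Returns [{ ca, issue }] for every entry under certificateAuthorities.
function auditCaTls(ccp) {
  const findings = [];
  for (const [name, ca] of Object.entries(ccp.certificateAuthorities || {})) {
    if (!/^https:\/\//i.test(ca.url || '')) {
      findings.push({ ca: name, issue: 'url is not https' });
      continue;
    }
    // With verify: false the server certificate is never checked, so the
    // contents of tlsCACerts have no effect on the connection.
    if (ca.httpOptions && ca.httpOptions.verify === false) {
      findings.push({ ca: name, issue: 'httpOptions.verify is false' });
    }
    const pem = ca.tlsCACerts && ca.tlsCACerts.pem;
    if (typeof pem !== 'string' || !PEM_RE.test(pem)) {
      findings.push({ ca: name, issue: 'tlsCACerts.pem missing or not PEM' });
    }
  }
  return findings;
}

// Builds the tlsOptions argument for FabricCAServices and fails closed:
// a trusted root must be present and verify is always true, whatever the
// profile's httpOptions say.
function strictTlsOptions(ccp, caName) {
  const caInfo = (ccp.certificateAuthorities || {})[caName];
  if (!caInfo) throw new Error(`CA "${caName}" not in connection profile`);
  const blocking = auditCaTls({ certificateAuthorities: { [caName]: caInfo } })
    .filter((f) => f.issue !== 'httpOptions.verify is false');
  if (blocking.length) throw new Error(blocking.map((f) => f.issue).join('; '));
  return { trustedRoots: caInfo.tlsCACerts.pem, verify: true };
}

// Constructed sample mirroring the profile in the question; the PEM body is
// a placeholder, not a real certificate.
const sampleProfile = {
  certificateAuthorities: {
    'ca.org1.example.com': {
      url: 'https://localhost:6053',
      tlsCACerts: { pem: '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' },
      httpOptions: { verify: false },
    },
  },
};

console.log(auditCaTls(sampleProfile));
```

The object returned by `strictTlsOptions` is meant to be passed as the second argument of `new FabricCAServices(caInfo.url, tlsOptions, caInfo.caName)`.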
