I am lost on how to implement full revoke functionality with the Hyperledger Fabric Node SDK. Is there a way of grabbing a generated CRL and updating the MSP folder or configuration block in a network using the Hyperledger Fabric Node SDK? I am trying to revoke a certificate, generate a CRL and then update the configuration blocks, and it is this last part that I am unsure how to proceed with.
As far as I know this is the flow that I should follow:
revokeFabricUser
generateCRL
fetchConfigBlock
createConfigUpdatePayloadWithCRL
updateConfigBlock
queryAsRevokedUser (this should fail)
I can find options for both revoking and generating a CRL but I can't seem to find anything about how to use the CRL to update the network. Is there a way of doing this whole process using the Node SDK? Thanks for any help.
The Node.js SDK does not yet support the gencrl option.
https://jira.hyperledger.org/browse/FABN-1144
It is a pity, because it is very easy to add...
While it is possible to use Node.js's fabric-ca-client to perform enrollment through a REST API, this requires communication with a third-party service, which could compromise security as the end user's secret must be shared.
Is there a way to interact with the fabric through the web directly, bypassing the need for a REST API to ensure security? Attempts at using browserify and webpack to bundle the fabric-ca-client module have been unsuccessful as the necessary modules cannot be found or are incompatible.
Is there something crucial that I am missing in this approach? Any recommendations for secure enrollment applications for the client in other languages or architectures, such as Android applications, would be greatly appreciated.
Thank you.
A fabric-ca server is not mandatory for a Fabric network. You can use alternative CA services to issue private keys and certificates so long as you create the appropriate MSP definition for your organisation, which could be one option for you.
fabric-ca-server already supports REST-style requests; all the fabric-ca-client Node.js module does is wrap those calls into an easy-to-use interface for Node.js applications. It should be possible to write a mobile phone application or web-based application to interact directly with a fabric-ca-server. It may be that this is how the fabric-operations-console in hyperledger-labs actually does it, as it doesn't bundle fabric-ca-client but can still interact with fabric-ca-servers.
You will probably have to inspect the fabric-ca-client code or fabric-operations-console code to work out how it does this as the fabric-ca documentation doesn't appear to describe the interfaces to do this.
I am trying to implement a Hyperledger Fabric 2.0 network, on which users' certificates are going to be potentially revoked at some point in time. I am able to successfully revoke certificates and update local clients' msp with the new CRL.
I cannot find a clear workflow to update either peers or channels with new CRLs, in order to prevent users with revoked certificates from invoking transactions.
Can somebody indicate a clear series of steps to achieve this on the test-network configuration?
I have a question related to cryptogen and Hyperledger Fabric network setup. Let me explain my workflow. I want to know whether this procedure can be used for production.
1. I have 2 organisations, org1 and org2, each consisting of two peers, only one orderer for both organisations, and 2 fabric-ca servers.
2. Generating all the key pairs using the cryptogen tool with crypto-config.yaml.
3. Generating the genesis block and channel transaction using the configtx tool with configtx.yaml.
4. (Important note:) I am using the CA private key and certificate ca.org1.example.com-cert.pem, generated using the cryptogen tool, in my network docker yaml file to set up the fabric-ca.
5. After setting everything up, I run the network and it works fine.
6. I am enrolling and registering the admin and user from outside using the Fabric Node SDK.
Here, is it good practice to use the cryptogen-generated CA private key and certificate to set up and run the CA server in production? If this is not good practice, is there any other way I can implement it? Your suggestions would be helpful to me.
Hyperledger Fabric docs suggest not using the cryptogen tool for production environments.
Reason: it's a tool and all crypto materials are generated on the fly with 10 years' validity, and you cannot control them further with Fabric CA (revoke, reenroll, etc.) because Fabric CA will not have a copy in its database.
Traditional way: generating crypto material with Fabric CA by registering and enrolling an identity with 1-year validity.
But if you want my opinion: I used the cryptogen tool 2 years back in one production environment. There is no harm in using the cryptogen tool in production unless you will need to interact with the CA to make changes to the identities. It depends on the use case; in our use case we did not need to keep changing the identities, they were fixed forever. It was a typical use case.
But later, and now, I have been using Fabric CA and a custom CA to generate crypto materials, leveraging more possibilities.
I find it a dirty way to do it. Your Fabric-CA is working and your orderers and peers are of course working because their certificates are correct and have been suitably signed by the CA. But the fact is that the identities corresponding to the orderers, peers and clients that you generated via cryptogen have not been registered in the Fabric-CA database, so you can neither manage nor revoke those identities and their corresponding certificates via your Fabric-CA in the future.
My advice (for production environments, of course): Don't be lazy; take care of a good proper fabric-ca-server-config.yaml and fabric-ca-client-config.yaml configuration; launch safely your Fabric-CA; and script your initial identity registration, certificate enrollment and MSP/TLS folder structure creation.
I think Fabric CA is needed when a client node has to enroll in order to use a Node.js application. So if I use the Fabric CLI to invoke or query chaincode, is Fabric CA needed?
-> I think Fabric CA is only useful for enrolling client nodes. And if no client node exists in the network, Fabric CA can be replaced with the cryptogen tool.
To be able to do invokes and queries you need a user context. To get the user context you either need a user created by registering and enrolling a user via the CA server, or you can use an already created user from the cryptogen tool.
So the point is, once the user is created, you no longer need the CA server or the cryptogen tool.
In fact the cryptogen tool is used to generate the certs of the entire network when the network has not yet been created in the first place.
Also, when T-Certs will be supported in the future, for each transaction that you make, you would be required to get a T-Cert from the CA server to proceed with the transaction.
The .hfc-key-store wallet used by the HFC SDK uses user certificates generated by Fabric CA to connect to the Fabric platform.
Is there a way to generate these certificates without Fabric-CA?
I assume it would involve re-purposing the Org user certificates generated by cryptogen. However, I would appreciate it if someone could point me to documentation that tells how to do it.