Shulou (Shulou.com), 06/03 report. Updated 2025-04-02.
Nodes and users that join a Fabric consortium chain must register and obtain certificates issued by a CA before they can operate in the chain. A certificate authority provides the following functions:
Registration of identities, or connection to LDAP (Lightweight Directory Access Protocol) as the user registry
Issuance of enrollment certificates (ECerts)
Issuance of transaction certificates (TCerts), which provide anonymity and unlinkability when transacting on the Hyperledger Fabric blockchain
Certificate renewal and revocation
Fabric 1.1 can use its native certificate authority or a third-party one. Take registering a user in the consortium chain as an example. For every operation in the consortium chain, the user must hold the token generated from the user's enrollment certificate to authorize the operation. Without the token, nothing can be done in the consortium chain. The first step of registering a user is therefore to generate the token. The user registration process is as follows:
On successful registration, the CA issues a certificate, a token is generated from the certificate, and the token is sent to the user, who uses it to add and query identity credentials in the consortium chain.
The architecture of CA is as follows:
The Fabric CA server side consists of a server cluster that organizes CA server nodes in a tree structure, with a root node and multiple intermediate nodes. Each CA is either a root CA or an intermediate CA. Each intermediate CA has a parent CA, which is either the root CA or another intermediate CA.
You can interact with the CA servers in a cluster through the client or an SDK. The client is first routed to the high-availability (HA) proxy, which performs load balancing and connects the client to one of the cluster's CA server members.
The deployment has a high-availability proxy server at the front end, connected to several clustered CA servers, which store their data together on the same database server. The database may be MySQL, LDAP, PostgreSQL, or SQLite (SQLite is not recommended in a clustered environment).
All CA servers in the cluster share the same database to track identities and certificates. If LDAP is configured, the identity information is stored in LDAP instead of in the database.
The process of issuing a certificate and verifying a digital signature is as follows:
1. The certificate contains three elements: plaintext, ciphertext and encryption algorithm.
2. The plaintext is sent to the CA, and the CA signs the certificate with its own private key. Specifically, the CA computes a SHA256 hash of the certificate plaintext F to get H2, then encrypts H2 with its own private key using the RSA algorithm to get the ciphertext F'. At this point the certificate is complete.
3. To verify the digital certificate, first decrypt the ciphertext F' with the CA's public key to get the hash value H3. Then compute SHA256 over the certificate plaintext F to get the hash value H2. Compare H2 and H3: if they are equal, the certificate verification passes, indicating that the client holds a certificate issued by the CA.
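The issue-and-verify steps above as an added Go example (not code from the original article or from Fabric CA), using RSA with SHA256 as the text describes. The names `issue`, `verify`, `demo`, `must`, `example-ca` and `user1` are assumptions made for the illustration; F is taken to be the certificate's to-be-signed bytes and F' its signature field.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, which keeps this demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue has the CA hash the plaintext F (TBSCertificate) with SHA-256 and RSA-sign it, giving F'.
func issue(cn string, pub *rsa.PublicKey, caKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: x509.SHA256WithRSA,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: "example-ca"}} // constructed CA name
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// verify: H2 = SHA256(F); VerifyPKCS1v15 recovers the padded hash H3 from F' with the CA public key and compares.
func verify(f, fPrime []byte, caPub *rsa.PublicKey) bool {
	h2 := sha256.Sum256(f)
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, h2[:], fPrime) == nil
}

// demo checks a genuine certificate, a tampered plaintext, and the wrong public key.
func demo() (genuine, tampered, wrongKey bool) {
	caKey, userKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	cert := issue("user1", &userKey.PublicKey, caKey)
	f, fPrime := cert.RawTBSCertificate, cert.Signature
	forged := append([]byte{}, f...)
	forged[len(forged)-1] ^= 1 // one flipped bit in F changes H2
	return verify(f, fPrime, &caKey.PublicKey), verify(forged, fPrime, &caKey.PublicKey), verify(f, fPrime, &userKey.PublicKey)
}

func main() { fmt.Println(demo()) }
```

Only the unmodified certificate checked against the issuing CA's public key verifies; a changed plaintext or a key other than the CA's makes H2 and H3 differ.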