2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article presents a sample analysis of the mechanism for creating users in Fabric CA. The editor finds it very practical and shares it here as a reference.
While studying how Fabric CA creates users, I found a lot of implicit rules.
From the official documentation, we know that fabric-ca comes with the following initial attributes whose names begin with hf.; let's call them system attributes for the time being.
| Name | Type | Description |
|---|---|---|
| hf.Registrar.Roles | List | List of roles that the registrar is allowed to manage |
| hf.Registrar.DelegateRoles | List | List of roles that the registrar is allowed to give to a registree for its 'hf.Registrar.Roles' attribute |
| hf.Registrar.Attributes | List | List of attributes that registrar is allowed to register |
| hf.GenCRL | Boolean | Identity is able to generate CRL if attribute value is true |
| hf.Revoker | Boolean | Identity is able to revoke a user and/or certificates if attribute value is true |
| hf.AffiliationMgr | Boolean | Identity is able to manage affiliations if attribute value is true |
| hf.IntermediateCA | Boolean | Identity is able to enroll as an intermediate CA if attribute value is true |

Phenomenon 1: Boolean type system properties
First, we use admin to create an account test_a
The command is as follows:
fabric-ca-client register -d \
  --id.name test_a \
  --id.secret test_a_pw \
  --id.type client \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true \
  --id.attrs hf.GenCRL=false

That is, the test_a user is registered with hf.GenCRL=false, and the result is as follows:
Then we try to create the following accounts with the test_a account (note that the test_a account is used instead of the admin account)
test_a_a, with hf.GenCRL=true set for the test_a_a user:

fabric-ca-client register -d \
  --id.name test_a_a \
  --id.secret test_a_a_pw \
  --id.type client \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true \
  --id.attrs hf.GenCRL=true

The creation fails and a permission error is reported, as shown below:
test_a_b, with hf.GenCRL=false set for the test_a_b user:

fabric-ca-client register -d \
  --id.name test_a_b \
  --id.secret test_a_b_pw \
  --id.type client \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true \
  --id.attrs hf.GenCRL=false

The results are the same as above:
test_a_c, without setting the hf.GenCRL attribute for the test_a_c user:

fabric-ca-client register -d \
  --id.name test_a_c \
  --id.secret test_a_c_pw \
  --id.type client \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true

The identity is created successfully, as follows:
The other Boolean system attributes, hf.Revoker, hf.AffiliationMgr and hf.IntermediateCA, behave similarly: if one of these Boolean attributes of the superior id is set to false (or not set), then the subordinate id it creates cannot have the corresponding Boolean system attribute.
Phenomenon 2: the constraint of hf.Registrar.Roles
The test_a identity we just created has id.type=client and hf.Registrar.Roles=client,user. What happens if we use test_a to register an identity with id.type=peer or id.type=orderer? As everyone would expect, it must fail, so I won't do the test here.
Note: only four hf.Registrar.Roles attributes are supported in fabric-ca version 1.1. Custom roles will be supported in version 1.2. For more information, please see https://jira.hyperledger.org/browse/FAB-7882
Screenshot of related information:
Create a test_a_d identity with the test_a user and set the test_a_d attribute hf.Registrar.Roles=client,user,peer, as follows:
fabric-ca-client register -d \
  --id.name test_a_d \
  --id.secret test_a_d_pw \
  --id.type client \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user,peer"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user,peer"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true

As a result, creation failed, as follows:
If you continue testing, you will find that when the test_a identity has hf.Registrar.Roles=client,user, the hf.Registrar.Roles attribute value of a sub-identity created with the test_a identity cannot exceed the range of client,user.
Then create a test_a_e identity with the test_a user, and set the test_a_e attribute id.type=peer, as follows:
fabric-ca-client register -d \
  --id.name test_a_e \
  --id.secret test_a_e_pw \
  --id.type peer \
  --id.affiliation easypay.fabric \
  --id.attrs '"hf.Registrar.Roles=client,user"' \
  --id.attrs '"hf.Registrar.DelegateRoles=client,user"' \
  --id.attrs '"hf.Registrar.Attributes=*"' \
  --id.attrs hf.Revoker=true \
  --id.attrs hf.AffiliationMgr=true \
  --id.attrs hf.IntermediateCA=true

As a result, the creation failed. The error message is as follows:
The id.type attribute value of the child id is also constrained by the hf.Registrar.Roles attribute value of the superior id.
Phenomenon 3: the constraint of hf.Registrar.Attributes attribute
Try to create test_b with admin identity and add hf.key=value
fabric-ca-client register -d \
  --id.name test_b \
  --id.secret test_b_pw \
  --id.type client \
  --id.attrs hf.key=value

Even though the admin identity has hf.Registrar.Attributes=*, the creation fails; the result is shown in the figure.
Then try to create test_c with admin identity and add hf=value
fabric-ca-client register -d \
  --id.name test_c \
  --id.secret test_c_pw \
  --id.type client \
  --id.attrs hf=value

The identity is created successfully; the result is as shown in the figure.
To sum up, there are the following rules:
The hf.Registrar.Attributes value of the parent id constrains the attributes that can be added to the child ids it creates, except for attributes whose names begin with hf.; those are treated differently, as system attributes.
From the superior down, the attribute constraints can only converge step by step; they can never diverge.
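The rules above, written out as a small Go model so they can be checked against the test_a scenarios (an added example, not Fabric CA's own code from attribute.go). The names Attrs, kinds, within and CheckRegister are hypothetical; applying the subset rule to all three List attributes is an assumption drawn from the "only converge" rule, and hf.Registrar.Attributes is matched only as "*" or exact names.

```go
package main

import (
	"fmt"
	"strings"
)

// Attrs maps attribute names to values (hypothetical type for this model).
type Attrs map[string]string

// System attributes from the page's table: "b" = Boolean, "l" = List.
var kinds = map[string]string{"hf.GenCRL": "b", "hf.Revoker": "b", "hf.AffiliationMgr": "b",
	"hf.IntermediateCA": "b", "hf.Registrar.Roles": "l", "hf.Registrar.DelegateRoles": "l",
	"hf.Registrar.Attributes": "l"}

// within: every comma-separated item of child is in parent ("*" allows all; empty fails closed).
func within(child, parent string) bool {
	list := "," + parent + ","
	for _, c := range strings.Split(child, ",") {
		if c == "" || !(strings.Contains(list, ",*,") || strings.Contains(list, ","+c+",")) {
			return false
		}
	}
	return true
}

// CheckRegister models the rules observed on this page; nil means allowed.
func CheckRegister(reg Attrs, idType string, req Attrs) error {
	if !within(idType, reg["hf.Registrar.Roles"]) {
		return fmt.Errorf("id.type %q is outside the registrar's hf.Registrar.Roles", idType)
	}
	for name, val := range req {
		switch kind := kinds[name]; {
		case kind == "b" && reg[name] != "true":
			return fmt.Errorf("%s: the registrar does not hold it as true", name)
		case kind == "l" && !within(val, reg[name]):
			return fmt.Errorf("%s=%s exceeds the registrar's own value", name, val)
		case kind == "" && strings.HasPrefix(name, "hf."):
			return fmt.Errorf("%s: hf.-prefixed names are reserved system attributes", name)
		case kind == "" && !within(name, reg["hf.Registrar.Attributes"]):
			return fmt.Errorf("%s is not allowed by hf.Registrar.Attributes", name)
		}
	}
	return nil
}

func main() { // constructed sample: registrar with hf.GenCRL=false, child asks for true
	reg := Attrs{"hf.Registrar.Roles": "client,user", "hf.GenCRL": "false"}
	fmt.Println(CheckRegister(reg, "client", Attrs{"hf.GenCRL": "true"}))
}
```

Auditing registrar identities with a check like this shows which attributes each one can pass on before it is handed to another team.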
Related code
If you are interested, you can study the source code in detail. The relevant parts of the code can be found in: https://github.com/hyperledger/fabric-ca/blob/release-1.1/lib/attr/attribute.go