hyperledger / fabric-ca
Home Page: https://wiki.hyperledger.org/display/fabric
License: Apache License 2.0
We're trying to use Fortanix PKCS11 library with hyperledger.
Here is some information about the pkcs11 tool:

```
Cryptoki version 3.0
Manufacturer Fortanix
Library Fortanix Data Security Manager PKCS11 Library (ver 0.3)
Using slot 0 with a present token (0x1)
```

Hyperledger's BCCSP is failing to initialize with Fortanix PKCS11 (Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: instantiation failed for /etc/hyperledger/fabric/fortanix_pkcs11_4.8.2070.so)
We have modified the base image to centos, and the pkcs11 tool works with our library as well.
We have made the following changes to the fabric-ca-server-config.yaml file:

```yaml
bccsp:
  default: PKCS11
  pkcs11:
    Library: /home/ccm-user/fortanix_pkcs11/fortanix_pkcs11_4.2.1500.so
    Pin: file:///home/ccm-user/fortanix_pkcs11/pkcs11.conf
    label: "Fortanix Token"
    hash: SHA2
    security: 256
```
And the config file contains:

```toml
api_endpoint = "https://sdkms.fortanix.com"
api_key="xxxxxx"
app_id="xxxxxxx"
[log]
system = true # Unix only, logs to syslog
```

Are there any other changes that need to be made in the BCCSP section to integrate our library with Hyperledger Fabric?
The orderer section in docker-compose.yaml does not have the expected port number (7050) mentioned
(https://hyperledger-fabric-ca.readthedocs.io/en/latest/docker_compose.html)

```yaml
orderer1-org0:
  container_name: orderer1-org0
  image: hyperledger/fabric-orderer:1.4.0
  environment:
    - ORDERER_HOME=/tmp/hyperledger/orderer
    - ORDERER_HOST=orderer1-org0
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/org0/orderer/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=org0MSP
    - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
    - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
    - ORDERER_GENERAL_LOGLEVEL=debug
    - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
  volumes:
    - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
  networks:
    - fabric-ca
```
When using the binary pulled from the release page on GitHub, this error occurs:

```
2021/08/13 09:09:16 [ERROR] Error occurred initializing database: Failed to open sqlite3 DB: Binary was compiled with 'CGO_ENABLED=0', go-sqlite3 requires cgo to work. This is a stub
```

The docker image for this doesn't have the problem. Nor does rebuilding the code; that works correctly.

From either a locally built version or the docker image, the version indicates go1.15:

```
./bin/fabric-ca-server version
fabric-ca-server:
 Version: 1.5.1-snapshot-6d7c103a
 Go version: go1.15.7
 OS/Arch: linux/amd64
```

The version from the releases tgz file gives:

```
fabric-ca-server:
 Version: 1.5.0
 Go version: go1.16
 OS/Arch: linux/amd64
```

Go 1.16 looks out of place as everything else is at 1.15. Looking at the state of the repo at the time of the last release, I can't see how this would have been built with go 1.16. Of course there could be something else as well.

This has been reported on Stack Overflow as well:
https://stackoverflow.com/questions/68221867/error-initializing-fabric-ca-server-go-sqlite3-requires-cgo-to-work
```
./fabric-ca-client register -d -u https://org1rootcaadmin:[email protected]:7055 --id.name org1intermediatecaadmin --id.secret org1intermediatecaadminpw --id.attrs '"hf.Registrar.Roles=user,admin","hf.Revoker=true","hf.IntermediateCA=true"' --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/org1rootcaadmin/msp
```

Log content:

```
2022/03/09 03:07:34 [INFO] 192.168.0.105:48152 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"
2022/03/09 03:07:55 [DEBUG] Cleaning up expired nonces for CA 'org1-root-ca'
2022/03/09 03:09:27 [DEBUG] Received request for /register
2022/03/09 03:09:27 [DEBUG] Caller is using a x509 certificate
2022/03/09 03:09:27 [DEBUG] Certicate Dates: NotAfter = 2023-03-09 07:49:00 +0000 UTC NotBefore = 2022-03-09 07:41:00 +0000 UTC
2022/03/09 03:09:27 [INFO] 192.168.0.105:48154 POST /register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server")"
2022/03/09 03:09:45 [DEBUG] Received request for /register
2022/03/09 03:09:45 [DEBUG] Caller is using a x509 certificate
2022/03/09 03:09:45 [DEBUG] Certicate Dates: NotAfter = 2023-03-09 07:53:00 +0000 UTC NotBefore = 2022-03-09 07:47:00 +0000 UTC
2022/03/09 03:09:45 [DEBUG] Checking for revocation/expiration of certificate owned by 'org1rootcaadmin'
2022/03/09 03:09:45 [DEBUG] DB: Get certificate by serial (533f2c5a6619663debbad716a74be3cb577f1875) and aki (db3b6bd4a8420c090d3715e69803b5861391d2e7)
2022/03/09 03:09:45 [DEBUG] DB: Getting identity org1rootcaadmin
2022/03/09 03:09:45 [DEBUG] Successful token authentication of 'org1rootcaadmin'
2022/03/09 03:09:45 [DEBUG] Received registration request from org1rootcaadmin: { Name:org1intermediatecaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Registrar.Roles user,admin false} {hf.Revoker true false} {hf.IntermediateCA true false}] CAName: }
2022/03/09 03:09:45 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2022/03/09 03:09:45 [DEBUG] canRegister - Check to see if user 'org1rootcaadmin' can register
2022/03/09 03:09:45 [DEBUG] Checking to see if caller 'org1rootcaadmin' can act on type 'client'
2022/03/09 03:09:45 [DEBUG] Checking to see if caller 'org1rootcaadmin' is a registrar
2022/03/09 03:09:45 [DEBUG] Registrar is not allowed to register user 'org1intermediatecaadmin': Failed to verify if user can act on type: 'org1rootcaadmin' is not a registrar
2022/03/09 03:09:45 [INFO] 192.168.0.105:48156 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"
```
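The two denials in this log, the 401 for an untrusted client certificate and the 403 the server explains with `'org1rootcaadmin' is not a registrar`, are the kind of events a CA operator wants surfaced rather than buried in DEBUG output. The following Go program is an added example, not part of the issue or of fabric-ca: it turns the `[INFO]` request lines and the `[DEBUG]` lines that precede them into structured denial events, using the lines above as its constructed sample input.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Sample lines copied from the server log in the issue above (constructed subset).
const sampleLog = `
2022/03/09 03:07:34 [INFO] 192.168.0.105:48152 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"
2022/03/09 03:07:55 [DEBUG] Cleaning up expired nonces for CA 'org1-root-ca'
2022/03/09 03:09:27 [DEBUG] Received request for /register
2022/03/09 03:09:27 [DEBUG] Caller is using a x509 certificate
2022/03/09 03:09:27 [INFO] 192.168.0.105:48154 POST /register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server")"
2022/03/09 03:09:45 [DEBUG] Received request for /register
2022/03/09 03:09:45 [DEBUG] Successful token authentication of 'org1rootcaadmin'
2022/03/09 03:09:45 [DEBUG] canRegister - Check to see if user 'org1rootcaadmin' can register
2022/03/09 03:09:45 [DEBUG] Registrar is not allowed to register user 'org1intermediatecaadmin': Failed to verify if user can act on type: 'org1rootcaadmin' is not a registrar
2022/03/09 03:09:45 [INFO] 192.168.0.105:48156 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"
`

var (
	// request line: time, client addr, method, path, status, bytes, quoted response text
	accessRe = regexp.MustCompile(`^(\S+ \S+) \[INFO\] (\S+) (\w+) (\S+) (\d{3}) \d+ "(.*)"$`)
	authRe   = regexp.MustCompile(`\[DEBUG\] Successful token authentication of '([^']+)'`)
	denyRe   = regexp.MustCompile(`\[DEBUG\] Registrar is not allowed to register user '([^']+)': (.*)$`)
	targetRe = regexp.MustCompile(`Registration of '([^']+)' failed`)
)

// Denied is one rejected request (HTTP status >= 400) together with the
// context the DEBUG lines of the same request provide.
type Denied struct {
	Time, Client, Method, Path string
	Status                     int
	Caller, Target             string // authenticated caller and identity it tried to register
	Message, Reason            string // server's response text and the DEBUG-level reason
}

// ParseLog walks the log once. DEBUG lines accumulate per-request state; the
// [INFO] request line that follows closes the request and resets that state.
func ParseLog(log string) []Denied {
	var out []Denied
	var caller, target, reason string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := authRe.FindStringSubmatch(line); m != nil {
			caller = m[1]
			continue
		}
		if m := denyRe.FindStringSubmatch(line); m != nil {
			target, reason = m[1], m[2]
			continue
		}
		m := accessRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		if status >= 400 {
			if target == "" { // no DEBUG reason seen: fall back to the response text
				if t := targetRe.FindStringSubmatch(m[6]); t != nil {
					target = t[1]
				}
			}
			out = append(out, Denied{Time: m[1], Client: m[2], Method: m[3], Path: m[4],
				Status: status, Caller: caller, Target: target, Message: m[6], Reason: reason})
		}
		caller, target, reason = "", "", ""
	}
	return out
}

// CountByStatus gives the per-status totals a dashboard or alert rule would key on.
func CountByStatus(events []Denied) map[int]int {
	counts := map[int]int{}
	for _, e := range events {
		counts[e.Status]++
	}
	return counts
}

func main() {
	events := ParseLog(sampleLog)
	for _, e := range events {
		fmt.Printf("%s %s %s %s %d caller=%q target=%q\n  %s\n",
			e.Time, e.Client, e.Method, e.Path, e.Status, e.Caller, e.Target, e.Message)
		if e.Reason != "" {
			fmt.Printf("  reason: %s\n", e.Reason)
		}
	}
	fmt.Println("by status:", CountByStatus(events))
}
```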
NB: Please note that this issue is in progress and will be updated.
I have decided to amalgamate these all into one list to make things easier for the Hyperledger Fabric team. @denyeart explained that JARs/dependencies with known vulnerabilities are OK to report via GitHub issue. So here we go.
Name | Found in Code | CVEs | Due Date | Status |
---|---|---|---|---|
Babel-2.3.4-py2.py3-none-any.whl | https://github.com/hyperledger/fabric-ca/blob/main/docs/requirements.txt#L9 | https://nvd.nist.gov/vuln/detail/CVE-2021-42771 | Aug 21, 2023 | #367 merged. ✅ |
Pygments-2.1.3-py2.py3-none-any.whl | https://github.com/hyperledger/fabric-ca/blob/main/docs/requirements.txt#L14 | https://nvd.nist.gov/vuln/detail/CVE-2021-27291, https://nvd.nist.gov/vuln/detail/CVE-2021-20270 | Aug 21, 2023 | #367 merged. ✅ |
Hello,
I find that the "Download this chaincode" link from https://github.com/hyperledger/fabric-ca/blob/main/docs/source/operations_guide.rst#install-and-instantiate-chaincode is broken, and the section refers to the unavailable /chaincode/abac/go chaincode. Could you check?
Thanks.
Hi,

I would like to ask for clarification about the following.

I deployed a TLS CA, an Organization CA, and an Intermediate CA, each one on a different machine.

When creating the TLS root certificate, initially I set `--csr.hosts` to the TLS CA hostname in the enroll command for the Organization CA and Intermediate CA admin users. Then, following the guide, when configuring the Organization CA, I used the root TLS CA certificate in `--tls.certfiles` when enrolling the admin into the Organization CA, and the Organization CA hostname in `csr.hosts` in the enroll command.

That, as probably expected, ended in an error like:

```
x509: certificate is valid for tls_ca, not org_ca
```

There are two ways of solving that error.

`csr.hosts` list. I guess that's the way to fix it following the tutorial, because it forces you to use the TLS CA root certificate when enrolling the Organization admin user into the Organization CA. So, basically, the TLS root CA cert will have been generated for the Organization CA host apart from the TLS CA host. Nevertheless, when generating that certificate, the docs say to add only the TLS CA host.

`csr.hosts`), and when enrolling the Organization admin into the TLS CA, use the Organization CA hostname as `csr.hosts`. That way, when enrolling the admin user into the Organization CA, you can use its TLS certificate (the one generated for the Organization CA and copied from the TLS CA to the Organization CA machine) instead of the TLS CA root certificate (the docs say to use the TLS CA root cert) as `--tls.certfiles`, and its hostname (the Organization CA hostname) in the `csr.hosts` parameter.

I tested both approaches, and both worked. Could you please clarify which one should be used?

Thank you very much.
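The mismatch error above is the client's Subject Alternative Name check: the name it connects to must appear in the server certificate's SAN list, which is what `--csr.hosts` populates. The following Go program is an added example, not part of the post or of fabric-ca; it stands in a self-signed certificate for the TLS CA's certificate (the `newTLSCert` helper is hypothetical), reproduces the exact error for a certificate issued for `tls_ca` only, and shows that both approaches from the post, listing both hosts in one certificate or issuing a separate certificate for `org_ca`, satisfy the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTLSCert issues a self-signed certificate whose Subject Alternative Names
// are exactly hosts, the same effect --csr.hosts has on a fabric-ca TLS
// enrollment. Hypothetical helper written for this example, not fabric-ca code.
func newTLSCert(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hosts[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              hosts, // this is the list the client's check consults
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostCovered applies the same SAN check a TLS client performs and returns
// Go's own mismatch message when the host is not in the certificate.
func HostCovered(cert *x509.Certificate, host string) (bool, string) {
	if err := cert.VerifyHostname(host); err != nil {
		return false, err.Error()
	}
	return true, ""
}

func main() {
	cases := []struct {
		name  string
		hosts []string
	}{
		{"TLS root cert for tls_ca only (the error case)", []string{"tls_ca"}},
		{"approach 1: TLS root cert listing both hosts", []string{"tls_ca", "org_ca"}},
		{"approach 2: separate TLS cert for org_ca", []string{"org_ca"}},
	}
	for _, c := range cases {
		cert, err := newTLSCert(c.hosts)
		if err != nil {
			panic(err)
		}
		for _, h := range []string{"tls_ca", "org_ca"} {
			ok, msg := HostCovered(cert, h)
			fmt.Printf("%-48s connect to %-6s ok=%-5v %s\n", c.name, h, ok, msg)
		}
	}
}
```

With approach 1 the TLS CA's own certificate doubles as the server certificate for the Organization CA host; approach 2 keeps one certificate per host.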
It appears that there are some architecture conflicts here:

```
% make fabric-ca-client
# golang.org/x/sys/unix
vendor/golang.org/x/sys/unix/syscall_darwin.1_13.go:29:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.go:27:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.go:40:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:28:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:43:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:59:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:75:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:90:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:105:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:121:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:121:3: too many errors
```

I can definitely help resolve these, but would need some help to get into the code here. Can you advise as to why these arch dependencies would exist?

My environment:

```
GOARCH="arm64"
GOOS="darwin"
GOVERSION="go1.18.2"
CGO_ENABLED="1"
```
I think there is an error in the `configtx.yaml` file. At AnchorPeers it should be `- Port: 7051` instead of `Port: 7051`:

```yaml
- &org1
  Name: org1
  ID: org1MSP
  MSPDir: /tmp/hyperledger/org1/msp
  AnchorPeers:
    - Host: peer1-org1
      Port: 7051
```

```yaml
- &org1
  Name: org1
  ID: org1MSP
  MSPDir: /tmp/hyperledger/org1/msp
  AnchorPeers:
    - Host: peer1-org1
    - Port: 7051
```
fs permission issue in docker container when attempting to run with a non-root user

```
docker run -d --user 1000:1000 hyperledger/fabric-ca:1.5.0
```

Expected: functional fabric-ca container with port 7054 exposed

Actual: container exited with the following error:

```
Error: Failed to create default configuration file: mkdir /etc/hyperledger: permission denied
```

Due to how the image is built, the directories/files required to run fabric-ca-server are owned by root.
Hello,

When I use swagger.fabric-ca.json on https://editor.swagger.io/, the tool displays many errors (structural and semantic). I put all the errors below:
Structural error at definitions.identityInfo.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 37
Semantic error at definitions.identityInfo.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 37
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.profile.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 262
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.profile.type
Schema "type" key must be a string
Jump to line 262
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.label.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 269
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.label.type
Schema "type" key must be a string
Jump to line 269
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 276
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 276
Structural error at paths./api/v1/idemix/cri.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 621
Semantic error at paths./api/v1/idemix/cri.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 621
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.profile.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 740
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.profile.type
Schema "type" key must be a string
Jump to line 740
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.label.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 747
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.label.type
Schema "type" key must be a string
Jump to line 747
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 754
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 754
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 929
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 929
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 936
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 936
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 972
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 972
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.id.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1091
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.id.type
Schema "type" key must be a string
Jump to line 1091
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.aki.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1098
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.aki.type
Schema "type" key must be a string
Jump to line 1098
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.serial.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1105
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.serial.type
Schema "type" key must be a string
Jump to line 1105
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.reason.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1112
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.reason.type
Schema "type" key must be a string
Jump to line 1112
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1119
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1119
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.gencrl.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1126
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.gencrl.type
Schema "type" key must be a string
Jump to line 1126
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedafter.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1256
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedafter.type
Schema "type" key must be a string
Jump to line 1256
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedbefore.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1263
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedbefore.type
Schema "type" key must be a string
Jump to line 1263
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expireafter.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1270
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expireafter.type
Schema "type" key must be a string
Jump to line 1270
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expirebefore.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1277
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expirebefore.type
Schema "type" key must be a string
Jump to line 1277
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1284
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1284
Structural error at paths./api/v1/affiliations.post.parameters.3.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1495
Semantic error at paths./api/v1/affiliations.post.parameters.3.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1495
Structural error at paths./api/v1/affiliations/{affiliation}.put.parameters.4.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1728
Semantic error at paths./api/v1/affiliations/{affiliation}.put.parameters.4.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1728
Structural error at paths./api/v1/identities.get.responses.200.schema.properties.result.properties.identities.items.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1956
Semantic error at paths./api/v1/identities.get.responses.200.schema.properties.result.properties.identities.items.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 1956
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2093
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 2093
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2100
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2100
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2136
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 2136
Structural error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2173
Semantic error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.secret.type
Schema "type" key must be a string
Jump to line 2173
Structural error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2180
Semantic error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2180
Structural error at paths./api/v1/identities/{id}.get.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2325
Semantic error at paths./api/v1/identities/{id}.get.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2325
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2458
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 2458
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2465
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2465
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.attrs.items.properties.value.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2486
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.attrs.items.properties.value.type
Schema "type" key must be a string
Jump to line 2486
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2503
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 2503
Structural error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2535
Semantic error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.secret.type
Schema "type" key must be a string
Jump to line 2535
Structural error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2542
Semantic error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2542
Structural error at paths./api/v1/identities/{id}.delete.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2692
Semantic error at paths./api/v1/identities/{id}.delete.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2692
Hello,
I'm trying to set up a fabric-ca-server with AWS CloudHSM.

I use the cloudhsm-pkcs11 library v5.2.1-2 on Ubuntu 18.04 (there are no more recent Ubuntu versions supported by AWS CloudHSM at this time).

I configured a couple of HSM servers in an HSM cluster and added a "fabric" CU (Crypto User) with the AWS HSM CLI:

```
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm>loginHSM CO admin password
aws-cloudhsm>createUser CU fabric 12345678
```

I configured both fabric-ca-server-config.yaml and fabric-ca-client-config.yaml with:

```yaml
bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
    Pin: 'fabric:12345678'
    AltId: FABRIC
    # it seems that the label must be the name of the HSM cluster in AWS:
    Label: cluster-dzetr75hznp
    hash: SHA2
    security: 256
```
I init the CA server (the MSP key is successfully stored in the HSM):

```
$ fabric-ca-server init -b admin:adminpw
2021/10/07 02:46:58 [INFO] Configuration file location: /opt/hsmtest/ca.hsm/rootca/fabric-ca-server-config.yaml
2021/10/07 02:46:59 [INFO] Server Version: 1.5.2
2021/10/07 02:46:59 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/10/07 02:46:59 [WARNING] &{69 The specified CA certificate file /opt/hsmtest/ca.hsm/rootca/ca-cert.pem does not exist}
2021/10/07 02:46:59 [INFO] generating key: &{A:ecdsa S:256}
2021/10/07 02:46:59 [INFO] encoded CSR
2021/10/07 02:46:59 [INFO] signed certificate with serial number 457077676613156083610706603201870637828122354856
2021/10/07 02:46:59 [INFO] The CA key and certificate were generated for CA rootca
2021/10/07 02:46:59 [INFO] The key was stored by BCCSP provider 'PKCS11'
2021/10/07 02:46:59 [INFO] The certificate is at: /opt/hsmtest/ca.hsm/rootca/ca-cert.pem
2021/10/07 02:46:59 [INFO] Initialized sqlite3 database at /opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db
2021/10/07 02:46:59 [INFO] The issuer key was successfully stored. The public key is at: /opt/hsmtest/ca.hsm/rootca/IssuerPublicKey, secret key is at: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerSecretKey
2021/10/07 02:46:59 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'rootca'
2021/10/07 02:46:59 [INFO] The revocation key was successfully stored. The public key is at: /opt/hsmtest/ca.hsm/rootca/IssuerRevocationPublicKey, private key is at: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerRevocationPrivateKey
2021/10/07 02:46:59 [INFO] Home directory for default CA: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:46:59 [INFO] Initialization was successful
```
But then when I start the server, the TLS self-signed cert generation fails:
```
$ /etc/hyperledger/fabric-ca-client# fabric-ca-server start -d
2021/10/07 02:52:10 [DEBUG] Home directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [INFO] Configuration file location: /opt/hsmtest/ca.hsm/rootca/fabric-ca-server-config.yaml
2021/10/07 02:52:10 [INFO] Starting server in home directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] Set log level:
2021/10/07 02:52:10 [INFO] Server Version: 1.5.2
2021/10/07 02:52:10 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/10/07 02:52:10 [DEBUG] Making server filenames absolute
2021/10/07 02:52:10 [DEBUG] Initializing default CA in directory /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] CA Home Directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] Checking configuration file version '1.4.7' against server version: '1.5.2'
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000394150 PluginOpts:<nil> Pkcs11Opts:0xc000143000}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 FileKeystore:0xc00016ccd0 DummyKeystore:<nil> InmemKeystore:<nil>}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:<nil> DummyKeystore:<nil> Library:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:FABRIC}
2021/10/07 02:52:10 [DEBUG] Initialize key material
2021/10/07 02:52:10 [DEBUG] Making CA filenames absolute
2021/10/07 02:52:10 [INFO] The CA key and certificate already exist
2021/10/07 02:52:10 [INFO] The key is stored by BCCSP provider 'PKCS11'
2021/10/07 02:52:10 [INFO] The certificate is at: /opt/hsmtest/ca.hsm/rootca/ca-cert.pem
2021/10/07 02:52:10 [DEBUG] Loading CN from existing enrollment information
2021/10/07 02:52:10 [DEBUG] Initializing DB
2021/10/07 02:52:10 [DEBUG] Initializing 'sqlite3' database at '/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db'
2021/10/07 02:52:10 [DEBUG] Using sqlite database, connect to database in home (/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db) directory
2021/10/07 02:52:10 [DEBUG] Creating SQLite database (/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db) if it does not exist...
2021/10/07 02:52:10 [DEBUG] Creating users table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating affiliations table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating certificates table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating credentials table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating revocation_authority_info table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating nonces table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating properties table if it does not exist
2021/10/07 02:52:10 [DEBUG] Successfully opened sqlite3 DB
2021/10/07 02:52:10 [DEBUG] Initializing identity registry
2021/10/07 02:52:10 [DEBUG] Initialized DB identity registry
2021/10/07 02:52:10 [DEBUG] Checking database levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}' against server levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}'
2021/10/07 02:52:10 [DEBUG] Loading identity table
2021/10/07 02:52:10 [DEBUG] Loading identity 'admin_ca'
2021/10/07 02:52:10 [DEBUG] DB: Getting identity admin_ca
2021/10/07 02:52:10 [DEBUG] Identity 'admin_ca' already registered, loaded identity
2021/10/07 02:52:10 [DEBUG] Successfully loaded identity table
2021/10/07 02:52:10 [DEBUG] Loading affiliations table
2021/10/07 02:52:10 [DEBUG] Successfully loaded affiliations table
2021/10/07 02:52:10 [INFO] Initialized sqlite3 database at /opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db
2021/10/07 02:52:10 [DEBUG] Initializing enrollment signer
2021/10/07 02:52:10 [DEBUG] validating configuration
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] CA initialization successful
2021/10/07 02:52:10 [DEBUG] Initializing Idemix issuer...
2021/10/07 02:52:10 [INFO] The Idemix issuer public and secret key files already exist
2021/10/07 02:52:10 [INFO] secret key file location: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerSecretKey
2021/10/07 02:52:10 [INFO] public key file location: /opt/hsmtest/ca.hsm/rootca/IssuerPublicKey
2021/10/07 02:52:10 [DEBUG] Intializing revocation authority for issuer 'rootca'
2021/10/07 02:52:10 [DEBUG] Initialize Idemix issuer revocation key material
2021/10/07 02:52:10 [INFO] The Idemix issuer revocation public and secret key files already exist
2021/10/07 02:52:10 [INFO] private key file location: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerRevocationPrivateKey
2021/10/07 02:52:10 [INFO] public key file location: /opt/hsmtest/ca.hsm/rootca/IssuerRevocationPublicKey
2021/10/07 02:52:10 [DEBUG] Intializing nonce manager for issuer 'rootca'
2021/10/07 02:52:10 [INFO] Home directory for default CA: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] 1 CA instance(s) running on server
2021/10/07 02:52:10 [INFO] Operation Server Listening on 127.0.0.1:9443
2021/10/07 02:52:10 [DEBUG] TLS is enabled
2021/10/07 02:52:10 [DEBUG] TLS enabled but either certificate or key file does not exist, automatically generating TLS credentials
```
2021/10/07 02:52:10 [DEBUG] TLS CSR: {<PRIVATE STUFF>}
2021/10/07 02:52:10 [DEBUG] GenCSR &{<PRIVATE STUFF>}
2021/10/07 02:52:10 [DEBUG] Initializing client with config: &{URL: MSPDir: TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type: } CSR:{CN: Names:[] Hosts:[] KeyRequest:<nil> CA:<nil> SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc000147fb0 Debug:false LogLevel:}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000394150 PluginOpts:<nil> Pkcs11Opts:0xc000143000}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 FileKeystore:0xc00016ccd0 DummyKeystore:<nil> InmemKeystore:<nil>}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:<nil> DummyKeystore:<nil> Library:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:FABRIC}
2021/10/07 02:52:10 [INFO] generating key: &{A:ecdsa S:256}
2021/10/07 02:52:10 [DEBUG] generate key from request: algo=ecdsa, size=256
2021/10/07 02:52:10 [DEBUG] failed generating BCCSP key: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]
2021/10/07 02:52:10 [DEBUG] Closing server DBs
Error: Failed to automatically generate TLS certificate and key: Failed to generate CSR: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]
Here is the corresponding cloudhsm log:
2021-10-07T02:52:10.204+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::connection_pool] Adding HSM connection to connection pool: HsmConnection { hsm_info: HSM { IP: "10.4.1.189", Port: 2223 } }
2021-10-07T02:52:10.209+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_connection::common] Initializing new connection: HSM { IP: "10.4.1.189", Port: 2223 }
2021-10-07T02:52:10.260+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_properties] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 3 }
2021-10-07T02:52:10.260+02:00 INFO [179] ThreadId(5) [hsm1_marshaling::server_handshake] Reporting sdk version Pkcs11:5.2-1-bionic:CodeBuildBatchProject-uFu5sNXfquqK:ed9a3dbd-7172-439f-8ee3-79408d4e3f39
2021-10-07T02:52:10.304+02:00 WARN [179] ThreadId(3) [cloudhsm_provider::hsm1::hsm_connection::dispatcher_strategy] UX000: Discarding HSM response because it does not match a pending request.
2021-10-07T02:52:10.352+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::connection_pool] Adding HSM connection to connection pool: HsmConnection { hsm_info: HSM { IP: "10.4.1.236", Port: 2223 } }
2021-10-07T02:52:10.355+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_connection::common] Initializing new connection: HSM { IP: "10.4.1.236", Port: 2223 }
2021-10-07T02:52:10.401+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_properties] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 3 }
2021-10-07T02:52:10.401+02:00 INFO [179] ThreadId(5) [hsm1_marshaling::server_handshake] Reporting sdk version Pkcs11:5.2-1-bionic:CodeBuildBatchProject-uFu5sNXfquqK:ed9a3dbd-7172-439f-8ee3-79408d4e3f39
2021-10-07T02:52:10.444+02:00 WARN [179] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::dispatcher_strategy] UX000: Discarding HSM response because it does not match a pending request.
2021-10-07T02:52:10.492+02:00 INFO [179] ThreadId(3) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message] Cluster version 150321984 is up to date. Ignoring cluster version received: 150321671.
2021-10-07T02:52:10.492+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::device] Retrieving HSM information.
2021-10-07T02:52:10.513+02:00 INFO [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::session_creation] Successfully created session with id: ProviderSessionId { inner: 1 }
2021-10-07T02:52:10.560+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::general::C_Initialize] BP000: Library is already initialized.
2021-10-07T02:52:10.560+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::general::C_Initialize] C_Initialize failed, returning 0x00000191
2021-10-07T02:52:10.560+02:00 INFO [179] ThreadId(6) [cloudhsm_provider::hsm1::connection::device] Retrieving HSM information.
2021-10-07T02:52:10.581+02:00 INFO [179] ThreadId(6) [cloudhsm_provider::hsm1::connection::session_creation] Successfully created session with id: ProviderSessionId { inner: 2 }
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_provider::hsm1::session::authentication] Failed to login to HSM. 2 connections failed, out of 2. Returning first error from HSM { IP: "10.4.1.236", Port: 2223 }, AlreadyLoggedIn.
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::session::C_Login] Error: User is already logged in
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::session::C_Login] C_Login failed, returning 0x00000100
2021-10-07T02:52:10.587+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::keymgmt::C_GenerateKeyPair::error] Attribute Value for (Unknown) is invalid
2021-10-07T02:52:10.587+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::keymgmt::C_GenerateKeyPair] C_GenerateKeyPair failed, returning 0x00000013
I had no problem with the TLS cert generation with the softhsm driver, so maybe the problem with AWS is the AltId setting which is the same here for the generated MSP CA cert and the TLS cert? Also I don't really know what to make of the "Error: User is already logged in" in the cloudhsm log...
I'm replicating this tutorial on a machine with centos and it works well till I have to start the orderer, if I don't add a
https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#setup-cas
If I follow the instructions as they are, when submitting this to the CLI of ORG1
peer channel create -c mychannel -f /tmp/hyperledger/org1/peer1/assets/channel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/org1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
I get the error:
2022-04-24 08:24:17.756 UTC [main] InitCmd -> ERRO 03b Cannot run peer because error when setting up MSP of type bccsp from directory /tmp/hyperledger/org1/admin/msp: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]
If I add a config.yaml file to the MSP folder as this https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#nodeous suggests it should, I cannot even initiate the orderer; I get this error when I try to do docker-compose up
orderer1-org0 | 2022-04-24 08:15:40.373 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
orderer1-org0 | 2022-04-24 08:15:40.445 UTC [orderer.common.server] Main -> PANI 005 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]
orderer1-org0 | panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]
I'm not seeing how to solve this issue.
In the version 2.2 documentation on deploying an orderer, a different but possibly related PANI 005 is mentioned:
https://hyperledger-fabric.readthedocs.io/en/release-2.2/deployorderer/ordererdeploy.html
but the solution is just creating the config.yaml and it's not working
Solution:
The system channel configuration is missing config.yaml file. If you are creating a new ordering service, the MSPDir referenced in configtx.yaml file is missing the config.yaml file. Follow instructions in the Fabric CA documentation to generate this file and then rerun configtxgen to regenerate the genesis block for the system channel.
thanks
Currently, the Identity Mixer (hereafter "idemix") implementation in fabric-CA uses an implementation from an old incarnation of Fabric.
Nowadays, Fabric doesn't contain an implementation of idemix and instead, it imports the official IBM implementation.
There are several problems with the current state of affairs:
Fabric-CA is the main tool for issuance of idemix credentials, and it currently restricts consumers of it to a specific elliptic curve and finite field package, while idemix itself can support a wider variety of credentials (for other elliptic curve and finite field packages).
What I propose is to refactor Fabric-CA such that it will use Mathlib, in alignment with the Fabric idemix implementation.
Then, Fabric-CA could issue every idemix credential that the Fabric version of idemix can consume.
Another advantage of doing this is that the aforementioned elliptic curve implementation of gnark-crypto is much faster than the current implementation used by Fabric-CA, and consumers of idemix could get a performance boost by using a different elliptic curve implementation.
I propose to add to the idemix configuration of the Fabric-CA server (and similarly in the client) the following key which will toggle between the available curve and finite field packages.
CurveID string `def:"CurveID" skip:"true" help:"Name of the curve among {'amcl.Fp256bn', 'gurvy.Bn254', 'amcl.Fp256Miraclbn'}, defaults to 'amcl.Fp256bn'"`
The default curve, as mentioned above, will remain what Fabric-CA uses today, for backward compatibility.
/api/v1/certificates?id=&aki=&serial=&revoked_start=&revoked_end=&expired_start=&expired_end=&notexpired=&notrevoked=&ca= 401 25 "Invalid token in authorization header: Invalid token format; expecting 2 parts separated by '.'"
Hello,
Is there any possibility to store (and retrieve) cert files on S3 or DB instead of traditional filesystem basis?
This filesystem mechanism is neither safe nor scalable.
I am trying to run fabric-ca on MacOS intel. I downloaded the zip of the code and opened it in vscode, but there is no indication of where to start. How can I start this project? There is no docker-compose file either.
The fabric-ca-server has a dependency on glibc 2.28, so when trying to run it you get
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by bin/fabric-ca-server)
The problem is likely that the binary has been built on a much newer version of ubuntu (possibly 20.04), but doing so means it cannot be used on older LTS versions of ubuntu and is likely to be a problem for other distros as well.
I successfully connected my Hyperledger Fabric network to an OpenLdap server running on a docker container, and I have enrolled all users, admins, and peers.
Also I created the genesis block, channel transaction and AnchorPeersUpdate.
But when I try to create my channel I get the following error:
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'supply-channel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
I know this error occurs when there is a problem with the identity (including MSP ID, certificate and keys) that submitted the request.
So my questions are:
Can we please remove this dependency from the Fabric CA code in the later/latest releases:
https://github.com/hyperledger/fabric-ca/blob/main/go.mod#L17
Fabric v1.4 is deprecated.
When attempting to clone or fetch the current repository at commit 8894989
the following files fail to download due to ":" being in the filename which is illegal on Windows based filesystems:
vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt
vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt
PR #304 introduced a regression in the Node and Java SDK client libraries, as it altered the folder structures expected by the test suites and SDK client applications.
Address this by reverting PR 304 and pushing the new folder structure updates into the Token/Smart Client SDKs.
Hi everybody ;)
I'm stuck! Lately I'm trying to get a Hyperledger Fabric Network with multiple Fabric-CA's building a Chain Of Trust running. I read the Docs, checked out multiple Blog Posts about this topic, tried out various of different kinds of approaches... But I just can't get my Network up and running!
The relevant part of the network looks something like this
The startup of the whole CA-Hierarchy is already working. And without the ca-root and ca-intermediate though, I managed to get it all running without any problems.
The error most probably lies in the Overall Generation of the TLS-Certificates or the Usage of them in the peers & orderers.
The error that I can't get rid of happens in all peers & orderers when starting them:
/etc/hyperledger/fabric/core.yaml: OK
patching file /etc/hyperledger/fabric/core.yaml
patch unexpectedly ends in middle of line
Hunk #1 succeeded at 546 with fuzz 1.
Running: peer node start
2021-11-17 14:28:33.081 CET [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/crypto/peer/msp: the supplied identity is not valid: x509: certificate signed by unknown authority
2021-11-17 14:33:27.672 CET [orderer.common.server] loadLocalMSP -> PANI 004 Failed to setup local msp with config: the supplied identity is not valid: x509: certificate signed by unknown authority
panic: Failed to setup local msp with config: the supplied identity is not valid: x509: certificate signed by unknown authority
The project in the state described above, with all the files (including Startup-Script, Config-Files, generated certificates in their MSP Structure), can be inspected in the following repository:
When you want the project to run in your kubernetes namespace, you have to delete the /artifacts/crypto-config folder and then run the ./start.sh script.
I would be very pleased if someone could tell me what I have to change in my Script and Configs to get this thing working!
My builds of fabric-ca-client and fabric-ca-server on s390x (for both native binary and Docker image) are failing with Fabric-ca release v1.5.7. They succeeded in v1.5.6. The builds appear to have broken after commit d575f40 which changed the mathlib dependency. (Things work with the commit immediately prior to d575f40.)
Here are some commands that show my environment and the steps to reproduce the error. The error is shown for the fabric-ca-client native build failure; a similar error occurs for the fabric-ca-server native build and for the docker image build.
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ uname -a
Linux fabric01 5.4.0-159-generic #176-Ubuntu SMP Mon Aug 14 12:03:34 UTC 2023 s390x s390x s390x GNU/Linux
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ go version
go version go1.20.7 linux/s390x
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ git checkout v1.5.7
Previous HEAD position was d575f40e This PR brings the following: - prepare the revocation handle as expected by the idemix lib - idemix: export revocation handle in SignerConfig - update idemix and mathlib dep - add logs to idemix issuer - doc update
HEAD is now at 86c6b463 Release commit for v1.5.7
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ make fabric-ca-client
Building fabric-ca-client in bin directory ...
# github.com/IBM/mathlib/driver/kilic
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:137:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:148:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:152:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:155:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:156:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:158:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:327:2: undefined: mul
make: *** [Makefile:106: bin/fabric-ca-client] Error 1
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ git checkout v1.5.6
Previous HEAD position was 86c6b463 Release commit for v1.5.7
HEAD is now at 47a32f27 Release commit for v1.5.6 (#358)
barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ make fabric-ca-client
Building fabric-ca-client in bin directory ...
Built bin/fabric-ca-client
Background. Customer is running code to test registering/enrolling operations on a daily basis. Failures began occurring after re-enrollments and could only be corrected by restarting the CA.
Log snippet from the CA:
2022-06-22T05:00:05.813188931Z 2022/06/22 05:00:05 [INFO] signed certificate with serial number 227295963368738719576295504100228910397990236259
2022-06-22T05:00:05.856018279Z 2022/06/22 05:00:05 [INFO] 172.30.14.166:60118 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.047488264Z 2022/06/22 05:00:06 [INFO] signed certificate with serial number 443761956686633821028606532772396696503568673733
2022-06-22T05:00:06.099787377Z 2022/06/22 05:00:06 [INFO] 172.30.14.166:60120 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.192780584Z 2022/06/22 05:00:06 [INFO] 172.30.16.22:49800 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"
2022-06-22T05:23:28.755945128Z 2022/06/22 05:23:28 [INFO] 172.30.16.22:47926 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"
Note in the log that when attempting to register a user, it fails with an error indicating that the current time is in the past.
This is related to the recent change to add "reenrollignorecertexpiry" to the configuration.
In fabric-ca/lib/serverrequestcontext.go:
	reenrollIgnoreCertExpiry := ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.ReenrollIgnoreCertExpiry
	// Make sure the caller's cert was issued by this CA
	err2 = ca.VerifyCertificate(cert, reenrollIgnoreCertExpiry)
	if err2 != nil {
		return "", caerrors.NewAuthenticationErr(caerrors.ErrUntrustedCertificate, "Untrusted certificate: %s", err2)
	}
The reenrollIgnoreCertExpiry is set only for "reenroll".
In fabric-ca/lib/ca.go:
func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
	log.Debugf("Certicate Dates: NotAfter = %s NotBefore = %s \n", cert.NotAfter.String(), cert.NotBefore.String())
	opts, err := ca.getVerifyOptions()
	if err != nil {
		return errors.WithMessage(err, "Failed to get verify options")
	}
	// force check time to be 30 seconds after certificate start time to ensure expiry doesn't get flagged
	// this is one of the checks that is made on the certificate in Verify()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
	}
The opts.CurrentTime is reset to an offset time, but only for re-enrollments.
The getVerifyOptions returns the current options if they already exist.
func (ca *CA) getVerifyOptions() (*x509.VerifyOptions, error) {
	if ca.verifyOptions != nil {
		return ca.verifyOptions, nil
	}
The problem is there is nothing that resets the opts.CurrentTime.
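The request sequence from the log above, replayed as an added example (not fabric-ca's code): a hypothetical verifyCA with a cached *x509.VerifyOptions, the in-place mutation that leaks the forced CurrentTime from a /reenroll into the next /register, and a variant that copies the options per call. The root CA and the two client certificates are constructed in memory, with dates mirroring the ones in the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyCA is a hypothetical stand-in for the fields of fabric-ca's CA that
// matter here: the trust root and the cached *x509.VerifyOptions.
type verifyCA struct {
	roots         *x509.CertPool
	verifyOptions *x509.VerifyOptions
}

// getVerifyOptions mirrors the caching in the issue: once built, the same
// pointer is handed to every caller.
func (ca *verifyCA) getVerifyOptions() *x509.VerifyOptions {
	if ca.verifyOptions != nil {
		return ca.verifyOptions
	}
	ca.verifyOptions = &x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	return ca.verifyOptions
}

// VerifyCertificateShared reproduces the reported behaviour: with forceTime the
// cached options are changed in place, so the forced CurrentTime is still there
// for the next request, which never asked for it.
func (ca *verifyCA) VerifyCertificateShared(cert *x509.Certificate, forceTime bool) error {
	opts := ca.getVerifyOptions()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(*opts)
	return err
}

// VerifyCertificateCopy is the hardened variant: work on a per-call copy, so the
// zero CurrentTime (meaning time.Now()) is what every non-reenroll request sees.
func (ca *verifyCA) VerifyCertificateCopy(cert *x509.Certificate, forceTime bool) error {
	opts := *ca.getVerifyOptions()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(opts)
	return err
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// issue signs tmpl with signer (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildFixture constructs an in-memory root CA and two client certs: the "old"
// cert (already expired) a client re-enrolls with, and a "new" cert that only
// becomes valid on 2021-11-18, the date seen in the log's rejection message.
func buildFixture() (ca *verifyCA, oldCert, newCert *x509.Certificate) {
	utc := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore: utc(2020, 1, 1), NotAfter: utc(2120, 1, 1),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := func(serial int64, nb, na time.Time) *x509.Certificate {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "constructed-client"},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, caCert, &mustKey().PublicKey, caKey)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &verifyCA{roots: roots}, leaf(2, utc(2021, 6, 28), utc(2022, 6, 28)), leaf(3, utc(2021, 11, 18), utc(2121, 11, 18))
}

// RunScenario replays the order from the log: /reenroll (forceTime on, as with
// reenrollignorecertexpiry) followed by /register (forceTime off).
func RunScenario(shared bool) (reenrollErr, registerErr error) {
	ca, oldCert, newCert := buildFixture()
	verify := ca.VerifyCertificateCopy
	if shared {
		verify = ca.VerifyCertificateShared
	}
	reenrollErr = verify(oldCert, true)
	registerErr = verify(newCert, false)
	return reenrollErr, registerErr
}

func main() {
	for _, shared := range []bool{true, false} {
		re, reg := RunScenario(shared)
		fmt.Printf("shared=%v reenroll=%v register=%v\n", shared, re, reg)
	}
}
```

With the shared options the second call fails with the same "current time ... is before ..." message as the log; with the per-call copy both calls succeed.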
I am facing an issue while trying to install a new chaincode in my peer:
Server TLS handshake failed with error: tls: bad certificate server=PeerServer
My peer is running a TLSCA and a CA-Server and,
Peer version: 2.4.4
fabric-ca: latest
TLSCA: 1.5.0
I am getting the above error from organizations/peerOrganizations/organization.com/users/[email protected]/msp
I have also checked the signcerts/cert.pem and found that it has actually expired. Also the cert.pem in signcerts of the peer has also expired.
Is there any document which I can follow for renewing the certificates for my peer?
Currently, Fabric-CA generates an Idemix MSP folder structure and file content that Fabric is not able to load.
Namely:
- SignerConfig is encoded in json, Fabric expected proto
- RevocationPublicKey and IdemixRevocationPublicKey
This git issue is to fix the above issues.
In the documentation for getting started the following is defined
Go 1.10+ installation
GOPATH environment variable is set correctly
libtool and libltdl-dev packages are installed
However Go 1.16 is now required and GOPATH doesn't need to be set
In the install section it says to use
go get -u github.com/hyperledger/fabric-ca/cmd/...
This will fail due to a breaking api change in go-kit (see https://stackoverflow.com/questions/69565838/i-encountered-an-error-while-installing-fabric-ca-with-the-go-get-command)
One solution is to remove the -u option, but I don't know if that would download, build and install a version using the exact same dependencies that the official builds use (anyone able to confirm?)
The alternative would be to reference the official build packages instead ? (suggestions please)
Also the following text still refers to the master branch
Note: If you have already cloned the fabric-ca repository, make sure you are on the master branch before running the ‘go get’ command above. Otherwise, you might see the following error:
I have recently been trying to configure a connection between the LDAP server that we use for storing user credentials and the fabric-ca server. In our configuration, we are using NodeOUs to determine user permissions - when not using LDAP, and registering with the ca directly, we set this using the -type flag set to one of admin, peer, client or orderer. However, it seems that when using LDAP configuration, the user is always set to a default of type client, which cannot be changed through any LDAP attributes or API calls.
This makes the LDAP configuration with the ca unusable if you want to have any sort of policies set up requiring type admin/peer/orderer, as the certificate always identifies it as type client. Here is a link to a stackoverflow post where they had the same issue, for added context on the issue - https://stackoverflow.com/questions/63834220/set-admin-role-for-an-ldap-user-in-hyperledger-fabric-ca.
I'm pretty sure that this can easily be fixed by just editing the file fabric-ca/lib/server/ldap/client.go, specifically the getType function on line 342: just adding an attribute lookup in LDAP for an attribute Type or something similar, and then if that value exists return it, otherwise still defaulting to client.
If there is a way to set the type of a user when getting the details from LDAP, please let me know!
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22195 says "Jinja2" is where the vulnerability lies. It can be found in https://github.com/hyperledger/fabric-ca/blob/main/docs/requirements.txt#L17, which is the list of required libraries for building Hyperledger Fabric CA documentation.
This is a vulnerability, but a very low priority vulnerability because it's just documentation.
I got an issue: my tls cert is expired. So I upgraded the CA to 1.5.7; it also does not work when using the following command to upgrade the cert: fabric-ca-client reenroll --mspdir "/etc/hyperledger/fabric-ca-server/msp/" --tls.certfiles "/etc/hyperledger/fabric-ca-server/tls-cert.pem" --csr.keyrequest.reusekey
2023/12/04 12:39:28 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2023/12/04 12:39:28 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] encoded CSR
Error: Failed to reenroll 'fabric_admin': POST failure of request: POST https://emsd-ca-service:7054/reenroll
{"hosts":["start-emsd-ca-client-mlmw7"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBVjCB/gIBADBkMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxFTATBgNV\nBAMMDGZhYnJpY19hZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL4K56Ly\nEdz5piVDdiAjnnT84SUTXbnrqVFl0RNgX8dJCY2OnlruAhOBL3uKLpzeX/CPDRdf\nZsUmsoFeIetlNxSgODA2BgkqhkiG9w0BCQ4xKTAnMCUGA1UdEQQeMByCGnN0YXJ0\nLWVtc2QtY2EtY2xpZW50LW1sbXc3MAoGCCqGSM49BAMCA0cAMEQCIGzZVLUZg7D8\ne2jCJkrui5Sp08zgQHaSWG6r8yNp+RQ1AiAX8uQP4hRP9c198sjTWCkjVLUNVOS1\nXVsa3xFTHbOZIA==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://emsd-ca-service:7054/reenroll": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-12-04T12:39:29+08:00 is after 2023-11-29T09:09:00Z ---
Incorrect password entered 10 times, max incorrect password limit of 10 reached
It seems like fabric-ca packages for linux and windows are missing in release v1.5.0
While setting fabric network using the command curl -sSL https://bit.ly/2ysbOFE | bash -s
it is trying to install the fabric-ca package 1.5.0 for linux, and since it is not available the script throws an error
==> Cloning hyperledger/fabric-samples repo
Cloning into 'fabric-samples'...
remote: Enumerating objects: 7688, done.
remote: Total 7688 (delta 0), reused 0 (delta 0), pack-reused 7688
Receiving objects: 100% (7688/7688), 4.50 MiB | 18.43 MiB/s, done.
Resolving deltas: 100% (4020/4020), done.
fabric-samples v2.3.2 does not exist, defaulting main
Pull Hyperledger Fabric binaries
===> Downloading version 2.3.2 platform specific fabric binaries
===> Downloading: https://github.com/hyperledger/fabric/releases/download/v2.3.2/hyperledger-fabric-linux-amd64-2.3.2.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 649 100 649 0 0 3294 0 --:--:-- --:--:-- --:--:-- 3294
100 73.5M 100 73.5M 0 0 33.1M 0 0:00:02 0:00:02 --:--:-- 40.3M
==> Done.
===> Downloading version 1.5.0 platform specific fabric-ca-client binary
===> Downloading: https://github.com/hyperledger/fabric-ca/releases/download/v1.5.0/hyperledger-fabric-ca-linux-amd64-1.5.0.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9 100 9 0 0 47 0 --:--:-- --:--:-- --:--:-- 47
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
==> There was an error downloading the binary file.
------> 1.5.0 fabric-ca-client binary is not available to download (Available from 1.1.0-rc1) <----
Ubuntu Linux
It was working two days ago but since this morning it has suddenly stopped working. It seems the new release 1.5.1, which was released on August 16, may have something to do with this
First image is 1.5.0 and second image is 1.5.1
Linux binaries for 1.5.0 were available here
https://github.com/hyperledger/fabric-ca/releases/download/v1.5.0/hyperledger-fabric-ca-linux-amd64-1.5.0.tar.gz
This link is broken now
Configuring the max lifetime for the Postgres database connection type, and likely all others, like maxLifetime in HikariCP would allow for regular connection cycling on a configured lifetime duration. I believe the default is "0" in the database/sql library, or infinite lifetimes.
PQ says it "Handles bad connections for database/sql" and line 727 func TestCloseBadConn seems to indicate PQ will recover from bad connections, that seem to last for an infinite timeframe, though I have seen in production stale connection pools not recycle stale connections. If we have access to the underlying configuration properties then we can manually configure the connection lifecycle.
The configuration properties I have in mind are as indicated in this article:
db.SetMaxOpenConns(25)
db.SetMaxIdleConns(25)
db.SetConnMaxLifetime(5*time.Minute)
Path: testdata/tls_server-cert.pem
It seems this problem happened last year and was "fixed" by this commit.
When I check the testdata/ec.pem, I get
Validity
Not Before: Oct 12 19:31:00 2016 GMT
Not After : Oct 11 19:31:00 2021 GMT
which makes the unit-test fail.
And I noticed that the rsa.pem is about to expire on Oct 24 14:46:00 2021 GMT.
I did not check all the certs in testdata, maybe there is more.
We have TLS CA and Organization CA(Root CA).
Configuration of TLS CA with postgres DB instance went fine. We are able to bootstrap admin and register our identities.
When configuring Organization CA, we are connecting to the same Postgres DB instance which is used by TLS CA.
We are able to bootstrap admin.
When registering a new user, it fails with "Authorization failure".
If we configure Org CA with a different postgres DB instance then register/enroll of new user goes fine.
Is there any restriction on having dedicated postgres DB for TLS CA and Org CA servers ?