-
Notifications
You must be signed in to change notification settings - Fork 516
/
FabricCAServices.js
428 lines (371 loc) · 15.5 KB
/
FabricCAServices.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
/*
Copyright 2017, 2018 IBM All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
'use strict';
const {Utils: utils, BaseClient} = require('fabric-common');
const FabricCAClient = require('./FabricCAClient');
const {normalizeX509} = BaseClient;
const path = require('path');
const {parseURL, checkRegistrar, getSubjectCommonName} = require('./helper');
const logger = utils.getLogger('FabricCAClientService.js');
// setup the location of the default config shipped with code
const default_config = path.resolve(__dirname, '../config/default.json');
utils.getConfig().reorderFileStores(default_config, true);
/**
* @typedef {Object} TLSOptions
* @property {string[]} trustedRoots Array of PEM-encoded trusted root certificates
* @property {boolean} [verify=true] Determines whether or not to verify the server certificate when using TLS
*/
/**
* This is an implementation of the member service client which communicates with the Fabric CA server.
* @class
* @extends BaseClient
*/
const FabricCAServices = class extends BaseClient {
/**
* constructor
*
* @param {string | object} url The endpoint URL for Fabric CA services of the form: "http://host:port" or "https://host:port"
When this parameter is an object then it must include the parameters listed as key value pairs.
* @param {TLSOptions} [tlsOptions] The TLS settings to use when the Fabric CA services endpoint uses "https"
* @param {string} [caName] The optional name of the CA. Fabric-ca servers support multiple Certificate Authorities from
* a single server. If omitted or null or an empty string, then the default CA is the target of requests
* @param {CryptoSuite|ICryptoSuite} [cryptoSuite] The optional cryptoSuite instance to be used if options other than defaults are needed.
* If not specified, an instance of {@link CryptoSuite} will be constructed based on the current configuration settings:
* <br> - crypto-hsm: use an implementation for Hardware Security Module (if set to true) or software-based key management (if set to false)
* <br> - crypto-keysize: security level, or key size, to use with the digital signature public key algorithm. Currently ECDSA
* is supported and the valid key sizes are 256 and 384
* <br> - crypto-hash-algo: hashing algorithm
*/
constructor(url, tlsOptions, caName, cryptoSuite) {
super();
let _url, _tlsOptions, _caName, _cryptoSuite;
if (typeof url === 'object') {
_url = url.url;
_tlsOptions = url.tlsOptions;
_caName = url.caName;
_cryptoSuite = url.cryptoSuite;
} else {
_url = url;
_tlsOptions = tlsOptions;
_caName = caName;
_cryptoSuite = cryptoSuite;
}
this.caName = _caName;
const endpoint = parseURL(_url);
if (_cryptoSuite) {
this.setCryptoSuite(_cryptoSuite);
} else {
this.setCryptoSuite(utils.newCryptoSuite());
this.getCryptoSuite().setCryptoKeyStore(utils.newCryptoKeyStore());
}
this._fabricCAClient = new FabricCAClient({
caname: _caName,
protocol: endpoint.protocol,
hostname: endpoint.hostname,
port: endpoint.port,
tlsOptions: _tlsOptions
}, this.getCryptoSuite());
logger.debug('Successfully constructed Fabric CA service client: endpoint - %j', endpoint);
}
/**
* Returns the name of the certificate authority.
*
* @returns {string} caName
*/
getCaName() {
return this.caName;
}
/**
* @typedef {Object} RegisterRequest
* @property {string} enrollmentID - ID which will be used for enrollment
* @property {string} enrollmentSecret - Optional enrollment secret to set for the registered user.
* If not provided, the server will generate one.
* @property {string} role - Optional arbitrary string representing a role value for the user
* @property {string} affiliation - Affiliation with which this user will be associated,
* like a company or an organization
* @property {number} maxEnrollments - The maximum number of times this user will be permitted to enroll
* @property {KeyValueAttribute[]} attrs - Array of {@link KeyValueAttribute} attributes to assign to the user
*/
/**
* Register the member and return an enrollment secret.
* @param {RegisterRequest} req - The {@link RegisterRequest}
* @param registrar {User}. The identity of the registrar (i.e. who is performing the registration)
* @returns {Promise} The enrollment secret to use when this user enrolls
*/
async register(req, registrar) {
if (!req) {
throw new Error('Missing required argument "request"');
}
if (!req.enrollmentID) {
throw new Error('Missing required argument "request.enrollmentID"');
}
if (typeof req.maxEnrollments === 'undefined' || req.maxEnrollments === null) {
// set maxEnrollments to 1
req.maxEnrollments = 1;
}
checkRegistrar(registrar);
return this._fabricCAClient.register(req.enrollmentID, req.enrollmentSecret, req.role, req.affiliation, req.maxEnrollments, req.attrs,
registrar.getSigningIdentity());
}
/**
* @typedef {Object} EnrollmentRequest
* @property {string} enrollmentID - The registered ID to use for enrollment
* @property {string} enrollmentSecret - The secret associated with the enrollment ID
* @property {string} profile - The profile name. Specify the 'tls' profile for a TLS certificate;
* otherwise, an enrollment certificate is issued.
* @property {string} csr - Optional. PEM-encoded PKCS#10 Certificate Signing Request. The message sent from client side to
* Fabric-ca for the digital identity certificate.
* @property {AttributeRequest[]} attr_reqs - An array of {@link AttributeRequest}
*/
/**
* @typedef {Object} Enrollment
* @property {Object} key - the private key
* @property {string} certificate - The enrollment certificate in base 64 encoded PEM format
* @property {string} rootCertificate - Base 64 encoded PEM-encoded certificate chain of the CA's signing certificate
*/
/**
* Enroll the member and return an opaque member object.
*
* @param req the {@link EnrollmentRequest} If the request contains the field "csr", this csr will be used for
* getting the certificate from Fabric-CA. Otherwise , a new private key will be generated and be used to
* generate a csr later.
* @returns {Promise<Enrollment>} If the request does not contain the field "csr", the returned promise resolves an
* {@link Enrollment} object with "key" for the new generated private key. If the request contains the field "csr",
* the resolved {@link Enrollment} object does not contain the property "key".
*/
async enroll(req) {
if (!req) {
logger.error('enroll() missing required argument "request"');
throw new Error('Missing required argument "request"');
}
if (!req.enrollmentID) {
logger.error('Invalid enroll request, missing enrollmentID');
throw new Error('req.enrollmentID is not set');
}
if (!req.enrollmentSecret) {
logger.error('Invalid enroll request, missing enrollmentSecret');
throw new Error('req.enrollmentSecret is not set');
}
if (req.attr_reqs) {
if (!Array.isArray(req.attr_reqs)) {
logger.error('Invalid enroll request, attr_reqs must be an array of AttributeRequest objects');
throw new Error('req.attr_reqs is not an array');
}
for (const attr_req of req.attr_reqs) {
if (!attr_req.name) {
logger.error('Invalid enroll request, attr_reqs object is missing the name of the attribute');
throw new Error('req.att_regs is missing the attribute name');
}
}
}
const storeKey = !!this.getCryptoSuite()._cryptoKeyStore;
try {
let csr;
let privateKey;
if (req.csr) {
logger.debug('try to enroll with a csr');
csr = req.csr;
} else {
try {
if (storeKey) {
privateKey = await this.getCryptoSuite().generateKey();
} else {
privateKey = this.getCryptoSuite().generateEphemeralKey({persist: true});
}
logger.debug('successfully generated key pairs');
} catch (err) {
throw new Error(`Failed to generate key for enrollment due to error [${err}]: ${err.stack}`);
}
try {
csr = privateKey.generateCSR('CN=' + req.enrollmentID);
logger.debug('successfully generated csr');
} catch (err) {
throw new Error(`Failed to generate CSR for enrollment due to error [${err}]: ${err.stack}`);
}
}
const enrollResponse = await this._fabricCAClient.enroll(req.enrollmentID, req.enrollmentSecret, csr, req.profile, req.attr_reqs);
logger.debug('successfully enrolled %s', req.enrollmentID);
const enrollment = {
certificate: enrollResponse.enrollmentCert,
rootCertificate: enrollResponse.caCertChain
};
if (!req.csr) {
enrollment.key = privateKey;
}
return enrollment;
} catch (error) {
logger.error('Failed to enroll %s, error:%o', req.enrollmentID, error);
throw error;
}
}
/**
* Re-enroll the member in cases such as the existing enrollment certificate is about to expire, or
* it has been compromised
* @param {User} currentUser The identity of the current user that holds the existing enrollment certificate
* @param {AttributeRequest[]} [attrReqs] An array of {@link AttributeRequest} that indicate attributes to
* be included in the certificate
* @returns Promise for an object with "key" for private key and "certificate" for the signed certificate
*/
async reenroll(currentUser, attrReqs) {
if (!currentUser) {
logger.error('Invalid re-enroll request, missing argument "currentUser"');
throw new Error('Invalid re-enroll request, missing argument "currentUser"');
}
if (!currentUser.constructor || currentUser.constructor.name !== 'User') {
logger.error('Invalid re-enroll request, "currentUser" is not a valid User object');
throw new Error('Invalid re-enroll request, "currentUser" is not a valid User object');
}
if (attrReqs) {
if (!Array.isArray(attrReqs)) {
logger.error('Invalid re-enroll request, attr_reqs must be an array of AttributeRequest objects');
throw new Error('Invalid re-enroll request, attr_reqs must be an array of AttributeRequest objects');
}
for (const attr_req of attrReqs) {
if (!attr_req.name) {
logger.error('Invalid re-enroll request, attr_reqs object is missing the name of the attribute');
throw new Error('Invalid re-enroll request, attr_reqs object is missing the name of the attribute');
}
}
}
const cert = currentUser.getIdentity()._certificate;
let subject = null;
try {
subject = getSubjectCommonName(normalizeX509(cert));
} catch (err) {
logger.error(`Failed to parse enrollment certificate ${cert} for Subject. \nError: ${err}`);
}
if (!subject) {
throw new Error('Failed to parse the enrollment certificate of the current user for its subject');
}
// generate enrollment certificate pair for signing
let privateKey;
try {
privateKey = await this.getCryptoSuite().generateKey();
} catch (e) {
throw Error(`Failed to generate key for enrollment due to error [${e}]: ${e.stack}`);
}
// generate CSR using the subject of the current user's certificate
let csr;
try {
csr = privateKey.generateCSR('CN=' + subject);
} catch (e) {
throw Error(`Failed to generate CSR for enrollment due to error [${e}]`);
}
const response = await this._fabricCAClient.reenroll(csr, currentUser.getSigningIdentity(), attrReqs);
return {
key: privateKey,
certificate: Buffer.from(response.result.Cert, 'base64').toString(),
rootCertificate: Buffer.from(response.result.ServerInfo.CAChain, 'base64').toString()
};
}
/**
* Revoke an existing certificate (enrollment certificate or transaction certificate), or revoke
* all certificates issued to an enrollment id. If revoking a particular certificate, then both
* the Authority Key Identifier and serial number are required. If revoking by enrollment id,
* then all future requests to enroll this id will be rejected.
* @param {Object} request Request object with the following fields:
* <br> - enrollmentID {string}. ID to revoke
* <br> - aki {string}. Authority Key Identifier string, hex encoded, for the specific certificate to revoke
* <br> - serial {string}. Serial number string, hex encoded, for the specific certificate to revoke
* <br> - reason {string}. The reason for revocation. See https://godoc.org/golang.org/x/crypto/ocsp
* <br> - gencrl {bool}. GenCRL specifies whether to generate a CRL
* for valid values. The default value is 0 (ocsp.Unspecified).
* @param {User} registrar The identity of the registrar (i.e. who is performing the revocation)
* @returns {Promise} The revocation results
*/
async revoke(request, registrar) {
if (!request) {
throw new Error('Missing required argument "request"');
}
if (!request.enrollmentID || request.enrollmentID === '') {
if (!request.aki || request.aki === '' || !request.serial || request.serial === '') {
throw new Error('Enrollment ID is empty, thus both "aki" and "serial" must have non-empty values');
}
}
checkRegistrar(registrar);
return this._fabricCAClient.revoke(
request.enrollmentID,
request.aki,
request.serial,
(request.reason) ? request.reason : null,
(request.gencrl) ? request.gencrl : false,
registrar.getSigningIdentity());
}
/**
* @typedef {Object} Restriction
* @property {Date} revokedBefore - Include certificates that were revoked before this UTC timestamp (in RFC3339 format) in the CRL
* @property {Date} revokedAfter - Include certificates that were revoked after this UTC timestamp (in RFC3339 format) in the CRL
* @property {Date} expireBefore - Include revoked certificates that expire before this UTC timestamp (in RFC3339 format) in the CRL
* @property {Date} expireAfter - Include revoked certificates that expire after this UTC timestamp (in RFC3339 format) in the CRL
*/
/**
*
* @param {Restriction} request
* @param {User} registrar The identity of the registrar (i.e. who is performing the revocation)
* @returns {Promise} The Certificate Revocation List (CRL)
*/
async generateCRL(request, registrar) {
if (!request) {
throw new Error('Missing required argument "request"');
}
checkRegistrar(registrar);
return this._fabricCAClient.generateCRL(
request.revokedBefore ? request.revokedBefore.toISOString() : null,
request.revokedAfter ? request.revokedAfter.toISOString() : null,
request.expireBefore ? request.expireBefore.toISOString() : null,
request.expireAfter ? request.expireAfter.toISOString() : null,
registrar.getSigningIdentity());
}
/**
* Create a new {@link CertificateService} instance
*
* @returns {CertificateService} object
*/
newCertificateService() {
return this._fabricCAClient.newCertificateService();
}
/**
* Creates a new {@link IdentityService} object
*
* @returns {IdentityService} object
*/
newIdentityService() {
return this._fabricCAClient.newIdentityService();
}
/**
* Create a new {@link AffiliationService} object
*
* @returns {AffiliationService} object
*/
newAffiliationService() {
return this._fabricCAClient.newAffiliationService();
}
/**
* @typedef {Object} HTTPEndpoint
* @property {string} hostname
* @property {number} port
* @property {string} protocol
*/
/**
* return a printable representation of this object
*/
toString() {
return 'FabricCAServices : {' +
'hostname: ' + this._fabricCAClient._hostname +
', port: ' + this._fabricCAClient._port +
'}';
}
/**
* Utility function that exposes the helper.parseURL() function
* @param {string} url HTTP or HTTPS url including protocol, host and port
* @returns {HTTPEndpoint}
* @throws InvalidURL for malformed URLs
* @ignore
*/
static _parseURL(url) {
return parseURL(url);
}
};
module.exports = FabricCAServices;