How to generate server and client certfile, keyfile? #6
Closed
If an error occurs that was not related to usage of the command, then the usage message should not be displayed; rather, just the error that occurred is shown. However, if the problem was the usage of the command then the usage message should be printed. Also, resolves the issue where an error message was being sent to client twice during revocation. https://jira.hyperledger.org/browse/FAB-2835 https://jira.hyperledger.org/browse/FAB-2839 Change-Id: I75696ce396eb4d7be09afcff631aa4195527936d Signed-off-by: Saad Karim <[email protected]>
UT test was failing due to failure to unset CA_CFG_PATH Change-Id: I0a83dec0040b33215f31122640bf8da6969bcf65 Signed-off-by: rennman <[email protected]>
Change-Id: Ic09604c6282f2545e5bf3a6295c40cd8c98c9597 Signed-off-by: rennman <[email protected]>
Change-Id: I1615c3f2937ff3306ad232178ff13f4615bf0f4f Signed-off-by: rennman <[email protected]>
1. images/fabric-ca-fvt/Dockerfile.in a) Add bc, sqlite3, vim to docker image b) stop postgres after install so that DB is not corrupted 2. images/fabric-ca-fvt/start.sh a) add mode=STRICT_TRANS_TABLES to mysql start to allow zero dates b) change port values to variables c) increase timeout d) consolidate start of multiple daemons into a single loop to allow for inclusion of additional backend DBs in the future 3. Makefile - repeat replace Makefile again to revert removed docker-fvt image Change-Id: I268d39eb213dc295f9ceb6a963582c2687f4f5e7 Signed-off-by: rennman <[email protected]>
Change exec name from fabric-ca to fabric-ca-server or fabric-ca-client where applicable Move utility functions to separate file Move global variables to separate file Change-Id: Ie8aa8406194c64c32773aea135c4638255a62223 Signed-off-by: rennman <[email protected]>
With the previous incarnation of the fabric-ca command, configuration was only required for 'start'. With the newer version of the command, user configuration is also needed for 'init'. Modify the startup script to generate server configuration for either 'init' or 'start' Change-Id: I91a51e8e3a16e9ecc81860accce2bc62fe3ac96b Signed-off-by: rennman <[email protected]>
Use variable $DBNAME to simplify access to DB using various cmd-line tools Change-Id: I7880a540e6122cddaf9f3603091562ea8436471d Signed-off-by: rennman <[email protected]>
Add setTLS routine to determine whether to set proto to http or https and whether or not to pass certificate parameters Change-Id: I789da73755f2af6713c441d4846ab5e78d8cb3aa Signed-off-by: rennman <[email protected]>
Since there is now a docker image to run fvt tests, delete all of the clone, build, install routines as well as install of all the pre-requisites. These are now contained in images/fabric-ca-fvt/Dockerfile.in Change-Id: I85fffa0dd30dd497f7ce5623cf9c0a63e964fdaf Signed-off-by: rennman <[email protected]>
Change-Id: I046026fa3bfdb2b60545243f0576afbc42250371 Signed-off-by: rennman <[email protected]>
Change-Id: Icb7314af7b996f2243fc980d7617703cd7c32458 Signed-off-by: rennman <[email protected]>
Change-Id: Iaa5fbf097fffe1da8c3fb0c878ba89362a601b95 Signed-off-by: rennman <[email protected]>
Change-Id: If6e2716747b3c7699b88a8038883b115a85ab530 Signed-off-by: rennman <[email protected]>
Change-Id: I2496fa3012e04eefc6c4b9a366cbb43913987f61 Signed-off-by: rennman <[email protected]>
Change-Id: If5cd625edd192251babfddaefbb953da084c40f0 Signed-off-by: Frank Han <[email protected]>
Case1: Revoke all user certificates Case2: Revoke user certificate by SN and AKI Ensure case insensitivity w/r/t hexadecimal digits Ensure cross-org revocation is disallowed Ensure revocation is disallowed for user w/o revoker attribute Ensure DB user table is updated properly Ensure DB certificate table is updated properly Ensure user can revoke own certificate Also update setup script to allow for longer timeouts; The sqlite3 DB is inordinately slow in initializing large numbers of affiliations. Change-Id: I0040df5548210c311d1e09862bf3e99eee61a213 Signed-off-by: rennman <[email protected]>
All user's guide info for fabric-ca is in the fabric readthedocs and developer's guide info is in the fabric-ca README. This change set removes a lot of information that is now in the fabric readthedocs, and it adds some additional developer related info to README. Change-Id: I188b4df48ccaae8e363a57c77e9b4842b2306baa Signed-off-by: Keith Smith <[email protected]>
Currently, if ca.name property is not specified in the server configuration file, server's root ca cert is saved to '.pem' file, which is hidden by default. This change set will fix this problem by making ca.name property required. Change-Id: Ia1a8234a284885dc14fdd8ad97e383ff495ffa7e Signed-off-by: Anil Ambati <[email protected]>
AKI and serial are stored in the database with no leading zeros. Trim any zeros in serial number and AKI before doing a look up against the certificate table. Change-Id: Iac4932fb988f576b6726373bfae9f28db974aa3a Signed-off-by: Saad Karim <[email protected]>
See [FAB-3004]. The fabric-ca-server has extraneous flags which are not used by the runtime. This change set removes them and removes resulting dead code. Change-Id: I50843be43dfa82a98d55a843d030f974a463a874 Signed-off-by: Keith Smith <[email protected]>
Reworked the affiliation check logic during a revocation. Now perform whole word comparison rather than just a prefix check. See [FAB-3074] for more details Change-Id: If8784830897e750511898b5a1a434feacc2b638a Signed-off-by: Saad Karim <[email protected]>
Checks added to make sure the TLS certificate being used has appropriate dates, for example not being expired. Also, error handling improved to better indicate why a certificate might be rejected for use in a TLS connection. https://jira.hyperledger.org/browse/FAB-2795 Change-Id: If6c047627ddda0ea66bd043f55bd2f2249134310 Signed-off-by: Saad Karim <[email protected]>
Rather than storing the actual enrollment secret in the DB, store the hash of the secret. We then compare the hash values when checking to see if the user provided the correct enrollment secret. Change-Id: I6e2f18ebdfe4d5d7f970bee086f69b285b89c998 Signed-off-by: Keith Smith <[email protected]>
- update Makefile - update release notes Change-Id: Id3c32107aaf0d98b8d93a383e92597c30d613f9c Signed-off-by: Gari Singh <[email protected]>
Change-Id: I9fa110e46216e156d02c6870ff8ca0b47f9a4004 Signed-off-by: Gari Singh <[email protected]>
Single commit which squashes commits from master for 1.0.1 release based on FAB-5470 Change-Id: I1d2e555398eebfe22b0d00c8c149fbdbe1f0d7ef Signed-off-by: Gari Singh <[email protected]>
[FAB-5334] Intermediate CA does not copy BCCSP config Intermediate CA, when creating CSR with client, should pass BCCSP FactoryOpts to the client. Change-Id: I8ac47707aca33fac00ecbc49943a1a0717d11990 Signed-off-by: Volodymyr Paprotski <[email protected]> (cherry picked from commit b9e8a8e) Signed-off-by: Gari Singh <[email protected]>
[FAB-4126] Convert fatal message to error log.Fatal exits the process with 1, which is not what we want to do in a util function; we will let the caller decide whether to exit or not. Change-Id: I403a3c621e77eb40b871ab1c0afa1dc2130535e8 Signed-off-by: Anil Ambati <[email protected]> (cherry picked from commit 086cc2f) Signed-off-by: Gari Singh <[email protected]>
[FAB-5434] Fix mysql config in fvt image Ubuntu 16.04.1 recently updated the default mysql-server package to version 5.7.19. This is causing fvt tests in CI to fail on x86_64 (s390x uses Debian Jessie which uses mysql 5.5.55 so is not affected). This change is based on work in the mysql images available on Dockerhub. The change basically dismisses the postInstall config and initializes the database and sets the password when the image starts up. Change-Id: Ia8cb6a7faa77a5712a8ebf4d061215186c491e5e Signed-off-by: Gari Singh <[email protected]> (cherry picked from commit bc2b642) Signed-off-by: Gari Singh <[email protected]>
[FAB-4915] Fix timing bug in server stop This fixes a timing bug in server stop which could only be reproduced in CI. See [FAB-4915] for more information. Change-Id: I3fd36024ed7968b49d6f4e85a7a960f694cf1c7c Signed-off-by: Keith Smith <[email protected]> (cherry picked from commit 4e5c55f) Signed-off-by: Gari Singh <[email protected]>
[FAB-3051] Input validation on CSR fields RFC 3280 specifies upper bounds for fields in the CSR. This change set enforces those bounds by doing input validation on the CSR fields. These checks will also prevent authentication issues when the DN gets too long and token authentication errors out. For more information, see [FAB-3051] Change-Id: I170b372f2732b147b3ae0811b071ad4328533d0e Signed-off-by: Saad Karim <[email protected]> (cherry picked from commit e03673c) Signed-off-by: Gari Singh <[email protected]>
[FAB-5239] LDAP reconnect for idle timeout The fabric-ca-server connects to the LDAP server and caches the connection. If the LDAP server closes the connection because of inactivity, the fabric-ca-server should reconnect. That is what this change set does. The openldap server is reconfigured to close connections after 1 second of inactivity and the ldap test case to sleep for 3 seconds to hit this condition. The test case fails without the code change and passes with the code change. Change-Id: I38b06eb987fe939066acf8ebdc4f2d5b81a9b76f Signed-off-by: Keith Smith <[email protected]> (cherry picked from commit d31c0d7) Signed-off-by: Gari Singh <[email protected]>
[FAB-3662] Document DB version support Fabric CA documentation updated to state supported database versions. Change-Id: Ib03a8fbea01cd4354d47f3ffcb08e37b2c772c54 Signed-off-by: Saad Karim <[email protected]> (cherry picked from commit dd60a58) Signed-off-by: Gari Singh <[email protected]>
[FAB-4409] update vendored package cfssl Updated cfssl package to the latest revision of cfssl to pull the changes required by FAB-3026 Change-Id: I8b95769c254cacd2d58cd8442d1d601db143d475 Signed-off-by: Anil Ambati <[email protected]> (cherry picked from commit 2abc451) Signed-off-by: Gari Singh <[email protected]>
[FAB-4844] Store MSP intermediatecerts The "fabric-ca-client enroll" command was not storing the intermediatecerts as expected by MSP. It was storing the entire chain in the cacerts directory. This change set splits the CA chain and stores only the 1st one in the cacerts directory and stores the rest in the intermediatecerts directory. Unit tests and FVT tests cases fail w/o this fix and pass with it. Change-Id: Iede943bad9601db08c6c18f79add5608e8dfeaae Signed-off-by: Keith Smith <[email protected]> Signed-off-by: Saad Karim <[email protected]> (cherry picked from commit 3ba0088) Signed-off-by: Gari Singh <[email protected]>
[FAB-3026] OOM for very large CRLs A certificate containing a CRL URI that points to an extremely large file causes the server to crash with an out of memory exception. A config option (CRLSizeLimit) has been added to check and make sure that the requested CRL does not exceed the size specified by CRLSizeLimit. The default size limit is 512KB. This will prevent a malicious intent to crash the server by pointing to a CRL that is very large. See [FAB-3026] for more information Change-Id: Ibbb0506faecf29b9a9c0a361c2ff701c9945a973 Signed-off-by: Saad Karim <[email protected]> (cherry picked from commit f54aaf2) Signed-off-by: Gari Singh <[email protected]>
[FAB-5434] Fix mysql internal_DB permissions Fixes the initialization error of mysql server in fvt tests. This is a problem that is exclusive to the x86 CI build machines. Change-Id: I054911218d1906e7a6ecf221e89bc9bee129ac3c Signed-off-by: rennman <[email protected]> (cherry picked from commit d24c05c) Signed-off-by: Gari Singh <[email protected]>
[FAB-5009] Update intermediate CA test The current intermediate test does not test using TLS, nor does it test multiple backend DBs. This adds that support, as well as adding enroll/reenroll testing. Since the addition of multiple server starts, the utility files have been updated to speed up start detection. This should improve the runtime of the tests. Change-Id: I84c49878e2e17bd5ac98753b0c10c1a4d479d394 Signed-off-by: rennman <[email protected]> (cherry picked from commit 72e010e) Signed-off-by: Gari Singh <[email protected]>
FAB-5530 Vendor latest version of bccsp See FAB-5407 for changes Change-Id: I7ffa1aca4e729a79290342fc4f19ae871e78da8a Signed-off-by: Gari Singh <[email protected]> (cherry picked from commit fa60287) Signed-off-by: Gari Singh <[email protected]>
[FAB-5510] Mask the identity password in the log Identity password is printed in clear when CA config is printed to the log. For example in the "Init CA with home" debug statement. This change set fixes that problem. Change-Id: I1d5d73465559a468ae2be369daf41848c7c1ff5f Signed-off-by: Anil Ambati <[email protected]> Signed-off-by: Gari Singh <[email protected]> (cherry picked from commit 748467f) Signed-off-by: Gari Singh <[email protected]>
- set release to true in Makefile - updated changelog - created 1.0.1 release notes Change-Id: Ief9f477c75e0d660df8b1080bd04aaed20370b37 Signed-off-by: Gari Singh <[email protected]>
- base version = 1.0.2 - prev version = 1.0.1 - is_release = false Change-Id: Ic911e38759e2a470f25795278aee444834a51fcf Signed-off-by: Gari Singh <[email protected]>
(backport for 1.0.2) While this would not normally have been an issue, there are several cases where 3rd party operators are hosting/running fabric-ca. In those cases, the people who monitor the service should not be able to see any credentials in the logs if they need to turn on debug logging to troubleshoot. Change-Id: I51aa67a80094278e53481a91b8a9252655bd603e Signed-off-by: Gari Singh <[email protected]>
- updated changelog - updated release notes - set is_release to true Change-Id: I83c68e2c0bf1f38a184ff869fb9cfcc834a647c8 Signed-off-by: Gari Singh <[email protected]>
Change-Id: Id2a7755a5f50fd623f09f280a1f9d64f54e6e31c Signed-off-by: Gari Singh <[email protected]>
This is a back port of changeset https://gerrit.hyperledger.org/r/c/13659/ to v1.0.2 Sanitize debug messages to filter out any sensitive information and updated password test for DB/LDAP Change-Id: I7eefe85f3268c9b18922585dc09df5e3f41e5470 Signed-off-by: Anil Ambati <[email protected]>
The license text at the bottom of the README is a bit confusing as it might imply that the entire project is licensed under Creative Commons. See [FAB-6326] for details Change-Id: Idd71a53cbe82f3c95e22feaf48242e441e5a324f Signed-off-by: Gari Singh <[email protected]>
Change-Id: If3b51cac2ad3ca6cb0cd02ad625d1beb7d0ef644 Signed-off-by: Gari Singh <[email protected]>
Change-Id: I668b8329bcf14e55e0fe2679b00b6071c0304101 Signed-off-by: Gari Singh <[email protected]>
Change-Id: I8d6d352917751f79c405c98ffa030d0ded762139 Signed-off-by: Ry Jones <[email protected]>
Now that fabric has multiple branches, there is a need to set branch specific properties for CI. This can be done through the use of properties files. This CR introduces the ci.properties file and sets the first property: GO_VER Change-Id: I1c9d8cd7a48a485e8418153188e157c8c50abce3 Signed-off-by: Gari Singh <[email protected]>
In order to pick up the fix for FAB-5964 need to vendor the updated bccsp package. Change-Id: I57ffca408748d29f2b50513260e5c096273a0f45 Signed-off-by: Gari Singh <[email protected]>
There is an INFO message which was garbled due to an extra variable. Change-Id: I15f234ab80319598bb625a351b16e15d8c717bfd Signed-off-by: Gari Singh <[email protected]>
- updated CHANGELOG - add release notes Change-Id: Ia8ac63932e1665853297341f13129a2354c49b43 Signed-off-by: Gari Singh <[email protected]>
Change-Id: Ifd2f00111f65c5b515786b89a630235bfa1c7261 Signed-off-by: Gari Singh <[email protected]>
Back-port FAB-5786 to Fabric CA Release branch Change-Id: I0e9da45347f0ba7afb001d995f0d50e3aeccaa0d Signed-off-by: Saad Karim <[email protected]>
The max enrollments for the bootstrap user should use the max enrollments setting of the server. This is needed in order to allow starting the server to enforce one-time passwords and also use the default bootstrap user settings. The additional test case failed prior to this change set, but now succeeds. Change-Id: I58264542689ad1589cf764696353e33924f063e5 Signed-off-by: Keith Smith <[email protected]> Signed-off-by: Gari Singh <[email protected]>
- CHANGELOG generated - v1.0.5 release notes created - IS_RELEASE=true Change-Id: Ib48fbcb57f65d45147aa3a20c743fe96e62cda05 Signed-off-by: Gari Singh <[email protected]>
Change-Id: I64ced5838770940e5ccfa0462be7a8687589ea71 Signed-off-by: Gari Singh <[email protected]>
Tests were failing as the TLS server and client certs were expired. Regenerated new cert pairs and set the expiration for 10 years. Change-Id: I5d3ee4f387e619a681ea3397acce5411a9598689 Signed-off-by: Gari Singh <[email protected]>
Currently, the fabric-ca-client enroll command does not read the FABRIC_CA_CLIENT_URL environment variable when it is invoked without the -u option. With this change, it will use the -u parameter value if specified, else use the FABRIC_CA_CLIENT_URL env variable value. If neither is specified, it will read the value from the client config file. Also updated the expired TLS certificates in the testdata folder, otherwise, test cases were failing. Same change was done in the master branch, see change set: https://gerrit.hyperledger.org/r/#/c/16285 Change-Id: Ic6ef0d6d1ba1f90ec9357593f00d6b67616fe1e0 Signed-off-by: Anil Ambati <[email protected]>
Change-Id: I664c288b163cd3db7b011163a518d0dd9f090cc9 Signed-off-by: Gari Singh <[email protected]>
Change-Id: I373cde615e771ae248e5cc96330d2e67f3c6351d Signed-off-by: Gari Singh <[email protected]>
v1.0.0