cryptogen is a utility provided by Hyperledger Fabric for generating the cryptographic material (public/private keys, certificates and so on) of network entities. Put simply, it is a tool for generating x509 certificates. These certificates represent an identity and allow network entities to sign and authenticate each other when they communicate and transact.
cryptogen takes a crypto-config.yaml file that describes the network topology and generates a set of certificates and keys for the organizations defined in the file and for the entities belonging to those organizations. Each organization is configured with its own root certificate (ca-cert) that covers the organization's specific entities (peers and orderers). This yields a typical network structure: every member belongs to a CA. In a Hyperledger Fabric network, transactions and communications are signed with the entity's private key and verified with its public key.
1 Building cryptogen
The cryptogen source lives in fabric/common/tools/cryptogen/ and builds into a stand-alone executable. There are two ways to build the cryptogen executable.
1) Run make cryptogen in fabric/. If it succeeds, the executable cryptogen is created in fabric/build/bin/.
2) Run go build directly in fabric/common/tools/cryptogen/.
2 The crypto-config.yaml file
The official site provides a configuration file, crypto-config.yaml, for use with cryptogen. The file name is not fixed; you can choose your own, as long as you pass the corresponding file to the cryptogen generate command.
The file contains the Orderer and peer configuration (the official documentation uses the concept of an Organization) for which certificates and key pairs are to be generated. These certificates represent identities and are used for signing and identity verification when entities communicate and transact. The configuration file reads as follows:
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    # ---------------------------------------------------------------------------
    # "Specs"
    # ---------------------------------------------------------------------------
    # Uncomment this section to enable the explicit definition of hosts in your
    # configuration. Most users will want to use Template, below
    #
    # Specs is an array of Spec entries. Each Spec entry consists of two fields:
    #   - Hostname:   (Required) The desired hostname, sans the domain.
    #   - CommonName: (Optional) Specifies the template or explicit override for
    #                 the CN. By default, this is the template:
    #
    #                              "{{.Hostname}}.{{.Domain}}"
    #
    #                 which obtains its values from the Spec.Hostname and
    #                 Org.Domain, respectively.
    # ---------------------------------------------------------------------------
    # Specs:
    #   - Hostname: foo # implicitly "foo.org1.example.com"
    #     CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above
    #   - Hostname: bar
    #   - Hostname: baz
    # ---------------------------------------------------------------------------
    # "Template"
    # ---------------------------------------------------------------------------
    # Allows for the definition of 1 or more hosts that are created sequentially
    # from a template. By default, this looks like "peer%d" from 0 to Count-1.
    # You may override the number of nodes (Count), the starting index (Start)
    # or the template used to construct the name (Hostname).
    #
    # Note: Template and Specs are not mutually exclusive. You may define both
    # sections and the aggregate nodes will be created for you. Take care with
    # name collisions
    # ---------------------------------------------------------------------------
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    Template:
      Count: 2
    Users:
      Count: 1
It mainly contains the configuration of the Orderer organization (with 1 orderer) and of the peer organizations (2 peer organizations, Org1 and Org2).
Name: defines the organization name.
Domain and Hostname: together they form the node name, which is also the name of the generated folder.
Count: specifies the number of nodes under each org; here each org is configured with 2 peers.
Users: specifies the number of default user accounts added for the organization (in addition to Admin).
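The naming rules these fields describe, as an added Go example that is not cryptogen's own code: a simplified re-implementation of how Template and Specs expand into node names, assuming the defaults stated in the YAML comments (hosts peer%d starting at Start, CN "{{.Hostname}}.{{.Domain}}" unless CommonName overrides it); the Hostname template override is left out, and the collision check is an addition, since the YAML only warns about collisions.

```go
package main

import "fmt"

// Spec, Template and Org mirror the corresponding sections of crypto-config.yaml;
// the "{{.Prefix}}{{.Index}}" Hostname template override is not modelled.
type Spec struct{ Hostname, CommonName string }
type Template struct{ Count, Start int }
type Org struct {
	Name, Domain string
	Specs        []Spec
	Template     Template
}

// NodeNames expands Template (prefix<Start>..prefix<Start+Count-1>, e.g. peer0, peer1)
// and then Specs (CommonName, or Hostname + "." + Domain) into the fully qualified node
// names, which are also the folder names cryptogen creates under peers/ or orderers/.
// The two sections are additive, so a duplicate name is reported as an error (an added
// check; the YAML comment only warns about collisions).
func NodeNames(org Org, prefix string) ([]string, error) {
	var names []string
	for i := 0; i < org.Template.Count; i++ {
		names = append(names, fmt.Sprintf("%s%d.%s", prefix, org.Template.Start+i, org.Domain))
	}
	for _, s := range org.Specs {
		cn := s.CommonName
		if cn == "" {
			cn = s.Hostname + "." + org.Domain
		}
		names = append(names, cn)
	}
	seen := map[string]bool{}
	for _, n := range names {
		if seen[n] {
			return nil, fmt.Errorf("name collision in %s: %s", org.Name, n)
		}
		seen[n] = true
	}
	return names, nil
}

func main() {
	// Org1 as in the page's crypto-config.yaml: Template Count 2, no Specs.
	org1 := Org{Name: "Org1", Domain: "org1.example.com", Template: Template{Count: 2}}
	fmt.Println(NodeNames(org1, "peer")) // [peer0.org1.example.com peer1.org1.example.com] <nil>
	// The Orderer org uses Specs only, so its single node is orderer.example.com.
	orderer := Org{Name: "Orderer", Domain: "example.com", Specs: []Spec{{Hostname: "orderer"}}}
	fmt.Println(NodeNames(orderer, "orderer")) // [orderer.example.com] <nil>
}
```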
3 The cryptogen command
Generate the certificate files with the following command:
cryptogen generate --config=./crypto-config.yaml
The output is saved in the crypto-config directory.