fabric-sdk-node icon indicating copy to clipboard operation
fabric-sdk-node copied to clipboard
verified publisher icon hyperledger

Q: How certificate_request is used in FabricCAClient request?

Open inglkruiz opened this issue 4 years ago • 0 comments

Hello, I'm just writing to get some clarification about how requestObj.certificate_request is used here https://github.com/hyperledger/fabric-sdk-node/blob/v2.2.11/fabric-ca-client/lib/FabricCAClient.js#L236

I'm using the class FabricCAServices and instantiating the class using the following piece of code

const fabricCAServices = new FabricCAServices(
    `${url}:443`,
    {
      trustedRoots: [caInfo.caChain],
      verify: true,
    },
    caInfo.caName
  );

Then I use the method fabricCAServices.enroll passing an object that has the property csr. So, the method fabricCAServices.enroll passes the csr to fabricCAClient.enroll (here you can see it https://github.com/hyperledger/fabric-sdk-node/blob/v2.2.11/fabric-ca-client/lib/FabricCAServices.js#L219) then the method puts it in an object

const enrollRequest = {
  certificate_request: csr
};

And finally it sends enrollRequest object to the request method without a signingIdentity (here you can see the method https://github.com/hyperledger/fabric-sdk-node/blob/v2.2.11/fabric-ca-client/lib/FabricCAClient.js#L236).

Since the signingIdentity is undefined (because the method fabricCAClient.enroll set it) the Authorization header is not set,rejectUnauthorized is set to true because verify: true when I instantiated the class, therefore, I get the following error:

image

I'm asking because I coded a script to create Identities and it was working until today, the latest change in my repository was the upgrade of the SDK from 2.2.9 to 2.2.11 but TBH I cannot blame the upgrade, I reviewed the code and it seems that nothing has changed in that logic for a long time.

So the question I have is: In the fabricCAClient.request method when

  1. signingIdentity is undefined
  2. AND this._tlsOptions.verify is true
  3. AND the property certificate_request exists in requestObj How the Authorization is header is set? Or Why the certificate_request is not used if the signingIdentity is undefined?

I'm not an expert in SSL/TLS certificates and cannot not propose a fix (I tried a couple of stuff but none worked), I just want to understand if it is an edge case o something is missing in the logic. For the moment the quick fix for this is it to instantiate FabricCaServices w/o verify.

const fabricCAServices = new FabricCAServices(
    `${url}:443`,
    {
      trustedRoots: [caInfo.caChain],
      verify: false,
    },
    caInfo.caName
  );

Thanks in advance,

inglkruiz avatar Dec 27 '21 15:12 inglkruiz