revoker | Java implementation of a CRL Distribution Point | TLS library
kandi X-RAY | revoker Summary
This app is a Dropwizard app that can respond to CRL requests and OCSP requests for a given CA. You need to provide the app with access to the index file of the CA, which is effectively the database for the CA, the crl file, and a Java KeyStore containing the key and certificate chain to sign the OCSP responses with. This is all done within the conf.yml file.
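To make the summary concrete, here is an added example (written for this page, not revoker's own code) of how an OCSP responder can turn the CA's index file into per-serial status answers. It assumes the index uses OpenSSL's index.txt layout, which the page does not state, and the class and method names (CaIndex, parseLine, ocspStatus) are made up for the example.

```java
import java.math.BigInteger;
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.util.*;

/** Reads OpenSSL-style CA index lines: status, expiry, revocation[,reason], serial, file, DN (tab-separated). */
public final class CaIndex {
    public enum Status { GOOD, REVOKED, EXPIRED }
    public static final class Entry {  // revokedAt and reason stay null unless status == REVOKED
        public final Status status; public final BigInteger serial; public final Instant revokedAt; public final String reason;
        Entry(Status s, BigInteger n, Instant r, String why) { status = s; serial = n; revokedAt = r; reason = why; }
    }
    // index.txt times are UTCTime YYMMDDHHMMSSZ; java.time reads "yy" as 2000-2099, which is fine for current certs
    private static final DateTimeFormatter UTC_TIME = DateTimeFormatter.ofPattern("yyMMddHHmmss'Z'");
    private final Map<BigInteger, Entry> bySerial = new HashMap<>();

    public static Entry parseLine(String line) {
        String[] f = line.split("\t", -1);  // -1 keeps the empty revocation field of a valid entry
        if (f.length < 6) throw new IllegalArgumentException("malformed index line: " + line);
        Status status;
        switch (f[0]) {
            case "V": status = Status.GOOD; break;
            case "R": status = Status.REVOKED; break;
            case "E": status = Status.EXPIRED; break;
            default: throw new IllegalArgumentException("unknown status flag: " + f[0]);
        }
        Instant revokedAt = null; String reason = null;
        if (status == Status.REVOKED) {  // field 3 is "YYMMDDHHMMSSZ" or "YYMMDDHHMMSSZ,reason"
            String[] rev = f[2].split(",", 2);
            revokedAt = LocalDateTime.parse(rev[0], UTC_TIME).toInstant(ZoneOffset.UTC);
            if (rev.length == 2) reason = rev[1];
        }
        return new Entry(status, new BigInteger(f[3], 16), revokedAt, reason);
    }
    public void load(String indexText) {
        for (String line : indexText.split("\n")) { if (line.isEmpty()) continue; Entry e = parseLine(line); bySerial.put(e.serial, e); }
    }
    /** OCSP answer for a serial: "good", "revoked", or "unknown" when this CA never issued it. */
    public String ocspStatus(BigInteger serial) {
        Entry e = bySerial.get(serial);
        return e == null ? "unknown" : e.status == Status.REVOKED ? "revoked" : "good";
    }

    public static void main(String[] args) {
        CaIndex idx = new CaIndex();  // constructed sample index, not taken from a real CA
        idx.load("V\t301231235959Z\t\t1001\tunknown\t/CN=alice\n" + "R\t301231235959Z\t240301120000Z,keyCompromise\t1002\tunknown\t/CN=bob\n");
        System.out.println(idx.ocspStatus(new BigInteger("1002", 16)) + " " + idx.ocspStatus(new BigInteger("1003", 16)));
    }
}
```

A serial that is absent from the index is answered "unknown" rather than "good", which is the safer default for a responder that only speaks for one CA.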
Top functions reviewed by kandi - BETA
- Parse certificate index line
- Returns a new builder
- Returns the RevocationReason with the given name
- Converts the certificate status into a certificate status
- Checks that all CRL files are readable
- Create a CRL from a file
- Make sure all the CRL files are readable
- Gets the file path
- Checks that the service is healthy
- Verifies that a given signing certificate chain is valid
- Check if certificate manager is healthy
- Read an OCSP request from an input stream
- Returns the OCSP error response
- Process an OCSP request over a POST request
- Returns true if this X509CRL is writable
- Returns true if this instance represents a X509CRL
- Start the scheduler
- Hook method intended to be overridden in subclasses
- Process an OCSP request
- Get CRL by name
- Returns the RevocationReason for the given CRL
- Serialize the OCSP response to the output stream
- Writes the response to the output stream
- Writes the CRL to the output stream
- Reads a CRL from an entity stream
- The main entry point
Community Discussions
QUESTION
Based on Hyperledger Fabric First Network (v1.4), I changed the names of peers, Orgs, CAs, etc. There is no problem with the containers or with generating certificates; the channel works fine.
...
ANSWER
Answered 2020-Dec-17 at 10:57: I can see Affiliations:map[org1:[department1 department2] org2:[department1]], which is the default value set when affiliation is not set in fabric-ca.
QUESTION
I have a Hyperledger Fabric Blockchain using V1.4. I am connected through LDAP to my organization's Active Directory and I want to be able to change the roles of my users from my AD.
Basically I need two roles: user and admin. A user can run contracts and an admin can install and upgrade contracts.
So what I'm trying to do is to add a converter in my LDAP configuration in fabric-ca-server-config.yaml and a map that changes my "memberOf" AD property to hf.Registrar.Roles like this:
...
ANSWER
Answered 2020-Sep-10 at 17:03: The certificate needs to have the OU that defines the admin. Look at the config.yaml in your MSP folder (in the peer - MSPCONFIGPATH) and see what OU defines the administrator.
You can also try to put the certificate that you use in the admincerts folder of the MSP of the peer; it should also make it an admin.
QUESTION
I'm attempting to make an administration role within firebase using claims and check the role in onCall methods within the Cloud Functions environment. I was under the assumption that the context.auth.token would be verified, but it seems that a user, when changed from admin to regular user (or any other edit on a user, which revokes the auth token using admin.auth().revokeRefreshTokens(uid)) doesn't actually have the rights revoked immediately, OR the token isn't verified on the subsequent onCall by the edited user:
ANSWER
Answered 2020-Jun-04 at 13:46: The admin in your token is a custom claim, which the client sends to the Cloud Function with each request as part of its ID token. The ID token on the client is refreshed once per hour. So after you add/remove the custom claim, it may take up to an hour before the client gets it and passes it along to Cloud Functions.
When an ID token is minted, it gets an expiration timestamp. Until that timestamp has passed, the ID token is assumed to be valid. Since the ID tokens of Firebase are typically valid for one hour, they can still be used for up to an hour after you make changes to the underlying user profile.
You can force the client to refresh its ID token before that by calling the getIDToken(true) API (Android link, but other platforms have a similar API). Also see the section in the documentation on propagating custom claims to the client. But this depends on the client, so it isn't good enough for security.
To ensure that updated tokens can no longer be used, you'll want to create a list of such "revoked" tokens. Then have your Cloud Function check against the list of revoked tokens, and reject the request if the token has been invalidated there. For an example of this, see the example in the Firebase documentation on detecting ID token revocation.
QUESTION
While reading the Fabric CA Operations Guide I noticed that the admins of the Org 1 and 2 were not assigned the type of admin when registering them in the corresponding CA as shown below:
...
ANSWER
Answered 2020-Apr-14 at 06:13: If you set up NodeOUs in your MSP, you must specify "admin" (or another identifier you specify in your config.yaml). This way, OU is set suitably in the enrolled certificate so that it is considered an admin.
If you don't set up NodeOUs in your MSP, then only certificates under admincerts in the MSP folder are considered admins. Their type or OU does not matter.
https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#organizational-units
QUESTION
I'm trying to enroll & register an admin to perform peer operations. This is the bash code:
...
ANSWER
Answered 2020-Apr-13 at 08:23: This is what is happening:
You created a system channel (which is the orderer genesis block) by creating the MAIN consortium. The system channel was created with the peer organization MSPs as they were at that moment. After the network was up, you went into org1/users and created an admin identity. You updated the local MSP of the peer, but the already existing system channel was never updated.
Possible solutions:
- Update the admin credentials within org1/users before the network is set up.
- Update the system channel configuration with the admin2 credentials post deployment by creating a channel update transaction.
- Enable NodeOUs so that any admin identity generated dynamically post the network deployment can perform admin related transactions.
QUESTION
I am trying to set up a fabric-ca with tls enabled. I started the server and enrolled the admin with tls enabled successfully. But when I try to register the user, I'm getting the error
ANSWER
Answered 2019-Dec-10 at 11:25: First, your CA must have TLS_ENABLES=true and have the path with the tls certificates mapped.
Next, in the command you are probably missing --tls true and --clientauth
I have a cli running with TLS enabled and a CA with TLS enabled; when I want to register a new user I use these options in the command line, adding keyfile and certfiles too.
QUESTION
So, I am trying to create a fabric network with a root CA and several intermediate CAs, one for each org, everything with TLS enabled and self-signed certs (no cryptogen). After running the root CA, I enroll the admin for it, create affiliations and register identities for the intermediate CAs using the flag hf.IntermediateCA=true. Then I copy the tls-cert.pem from the root CA to the volume to be used by the intermediate CA, and then I try to start the intermediate CA issuing:
ANSWER
Answered 2019-Oct-29 at 12:58: Mmm... The parent root CA TLS certificate (the trusted root certificates) should be specified with --intermediate.tls.certfiles. --tls.certfile and --tls.keyfile define the intermediate CA TLS certificate and key with respect to its children/clients.
Set --loglevel debug to get more information (and share it).
Edit: To answer your edit (I have no reputation to comment on your post), when you talk about --tls.keyfile, I don't mean that you must use it. I mean that, if you use --tls.certfile, you must also use --tls.keyfile, as they are intended to serve your intermediate CA services via TLS, not to trust your parent root CA's TLS certificate. For your purpose, you have --intermediate.tls.certfiles.
Your command should look like:
QUESTION
I know the problem "This identity is not an admin" is widely reported, but this is a specific case. I have read a lot of issues here and at Jira and I see no problem close to mine.
What I am trying to do is to join a channel from a peer in a full custom Hyperledger 1.4 network where I have not used cryptogen. The problem I am getting is exactly this one:
...
ANSWER
Answered 2019-Sep-27 at 10:58: Are you sure that the admin's certificate is really in the peer's admin folder?
QUESTION
I have enabled PKCS11 in fabric-ca, but when starting the fabric-ca-server natively it throws the error below. Please note it works fine with the default SW option.
- Check out fabric-ca v1.3.0
- Update the BCCSP property as below:
bccsp:
    default: PKCS11
    pkcs11:
        library: /usr/local/lib/softhsm/libsofthsm2.so
        pin: daily123
        label: org1label
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
- Run the server with the command ./fabric-ca-server start -b admin:adminpw -d
Error:
2018/10/12 07:27:01 [INFO] Configuration file location: /opt/gopath/bin/fabric-ca-server-config.yaml
2018/10/12 07:27:01 [INFO] Starting server in home directory: /opt/gopath/bin
2018/10/12 07:27:01 [INFO] Server Version: 1.3.0
2018/10/12 07:27:01 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/12 07:27:01 [DEBUG] Making server filenames absolute
2018/10/12 07:27:01 [DEBUG] Initializing default CA in directory /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Init CA with home /opt/gopath/bin and config {Version:1.3.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4204ce7d0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[safenet localhost] KeyRequest:0xc4204b1ac0 CA:0xc4204b1b40 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4204de060 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/10/12 07:27:01 [DEBUG] CA Home Directory: /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Checking configuration file version '1.3.0' against server version: '1.3.0'
2018/10/12 07:27:01 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/10/12 07:27:01 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s()
Could not find default PKCS11 BCCSP
ANSWER
Answered 2018-Oct-16 at 07:07: It works fine with the latest fabric-ca images (as of now the latest is 1.4.0-snapshot-cb7353f).
QUESTION
I'm trying to set some property in user metadata. I'm trying to do this using https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens and then https://firebase.google.com/docs/auth/admin/manage-sessions#update_user-specific_metadata_in.
Probably I'm doing something wrong, because it's not working. If I do this like in this article, and then call auth().listUsers to get the users' data, 'metadata' has only the default properties, creationTime and lastSignInTime, but not the new property revokeTime. Any idea?
Edit: My revoke function:
...
ANSWER
Answered 2019-Jul-13 at 14:08: The documentation you linked describes how to revoke access for a user to the database, without waiting for that user's ID token to expire. To accomplish this, it uses two products: Firebase Authentication and Firebase Realtime Database.
But the two products have no knowledge of each other, so the revokeTime you write to the database won't show up in the user's authentication record.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install revoker
You can use revoker like any standard Java library. Include the jar files in your classpath. You can also use any IDE to run and debug the revoker component as you would any other Java program. Best practice is to use a build tool that supports dependency management, such as Maven or Gradle. For Maven installation, refer to maven.apache.org. For Gradle installation, refer to gradle.org.