hfc.fabric_ca.caservice

Module Contents

Classes

Enrollment(private_key, enrollmentCert, caCertChain=None, service=None)

Class represents enrollment.

CAClient(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, base_url=DEFAULT_CA_BASE_URL, ca_name='', cryptoPrimitives=ecies())

Client for communicating with the Fabric CA APIs.

CAService(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, crypto=ecies(), ca_name='')

This is a ca server delegate.

Functions

ca_service(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, crypto=ecies(), ca_name='')

Create ca service

hfc.fabric_ca.caservice.DEFAULT_CA_ENDPOINT = http://localhost:7054
hfc.fabric_ca.caservice.DEFAULT_CA_BASE_URL = /api/v1/
hfc.fabric_ca.caservice._logger
hfc.fabric_ca.caservice.reasons = [[1, 'unspecified'], [2, 'keycompromise'], [3, 'cacompromise'], [4, 'affiliationchange'], [5, 'superseded'], [6, 'cessationofoperation'], [7, 'certificatehold'], [8, 'removefromcrl'], [9, 'privilegewithdrawn'], [10, 'aacompromise']]

class hfc.fabric_ca.caservice.Enrollment(private_key, enrollmentCert, caCertChain=None, service=None)

Bases: object

Class represents enrollment.

property private_key(self)

Get private key

Returns

private key

property cert(self)

Get cert

Returns

cert

property caCert(self)

Get caCert

Returns

caCert

get_attrs(self)
register(self, enrollmentID, enrollmentSecret=None, role=None, affiliation=None, maxEnrollments=1, attrs=None)
revoke(self, enrollmentID=None, aki=None, serial=None, reason=None, gencrl=False)
generateCRL(self, revokedBefore=None, revokedAfter=None, expireBefore=None, expireAfter=None)
__str__(self)

Return str(self).

class hfc.fabric_ca.caservice.CAClient(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, base_url=DEFAULT_CA_BASE_URL, ca_name='', cryptoPrimitives=ecies())

Bases: object

Client for communicating with the Fabric CA APIs.

generateAuthToken(self, req, registrar)

Generate authorization token required for accessing fabric-ca APIs

Parameters
  • req (dict) – request body

  • registrar (Enrollment) – Required. The identity of the registrar (i.e. who is performing the request)

Returns

auth token

_send_ca_post(self, path, **param)

Send a post request to the ca service

Parameters
  • path – sub path after the base_url

  • **param

    post request params

Returns

the response body in json

_send_ca_get(self, path, **param)

Send a get request to the ca service

Parameters
  • path – sub path after the base_url

  • **param

    get request params

Returns

the response body in json

_send_ca_delete(self, path, **param)

Send a delete request to the ca service

Parameters
  • path – sub path after the base_url

  • **param

    delete request params

Returns

the response body in json

_send_ca_update(self, path, **param)

Send an update request to the ca service

Parameters
  • path – sub path after the base_url

  • **param

    update request params

Returns

the response body in json

get_cainfo(self)

Query the ca service information.

Returns

The base64 encoded CA PEM file content for the caname

enroll(self, enrollment_id, enrollment_secret, csr, profile='', attr_reqs=None)
register(self, req, registrar)
reenroll(self, req, registrar)
revoke(self, req, registrar)
generateCRL(self, req, registrar)
newIdentityService(self)
newAffiliationService(self)
newCertificateService(self)

class hfc.fabric_ca.caservice.CAService(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, crypto=ecies(), ca_name='')

Bases: object

This is a ca server delegate.

enroll(self, enrollment_id, enrollment_secret, csr=None, profile='', attr_reqs=None)

Enroll a registered user in order to receive a signed X509 certificate.

Parameters
  • enrollment_id (str) – The registered ID to use for enrollment

  • enrollment_secret (str) – The secret associated with the enrollment ID

  • profile (str) – The profile name. Specify the ‘tls’ profile for a TLS certificate; otherwise, an enrollment certificate is issued. (Default value = ‘’)

  • csr (str) – Optional. PEM-encoded PKCS#10 Certificate Signing Request. The message sent from client side to Fabric-ca for the digital identity certificate. (Default value = None)

  • attr_reqs (list) – An array of AttributeRequest (Default value = None)

Returns

PEM-encoded X509 certificate

Raises
  • RequestException – errors in requests.exceptions

  • ValueError – Failed response, json parse error, args missing

reenroll(self, currentUser, attr_reqs=None)

Re-enroll the member in cases such as the existing enrollment certificate is about to expire, or it has been compromised.

Parameters
  • currentUser (Enrollment) – The identity of the current user that holds the existing enrollment certificate

  • attr_reqs (list) – Optional. An array of AttributeRequest that indicate attributes to be included in the certificate (Default value = None)

Returns

PEM-encoded X509 certificate

Raises
  • RequestException – errors in requests.exceptions

  • ValueError – Failed response, json parse error, args missing

register(self, enrollmentID, enrollmentSecret, role, affiliation, maxEnrollments, attrs, registrar)

Register a user in order to receive a secret

Parameters
  • registrar (Enrollment) – The registrar

  • enrollmentID (str) – ID which will be used for enrollment

  • enrollmentSecret (str) – Optional enrollment secret to set for the registered user. If not provided, the server will generate one. When not including, use a null for this parameter.

  • role (str) – Optional type of role for this user. When not including, use a null for this parameter.

  • affiliation (str) – Affiliation with which this user will be associated

  • maxEnrollments (number) – The maximum number of times the user is permitted to enroll

  • attrs – Array of key/value attributes to assign to the user

Returns

The enrollment secret to use when this user enrolls

Raises
  • RequestException – errors in requests.exceptions

  • ValueError – Failed response, json parse error, args missing

revoke(self, enrollmentID, aki, serial, reason, gencrl, registrar)

Revoke an existing certificate (enrollment certificate or transaction certificate), or revoke all certificates issued to an enrollment id. If revoking a particular certificate, then both the Authority Key Identifier and serial number are required. If revoking by enrollment id, then all future requests to enroll this id will be rejected.

Parameters
  • registrar (Enrollment) – The registrar

  • enrollmentID (str) – ID to revoke

  • aki (str) – Authority Key Identifier string, hex encoded, for the specific certificate to revoke

  • serial (str) – Serial number string, hex encoded, for the specific certificate to revoke

  • reason (str) – The reason for revocation. See https://godoc.org/golang.org/x/crypto/ocsp for valid values

  • gencrl (bool) – GenCRL specifies whether to generate a CRL

Returns

The revocation results

Raises
  • RequestException – errors in requests.exceptions

  • ValueError – Failed response, json parse error, args missing
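
The scope rule above (one certificate needs both AKI and serial; an enrollment ID revokes everything issued to it) can be checked before the call is made. This is an added example, not part of the SDK: `revoke_args`, `_clean_hex` and the hex normalization are assumptions, and the returned keyword names follow the `CAService.revoke` signature shown on this page.

```python
import string

# Reason names as listed in hfc.fabric_ca.caservice.reasons on this page.
REASONS = {"unspecified", "keycompromise", "cacompromise", "affiliationchange",
           "superseded", "cessationofoperation", "certificatehold",
           "removefromcrl", "privilegewithdrawn", "aacompromise"}


def _clean_hex(name, value):
    """Strip ':'/space separators and an optional 0x prefix, then lower-case.
    Lower-case, separator-free hex is this helper's assumption."""
    text = value.replace(":", "").replace(" ", "").lower()
    if text.startswith("0x"):
        text = text[2:]
    if not text or any(ch not in string.hexdigits for ch in text):
        raise ValueError(f"{name} must be a hex string, got {value!r}")
    return text


def revoke_args(enrollmentID=None, aki=None, serial=None, reason=None, gencrl=False):
    """Return (scope, kwargs) for CAService.revoke, or raise ValueError."""
    if reason is not None and reason not in REASONS:
        raise ValueError(f"unknown revocation reason {reason!r}")
    if aki or serial:
        # Revoking one certificate: the page requires AKI and serial together.
        if not (aki and serial):
            raise ValueError("aki and serial must both be given")
        if enrollmentID:
            # Helper policy (assumption): refuse a mixed request so a
            # single-certificate revoke cannot widen to the whole identity.
            raise ValueError("give either enrollmentID or aki+serial, not both")
        scope = "certificate"
        aki, serial = _clean_hex("aki", aki), _clean_hex("serial", serial)
    elif enrollmentID:
        # Revoking by ID: every certificate issued to it is revoked and
        # future enroll requests for the ID are rejected.
        scope = "identity"
    else:
        raise ValueError("nothing to revoke: no enrollmentID and no aki+serial")
    return scope, {"enrollmentID": enrollmentID, "aki": aki, "serial": serial,
                   "reason": reason, "gencrl": bool(gencrl)}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    scope, kwargs = revoke_args(aki="AB:CD:01", serial="0x1F", reason="keycompromise")
    print(scope, kwargs)
    # Then, with a CAService and a registrar Enrollment in hand:
    #   ca.revoke(registrar=registrar, **kwargs)
```
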

generateCRL(self, revokedBefore, revokedAfter, expireBefore, expireAfter, registrar)

Generate CRL

Parameters
  • revokedBefore – Include certificates that were revoked before this UTC timestamp (in RFC3339 format) in the CRL

  • revokedAfter – Include certificates that were revoked after this UTC timestamp (in RFC3339 format) in the CRL

  • expireBefore – Include revoked certificates that expire before this UTC timestamp (in RFC3339 format) in the CRL

  • expireAfter – Include revoked certificates that expire after this UTC timestamp (in RFC3339 format) in the CRL

  • registrar – registrar

Returns

The Certificate Revocation List (CRL)

newIdentityService(self)
newAffiliationService(self)
newCertificateService(self)

hfc.fabric_ca.caservice.ca_service(target=DEFAULT_CA_ENDPOINT, ca_certs_path=None, crypto=ecies(), ca_name='')

Create ca service

Parameters
  • target – url (Default value = DEFAULT_CA_ENDPOINT)

  • ca_certs_path – certs path (Default value = None)

  • crypto – crypto (Default value = ecies())

  • ca_name – CA name (Default value = '')

Returns

ca service instance