CA黑白名单

本文档描述CA黑、白名单的实践操作,建议阅读本操作文档前请先行了解《CA黑白名单介绍》

黑名单

通过配置黑名单,能够拒绝与指定的节点连接。

配置方法

编辑config.ini

  1. [certificate_blacklist]
  2.     ; crl.0 should be nodeid, nodeid's length is 128
  3.     ;crl.0=

重启节点生效

  1. $ bash stop.sh && bash start.sh

查看节点连接

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

白名单

通过配置白名单,能够只与指定的节点连接,拒绝与白名单之外的节点连接。

配置方法

编辑config.ini不配置表示白名单关闭,可与任意节点建立连接。

  1. [certificate_whitelist]
  2.     ; cal.0 should be nodeid, nodeid's length is 128
  3.     cal.0=7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  4.     cal.1=f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0

若节点未启动,则直接启动节点,若节点已启动,可直接用脚本reload_whitelist.sh刷新白名单配置即可(暂不支持动态刷新黑名单)。

  1. # 若节点未启动
  2. $ bash start.sh
  3. # 若节点已启动
  4. $ cd scripts
  5. $ bash reload_whitelist.sh
  6. node_127.0.0.1_30300 is not running, use start.sh to start and enable whitelist directlly.

查看节点连接

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

使用场景:公共CA

所有用CFCA颁发证书搭的链,链的CA都是CFCA。此CA是共用的。必须启用白名单功能。使用公共CA搭的链,会存在两条链共用同一个CA的情况,造成无关的两条链的节点能彼此建立连接。此时需要配置白名单,拒绝与无关的链的节点建立连接。

搭链操作步骤

  1. 用工具搭链
  2. 查询所有节点的NodeID
  3. 将所有NodeID配置入每个节点的白名单中
  4. 启动节点或用脚本reload_whitelist.sh刷新节点白名单配置

扩容操作步骤

  1. 用工具扩容一个节点
  2. 查询此扩容节点的NodeID
  3. 将此NodeID追加到入所有节点的白名单配置中
  4. 将其他节点的白名单配置拷贝到新扩容的节点上
  5. 用脚本reload_whitelist.sh刷新已启动的所有节点的白名单配置
  6. 启动扩容节点
  7. 将扩容节点加成组员(addSealer 或 addObserver)

黑白名单操作举例

准备

搭一个四个节点的链

  1. $ bash build_chain.sh -l "127.0.0.1:4"

查看四个节点的NodeID

  1. $ cat node*/conf/node.nodeid 
  2. 219b319ba7b2b3a1ecfa7130ea314410a52c537e6e7dda9da46dec492102aa5a43bad81679b6af0cd5b9feb7cfdc0b395cfb50016f56806a2afc7ee81bbb09bf
  3. 7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  4. f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0
  5. 38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572ea8cb4e409144a1865f3e980c22d33d443296

可得四个节点的NodeID:

  • node0: 219b319b….
  • node1: 7718df20….
  • node2: f306eb10….
  • node3: 38158ef3….

启动所有节点

  1. $ cd node/127.0.0.1/
  2. $ bash start_all.sh

查看连接,以node0为例。(8545是node0的rpc端口)

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

可看到连接信息,node0连接了除自身之外的其它三个节点。

  1. {
  2.   "id": 1,
  3.   "jsonrpc": "2.0",
  4.   "result": [
  5.     {
  6.       "Agency": "agency",
  7.       "IPAndPort": "127.0.0.1:62774",
  8.       "Node": "node3",
  9.       "NodeID": "38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572ea8cb4e409144a1865f3e980c22d33d443296",
  10.       "Topic": []
  11.     },
  12.     {
  13.       "Agency": "agency",
  14.       "IPAndPort": "127.0.0.1:62766",
  15.       "Node": "node1",
  16.       "NodeID": "7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb",
  17.       "Topic": []
  18.     },
  19.     {
  20.       "Agency": "agency",
  21.       "IPAndPort": "127.0.0.1:30302",
  22.       "Node": "node2",
  23.       "NodeID": "f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0",
  24.       "Topic": []
  25.     }
  26.   ]
  27. }

配置黑名单:node0拒绝node1的连接

将node1的NodeID写入node0的配置中

  1. vim node0/config.ini

需要进行的配置如下,白名单为空(默认关闭)

  1. [certificate_blacklist]
  2.     ; crl.0 should be nodeid, nodeid's length is 128
  3.     crl.0=7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  4.  
  5. [certificate_whitelist]
  6.     ; cal.0 should be nodeid, nodeid's length is 128
  7.     ; cal.0=

重启节点生效

  1. $ cd node0
  2. $ bash stop.sh && bash start.sh

查看节点连接

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

可看到只与两个节点建立的连接,未与node1建立连接

  1. {
  2.   "id": 1,
  3.   "jsonrpc": "2.0",
  4.   "result": [
  5.     {
  6.       "Agency": "agency",
  7.       "IPAndPort": "127.0.0.1:30303",
  8.       "Node": "node3",
  9.       "NodeID": "38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572ea8cb4e409144a1865f3e980c22d33d443296",
  10.       "Topic": []
  11.     },
  12.     {
  13.       "Agency": "agency",
  14.       "IPAndPort": "127.0.0.1:30302",
  15.       "Node": "node2",
  16.       "NodeID": "f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0",
  17.       "Topic": []
  18.     }
  19.   ]
  20. }

配置白名单:node0拒绝与node1,node2之外的节点连接

将node1和node2的NodeID写入node0的配置中

  1. $ vim node0/config.ini

需要进行的配置如下,黑名单置空,白名单配置上node1,node2

  1. [certificate_blacklist]
  2.     ; crl.0 should be nodeid, nodeid's length is 128
  3.     ;crl.0=
  4.  
  5. [certificate_whitelist]
  6.     ; cal.0 should be nodeid, nodeid's length is 128
  7.     cal.0=7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  8.     cal.1=f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0

重启节点生效

  1. $ bash stop.sh && bash start.sh

查看节点连接

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

可看到只与两个节点建立的连接,未与node1建立连接

  1. {
  2.   "id": 1,
  3.   "jsonrpc": "2.0",
  4.   "result": [
  5.     {
  6.       "Agency": "agency",
  7.       "IPAndPort": "127.0.0.1:30302",
  8.       "Node": "node2",
  9.       "NodeID": "f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0",
  10.       "Topic": []
  11.     },
  12.     {
  13.       "Agency": "agency",
  14.       "IPAndPort": "127.0.0.1:30301",
  15.       "Node": "node1",
  16.       "NodeID": "7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb",
  17.       "Topic": []
  18.     }
  19.   ]
  20. }

黑名单与白名单混合配置:黑名单优先级高于白名单,白名单配置的基础上拒绝与node1建立连接

编辑node0的配置

  1. $ vim node0/config.ini

需要进行的配置如下,黑名单配置上node1,白名单配置上node1,node2

  1. [certificate_blacklist]
  2.     ; crl.0 should be nodeid, nodeid's length is 128
  3.     crl.0=7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  4.  
  5. [certificate_whitelist]
  6.     ; cal.0 should be nodeid, nodeid's length is 128
  7.     cal.0=7718df20f0f7e27fdab97b3d69deebb6e289b07eb7799c7ba92fe2f43d2efb4c1250dd1f11fa5b5ce687c8283d65030aae8680093275640861bc274b1b2874cb
  8.     cal.1=f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0

重启节点生效

  1. $ bash stop.sh && bash start.sh

查看节点连接

  1. $ curl -X POST --data '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}' http://127.0.0.1:8545 |jq

可看到虽然白名单上配置了node1,但由于node1在黑名单中也有配置,node0也不能与node1建立连接

  1. {
  2.   "id": 1,
  3.   "jsonrpc": "2.0",
  4.   "result": [
  5.     {
  6.       "Agency": "agency",
  7.       "IPAndPort": "127.0.0.1:30302",
  8.       "Node": "node2",
  9.       "NodeID": "f306eb1066ceb9d46e3b77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0",
  10.       "Topic": []
  11.     }
  12.   ]
  13. }