Update auth header token for CA #813
Conversation
denyeart
force-pushed
the
ca_auth_header
branch
from
22172ce to
1ddc3f8
Compare
When interacting with Fabric CA REST services, utilize the updated auth header token format that includes the URL path and method. The old format has been deprecated for a long time since the new format is more secure. For reference see similar change in legacy Node SDK: hyperledger/fabric-sdk-node@602f557 Signed-off-by: David Enyeart <[email protected]>
denyeart
force-pushed
the
ca_auth_header
branch
from
1ddc3f8 to
a0ce88a
Compare
| // get the auth token (csr) | ||
| const auth_token = t.fabric_utils.generateAuthToken(reenrollCSR, t.signingIdentity); |
There was a problem hiding this comment.
I assume that passing t.signingIdentity was a leftover from an old implementation, so I've removed it. The current generateAuthToken() implementation already accesses t.signingIdentity internally.
There was a problem hiding this comment.
+1 looks good to me.
if you could though just comment on this PR the minimum version of a CA the console needs.
note that i'm not able to run this project anymore, so i didn't run anything.. though we do have tests, even on this file.
https://github.com/hyperledger-labs/fabric-operations-console/blob/main/packages/athena/test/test-suites/lib/ca_lib.test.js
i think you can run these tests with npm run test from the ./package/athena directory. there's also a curiously named script of npm run test:local that might be the one to do...
| let sig = t.signing_lib.sign(bodyAndCert, { hashFunction: t.cryptoSuite.hash.bind(t.cryptoSuite), signingIdentity: t.signingIdentity }); | ||
| if (path && method) { | ||
| const s = Buffer.from(path).toString('base64'); | ||
| signString = method + '.' + s + '.' + signString; |
There was a problem hiding this comment.
this line is the real/main change right? the "new method" is to sign over a string that has the method and path. make sense!
so seems like once we merge this there will be some ancient CA versions that will no longer work with the latest console. CA's that are too old for the new way... for the sake of traceability could you jot down in this PR what min CA version the console needs now?
There was a problem hiding this comment.
Yes, this is the main change, it is consistent with how all the other Fabric CA clients were updated back in 2019.
I've updated the Description with the Fabric CA versions.
When interacting with Fabric CA REST services,
utilize the updated auth header token format
that includes the URL path and method.
The old format has been deprecated for a long time (since Fabric CA v1.4.0) since the new format is more secure. New versions of Fabric CA (v1.5.14 and later) will not support the old format by default (although they can still support the old format by setting
FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=true).For reference see similar change in legacy Node SDK that never got propagated to the console Fabric CA client:
hyperledger/fabric-sdk-node@602f557
And the original change in Fabric CA that is driving this change:
hyperledger/fabric-ca@99517e9
Note that the new format became effective in Fabric CA v1.4.0 (2019), therefore console will require Fabric CA v1.4.0 or later, which should not be a problem at this stage.