[ FAB-6452 ] fabric-ca CSR to external CA

Test the creation of CSR's in conjuction with remote signers. Test each supported request object both from file and using command-line options. Change-Id: Id9bf23193d7269368fb22d039bcad64bb3cf7bae Signed-off-by: Allen Bailey <[email protected]>
hyperledger · Dec 13, 2017 · be05c87 · be05c87
1 parent f5af79b
commit be05c87
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 6 deletions.
diff --git a/images/fabric-ca-fvt/payload/openssl.cnf.base b/images/fabric-ca-fvt/payload/openssl.cnf.base
@@ -70,6 +70,7 @@ stateOrProvinceName     = optional      # Must be the same as the CA
 organizationName        = optional      # Must be the same as the CA
 organizationalUnitName  = optional      # not required
 commonName              = supplied      # must be there, whatever it is
+serialNumber            = optional      # not required
 emailAddress            = optional      # not required
 
 ####################################################################
@@ -83,6 +84,7 @@ localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
+serialNumber            = optional      # not required
 emailAddress            = optional
 
 ####################################################################
@@ -289,7 +291,7 @@ fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
 #onlysomereasons=$IDPREASON
 
 [ cdp_section ]
-fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
+fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.pem
 # revocation reason, where reason is one of:
 #    unspecified
 #    keyCompromise

diff --git a/images/fabric-ca-fvt/payload/pki b/images/fabric-ca-fvt/payload/pki
@@ -621,7 +621,7 @@ id_kp_ipsecIKE="1.3.6.1.5.5.7.3.17"
 anyExtendedKeyUsage="2.5.29.37.0"
 certout="$HOME/${prefix}cert"
 keyout="$HOME/${prefix}key"
-reqout="$HOME/${prefix}req.pem"
+: ${reqout:="$HOME/${prefix}req.pem"}
 pkcs12out="$HOME/${prefix}pkcs12.p12"
 tmpcertlist="$HOME/${prefix}certlist.in"
 

diff --git a/scripts/fvt/backwards_comp_test.sh b/scripts/fvt/backwards_comp_test.sh
@@ -133,13 +133,13 @@ function loadUsers {
       psql -d $DBNAME -c "INSERT INTO users (id, token, type, affiliation, attributes, state, max_enrollments) VALUES ('notregistrar', '', 'user', 'org2', '[{\"name\": \"hf.Revoker\", \"value\": \"true\"}]', '0', '-1')"
 
       sed -i "s/type: mysql/type: postgres/
-          s/datasource:.*/datasource: host=localhost port=$POSTGRES_PORT user=postgres password=postgres dbname=$DBNAME $postgresTls/" $TESTCONFIG 
+          s/datasource:.*/datasource: host=localhost port=$POSTGRES_PORT user=postgres password=postgres dbname=$DBNAME $postgresTls/" $TESTCONFIG
       ;;
     mysql)
       mysql --host=localhost --user=root --password=mysql -e "CREATE DATABASE $DBNAME"
       mysql --host=localhost --user=root --password=mysql --database=$DBNAME -e "CREATE TABLE IF NOT EXISTS users (id VARCHAR(255) NOT NULL, token blob, type VARCHAR(256), affiliation VARCHAR(1024), attributes TEXT, state INTEGER, max_enrollments INTEGER, PRIMARY KEY (id)) DEFAULT CHARSET=utf8 COLLATE utf8_bin"
       mysql --host=localhost --user=root --password=mysql --database=$DBNAME -e "INSERT INTO users (id, token, type, affiliation, attributes, state, max_enrollments) VALUES ('registrar', '', 'user', 'org2', '[{\"name\": \"hf.Registrar.Roles\", \"value\": \"user,peer,client\"},{\"name\": \"hf.Revoker\", \"value\": \"true\"}]', '0', '-1')"
-      mysql --host=localhost --user=root --password=mysql --database=$DBNAME -e "INSERT INTO users (id, token, type, affiliation, attributes, state, max_enrollments) VALUES ('notregistrar', '', 'user', 'org2', '[{\"name\": \"hf.Revoker\", \"value\": \"true\"}]', '0', '-1')" 
+      mysql --host=localhost --user=root --password=mysql --database=$DBNAME -e "INSERT INTO users (id, token, type, affiliation, attributes, state, max_enrollments) VALUES ('notregistrar', '', 'user', 'org2', '[{\"name\": \"hf.Revoker\", \"value\": \"true\"}]', '0', '-1')"
       ;;
     *)
       echo "Invalid database type"
@@ -286,4 +286,4 @@ for driver in sqlite3 postgres mysql; do
 done
 
 CleanUp $RC
-exit $RC
+exit $RC
diff --git a/scripts/fvt/gencsr_test.sh b/scripts/fvt/gencsr_test.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+: ${TESTCASE:=gencsr}
+FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
+SCRIPTDIR="$FABRIC_CA/scripts/fvt"
+CA_CFG_PATH="/tmp/$TESTCASE"
+ADMINUSER="admin"
+USERDIR="$CA_CFG_PATH/$ADMINUSER"
+CONFIGFILE="$USERDIR/fabric-ca-client-config.yaml"
+ADMINCERT="$USERDIR/admincert.pem"
+CSR=$CA_CFG_PATH/$ADMINUSER/msp/signcerts/$ADMINUSER.csr
+. $SCRIPTDIR/fabric-ca_utils
+RC=0
+export CA_CFG_PATH
+rm -rf /tmp/${TESTCASE}
+rm -rf /tmp/CAs/${TESTCASE}
+
+function signReq() {
+   # sign CSR
+   HOME=$CA_CFG_PATH/$ADMINUSER reqout=$CSR \
+   /etc/hyperledger/fabric-ca/pki -f signreq -a $TESTCASE -p $ADMINUSER <<EOF
+y
+y
+EOF
+}
+
+function verifyResult() {
+   artifact="$1"
+   expected_subject="$2"
+   case $artifact in
+      cert)  actual_subject="$(openssl x509 -in $ADMINCERT -noout -subject -nameopt rfc2253 |sed 's/subject= //')"
+      ;;
+      csr) actual_subject="$(openssl req -in $CSR -noout -subject -nameopt rfc2253 |sed 's/subject=//')"
+      ;;
+   esac
+   echo expected_subject: $expected_subject
+   test "$expected_subject" = "$actual_subject" || ErrorMsg "expected \n\"$expected_subject\"\n found \"$actual_subject\""
+}
+
+# Create a new external PKI CA
+/etc/hyperledger/fabric-ca/pki -f newca -a $TESTCASE
+
+# supply CN at the command line
+expected="CN=$ADMINUSER,OU=Fabric,O=Hyperledger,ST=North Carolina,C=US"
+fabric-ca-client gencsr --csr.cn "$ADMINUSER" -H $CA_CFG_PATH/$ADMINUSER
+openssl req -noout -in /tmp/gencsr/admin/msp/signcerts/admin.csr -subject | sed 's/subject=//'
+openssl req -noout -in $CSR -subject | sed 's/subject=//'
+verifyResult csr "$expected"
+signReq
+verifyResult cert "$expected"
+
+# supply CN from a file
+sed -i "s/cn:.*/cn: $ADMINUSER/" $USERDIR/fabric-ca-client-config.yaml | grep cn:
+fabric-ca-client gencsr -H $CA_CFG_PATH/$ADMINUSER
+openssl req -noout -in /tmp/gencsr/admin/msp/signcerts/admin.csr -subject | sed 's/subject=//'
+openssl req -noout -in $CSR -subject | sed 's/subject=//'
+verifyResult csr "$expected"
+signReq
+verifyResult cert "$expected"
+
+# CN from command line overrides file
+CSR=$CA_CFG_PATH/$ADMINUSER/msp/signcerts/new$ADMINUSER.csr
+expected="CN=new$ADMINUSER,OU=Fabric,O=Hyperledger,ST=North Carolina,C=US"
+fabric-ca-client gencsr --csr.cn "new$ADMINUSER" -H $CA_CFG_PATH/$ADMINUSER
+openssl req -noout -in /tmp/gencsr/admin/msp/signcerts/admin.csr -subject | sed 's/subject=//'
+openssl req -noout -in $CSR -subject | sed 's/subject=//'
+verifyResult csr "$expected"
+signReq
+verifyResult cert "$expected"
+
+## Supply names from file
+sed -i "s/C:.*/C: FR/
+        s/ST:.*/ST: Cantal/
+        s/ST:.*/ST: Cantal/
+        s/L:.*/L: Salers/
+        s/O:.*/O: Gourmet/
+        s/serialnumber:.*/serialnumber: ABCDEFGHIJKLMNOPQRSTUVWXYZ/" $USERDIR/fabric-ca-client-config.yaml
+CSR=$CA_CFG_PATH/$ADMINUSER/msp/signcerts/$ADMINUSER.csr
+expected="serialNumber=ABCDEFGHIJKLMNOPQRSTUVWXYZ,CN=admin,OU=Fabric,O=Gourmet,L=Salers,ST=Cantal,C=FR"
+fabric-ca-client gencsr -H $CA_CFG_PATH/$ADMINUSER
+openssl req -noout -in /tmp/gencsr/admin/msp/signcerts/admin.csr -subject | sed 's/subject=//'
+openssl req -noout -in $CSR -subject | sed 's/subject=//'
+verifyResult csr "$expected"
+signReq
+verifyResult cert "$expected"
+cat  $USERDIR/fabric-ca-client-config.yaml
+# Names from command line overrides file
+CSR=$CA_CFG_PATH/$ADMINUSER/msp/signcerts/$ADMINUSER.csr
+expected='serialNumber=0123456789,CN=admin,OU=Vieux,O=Moulin,L=Charleville-M\C3\A9zi\C3\A8rs,ST=Ardennes,C=FR'
+fabric-ca-client gencsr --csr.names C=FR,ST=Ardennes,L=Charleville-Mézièrs,O=Moulin,OU=Vieux \
+                        --csr.hosts 1.1.1.1,::1,example.com,[email protected] \
+                        --csr.serialnumber "0123456789" \
+                        --csr.cn admin \
+                        -H $CA_CFG_PATH/$ADMINUSER
+openssl req -noout -in /tmp/gencsr/admin/msp/signcerts/admin.csr -subject | sed 's/subject=//'
+openssl req -noout -in $CSR -subject | sed 's/subject=//'
+verifyResult csr "$expected"
+signReq
+verifyResult cert "$expected"
+
+CleanUp $RC
+exit $RC
diff --git a/testdata/openssl.cnf.base b/testdata/openssl.cnf.base
@@ -70,6 +70,7 @@ stateOrProvinceName     = optional      # Must be the same as the CA
 organizationName        = optional      # Must be the same as the CA
 organizationalUnitName  = optional      # not required
 commonName              = supplied      # must be there, whatever it is
+serialNumber            = optional      # not required
 emailAddress            = optional      # not required
 
 ####################################################################
@@ -83,6 +84,7 @@ localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
+serialNumber            = optional      # not required
 emailAddress            = optional
 
 ####################################################################
@@ -290,7 +292,7 @@ fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.der
 
 [ cdp_section ]
 fullname=URI:http://localhost:$HTTP_PORT/$DOMAIN/crl/crl.pem
-# revocation reason, where reason is one of: 
+# revocation reason, where reason is one of:
 #    unspecified
 #    keyCompromise
 #    CACompromise