[FAB-6927] Generate TLS client certs for users

Now tha that both the peer and the orderer support mutual TLS, cryptogen needs to generate TLS client certificates for the users it generates. All of the material was already being generated, but all TLS certs were name server.* and it is more appropriate / more clear to name TLS certs intended for client usage client.*. So internally a new parameter is added which specifies the type of node and maps node type to client or server as appropriate. Change-Id: I510a07335f4c685367ff941ab6c63a0203a04bd1 Signed-off-by: Gari Singh <[email protected]>
hyperledger · Nov 12, 2017 · b9bc349 · b9bc349
1 parent 6778439
commit b9bc349
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 16 deletions.
diff --git a/common/tools/cryptogen/main.go b/common/tools/cryptogen/main.go
@@ -423,7 +423,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER)
 
 	// TODO: add ability to specify usernames
 	users := []NodeSpec{}
@@ -440,7 +440,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 	}
 
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)
@@ -483,11 +483,11 @@ func copyAdminCert(usersDir, adminCertsDir, adminUserName string) error {
 
 }
 
-func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA) {
+func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int) {
 
 	for _, node := range nodes {
 		nodeDir := filepath.Join(baseDir, node.CommonName)
-		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA)
+		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType)
 		if err != nil {
 			fmt.Printf("Error generating local MSP for %s:\n%v\n", node, err)
 			os.Exit(1)
@@ -526,7 +526,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER)
 
 	adminUser := NodeSpec{
 		CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -536,7 +536,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 	users := []NodeSpec{}
 	// add an admin user
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)

diff --git a/common/tools/cryptogen/msp/generator.go b/common/tools/cryptogen/msp/generator.go
@@ -29,8 +29,14 @@ import (
 	"github.com/hyperledger/fabric/common/tools/cryptogen/csp"
 )
 
+const (
+	CLIENT = iota
+	ORDERER
+	PEER
+)
+
 func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
-	tlsCA *ca.CA) error {
+	tlsCA *ca.CA, nodeType int) error {
 
 	// create folder structure
 	mspDir := filepath.Join(baseDir, "msp")
@@ -122,13 +128,17 @@ func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
 	}
 
 	// rename the generated TLS X509 cert
+	tlsFilePrefix := "server"
+	if nodeType == CLIENT {
+		tlsFilePrefix = "client"
+	}
 	err = os.Rename(filepath.Join(tlsDir, x509Filename(name)),
-		filepath.Join(tlsDir, "server.crt"))
+		filepath.Join(tlsDir, tlsFilePrefix+".crt"))
 	if err != nil {
 		return err
 	}
 
-	err = keyExport(tlsDir, filepath.Join(tlsDir, "server.key"), tlsPrivKey)
+	err = keyExport(tlsDir, filepath.Join(tlsDir, tlsFilePrefix+".key"), tlsPrivKey)
 	if err != nil {
 		return err
 	}

diff --git a/common/tools/cryptogen/msp/msp_test.go b/common/tools/cryptogen/msp/msp_test.go
@@ -44,12 +44,13 @@ func TestGenerateLocalMSP(t *testing.T) {
 
 	cleanup(testDir)
 
-	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{})
+	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{}, msp.PEER)
 	assert.Error(t, err, "Empty CA should have failed")
 
 	caDir := filepath.Join(testDir, "ca")
 	tlsCADir := filepath.Join(testDir, "tlsca")
 	mspDir := filepath.Join(testDir, "msp")
+	tlsDir := filepath.Join(testDir, "tls")
 
 	// generate signing CA
 	signCA, err := ca.NewCA(caDir, testCAOrg, testCAName, testCountry, testProvince, testLocality, testOrganizationalUnit, testStreetAddress, testPostalCode)
@@ -71,20 +72,44 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NotEmpty(t, signCA.SignCert.Subject.PostalCode, "postalCode cannot be empty.")
 	assert.Equal(t, testPostalCode, signCA.SignCert.Subject.PostalCode[0], "Failed to match postalCode")
 
-	// generate local MSP
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	// generate local MSP for nodeType=PEER
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.PEER)
 	assert.NoError(t, err, "Failed to generate local MSP")
 
 	// check to see that the right files were generated/saved
-	files := []string{
+	mspFiles := []string{
 		filepath.Join(mspDir, "admincerts", testName+"-cert.pem"),
 		filepath.Join(mspDir, "cacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "tlscacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "keystore"),
 		filepath.Join(mspDir, "signcerts", testName+"-cert.pem"),
 	}
+	tlsFiles := []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "server.key"),
+		filepath.Join(tlsDir, "server.crt"),
+	}
 
-	for _, file := range files {
+	for _, file := range mspFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+	for _, file := range tlsFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+
+	// generate local MSP for nodeType=CLIENT
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
+	assert.NoError(t, err, "Failed to generate local MSP")
+	//only need to check for the TLS certs
+	tlsFiles = []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "client.key"),
+		filepath.Join(tlsDir, "client.crt"),
+	}
+
+	for _, file := range tlsFiles {
 		assert.Equal(t, true, checkForFile(file),
 			"Expected to find file "+file)
 	}
@@ -98,10 +123,10 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NoError(t, err, "Error setting up local MSP")
 
 	tlsCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	signCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.ORDERER)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	t.Log(err)
 	cleanup(testDir)