[FAB-6927] Generate TLS client certs for users

mastersingh24 · mastersingh24 · commit b9bc349cbc94 · 2017-11-12T14:38:28.000Z
Now tha that both the peer and the orderer
support mutual TLS, cryptogen needs to
generate TLS client certificates for the
users it generates.

All of the material was already being generated,
but all TLS certs were name server.* and it is
more appropriate / more clear to name TLS
certs intended for client usage client.*.
So internally a new parameter is added
which specifies the type of node and maps
node type to client or server as appropriate.

Change-Id: I510a07335f4c685367ff941ab6c63a0203a04bd1
Signed-off-by: Gari Singh &lt;gari.r.singh@gmail.com&gt;
diff --git a/common/tools/cryptogen/main.go b/common/tools/cryptogen/main.go
@@ -423,7 +423,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER)
 
 	// TODO: add ability to specify usernames
 	users := []NodeSpec{}
@@ -440,7 +440,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 	}
 
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)
@@ -483,11 +483,11 @@ func copyAdminCert(usersDir, adminCertsDir, adminUserName string) error {
 
 }
 
-func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA) {
+func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int) {
 
 	for _, node := range nodes {
 		nodeDir := filepath.Join(baseDir, node.CommonName)
-		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA)
+		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType)
 		if err != nil {
 			fmt.Printf("Error generating local MSP for %s:\n%v\n", node, err)
 			os.Exit(1)
@@ -526,7 +526,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER)
 
 	adminUser := NodeSpec{
 		CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -536,7 +536,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 	users := []NodeSpec{}
 	// add an admin user
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)
diff --git a/common/tools/cryptogen/msp/generator.go b/common/tools/cryptogen/msp/generator.go
@@ -29,8 +29,14 @@ import (
 	"github.com/hyperledger/fabric/common/tools/cryptogen/csp"
 )
 
+const (
+	CLIENT = iota
+	ORDERER
+	PEER
+)
+
 func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
-	tlsCA *ca.CA) error {
+	tlsCA *ca.CA, nodeType int) error {
 
 	// create folder structure
 	mspDir := filepath.Join(baseDir, "msp")
@@ -122,13 +128,17 @@ func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
 	}
 
 	// rename the generated TLS X509 cert
+	tlsFilePrefix := "server"
+	if nodeType == CLIENT {
+		tlsFilePrefix = "client"
+	}
 	err = os.Rename(filepath.Join(tlsDir, x509Filename(name)),
-		filepath.Join(tlsDir, "server.crt"))
+		filepath.Join(tlsDir, tlsFilePrefix+".crt"))
 	if err != nil {
 		return err
 	}
 
-	err = keyExport(tlsDir, filepath.Join(tlsDir, "server.key"), tlsPrivKey)
+	err = keyExport(tlsDir, filepath.Join(tlsDir, tlsFilePrefix+".key"), tlsPrivKey)
 	if err != nil {
 		return err
 	}
diff --git a/common/tools/cryptogen/msp/msp_test.go b/common/tools/cryptogen/msp/msp_test.go
@@ -44,12 +44,13 @@ func TestGenerateLocalMSP(t *testing.T) {
 
 	cleanup(testDir)
 
-	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{})
+	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{}, msp.PEER)
 	assert.Error(t, err, "Empty CA should have failed")
 
 	caDir := filepath.Join(testDir, "ca")
 	tlsCADir := filepath.Join(testDir, "tlsca")
 	mspDir := filepath.Join(testDir, "msp")
+	tlsDir := filepath.Join(testDir, "tls")
 
 	// generate signing CA
 	signCA, err := ca.NewCA(caDir, testCAOrg, testCAName, testCountry, testProvince, testLocality, testOrganizationalUnit, testStreetAddress, testPostalCode)
@@ -71,20 +72,44 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NotEmpty(t, signCA.SignCert.Subject.PostalCode, "postalCode cannot be empty.")
 	assert.Equal(t, testPostalCode, signCA.SignCert.Subject.PostalCode[0], "Failed to match postalCode")
 
-	// generate local MSP
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	// generate local MSP for nodeType=PEER
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.PEER)
 	assert.NoError(t, err, "Failed to generate local MSP")
 
 	// check to see that the right files were generated/saved
-	files := []string{
+	mspFiles := []string{
 		filepath.Join(mspDir, "admincerts", testName+"-cert.pem"),
 		filepath.Join(mspDir, "cacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "tlscacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "keystore"),
 		filepath.Join(mspDir, "signcerts", testName+"-cert.pem"),
 	}
+	tlsFiles := []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "server.key"),
+		filepath.Join(tlsDir, "server.crt"),
+	}
 
-	for _, file := range files {
+	for _, file := range mspFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+	for _, file := range tlsFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+
+	// generate local MSP for nodeType=CLIENT
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
+	assert.NoError(t, err, "Failed to generate local MSP")
+	//only need to check for the TLS certs
+	tlsFiles = []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "client.key"),
+		filepath.Join(tlsDir, "client.crt"),
+	}
+
+	for _, file := range tlsFiles {
 		assert.Equal(t, true, checkForFile(file),
 			"Expected to find file "+file)
 	}
@@ -98,10 +123,10 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NoError(t, err, "Error setting up local MSP")
 
 	tlsCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	signCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.ORDERER)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	t.Log(err)
 	cleanup(testDir)
