Remove bccsp from cryptogen

cryptogen is a simple tool for generating
sample crypto material to use during
development and test.  It only generates
EC keys/certs with fixed parameters so
does not need to use the bccsp package
as it can use Go's built-in crypto.

FAB-14738 #done

Change-Id: Ie39bf958ec5fc283a7a8903305f7435ae5bae193
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>

Author: mastersingh24

cmd/cryptogen/main.go

@@ -18,8 +18,9 @@ import (
 	"github.com/hyperledger/fabric/internal/cryptogen/csp"
 	"github.com/hyperledger/fabric/internal/cryptogen/metadata"
 	"github.com/hyperledger/fabric/internal/cryptogen/msp"
-	"gopkg.in/alecthomas/kingpin.v2"
-	"gopkg.in/yaml.v2"
+
+	kingpin "gopkg.in/alecthomas/kingpin.v2"
+	yaml "gopkg.in/yaml.v2"
 )
 
 const (
@@ -698,12 +699,12 @@ func printVersion() {
 }
 
 func getCA(caDir string, spec OrgSpec, name string) *ca.CA {
-	_, signer, _ := csp.LoadPrivateKey(caDir)
+	priv, _ := csp.LoadPrivateKey(caDir)
 	cert, _ := ca.LoadCertificateECDSA(caDir)
 
 	return &ca.CA{
 		Name:               name,
-		Signer:             signer,
+		Signer:             priv,
 		SignCert:           cert,
 		Country:            spec.CA.Country,
 		Province:           spec.CA.Province,

internal/cryptogen/ca/generator.go renamed to internal/cryptogen/ca/ca.go

@@ -8,7 +8,9 @@ package ca
 import (
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -20,7 +22,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hyperledger/fabric/bccsp/utils"
 	"github.com/hyperledger/fabric/internal/cryptogen/csp"
 	"github.com/pkg/errors"
 )
@@ -33,96 +34,131 @@ type CA struct {
 	OrganizationalUnit string
 	StreetAddress      string
 	PostalCode         string
-	//SignKey  *ecdsa.PrivateKey
-	Signer   crypto.Signer
-	SignCert *x509.Certificate
+	Signer             crypto.Signer
+	SignCert           *x509.Certificate
 }
 
 // NewCA creates an instance of CA and saves the signing key pair in
 // baseDir/name
-func NewCA(baseDir, org, name, country, province, locality, orgUnit, streetAddress, postalCode string) (*CA, error) {
+func NewCA(
+	baseDir,
+	org,
+	name,
+	country,
+	province,
+	locality,
+	orgUnit,
+	streetAddress,
+	postalCode string,
+) (*CA, error) {
 
-	var response error
 	var ca *CA
 
 	err := os.MkdirAll(baseDir, 0755)
-	if err == nil {
-		priv, signer, err := csp.GeneratePrivateKey(baseDir)
-		response = err
-		if err == nil {
-			// get public signing certificate
-			ecPubKey, err := csp.GetECPublicKey(priv)
-			response = err
-			if err == nil {
-				template := x509Template()
-				//this is a CA
-				template.IsCA = true
-				template.KeyUsage |= x509.KeyUsageDigitalSignature |
-					x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign |
-					x509.KeyUsageCRLSign
-				template.ExtKeyUsage = []x509.ExtKeyUsage{
-					x509.ExtKeyUsageClientAuth,
-					x509.ExtKeyUsageServerAuth,
-				}
-
-				//set the organization for the subject
-				subject := subjectTemplateAdditional(country, province, locality, orgUnit, streetAddress, postalCode)
-				subject.Organization = []string{org}
-				subject.CommonName = name
-
-				template.Subject = subject
-				template.SubjectKeyId = priv.SKI()
-
-				x509Cert, err := genCertificateECDSA(baseDir, name, &template, &template,
-					ecPubKey, signer)
-				response = err
-				if err == nil {
-					ca = &CA{
-						Name:               name,
-						Signer:             signer,
-						SignCert:           x509Cert,
-						Country:            country,
-						Province:           province,
-						Locality:           locality,
-						OrganizationalUnit: orgUnit,
-						StreetAddress:      streetAddress,
-						PostalCode:         postalCode,
-					}
-				}
-			}
-		}
+	if err != nil {
+		return nil, err
+	}
+
+	priv, err := csp.GeneratePrivateKey(baseDir)
+	if err != nil {
+		return nil, err
+	}
+
+	template := x509Template()
+	//this is a CA
+	template.IsCA = true
+	template.KeyUsage |= x509.KeyUsageDigitalSignature |
+		x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign |
+		x509.KeyUsageCRLSign
+	template.ExtKeyUsage = []x509.ExtKeyUsage{
+		x509.ExtKeyUsageClientAuth,
+		x509.ExtKeyUsageServerAuth,
+	}
+
+	//set the organization for the subject
+	subject := subjectTemplateAdditional(country, province, locality, orgUnit, streetAddress, postalCode)
+	subject.Organization = []string{org}
+	subject.CommonName = name
+
+	template.Subject = subject
+	template.SubjectKeyId = computeSKI(priv)
+
+	x509Cert, err := genCertificateECDSA(
+		baseDir,
+		name,
+		&template,
+		&template,
+		&priv.PublicKey,
+		priv,
+	)
+	if err != nil {
+		return nil, err
+	}
+	ca = &CA{
+		Name: name,
+		Signer: &csp.ECDSASigner{
+			PrivateKey: priv,
+		},
+		SignCert:           x509Cert,
+		Country:            country,
+		Province:           province,
+		Locality:           locality,
+		OrganizationalUnit: orgUnit,
+		StreetAddress:      streetAddress,
+		PostalCode:         postalCode,
 	}
-	return ca, response
+
+	return ca, err
 }
 
 // SignCertificate creates a signed certificate based on a built-in template
 // and saves it in baseDir/name
-func (ca *CA) SignCertificate(baseDir, name string, ous, sans []string, pub *ecdsa.PublicKey,
-	ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
+func (ca *CA) SignCertificate(
+	baseDir,
+	name string,
+	orgUnits,
+	alternateNames []string,
+	pub *ecdsa.PublicKey,
+	ku x509.KeyUsage,
+	eku []x509.ExtKeyUsage,
+) (*x509.Certificate, error) {
 
 	template := x509Template()
 	template.KeyUsage = ku
 	template.ExtKeyUsage = eku
 
 	//set the organization for the subject
-	subject := subjectTemplateAdditional(ca.Country, ca.Province, ca.Locality, ca.OrganizationalUnit, ca.StreetAddress, ca.PostalCode)
+	subject := subjectTemplateAdditional(
+		ca.Country,
+		ca.Province,
+		ca.Locality,
+		ca.OrganizationalUnit,
+		ca.StreetAddress,
+		ca.PostalCode,
+	)
 	subject.CommonName = name
 
-	subject.OrganizationalUnit = append(subject.OrganizationalUnit, ous...)
+	subject.OrganizationalUnit = append(subject.OrganizationalUnit, orgUnits...)
 
 	template.Subject = subject
-	for _, san := range sans {
+	for _, san := range alternateNames {
 		// try to parse as an IP address first
 		ip := net.ParseIP(san)
 		if ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
-			template.DNSNames = append(template.DNSNames, san)
+			template.DNSNames = append(template.DNSNames, alternateNames...)
 		}
 	}
 
-	cert, err := genCertificateECDSA(baseDir, name, &template, ca.SignCert,
-		pub, ca.Signer)
+	cert, err := genCertificateECDSA(
+		baseDir,
+		name,
+		&template,
+		ca.SignCert,
+		pub,
+		ca.Signer,
+	)
 
 	if err != nil {
 		return nil, err
@@ -131,6 +167,16 @@ func (ca *CA) SignCertificate(baseDir, name string, ous, sans []string, pub *ecd
 	return cert, nil
 }
 
+// compute Subject Key Identifier
+func computeSKI(privKey *ecdsa.PrivateKey) []byte {
+	// Marshall the public key
+	raw := elliptic.Marshal(privKey.Curve, privKey.PublicKey.X, privKey.PublicKey.Y)
+
+	// Hash it
+	hash := sha256.Sum256(raw)
+	return hash[:]
+}
+
 // default template for X509 subject
 func subjectTemplate() pkix.Name {
 	return pkix.Name{
@@ -141,7 +187,14 @@ func subjectTemplate() pkix.Name {
 }
 
 // Additional for X509 subject
-func subjectTemplateAdditional(country, province, locality, orgUnit, streetAddress, postalCode string) pkix.Name {
+func subjectTemplateAdditional(
+	country,
+	province,
+	locality,
+	orgUnit,
+	streetAddress,
+	postalCode string,
+) pkix.Name {
 	name := subjectTemplate()
 	if len(country) >= 1 {
 		name.Country = []string{country}
@@ -189,8 +242,14 @@ func x509Template() x509.Certificate {
 }
 
 // generate a signed X509 certificate using ECDSA
-func genCertificateECDSA(baseDir, name string, template, parent *x509.Certificate, pub *ecdsa.PublicKey,
-	priv interface{}) (*x509.Certificate, error) {
+func genCertificateECDSA(
+	baseDir,
+	name string,
+	template,
+	parent *x509.Certificate,
+	pub *ecdsa.PublicKey,
+	priv interface{},
+) (*x509.Certificate, error) {
 
 	//create the x509 public cert
 	certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
@@ -233,7 +292,7 @@ func LoadCertificateECDSA(certPath string) (*x509.Certificate, error) {
 			if block == nil || block.Type != "CERTIFICATE" {
 				return errors.Errorf("%s: wrong PEM encoding", path)
 			}
-			cert, err = utils.DERToX509Certificate(block.Bytes)
+			cert, err = x509.ParseCertificate(block.Bytes)
 			if err != nil {
 				return errors.Errorf("%s: wrong DER encoding", path)
 			}