[FAB-4364] [FAB-5352] Support IP SANs in cryptogen

Tony Yang · Tony Yang · commit b250acad072a · 2017-07-26T16:21:48.000+08:00
No matter what is provided as SANS in crypto-config.yaml, current code
logic of cryptogen takes them as host names, resulting in failed
communication if fabric network is configured with IP addresses.

The change proposes to examine the content of SANS, setting them as IP
SANs in the generated certificates if they are IP addresses.

Change-Id: Ie9cbc341ab21ec5966fdabcd48d79a9d05d7b961
Signed-off-by: Tony Yang &lt;tony@arxanfintech.com&gt;
diff --git a/common/tools/cryptogen/ca/ca_test.go b/common/tools/cryptogen/ca/ca_test.go
@@ -18,6 +18,7 @@ package ca_test
 import (
 	"crypto/ecdsa"
 	"crypto/x509"
+	"net"
 	"os"
 	"path/filepath"
 	"testing"
@@ -31,6 +32,8 @@ const (
 	testCAName  = "root0"
 	testCA2Name = "root1"
 	testName    = "cert0"
+	testName2   = "cert1"
+	testIP      = "172.16.10.31"
 )
 
 var testDir = filepath.Join(os.TempDir(), "ca-test")
@@ -85,6 +88,13 @@ func TestGenerateSignCertificate(t *testing.T) {
 	assert.NoError(t, err, "Failed to generate signed certificate")
 	assert.Equal(t, 0, len(cert.ExtKeyUsage))
 
+	// make sure sans are correctly set
+	sans := []string{testName2, testIP}
+	cert, err = rootCA.SignCertificate(certDir, testName, sans, ecPubKey,
+		x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
+	assert.Contains(t, cert.DNSNames, testName2)
+	assert.Contains(t, cert.IPAddresses, net.ParseIP(testIP).To4())
+
 	// check to make sure the signed public key was stored
 	pemFile := filepath.Join(certDir, testName+"-cert.pem")
 	assert.Equal(t, true, checkForFile(pemFile),
diff --git a/common/tools/cryptogen/ca/generator.go b/common/tools/cryptogen/ca/generator.go
@@ -23,6 +23,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
+	"net"
 	"os"
 	"time"
 
@@ -100,7 +101,15 @@ func (ca *CA) SignCertificate(baseDir, name string, sans []string, pub *ecdsa.Pu
 	subject.CommonName = name
 
 	template.Subject = subject
-	template.DNSNames = sans
+	for _, san := range sans {
+		// try to parse as an IP address first
+		ip := net.ParseIP(san)
+		if ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, san)
+		}
+	}
 
 	cert, err := genCertificateECDSA(baseDir, name, &template, ca.SignCert,
 		pub, ca.Signer)
diff --git a/common/tools/cryptogen/main.go b/common/tools/cryptogen/main.go
@@ -136,8 +136,10 @@ PeerOrgs:
     #                 which obtains its values from the Spec.Hostname and
     #                 Org.Domain, respectively.
     #   - SANS:       (Optional) Specifies one or more Subject Alternative Names
-    #                 the be set in the resulting x509.  Accepts template
-    #                 variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}
+    #                 to be set in the resulting x509. Accepts template
+    #                 variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}. IP
+    #                 addresses provided here will be properly recognized. Other
+    #                 values will be taken as DNS names.
     #                 NOTE: Two implicit entries are created for you:
     #                     - {{ .CommonName }}
     #                     - {{ .Hostname }}
@@ -149,6 +151,7 @@ PeerOrgs:
     #       - "bar.{{.Domain}}"
     #       - "altfoo.{{.Domain}}"
     #       - "{{.Hostname}}.org6.net"
+    #       - 172.16.10.31
     #   - Hostname: bar
     #   - Hostname: baz
 
