Merge "[FAB-6927] Generate TLS client certs for users"

common/tools/cryptogen/main.go

@@ -423,7 +423,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER)
 
 	// TODO: add ability to specify usernames
 	users := []NodeSpec{}
@@ -440,7 +440,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 	}
 
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)
@@ -483,11 +483,11 @@ func copyAdminCert(usersDir, adminCertsDir, adminUserName string) error {
 
 }
 
-func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA) {
+func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int) {
 
 	for _, node := range nodes {
 		nodeDir := filepath.Join(baseDir, node.CommonName)
-		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA)
+		err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType)
 		if err != nil {
 			fmt.Printf("Error generating local MSP for %s:\n%v\n", node, err)
 			os.Exit(1)
@@ -526,7 +526,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 		os.Exit(1)
 	}
 
-	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA)
+	generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER)
 
 	adminUser := NodeSpec{
 		CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -536,7 +536,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 	users := []NodeSpec{}
 	// add an admin user
 	users = append(users, adminUser)
-	generateNodes(usersDir, users, signCA, tlsCA)
+	generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
 
 	// copy the admin cert to the org's MSP admincerts
 	err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)

common/tools/cryptogen/msp/generator.go

@@ -29,8 +29,14 @@ import (
 	"github.com/hyperledger/fabric/common/tools/cryptogen/csp"
 )
 
+const (
+	CLIENT = iota
+	ORDERER
+	PEER
+)
+
 func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
-	tlsCA *ca.CA) error {
+	tlsCA *ca.CA, nodeType int) error {
 
 	// create folder structure
 	mspDir := filepath.Join(baseDir, "msp")
@@ -122,13 +128,17 @@ func GenerateLocalMSP(baseDir, name string, sans []string, signCA *ca.CA,
 	}
 
 	// rename the generated TLS X509 cert
+	tlsFilePrefix := "server"
+	if nodeType == CLIENT {
+		tlsFilePrefix = "client"
+	}
 	err = os.Rename(filepath.Join(tlsDir, x509Filename(name)),
-		filepath.Join(tlsDir, "server.crt"))
+		filepath.Join(tlsDir, tlsFilePrefix+".crt"))
 	if err != nil {
 		return err
 	}
 
-	err = keyExport(tlsDir, filepath.Join(tlsDir, "server.key"), tlsPrivKey)
+	err = keyExport(tlsDir, filepath.Join(tlsDir, tlsFilePrefix+".key"), tlsPrivKey)
 	if err != nil {
 		return err
 	}

common/tools/cryptogen/msp/msp_test.go

@@ -44,12 +44,13 @@ func TestGenerateLocalMSP(t *testing.T) {
 
 	cleanup(testDir)
 
-	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{})
+	err := msp.GenerateLocalMSP(testDir, testName, nil, &ca.CA{}, &ca.CA{}, msp.PEER)
 	assert.Error(t, err, "Empty CA should have failed")
 
 	caDir := filepath.Join(testDir, "ca")
 	tlsCADir := filepath.Join(testDir, "tlsca")
 	mspDir := filepath.Join(testDir, "msp")
+	tlsDir := filepath.Join(testDir, "tls")
 
 	// generate signing CA
 	signCA, err := ca.NewCA(caDir, testCAOrg, testCAName, testCountry, testProvince, testLocality, testOrganizationalUnit, testStreetAddress, testPostalCode)
@@ -71,20 +72,44 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NotEmpty(t, signCA.SignCert.Subject.PostalCode, "postalCode cannot be empty.")
 	assert.Equal(t, testPostalCode, signCA.SignCert.Subject.PostalCode[0], "Failed to match postalCode")
 
-	// generate local MSP
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	// generate local MSP for nodeType=PEER
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.PEER)
 	assert.NoError(t, err, "Failed to generate local MSP")
 
 	// check to see that the right files were generated/saved
-	files := []string{
+	mspFiles := []string{
 		filepath.Join(mspDir, "admincerts", testName+"-cert.pem"),
 		filepath.Join(mspDir, "cacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "tlscacerts", testCAName+"-cert.pem"),
 		filepath.Join(mspDir, "keystore"),
 		filepath.Join(mspDir, "signcerts", testName+"-cert.pem"),
 	}
+	tlsFiles := []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "server.key"),
+		filepath.Join(tlsDir, "server.crt"),
+	}
 
-	for _, file := range files {
+	for _, file := range mspFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+	for _, file := range tlsFiles {
+		assert.Equal(t, true, checkForFile(file),
+			"Expected to find file "+file)
+	}
+
+	// generate local MSP for nodeType=CLIENT
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
+	assert.NoError(t, err, "Failed to generate local MSP")
+	//only need to check for the TLS certs
+	tlsFiles = []string{
+		filepath.Join(tlsDir, "ca.crt"),
+		filepath.Join(tlsDir, "client.key"),
+		filepath.Join(tlsDir, "client.crt"),
+	}
+
+	for _, file := range tlsFiles {
 		assert.Equal(t, true, checkForFile(file),
 			"Expected to find file "+file)
 	}
@@ -98,10 +123,10 @@ func TestGenerateLocalMSP(t *testing.T) {
 	assert.NoError(t, err, "Error setting up local MSP")
 
 	tlsCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.CLIENT)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	signCA.Name = "test/fail"
-	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA)
+	err = msp.GenerateLocalMSP(testDir, testName, nil, signCA, tlsCA, msp.ORDERER)
 	assert.Error(t, err, "Should have failed with CA name 'test/fail'")
 	t.Log(err)
 	cleanup(testDir)