diff --git a/internal/github.com/hyperledger/fabric-ca/lib/client.go b/internal/github.com/hyperledger/fabric-ca/lib/client.go index 90282b91d7..22e9aef5bc 100644 --- a/internal/github.com/hyperledger/fabric-ca/lib/client.go +++ b/internal/github.com/hyperledger/fabric-ca/lib/client.go @@ -112,11 +112,6 @@ func (c *Client) initHTTPClient() error { if c.Config.TLS.Enabled { log.Info("TLS Enabled") - err := tls.AbsTLSClient(&c.Config.TLS, c.HomeDir) - if err != nil { - return err - } - tlsConfig, err2 := tls.GetClientTLSConfig(&c.Config.TLS, c.csp) if err2 != nil { return fmt.Errorf("Failed to get client TLS config: %s", err2) diff --git a/internal/github.com/hyperledger/fabric-ca/lib/tls/tls.go b/internal/github.com/hyperledger/fabric-ca/lib/tls/tls.go index b48beb203b..c834118c3b 100644 --- a/internal/github.com/hyperledger/fabric-ca/lib/tls/tls.go +++ b/internal/github.com/hyperledger/fabric-ca/lib/tls/tls.go @@ -23,7 +23,6 @@ package tls import ( "crypto/tls" "crypto/x509" - "io/ioutil" "time" "github.com/pkg/errors" 
@@ -34,31 +33,17 @@ import ( "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" ) -// ServerTLSConfig defines key material for a TLS server -type ServerTLSConfig struct { - Enabled bool `help:"Enable TLS on the listening port"` - CertFile string `def:"tls-cert.pem" help:"PEM-encoded TLS certificate file for server's listening port"` - KeyFile string `help:"PEM-encoded TLS key for server's listening port"` - ClientAuth ClientAuth -} - -// ClientAuth defines the key material needed to verify client certificates -type ClientAuth struct { - Type string `def:"noclientcert" help:"Policy the server will follow for TLS Client Authentication."` - CertFiles []string `help:"A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)"` -} - // ClientTLSConfig defines the key material for a TLS client type ClientTLSConfig struct { Enabled bool `skip:"true"` - CertFiles []string `help:"A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)"` + CertFiles [][]byte `help:"A list of comma-separated PEM-encoded trusted certificate bytes"` Client KeyCertFiles } // KeyCertFiles defines the files need for client on TLS type KeyCertFiles struct { - KeyFile string `help:"PEM-encoded key file when mutual authentication is enabled"` - CertFile string `help:"PEM-encoded certificate file when mutual authenticate is enabled"` + KeyFile []byte `help:"PEM-encoded key bytes when mutual authentication is enabled"` + CertFile []byte `help:"PEM-encoded certificate bytes when mutual authenticate is enabled"` } // GetClientTLSConfig creates a tls.Config object from certs and roots 
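Review bot: The `help` tag on the new `CertFiles [][]byte` field still says "comma-separated", which described the old path list and does not apply to a slice of PEM byte slices; the names `CertFiles`, `KeyFile`, `CertFile` and the `KeyCertFiles` comment ("defines the files need for client") likewise still speak of files while the values are now bytes. Suggest `help:"A list of PEM-encoded trusted certificate bytes"` and `// KeyCertFiles defines the PEM-encoded key and certificate bytes the client presents when mutual TLS is enabled`. Renaming the fields would be cleaner but touches every caller, so the doc fix is the minimum.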
@@ -69,11 +54,7 @@ func GetClientTLSConfig(cfg *ClientTLSConfig, csp core.CryptoSuite) (*tls.Config csp = factory.GetDefault() } - log.Debugf("CA Files: %+v\n", cfg.CertFiles) - log.Debugf("Client Cert File: %s\n", cfg.Client.CertFile) - log.Debugf("Client Key File: %s\n", cfg.Client.KeyFile) - - if cfg.Client.CertFile != "" { + if cfg.Client.CertFile != nil { err := checkCertDates(cfg.Client.CertFile) if err != nil { return nil, err @@ -94,13 +75,9 @@ func GetClientTLSConfig(cfg *ClientTLSConfig, csp core.CryptoSuite) (*tls.Config } for _, cacert := range cfg.CertFiles { - caCert, err := ioutil.ReadFile(cacert) - if err != nil { - return nil, errors.Wrapf(err, "Failed to read '%s'", cacert) - } - ok := rootCAPool.AppendCertsFromPEM(caCert) + ok := rootCAPool.AppendCertsFromPEM(cacert) if !ok { - return nil, errors.Errorf("Failed to process certificate from file %s", cacert) + return nil, errors.New("Failed to process certificate") } } @@ -112,37 +89,8 @@ func GetClientTLSConfig(cfg *ClientTLSConfig, csp core.CryptoSuite) (*tls.Config return config, nil } -// AbsTLSClient makes TLS client files absolute -func AbsTLSClient(cfg *ClientTLSConfig, configDir string) error { - var err error - - for i := 0; i < len(cfg.CertFiles); i++ { - cfg.CertFiles[i], err = util.MakeFileAbs(cfg.CertFiles[i], configDir) - if err != nil { - return err - } - - } - - cfg.Client.CertFile, err = util.MakeFileAbs(cfg.Client.CertFile, configDir) - if err != nil { - return err - } - - cfg.Client.KeyFile, err = util.MakeFileAbs(cfg.Client.KeyFile, configDir) - if err != nil { - return err - } - - return nil -} - -func checkCertDates(certFile string) error { +func checkCertDates(certPEM []byte) error { log.Debug("Check client TLS certificate for valid dates") - certPEM, err := ioutil.ReadFile(certFile) - if err != nil { - return errors.Wrapf(err, "Failed to read file '%s'", certFile) - } cert, err := util.GetX509CertificateFromPEM(certPEM) if err != nil { 
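Review bot: `if cfg.Client.CertFile != nil` replaces the old `!= ""` test, but a non-nil empty slice now counts as a configured client certificate and is handed to checkCertDates, which can only fail on empty PEM; "not configured" and nil are no longer the same condition. The mocks in caclient_test.go return `[]byte("")`, so this shape does occur in practice. Use `if len(cfg.Client.CertFile) > 0 {` here; the `keyFile != nil` test added to LoadX509KeyPair in util/csp.go has the same issue. GetClientTLSConfig continues outside the hunk.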
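Review bot: The new `errors.New("Failed to process certificate")` drops the only detail that identified the failing entry, whereas the old message named the file; with several CA certificates in `cfg.CertFiles` the caller cannot tell which one is malformed. Iterating with the index keeps that without printing certificate bytes: `for i, cacert := range cfg.CertFiles {` and `return nil, errors.Errorf("Failed to process certificate at index %d", i)`.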
diff --git a/internal/github.com/hyperledger/fabric-ca/util/csp.go b/internal/github.com/hyperledger/fabric-ca/util/csp.go index 7d81540cb9..8435205a60 100644 --- a/internal/github.com/hyperledger/fabric-ca/util/csp.go +++ b/internal/github.com/hyperledger/fabric-ca/util/csp.go @@ -142,6 +142,7 @@ func ImportBCCSPKeyFromPEM(keyFile string, myCSP core.CryptoSuite, temporary boo // ImportBCCSPKeyFromPEMBytes attempts to create a private BCCSP key from a pem byte slice func ImportBCCSPKeyFromPEMBytes(keyBuff []byte, myCSP core.CryptoSuite, temporary bool) (core.Key, error) { keyFile := "pem bytes" + key, err := factory.PEMtoPrivateKey(keyBuff, nil) if err != nil { return nil, errors.WithMessage(err, fmt.Sprintf("Failed parsing private key from %s", keyFile)) @@ -172,12 +173,9 @@ func ImportBCCSPKeyFromPEMBytes(keyBuff []byte, myCSP core.CryptoSuite, temporar // // This function originated from crypto/tls/tls.go and was adapted to use a // BCCSP Signer -func LoadX509KeyPair(certFile, keyFile string, csp core.CryptoSuite) (*tls.Certificate, error) { +func LoadX509KeyPair(certFile, keyFile []byte, csp core.CryptoSuite) (*tls.Certificate, error) { - certPEMBlock, err := ioutil.ReadFile(certFile) - if err != nil { - return nil, err - } + certPEMBlock := certFile cert := &tls.Certificate{} var skippedBlockTypes []string 
@@ -196,10 +194,10 @@ func LoadX509KeyPair(certFile, keyFile string, csp core.CryptoSuite) (*tls.Certi if len(cert.Certificate) == 0 { if len(skippedBlockTypes) == 0 { - return nil, errors.Errorf("Failed to find PEM block in file %s", certFile) + return nil, errors.New("Failed to find PEM block in bytes") } if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") { - return nil, errors.Errorf("Failed to find certificate PEM data in file %s, but did find a private key; PEM inputs may have been switched", certFile) + return nil, errors.New("Failed to find certificate PEM data in bytes, but did find a private key; PEM inputs may have been switched") } return nil, errors.Errorf("Failed to find \"CERTIFICATE\" PEM block in file %s after skipping PEM blocks of the following types: %v", certFile, skippedBlockTypes) } @@ -211,10 +209,10 @@ func LoadX509KeyPair(certFile, keyFile string, csp core.CryptoSuite) (*tls.Certi _, cert.PrivateKey, err = GetSignerFromCert(x509Cert, csp) if err != nil { - if keyFile != "" { + if keyFile != nil { log.Debugf("Could not load TLS certificate with BCCSP: %s", err) log.Debugf("Attempting fallback with certfile %s and keyfile %s", certFile, keyFile) - fallbackCerts, err := tls.LoadX509KeyPair(certFile, keyFile) + fallbackCerts, err := tls.X509KeyPair(certFile, keyFile) if err != nil { return nil, errors.Wrapf(err, "Could not get the private key %s that matches %s", keyFile, certFile) } diff --git a/pkg/common/providers/msp/provider.go b/pkg/common/providers/msp/provider.go index d75b72534d..c25a218604 100644 --- a/pkg/common/providers/msp/provider.go +++ b/pkg/common/providers/msp/provider.go 
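Review bot: The unchanged third error return in this hunk still formats `certFile` with `%s` ("Failed to find \"CERTIFICATE\" PEM block in file %s after skipping ..."), but `certFile` is now a `[]byte` holding the entire PEM input, so the message embeds the full PEM text instead of a file name. Drop the operand like the two rewritten messages above it: `return nil, errors.Errorf("Failed to find \"CERTIFICATE\" PEM block in bytes after skipping PEM blocks of the following types: %v", skippedBlockTypes)`. LoadX509KeyPair continues outside the hunk.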
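Review bot: `log.Debugf("Attempting fallback with certfile %s and keyfile %s", certFile, keyFile)` and `errors.Wrapf(err, "Could not get the private key %s that matches %s", keyFile, certFile)` now receive the PEM bytes of the private key, because `keyFile` changed from a path to `[]byte`; with `%s` the full private key is written to the debug log and embedded in the returned error, which callers routinely log. Neither line was touched by the commit, so the signature change introduces the exposure silently. Replace them with `log.Debug("Attempting fallback with X509KeyPair from cert and key bytes")` and `return nil, errors.Wrap(err, "Could not get the private key that matches the certificate")`. Also `if keyFile != nil` treats an empty non-nil slice as a key; `len(keyFile) > 0` is the safer test.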
@@ -27,12 +27,9 @@ type IdentityManagerProvider interface { type IdentityConfig interface { Client() (*ClientConfig, error) CAConfig(org string) (*CAConfig, error) - CAServerCertPems(org string) ([]string, error) - CAServerCertPaths(org string) ([]string, error) - CAClientKeyPem(org string) (string, error) - CAClientKeyPath(org string) (string, error) - CAClientCertPem(org string) (string, error) - CAClientCertPath(org string) (string, error) + CAServerCerts(org string) ([][]byte, error) + CAClientKey(org string) ([]byte, error) + CAClientCert(org string) ([]byte, error) CAKeyStorePath() string CredentialStorePath() string } diff --git a/pkg/common/providers/test/mockmsp/mockmsp.gen.go b/pkg/common/providers/test/mockmsp/mockmsp.gen.go index dd9cbba1c6..90928cf666 100644 --- a/pkg/common/providers/test/mockmsp/mockmsp.gen.go +++ b/pkg/common/providers/test/mockmsp/mockmsp.gen.go 
@@ -34,56 +34,30 @@ func (m *MockIdentityConfig) EXPECT() *MockIdentityConfigMockRecorder { return m.recorder } -// CAClientCertPath mocks base method -func (m *MockIdentityConfig) CAClientCertPath(arg0 string) (string, error) { - ret := m.ctrl.Call(m, "CAClientCertPath", arg0) - ret0, _ := ret[0].(string) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CAClientCertPath indicates an expected call of CAClientCertPath -func (mr *MockIdentityConfigMockRecorder) CAClientCertPath(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientCertPath", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientCertPath), arg0) -} - -// CAClientCertPem mocks base method -func (m *MockIdentityConfig) CAClientCertPem(arg0 string) (string, error) { - ret := m.ctrl.Call(m, "CAClientCertPem", arg0) - ret0, _ := ret[0].(string) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CAClientCertPem indicates an expected call of CAClientCertPem -func (mr *MockIdentityConfigMockRecorder) CAClientCertPem(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientCertPem", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientCertPem), arg0) -} - -// CAClientKeyPath mocks base method -func (m *MockIdentityConfig) CAClientKeyPath(arg0 string) (string, error) { - ret := m.ctrl.Call(m, "CAClientKeyPath", arg0) - ret0, _ := ret[0].(string) +// CAClientCert mocks base method +func (m *MockIdentityConfig) CAClientCert(arg0 string) ([]byte, error) { + ret := m.ctrl.Call(m, "CAClientCert", arg0) + ret0, _ := ret[0].([]byte) ret1, _ := ret[1].(error) return ret0, ret1 } -// CAClientKeyPath indicates an expected call of CAClientKeyPath -func (mr *MockIdentityConfigMockRecorder) CAClientKeyPath(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientKeyPath", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientKeyPath), arg0) +// CAClientCert indicates an expected call of 
CAClientCert +func (mr *MockIdentityConfigMockRecorder) CAClientCert(arg0 interface{}) *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientCert", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientCert), arg0) } -// CAClientKeyPem mocks base method -func (m *MockIdentityConfig) CAClientKeyPem(arg0 string) (string, error) { - ret := m.ctrl.Call(m, "CAClientKeyPem", arg0) - ret0, _ := ret[0].(string) +// CAClientKey mocks base method +func (m *MockIdentityConfig) CAClientKey(arg0 string) ([]byte, error) { + ret := m.ctrl.Call(m, "CAClientKey", arg0) + ret0, _ := ret[0].([]byte) ret1, _ := ret[1].(error) return ret0, ret1 } -// CAClientKeyPem indicates an expected call of CAClientKeyPem -func (mr *MockIdentityConfigMockRecorder) CAClientKeyPem(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientKeyPem", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientKeyPem), arg0) +// CAClientKey indicates an expected call of CAClientKey +func (mr *MockIdentityConfigMockRecorder) CAClientKey(arg0 interface{}) *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAClientKey", reflect.TypeOf((*MockIdentityConfig)(nil).CAClientKey), arg0) } // CAConfig mocks base method 
@@ -111,30 +85,17 @@ func (mr *MockIdentityConfigMockRecorder) CAKeyStorePath() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAKeyStorePath", reflect.TypeOf((*MockIdentityConfig)(nil).CAKeyStorePath)) } -// CAServerCertPaths mocks base method -func (m *MockIdentityConfig) CAServerCertPaths(arg0 string) ([]string, error) { - ret := m.ctrl.Call(m, "CAServerCertPaths", arg0) - ret0, _ := ret[0].([]string) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CAServerCertPaths indicates an expected call of CAServerCertPaths -func (mr *MockIdentityConfigMockRecorder) CAServerCertPaths(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAServerCertPaths", reflect.TypeOf((*MockIdentityConfig)(nil).CAServerCertPaths), arg0) -} - -// CAServerCertPems mocks base method -func (m *MockIdentityConfig) CAServerCertPems(arg0 string) ([]string, error) { - ret := m.ctrl.Call(m, "CAServerCertPems", arg0) - ret0, _ := ret[0].([]string) +// CAServerCerts mocks base method +func (m *MockIdentityConfig) CAServerCerts(arg0 string) ([][]byte, error) { + ret := m.ctrl.Call(m, "CAServerCerts", arg0) + ret0, _ := ret[0].([][]byte) ret1, _ := ret[1].(error) return ret0, ret1 } -// CAServerCertPems indicates an expected call of CAServerCertPems -func (mr *MockIdentityConfigMockRecorder) CAServerCertPems(arg0 interface{}) *gomock.Call { - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAServerCertPems", reflect.TypeOf((*MockIdentityConfig)(nil).CAServerCertPems), arg0) +// CAServerCerts indicates an expected call of CAServerCerts +func (mr *MockIdentityConfigMockRecorder) CAServerCerts(arg0 interface{}) *gomock.Call { + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CAServerCerts", reflect.TypeOf((*MockIdentityConfig)(nil).CAServerCerts), arg0) } // Client mocks base method diff --git a/pkg/fab/mocks/mockconfig.go b/pkg/fab/mocks/mockconfig.go index 4707b93cb4..4fa886534f 100644 --- a/pkg/fab/mocks/mockconfig.go 
+++ b/pkg/fab/mocks/mockconfig.go @@ -97,34 +97,19 @@ func (c *MockConfig) CAConfig(org string) (*msp.CAConfig, error) { return &caConfig, nil } -//CAServerCertPems Read configuration option for the server certificate embedded pems -func (c *MockConfig) CAServerCertPems(org string) ([]string, error) { +//CAServerCerts Read configuration option for the server certificates for given org +func (c *MockConfig) CAServerCerts(org string) ([][]byte, error) { return nil, nil } -//CAServerCertPaths Read configuration option for the server certificate files -func (c *MockConfig) CAServerCertPaths(org string) ([]string, error) { +//CAClientKey Read configuration option for the fabric CA client key for given org +func (c *MockConfig) CAClientKey(org string) ([]byte, error) { return nil, nil } -//CAClientKeyPem Read configuration option for the fabric CA client key from a string -func (c *MockConfig) CAClientKeyPem(org string) (string, error) { - return "", nil -} - -//CAClientKeyPath Read configuration option for the fabric CA client key file -func (c *MockConfig) CAClientKeyPath(org string) (string, error) { - return "", nil -} - -//CAClientCertPem Read configuration option for the fabric CA client cert from a string -func (c *MockConfig) CAClientCertPem(org string) (string, error) { - return "", nil -} - -//CAClientCertPath Read configuration option for the fabric CA client cert file -func (c *MockConfig) CAClientCertPath(org string) (string, error) { - return "", nil +//CAClientCert Read configuration option for the fabric CA client cert for given org +func (c *MockConfig) CAClientCert(org string) ([]byte, error) { + return nil, nil } //TimeoutOrDefault not implemented diff --git a/pkg/msp/caclient_test.go b/pkg/msp/caclient_test.go index 79a648b812..c65e109fcd 100644 --- a/pkg/msp/caclient_test.go +++ b/pkg/msp/caclient_test.go 
@@ -327,7 +327,7 @@ func TestCAServerCertPathsError(t *testing.T) { mockIdentityConfig := mockmspApi.NewMockIdentityConfig(mockCtrl) mockIdentityConfig.EXPECT().CAConfig(org1).Return(&msp.CAConfig{}, nil).AnyTimes() mockIdentityConfig.EXPECT().CredentialStorePath().Return(dummyUserStorePath).AnyTimes() - mockIdentityConfig.EXPECT().CAServerCertPaths(org1).Return(nil, errors.New("CAServerCertPaths error")) + mockIdentityConfig.EXPECT().CAServerCerts(org1).Return(nil, errors.New("CAServerCerts error")) mockContext := mockcontext.NewMockClient(mockCtrl) mockContext.EXPECT().EndpointConfig().Return(f.endpointConfig).AnyTimes() @@ -336,7 +336,7 @@ func TestCAServerCertPathsError(t *testing.T) { mockContext.EXPECT().CryptoSuite().Return(f.cryptoSuite).AnyTimes() _, err := NewCAClient(org1, mockContext) - if err == nil || !strings.Contains(err.Error(), "CAServerCertPaths error") { + if err == nil || !strings.Contains(err.Error(), "CAServerCerts error") { t.Fatalf("Expected error from CAServerCertPaths. Got: %v", err) } } @@ -353,8 +353,8 @@ func TestCAClientCertPathError(t *testing.T) { mockIdentityConfig := mockmspApi.NewMockIdentityConfig(mockCtrl) mockIdentityConfig.EXPECT().CAConfig(org1).Return(&msp.CAConfig{}, nil).AnyTimes() mockIdentityConfig.EXPECT().CredentialStorePath().Return(dummyUserStorePath).AnyTimes() - mockIdentityConfig.EXPECT().CAServerCertPaths(org1).Return([]string{"test"}, nil) - mockIdentityConfig.EXPECT().CAClientCertPath(org1).Return("", errors.New("CAClientCertPath error")) + mockIdentityConfig.EXPECT().CAServerCerts(org1).Return([][]byte{[]byte("test")}, nil) + mockIdentityConfig.EXPECT().CAClientCert(org1).Return(nil, errors.New("CAClientCertPath error")) mockContext := mockcontext.NewMockClient(mockCtrl) mockContext.EXPECT().EndpointConfig().Return(f.endpointConfig).AnyTimes() 
@@ -381,9 +381,9 @@ func TestCAClientKeyPathError(t *testing.T) { mockIdentityConfig := mockmspApi.NewMockIdentityConfig(mockCtrl) mockIdentityConfig.EXPECT().CAConfig(org1).Return(&msp.CAConfig{}, nil).AnyTimes() mockIdentityConfig.EXPECT().CredentialStorePath().Return(dummyUserStorePath).AnyTimes() - mockIdentityConfig.EXPECT().CAServerCertPaths(org1).Return([]string{"test"}, nil) - mockIdentityConfig.EXPECT().CAClientCertPath(org1).Return("", nil) - mockIdentityConfig.EXPECT().CAClientKeyPath(org1).Return("", errors.New("CAClientKeyPath error")) + mockIdentityConfig.EXPECT().CAServerCerts(org1).Return([][]byte{[]byte("test")}, nil) + mockIdentityConfig.EXPECT().CAClientCert(org1).Return([]byte(""), nil) + mockIdentityConfig.EXPECT().CAClientKey(org1).Return(nil, errors.New("CAClientKeyPath error")) mockContext := mockcontext.NewMockClient(mockCtrl) mockContext.EXPECT().EndpointConfig().Return(f.endpointConfig).AnyTimes() @@ -472,13 +472,13 @@ func getNoRegistrarBackend() (*mocks.MockConfigBackend, error) { } //tamper URLs - ca1Config := networkConfig.CertificateAuthorities["ca.org1.example.com"] + ca1Config := networkConfig.CertificateAuthorities["local.ca.org1.example.com"] ca1Config.Registrar = msp.EnrollCredentials{} - ca2Config := networkConfig.CertificateAuthorities["ca.org2.example.com"] + ca2Config := networkConfig.CertificateAuthorities["local.ca.org2.example.com"] ca1Config.Registrar = msp.EnrollCredentials{} - networkConfig.CertificateAuthorities["ca.org1.example.com"] = ca1Config - networkConfig.CertificateAuthorities["ca.org2.example.com"] = ca2Config + networkConfig.CertificateAuthorities["local.ca.org1.example.com"] = ca1Config + networkConfig.CertificateAuthorities["local.ca.org2.example.com"] = ca2Config //Override backend with this new CertificateAuthorities config mockConfigBackend.KeyValueMap["certificateAuthorities"] = networkConfig.CertificateAuthorities 
diff --git a/pkg/msp/fabcaadapter.go b/pkg/msp/fabcaadapter.go index 3b7f219a6d..b9fc0bab6d 100644 --- a/pkg/msp/fabcaadapter.go +++ b/pkg/msp/fabcaadapter.go @@ -171,18 +171,18 @@ func createFabricCAClient(org string, cryptoSuite core.CryptoSuite, config msp.I //set server URL c.Config.URL = endpoint.ToAddress(conf.URL) //certs file list - c.Config.TLS.CertFiles, err = config.CAServerCertPaths(org) + c.Config.TLS.CertFiles, err = config.CAServerCerts(org) if err != nil { return nil, err } // set key file and cert file - c.Config.TLS.Client.CertFile, err = config.CAClientCertPath(org) + c.Config.TLS.Client.CertFile, err = config.CAClientCert(org) if err != nil { return nil, err } - c.Config.TLS.Client.KeyFile, err = config.CAClientKeyPath(org) + c.Config.TLS.Client.KeyFile, err = config.CAClientKey(org) if err != nil { return nil, err } diff --git a/pkg/msp/identityconfig.go b/pkg/msp/identityconfig.go index 866b7fad54..7b9a2cb600 100644 --- a/pkg/msp/identityconfig.go +++ b/pkg/msp/identityconfig.go @@ -17,6 +17,8 @@ import ( "regexp" + "io/ioutil" + "github.com/hyperledger/fabric-sdk-go/pkg/common/errors/status" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core" "github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab" 
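Review bot: The comments `//certs file list` and `// set key file and cert file` above the rewritten assignments now describe byte slices rather than files; suggest `// server CA certificate PEM bytes` and `// client certificate and key PEM bytes for mutual TLS`. createFabricCAClient continues outside the hunk.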
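Review bot: `"io/ioutil"` is added in its own group between `"regexp"` and the github.com imports rather than alongside the other standard-library imports; goimports would place it next to `"regexp"`. `io/ioutil` is also deprecated since Go 1.16 in favour of `os.ReadFile`, though the vendored fabric-ca code in this diff still uses it, so switching can be a follow-up.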
@@ -71,52 +73,6 @@ func (c *IdentityConfig) CAConfig(org string) (*msp.CAConfig, error) { return &caConfig, nil } -// CAServerCertPems Read configuration option for the server certificates -// will send a list of cert pem contents directly from the config bytes array -func (c *IdentityConfig) CAServerCertPems(org string) ([]string, error) { - config, err := c.networkConfig() - if err != nil { - return nil, err - } - caName, err := c.getCAName(org) - if err != nil { - return nil, err - } - if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return nil, errors.Errorf("CA Server Name '%s' not found", caName) - } - certFilesPem := config.CertificateAuthorities[caName].TLSCACerts.Pem - certPems := make([]string, len(certFilesPem)) - copy(certPems, certFilesPem) - - return certPems, nil -} - -// CAServerCertPaths Read configuration option for the server certificates -// will send a list of cert file paths -func (c *IdentityConfig) CAServerCertPaths(org string) ([]string, error) { - config, err := c.networkConfig() - if err != nil { - return nil, err - } - caName, err := c.getCAName(org) - if err != nil { - return nil, err - } - if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return nil, errors.Errorf("CA Server Name '%s' not found", caName) - } - - certFiles := strings.Split(config.CertificateAuthorities[caName].TLSCACerts.Path, ",") - - certFileModPath := make([]string, len(certFiles)) - for i, v := range certFiles { - certFileModPath[i] = pathvar.Subst(v) - } - - return certFileModPath, nil -} - func (c *IdentityConfig) getCAName(org string) (string, error) { config, err := c.networkConfig() if err != nil { 
@@ -149,85 +105,91 @@ func (c *IdentityConfig) getCAName(org string) (string, error) { return certAuthorityName, nil } -// CAClientKeyPem Read configuration option for the fabric CA client key pem embedded in the client config -func (c *IdentityConfig) CAClientKeyPem(org string) (string, error) { +//CAClientCert read configuration for the fabric CA client cert bytes for given org +func (c *IdentityConfig) CAClientCert(org string) ([]byte, error) { config, err := c.networkConfig() if err != nil { - return "", err + return nil, err } caName, err := c.getCAName(org) if err != nil { - return "", err - } - if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return "", errors.Errorf("CA Server Name '%s' not found", caName) + return nil, err } - ca := config.CertificateAuthorities[strings.ToLower(caName)] - if len(ca.TLSCACerts.Client.Key.Pem) == 0 { - return "", errors.New("Empty Client Key Pem") + caConfig, ok := config.CertificateAuthorities[strings.ToLower(caName)] + if !ok { + return nil, errors.Errorf("CA Server Name %s not found", caName) } - return ca.TLSCACerts.Client.Key.Pem, nil + //subst path + caConfig.TLSCACerts.Client.Cert.Path = pathvar.Subst(caConfig.TLSCACerts.Client.Cert.Path) + + return caConfig.TLSCACerts.Client.Cert.Bytes() } -// CAClientKeyPath Read configuration option for the fabric CA client key file -func (c *IdentityConfig) CAClientKeyPath(org string) (string, error) { +//CAClientKey read configuration for the fabric CA client key bytes for given org +func (c *IdentityConfig) CAClientKey(org string) ([]byte, error) { config, err := c.networkConfig() if err != nil { - return "", err + return nil, err } caName, err := c.getCAName(org) if err != nil { - return "", err + return nil, err } - if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return "", errors.Errorf("CA Server Name '%s' not found", caName) + + caConfig, ok := config.CertificateAuthorities[strings.ToLower(caName)] + if !ok { + return 
nil, errors.Errorf("CA Server Name %s not found", caName) } - return pathvar.Subst(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Key.Path), nil + + //subst path + caConfig.TLSCACerts.Client.Key.Path = pathvar.Subst(caConfig.TLSCACerts.Client.Key.Path) + + return caConfig.TLSCACerts.Client.Key.Bytes() } -// CAClientCertPem Read configuration option for the fabric CA client cert pem embedded in the client config -func (c *IdentityConfig) CAClientCertPem(org string) (string, error) { +// CAServerCerts Read configuration option for the server certificates +// will send a list of cert bytes for given org +func (c *IdentityConfig) CAServerCerts(org string) ([][]byte, error) { config, err := c.networkConfig() if err != nil { - return "", err + return nil, err } - caName, err := c.getCAName(org) if err != nil { - return "", err - } - - if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return "", errors.Errorf("CA Server Name '%s' not found", caName) + return nil, err } - - ca := config.CertificateAuthorities[strings.ToLower(caName)] - if len(ca.TLSCACerts.Client.Cert.Pem) == 0 { - return "", errors.New("Empty Client Cert Pem") + caConfig, ok := config.CertificateAuthorities[strings.ToLower(caName)] + if !ok { + return nil, errors.Errorf("CA Server Name '%s' not found", caName) } - return ca.TLSCACerts.Client.Cert.Pem, nil -} + var serverCerts [][]byte -// CAClientCertPath Read configuration option for the fabric CA client cert file -func (c *IdentityConfig) CAClientCertPath(org string) (string, error) { - config, err := c.networkConfig() - if err != nil { - return "", err + //check for pems first + pems := caConfig.TLSCACerts.Pem + if len(pems) > 0 { + serverCerts = make([][]byte, len(pems)) + for i, pem := range pems { + serverCerts[i] = []byte(pem) + } + return serverCerts, nil } - caName, err := c.getCAName(org) - if err != nil { - return "", err - } - if _, ok := 
config.CertificateAuthorities[strings.ToLower(caName)]; !ok { - return "", errors.Errorf("CA Server Name %s not found", caName) + //check for files if pems not found + certFiles := strings.Split(config.CertificateAuthorities[caName].TLSCACerts.Path, ",") + serverCerts = make([][]byte, len(certFiles)) + for i, certPath := range certFiles { + bytes, err := ioutil.ReadFile(pathvar.Subst(certPath)) + if err != nil { + return nil, errors.Wrapf(err, "failed to load pem bytes from path %s", certPath) + } + serverCerts[i] = bytes } - return pathvar.Subst(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Cert.Path), nil + return serverCerts, nil } // CAKeyStorePath returns the same path as KeyStorePath() without the diff --git a/pkg/msp/identityconfig_test.go b/pkg/msp/identityconfig_test.go index 300df89fe1..88e5f2b4dd 100644 --- a/pkg/msp/identityconfig_test.go +++ b/pkg/msp/identityconfig_test.go @@ -9,8 +9,6 @@ package msp import ( "testing" - "fmt" - "os" "strings" @@ -41,7 +39,6 @@ func TestCAConfigFailsByNetworkConfig(t *testing.T) { backendMap := make(map[string]interface{}) backendMap["client"], _ = configBackend.Lookup("client") backendMap["certificateAuthorities"], _ = configBackend.Lookup("certificateAuthorities") - fmt.Println(configBackend.Lookup("certificateAuthorities")) backendMap["entityMatchers"], _ = configBackend.Lookup("entityMatchers") backendMap["peers"], _ = configBackend.Lookup("peers") backendMap["organizations"], _ = configBackend.Lookup("organizations") 
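Review bot: In the new CAServerCerts the file branch reads `config.CertificateAuthorities[caName].TLSCACerts.Path` with the original-case `caName`, while the existence check just above looked up `strings.ToLower(caName)` and already bound that entry to `caConfig`; for a mixed-case CA name the check passes, the path read hits a missing key and yields "", and `strings.Split("", ",")` gives `[""]`, so ReadFile fails with a misleading "failed to load pem bytes from path". The same `[""]` outcome occurs when neither pems nor a path are configured. Use `caConfig.TLSCACerts.Path` and reject an empty path explicitly (below). Separately, CAClientCert and CAClientKey write `pathvar.Subst(...)` back into `caConfig.TLSCACerts.Client.Cert.Path`/`Key.Path`; whether that mutates the shared network config depends on whether CertificateAuthorities holds values or pointers, which is not visible here — if pointers, substitute into a local copy instead. The not-found messages also differ between the three methods (`"CA Server Name %s not found"` vs `'%s'`).
```go
	//check for files if pems not found
	if caConfig.TLSCACerts.Path == "" {
		return nil, errors.Errorf("no TLS CA certificate pem or path configured for CA Server %s", caName)
	}
	certFiles := strings.Split(caConfig.TLSCACerts.Path, ",")
	// … unchanged: per-file ioutil.ReadFile loop and return …
```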
@@ -68,15 +65,14 @@ func TestCAConfigFailsByNetworkConfig(t *testing.T) { customBackend.KeyValueMap["certificateAuthorities"] = "" //Test CA client cert file failure scenario - certfile, err := sampleIdentityConfig.CAClientCertPath("peerorg1") - fmt.Println(err) - if certfile != "" || err == nil { + certfile, err := sampleIdentityConfig.CAClientCert("peerorg1") + if certfile != nil || err == nil { t.Fatal("CA Cert file location read supposed to fail") } //Test CA client cert file failure scenario - keyFile, err := sampleIdentityConfig.CAClientKeyPath("peerorg1") - if keyFile != "" || err == nil { + keyFile, err := sampleIdentityConfig.CAClientKey("peerorg1") + if keyFile != nil || err == nil { t.Fatal("CA Key file location read supposed to fail") } @@ -89,7 +85,7 @@ func TestCAConfigFailsByNetworkConfig(t *testing.T) { } func testCAServerCertFailureScenario(sampleIdentityConfig *IdentityConfig, t *testing.T) { - sCertFiles, err := sampleIdentityConfig.CAServerCertPaths("peerorg1") + sCertFiles, err := sampleIdentityConfig.CAServerCerts("peerorg1") if len(sCertFiles) > 0 || err == nil { t.Fatal("Getting CA server cert files supposed to fail") } @@ -115,8 +111,8 @@ func TestTLSCAConfigFromPems(t *testing.T) { } identityConfig := config.(*IdentityConfig) - certPem, _ := identityConfig.CAClientCertPem(org1) - certConfig := endpoint.TLSConfig{Pem: certPem} + certPem, _ := identityConfig.CAClientCert(org1) + certConfig := endpoint.TLSConfig{Pem: string(certPem)} cert, err := certConfig.TLSCert() @@ -144,9 +140,9 @@ func TestTLSCAConfigFromPems(t *testing.T) { t.Fatalf("TLSCACertPool failed %v", err) } - keyPem, _ := identityConfig.CAClientKeyPem(org1) + keyPem, _ := identityConfig.CAClientKey(org1) - keyConfig := endpoint.TLSConfig{Pem: keyPem} + keyConfig := endpoint.TLSConfig{Pem: string(keyPem)} _, err = keyConfig.TLSCert() if err == nil { 
@@ -214,22 +210,22 @@ SQtE5YgdxkUCIHReNWh/pluHTxeGu2jNCH1eh6o2ajSGeeizoapvdJbN checkPeerPem(org1, idConfig, peer0, t) // get CA Server cert pems (embedded) for org1 - checkCAServerCertPems("org1", idConfig, t) + checkCAServerCerts("org1", idConfig, t) // get the client cert pem (embedded) for org1 - checkClientCertPem(idConfig, "org1", t) + checkClientCert(idConfig, "org1", t) // get CA Server certs paths for org1 - checkCAServerCertsPath("org1", idConfig, t) + checkCAServerCerts("org1", idConfig, t) // get the client cert path for org1 - checkClientCertPath(idConfig, "org1", t) + checkClientCert(idConfig, "org1", t) // get the client key pem (embedded) for org1 - checkClientKeyPem(idConfig, "org1", t) + checkClientKey(idConfig, "org1", t) // get the client key file path for org1 - checkClientKeyFilePath(idConfig, "org1", t) + checkClientKey(idConfig, "org1", t) } func checkPeerPem(org string, idConfig *IdentityConfig, peer string, t *testing.T) { @@ -262,8 +258,8 @@ O94CDp7l2k7hMQI0zQ== } } -func checkCAServerCertPems(org string, idConfig *IdentityConfig, t *testing.T) { - certs, err := idConfig.CAServerCertPems(org) +func checkCAServerCerts(org string, idConfig *IdentityConfig, t *testing.T) { + certs, err := idConfig.CAServerCerts(org) if err != nil { t.Fatalf("Failed to load CAServerCertPems from config. Error: %s", err) } 
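Review bot: After the rename the test body calls `checkCAServerCerts("org1", idConfig, t)`, `checkClientCert(idConfig, "org1", t)` and `checkClientKey(idConfig, "org1", t)` twice each, because the former Pem and Path variants were both mapped onto the same helper; the second call of each pair adds no coverage and its comment ("get CA Server certs paths for org1") is now wrong. Drop the three duplicate calls and their comments, or, if the intent is to cover both the embedded-pem and file-path configurations, load two distinct config fixtures rather than calling one helper twice on the same config. The fatal message in checkCAServerCerts still says "Failed to load CAServerCertPems". The enclosing test function starts outside the hunk.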
@@ -272,42 +268,20 @@ func checkCAServerCertPems(org string, idConfig *IdentityConfig, t *testing.T) { } } -func checkClientCertPem(idConfig *IdentityConfig, org string, t *testing.T) { - _, err := idConfig.CAClientCertPem(org) +func checkClientCert(idConfig *IdentityConfig, org string, t *testing.T) { + cert, err := idConfig.CAClientCert(org) if err != nil { t.Fatalf("Failed to load CAClientCertPem from config. Error: %s", err) } + assert.True(t, len(cert) > 0, "Invalid cert") } -func checkCAServerCertsPath(org string, idConfig *IdentityConfig, t *testing.T) { - certs, err := idConfig.CAServerCertPaths(org) - if err != nil { - t.Fatalf("Failed to load CAServerCertPaths from config. Error: %s", err) - } - if len(certs) == 0 { - t.Fatalf("Got empty cert file paths for CAServerCertPaths") - } -} - -func checkClientCertPath(idConfig *IdentityConfig, org string, t *testing.T) { - _, err := idConfig.CAClientCertPath(org) - if err != nil { - t.Fatalf("Failed to load CAClientCertPath from config. Error: %s", err) - } -} - -func checkClientKeyPem(idConfig *IdentityConfig, org string, t *testing.T) { - _, err := idConfig.CAClientKeyPem(org) +func checkClientKey(idConfig *IdentityConfig, org string, t *testing.T) { + key, err := idConfig.CAClientKey(org) if err != nil { t.Fatalf("Failed to load CAClientKeyPem from config. Error: %s", err) } -} - -func checkClientKeyFilePath(idConfig *IdentityConfig, org string, t *testing.T) { - _, err := idConfig.CAClientKeyPath(org) - if err != nil { - t.Fatalf("Failed to load CAClientKeyPath from config. Error: %s", err) - } + assert.True(t, len(key) > 0, "Invalid key") } func loadConfigBytesFromFile(t *testing.T, filePath string) ([]byte, error) { @@ -333,7 +307,7 @@ func loadConfigBytesFromFile(t *testing.T, filePath string) ([]byte, error) { return cBytes, err } -func TestCAConfig(t *testing.T) { +func TestCAConfigCryptoFiles(t *testing.T) { //Test config backend, err := config.FromFile(configTestFilePath)() if err != nil { 
@@ -345,67 +319,68 @@ func TestCAConfig(t *testing.T) { t.Fatal("Failed to get identity config") } identityConfig := config.(*IdentityConfig) - //Test Crypto config path - val, ok := backend.Lookup("client.cryptoconfig.path") - if !ok || val == nil { - t.Fatal("expected valid value") - } + //Testing CA Client File Location + certfile, err := identityConfig.CAClientCert(org1) + assert.Nil(t, err, "CA Cert file location read failed ") + assert.True(t, len(certfile) > 0) - assert.True(t, pathvar.Subst(val.(string)) == identityConfig.endpointConfig.CryptoConfigPath(), "Incorrect crypto config path", t) + //Testing CA Key File Location + keyFile, err := identityConfig.CAClientKey(org1) + assert.Nil(t, err, "CA Key file location read failed ") + assert.True(t, len(keyFile) > 0) - //Testing CA Client File Location - certfile, err := identityConfig.CAClientCertPath(org1) + //Testing CA Server Cert Files + sCertFiles, err := identityConfig.CAServerCerts(org1) + assert.Nil(t, err, "Getting CA server cert files failed") + assert.True(t, len(sCertFiles) > 0) + +} - if certfile == "" || err != nil { - t.Fatalf("CA Cert file location read failed %s", err) +func TestCAConfig(t *testing.T) { + //Test config + backend, err := config.FromFile(configTestFilePath)() + if err != nil { + t.Fatal("Failed to get config backend") } - //Testing CA Key File Location - keyFile, err := identityConfig.CAClientKeyPath(org1) + config, err := ConfigFromBackend(backend) + if err != nil { + t.Fatal("Failed to get identity config") + } + identityConfig := config.(*IdentityConfig) + //Test Crypto config path - if keyFile == "" || err != nil { - t.Fatal("CA Key file location read failed") + val, ok := backend.Lookup("client.cryptoconfig.path") + if !ok || val == nil { + t.Fatal("expected valid value") } - //Testing CA Server Cert Files - testCAServerCertFiles(identityConfig, t, org1) + assert.True(t, pathvar.Subst(val.(string)) == identityConfig.endpointConfig.CryptoConfigPath(), "Incorrect crypto 
config path", t) //Testing MSPID - testMSPID(identityConfig, t, org1) + mspID, err := identityConfig.endpointConfig.MSPID(org1) + assert.Nil(t, err, "Get MSP ID failed") + assert.True(t, mspID == "Org1MSP", "Get MSP ID failed") + + // testing empty OrgMSP + _, err = identityConfig.endpointConfig.MSPID("dummyorg1") + assert.NotNil(t, err, "Get MSP ID did not fail for dummyorg1") + assert.True(t, err.Error() == "MSP ID is empty for org: dummyorg1", "Get MSP ID did not fail for dummyorg1") //Testing CAConfig - testCAConfig(identityConfig, t, org1) + caConfig, err := identityConfig.CAConfig(org1) + assert.Nil(t, err, "Get CA Config failed") + assert.NotNil(t, caConfig, "Get CA Config failed") // Test CA KeyStore Path testCAKeyStorePath(backend, t, identityConfig) // test Client - testClient(identityConfig, t) - - // testing empty OrgMSP - testEmptyOrgMsp(identityConfig, t) -} - -func testCAServerCertFiles(identityConfig *IdentityConfig, t *testing.T, org string) { - sCertFiles, err := identityConfig.CAServerCertPaths(org) - if len(sCertFiles) == 0 || err != nil { - t.Fatal("Getting CA server cert files failed") - } -} - -func testMSPID(identityConfig *IdentityConfig, t *testing.T, org string) { - mspID, err := identityConfig.endpointConfig.MSPID(org) - if mspID != "Org1MSP" || err != nil { - t.Fatal("Get MSP ID failed") - } -} + c, err := identityConfig.Client() + assert.Nil(t, err, "Received error when fetching Client info") + assert.NotNil(t, c, "Received error when fetching Client info") -func testCAConfig(identityConfig *IdentityConfig, t *testing.T, org string) { - caConfig, err := identityConfig.CAConfig(org) - if caConfig == nil || err != nil { - t.Fatal("Get CA Config failed") - } } func testCAKeyStorePath(backend core.ConfigBackend, t *testing.T, identityConfig *IdentityConfig) { 
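Review bot: In the new `dummyorg1` branch of `TestCAConfig`, `assert.NotNil(t, err, ...)` does not stop the test, so if `MSPID("dummyorg1")` ever returns a nil error the following `err.Error() == "MSP ID is empty for org: dummyorg1"` dereferences nil and the test aborts with a panic instead of a readable assertion failure. `assert.EqualError(t, err, "MSP ID is empty for org: dummyorg1", "Get MSP ID did not fail for dummyorg1")` covers both the nil case and the message in one call. The moved line `assert.True(t, pathvar.Subst(val.(string)) == ..., "Incorrect crypto config path", t)` passes `t` as a trailing message argument, which testify prints as part of the failure text; dropping that last argument is worth doing while the line is being touched. Both test functions in this hunk begin and end within it, but `TestCAConfigCryptoFiles` opens in the previous hunk.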
@@ -426,19 +401,35 @@ func testCAKeyStorePath(backend core.ConfigBackend, t *testing.T, identityConfig } } -func testClient(identityConfig *IdentityConfig, t *testing.T) { - c, err := identityConfig.Client() +func TestCACertAndKeys(t *testing.T) { + + backend, err := config.FromFile(configEmbeddedUsersTestFilePath)() if err != nil { - t.Fatalf("Received error when fetching Client info, error is %s", err) + t.Fatal("Failed to get config backend") } - if c == nil { - t.Fatal("Received empty client when fetching Client info") + orgIDs := []string{"org1", "org2"} + + config, err := ConfigFromBackend(backend) + if err != nil { + t.Fatal("Failed to get identity config") } -} + identityConfig := config.(*IdentityConfig) -func testEmptyOrgMsp(identityConfig *IdentityConfig, t *testing.T) { - _, err := identityConfig.endpointConfig.MSPID("dummyorg1") - if err == nil { - t.Fatal("Get MSP ID did not fail for dummyorg1") + for _, orgID := range orgIDs { + val, err := identityConfig.CAClientCert(orgID) + assert.Nil(t, err, "identityConfig.CAClientCert not supposed to return error") + assert.True(t, len(val) > 0, "identityConfig.CAClientCert supposed to return valid cert") + + val, err = identityConfig.CAClientKey(orgID) + assert.Nil(t, err, "identityConfig.CAClientKey not supposed to return error") + assert.True(t, len(val) > 0, "identityConfig.CAClientKey supposed to return valid key") + + vals, err := identityConfig.CAServerCerts(orgID) + assert.Nil(t, err, "identityConfig.CAClientKey not supposed to return error") + assert.True(t, len(vals) > 0, "identityConfig.CAClientKey supposed to return server certs") + for _, v := range vals { + assert.True(t, len(v) > 0, "identityConfig.CAClientKey supposed to return valid server cert") + } } + } diff --git a/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh b/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh index 9772189d03..35d981d441 100755 
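Review bot: The three assertions on `identityConfig.CAServerCerts(orgID)` in `TestCACertAndKeys` carry copy-pasted messages that name `identityConfig.CAClientKey`, so a failure in the server-cert path would be reported against the wrong accessor. Change them to `assert.Nil(t, err, "identityConfig.CAServerCerts not supposed to return error")`, `assert.True(t, len(vals) > 0, "identityConfig.CAServerCerts supposed to return server certs")` and, inside the loop, `"identityConfig.CAServerCerts supposed to return valid server cert"`. The local `config, err := ConfigFromBackend(backend)` also shadows the `config` package used two statements earlier, which works but trips staticcheck and the reader; `idCfg` or `cfg` would avoid it, as would the same change in `TestCAConfig` in the previous hunk.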
--- a/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh +++ b/scripts/third_party_pins/fabric-ca/apply_fabric_ca_client_utils.sh @@ -86,6 +86,11 @@ for i in {1..4} do sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" done +START_LINE=`grep -n "err := tls.AbsTLSClient(&c.Config.TLS, c.HomeDir)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'` +for i in {1..4} +do + sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +done FILTER_FILENAME="lib/identity.go" FILTER_FN="newIdentity,Revoke,Post,addTokenAuthHdr,GetECert,Reenroll,Register,GetName" 
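Review bot: If the added `grep -n "err := tls.AbsTLSClient(&c.Config.TLS, c.HomeDir)"` matches nothing, for instance after the pinned fabric-ca revision is moved, `START_LINE` is empty and each `sed -i'' -e ${START_LINE}'d'` becomes a bare `d`, which silently deletes every line of the filtered file; the same unguarded pattern is repeated by the new `START_LINE` blocks in the next two hunks (the `ServerTLSConfig`, `caCert, err := ioutil.ReadFile(cacert)`, `certPEM, err := ioutil.ReadFile(certFile)` and `certPEMBlock, err := ioutil.ReadFile(certFile)` anchors). Guard every assignment, e.g. `[ -n "${START_LINE}" ] || { echo "anchor not found in ${FILTER_FILENAME}" >&2; exit 1; }`. Deleting a fixed count of four lines from the anchor also removes the wrong lines without any error if the upstream block ever changes size; a single range delete such as `sed -i'' -e "${START_LINE},$((START_LINE+3))d" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"` does the job in one pass and makes that assumption visible.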
@@ -116,13 +121,37 @@ FILTER_FN="GetCertID,BytesToX509Cert,addQueryParm" gofilter FILTER_FILENAME="lib/tls/tls.go" -FILTER_FN="GetClientTLSConfig,AbsTLSClient,checkCertDates" +FILTER_FN="GetClientTLSConfig,checkCertDates" gofilter sed -i'' -e '/log "github.com\// a\ "github.com\/hyperledger\/fabric-sdk-go\/pkg\/common\/providers\/core"\ ' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" sed -i'' -e 's/bccsp.BCCSP/core.CryptoSuite/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" - +START_LINE=`grep -n "// ServerTLSConfig defines key material for a TLS server" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'` +for i in {1..14} +do + sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +done +sed -i'' -e 's/CertFiles \[\]string `help:"A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)"`/CertFiles \[\]\[\]byte `help:"A list of comma-separated PEM-encoded trusted certificate bytes"`/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/KeyFile string `help:"PEM-encoded key file when mutual authentication is enabled"`/KeyFile []byte `help:"PEM-encoded key bytes when mutual authentication is enabled"`/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/CertFile string `help:"PEM-encoded certificate file when mutual authenticate is enabled"`/CertFile []byte `help:"PEM-encoded certificate bytes when mutual authenticate is enabled"`/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e '/\log.Debugf("Client Cert File:/d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e '/\log.Debugf("Client Key File:/d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e '/\log.Debugf("CA Files:/d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/cfg.Client.CertFile != ""/cfg.Client.CertFile != nil/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +START_LINE=`grep -n "caCert, err := ioutil.ReadFile(cacert)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'` +for i 
in {1..4} +do + sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +done +sed -i'' -e 's/caCert/cacert/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/errors.Errorf("Failed to process certificate from file %s", cacert)/errors.New("Failed to process certificate")/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/func checkCertDates(certFile string) error {/func checkCertDates(certPEM []byte) error {/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +START_LINE=`grep -n "certPEM, err := ioutil.ReadFile(certFile)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'` +for i in {1..4} +do + sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +done FILTER_FILENAME="util/csp.go" FILTER_FN=",getBCCSPKeyOpts,ImportBCCSPKeyFromPEM,LoadX509KeyPair,GetSignerFromCert,BCCSPKeyRequestGenerate" 
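Review bot: The substitution `s/cfg.Client.CertFile != ""/cfg.Client.CertFile != nil/g` changes the "no client cert configured" test from empty-string to nil-slice, so a present-but-empty value (an empty, non-nil `[]byte`) now enters the mutual-TLS branch and fails later inside the key-pair load instead of being treated as absent the way `""` was; the `s/keyFile != ""/keyFile != nil/g` rewrite in the next hunk has the same shift. Rewriting both to `len(cfg.Client.CertFile) != 0` and `len(keyFile) != 0` keeps the original semantics for byte slices regardless of how the config layer materialises an unset field. Whether the loader can actually produce an empty non-nil slice here is not visible in this diff, so this is a hedge rather than a known failure.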
@@ -160,6 +189,20 @@ sed -i'' -e '/key, err := factory.PEMtoPrivateKey(keyBuff, nil)/ i\ func ImportBCCSPKeyFromPEMBytes(keyBuff []byte, myCSP core.CryptoSuite, temporary bool) (core.Key, error) { \ keyFile := "pem bytes" \ ' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/LoadX509KeyPair(certFile, keyFile string, csp core.CryptoSuite)/LoadX509KeyPair(certFile, keyFile []byte, csp core.CryptoSuite)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e '/certPEMBlock, err := ioutil.ReadFile(certFile)/ i\ + certPEMBlock := certFile\ + ' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +START_LINE=`grep -n "certPEMBlock, err := ioutil.ReadFile(certFile)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'` +for i in {1..4} +do + sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +done +sed -i'' -e 's/errors.Errorf("Failed to find PEM block in file %s", certFile)/errors.New("Failed to find PEM block in bytes")/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/errors.Errorf("Failed to find certificate PEM data in file %s, but did find a private key; PEM inputs may have been switched", certFile)/errors.New("Failed to find certificate PEM data in bytes, but did find a private key; PEM inputs may have been switched")/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/errors.Errorf("Failed to find \"CERTIFICATE\" PEM block in file %s after skipping PEM blocks of the following types: %v", certFile, skippedBlockTypes)/errors.Errorf("Failed to find \"CERTIFICATE\" PEM block in bytes after skipping PEM blocks of the following types: %v", skippedBlockTypes)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/keyFile != ""/keyFile != nil/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" +sed -i'' -e 's/tls.LoadX509KeyPair(certFile, keyFile)/tls.X509KeyPair(certFile, keyFile)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" FILTER_FILENAME="util/util.go"