[FAB-6986] cryptogen support for NodeOUs

Since cryptogen is used to generate MSPs used in many of the samples as well as by clients to bootstrap their test networks, it makes sense to add support for testing the NodeOU support added in FAB-5664. In order to keep things simple, crypotgen now provides an option to enable NodeOU support and uses a fixed set of OUs to avoid unnecessary confusion and complexity. Change-Id: I40745caa1761113c1358efc4c6ff05dda64e3ee9 Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
hyperledger · Feb 8, 2018 · 16e209b · 16e209b
1 parent 9c54ba3
commit 16e209b
Show file tree

Hide file tree

Showing 8 changed files with 166 additions and 123 deletions.
diff --git a/common/tools/cryptogen/ca/ca_test.go b/common/tools/cryptogen/ca/ca_test.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package ca_test
 
@@ -62,7 +52,7 @@ func TestLoadCertificateECDSA(t *testing.T) {
  rootCA, err := ca.NewCA(caDir, testCA3Name, testCA3Name, testCountry, testProvince, testLocality, testOrganizationalUnit, testStreetAddress, testPostalCode)
  assert.NoError(t, err, "Error generating CA")
 
- cert, err := rootCA.SignCertificate(certDir, testName3, nil, ecPubKey,
+ cert, err := rootCA.SignCertificate(certDir, testName3, nil, nil, ecPubKey,
  x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
  []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
  assert.NoError(t, err, "Failed to generate signed certificate")
@@ -128,7 +118,7 @@ func TestGenerateSignCertificate(t *testing.T) {
  rootCA, err := ca.NewCA(caDir, testCA2Name, testCA2Name, testCountry, testProvince, testLocality, testOrganizationalUnit, testStreetAddress, testPostalCode)
  assert.NoError(t, err, "Error generating CA")
 
- cert, err := rootCA.SignCertificate(certDir, testName, nil, ecPubKey,
+ cert, err := rootCA.SignCertificate(certDir, testName, nil, nil, ecPubKey,
  x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
  []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
  assert.NoError(t, err, "Failed to generate signed certificate")
@@ -137,14 +127,21 @@ func TestGenerateSignCertificate(t *testing.T) {
  cert.KeyUsage)
  assert.Contains(t, cert.ExtKeyUsage, x509.ExtKeyUsageAny)
 
- cert, err = rootCA.SignCertificate(certDir, testName, nil, ecPubKey,
+ cert, err = rootCA.SignCertificate(certDir, testName, nil, nil, ecPubKey,
  x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
  assert.NoError(t, err, "Failed to generate signed certificate")
  assert.Equal(t, 0, len(cert.ExtKeyUsage))
 
+ // make sure ous are correctly set
+ ous := []string{"TestOU", "PeerOU"}
+ cert, err = rootCA.SignCertificate(certDir, testName, ous, nil, ecPubKey,
+ x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
+ assert.Contains(t, cert.Subject.OrganizationalUnit, ous[0])
+ assert.Contains(t, cert.Subject.OrganizationalUnit, ous[1])
+
  // make sure sans are correctly set
  sans := []string{testName2, testIP}
- cert, err = rootCA.SignCertificate(certDir, testName, sans, ecPubKey,
+ cert, err = rootCA.SignCertificate(certDir, testName, nil, sans, ecPubKey,
  x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
  assert.Contains(t, cert.DNSNames, testName2)
  assert.Contains(t, cert.IPAddresses, net.ParseIP(testIP).To4())
@@ -154,7 +151,7 @@ func TestGenerateSignCertificate(t *testing.T) {
  assert.Equal(t, true, checkForFile(pemFile),
  "Expected to find file "+pemFile)
 
- _, err = rootCA.SignCertificate(certDir, "empty/CA", nil, ecPubKey,
+ _, err = rootCA.SignCertificate(certDir, "empty/CA", nil, nil, ecPubKey,
  x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
  assert.Error(t, err, "Bad name should fail")
 
@@ -163,7 +160,7 @@ func TestGenerateSignCertificate(t *testing.T) {
  Name: "badCA",
  SignCert: &x509.Certificate{},
  }
- _, err = badCA.SignCertificate(certDir, testName, nil, &ecdsa.PublicKey{},
+ _, err = badCA.SignCertificate(certDir, testName, nil, nil, &ecdsa.PublicKey{},
  x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
  assert.Error(t, err, "Empty CA should not be able to sign")
  cleanup(testDir)

diff --git a/common/tools/cryptogen/ca/generator.go b/common/tools/cryptogen/ca/generator.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package ca
 
@@ -103,7 +93,7 @@ func NewCA(baseDir, org, name, country, province, locality, orgUnit, streetAddre
 
 // SignCertificate creates a signed certificate based on a built-in template
 // and saves it in baseDir/name
-func (ca *CA) SignCertificate(baseDir, name string, sans []string, pub *ecdsa.PublicKey,
+func (ca *CA) SignCertificate(baseDir, name string, ous, sans []string, pub *ecdsa.PublicKey,
  ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
 
  template := x509Template()
@@ -114,6 +104,8 @@ func (ca *CA) SignCertificate(baseDir, name string, sans []string, pub *ecdsa.Pu
  subject := subjectTemplateAdditional(ca.Country, ca.Province, ca.Locality, ca.OrganizationalUnit, ca.StreetAddress, ca.PostalCode)
  subject.CommonName = name
 
+ subject.OrganizationalUnit = append(subject.OrganizationalUnit, ous...)
+
  template.Subject = subject
  for _, san := range sans {
  // try to parse as an IP address first

diff --git a/common/tools/cryptogen/csp/csp.go b/common/tools/cryptogen/csp/csp.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package csp
 

diff --git a/common/tools/cryptogen/csp/csp_test.go b/common/tools/cryptogen/csp/csp_test.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package csp_test
 

diff --git a/common/tools/cryptogen/main.go b/common/tools/cryptogen/main.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package main
 
@@ -75,12 +65,13 @@ type UsersSpec struct {
 }
 
 type OrgSpec struct {
- Name string `yaml:"Name"`
- Domain string `yaml:"Domain"`
- CA NodeSpec `yaml:"CA"`
- Template NodeTemplate `yaml:"Template"`
- Specs []NodeSpec `yaml:"Specs"`
- Users UsersSpec `yaml:"Users"`
+ Name string `yaml:"Name"`
+ Domain string `yaml:"Domain"`
+ EnableNodeOUs bool `yaml:"EnableNodeOUs"`
+ CA NodeSpec `yaml:"CA"`
+ Template NodeTemplate `yaml:"Template"`
+ Specs []NodeSpec `yaml:"Specs"`
+ Users UsersSpec `yaml:"Users"`
 }
 
 type Config struct {
@@ -114,6 +105,7 @@ PeerOrgs:
  # ---------------------------------------------------------------------------
  - Name: Org1
  Domain: org1.example.com
+ EnableNodeOUs: false
 
  # ---------------------------------------------------------------------------
  # "CA"
@@ -197,6 +189,7 @@ PeerOrgs:
  # ---------------------------------------------------------------------------
  - Name: Org2
  Domain: org2.example.com
+ EnableNodeOUs: false
  Template:
  Count: 1
  Users:
@@ -315,7 +308,7 @@ func extendPeerOrg(orgSpec OrgSpec) {
  signCA := getCA(caDir, orgSpec, orgSpec.CA.CommonName)
  tlsCA := getCA(tlscaDir, orgSpec, "tls"+orgSpec.CA.CommonName)
 
- generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER)
+ generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER, orgSpec.EnableNodeOUs)
 
  adminUser := NodeSpec{
  CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -341,7 +334,7 @@ func extendPeerOrg(orgSpec OrgSpec) {
  users = append(users, user)
  }
 
- generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
+ generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT, orgSpec.EnableNodeOUs)
 }
 
 func extendOrdererOrg(orgSpec OrgSpec) {
@@ -360,7 +353,7 @@ func extendOrdererOrg(orgSpec OrgSpec) {
  signCA := getCA(caDir, orgSpec, orgSpec.CA.CommonName)
  tlsCA := getCA(tlscaDir, orgSpec, "tls"+orgSpec.CA.CommonName)
 
- generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER)
+ generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER, false)
 
  adminUser := NodeSpec{
  CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -533,13 +526,13 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
  os.Exit(1)
  }
 
- err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA)
+ err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA, orgSpec.EnableNodeOUs)
  if err != nil {
  fmt.Printf("Error generating MSP for org %s:\n%v\n", orgName, err)
  os.Exit(1)
  }
 
- generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER)
+ generateNodes(peersDir, orgSpec.Specs, signCA, tlsCA, msp.PEER, orgSpec.EnableNodeOUs)
 
  // TODO: add ability to specify usernames
  users := []NodeSpec{}
@@ -556,7 +549,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
  }
 
  users = append(users, adminUser)
- generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
+ generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT, orgSpec.EnableNodeOUs)
 
  // copy the admin cert to the org's MSP admincerts
  err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)
@@ -603,12 +596,12 @@ func copyAdminCert(usersDir, adminCertsDir, adminUserName string) error {
 
 }
 
-func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int) {
+func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA, nodeType int, nodeOUs bool) {
 
  for _, node := range nodes {
  nodeDir := filepath.Join(baseDir, node.CommonName)
  if _, err := os.Stat(nodeDir); os.IsNotExist(err) {
- err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType)
+ err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType, nodeOUs)
  if err != nil {
  fmt.Printf("Error generating local MSP for %s:\n%v\n", node, err)
  os.Exit(1)
@@ -642,13 +635,13 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
  os.Exit(1)
  }
 
- err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA)
+ err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA, false)
  if err != nil {
  fmt.Printf("Error generating MSP for org %s:\n%v\n", orgName, err)
  os.Exit(1)
  }
 
- generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER)
+ generateNodes(orderersDir, orgSpec.Specs, signCA, tlsCA, msp.ORDERER, false)
 
  adminUser := NodeSpec{
  CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
@@ -658,7 +651,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
  users := []NodeSpec{}
  // add an admin user
  users = append(users, adminUser)
- generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT)
+ generateNodes(usersDir, users, signCA, tlsCA, msp.CLIENT, false)
 
  // copy the admin cert to the org's MSP admincerts
  err = copyAdminCert(usersDir, adminCertsDir, adminUser.CommonName)