From b17fd0343acc16b6758ef8909f8864b793dca2cc Mon Sep 17 00:00:00 2001
From: andrew-coleman
Date: Fri, 11 Feb 2022 11:08:32 +0000
Subject: [PATCH] Add Intermediate CA certs to dial options

The gateway was omitting to include TLS intermediate certificates in the dial options when connecting to other nodes. This commit appends them to the splice of root certs in the endpoint config.

Signed-off-by: andrew-coleman
---
 internal/pkg/gateway/registry.go | 10 +++++++---
 internal/pkg/gateway/registry_test.go | 11 ++++++++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/internal/pkg/gateway/registry.go b/internal/pkg/gateway/registry.go
index 8a8f5a5f7bd..4544d2bc1ca 100644
--- a/internal/pkg/gateway/registry.go
+++ b/internal/pkg/gateway/registry.go
@@ -353,7 +353,8 @@ func (reg *registry) connectChannelPeers(channel string, force bool) error {
 for mspid, infoset := range reg.discovery.IdentityInfo().ByOrg() {
 var tlsRootCerts [][]byte
 if mspInfo, ok := config.GetMsps()[mspid]; ok {
- tlsRootCerts = mspInfo.GetTlsRootCerts()
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsIntermediateCerts()...)
 }
 for _, info := range infoset {
 pkiid := info.PKIId
@@ -402,7 +403,8 @@ func (reg *registry) config(channel string) ([]*endpointConfig, error) {
 for mspid, eps := range config.GetOrderers() {
 var tlsRootCerts [][]byte
 if mspInfo, ok := config.GetMsps()[mspid]; ok {
- tlsRootCerts = mspInfo.GetTlsRootCerts()
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsIntermediateCerts()...)
 }
 for _, ep := range eps.Endpoint {
 address := fmt.Sprintf("%s:%d", ep.Host, ep.Port)
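Review bot: The slice that now holds both `TlsRootCerts` and `TlsIntermediateCerts` keeps the name `tlsRootCerts` (likewise in the -402 hunk below and in configUpdate at -420), and nothing in the hunk records that the intermediates end up in `endpointConfig.tlsRootCerts` next to the roots, i.e. trusted in the same way rather than used only for chain building. A short comment above the first append, `// intermediate CAs are trusted alongside the roots, matching the MSP's TLS CA set`, or renaming the local to `tlsCACerts`, would keep a later reader from assuming only `TlsRootCerts` are anchors. The same three lines are repeated verbatim in the -402 hunk; a helper (sketched below, assuming `config.GetMsps()` yields the `*msp.FabricMSPConfig` the test file constructs) puts that decision in one documented place. If registry.go imports the proto `msp` package, note that the local `msp := org.MSP()` in the -420 hunk shadows it inside that loop. connectChannelPeers and config both continue outside their hunks.
```go
// tlsCACerts returns the MSP's TLS root CAs followed by its TLS intermediate CAs.
// Callers store the result in endpointConfig.tlsRootCerts, so the intermediates
// are trusted alongside the roots rather than used only to build chains.
func tlsCACerts(mspInfo *msp.FabricMSPConfig) [][]byte {
	roots, inters := mspInfo.GetTlsRootCerts(), mspInfo.GetTlsIntermediateCerts()
	certs := make([][]byte, 0, len(roots)+len(inters))
	certs = append(certs, roots...)
	return append(certs, inters...)
}

// … unchanged: connectChannelPeers loop, with the two appends replaced by
// tlsRootCerts = tlsCACerts(mspInfo) …
```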
@@ -420,7 +422,9 @@ func (reg *registry) configUpdate(bundle *channelconfig.Bundle) {
 var channelOrderers []*endpointConfig
 for _, org := range ordererConfig.Organizations() {
 mspid := org.MSPID()
- tlsRootCerts := org.MSP().GetTLSRootCerts()
+ msp := org.MSP()
+ tlsRootCerts := append([][]byte{}, msp.GetTLSRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, msp.GetTLSIntermediateCerts()...)
 for _, address := range org.Endpoints() {
 channelOrderers = append(channelOrderers, &endpointConfig{address: address, mspid: mspid, tlsRootCerts: tlsRootCerts})
 reg.logger.Debugw("Channel orderer", "address", address, "mspid", mspid)
diff --git a/internal/pkg/gateway/registry_test.go b/internal/pkg/gateway/registry_test.go
index c535f3ca955..c9ea4690c96 100644
--- a/internal/pkg/gateway/registry_test.go
+++ b/internal/pkg/gateway/registry_test.go
@@ -32,6 +32,7 @@ func TestOrdererCache(t *testing.T) {
 orderers, err := test.server.registry.orderers(channelName)
 require.NoError(t, err)
 require.Len(t, orderers, 1)
+ require.Len(t, orderers[0].tlsRootCerts, 3) // 1 tlsrootCA + 2 tlsintermediateCAs
 // trigger the config update callback, updating the orderers
 bundle, err := createChannelConfigBundle(channelName, []string{"orderer1:7050", "orderer2:7050", "orderer3:7050"})
@@ -40,6 +41,7 @@ func TestOrdererCache(t *testing.T) {
 orderers, err = test.server.registry.orderers(channelName)
 require.NoError(t, err)
 require.Len(t, orderers, 3)
+ require.Len(t, orderers[2].tlsRootCerts, 2) // 1 tlsrootCA + 1 tlsintermediateCA from sampleconfig folder
 }
 func TestStaleOrdererConnections(t *testing.T) {
@@ -75,8 +77,6 @@ func TestStaleOrdererConnections(t *testing.T) {
 func TestStaleMultiChannelOrdererConnections(t *testing.T) {
 channel1 := "channel1"
- // channel2 := "channel2"
- // channel3 := "channel3"
 def := &testDef{
 config: buildConfig(t, []string{"orderer1", "orderer2"}),
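Review bot: The new assertion in the -32 hunk checks only the length of `orderers[0].tlsRootCerts`, and the one in the -40 hunk only `orderers[2]`, so a regression that placed the wrong or duplicated certificates in the slice would still pass as long as the count matched. Checking every orderer in the second case is a one-liner, `for _, o := range orderers { require.Len(t, o.tlsRootCerts, 2) }`; pinning the actual bytes in the first case would need buildConfig to hand back the CAs it creates, which is a larger change. The `2` is tied to the sampleconfig fixture, as the comment says, so a fixture change will surface here as an apparent gateway bug; naming the fixture files in that comment would shorten the diagnosis. TestOrdererCache starts before the -32 hunk.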
@@ -121,6 +121,10 @@ func TestStaleMultiChannelOrdererConnections(t *testing.T) {
 func buildConfig(t *testing.T, orderers []string) *dp.ConfigResult {
 ca, err := tlsgen.NewCA()
 require.NoError(t, err)
+ ica1, err := ca.NewIntermediateCA()
+ require.NoError(t, err)
+ ica2, err := ica1.NewIntermediateCA()
+ require.NoError(t, err)
 var endpoints []*dp.Endpoint
 for _, o := range orderers {
 endpoints = append(endpoints, &dp.Endpoint{Host: o, Port: 7050})
@@ -134,7 +138,8 @@ func buildConfig(t *testing.T, orderers []string) *dp.ConfigResult {
 },
 Msps: map[string]*msp.FabricMSPConfig{
 "msp1": {
- TlsRootCerts: [][]byte{ca.CertBytes()},
+ TlsRootCerts: [][]byte{ca.CertBytes()},
+ TlsIntermediateCerts: [][]byte{ica1.CertBytes(), ica2.CertBytes()},
 },
 },
 }
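Review bot: buildConfig is a test helper, and the two `require.NoError` calls added in the -121 hunk will report failures at the line inside the helper rather than in the calling test; adding `t.Helper()` as the first statement after the signature fixes the attribution for all four checks. The fixture now builds a two-level chain, `ca` issuing `ica1` and `ica1` issuing `ica2`, which is what the `3` in TestOrdererCache counts on; a comment above the `ica1` line, `// two-level intermediate chain: ca -> ica1 -> ica2; both intermediates are listed in the MSP`, would tie the two together for the next reader. buildConfig's body continues past the end of the -121 hunk into the -134 hunk.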