Commit 5031b0a9 authored by Gregory Haskins

[FAB-3456] cryptogen: Add support for x509 SANs

The "What"
=================
This patch adds support for defining x509 "Subject Alternative
Names" (SAN) (https://en.wikipedia.org/wiki/Subject_Alternative_Name).

This feature allows an x509 to present multiple valid identities.
For example, multiple DNS names representing one key-pair/cert.

By default, all x509s generated are populated with two default
SAN entries: CommonName and Hostname.  Users may extend this with
additional definitions via the template engine.  See "cryptogen
showtemplate" for details.

The "Why"
==================
Peers deployed in certain contexts such as container orchestration
platforms may find certain DNS relationships that can be complex.

For instance, two containers "foo" and "bar" might have FQDNs
"foo.baz.cluster.local" and "bar.baz.cluster.local" within Kubernetes,
just "foo" or "bar" from within the "baz.cluster.local" domain, or
a completely different DNS name if the services are mapped outside
of the Kubernetes platform.  Different schemes may sometimes be easy
to use in one context, and difficult to use in another.  SAN extensions
to x509 mean that we don't have to choose.  We can simply annotate the
x509 for all the valid scenarios while still offering full security.

Fixes FAB-3456

Change-Id: Ie6a3864c5675f51097e0b4348bf05ba8c4ef3870
Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
parent cef4f793
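
The scenario in the commit message, as an added example that is not cryptogen's code or part of this commit: one key pair and certificate that verifies under several DNS names because each is listed as a SAN. The helper names and the external name foo.example.com are constructed for illustration; only the CommonName default is modelled, and Go's verifier matches SAN entries only, which is why the CommonName is repeated there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCertWithSANs (hypothetical helper) self-signs a cert whose SANs are the CommonName plus extras.
func newCertWithSANs(commonName string, extra ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		// The CommonName is copied into the SAN list; hostname checks read SANs, not the CN.
		DNSNames: append([]string{commonName}, extra...),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedNames reports, for each candidate, whether hostname verification passes.
func acceptedNames(cert *x509.Certificate, candidates ...string) map[string]bool {
	out := make(map[string]bool, len(candidates))
	for _, name := range candidates {
		out[name] = cert.VerifyHostname(name) == nil
	}
	return out
}

func main() {
	// Constructed names: in-cluster FQDN, short in-domain name, external mapping.
	cert, err := newCertWithSANs("foo.baz.cluster.local", "foo", "foo.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(acceptedNames(cert, "foo", "foo.baz.cluster.local", "foo.example.com", "bar"))
}
```

A name that is not listed, such as "bar" here, is rejected, so each added SAN widens what the certificate vouches for and should be limited to names the peer actually answers to.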