Commit 74f1a17e authored by Gari Singh's avatar Gari Singh Committed by Gerrit Code Review

Merge "[FAB-4364] [FAB-5352] Support IP SANs in cryptogen"

parents d7884505 b250acad
......@@ -18,6 +18,7 @@ package ca_test
import (
"crypto/ecdsa"
"crypto/x509"
"net"
"os"
"path/filepath"
"testing"
......@@ -31,6 +32,8 @@ const (
testCAName = "root0"
testCA2Name = "root1"
testName = "cert0"
testName2 = "cert1"
testIP = "172.16.10.31"
)
var testDir = filepath.Join(os.TempDir(), "ca-test")
......@@ -85,6 +88,13 @@ func TestGenerateSignCertificate(t *testing.T) {
assert.NoError(t, err, "Failed to generate signed certificate")
assert.Equal(t, 0, len(cert.ExtKeyUsage))
// make sure sans are correctly set
sans := []string{testName2, testIP}
cert, err = rootCA.SignCertificate(certDir, testName, sans, ecPubKey,
x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
assert.Contains(t, cert.DNSNames, testName2)
assert.Contains(t, cert.IPAddresses, net.ParseIP(testIP).To4())
// check to make sure the signed public key was stored
pemFile := filepath.Join(certDir, testName+"-cert.pem")
assert.Equal(t, true, checkForFile(pemFile),
......
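Review bot: The second signing call at `cert, err = rootCA.SignCertificate(certDir, testName, sans, ecPubKey,` reassigns err but never checks it before the assertions dereference cert, so a signing failure would surface as a nil-pointer panic rather than a test failure; add `assert.NoError(t, err, "Failed to generate signed certificate with SANs")` directly after that call. The two Contains assertions only show that the IP landed in IPAddresses; the defect this commit fixes is that an IP used to be written into DNSNames, so `assert.NotContains(t, cert.DNSNames, testIP)` would pin the regression. TestGenerateSignCertificate starts and ends outside this hunk.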
......@@ -23,6 +23,7 @@ import (
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"os"
"time"
......@@ -100,7 +101,15 @@ func (ca *CA) SignCertificate(baseDir, name string, sans []string, pub *ecdsa.Pu
subject.CommonName = name
template.Subject = subject
template.DNSNames = sans
for _, san := range sans {
// try to parse as an IP address first
ip := net.ParseIP(san)
if ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, san)
}
}
cert, err := genCertificateECDSA(baseDir, name, &template, ca.SignCert,
pub, ca.Signer)
......
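Review bot: In the new loop, any value that net.ParseIP rejects — including an empty string — is appended to DNSNames without further validation, so an empty or malformed SAN coming from crypto-config is issued into the certificate as a dNSName; a guard such as `if san == "" { continue }` at the top of the loop drops the obviously bad case cheaply (returning an error would be stricter, but SignCertificate's error path is outside this hunk). The comment `// try to parse as an IP address first` would carry more for a reader as `// net.ParseIP accepts IPv4 and IPv6 text forms; anything else is treated as a DNS name`, making the classification contract visible here rather than only in the YAML sample. SignCertificate begins before and ends after this hunk.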
......@@ -136,8 +136,10 @@ PeerOrgs:
# which obtains its values from the Spec.Hostname and
# Org.Domain, respectively.
# - SANS: (Optional) Specifies one or more Subject Alternative Names
# the be set in the resulting x509. Accepts template
# variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}
# to be set in the resulting x509. Accepts template
# variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}. IP
# addresses provided here will be properly recognized. Other
# values will be taken as DNS names.
# NOTE: Two implicit entries are created for you:
# - {{ .CommonName }}
# - {{ .Hostname }}
......@@ -149,6 +151,7 @@ PeerOrgs:
# - "bar.{{.Domain}}"
# - "altfoo.{{.Domain}}"
# - "{{.Hostname}}.org6.net"
# - 172.16.10.31
# - Hostname: bar
# - Hostname: baz
......