Commit b250acad authored by Tony Yang's avatar Tony Yang

[FAB-4364] [FAB-5352] Support IP SANs in cryptogen



Whatever is listed under SANS in crypto-config.yaml, the current cryptogen logic emits it as a DNS name, so TLS connections fail when the fabric network is addressed by IP addresses instead of host names.

The change proposes to examine the content of SANS, setting them as IP
SANs in the generated certificates if they are IP addresses.

Change-Id: Ie9cbc341ab21ec5966fdabcd48d79a9d05d7b961
Signed-off-by: default avatarTony Yang <tony@arxanfintech.com>
parent e5b46d1c
......@@ -18,6 +18,7 @@ package ca_test
import (
"crypto/ecdsa"
"crypto/x509"
"net"
"os"
"path/filepath"
"testing"
......@@ -31,6 +32,8 @@ const (
testCAName = "root0"
testCA2Name = "root1"
testName = "cert0"
testName2 = "cert1"
testIP = "172.16.10.31"
)
var testDir = filepath.Join(os.TempDir(), "ca-test")
......@@ -85,6 +88,13 @@ func TestGenerateSignCertificate(t *testing.T) {
assert.NoError(t, err, "Failed to generate signed certificate")
assert.Equal(t, 0, len(cert.ExtKeyUsage))
// make sure sans are correctly set
sans := []string{testName2, testIP}
cert, err = rootCA.SignCertificate(certDir, testName, sans, ecPubKey,
x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
assert.Contains(t, cert.DNSNames, testName2)
assert.Contains(t, cert.IPAddresses, net.ParseIP(testIP).To4())
// check to make sure the signed public key was stored
pemFile := filepath.Join(certDir, testName+"-cert.pem")
assert.Equal(t, true, checkForFile(pemFile),
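Review bot: The second SignCertificate call (the `cert, err = rootCA.SignCertificate(certDir, testName, sans, ...)` at the start of the new block) never checks `err`, so on failure `cert` is nil and the `cert.DNSNames` access on the next line panics instead of producing a readable test failure; add `assert.NoError(t, err, "Failed to generate signed certificate with SANs")` before the Contains assertions. The test also only proves the IP ended up in IPAddresses, not that it was kept out of DNSNames, which is the actual behaviour change — `assert.NotContains(t, cert.DNSNames, testIP)` would pin that. TestGenerateSignCertificate begins before and continues after this hunk.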
......
......@@ -23,6 +23,7 @@ import (
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"os"
"time"
......@@ -100,7 +101,15 @@ func (ca *CA) SignCertificate(baseDir, name string, sans []string, pub *ecdsa.Pu
subject.CommonName = name
template.Subject = subject
template.DNSNames = sans
for _, san := range sans {
// try to parse as an IP address first
ip := net.ParseIP(san)
if ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, san)
}
}
cert, err := genCertificateECDSA(baseDir, name, &template, ca.SignCert,
pub, ca.Signer)
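Review bot: The classification in the new loop is silent: any string net.ParseIP rejects (a malformed IP such as "172.16.10.300", or an IP with stray whitespace from the YAML) falls through to the else branch and is emitted as a DNS SAN without any validation or warning, so a typo in an IP produces a certificate that carries a bogus DNS name and fails exactly the way the commit is trying to fix. At minimum the fallthrough should be documented on the else branch, e.g. `// anything net.ParseIP rejects (including malformed IPs) is emitted as a DNS name; no hostname syntax check is done`, and a debug log of which bucket each SAN landed in would make misconfigurations diagnosable. Note that ParseIP accepts both IPv4 and IPv6 literals, so IPv6 SANs are handled here as well, though the test only covers IPv4. SignCertificate's body starts before the first line of this hunk.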
......
......@@ -136,8 +136,10 @@ PeerOrgs:
# which obtains its values from the Spec.Hostname and
# Org.Domain, respectively.
# - SANS: (Optional) Specifies one or more Subject Alternative Names
# the be set in the resulting x509. Accepts template
# variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}
# to be set in the resulting x509. Accepts template
# variables {{.Hostname}}, {{.Domain}}, {{.CommonName}}. IP
# addresses provided here will be properly recognized. Other
# values will be taken as DNS names.
# NOTE: Two implicit entries are created for you:
# - {{ .CommonName }}
# - {{ .Hostname }}
......@@ -149,6 +151,7 @@ PeerOrgs:
# - "bar.{{.Domain}}"
# - "altfoo.{{.Domain}}"
# - "{{.Hostname}}.org6.net"
# - 172.16.10.31
# - Hostname: bar
# - Hostname: baz
......