1. 26 Jul, 2017 1 commit
      [FAB-4364] [FAB-5352] Support IP SANs in cryptogen · b250acad
      Tony Yang authored
      
      
      No matter what is provided as SANS in crypto-config.yaml, current code
      logic of cryptogen takes them as host names, resulting in failed
      communication if fabric network is configured with IP addresses.
      
      The change proposes to examine the content of SANS, setting them as IP
      SANs in the generated certificates if they are IP addresses.
      
      Change-Id: Ie9cbc341ab21ec5966fdabcd48d79a9d05d7b961
      Signed-off-by: Tony Yang <tony@arxanfintech.com>
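As an added illustration (not cryptogen's own code), the classification this commit describes, written in Go against the standard crypto/x509 package: SANS entries are split into IP SANs and DNS SANs, and a throwaway self-signed certificate built the old way and the new way shows why a client dialing a peer by IP address rejected the former. The CN, the SANS list, the key and the validity window are constructed for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// splitSANs is the FAB-4364 classification: SANS entries that parse as IP addresses become IP SANs, the rest stay DNS SANs.
func splitSANs(sans []string) (ips []net.IP, dns []string) {
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			ips = append(ips, ip)
		} else {
			dns = append(dns, s)
		}
	}
	return ips, dns
}

// selfSignedCert builds a throwaway self-signed cert for the given SANs.
// classify=false reproduces the pre-fix behaviour (every entry written as a
// dNSName); classify=true applies the fix. CN and validity are constructed.
func selfSignedCert(sans []string, classify bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer0.org1.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if classify {
		tmpl.IPAddresses, tmpl.DNSNames = splitSANs(sans)
	} else {
		tmpl.DNSNames = sans // old cryptogen logic: IP addresses end up here too
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling `VerifyHostname("10.0.0.5")` on the two certificates is the same check a TLS client performs when it dials the peer by IP: it fails for the pre-fix certificate, which only carries the address as a dNSName, and succeeds once the address is emitted as an IP SAN.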
  2. 22 Jun, 2017 1 commit
      [FAB-4904] Modify peer to use MSP tls structure · ea3528e1
      Gari Singh authored
      
      
      With FAB-4626, the X509 MSP impl now separates
      the root/intermediate certs for signing from the
      root/intermediates used for TLS.  This change modifies
      the peer to use the updated TLS certs rather than the
      signing certs.  The following changes were made:
      
      - Use GetTLSRootCerts and GetTLSIntermediateCerts
      functions provided by the msp impl
      - remove the GetRootCerts and GetIntermediateCerts
      methods from the msp impl
      - modify examples/cluster (includes adding a
      separate TLS CA)
      
      Change-Id: I820b658aac9ca43f766a728f0f9b37194d8c7a7a
      Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
  3. 21 Jun, 2017 1 commit
      [FAB-4903] Use separate CA for TLS certs · ec94ba57
      Gari Singh authored
      
      
      FAB-4626 separates out the trusted roots
      for identity (signing) and for TLS.
      
      cryptogen currently uses the same CA for
      both.  With this change, cryptogen will
      now create the updated MSP structure which
      includes tlscacerts folder and adds support
      for using separate CAs to generate identity
      and TLS certs.
      
      There is a TODO to actually leverage the
      tlsCA but we cannot enable that until
      we get FAB-4626 and this change merged.
      
      Change-Id: I32de28e2489fd8554274b9379c2572945569fc63
      Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
  4. 05 Jun, 2017 1 commit
      [FAB-4351] Add version cmd to cryptogen · e776adc1
      Gari Singh authored
      
      
      We need to print out the version info
      for cryptogen.  This adds a version
      command:  cryptogen version
      
      Note that the metadata package is
      self-contained in case we decide to
      move cryptogen to its own repo in
      the future.
      
      Change-Id: Icce83bb125cd9b8c7b8b6ae534fe330cf151e115
      Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
  5. 28 Apr, 2017 3 commits
      [FAB-3456] cryptogen: Add support for x509 SANs · 5031b0a9
      Gregory Haskins authored
      The "What"
      =================
      This patch adds support for defining x509 "Subject Alternative
      Names" (SAN) (https://en.wikipedia.org/wiki/Subject_Alternative_Name).
      
      This feature allows an x509 to present multiple valid identities.
      For example, multiple DNS names representing one key-pair/cert.
      
      By default, all x509s generated are populated with two default
      SAN entries: CommonName and Hostname.  Users may extend this with
      additional definitions via the template engine.  See "cryptogen
      showtemplate" for details.
      
      The "Why"
      ==================
      Peers deployed in certain contexts such as container orchestration
      platforms may find certain DNS relationships that can be complex.
      
      For instance, two containers "foo" and "bar" might have FQDNs
      "foo.baz.cluster.local" and "bar.baz.cluster.local" within Kubernetes,
      just "foo" or "bar" from within the "baz.cluster.local" domain, or
      a completely different DNS name if the services are mapped outside
      of the Kubernetes platform.  Different schemes may sometimes be easy
      to use in one context, and difficult to use in another.  SAN extensions
      to x509 means that we don't have to choose.  We can simply annotate the
      x509 for all the valid scenarios while still offering full security.
      
      Fixes FAB-3456
      
      Change-Id: Ie6a3864c5675f51097e0b4348bf05ba8c4ef3870
      Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
      [FAB-3455] cryptogen: Use a FQDN for CA artifacts · cef4f793
      Gregory Haskins authored
      
      
      This patch does two primary things:
      
      1) It formulates a real CN for the CA rather than assigning it the
         same name as the organization.  E.g. "ca.example.com" rather than
         "example.com"
      
      2) It adds the ability to override the default ("ca.{{ .Domain }}") using
         the template system.
      
      Fixes FAB-3455
      
      Change-Id: I5c8085e338b5d11e236d517e275a817eb89760a5
      Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
      [FAB-3453] cryptogen: generate tls artifacts · 0d8c255d
      Gregory Haskins authored
      
      
      This patch structures the cryptogen output in a way that
      makes it more directly consumable.  The output for each
      node looks like:
      
      └── peer4.org1
          ├── msp
          │   ├── admincerts
          │   │   └── Admin@org1-cert.pem
          │   ├── cacerts
          │   │   └── org1-cert.pem
          │   ├── keystore
          │   │   └── 0aa7a89070ce8322a4dc3fac2206fa8313b88fb625c70963934714d4129d2897_sk
          │   └── signcerts
          │       └── peer4.org1-cert.pem
          └── tls
              ├── ca.crt
              ├── server.crt
              └── server.key
      
      The notable differences are that we push the msp content down under ./msp, and we
      add the ./tls directory.  The crypto material under tls is simply duplicated
      content from the MSP, as appropriate, to present a consistent layout for
      consumption by the TLS layer.  We also update the default paths in the config
      to be consistent with this layout.
      
      Fixes FAB-3453
      
      Change-Id: I8e149035b92a4758d6c87c03306c08b82687683f
      Signed-off-by: Gregory Haskins <gregory.haskins@gmail.com>
  6. 20 Apr, 2017 1 commit
      [FAB-3259] Make cryptogen output more flexible · 2ec150d4
      Gregory Haskins authored
      
      
      This patch enhances the cryptogen tool by providing a more
      flexible configuration and output operation, based on a
      YAML config file and golang templates.
      
      Summary of changes:
      -------------------------
      
      *) Tool now has two subcommands
         *) "generate" - This takes the role of the previous top-level
                         command.  It gets rid of almost all of the
                         previous command-line switches and replaces them
                         with:
      
             -output: specify the output directory.  defaults to
                      crypto-config
             -config: specify the input configuration file.  defaults to
                      a configuration similar to before (1 orderer, 2 peer
                      orgs, 1 peer/org)
      
         *) "showtemplate" - Prints the built-in default template to
                             standard out, suitable for saving/editing
                             for future "generate" sessions.
      
      *) CommonName outputs are now much more DNS friendly.  For example: we
         now use "peer3.org1.com" in favor of "peerOrg1Peer3".  Users also gain
         total control over the generation of the CommonNames with various
         templating facilities. See "cryptogen showtemplate" for more details.
      
      Change-Id: I5968a794d4469ada8d3b90e112bdfe93e77c9661
      Signed-off-by: Gregory Haskins <gregory.haskins@gmail.com>
  7. 17 Mar, 2017 1 commit
      Enhancements for cryptogen · dfc3077c
      Gari Singh authored
      
      
      Added a few additional features and fixed
      a minor bug
      
      - corrected folder name for orderer orgs to use
      capital "O" to be in line with naming convention used
      elsewhere
      
      - generate an admin user for each org and properly
      populate the admincerts folder for the org MSP
      
      - added new command line flag "-peerOrgUsers" which
      will generate the specified number of users for each
      peer organization
      
      Prior to this change the root certificates generated
      for each org's CA could not be used as TLS server certs.
      This change adds the server auth usage extension to
      those certs.
      
      Change-Id: I949d99468422c6cfd00f83f6faad9c572fc08a03
      Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
  8. 01 Mar, 2017 1 commit
      [FAB-2545] Add tool to create various crypto configs · be91cccd
      Gari Singh authored
      https://jira.hyperledger.org/browse/FAB-2545
      
      
      
      In order to get a test (or even real) system running,
      there is a lot of cryptographic material required:
      - root certificates for CAs (e.g. fabric-ca)
      - MSPs for organizations running peers
      - Local MSPs for peers
      - MSPs for orderer organizations
      - Local MSPs for ordering nodes
      
      This CR adds a tool named "cryptogen" which
      will create these artifacts for you.  It allows
      you to specify the number of peer organizations,
      the number of peers per organization and the
      number of ordering nodes (shims).  It currently
      only creates a single orderer organization.
      
      To run, "./cryptogen" and it will display the
      command line options.
      
      Change-Id: I15f135dc2893f7492566eb8ac5d02b2f4963ccd3
      Signed-off-by: Gari Singh <gari.r.singh@gmail.com>