- 26 Jul, 2017 1 commit
Tony Yang authored

No matter what is provided as SANS in crypto-config.yaml, the current code logic of cryptogen takes them as host names, resulting in failed communication if the fabric network is configured with IP addresses. The change proposes to examine the content of SANS, setting them as IP SANs in the generated certificates if they are IP addresses.

Change-Id: Ie9cbc341ab21ec5966fdabcd48d79a9d05d7b961
Signed-off-by: Tony Yang <tony@arxanfintech.com>
- 22 Jun, 2017 1 commit
Gari Singh authored

With FAB-4626, the X509 MSP impl now separates the root/intermediate certs for signing from the root/intermediates used for TLS. This change modifies the peer to use the updated TLS certs rather than the signing certs.

The following changes were made:
- Use GetTLSRootCerts and GetTLSIntermediateCerts functions provided by the msp impl
- remove the GetRootCerts and GetIntermediateCerts methods from the msp impl
- modify examples/cluster (includes adding a separate TLS CA)

Change-Id: I820b658aac9ca43f766a728f0f9b37194d8c7a7a
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 21 Jun, 2017 1 commit
Gari Singh authored

FAB-4626 separates out the trusted roots for identity (signing) and for TLS. cryptogen currently uses the same CA for both. With this change, cryptogen will now create the updated MSP structure which includes the tlscacerts folder and adds support for using separate CAs to generate identity and TLS certs. There is a TODO to actually leverage the tlsCA, but we cannot enable that until we get FAB-4626 and this change merged.

Change-Id: I32de28e2489fd8554274b9379c2572945569fc63
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 05 Jun, 2017 1 commit
Gari Singh authored

We need to print out the version info for cryptogen. This adds a version command:

    cryptogen version

Note that the metadata package is self-contained in case we decide to move cryptogen to its own repo in the future.

Change-Id: Icce83bb125cd9b8c7b8b6ae534fe330cf151e115
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 28 Apr, 2017 3 commits
Gregory Haskins authored

The "What"
=================

This patch adds support for defining x509 "Subject Alternative Names" (SAN) (https://en.wikipedia.org/wiki/Subject_Alternative_Name). This feature allows an x509 to present multiple valid identities. For example, multiple DNS names representing one key-pair/cert.

By default, all x509s generated are populated with two default SAN entries: CommonName and Hostname. Users may extend this with additional definitions via the template engine. See "cryptogen showtemplate" for details.

The "Why"
==================

Peers deployed in certain contexts such as container orchestration platforms may find certain DNS relationships that can be complex. For instance, two containers "foo" and "bar" might have FQDNs "foo.baz.cluster.local" and "bar.baz.cluster.local" within Kubernetes, just "foo" or "bar" from within the "baz.cluster.local" domain, or a completely different DNS name if the services are mapped outside of the Kubernetes platform. Different schemes may sometimes be easy to use in one context, and difficult to use in another.

SAN extensions to x509 mean that we don't have to choose. We can simply annotate the x509 for all the valid scenarios while still offering full security.

Fixes FAB-3456

Change-Id: Ie6a3864c5675f51097e0b4348bf05ba8c4ef3870
Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
Gregory Haskins authored

This patch does two primary things:

1) It formulates a real CN for the CA rather than assigning it the same name as the organization. E.g. "ca.example.com" rather than "example.com"
2) It adds the ability to override the default ("ca.{{ .Domain }}") using the template system.

Fixes FAB-3455

Change-Id: I5c8085e338b5d11e236d517e275a817eb89760a5
Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
Gregory Haskins authored

This patch structures the cryptogen output in a way that makes it more directly consumable. The output for each node looks like:

    └── peer4.org1
        ├── msp
        │   ├── admincerts
        │   │   └── Admin@org1-cert.pem
        │   ├── cacerts
        │   │   └── org1-cert.pem
        │   ├── keystore
        │   │   └── 0aa7a89070ce8322a4dc3fac2206fa8313b88fb625c70963934714d4129d2897_sk
        │   └── signcerts
        │       └── peer4.org1-cert.pem
        └── tls
            ├── ca.crt
            ├── server.crt
            └── server.key

The notable differences are that we push the msp content down under ./msp, and we add the ./tls directory. The crypto material under tls is simply duplicated content from the MSP, as appropriate, to present a consistent layout for consumption by the TLS layer.

We also update the default paths in the config to be consistent with this layout.

Fixes FAB-3453

Change-Id: I8e149035b92a4758d6c87c03306c08b82687683f
Signed-off-by: Gregory Haskins <gregory.haskins@gmail.com>
- 21 Apr, 2017 1 commit
Gari Singh authored

With the added security features, peers and orderers need to have admin certs in their local MSPs. Cryptogen generates certs for admin users but was not placing them in the MSP folder for each of the peer and orderer nodes.

Change-Id: I6151a2b5d103c4caf38fa636f596674af87ab49f
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 20 Apr, 2017 1 commit
Gregory Haskins authored

This patch enhances the cryptogen tool by providing a more flexible configuration and output operation, based on a YAML config file and golang templates.

Summary of changes:
-------------------------

*) Tool now has two subcommands

*) "generate" - This takes the role of the previous top-level command. It gets rid of almost all of the previous command-line switches and replaces them with:
   -output: specify the output directory. defaults to crypto-config
   -config: specify the input configuration file. defaults to a configuration similar to before (1 orderer, 2 peer orgs, 1 peer/org)

*) "showtemplate" - Prints the built-in default template to standard out, suitable for saving/editing for future "generate" sessions.

*) CommonName outputs are now much more DNS friendly. For example: we now use "peer3.org1.com" in favor of "peerOrg1Peer3". Users also gain total control over the generation of the CommonNames with various templating facilities. See "cryptogen showtemplate" for more details.

Change-Id: I5968a794d4469ada8d3b90e112bdfe93e77c9661
Signed-off-by: Gregory Haskins <gregory.haskins@gmail.com>
- 17 Apr, 2017 1 commit
Keith Smith authored

See [FAB-3098]. This adds the -peerOrgNames option to allow naming of the org names, and the -ordererOrgName option to allow naming of a single orderer org. For example:

    cryptogen -peerOrgNames A,B -ordererOrgName O

Change-Id: I7207a37524bcda5f045a2aa08227e726615b051f
Signed-off-by: Keith Smith <bksmith@us.ibm.com>
- 17 Mar, 2017 1 commit
Gari Singh authored

Added a few additional features and fixed a minor bug:
- corrected folder name for orderer orgs to use capital "O" to be in line with naming convention used elsewhere
- generate an admin user for each org and properly populate the admincerts folder for the org MSP
- added new command line flag "-peerOrgUsers" which will generate the specified number of users for each peer organization

Prior to this change the root certificates generated for each org's CA could not be used as TLS server certs. This change adds the server auth usage extension to those certs.

Change-Id: I949d99468422c6cfd00f83f6faad9c572fc08a03
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 02 Mar, 2017 1 commit
Gari Singh authored

Was accidentally using numPeerOrgs rather than numPeers.

Change-Id: I9aedd144b5b17eb7816abad80472e3e68e0df18c
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
- 01 Mar, 2017 1 commit
Gari Singh authored

https://jira.hyperledger.org/browse/FAB-2545

In order to get a test (or even real) system running, there is a lot of cryptographic material required:
- root certificates for CAs (e.g. fabric-ca)
- MSPs for organizations running peers
- Local MSPs for peers
- MSPs for orderer organizations
- Local MSPs for ordering nodes

This CR adds a tool named "cryptogen" which will create these artifacts for you. It allows you to specify the number of peer organizations, the number of peers per organization and the number of ordering nodes (shims). It currently only creates a single orderer organization.

To run, "./cryptogen" and it will display the command line options.

Change-Id: I15f135dc2893f7492566eb8ac5d02b2f4963ccd3
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>