[FAB-4626] Solution 1 implementation

This change-set implements solution 1) as
described in FAB-4626.
This change-set only touches the MSP part.

Change-Id: Iff72a77d65472ceb7dd52b819e5c7811946a0abc
Signed-off-by: Angelo De Caro <[email protected]>

Author: adecaro

common/mocks/msp/noopmsp.go

@@ -61,6 +61,16 @@ func (msp *noopmsp) GetIntermediateCerts() []m.Identity {
 	return nil
 }
 
+// GetTLSRootCerts returns the root certificates for this MSP
+func (msp *noopmsp) GetTLSRootCerts() [][]byte {
+	return nil
+}
+
+// GetTLSIntermediateCerts returns the intermediate root certificates for this MSP
+func (msp *noopmsp) GetTLSIntermediateCerts() [][]byte {
+	return nil
+}
+
 func (msp *noopmsp) DeserializeIdentity(serializedID []byte) (m.Identity, error) {
 	id, _ := newNoopIdentity()
 	return id, nil

docs/source/msp.rst

@@ -61,6 +61,12 @@ verification. These parameters are deduced by
 - A list of certificate revocation lists (CRLs) each corresponding to
   exactly one of the listed (intermediate or root) MSP Certificate
   Authorities; this is an optional parameter
+- A list of self-signed (X.509) certificates to constitute the *TLS root of
+  trust* for TLS certificate.
+- A list of X.509 certificates to represent intermediate TLS CAs this provider
+  considers; these certificates ought to be
+  certified by exactly one of the certificates in the TLS root of trust;
+  intermediate CAs are optional parameters.
 
 *Valid*  identities for this MSP instance are required to satisfy the following conditions:
 
@@ -82,6 +88,10 @@ specify:
 - The node's X.509 certificate, that is a valid identity under the
   verification parameters of this MSP
 
+It is important to note that MSP identities never expire, they can only be revoked
+by adding them the appropriate CRLs. In addition, for TLS certificates,
+fabric does not offer support for revocation.
+
 How to generate MSP certificates and their signing keys?
 --------------------------------------------------------
 
@@ -120,6 +130,10 @@ and a file:
 6. a folder ``keystore`` to include a PEM file with the node's signing key
 7. a folder ``signcerts`` to include a PEM file with the node's X.509
    certificate
+8. (optional) a folder ``tlscacerts`` to include PEM files each corresponding to a TLS root
+   CA's certificate
+9. (optional) a folder ``tlsintermediatecerts`` to include PEM files each
+   corresponding to an intermediate TLS CA's certificate
 
 In the configuration file of the node (core.yaml file for the peer, and
 orderer.yaml for the orderer), one needs to specify the path to the
@@ -286,5 +300,13 @@ considered for that MSP's identity validation:
 In the current MSP implementation we only support method (1) as it is simpler
 and does not require blacklisting the no longer considered intermediate CA.
 
+**5) CAs and TLS CAs
+
+MSP identities' root CAs and MSP TLS certificates' root CAs (and relative intermediate CAs)
+need to be declared in different folders. This is to avoid confusion between
+different classes of certificates. Fabric does not forbid to reuse the same
+CAs for both MSP identities and TLS certificates but best practices suggest
+to avoid this in production.
+
 .. Licensed under Creative Commons Attribution 4.0 International License
    https://creativecommons.org/licenses/by/4.0/

msp/cert_test.go

@@ -104,21 +104,21 @@ func TestCertExpiration(t *testing.T) {
 	_, cert := generateSelfSignedCert(t, time.Now().Add(24*time.Hour))
 	msp.opts.Roots = x509.NewCertPool()
 	msp.opts.Roots.AddCert(cert)
-	_, err := msp.getUniqueValidationChain(cert)
+	_, err := msp.getUniqueValidationChain(cert, msp.getValidityOptsForCert(cert))
 	assert.NoError(t, err)
 
 	// Certificate is in the past
 	_, cert = generateSelfSignedCert(t, time.Now().Add(-24*time.Hour))
 	msp.opts.Roots = x509.NewCertPool()
 	msp.opts.Roots.AddCert(cert)
-	_, err = msp.getUniqueValidationChain(cert)
+	_, err = msp.getUniqueValidationChain(cert, msp.getValidityOptsForCert(cert))
 	assert.NoError(t, err)
 
 	// Certificate is in the middle
 	_, cert = generateSelfSignedCert(t, time.Now())
 	msp.opts.Roots = x509.NewCertPool()
 	msp.opts.Roots.AddCert(cert)
-	_, err = msp.getUniqueValidationChain(cert)
+	_, err = msp.getUniqueValidationChain(cert, msp.getValidityOptsForCert(cert))
 	assert.NoError(t, err)
 }
 

msp/configbuilder.go

@@ -100,13 +100,15 @@ func getPemMaterialFromDir(dir string) ([][]byte, error) {
 }
 
 const (
-	cacerts           = "cacerts"
-	admincerts        = "admincerts"
-	signcerts         = "signcerts"
-	keystore          = "keystore"
-	intermediatecerts = "intermediatecerts"
-	crlsfolder        = "crls"
-	configfilename    = "config.yaml"
+	cacerts              = "cacerts"
+	admincerts           = "admincerts"
+	signcerts            = "signcerts"
+	keystore             = "keystore"
+	intermediatecerts    = "intermediatecerts"
+	crlsfolder           = "crls"
+	configfilename       = "config.yaml"
+	tlscacerts           = "tlscacerts"
+	tlsintermediatecerts = "tlsintermediatecerts"
 )
 
 func SetupBCCSPKeystoreConfig(bccspConfig *factory.FactoryOpts, keystoreDir string) *factory.FactoryOpts {
@@ -166,6 +168,8 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 	intermediatecertsDir := filepath.Join(dir, intermediatecerts)
 	crlsDir := filepath.Join(dir, crlsfolder)
 	configFile := filepath.Join(dir, configfilename)
+	tlscacertDir := filepath.Join(dir, tlscacerts)
+	tlsintermediatecertsDir := filepath.Join(dir, tlsintermediatecerts)
 
 	cacerts, err := getPemMaterialFromDir(cacertDir)
 	if err != nil || len(cacerts) == 0 {
@@ -177,18 +181,35 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 		return nil, fmt.Errorf("Could not load a valid admin certificate from directory %s, err %s", admincertDir, err)
 	}
 
-	intermediatecert, err := getPemMaterialFromDir(intermediatecertsDir)
+	intermediatecerts, err := getPemMaterialFromDir(intermediatecertsDir)
 	if os.IsNotExist(err) {
-		mspLogger.Infof("intermediate certs folder not found at [%s]. Skipping.: [%s]", intermediatecertsDir, err)
+		mspLogger.Warningf("Intermediate certs folder not found at [%s]. Skipping. [%s]", intermediatecertsDir, err)
 	} else if err != nil {
 		return nil, fmt.Errorf("Failed loading intermediate ca certs at [%s]: [%s]", intermediatecertsDir, err)
 	}
 
+	tlsCACerts, err := getPemMaterialFromDir(tlscacertDir)
+	tlsIntermediateCerts := [][]byte{}
+	if os.IsNotExist(err) {
+		mspLogger.Warningf("TLS CA certs folder not found at [%s]. Skipping and ignoring TLS intermediate CA folder. [%s]", tlsintermediatecertsDir, err)
+	} else if err != nil {
+		return nil, fmt.Errorf("Failed loading TLS ca certs at [%s]: [%s]", tlsintermediatecertsDir, err)
+	} else if len(tlsCACerts) != 0 {
+		tlsIntermediateCerts, err = getPemMaterialFromDir(tlsintermediatecertsDir)
+		if os.IsNotExist(err) {
+			mspLogger.Warningf("TLS intermediate certs folder not found at [%s]. Skipping. [%s]", tlsintermediatecertsDir, err)
+		} else if err != nil {
+			return nil, fmt.Errorf("Failed loading TLS intermediate ca certs at [%s]: [%s]", tlsintermediatecertsDir, err)
+		}
+	} else {
+		mspLogger.Warningf("TLS CA certs folder at [%s] is empty. Skipping.", tlsintermediatecertsDir)
+	}
+
 	crls, err := getPemMaterialFromDir(crlsDir)
 	if os.IsNotExist(err) {
-		mspLogger.Infof("crls folder not found at [%s]. Skipping.: [%s]", intermediatecertsDir, err)
+		mspLogger.Warningf("crls folder not found at [%s]. Skipping. [%s]", crlsDir, err)
 	} else if err != nil {
-		return nil, fmt.Errorf("Failed loading crls ca certs at [%s]: [%s]", intermediatecertsDir, err)
+		return nil, fmt.Errorf("Failed loading crls at [%s]: [%s]", crlsDir, err)
 	}
 
 	// Load configuration file
@@ -239,12 +260,15 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 	fmspconf := &msp.FabricMSPConfig{
 		Admins:            admincert,
 		RootCerts:         cacerts,
-		IntermediateCerts: intermediatecert,
+		IntermediateCerts: intermediatecerts,
 		SigningIdentity:   sigid,
 		Name:              ID,
 		OrganizationalUnitIdentifiers: ouis,
 		RevocationList:                crls,
-		CryptoConfig:                  cryptoConfig}
+		CryptoConfig:                  cryptoConfig,
+		TlsRootCerts:                  tlsCACerts,
+		TlsIntermediateCerts:          tlsIntermediateCerts,
+	}
 
 	fmpsjs, _ := proto.Marshal(fmspconf)
 

msp/msp.go

@@ -92,6 +92,12 @@ type MSP interface {
 	// GetIntermediateCerts returns the intermediate root certificates for this MSP
 	GetIntermediateCerts() []Identity
 
+	// GetTLSRootCerts returns the TLS root certificates for this MSP
+	GetTLSRootCerts() [][]byte
+
+	// GetTLSIntermediateCerts returns the TLS intermediate root certificates for this MSP
+	GetTLSIntermediateCerts() [][]byte
+
 	// Validate checks whether the supplied identity is valid
 	Validate(id Identity) error
 

msp/msp_test.go

@@ -122,8 +122,8 @@ func TestMSPSetupNoCryptoConf(t *testing.T) {
 func TestGetters(t *testing.T) {
 	typ := localMsp.GetType()
 	assert.Equal(t, typ, FABRIC)
-	assert.NotNil(t, localMsp.GetRootCerts())
-	assert.NotNil(t, localMsp.GetIntermediateCerts())
+	assert.NotNil(t, localMsp.GetTLSRootCerts())
+	assert.NotNil(t, localMsp.GetTLSIntermediateCerts())
 }
 
 func TestMSPSetupBad(t *testing.T) {