hyperledger
diff --git a/‎common/tools/cryptogen/ca/ca_test.go
+93 b/‎common/tools/cryptogen/ca/ca_test.go
+93
diff --git a/‎common/tools/cryptogen/ca/generator.go
+181 b/‎common/tools/cryptogen/ca/generator.go
+181
diff --git a/‎common/tools/cryptogen/csp/csp.go
+79 b/‎common/tools/cryptogen/csp/csp.go
+79
@@ -0,0 +1,93 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package ca_test
+
+import (
+	"crypto/x509"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/hyperledger/fabric/common/tools/cryptogen/ca"
+	"github.com/hyperledger/fabric/common/tools/cryptogen/csp"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	testCAName  = "root0"
+	testCA2Name = "root1"
+	testName    = "cert0"
+)
+
+var testDir = filepath.Join(os.TempDir(), "ca-test")
+
+func TestNewCA(t *testing.T) {
+
+	caDir := filepath.Join(testDir, "ca")
+	rootCA, err := ca.NewCA(caDir, testCAName)
+	assert.NoError(t, err, "Error generating CA")
+	assert.NotNil(t, rootCA, "Failed to return CA")
+	assert.NotNil(t, rootCA.Signer,
+		"rootCA.Signer should not be empty")
+	assert.IsType(t, &x509.Certificate{}, rootCA.SignCert,
+		"rootCA.SignCert should be type x509.Certificate")
+
+	// check to make sure the root public key was stored
+	pemFile := filepath.Join(caDir, testCAName+"-cert.pem")
+	assert.Equal(t, true, checkForFile(pemFile),
+		"Expected to find file "+pemFile)
+	cleanup(testDir)
+
+}
+
+func TestGenerateSignedCertificate(t *testing.T) {
+
+	caDir := filepath.Join(testDir, "ca")
+	certDir := filepath.Join(testDir, "certs")
+	// generate private key
+	priv, _, err := csp.GeneratePrivateKey(certDir)
+	assert.NoError(t, err, "Failed to generate signed certificate")
+
+	// get EC public key
+	ecPubKey, err := csp.GetECPublicKey(priv)
+	assert.NoError(t, err, "Failed to generate signed certificate")
+	assert.NotNil(t, ecPubKey, "Failed to generate signed certificate")
+
+	// create our CA
+	rootCA, err := ca.NewCA(caDir, testCA2Name)
+	assert.NoError(t, err, "Error generating CA")
+
+	err = rootCA.SignCertificate(certDir, testName, ecPubKey)
+	assert.NoError(t, err, "Failed to generate signed certificate")
+
+	// check to make sure the signed public key was stored
+	pemFile := filepath.Join(certDir, testName+"-cert.pem")
+	assert.Equal(t, true, checkForFile(pemFile),
+		"Expected to find file "+pemFile)
+	cleanup(testDir)
+
+}
+
+func cleanup(dir string) {
+	os.RemoveAll(dir)
+}
+
+func checkForFile(file string) bool {
+	if _, err := os.Stat(file); os.IsNotExist(err) {
+		return false
+	}
+	return true
+}
@@ -0,0 +1,181 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package ca
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"time"
+
+	"path/filepath"
+
+	"github.com/hyperledger/fabric/common/tools/cryptogen/csp"
+)
+
+type CA struct {
+	Name string
+	//SignKey  *ecdsa.PrivateKey
+	Signer   crypto.Signer
+	SignCert *x509.Certificate
+}
+
+// NewCA creates an instance of CA and saves the signing key pair in
+// baseDir/name
+func NewCA(baseDir, name string) (*CA, error) {
+
+	err := os.MkdirAll(baseDir, 0755)
+	if err != nil {
+		return nil, err
+	}
+
+	//key, err := genKeyECDSA(caDir, name)
+	priv, signer, err := csp.GeneratePrivateKey(baseDir)
+	// get public signing certificate
+	ecPubKey, err := csp.GetECPublicKey(priv)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := x509Template()
+
+	if err != nil {
+		return nil, err
+	}
+
+	//this is a CA
+	template.IsCA = true
+	template.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
+	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+
+	//set the organization for the subject
+	subject := subjectTemplate()
+	subject.Organization = []string{name}
+	subject.CommonName = name
+
+	template.Subject = subject
+	template.SubjectKeyId = priv.SKI()
+
+	x509Cert, err := genCertificateECDSA(baseDir, name, &template, &template,
+		ecPubKey, signer)
+
+	if err != nil {
+		return nil, err
+	}
+
+	ca := &CA{
+		Name:     name,
+		Signer:   signer,
+		SignCert: x509Cert,
+	}
+
+	return ca, nil
+}
+
+// SignCertificate creates a signed certificate based on a built-in template
+// and saves it in baseDir/name
+func (ca *CA) SignCertificate(baseDir, name string, pub *ecdsa.PublicKey) error {
+
+	template, err := x509Template()
+
+	if err != nil {
+		return err
+	}
+
+	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+
+	//set the organization for the subject
+	subject := subjectTemplate()
+	subject.CommonName = name
+
+	template.Subject = subject
+
+	_, err = genCertificateECDSA(baseDir, name, &template, ca.SignCert,
+		pub, ca.Signer)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// default template for X509 subject
+func subjectTemplate() pkix.Name {
+	return pkix.Name{
+		Country:  []string{"US"},
+		Locality: []string{"San Francisco"},
+		Province: []string{"California"},
+	}
+}
+
+// default template for X509 certificates
+func x509Template() (x509.Certificate, error) {
+
+	//generate a serial number
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return x509.Certificate{}, err
+	}
+
+	now := time.Now()
+	//basic template to use
+	x509 := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             now,
+		NotAfter:              now.Add(3650 * 24 * time.Hour), //~ten years
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		BasicConstraintsValid: true,
+	}
+	return x509, nil
+
+}
+
+// generate a signed X509 certficate using ECDSA
+func genCertificateECDSA(baseDir, name string, template, parent *x509.Certificate, pub *ecdsa.PublicKey,
+	priv interface{}) (*x509.Certificate, error) {
+
+	//create the x509 public cert
+	certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
+	if err != nil {
+		return nil, err
+	}
+
+	//write cert out to file
+	fileName := filepath.Join(baseDir, name+"-cert.pem")
+	certFile, err := os.Create(fileName)
+	if err != nil {
+		return nil, err
+	}
+	//pem encode the cert
+	err = pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
+	certFile.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	x509Cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, err
+	}
+	return x509Cert, nil
+}
@@ -0,0 +1,79 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package csp
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/factory"
+	"github.com/hyperledger/fabric/bccsp/signer"
+	"github.com/hyperledger/fabric/bccsp/sw"
+)
+
+// GeneratePrivateKey creates a private key and stores it in keystorePath
+func GeneratePrivateKey(keystorePath string) (bccsp.Key,
+	crypto.Signer, error) {
+
+	csp := factory.GetDefault()
+
+	// generate a key
+	priv, err := csp.KeyGen(&bccsp.ECDSAP256KeyGenOpts{Temporary: true})
+	if err != nil {
+		return nil, nil, err
+	}
+	// write it to the keystore
+	ks, err := sw.NewFileBasedKeyStore(nil, keystorePath, false)
+	if err != nil {
+		return nil, nil, err
+	}
+	err = ks.StoreKey(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// create a crypto.Signer
+	signer := &signer.CryptoSigner{}
+	err = signer.Init(csp, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return priv, signer, nil
+
+}
+
+func GetECPublicKey(priv bccsp.Key) (*ecdsa.PublicKey, error) {
+
+	// get the public key
+	pubKey, err := priv.PublicKey()
+	if err != nil {
+		return nil, err
+	}
+	// marshal to bytes
+	pubKeyBytes, err := pubKey.Bytes()
+	if err != nil {
+		return nil, err
+	}
+	// unmarshal using pkix
+	ecPubKey, err := x509.ParsePKIXPublicKey(pubKeyBytes)
+	if err != nil {
+		return nil, err
+	}
+	return ecPubKey.(*ecdsa.PublicKey), nil
+}