[FAB-3455] cryptogen: Use a FQDN for CA artifacts

This patch does two primary things:

1) It formulates a real CN for the CA rather than assigning it the
   same name as the organiazation.  E.g. "ca.example.com" rather than
   "example.com"

2) It adds the ability to override the default ("ca.{{ .Domain }}") using
   the template system.

Fixes FAB-3455

Change-Id: I5c8085e338b5d11e236d517e275a817eb89760a5
Signed-off-by: Greg Haskins <[email protected]>

Author: ghaskins

common/tools/cryptogen/ca/ca_test.go

@@ -38,7 +38,7 @@ var testDir = filepath.Join(os.TempDir(), "ca-test")
 func TestNewCA(t *testing.T) {
 
 	caDir := filepath.Join(testDir, "ca")
-	rootCA, err := ca.NewCA(caDir, testCAName)
+	rootCA, err := ca.NewCA(caDir, testCAName, testCAName)
 	assert.NoError(t, err, "Error generating CA")
 	assert.NotNil(t, rootCA, "Failed to return CA")
 	assert.NotNil(t, rootCA.Signer,
@@ -68,7 +68,7 @@ func TestGenerateSignCertificate(t *testing.T) {
 	assert.NotNil(t, ecPubKey, "Failed to generate signed certificate")
 
 	// create our CA
-	rootCA, err := ca.NewCA(caDir, testCA2Name)
+	rootCA, err := ca.NewCA(caDir, testCA2Name, testCA2Name)
 	assert.NoError(t, err, "Error generating CA")
 
 	_, err = rootCA.SignCertificate(certDir, testName, ecPubKey)

common/tools/cryptogen/ca/generator.go

@@ -40,7 +40,7 @@ type CA struct {
 
 // NewCA creates an instance of CA and saves the signing key pair in
 // baseDir/name
-func NewCA(baseDir, name string) (*CA, error) {
+func NewCA(baseDir, org, name string) (*CA, error) {
 
 	var response error
 	var ca *CA
@@ -62,7 +62,7 @@ func NewCA(baseDir, name string) (*CA, error) {
 
 				//set the organization for the subject
 				subject := subjectTemplate()
-				subject.Organization = []string{name}
+				subject.Organization = []string{org}
 				subject.CommonName = name
 
 				template.Subject = subject

common/tools/cryptogen/main.go

@@ -70,6 +70,7 @@ type UsersSpec struct {
 type OrgSpec struct {
 	Name     string       `yaml:"Name"`
 	Domain   string       `yaml:"Domain"`
+	CA       NodeSpec     `yaml:"CA"`
 	Template NodeTemplate `yaml:"Template"`
 	Specs    []NodeSpec   `yaml:"Specs"`
 	Users    UsersSpec    `yaml:"Users"`
@@ -107,6 +108,15 @@ PeerOrgs:
   - Name: Org1
     Domain: org1.example.com
 
+    # ---------------------------------------------------------------------------
+    # "CA"
+    # ---------------------------------------------------------------------------
+    # Uncomment this section to enable the explicit definition of the CA for this
+    # organization.  This entry is a Spec.  See "Specs" section below for details.
+    # ---------------------------------------------------------------------------
+    # CA:
+    #    Hostname: ca # implicitly ca.org1.example.com
+
     # ---------------------------------------------------------------------------
     # "Specs"
     # ---------------------------------------------------------------------------
@@ -263,6 +273,15 @@ func parseTemplate(input, defaultInput string, data interface{}) (string, error)
 	return output.String(), nil
 }
 
+func renderCN(domain string, spec NodeSpec) (string, error) {
+	data := CommonNameData{
+		Hostname: spec.Hostname,
+		Domain:   domain,
+	}
+
+	return parseTemplate(spec.CommonName, defaultCNTemplate, data)
+}
+
 func generateNodeSpec(orgSpec *OrgSpec, prefix string) error {
 	// First process all of our templated nodes
 	for i := 0; i < orgSpec.Template.Count; i++ {
@@ -281,21 +300,26 @@ func generateNodeSpec(orgSpec *OrgSpec, prefix string) error {
 		orgSpec.Specs = append(orgSpec.Specs, spec)
 	}
 
-	// And finally touch up all specs to add the domain
+	// Touch up all general node-specs to add the domain
 	for idx, spec := range orgSpec.Specs {
-		data := CommonNameData{
-			Hostname: spec.Hostname,
-			Domain:   orgSpec.Domain,
-		}
-
-		finalCN, err := parseTemplate(spec.CommonName, defaultCNTemplate, data)
+		finalCN, err := renderCN(orgSpec.Domain, spec)
 		if err != nil {
 			return err
 		}
 
 		orgSpec.Specs[idx].CommonName = finalCN
 	}
 
+	// Process the CA node-spec in the same manner
+	if len(orgSpec.CA.Hostname) == 0 {
+		orgSpec.CA.Hostname = "ca"
+	}
+	finalCN, err := renderCN(orgSpec.Domain, orgSpec.CA)
+	if err != nil {
+		return err
+	}
+	orgSpec.CA.CommonName = finalCN
+
 	return nil
 }
 
@@ -311,7 +335,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 	peersDir := filepath.Join(orgDir, "peers")
 	usersDir := filepath.Join(orgDir, "users")
 	adminCertsDir := filepath.Join(mspDir, "admincerts")
-	rootCA, err := ca.NewCA(caDir, orgName)
+	rootCA, err := ca.NewCA(caDir, orgName, orgSpec.CA.CommonName)
 	if err != nil {
 		fmt.Printf("Error generating CA for org %s:\n%v\n", orgName, err)
 		os.Exit(1)
@@ -407,7 +431,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 	orderersDir := filepath.Join(orgDir, "orderers")
 	usersDir := filepath.Join(orgDir, "users")
 	adminCertsDir := filepath.Join(mspDir, "admincerts")
-	rootCA, err := ca.NewCA(caDir, orgName)
+	rootCA, err := ca.NewCA(caDir, orgName, orgSpec.CA.CommonName)
 	if err != nil {
 		fmt.Printf("Error generating CA for org %s:\n%v\n", orgName, err)
 		os.Exit(1)

common/tools/cryptogen/msp/msp_test.go

@@ -27,7 +27,8 @@ import (
 )
 
 const (
-	testCAName = "root0"
+	testCAOrg  = "example.com"
+	testCAName = "ca" + "." + testCAOrg
 	testName   = "peer0"
 )
 
@@ -42,7 +43,7 @@ func TestGenerateLocalMSP(t *testing.T) {
 
 	caDir := filepath.Join(testDir, "ca")
 	mspDir := filepath.Join(testDir, "msp")
-	rootCA, err := ca.NewCA(caDir, testCAName)
+	rootCA, err := ca.NewCA(caDir, testCAOrg, testCAName)
 	assert.NoError(t, err, "Error generating CA")
 	err = msp.GenerateLocalMSP(testDir, testName, rootCA)
 	assert.NoError(t, err, "Failed to generate local MSP")
@@ -80,7 +81,7 @@ func TestGenerateVerifyingMSP(t *testing.T) {
 
 	caDir := filepath.Join(testDir, "ca")
 	mspDir := filepath.Join(testDir, "msp")
-	rootCA, err := ca.NewCA(caDir, testCAName)
+	rootCA, err := ca.NewCA(caDir, testCAOrg, testCAName)
 	assert.NoError(t, err, "Failed to create new CA")
 
 	err = msp.GenerateVerifyingMSP(mspDir, rootCA)