[FAB-4904] Modify peer to use MSP tls structure

With FAB-4626, the X509 MSP impl now separates
the root/intermediate certs for signing from the
root/intermediates used for TLS.  This change modifies
the peer to use the updated TLS certs rather than the
signing certs.  The following changes were made:

- Use GetTLSRootCerts and GetTLSIntermediateCerts
functions provided by the msp impl
- remove the GetRootCerts and GetIntermediateCerts
methods from the msp impl
- modify examples/cluster (includes adding a
separate TLS CA)

Change-Id: I820b658aac9ca43f766a728f0f9b37194d8c7a7a
Signed-off-by: Gari Singh <[email protected]>

Author: mastersingh24

common/tools/cryptogen/main.go

@@ -401,8 +401,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 		fmt.Printf("Error generating tlsCA for org %s:\n%v\n", orgName, err)
 		os.Exit(1)
 	}
-	// TODO remove the following line once MSP and peer changes are done
-	tlsCA = signCA
+
 	err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA)
 	if err != nil {
 		fmt.Printf("Error generating MSP for org %s:\n%v\n", orgName, err)
@@ -505,8 +504,7 @@ func generateOrdererOrg(baseDir string, orgSpec OrgSpec) {
 		fmt.Printf("Error generating tlsCA for org %s:\n%v\n", orgName, err)
 		os.Exit(1)
 	}
-	// TODO remove the following line once MSP and peer changes are done
-	tlsCA = signCA
+
 	err = msp.GenerateVerifyingMSP(mspDir, signCA, tlsCA)
 	if err != nil {
 		fmt.Printf("Error generating MSP for org %s:\n%v\n", orgName, err)

core/peer/peer.go

@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-		 http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package peer
@@ -22,7 +12,6 @@ import (
 	"net"
 	"sync"
 
-	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/common/config"
 	"github.com/hyperledger/fabric/common/configtx"
 	configtxapi "github.com/hyperledger/fabric/common/configtx/api"
@@ -41,7 +30,6 @@ import (
 	"github.com/hyperledger/fabric/msp"
 	mspmgmt "github.com/hyperledger/fabric/msp/mgmt"
 	"github.com/hyperledger/fabric/protos/common"
-	mspprotos "github.com/hyperledger/fabric/protos/msp"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"github.com/hyperledger/fabric/protos/utils"
 	"github.com/spf13/viper"
@@ -394,7 +382,6 @@ func buildTrustedRootsForChain(cm configtxapi.Manager) {
 	appRootCAs := [][]byte{}
 	ordererRootCAs := [][]byte{}
 	appOrgMSPs := make(map[string]struct{})
-
 	ac, ok := cm.ApplicationConfig()
 	if ok {
 		//loop through app orgs and build map of MSPIDs
@@ -413,38 +400,24 @@ func buildTrustedRootsForChain(cm configtxapi.Manager) {
 		for k, v := range msps {
 			// check to see if this is a FABRIC MSP
 			if v.GetType() == msp.FABRIC {
-				for _, root := range v.GetRootCerts() {
-					sid, err := root.Serialize()
-					if err == nil {
-						id := &mspprotos.SerializedIdentity{}
-						err = proto.Unmarshal(sid, id)
-						if err == nil {
-							// check to see of this is an app org MSP
-							if _, ok := appOrgMSPs[k]; ok {
-								peerLogger.Debugf("adding app root CAs for MSP [%s]", k)
-								appRootCAs = append(appRootCAs, id.IdBytes)
-							} else {
-								peerLogger.Debugf("adding orderer root CAs for MSP [%s]", k)
-								ordererRootCAs = append(ordererRootCAs, id.IdBytes)
-							}
-						}
+				for _, root := range v.GetTLSRootCerts() {
+					// check to see of this is an app org MSP
+					if _, ok := appOrgMSPs[k]; ok {
+						peerLogger.Debugf("adding app root CAs for MSP [%s]", k)
+						appRootCAs = append(appRootCAs, root)
+					} else {
+						peerLogger.Debugf("adding orderer root CAs for MSP [%s]", k)
+						ordererRootCAs = append(ordererRootCAs, root)
 					}
 				}
-				for _, intermediate := range v.GetIntermediateCerts() {
-					sid, err := intermediate.Serialize()
-					if err == nil {
-						id := &mspprotos.SerializedIdentity{}
-						err = proto.Unmarshal(sid, id)
-						if err == nil {
-							// check to see of this is an app org MSP
-							if _, ok := appOrgMSPs[k]; ok {
-								peerLogger.Debugf("adding app root CAs for MSP [%s]", k)
-								appRootCAs = append(appRootCAs, id.IdBytes)
-							} else {
-								peerLogger.Debugf("adding orderer root CAs for MSP [%s]", k)
-								ordererRootCAs = append(ordererRootCAs, id.IdBytes)
-							}
-						}
+				for _, intermediate := range v.GetTLSIntermediateCerts() {
+					// check to see of this is an app org MSP
+					if _, ok := appOrgMSPs[k]; ok {
+						peerLogger.Debugf("adding app root CAs for MSP [%s]", k)
+						appRootCAs = append(appRootCAs, intermediate)
+					} else {
+						peerLogger.Debugf("adding orderer root CAs for MSP [%s]", k)
+						ordererRootCAs = append(ordererRootCAs, intermediate)
 					}
 				}
 			}

core/peer/pkg_test.go

@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-		 http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package peer_test
@@ -96,13 +86,14 @@ func invokeEmptyCall(address string, dialOptions []grpc.DialOption) (*testpb.Emp
 }
 
 // helper function to build an MSPConfig given root certs
-func createMSPConfig(rootCerts, intermediateCerts [][]byte,
+func createMSPConfig(rootCerts, tlsRootCerts, tlsIntermediateCerts [][]byte,
 	mspID string) (*mspproto.MSPConfig, error) {
 
 	fmspconf := &mspproto.FabricMSPConfig{
-		RootCerts:         rootCerts,
-		IntermediateCerts: intermediateCerts,
-		Name:              mspID}
+		RootCerts:            rootCerts,
+		TlsRootCerts:         tlsRootCerts,
+		TlsIntermediateCerts: tlsIntermediateCerts,
+		Name:                 mspID}
 
 	fmpsjs, err := proto.Marshal(fmspconf)
 	if err != nil {
@@ -147,12 +138,14 @@ func TestUpdateRootsFromConfigBlock(t *testing.T) {
 	}
 
 	// create test MSPConfigs
-	org1MSPConf, err := createMSPConfig([][]byte{org1CA}, [][]byte{}, "Org1MSP")
-	org2MSPConf, err := createMSPConfig([][]byte{org2CA}, [][]byte{}, "Org2MSP")
-	org2IntermediateMSPConf, err := createMSPConfig([][]byte{org2CA},
-		[][]byte{org2IntermediateCA}, "Org2IntermediateMSP")
-	ordererOrgMSPConf, err := createMSPConfig([][]byte{ordererOrgCA},
-		[][]byte{}, "OrdererOrgMSP")
+	org1MSPConf, err := createMSPConfig([][]byte{org2CA}, [][]byte{org1CA},
+		[][]byte{}, "Org1MSP")
+	org2MSPConf, err := createMSPConfig([][]byte{org1CA}, [][]byte{org2CA},
+		[][]byte{}, "Org2MSP")
+	org2IntermediateMSPConf, err := createMSPConfig([][]byte{org1CA},
+		[][]byte{org2CA}, [][]byte{org2IntermediateCA}, "Org2IntermediateMSP")
+	ordererOrgMSPConf, err := createMSPConfig([][]byte{org1CA},
+		[][]byte{ordererOrgCA}, [][]byte{}, "OrdererOrgMSP")
 	if err != nil {
 		t.Fatalf("Failed to create MSPConfigs (%s)", err)
 	}

examples/cluster/Makefile

@@ -7,6 +7,7 @@ NODES += $(PEERS)
 NODES += orderer
 NODES += cli
 NODES += ca
+NODES += tlsca
 
 DAEMONS = $(filter-out cli,$(NODES))
 
@@ -17,6 +18,7 @@ ORDERER_ORG = $(CRYPTOOUTPUT)/ordererOrganizations/orderer.net
 PEER_ORG= $(CRYPTOOUTPUT)/peerOrganizations/org1.net
 
 CA_PATH = $(PEER_ORG)/ca
+TLSCA_PATH= $(PEER_ORG)/tlsca
 ORDERER_PATH = $(ORDERER_ORG)/orderers
 PEER_PATH = $(PEER_ORG)/peers
 USERS_PATH = $(PEER_ORG)/users
@@ -106,8 +108,15 @@ build/nodes/ca: build/nodes/ca/fabric-ca-server-config.yaml
 	cp $(CA_PATH)/*_sk $@/ca.key
 	cp $(CA_PATH)/*.pem $@/ca.crt
 
+build/nodes/tlsca: build/nodes/tlsca/fabric-tlsca-server-config.yaml
+	@mkdir -p $@
+	cp $(TLSCA_PATH)/*_sk $@/ca.key
+	cp $(TLSCA_PATH)/*.pem $@/ca.crt
+	mv $@/fabric-tlsca-server-config.yaml $@/fabric-ca-server-config.yaml
+
 build/nodes/%: build/nodes/%/msp build/nodes/%/configtx.yaml build/nodes/%/core.yaml
 	@echo "Built $@"
 
 clean: compose-down
 	rm -rf build
+	rm $(CHANNEL_NAME).block

examples/cluster/compose/docker-compose.yaml

@@ -21,6 +21,17 @@ services:
     volumes:
       - ../build/nodes/ca:/etc/hyperledger/fabric-ca-server
 
+  tlsca:
+    container_name: tlsca
+    image: hyperledger/fabric-ca
+    dns_search: .
+    environment:
+      - FABRIC_CA_SERVER_TLS_ENABLED=${TLS_ENABLED}
+    logging:
+      <<: *logging
+    volumes:
+      - ../build/nodes/tlsca:/etc/hyperledger/fabric-ca-server
+
   orderer:
     container_name: orderer
     image: hyperledger/fabric-orderer

examples/cluster/compose/report-env.sh

@@ -59,7 +59,7 @@ includefile() {
     prefix=$2
 
     echo "|"
-    
+
     while IFS= read -r line; do
         printf '%s%s\n' "$prefix" "$line"
     done < "$file"
@@ -77,7 +77,11 @@ cat <<EOF > $CONFIG
 #
 ca:
         url: $(http "ca" "7054")
-        certificate: $(includefile build/nodes/cli/tls/ca.crt "              ")
+        certificate: $(includefile build/nodes/ca/ca.crt "              ")
+
+tlsca:
+        url: $(http "tlsca" "7054")
+        certificate: $(includefile build/nodes/tlsca/ca.crt "              ")
 
 orderer:
         url:  $(grpc "orderer" "7050")

examples/cluster/config/fabric-ca-server-config.yaml

@@ -101,7 +101,7 @@ ca:
 registry:
   # Maximum number of times a password/secret can be reused for enrollment
   # (default: 0, which means there is no limit)
-  maxEnrollments: 0
+  maxEnrollments: -1
 
   # Contains identity information which is used when LDAP is disabled
   identities: