
Commit 46e09a4

add user signing keys (#310)
* add user signing keys Signed-off-by: May.Buzaglo <[email protected]> * re-org user dir Signed-off-by: May.Buzaglo <[email protected]> --------- Signed-off-by: May.Buzaglo <[email protected]>
1 parent f49187a commit 46e09a4


3 files changed

+111
-33
lines changed

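--- a/common/tools/armageddon/armageddon.go
+++ b/common/tools/armageddon/armageddon.go
@@ -347,8 +347,8 @@ func generateConfigAndCrypto(genConfigFile **os.File, outputDir *string, sampleC
 }
 
 for i := range sharedConfig.PartiesConfig {
-userTLSPrivateKeyPath := filepath.Join(*outputDir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", i+1), "users", "user-key.pem")
-userTLSCertPath := filepath.Join(*outputDir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", i+1), "users", "user-tls-cert.pem")
+userTLSPrivateKeyPath := filepath.Join(*outputDir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", i+1), "users", "user", "tls", "user-key.pem")
+userTLSCertPath := filepath.Join(*outputDir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", i+1), "users", "user", "tls", "user-tls-cert.pem")
 
 userConfig, err := NewUserConfig(userTLSPrivateKeyPath, userTLSCertPath, tlsCACertsBytesPartiesCollection, networkConfig)
 if err != nil {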
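Review bot: The `users/user/tls` layout is now spelled out as literal path segments in several places at once — here on lines 350–351, in cryptogen.go's createUserTLSCertKeyPair and createUserSignCertAndPrivateKey, in generateOrdererOrg, and again in armageddon_test.go — so any later change to the user directory has to be repeated in each file and the generator and its consumer can silently drift apart. A single helper in cryptogen.go that returns the per-org user directory for a given org index, called from both the generator and this consumer, would keep the layout in one place. generateConfigAndCrypto starts and ends outside the hunk.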

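--- a/common/tools/armageddon/armageddon_test.go
+++ b/common/tools/armageddon/armageddon_test.go
@@ -577,13 +577,50 @@ func checkCryptoDir(outputDir string) error {
 
 // check users dir
 usersDir := filepath.Join(orgDir, "users")
-files, err := os.ReadDir(usersDir)
+if _, err := os.Stat(usersDir); os.IsNotExist(err) {
+return fmt.Errorf("missing directory: %s\n", usersDir)
+}
+users, err := os.ReadDir(usersDir)
 if err != nil {
 return fmt.Errorf("error reading directory %s\n", usersDir)
 }
-for _, file := range files {
-if !strings.HasSuffix(file.Name(), ".pem") {
-return fmt.Errorf("error reading %s files, suffix file is not pem\n", filepath.Join(orgDir, usersDir))
+for _, user := range users {
+userMSPPath := filepath.Join(orgDir, "users", user.Name(), "msp")
+if _, err := os.Stat(userMSPPath); os.IsNotExist(err) {
+return fmt.Errorf("missing directory: %s\n", userMSPPath)
+}
+
+requiredMSPSubDirs := []string{"cacerts", "intermediatecerts", "admincerts", "keystore", "signcerts", "tlscacerts", "tlsintermediatecerts"}
+for _, mspSubDir := range requiredMSPSubDirs {
+mspSubDirPath := filepath.Join(userMSPPath, mspSubDir)
+if _, err := os.Stat(mspSubDirPath); os.IsNotExist(err) {
+return fmt.Errorf("missing directory: %s\n", mspSubDirPath)
+}
+if mspSubDir == "keystore" || mspSubDir == "signcerts" {
+files, err := os.ReadDir(mspSubDirPath)
+if err != nil {
+return fmt.Errorf("error reading directory %s\n", mspSubDirPath)
+}
+for _, file := range files {
+if !strings.HasSuffix(file.Name(), ".pem") && !strings.Contains(file.Name(), "priv_sk") {
+return fmt.Errorf("error reading %s files, expect pem files or file name priv_sk \n", mspSubDirPath)
+}
+}
+}
+}
+
+userTLSPath := filepath.Join(orgDir, "users", user.Name(), "tls")
+if _, err := os.Stat(userTLSPath); os.IsNotExist(err) {
+return fmt.Errorf("missing directory: %s\n", userTLSPath)
+}
+files, err := os.ReadDir(userTLSPath)
+if err != nil {
+return fmt.Errorf("error reading directory %s\n", userTLSPath)
+}
+for _, file := range files {
+if !strings.HasSuffix(file.Name(), ".pem") {
+return fmt.Errorf("error reading %s files, suffix file is not pem\n", userTLSPath)
+}
 }
 }
 
@@ -616,7 +653,7 @@ func checkCryptoDir(outputDir string) error {
 return fmt.Errorf("missing directory: %s\n", mspSubDirPath)
 }
 if mspSubDir == "keystore" || mspSubDir == "signcerts" {
-files, err = os.ReadDir(mspSubDirPath)
+files, err := os.ReadDir(mspSubDirPath)
 if err != nil {
 return fmt.Errorf("error reading directory %s\n", mspSubDirPath)
 }
@@ -632,7 +669,7 @@ func checkCryptoDir(outputDir string) error {
 if _, err := os.Stat(tlsPath); os.IsNotExist(err) {
 return fmt.Errorf("missing directory: %s\n", tlsPath)
 }
-files, err = os.ReadDir(tlsPath)
+files, err := os.ReadDir(tlsPath)
 if err != nil {
 return fmt.Errorf("error reading directory %s\n", tlsPath)
 }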
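Review bot: The new keystore/signcerts checks on lines 599–608 only reject unexpected file names, so an empty keystore or signcerts directory still passes and the test would not notice the generator never writing the user's signing material, which is the very thing this commit adds. After the ReadDir on line 600, assert presence as well, e.g. `if len(files) == 0 { return fmt.Errorf("no key material in %s\n", mspSubDirPath) }`, and for keystore specifically that an entry named `priv_sk` exists, since that is the file name cryptogen.go writes. The per-MSP sub-directory walk added here duplicates the one already used for orderer nodes in the hunk at line 653; lifting it into a `checkMSPDir(mspPath string) error` helper shared by both would keep the two checks from diverging. checkCryptoDir starts and ends outside these hunks.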

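--- a/common/tools/armageddon/cryptogen.go
+++ b/common/tools/armageddon/cryptogen.go
@@ -45,29 +45,39 @@ const (
 // dir
 // └── crypto
 //
-// └── ordererOrganizations
-// └── org{partyID}
-// ├── ca
-// ├── tlsca
-// ├── orderers
-// │ └── party{partyID}
-// │ ├── router
-// │ │ ├── tls
-// │ │ └── msp
-// │ │ ├── cacerts
-// │ │ ├── intermediatecerts
-// │ │ ├── admincerts (ignored)
-// │ │ ├── keystore
-// │ │ ├── signcerts
-// │ │ ├── tlscacerts
-// │ │ └── tlsintermediatecerts
-// │ ├── batcher1
-// │ ├── batcher2
-// │ ├── ...
-// │ ├── batcher{shards}
-// │ ├── consenter
-// │ └── assembler
-// └── users
+// └── ordererOrganizations
+// └── org{partyID}
+// ├── ca
+// ├── tlsca
+// ├── orderers
+// │ └── party{partyID}
+// │ ├── router
+// │ │ ├── tls
+// │ │ └── msp
+// │ │ ├── cacerts
+// │ │ ├── intermediatecerts
+// │ │ ├── admincerts (ignored)
+// │ │ ├── keystore
+// │ │ ├── signcerts
+// │ │ ├── tlscacerts
+// │ │ └── tlsintermediatecerts
+// │ ├── batcher1
+// │ ├── batcher2
+// │ ├── ...
+// │ ├── batcher{shards}
+// │ ├── consenter
+// │ └── assembler
+// └── users
+// └── user (admin, orderer loadgen)
+// ├── tls
+// └── msp
+// ├── cacerts
+// ├── intermediatecerts
+// ├── admincerts (ignored)
+// ├── keystore
+// ├── signcerts
+// ├── tlscacerts
+// └── tlsintermediatecerts
 func GenerateCryptoConfig(networkConfig *genconfig.Network, outputDir string) error {
 // create folder structure for the crypto files
 err := generateNetworkCryptoConfigFolderStructure(outputDir, networkConfig)
@@ -182,6 +192,12 @@ func createNetworkCryptoMaterial(dir string, network *genconfig.Network) error {
 if err != nil {
 return err
 }
+
+// signing crypto to user
+err = createUserSignCertAndPrivateKey(signCA, dir, party.ID, nil)
+if err != nil {
+return err
+}
 }
 return nil
 }
@@ -245,11 +261,11 @@ func createUserTLSCertKeyPair(ca *ca.CA, dir string, partyID types.PartyID, node
 return fmt.Errorf("err: %s, failed marshaling private key for user for party %d", err, partyID)
 }
 
-ca.SignCertificate(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users"), "user-tls", nil, nodesIPs, getPublicKey(privateKey), x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{
+ca.SignCertificate(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users", "user", "tls"), "user-tls", nil, nodesIPs, getPublicKey(privateKey), x509.KeyUsageKeyEncipherment|x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{
 x509.ExtKeyUsageClientAuth,
 x509.ExtKeyUsageServerAuth,
 })
-err = writePEMToFile(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users", "user-key.pem"), "PRIVATE KEY", privateKeyBytes)
+err = writePEMToFile(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users", "user", "tls", "user-key.pem"), "PRIVATE KEY", privateKeyBytes)
 if err != nil {
 return err
 }
@@ -276,6 +292,25 @@ func createSignCertAndPrivateKeyForNode(ca *ca.CA, dir string, endpoint string,
 return nil
 }
 
+// createUserSignCertAndPrivateKey creates for user a signed certificate with a corresponding private key used for signing and write them into files.
+func createUserSignCertAndPrivateKey(ca *ca.CA, dir string, partyID types.PartyID, nodesIPs []string) error {
+privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+if err != nil {
+return fmt.Errorf("err: %s, failed creating private key for user of party %d", err, partyID)
+}
+privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+if err != nil {
+return fmt.Errorf("err: %s, failed marshaling private key for user of party %d", err, partyID)
+}
+
+ca.SignCertificate(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users", "user", "msp", "signcerts"), "sign", nil, nodesIPs, getPublicKey(privateKey), x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{})
+err = writePEMToFile(filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", partyID), "users", "user", "msp", "keystore", "priv_sk"), "PRIVATE KEY", privateKeyBytes)
+if err != nil {
+return err
+}
+return nil
+}
+
 // generateNetworkCryptoConfigFolderStructure creates folders where the crypto material is written to.
 func generateNetworkCryptoConfigFolderStructure(dir string, network *genconfig.Network) error {
 var folders []string
@@ -333,6 +368,12 @@ func generateOrdererOrg(rootDir string, folders []string, partyID int, shards in
 }
 
 folders = append(folders, filepath.Join(orgDir, "users"))
+userMSPPath := filepath.Join(orgDir, "users", "user", "msp")
+folders = append(folders, userMSPPath)
+for _, subDir := range mspSubDirs {
+folders = append(folders, filepath.Join(userMSPPath, subDir))
+}
+folders = append(folders, filepath.Join(orgDir, "users", "user", "tls"))
 
 return folders
 }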
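Review bot: The result of `ca.SignCertificate` on line 306 is discarded, so if signing or writing the user's certificate fails the function still writes `keystore/priv_sk` and returns nil, leaving a private key with no matching certificate and no error for createNetworkCryptoMaterial to act on; if SignCertificate reports an error (as the Fabric cryptogen CA helper it resembles does), capture it: `if _, err := ca.SignCertificate(...); err != nil { return fmt.Errorf("err: %s, failed signing certificate for user of party %d", err, partyID) }`. The pre-existing call on line 264 has the same unchecked pattern and could be fixed alongside. The `nodesIPs` parameter of the new function is only ever passed nil from line 197 and a signing (non-TLS) certificate carries no host identity, so it could be dropped rather than forwarded as a SAN list. The file mode the signing key at `keystore/priv_sk` ends up with is decided in writePEMToFile, outside this diff; worth confirming it is owner-only, since this key authenticates the admin/loadgen user.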
