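#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# FVT: intermediate CA chain test.
#
# For each database driver in the loop at the bottom, start one root
# fabric-ca-server and NUMINTCAS intermediate servers, then check that
#   * an extra intermediate cannot be initialised beneath a CA whose
#     pathlen is 0 (the server log must record the policy violation),
#   * `getcacert` against every intermediate returns a bundle holding the
#     root CA cert and the intermediate's own cert,
#   * enroll / register / reenroll work against every intermediate.
#
# Required environment: GOPATH (locates fabric-ca_utils and the pki helper).
# Optional: TESTCASE, FABRIC_TLS=true (TLS towards clients, parent CA and DB).
# pollFabricCa, ErrorExit, ErrorMsg, CleanUp, CA_DEFAULT_PORT, FABRIC_CA_DATA,
# TLS_BUNDLE, PGSSLCERT, PGSSLKEY and CA_CFG_PATH are not defined in this
# file; they are expected from the sourced fabric-ca_utils.
#
# Credentials such as admin:adminpw and intermediateCa<i>pw are fixed test
# fixtures for throw-away servers on loopback; they appear on the command
# line and in server logs, so they must never be reused for anything else.

: "${TESTCASE:="intermediateca-test"}"
TDIR=/tmp/$TESTCASE          # value visible to fabric-ca_utils while it is sourced
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
TESTDATA="$FABRIC_CA/testdata"
. "$SCRIPTDIR/fabric-ca_utils"

# NOTE(review): the original re-assigned TDIR to this literal after sourcing
# the utils, discarding the TESTCASE-derived value above. Kept as-is so the
# on-disk paths used by the test do not change.
TDIR=/tmp/intermediateca-tests
TLSDIR="$TDIR/tls"
PROTO="http://"              # switched to https:// by setTLS when FABRIC_TLS=true
ROOT_CA_ADDR=localhost
CA_PORT=7054                 # not referenced in this file; possibly read by sourced helpers
NUMINTCAS=8
MAXENROLL=$((2 * NUMINTCAS))
RC=0                         # final exit status; presumably updated by ErrorMsg/ErrorExit

#######################################
# Whether TLS was requested for this run.
# Globals:  FABRIC_TLS (read; "true" enables TLS, anything else disables)
# Returns:  0 when TLS is enabled, 1 otherwise
#######################################
tls_enabled() {
  [[ "${FABRIC_TLS:-false}" == "true" ]]
}

#######################################
# Generate the TLS PKI used when FABRIC_TLS=true: a root TLS CA, a
# subordinate TLS CA and one end-entity TLS cert per CA server
# (NUMINTCAS intermediates plus the extra "failing" CA).
# Globals:  TLSDIR, SCRIPTDIR, NUMINTCAS (read); HOME (changed, then restored)
# Outputs:  $TLSDIR/rootTlsCa-*, subTlsCa-*, intFabCaTls<i>-*, tlsroots.pem
#######################################
setupTLScerts() {
  local oldhome=$HOME
  local i
  local -r subject_base="/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT"
  local -r key_usage="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign"
  local -r ext_key_usage="serverAuth,clientAuth,codeSigning,emailProtection,timeStamping"

  rm -rf -- "${TLSDIR:?}"
  mkdir -p -- "$TLSDIR"
  rm -rf /tmp/CAs "$TLSDIR"/rootTlsCa* "$TLSDIR"/subTlsCa*
  # The pki helper is run with HOME pointed at TLSDIR; HOME is restored below.
  export HOME="$TLSDIR"

  # Root TLS CA
  "$SCRIPTDIR/utils/pki" -f newca -a rootTlsCa -t ec -l 256 -d sha256 \
    -n "${subject_base}/CN=localhost/" -S "IP:127.0.0.1,DNS:localhost" \
    -K "$key_usage" \
    -E "$ext_key_usage" \
    -e 20370101000000Z -s 20160101000000Z -p rootTlsCa- >/dev/null 2>&1

  # Sub TLS CA
  "$SCRIPTDIR/utils/pki" -f newsub -b subTlsCa -a rootTlsCa -t ec -l 256 -d sha256 \
    -n "${subject_base}/CN=subTlsCa/" -S "IP:127.0.0.1" \
    -K "$key_usage" \
    -E "$ext_key_usage" \
    -e 20370101000000Z -s 20160101000000Z -p subTlsCa- >/dev/null 2>&1

  # EE TLS certs: one per intermediate plus one for the failing CA
  for ((i = 1; i <= NUMINTCAS + 1; i++)); do
    rm -rf -- "$TLSDIR/intFabCaTls${i}"*
    # the here-doc answers the helper's two interactive prompts with "y"
    "$SCRIPTDIR/utils/pki" -f newcert -a subTlsCa -t ec -l 256 -d sha512 \
      -n "${subject_base}/CN=intFabCaTls${i}/" -S "IP:127.0.${i}.1" \
      -K "$key_usage" \
      -E "$ext_key_usage" \
      -e 20370101000000Z -s 20160101000000Z -p intFabCaTls${i}- >/dev/null 2>&1 <<EOF
y
y
EOF
  done

  cat "$TLSDIR/rootTlsCa-cert.pem" "$TLSDIR/subTlsCa-cert.pem" > "$TLSDIR/tlsroots.pem"
  HOME=$oldhome
}

#######################################
# Initialise and start the root CA server in the background.
# Globals:  TDIR, TLSDIR, SCRIPTDIR, ROOT_CA_ADDR, MAXENROLL, CA_DEFAULT_PORT,
#           FABRIC_CA_DATA, TLS_BUNDLE, PGSSLCERT, PGSSLKEY (read);
#           driver (read; set by the driver loop at the bottom of the file)
# Outputs:  server log in $TDIR/root/server.log
# Returns:  status of pollFabricCa (non-zero if the server never came up)
#######################################
createRootCA() {
  local -a tlsopts=()
  if tls_enabled; then
    tlsopts=(--tls.enabled
      --tls.certfile "$TLSDIR/rootTlsCa-cert.pem"
      --tls.keyfile "$TLSDIR/rootTlsCa-key.pem"
      --db.tls.certfiles "$FABRIC_CA_DATA/$TLS_BUNDLE"
      --db.tls.client.certfile "$PGSSLCERT"
      --db.tls.client.keyfile "$PGSSLKEY")
  fi
  mkdir -p -- "$TDIR/root"
  "$SCRIPTDIR/fabric-ca_setup.sh" -I -x "$TDIR/root" -d "$driver" -m "$MAXENROLL" -a
  FABRIC_CA_SERVER_HOME="$TDIR/root" fabric-ca-server start \
    --csr.hosts "$ROOT_CA_ADDR" --address "$ROOT_CA_ADDR" \
    "${tlsopts[@]}" -c "$TDIR/root/runFabricCaFvt.yaml" -d 2>&1 |
    tee "$TDIR/root/server.log" &
  pollFabricCa fabric-ca-server "$ROOT_CA_ADDR" "$CA_DEFAULT_PORT"
}

#######################################
# Fill the global array INT_TLS_OPTS with the server-side, DB and
# parent-facing TLS flags for intermediate CA number $1. The array is left
# empty when TLS is disabled.
# Globals:  TLSDIR, FABRIC_CA_DATA, TLS_BUNDLE, PGSSLCERT, PGSSLKEY (read)
#           INT_TLS_OPTS (written)
# Arguments: $1 - intermediate CA index
#######################################
intTlsOpts() {
  local n=$1
  INT_TLS_OPTS=()
  tls_enabled || return 0
  INT_TLS_OPTS=(--tls.enabled --tls.certfile "$TLSDIR/intFabCaTls${n}-cert.pem"
    --tls.keyfile "$TLSDIR/intFabCaTls${n}-key.pem"
    --db.tls.certfiles "$FABRIC_CA_DATA/$TLS_BUNDLE"
    --db.tls.client.certfile "$PGSSLCERT"
    --db.tls.client.keyfile "$PGSSLKEY"
    --intermediate.tls.certfiles "$TLSDIR/tlsroots.pem"
    --intermediate.tls.client.certfile "$TLSDIR/intFabCaTls${n}-cert.pem"
    --intermediate.tls.client.keyfile "$TLSDIR/intFabCaTls${n}-key.pem")
}

#######################################
# Start NUMINTCAS intermediate CA servers (127.0.<i>.1) in the background,
# each enrolling with the root CA, then wait for all of them to answer.
# Globals:  TDIR, NUMINTCAS, PROTO, ROOT_CA_ADDR, CA_DEFAULT_PORT (read)
#           INT_TLS_OPTS (written via intTlsOpts)
# Outputs:  server logs in $TDIR/int<i>/server.log
# Returns:  status of the last pollFabricCa
#######################################
createIntCA() {
  local i addr
  for ((i = 1; i <= NUMINTCAS; i++)); do
    mkdir -p -- "$TDIR/int${i}"
    cp -- "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${i}/runFabricCaFvt.yaml"
    intTlsOpts "$i"
    addr=127.0.${i}.1
    FABRIC_CA_SERVER_HOME="$TDIR/int${i}" fabric-ca-server start \
      --csr.hosts "$addr" -c "$TDIR/int${i}/runFabricCaFvt.yaml" \
      --address "$addr" "${INT_TLS_OPTS[@]}" -b admin:adminpw \
      -u "${PROTO}intermediateCa${i}:intermediateCa${i}pw@${ROOT_CA_ADDR}:${CA_DEFAULT_PORT}" -d 2>&1 |
      tee "$TDIR/int${i}/server.log" &
  done
  for ((i = 1; i <= NUMINTCAS; i++)); do
    pollFabricCa "" "127.0.${i}.1" "$CA_DEFAULT_PORT"
  done
}

#######################################
# Negative test: try to initialise one more intermediate CA beneath the
# last intermediate (whose pathlen is 0). The init is expected to be
# rejected by the parent.
# Globals:  TDIR, NUMINTCAS, PROTO, CA_DEFAULT_PORT (read)
#           INT_TLS_OPTS (written via intTlsOpts)
# Outputs:  $TDIR/int<NUMINTCAS+1>/server.log
# Returns:  0 when the init was rejected, 1 when it unexpectedly succeeded
#######################################
createFailingCA() {
  local last=$((NUMINTCAS + 1))
  # Parent is the last intermediate started by createIntCA. The original
  # reached it through the ADDR variable left over from that function.
  local parent_addr=127.0.${NUMINTCAS}.1
  mkdir -p -- "$TDIR/int${last}"
  cp -- "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${last}/runFabricCaFvt.yaml"
  intTlsOpts "$last"
  FABRIC_CA_SERVER_HOME="$TDIR/int${last}" fabric-ca-server init \
    --csr.hosts "127.0.${last}.1" -c "$TDIR/int${last}/runFabricCaFvt.yaml" \
    --address "127.0.${last}.1" "${INT_TLS_OPTS[@]}" -b admin:adminpw \
    -u "${PROTO}intermediateCa${last}:intermediateCa${last}pw@${parent_addr}:${CA_DEFAULT_PORT}" -d 2>&1 |
    tee "$TDIR/int${last}/server.log"
  # PIPESTATUS[0] is the server's status, not tee's; success is the failure case.
  if [[ "${PIPESTATUS[0]}" -eq 0 ]]; then
    return 1
  fi
  return 0
}

#######################################
# Enroll the bootstrap admin against every intermediate CA.
# Globals:  TDIR, TLSDIR, NUMINTCAS, MAXENROLL, PROTO, CA_DEFAULT_PORT (read)
# Outputs:  client material under $TDIR/int<i>/admin/
# Returns:  number of failed enrollments (0 on success)
#######################################
enrollUser() {
  local failures=0
  local i addr
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=127.0.${i}.1
    /usr/local/bin/fabric-ca-client enroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/admin/enroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts admin@fab-client.raleigh.ibm.com \
      --csr.hosts "admin.fabric.raleigh.ibm.com,127.42.42.${i}" ||
      failures=$((failures + 1))
  done
  return "$failures"
}

#######################################
# Fetch the CA cert bundle from every intermediate CA and check that the
# client wrote it to the expected location.
# Globals:  TDIR, TLSDIR, NUMINTCAS, PROTO, CA_DEFAULT_PORT (read)
#           FABRIC_CA_CLIENT_HOME (exported; NOTE(review): the export
#           outlives this function, as in the original — confirm later
#           client calls do not depend on it)
# Returns:  0 on success, 1 when a bundle file is missing
#######################################
getCaCert() {
  local i addr intDir caCertFile
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=127.0.${i}.1
    export FABRIC_CA_CLIENT_HOME="$TDIR/int${i}"
    # location and filename of the returned cert bundle
    intDir="$TDIR/int${i}/msp/cacerts"
    caCertFile="${addr//./-}-${CA_DEFAULT_PORT}.pem"

    /usr/local/bin/fabric-ca-client getcacert \
      -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      --tls.certfiles "$TLSDIR/tlsroots.pem"
    # if the file didn't get created, fail
    if [[ ! -f "$intDir/$caCertFile" ]]; then
      echo "Failed to get cacert"
      return 1
    fi
  done
  return 0
}

#######################################
# Verify each fetched bundle carries the root CA cert (CN fabric-ca-server)
# and the intermediate's own cert (CN intermediateCa<i>). With blank lines
# dropped, the subject/issuer lines printed by openssl are expected in the
# order: root subject, root issuer, intermediate subject, intermediate issuer.
# Globals:  TDIR, NUMINTCAS, CA_DEFAULT_PORT (read)
# Returns:  0 when every bundle matches, 1 otherwise
#######################################
verifyCaCert() {
  local i addr intDir caCertFile
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=127.0.${i}.1
    # the location and filename of the returned cert bundle
    intDir="$TDIR/int${i}/msp/cacerts"
    caCertFile="${addr//./-}-${CA_DEFAULT_PORT}.pem"
    # The pipeline's status is awk's; the original stored awk's result only
    # inside awk and tested an untouched shell variable, so it never failed.
    if ! openssl crl2pkcs7 -nocrl -certfile "$intDir/$caCertFile" |
        openssl pkcs7 -print_certs -noout | sed '/^[[:blank:]]*$/d' |
        awk -F'=' \
          -v want_sub="intermediateCa${i}" \
          -v want_root="fabric-ca-server" '
          BEGIN { bad = 0 }
          { cn = $NF; sub(/^[[:blank:]]+/, "", cn) }   # tolerate "CN = x" spacing
          NR==1 || NR==2 || NR==4 { if (cn != want_root) bad += 1 }
          NR==3 { if (cn != want_sub) bad += 1 }
          END { exit bad }'; then
      echo "CA cert bundle $intDir/$caCertFile does not contain the correct certificates"
      return 1
    fi
  done
  return 0
}

#######################################
# Register user<i> with each intermediate CA as admin, then enroll that
# user with the password the server handed back.
# Globals:  TDIR, TLSDIR, NUMINTCAS, MAXENROLL, PROTO, CA_DEFAULT_PORT (read)
# Outputs:  client material under $TDIR/int<i>/user<i>/
# Returns:  number of failed enrollments (0 on success)
#######################################
registerAndEnrollUser() {
  local failures=0
  local i addr pswd
  for ((i = 1; i <= NUMINTCAS; i++)); do
    # The original never set the address in this loop and so registered
    # every user with whichever CA the previous function last contacted.
    addr=127.0.${i}.1
    # the password is the last word of the register command's last line
    pswd=$(/usr/local/bin/fabric-ca-client register \
      -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      --id.name "user${i}" \
      --id.type user \
      --id.maxenrollments "$MAXENROLL" \
      --id.affiliation org1 \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      -c "$TDIR/int${i}/register.yaml" | tail -n1 | awk '{print $NF}')
    /usr/local/bin/fabric-ca-client enroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}user${i}:${pswd}@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/user${i}/enroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts "user${i}@fab-client.raleigh.ibm.com" \
      --csr.hosts "user${i}.fabric.raleigh.ibm.com,127.37.37.${i}" ||
      failures=$((failures + 1))
  done
  return "$failures"
}

#######################################
# Reenroll the admin identity against every intermediate CA.
# Globals:  TDIR, TLSDIR, NUMINTCAS, MAXENROLL, PROTO, CA_DEFAULT_PORT (read)
# Returns:  number of failed reenrollments (0 on success)
#######################################
reenrollUser() {
  local failures=0
  local i addr
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=127.0.${i}.1
    /usr/local/bin/fabric-ca-client reenroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/admin/reenroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts admin@fab-client.raleigh.ibm.com \
      --csr.hosts "admin.fabric.raleigh.ibm.com,127.42.42.${i}" ||
      failures=$((failures + 1))
  done
  return "$failures"
}

#######################################
# Default FABRIC_TLS to "false"; when it is "true", build the TLS PKI and
# switch the client URLs to https.
# Globals:  FABRIC_TLS (read/defaulted), PROTO (written)
#######################################
setTLS() {
  : "${FABRIC_TLS:="false"}"
  if tls_enabled; then
    setupTLScerts
    PROTO="https://"
  fi
}

#######################################
# Derive the intermediate CA config from the root config: pathlen 0 and
# no pre-set cert/key file so each intermediate enrolls for its own.
# Globals:  TDIR (read)
# Outputs:  $TDIR/intFabricCaFvt.yaml
#######################################
genIntCAConfig() {
  cp -- "$TDIR/root/runFabricCaFvt.yaml" "$TDIR/intFabricCaFvt.yaml"
  # GNU sed -i form (as in the original); BSD sed needs -i ''
  sed -i "s@\(^[[:blank:]]*maxpathlen: \).*@\1 0@
s@\(^[[:blank:]]*pathlength: \).*@\1 0@
s@\(^[[:blank:]]*certfile:\).*.pem@\1@
s@\(^[[:blank:]]*keyfile:\).*.pem@\1@" "$TDIR/intFabricCaFvt.yaml"
}

### Start Test ###
for driver in postgres mysql; do
  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$TDIR/root" -D -d "$driver"
  rm -rf -- "${TDIR:?}"

  # if ENV FABRIC_TLS=true, use TLS
  setTLS

  createRootCA || ErrorExit "Failed to create root CA"

  # using the root config as a template, modify pathlen and cert/key
  genIntCAConfig

  createIntCA || ErrorExit "Failed to create $NUMINTCAS intermediate CAs"

  # Attempt to enroll with an intermediate CA with pathlen 0 should fail;
  # the rejection must also be visible in the failing CA's own log.
  # (The original located this log via the loop counter left behind by
  # createIntCA, which happened to equal NUMINTCAS+1.)
  createFailingCA || ErrorMsg "Intermediate CA enroll should have failed"
  grep "Policy violation request" "$TDIR/int$((NUMINTCAS + 1))/server.log" ||
    ErrorMsg "Policy violation request not found in response"

  # roundrobin through all intermediate servers and grab the cacert
  getCaCert || ErrorExit "Failed to getCaCert(s)"

  # roundrobin through all intermediate servers and verify each bundle
  verifyCaCert || ErrorExit "Failed to verify CaCert(s)"

  # roundrobin through all intermediate servers and enroll a user
  for iter in {0..1}; do
    enrollUser || ErrorMsg "Failed to enroll users"
  done

  # NOTE(review): the result of this step is not checked, as in the
  # original; confirm it is expected to pass before wiring it to ErrorMsg.
  registerAndEnrollUser

  # roundrobin through all intermediate servers and reenroll same user
  for iter in {0..1}; do
    reenrollUser || ErrorMsg "Failed to reenroll users"
  done

  "$SCRIPTDIR/fabric-ca_setup.sh" -L -x "$TDIR/root" -D -d "$driver"
  # stop every fabric-ca-server of this user (comm is truncated to 15 chars)
  pkill -u "$(id -un)" fabric-ca-serve
done

# If the test failed, leave the results for debugging.
# $driver is the last driver of the loop; CA_CFG_PATH comes from the utils.
if [[ "$RC" -eq 0 ]]; then
  "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$CA_CFG_PATH" -d "$driver"
fi

### Clean up ###
rm -f -- "$TESTDATA/openssl.cnf.base.req"
CleanUp "$RC"
exit "$RC"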