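#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# FVT for intermediate CAs: start a root fabric-ca-server, start NUMINTCAS
# intermediate servers that enroll with it over TLS, then run enroll /
# getcacert / register / reenroll against every intermediate and check that
# one more intermediate is refused below a pathlen-0 CA. The whole sequence
# runs once per database driver (postgres, mysql).
#
# Requires GOPATH, fabric-ca-server and fabric-ca-client, and the helpers
# sourced from scripts/fvt/fabric-ca_utils (ErrorExit, ErrorMsg, pollFabricCa,
# CleanUp, PROTO, CA_DEFAULT_PORT, ...). RC is assumed to be updated by
# ErrorMsg/ErrorExit (their bodies are not visible in this file).

: "${TESTCASE:=intermediateca-test}"
TDIR=/tmp/$TESTCASE
FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
TESTDATA="$FABRIC_CA/testdata"
# shellcheck source=/dev/null
. "$SCRIPTDIR/fabric-ca_utils"

ROOT_CA_ADDR=localhost
CA_PORT=7054          # not read in this file; kept in case a sourced helper uses it
NUMINTCAS=8
MAXENROLL=$((2*NUMINTCAS))
RC=0
# NOTE(review): the upstream script re-pointed TDIR here, after sourcing the
# helpers, overriding /tmp/$TESTCASE above. That order is preserved verbatim
# because it is not visible whether fabric-ca_utils reads TDIR at source time.
# The fixed /tmp path is a deliberate test fixture (results are left there for
# debugging on failure).
TDIR=/tmp/intermediateca-tests
TLSDIR="$TDIR/tls"

#######################################
# Address of intermediate CA number $1 (the failing CA is NUMINTCAS+1).
# Outputs: the address on stdout, no trailing newline.
#######################################
intCaAddr() {
  printf '127.0.%s.1' "$1"
}

#######################################
# Populate the caller's $tlsopts array with the server-side TLS options and
# the client-side (root-facing) TLS options for intermediate CA number $1.
# Relies on bash dynamic scoping: the caller must declare 'local tlsopts'.
#######################################
intCaTlsOpts() {
  local n=$1
  tlsopts=(--tls.enabled
    --tls.certfile "$TLSDIR/intFabCaTls${n}-cert.pem"
    --tls.keyfile "$TLSDIR/intFabCaTls${n}-key.pem"
    --intermediate.tls.certfiles "$TLSDIR/tlsroots.pem"
    --intermediate.tls.client.certfile "$TLSDIR/intFabCaTls${n}-cert.pem"
    --intermediate.tls.client.keyfile "$TLSDIR/intFabCaTls${n}-key.pem")
}

#######################################
# Create the TLS material under $TLSDIR: a root TLS CA, a subordinate TLS CA
# and one end-entity cert per CA (intFabCaTls1 .. intFabCaTls<NUMINTCAS+1>;
# the extra one is for the intermediate that is expected to be refused).
# Also writes $TLSDIR/tlsroots.pem, the root+sub chain that clients trust.
# The pki helper works relative to $HOME, so HOME is redirected to $TLSDIR
# for the duration of this function and restored afterwards.
#######################################
setupTLScerts() {
  local oldhome=$HOME
  local i
  rm -rf -- "${TLSDIR:?}"
  mkdir -p -- "$TLSDIR"
  rm -rf -- /tmp/CAs "$TLSDIR"/rootTlsCa* "$TLSDIR"/subTlsCa*
  export HOME=$TLSDIR
  # Root TLS CA
  "$SCRIPTDIR/utils/pki" -f newca -a rootTlsCa -t ec -l 256 -d sha256 \
    -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=localhost/" -S "IP:127.0.0.1,DNS:localhost" \
    -K "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign" \
    -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
    -e 20370101000000Z -s 20160101000000Z -p rootTlsCa- >/dev/null 2>&1
  # Sub TLS CA
  "$SCRIPTDIR/utils/pki" -f newsub -b subTlsCa -a rootTlsCa -t ec -l 256 -d sha256 \
    -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=subTlsCa/" -S "IP:127.0.0.1" \
    -K "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign" \
    -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
    -e 20370101000000Z -s 20160101000000Z -p subTlsCa- >/dev/null 2>&1
  # EE TLS certs, one per intermediate plus one for the failing CA; the
  # here-doc answers the helper's two interactive prompts.
  for ((i = 1; i <= NUMINTCAS + 1; i++)); do
    rm -rf -- "$TLSDIR"/intFabCaTls"${i}"*
    "$SCRIPTDIR/utils/pki" -f newcert -a subTlsCa -t ec -l 256 -d sha512 \
      -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=intFabCaTls${i}/" -S "IP:127.0.${i}.1" \
      -K "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign" \
      -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
      -e 20370101000000Z -s 20160101000000Z -p intFabCaTls${i}- >/dev/null 2>&1 <<EOF
y
y
EOF
  done
  cat -- "$TLSDIR/rootTlsCa-cert.pem" "$TLSDIR/subTlsCa-cert.pem" > "$TLSDIR/tlsroots.pem"
  HOME=$oldhome
}

#######################################
# Initialise and start the root CA in $TDIR/root, backgrounded with its log
# tee'd to $TDIR/root/server.log, then block until it answers.
# Globals: reads $driver (set by main's loop), TDIR, TLSDIR, MAXENROLL.
# Returns: the status of pollFabricCa.
#######################################
createRootCA() {
  local tlsopts=(--tls.enabled
    --tls.certfile "$TLSDIR/rootTlsCa-cert.pem"
    --tls.keyfile "$TLSDIR/rootTlsCa-key.pem")
  mkdir -p -- "$TDIR/root"
  "$SCRIPTDIR/fabric-ca_setup.sh" -I -x "$TDIR/root" -d "$driver" -m "$MAXENROLL" -a
  FABRIC_CA_SERVER_HOME="$TDIR/root" fabric-ca-server start \
    --csr.hosts "$ROOT_CA_ADDR" --address "$ROOT_CA_ADDR" \
    "${tlsopts[@]}" -c "$TDIR/root/runFabricCaFvt.yaml" -d 2>&1 |
    tee "$TDIR/root/server.log" &
  pollFabricCa fabric-ca-server "$ROOT_CA_ADDR" "$CA_DEFAULT_PORT"
}

#######################################
# Start NUMINTCAS intermediate CAs (int1 .. int<NUMINTCAS>), each enrolling
# with the root CA over TLS, then wait for all of them to come up.
# The bootstrap identity and the enrollment URL carry fixture credentials on
# the command line (visible in ps and the tee'd log); fine for an FVT
# harness, not a pattern for anything else.
# Globals: reads TDIR, TLSDIR, PROTO, ROOT_CA_ADDR, CA_DEFAULT_PORT.
#######################################
createIntCA() {
  local i addr tlsopts
  for ((i = 1; i <= NUMINTCAS; i++)); do
    mkdir -p -- "$TDIR/int${i}"
    cp -- "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${i}/runFabricCaFvt.yaml"
    intCaTlsOpts "$i"
    addr=$(intCaAddr "$i")
    FABRIC_CA_SERVER_HOME="$TDIR/int${i}" fabric-ca-server start --csr.hosts "$addr" -c "$TDIR/int${i}/runFabricCaFvt.yaml" \
      --address "$addr" "${tlsopts[@]}" -b admin:adminpw \
      -u "${PROTO}intermediateCa${i}:intermediateCa${i}pw@${ROOT_CA_ADDR}:${CA_DEFAULT_PORT}" -d 2>&1 |
      tee "$TDIR/int${i}/server.log" &
  done
  for ((i = 1; i <= NUMINTCAS; i++)); do
    pollFabricCa "" "$(intCaAddr "$i")" "$CA_DEFAULT_PORT"
  done
}

#######################################
# Try to 'init' one more intermediate CA (int<NUMINTCAS+1>) by enrolling it
# with the last intermediate, which was configured with pathlen 0.
# Output is tee'd to $TDIR/int<last>/server.log so the caller can grep the
# refusal reason.
# Returns: 0 when the enrollment is refused (expected), 1 when the server
#          unexpectedly initialised.
#######################################
createFailingCA() {
  local last=$((NUMINTCAS + 1))
  local parent self tlsopts
  # The original reused $ADDR leaked from createIntCA's loop, which happened
  # to be the last intermediate's address; name it explicitly instead.
  parent=$(intCaAddr "$NUMINTCAS")
  self=$(intCaAddr "$last")
  mkdir -p -- "$TDIR/int${last}"
  cp -- "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${last}/runFabricCaFvt.yaml"
  intCaTlsOpts "$last"
  FABRIC_CA_SERVER_HOME="$TDIR/int${last}" fabric-ca-server init --csr.hosts "$self" -c "$TDIR/int${last}/runFabricCaFvt.yaml" \
    --address "$self" "${tlsopts[@]}" -b admin:adminpw \
    -u "${PROTO}intermediateCa${last}:intermediateCa${last}pw@${parent}:${CA_DEFAULT_PORT}" -d 2>&1 | tee "$TDIR/int${last}/server.log"
  # PIPESTATUS[0] is the server's status, not tee's; success here is a test failure.
  if test "${PIPESTATUS[0]}" -eq 0; then
    return 1
  fi
  return 0
}

#######################################
# Enroll the bootstrap admin against every intermediate CA.
# Returns: the number of failed enrollments (0 on full success).
#######################################
enrollUser() {
  local rc=0 i addr
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=$(intCaAddr "$i")
    /usr/local/bin/fabric-ca-client enroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/admin/enroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts admin@fab-client.raleigh.ibm.com \
      --csr.hosts "admin.fabric.raleigh.ibm.com,127.42.42.$i"
    rc=$((rc + $?))
  done
  return $rc
}

#######################################
# Fetch each intermediate's CA cert bundle with 'getcacert'. The client is
# expected to write $TDIR/int<i>/msp/cacerts/<addr-with-dashes>-<port>.pem;
# the function fails as soon as one of those files is missing.
# Side effect: exports FABRIC_CA_CLIENT_HOME (last value is int<NUMINTCAS>).
# Returns: 0 when every bundle exists, 1 otherwise.
#######################################
getCaCert() {
  local i addr intDir caCertFile
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=$(intCaAddr "$i")
    export FABRIC_CA_CLIENT_HOME="$TDIR/int${i}"
    # the location and filename of the returned cert bundle
    intDir="$TDIR/int${i}/msp/cacerts"
    caCertFile="${addr//./-}-${CA_DEFAULT_PORT}.pem"

    /usr/local/bin/fabric-ca-client getcacert \
      -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      --tls.certfiles "$TLSDIR/tlsroots.pem"
    # if the file didn't get created, fail
    if ! test -f "$intDir/$caCertFile"; then
      echo "Failed to get cacert"
      return 1
    fi
  done
  return 0
}

#######################################
# Check each bundle fetched by getCaCert. The bundle is unpacked with
# openssl and its subject/issuer lines (blank lines removed) are checked by
# awk: lines 1, 2 and 4 must end in "fabric-ca-server" and line 3 in
# "intermediateCa<i>", i.e. the bundle holds the intermediate's cert and the
# root's cert with the expected CNs. awk exits with the mismatch count.
# Returns: 0 when every bundle checks out, 1 on the first mismatch.
#######################################
verifyCaCert() {
  local rc=0 i addr intDir caCertFile
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=$(intCaAddr "$i")
    # the location and filename of the returned cert bundle
    intDir="$TDIR/int${i}/msp/cacerts"
    caCertFile="${addr//./-}-${CA_DEFAULT_PORT}.pem"
    # verify that the returned bundle contains both the
    # root CA public cert and the intermediate CA public cert
    openssl crl2pkcs7 -nocrl -certfile "$intDir/$caCertFile" |
      openssl pkcs7 -print_certs -noout | sed '/^[[:blank:]]*$/d' |
      awk -F'=' \
        -v rc=0 \
        -v s="intermediateCa${i}" \
        -v i="fabric-ca-server" '
        NR==1 || NR==2 || NR==4 {
          if ($NF!=i) rc+=1
        }
        NR==3 {
          if ($NF!=s) rc+=1
        }; END {exit rc}'
    # The pipeline's status is awk's exit(rc). The original never captured
    # it, so its "$rc -ne 0" check below could never fire.
    rc=$?
    if test "$rc" -ne 0; then
      echo "CA cert bundle $TDIR/int${i}/msp/cacerts/$caCertFile does not contain the correct certificates"
      return 1
    fi
  done
  return $rc
}

#######################################
# Register user<i> with intermediate CA i and enroll it with the password
# the server generated. The password is taken from the last word of the
# client's last output line; if register failed, $pswd is empty and the
# enroll fails, which is counted in rc.
# Returns: the number of failed enrollments (0 on full success).
#######################################
registerAndEnrollUser() {
  local rc=0 i addr pswd
  for ((i = 1; i <= NUMINTCAS; i++)); do
    # The original never set the address in this loop and so talked to
    # whichever CA the previous function had used last; pick CA i as the
    # surrounding "round-robin" steps do.
    addr=$(intCaAddr "$i")
    pswd=$(/usr/local/bin/fabric-ca-client register -u "${PROTO}admin:adminpw@${addr}:${CA_DEFAULT_PORT}" \
      --id.name "user${i}" \
      --id.type user \
      --id.maxenrollments "$MAXENROLL" \
      --id.affiliation org1 \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      -c "$TDIR/int${i}/register.yaml" | tail -n1 | awk '{print $NF}')
    /usr/local/bin/fabric-ca-client enroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}user${i}:${pswd}@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/user${i}/enroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts "user${i}@fab-client.raleigh.ibm.com" \
      --csr.hosts "user${i}.fabric.raleigh.ibm.com,127.37.37.$i"
    rc=$((rc + $?))
  done
  return $rc
}

#######################################
# Reenroll the admin identity against every intermediate CA, using the
# credentials already stored under $TDIR/int<i>/admin (the URL carries no
# user:password on purpose).
# Returns: the number of failed reenrollments (0 on full success).
#######################################
reenrollUser() {
  local rc=0 i addr
  for ((i = 1; i <= NUMINTCAS; i++)); do
    addr=$(intCaAddr "$i")
    /usr/local/bin/fabric-ca-client reenroll \
      --id.maxenrollments "$MAXENROLL" \
      -u "${PROTO}@${addr}:${CA_DEFAULT_PORT}" \
      -c "$TDIR/int${i}/admin/reenroll.yaml" \
      --tls.certfiles "$TLSDIR/tlsroots.pem" \
      --csr.hosts admin@fab-client.raleigh.ibm.com \
      --csr.hosts "admin.fabric.raleigh.ibm.com,127.42.42.$i"
    rc=$((rc + $?))
  done
  return $rc
}

#######################################
# Derive the intermediate CA config from the root's: force maxpathlen /
# pathlength to 0 and blank the certfile / keyfile entries so each
# intermediate obtains its own material by enrolling. Uses GNU 'sed -i'.
#######################################
genIntCAConfig() {
  cp -- "$TDIR/root/runFabricCaFvt.yaml" "$TDIR/intFabricCaFvt.yaml"
  sed -i "s@\(^[[:blank:]]*maxpathlen: \).*@\1 0@
s@\(^[[:blank:]]*pathlength: \).*@\1 0@
s@\(^[[:blank:]]*certfile:\).*.pem@\1@
s@\(^[[:blank:]]*keyfile:\).*.pem@\1@" "$TDIR/intFabricCaFvt.yaml"
}

#######################################
# Stop every fabric-ca-server process, matched on the (possibly truncated)
# comm name as the original did. Skips the kill when nothing matches so an
# empty PID list is not passed to kill.
#######################################
killCaServers() {
  local pids
  pids=$(ps -x -o pid,comm | awk '$2~/fabric-ca-serve/ {print $1}')
  if test -n "$pids"; then
    # shellcheck disable=SC2086 -- one PID per word is intended
    kill $pids
  fi
}

### Start Test ###
main() {
  local driver iter
  local last=$((NUMINTCAS + 1))
  for driver in postgres mysql; do
    "$SCRIPTDIR/fabric-ca_setup.sh" -R -x "$TDIR/root" -D -d "$driver"
    # :? guards against wiping / if TDIR were ever empty
    rm -rf -- "${TDIR:?}"

    setupTLScerts

    createRootCA || ErrorExit "Failed to create root CA"

    # using the root config as a template, modify pathlen and cert/key
    genIntCAConfig

    createIntCA || ErrorExit "Failed to create $NUMINTCAS intermediate CAs"

    # Attempt to enroll with an intermediate CA with pathlen 0 should fail;
    # the refused server's log lives under int<last> (the original relied on
    # a leaked loop counter that happened to equal last).
    createFailingCA || ErrorMsg "Intermediate CA enroll should have failed"
    grep "Policy violation request" "$TDIR/int${last}/server.log" || ErrorMsg "Policy violation request not found in response"

    # roundrobin through all intermediate servers and grab the cacert
    getCaCert || ErrorExit "Failed to getCaCert(s)"

    # roundrobin through all intermediate servers and verify the cacert
    verifyCaCert || ErrorExit "Failed to verify CaCert(s)"

    # roundrobin through all intermediate servers and enroll a user
    for iter in {0..1}; do
      enrollUser || ErrorMsg "Failed to enroll users"
    done

    # the original ignored this step's result; report it like the others
    registerAndEnrollUser || ErrorMsg "Failed to register and enroll users"

    # roundrobin through all intermediate servers and reenroll same user
    for iter in {0..1}; do
      reenrollUser || ErrorMsg "Failed to reenroll users"
    done

    "$SCRIPTDIR/fabric-ca_setup.sh" -L -x "$TDIR/root" -D -d "$driver"
    killCaServers
  done

  # If the test failed, leave the results for debugging.
  # NOTE(review): CA_CFG_PATH is not set in this file (presumably from
  # fabric-ca_utils); left unquoted as upstream so an unset value drops the
  # argument rather than passing an empty string — confirm and quote.
  # shellcheck disable=SC2086
  test "$RC" -eq 0 && "$SCRIPTDIR/fabric-ca_setup.sh" -R -x $CA_CFG_PATH -d "$driver"

  ### Clean up ###
  rm -f -- "$TESTDATA/openssl.cnf.base.req"
  CleanUp "$RC"
  exit "$RC"
}
main "$@"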