From 63bb2282fea6a0724e0fbd8c5dc05b22e51b4108 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Wed, 19 Feb 2025 02:44:43 +0900
Subject: [PATCH] test-network: Add support for using BFT consensus with CA (#1301)
Signed-off-by: Tatsuya Sato
---
 .../workflows/test-network-bft-orderer.yaml | 4 ++
 ci/scripts/run-test-network-basic.sh | 12 +++-
 test-network/.gitignore | 1 +
 test-network/README.md | 2 +-
 test-network/network.sh | 5 --
 .../organizations/fabric-ca/registerEnroll.sh | 57 +++++++++++--------
 test-network/scripts/createChannel.sh | 6 --
 7 files changed, 47 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/test-network-bft-orderer.yaml b/.github/workflows/test-network-bft-orderer.yaml
index 695c58c1..2a71d68c 100644
--- a/.github/workflows/test-network-bft-orderer.yaml
+++ b/.github/workflows/test-network-bft-orderer.yaml
@@ -25,6 +25,9 @@ jobs:
 - javascript
 - typescript
 - java
+ crypto:
+ - cryptogen
+ - ca
 steps:
 - name: Checkout
@@ -43,3 +46,4 @@ jobs:
 env:
 CHAINCODE_LANGUAGE: ${{ matrix.chaincode-language }}
 ORDERER_TYPE: bft
+ CRYPTO: ${{ matrix.crypto }}
diff --git a/ci/scripts/run-test-network-basic.sh b/ci/scripts/run-test-network-basic.sh
index 3861968d..448af4a0 100755
--- a/ci/scripts/run-test-network-basic.sh
+++ b/ci/scripts/run-test-network-basic.sh
@@ -5,6 +5,12 @@ set -euo pipefail
 CHAINCODE_LANGUAGE=${CHAINCODE_LANGUAGE:-go}
 CHAINCODE_PATH=${CHAINCODE_PATH:-../asset-transfer-basic}
 ORDERER_TYPE=${ORDERER_TYPE:-raft}
+CRYPTO=${CRYPTO:-ca}
+
+CRYPTO_OPTION=""
+if [ "$CRYPTO" == "ca" ]; then
+ CRYPTO_OPTION="-ca"
+fi
 function print() {
 GREEN='\033[0;32m'
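Review bot: In ci/scripts/run-test-network-basic.sh, any `CRYPTO` value other than the exact string `ca` leaves `CRYPTO_OPTION` empty, so a typo such as `CA` silently takes the cryptogen path and the job still passes without exercising the CA flow. Reject unknown values by extending the test before `fi`: `elif [ "$CRYPTO" != "cryptogen" ]; then echo "unsupported CRYPTO: $CRYPTO" >&2; exit 1`. The workflow matrix added in the same commit names only `cryptogen` and `ca`, so nothing legitimate is lost by failing closed on anything else.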
@@ -15,15 +21,15 @@ function print() {
 function createNetworkWithRaft() {
 print "Creating 3 Org network with Raft Orderers"
- ./network.sh up createChannel -ca -s couchdb
+ ./network.sh up createChannel ${CRYPTO_OPTION} -s couchdb
 cd addOrg3
- ./addOrg3.sh up -ca -s couchdb
+ ./addOrg3.sh up ${CRYPTO_OPTION} -s couchdb
 cd ..
 }
 function createNetworkWithBFT() {
 print "Creating 2 Org network with BFT Orderers"
- ./network.sh up createChannel -bft
+ ./network.sh up createChannel -bft ${CRYPTO_OPTION}
 }
 function createNetwork() {
diff --git a/test-network/.gitignore b/test-network/.gitignore
index ed5913d7..fdc2152a 100644
--- a/test-network/.gitignore
+++ b/test-network/.gitignore
@@ -8,6 +8,7 @@ organizations/fabric-ca/ordererOrg/*
 organizations/fabric-ca/org1/*
 organizations/fabric-ca/org2/*
+addOrg3/fabric-ca/org3/*
 organizations/ordererOrganizations/*
 organizations/peerOrganizations/*
 system-genesis-block/*
diff --git a/test-network/README.md b/test-network/README.md
index 31578af1..643cf2fc 100644
--- a/test-network/README.md
+++ b/test-network/README.md
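Review bot: The three `${CRYPTO_OPTION}` expansions in createNetworkWithRaft and createNetworkWithBFT (ci/scripts/run-test-network-basic.sh) are left unquoted so that an empty value disappears, which works only through word splitting and is what ShellCheck reports as SC2086. `${CRYPTO_OPTION:+"$CRYPTO_OPTION"}` states the intent explicitly: nothing when the option is empty, one quoted word otherwise, for example `./network.sh up createChannel -bft ${CRYPTO_OPTION:+"$CRYPTO_OPTION"}`. It also stays safe under the script's `set -u` because the variable is always assigned before use.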
@@ -2,7 +2,7 @@ You can use the `./network.sh` script to stand up a simple Fabric test network. The test network has two peer organizations with one peer each and a single node raft ordering service. You can also use the `./network.sh` script to create channels and deploy chaincode. For more information, see [Using the Fabric test network](https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html). The test network is being introduced in Fabric v2.0 as the long term replacement for the `first-network` sample.
-If you are planning to run the test network with consensus type BFT then please pass `-bft` flag as input to the `network.sh` script when creating the channel. Note that currently this sample does not yet support the use of consensus type BFT and CA together.
+If you are planning to run the test network with consensus type BFT then please pass `-bft` flag as input to the `network.sh` script when creating the channel. This sample also supports the use of consensus type BFT and CA together.
 That is to create a network use:
 ```bash
 ./network.sh up -bft
diff --git a/test-network/network.sh b/test-network/network.sh
index 821ae7c8..1afa28a5 100755
--- a/test-network/network.sh
+++ b/test-network/network.sh
@@ -619,11 +619,6 @@ while [[ $# -ge 1 ]] ; do
 shift
 done
-## Check if user attempts to use BFT orderer and CA together
-if [[ $BFT -eq 1 && "$CRYPTO" == "Certificate Authorities" ]]; then
- fatalln "This sample does not yet support the use of consensus type BFT and CA together."
-fi
-
 if [ $BFT -eq 1 ]; then
 export FABRIC_CFG_PATH=${PWD}/bft-config
 COMPOSE_FILE_BASE=compose-bft-test-net.yaml
diff --git a/test-network/organizations/fabric-ca/registerEnroll.sh b/test-network/organizations/fabric-ca/registerEnroll.sh
index 178db6cf..e0635490 100755
--- a/test-network/organizations/fabric-ca/registerEnroll.sh
+++ b/test-network/organizations/fabric-ca/registerEnroll.sh
@@ -207,37 +207,44 @@ function createOrderer() {
 mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/tlsca"
 cp "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem" "${PWD}/organizations/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem"
- infoln "Registering orderer"
- set -x
- fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
- { set +x; } 2>/dev/null
+# Loop through each orderer (orderer, orderer2, orderer3, orderer4) to register and generate artifacts
+ for ORDERER in orderer orderer2 orderer3 orderer4; do
+ infoln "Registering ${ORDERER}"
+ set -x
+ fabric-ca-client register --caname ca-orderer --id.name ${ORDERER} --id.secret ${ORDERER}pw --id.type orderer --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+ { set +x; } 2>/dev/null
+ infoln "Generating the ${ORDERER} MSP"
+ set -x
+ fabric-ca-client enroll -u https://${ORDERER}:${ORDERER}pw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+ { set +x; } 2>/dev/null
+
+ cp "${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml" "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/config.yaml"
+
+ # Workaround: Rename the signcert file to ensure consistency with Cryptogen generated artifacts
+ mv "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/signcerts/cert.pem" "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/signcerts/${ORDERER}.example.com-cert.pem"
+
+ infoln "Generating the ${ORDERER} TLS certificates, use --csr.hosts to specify Subject Alternative Names"
+ set -x
+ fabric-ca-client enroll -u https://${ORDERER}:${ORDERER}pw@localhost:9054
--caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls" --enrollment.profile tls --csr.hosts ${ORDERER}.example.com --csr.hosts localhost --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+ { set +x; } 2>/dev/null
+
+ # Copy the tls CA cert, server cert, server keystore to well known file names in the orderer's tls directory that are referenced by orderer startup config
+ cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/ca.crt"
+ cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/signcerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/server.crt"
+ cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/keystore/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/server.key"
+
+ # Copy orderer org's CA cert to orderer's /msp/tlscacerts directory (for use in the orderer MSP definition)
+ mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/tlscacerts"
+ cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
+ done
+
+ # Register and generate artifacts for the orderer admin
 infoln "Registering the orderer admin"
 set -x
 fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
 { set +x; } 2>/dev/null
- infoln "Generating the orderer msp"
- set -x
- fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname
ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
- { set +x; } 2>/dev/null
-
- cp "${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml" "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml"
-
- infoln "Generating the orderer-tls certificates, use --csr.hosts to specify Subject Alternative Names"
- set -x
- fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls" --enrollment.profile tls --csr.hosts orderer.example.com --csr.hosts localhost --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
- { set +x; } 2>/dev/null
-
- # Copy the tls CA cert, server cert, server keystore to well known file names in the orderer's tls directory that are referenced by orderer startup config
- cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt"
- cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt"
- cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key"
-
- # Copy orderer org's CA cert to orderer's /msp/tlscacerts directory (for use in the orderer MSP definition)
- mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts"
- cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/"*
"${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
-
 infoln "Generating the admin msp"
 set -x
 fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
diff --git a/test-network/scripts/createChannel.sh b/test-network/scripts/createChannel.sh
index 8f7980d4..f3ff3915 100755
--- a/test-network/scripts/createChannel.sh
+++ b/test-network/scripts/createChannel.sh
@@ -95,12 +95,6 @@ setAnchorPeer() {
 . scripts/setAnchorPeer.sh $ORG $CHANNEL_NAME
 }
-
-## User attempts to use BFT orderer in Fabric network with CA
-if [ $BFT -eq 1 ] && [ -d "organizations/fabric-ca/ordererOrg/msp" ]; then
- fatalln "Fabric network seems to be using CA. This sample does not yet support the use of consensus type BFT and CA together."
-fi
-
 ## Create channel genesis block
 FABRIC_CFG_PATH=$PWD/../config/
 BLOCKFILE="./channel-artifacts/${CHANNEL_NAME}.block"
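Review bot: In registerEnroll.sh the new loop in createOrderer registers and enrolls orderer2, orderer3 and orderer4 on every CA run, so a Raft network, which the README in this commit still describes as single-node, ends up with three extra orderer identities and TLS private keys on disk that nothing uses, each with a secret derived from its name (`${ORDERER}pw`). If `BFT` is visible where createOrderer runs (the call site is outside this diff), build the list conditionally: `local orderers=(orderer)`, `if [ "${BFT:-0}" -eq 1 ]; then orderers+=(orderer2 orderer3 orderer4); fi`, `for ORDERER in "${orderers[@]}"; do`. The loop variable is also assigned without `local`, so adding `local ORDERER` keeps it out of the global scope. None of the register, enroll, `mv` or `cp` steps is checked in the visible lines, so a failed enrollment for one orderer would surface only later as a missing certificate file. createOrderer starts and ends outside the hunk.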