test-network: Add support for using BFT consensus with CA (#1301)

Signed-off-by: Tatsuya Sato <tatsuya.sato.so@hitachi.com>

Author: satota2

.github/workflows/test-network-bft-orderer.yaml

@@ -25,6 +25,9 @@ jobs:
           - javascript
           - typescript
           - java
+        crypto:
+          - cryptogen
+          - ca
 
     steps:
       - name: Checkout
@@ -43,3 +46,4 @@ jobs:
         env:
           CHAINCODE_LANGUAGE: ${{ matrix.chaincode-language }}
           ORDERER_TYPE: bft
+          CRYPTO: ${{ matrix.crypto }}

ci/scripts/run-test-network-basic.sh

@@ -5,6 +5,12 @@ set -euo pipefail
 CHAINCODE_LANGUAGE=${CHAINCODE_LANGUAGE:-go}
 CHAINCODE_PATH=${CHAINCODE_PATH:-../asset-transfer-basic}
 ORDERER_TYPE=${ORDERER_TYPE:-raft}
+CRYPTO=${CRYPTO:-ca}
+
+CRYPTO_OPTION=""
+if [ "$CRYPTO" == "ca" ]; then
+  CRYPTO_OPTION="-ca"
+fi
 
 function print() {
 	GREEN='\033[0;32m'
@@ -15,15 +21,15 @@ function print() {
 
 function createNetworkWithRaft() {
   print "Creating 3 Org network with Raft Orderers"
-  ./network.sh up createChannel -ca -s couchdb
+  ./network.sh up createChannel ${CRYPTO_OPTION} -s couchdb
   cd addOrg3
-  ./addOrg3.sh up -ca -s couchdb
+  ./addOrg3.sh up ${CRYPTO_OPTION} -s couchdb
   cd ..
 }
 
 function createNetworkWithBFT() {
   print "Creating 2 Org network with BFT Orderers"
-  ./network.sh up createChannel -bft
+  ./network.sh up createChannel -bft ${CRYPTO_OPTION}
 }
 
 function createNetwork() {

test-network/.gitignore

@@ -8,6 +8,7 @@
 organizations/fabric-ca/ordererOrg/*
 organizations/fabric-ca/org1/*
 organizations/fabric-ca/org2/*
+addOrg3/fabric-ca/org3/*
 organizations/ordererOrganizations/*
 organizations/peerOrganizations/*
 system-genesis-block/*

test-network/README.md

@@ -2,7 +2,7 @@
 
 You can use the `./network.sh` script to stand up a simple Fabric test network. The test network has two peer organizations with one peer each and a single node raft ordering service. You can also use the `./network.sh` script to create channels and deploy chaincode. For more information, see [Using the Fabric test network](https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html). The test network is being introduced in Fabric v2.0 as the long term replacement for the `first-network` sample.
 
-If you are planning to run the test network with consensus type BFT then please pass `-bft` flag as input to the `network.sh` script when creating the channel. Note that currently this sample does not yet support the use of consensus type BFT and CA together.
+If you are planning to run the test network with consensus type BFT then please pass `-bft` flag as input to the `network.sh` script when creating the channel. This sample also supports the use of consensus type BFT and CA together.
 That is to create a network use:
 ```bash
 ./network.sh up -bft

test-network/network.sh

@@ -619,11 +619,6 @@ while [[ $# -ge 1 ]] ; do
   shift
 done
 
-## Check if user attempts to use BFT orderer and CA together
-if [[ $BFT -eq 1 && "$CRYPTO" == "Certificate Authorities" ]]; then
-  fatalln "This sample does not yet support the use of consensus type BFT and CA together."
-fi
-
 if [ $BFT -eq 1 ]; then
   export FABRIC_CFG_PATH=${PWD}/bft-config
   COMPOSE_FILE_BASE=compose-bft-test-net.yaml

test-network/organizations/fabric-ca/registerEnroll.sh

@@ -207,37 +207,44 @@ function createOrderer() {
   mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/tlsca"
   cp "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem" "${PWD}/organizations/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem"
 
-  infoln "Registering orderer"
-  set -x
-  fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
-  { set +x; } 2>/dev/null
-
+# Loop through each orderer (orderer, orderer2, orderer3, orderer4) to register and generate artifacts
+  for ORDERER in orderer orderer2 orderer3 orderer4; do
+    infoln "Registering ${ORDERER}"
+    set -x
+    fabric-ca-client register --caname ca-orderer --id.name ${ORDERER} --id.secret ${ORDERER}pw --id.type orderer --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+    { set +x; } 2>/dev/null
+
+    infoln "Generating the ${ORDERER} MSP"
+    set -x
+    fabric-ca-client enroll -u https://${ORDERER}:${ORDERER}pw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+    { set +x; } 2>/dev/null
+
+    cp "${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml" "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/config.yaml"
+
+    # Workaround: Rename the signcert file to ensure consistency with Cryptogen generated artifacts
+    mv "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/signcerts/cert.pem" "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/signcerts/${ORDERER}.example.com-cert.pem"
+
+    infoln "Generating the ${ORDERER} TLS certificates, use --csr.hosts to specify Subject Alternative Names"
+    set -x
+    fabric-ca-client enroll -u https://${ORDERER}:${ORDERER}pw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls" --enrollment.profile tls --csr.hosts ${ORDERER}.example.com --csr.hosts localhost --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
+    { set +x; } 2>/dev/null
+
+    # Copy the tls CA cert, server cert, server keystore to well known file names in the orderer's tls directory that are referenced by orderer startup config
+    cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/ca.crt"
+    cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/signcerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/server.crt"
+    cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/keystore/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/server.key"
+
+    # Copy orderer org's CA cert to orderer's /msp/tlscacerts directory (for use in the orderer MSP definition)
+    mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/tlscacerts"
+    cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/${ORDERER}.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
+  done
+
+  # Register and generate artifacts for the orderer admin
   infoln "Registering the orderer admin"
   set -x
   fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
   { set +x; } 2>/dev/null
 
-  infoln "Generating the orderer msp"
-  set -x
-  fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
-  { set +x; } 2>/dev/null
-
-  cp "${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml" "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml"
-
-  infoln "Generating the orderer-tls certificates, use --csr.hosts to specify Subject Alternative Names"
-  set -x
-  fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls" --enrollment.profile tls --csr.hosts orderer.example.com --csr.hosts localhost --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"
-  { set +x; } 2>/dev/null
-
-  # Copy the tls CA cert, server cert, server keystore to well known file names in the orderer's tls directory that are referenced by orderer startup config
-  cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt"
-  cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt"
-  cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key"
-
-  # Copy orderer org's CA cert to orderer's /msp/tlscacerts directory (for use in the orderer MSP definition)
-  mkdir -p "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts"
-  cp "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/"* "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
-
   infoln "Generating the admin msp"
   set -x
   fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M "${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/ordererOrg/ca-cert.pem"

test-network/scripts/createChannel.sh

@@ -95,12 +95,6 @@ setAnchorPeer() {
   . scripts/setAnchorPeer.sh $ORG $CHANNEL_NAME 
 }
 
-
-## User attempts to use BFT orderer in Fabric network with CA
-if [ $BFT -eq 1 ] && [ -d "organizations/fabric-ca/ordererOrg/msp" ]; then
-  fatalln "Fabric network seems to be using CA. This sample does not yet support the use of consensus type BFT and CA together."
-fi
-
 ## Create channel genesis block
 FABRIC_CFG_PATH=$PWD/../config/
 BLOCKFILE="./channel-artifacts/${CHANNEL_NAME}.block"