Push config update (Integration tests - reconfiguration #247)

Signed-off-by: Genady Gurevich <genadyg@il.ibm.com>

Author: gengur

common/tools/armageddon/cryptogen.go

@@ -552,7 +552,7 @@ func copyFile(src, dst string) error {
 	return err
 }
 
-func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, pathToNewTLSCert string, pathToNewTLSKey string, nodesIPs []string) ([]byte, error) {
+func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, name string, pathToNewCert string, pathToNewPrivateKey string, nodesIPs []string) ([]byte, error) {
 	caCertBytes, err := utils.ReadPem(caCertPath)
 	if err != nil {
 		return nil, err
@@ -595,20 +595,20 @@ func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, path
 		return nil, fmt.Errorf("failed marshaling private key, err: %s", err)
 	}
 
-	_, err = ca.SignCertificate(pathToNewTLSCert, "tls", nil, nodesIPs, GetPublicKey(privateKey), x509.KeyUsageCertSign|x509.KeyUsageCRLSign, []x509.ExtKeyUsage{
+	_, err = ca.SignCertificate(pathToNewCert, name, nil, nodesIPs, GetPublicKey(privateKey), x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{
 		x509.ExtKeyUsageClientAuth,
 		x509.ExtKeyUsageServerAuth,
 	})
 	if err != nil {
 		return nil, err
 	}
 
-	err = utils.WritePEMToFile(pathToNewTLSKey, "PRIVATE KEY", privateKeyBytes)
+	err = utils.WritePEMToFile(pathToNewPrivateKey, "PRIVATE KEY", privateKeyBytes)
 	if err != nil {
 		return nil, err
 	}
 
-	newCertBytes, err := os.ReadFile(filepath.Join(pathToNewTLSCert, "tls-cert.pem"))
+	newCertBytes, err := os.ReadFile(filepath.Join(pathToNewCert, fmt.Sprintf("%s-cert.pem", name)))
 	if err != nil {
 		return nil, err
 	}

common/utils/net.go

@@ -64,6 +64,47 @@ func CertificateBytesToString(cert []byte) (string, error) {
 	return CertificateToString(x509Cert), nil
 }
 
+func AreCertificatesEqual(cert1, cert2 []byte) bool {
+	x509Cert1, err := Parsex509Cert(cert1)
+	if err != nil {
+		return false
+	}
+	x509Cert2, err := Parsex509Cert(cert2)
+	if err != nil {
+		return false
+	}
+
+	if x509Cert1.SerialNumber.Cmp(x509Cert2.SerialNumber) != 0 {
+		return false
+	}
+
+	if x509Cert1.Issuer.String() != x509Cert2.Issuer.String() {
+		return false
+	}
+
+	if x509Cert1.Subject.String() != x509Cert2.Subject.String() {
+		return false
+	}
+
+	if !x509Cert1.NotBefore.Equal(x509Cert2.NotBefore) {
+		return false
+	}
+
+	if !x509Cert1.NotAfter.Equal(x509Cert2.NotAfter) {
+		return false
+	}
+
+	if x509Cert1.PublicKeyAlgorithm != x509Cert2.PublicKeyAlgorithm {
+		return false
+	}
+
+	if x509Cert1.SignatureAlgorithm != x509Cert2.SignatureAlgorithm {
+		return false
+	}
+
+	return true
+}
+
 func CertificateToString(cert *x509.Certificate) string {
 	var sb strings.Builder
 	fmt.Fprintf(&sb, "Certificate:\n")

config/config.go

@@ -697,7 +697,7 @@ func (config *Configuration) CheckIfBatcherNodeExistsInSharedConfig(localSignCer
 		return fmt.Errorf("batcher in shard%d does not exist for party%d in the shared config", localShardID, localPartyID)
 	}
 
-	if !bytes.Equal(localTLSCert, sharedBatcherConfig.TlsCert) {
+	if !utils.AreCertificatesEqual(localTLSCert, sharedBatcherConfig.TlsCert) {
 		localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 		if err != nil {
 			return err
@@ -709,7 +709,8 @@ func (config *Configuration) CheckIfBatcherNodeExistsInSharedConfig(localSignCer
 		return fmt.Errorf("certificate mismatch: the batcher of party %d shard %d is attempting to load with TLS certificate: %v that differs from the shared configuration TLS certificate: %v", localPartyID, localShardID, localTLSCertString, sharedTLSCertString)
 	}
 
-	if !bytes.Equal(localSignCert, sharedBatcherConfig.SignCert) {
+	// if !bytes.Equal(localSignCert, sharedBatcherConfig.SignCert) {
+	if !utils.AreCertificatesEqual(localSignCert, sharedBatcherConfig.SignCert) {
 		localSignCertString, err := utils.CertificateBytesToString(localSignCert)
 		if err != nil {
 			return err
@@ -737,7 +738,7 @@ func (config *Configuration) CheckIfConsenterNodeExistsInSharedConfig(localSignC
 			return fmt.Errorf("consenter configuration of partyID %d is missing from the shared configuration: %+v", localPartyID, sharedPartyConfig)
 		}
 
-		if !bytes.Equal(localSignCert, sharedPartyConfig.ConsenterConfig.SignCert) {
+		if !utils.AreCertificatesEqual(localSignCert, sharedPartyConfig.ConsenterConfig.SignCert) {
 			localSignCertString, err := utils.CertificateBytesToString(localSignCert)
 			if err != nil {
 				return err
@@ -749,7 +750,7 @@ func (config *Configuration) CheckIfConsenterNodeExistsInSharedConfig(localSignC
 			return fmt.Errorf("sign certificate mismatch: Consenter%d is attempting to load with sign certificate: %v that differs from the shared configuration sign certificate: %v", localPartyID, localSignCertString, sharedSignCertString)
 		}
 
-		if !bytes.Equal(localTLSCert, sharedPartyConfig.ConsenterConfig.TlsCert) {
+		if !utils.AreCertificatesEqual(localTLSCert, sharedPartyConfig.ConsenterConfig.TlsCert) {
 			localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 			if err != nil {
 				return err
@@ -775,7 +776,7 @@ func (config *Configuration) CheckIfAssemblerNodeExistsInSharedConfig() error {
 			if sharedPartyConfig.AssemblerConfig == nil {
 				return fmt.Errorf("assembler configuration of partyID %d is missing from the shared configuration: %+v", localPartyID, sharedPartyConfig)
 			}
-			if !bytes.Equal(localTLSCert, sharedPartyConfig.AssemblerConfig.TlsCert) {
+			if !utils.AreCertificatesEqual(localTLSCert, sharedPartyConfig.AssemblerConfig.TlsCert) {
 				localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 				if err != nil {
 					return err

node/consensus/consensus_real_reconfig_test.go

@@ -162,7 +162,7 @@ func TestConsensusWithRealConfigUpdate(t *testing.T) {
 		caPrivKeyPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "tlsca", "priv_sk")
 		newCertPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "orderers", fmt.Sprintf("party%d", consenterToUpdate), "consenter", "tls")
 		newKeyPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "orderers", fmt.Sprintf("party%d", consenterToUpdate), "consenter", "tls", "key.pem")
-		newCert, err := armageddon.CreateNewCertificateFromCA(caCertPath, caPrivKeyPath, newCertPath, newKeyPath, nodesIPs)
+		newCert, err := armageddon.CreateNewCertificateFromCA(caCertPath, caPrivKeyPath, "tls", newCertPath, newKeyPath, nodesIPs)
 		require.NoError(t, err)
 		configUpdatePbData := configUpdateBuilder.UpdateConsensusTLSCert(t, consenterToUpdate, newCert)
 		env := configutil.CreateConfigTX(t, dir, parties, 1, configUpdatePbData)