Skip to content

Test mTLS from application client#976

Open
gengur wants to merge 1 commit into
hyperledger:mainfrom
gengur:mTLS_from_application_client
Open

Test mTLS from application client#976
gengur wants to merge 1 commit into
hyperledger:mainfrom
gengur:mTLS_from_application_client

Conversation

@gengur

@gengur gengur commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

issue #548
Test that we can submit TXs and pull blocks when the client (broadcast / delivery, resp) has a TLS and signing certificate from a CA(s) that belong to an application org (NOT orderer org).

@gengur gengur requested review from MayRosenbaum and tock-ibm July 1, 2026 07:23
@gengur gengur force-pushed the mTLS_from_application_client branch 3 times, most recently from 3c8a9da to 29657b3 Compare July 2, 2026 09:51
@tock-ibm tock-ibm requested a review from Copilot July 2, 2026 12:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support and test coverage for exercising mTLS (broadcast + deliver) using an application-org client identity (TLS + signing certs issued by an application CA rather than an orderer-org CA), by introducing “peer” organizations into the test network generation and config-block/profile generation.

Changes:

  • Extend generated network model/config to include application peers and generate crypto + user_config.yaml for them.
  • Update configtx profile generation to build Application orgs from generated peerOrganizations MSPs.
  • Add an integration test that submits TXs and pulls blocks using a peer org’s TLS + signing materials; adjust supporting test utilities.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
testutil/utils.go Adds Peers: ["peer1"] into generated network YAML used by tests.
testutil/signutil/signer.go Broadens MSP ID extraction to work for both ordererOrganizations and peerOrganizations.
testutil/configutil/config_update_utils.go Stops (commented out) updating Application MSP sections when updating party cert material; adds note/intent.
test/basic/router_basic_test.go Adds TestMTLSFromApplicationClient exercising mTLS using peer org credentials; simplifies party list usage.
node/consensus/consensus_real_reconfig_test.go Fixes submitting party argument passed to CreateConfigTX.
config/generate/network_config.go Adds Peers []string to the network YAML schema.
config/generate/config_block_gen.go Builds Application org definitions from generated peerOrganizations MSP directories.
config/config_test.go Updates expectation for number of extracted application trusted roots.
common/tools/armageddon/cryptogen.go Generates peer org crypto material (CAs, TLS/signing certs, folder structure).
common/tools/armageddon/armageddon.go Generates per-peer user_config.yaml during armageddon generate.
common/tools/armageddon/armageddon_test.go Updates config directory validation to require peer user_config.yaml.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +368 to +371
_, err = ca.SignCertificate(filepath.Join(dir, "crypto", "peerOrganizations", peer, "tls"), "tls", nil, nodesIPs, GetPublicKey(privateKey), x509.KeyUsageCertSign|x509.KeyUsageCRLSign, []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
})
Comment on lines +375 to +379
userTLSPrivateKeyPath := filepath.Join(*outputDir, "crypto", "peerOrganizations", peer, "tls", "key.pem")
userTLSCertPath := filepath.Join(*outputDir, "crypto", "peerOrganizations", peer, "tls", "tls-cert.pem")
mspDir := filepath.Join(*outputDir, "crypto", "peerOrganizations", peer, "msp")

userConfig, err := NewUserConfig(mspDir, userTLSPrivateKeyPath, userTLSCertPath, tlsCACertsBytesPartiesCollection, networkConfig)
Comment on lines +385 to +387
peerConfigDir := path.Join(*outputDir, "config", peer)
os.MkdirAll(peerConfigDir, 0o755)

Comment on lines +403 to +406
f, err := os.Open(path.Join(dir, "config", "peer1", "user_config.yaml"))
require.NoError(t, err)
uc, err := armageddon.ReadUserConfig(&f)
require.NoError(t, err)
Comment on lines 96 to +99
func getMspIDfromDir(mspDir string) (string, error) {
re := regexp.MustCompile(`/ordererOrganizations/([^/]+)/`)
re := regexp.MustCompile(`/(orderer|peer)Organizations/([^/]+)(/|$)`)
matches := re.FindStringSubmatch(mspDir)
if matches == nil || len(matches) > 2 {
if len(matches) < 4 {
Comment on lines +72 to +76
peers, err := buildPeerNames(filepath.Join(dir, "crypto", "peerOrganizations"))
if err != nil {
return nil, err
}
profile.Application.Organizations = make([]*configtxgen.Organization, len(peers))
Comment on lines 529 to 531
overwriteNestedJSONValue(t, c.configData, tlsCACerts, "channel_group", "groups", "Orderer", "groups", org, "values", "MSP", "value", "config", "tls_root_certs")
overwriteNestedJSONValue(t, c.configData, tlsCACerts, "channel_group", "groups", "Application", "groups", org, "values", "MSP", "value", "config", "tls_root_certs")
// overwriteNestedJSONValue(t, c.configData, tlsCACerts, "channel_group", "groups", "Application", "groups", "peer1", "values", "MSP", "value", "config", "tls_root_certs")
return c.createConfigUpdate(t, c.configData)
Signed-off-by: Genady Gurevich <genadyg@il.ibm.com>
@tock-ibm tock-ibm force-pushed the mTLS_from_application_client branch from 29657b3 to 5f41e41 Compare July 2, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants