[FAB-3255] Added creating orderer with root CAs

Change-Id: Ia1df735bd105fb64330550f94dcf7b1c8c38bbc8
Signed-off-by: Emir Heidinger <emir.heidinger@securekey.com>

Author: emirsh

config/config.go

@@ -22,6 +22,7 @@ package config
 import (
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -189,7 +190,28 @@ func GetTLSCACertPool(tlsCertificate string) (*x509.CertPool, error) {
 			return nil, err
 		}
 
-		certPool.AddCert(loadCAKey(rawData))
+		cert, err := loadCAKey(rawData)
+		if err != nil {
+			return nil, err
+		}
+
+		certPool.AddCert(cert)
+	}
+
+	return certPool, nil
+}
+
+// GetTLSCACertPoolFromRoots ...
+func GetTLSCACertPoolFromRoots(ordererRootCAs [][]byte) (*x509.CertPool, error) {
+	certPool := x509.NewCertPool()
+
+	for _, root := range ordererRootCAs {
+		cert, err := loadCAKey(root)
+		if err != nil {
+			return nil, err
+		}
+
+		certPool.AddCert(cert)
 	}
 
 	return certPool, nil
@@ -247,12 +269,16 @@ func GetKeyStorePath() string {
 }
 
 // loadCAKey
-func loadCAKey(rawData []byte) *x509.Certificate {
+func loadCAKey(rawData []byte) (*x509.Certificate, error) {
 	block, _ := pem.Decode(rawData)
 
-	pub, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		panic(err)
+	if block != nil {
+		pub, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, errors.New("Failed to parse certificate: " + err.Error())
+		}
+
+		return pub, nil
 	}
-	return pub
+	return nil, errors.New("No pem data found")
 }

fabric-client/orderer.go

@@ -20,6 +20,7 @@ limitations under the License.
 package fabricclient
 
 import (
+	"crypto/x509"
 	"fmt"
 	"io"
 	"strings"
@@ -48,19 +49,41 @@ type orderer struct {
 
 // CreateNewOrderer Returns a Orderer instance
 func CreateNewOrderer(url string, certificate string, serverHostOverride string) (Orderer, error) {
-	var opts []grpc.DialOption
-	opts = append(opts, grpc.WithTimeout(time.Second*3))
 	if config.IsTLSEnabled() {
 		tlsCaCertPool, err := config.GetTLSCACertPool(certificate)
 		if err != nil {
 			return nil, err
 		}
-		creds := credentials.NewClientTLSFromCert(tlsCaCertPool, serverHostOverride)
-		opts = append(opts, grpc.WithTransportCredentials(creds))
-	} else {
-		opts = append(opts, grpc.WithInsecure())
+		return createNewOrdererWithCertPool(url, tlsCaCertPool, serverHostOverride), nil
+	}
+	return createNewOrdererWithoutTLS(url), nil
+}
+
+// CreateNewOrdererWithRootCAs Returns a new Orderer instance using the passed in orderer root CAs
+func CreateNewOrdererWithRootCAs(url string, ordererRootCAs [][]byte, serverHostOverride string) (Orderer, error) {
+	if config.IsTLSEnabled() {
+		tlsCaCertPool, err := config.GetTLSCACertPoolFromRoots(ordererRootCAs)
+		if err != nil {
+			return nil, err
+		}
+		return createNewOrdererWithCertPool(url, tlsCaCertPool, serverHostOverride), nil
 	}
-	return &orderer{url: url, grpcDialOption: opts}, nil
+	return createNewOrdererWithoutTLS(url), nil
+}
+
+func createNewOrdererWithoutTLS(url string) Orderer {
+	var opts []grpc.DialOption
+	opts = append(opts, grpc.WithTimeout(time.Second*3))
+	opts = append(opts, grpc.WithInsecure())
+	return &orderer{url: url, grpcDialOption: opts}
+}
+
+func createNewOrdererWithCertPool(url string, tlsCaCertPool *x509.CertPool, serverHostOverride string) Orderer {
+	var opts []grpc.DialOption
+	opts = append(opts, grpc.WithTimeout(time.Second*3))
+	creds := credentials.NewClientTLSFromCert(tlsCaCertPool, serverHostOverride)
+	opts = append(opts, grpc.WithTransportCredentials(creds))
+	return &orderer{url: url, grpcDialOption: opts}
 }
 
 // GetURL Get the Orderer url. Required property for the instance objects.