[FAB-7800] making config pem path consistent

Change-Id: Iabe442b9aef122c934954182dc3443fa099588ef Signed-off-by: Sudesh Shetty <[email protected]>
hyperledger · Feb 19, 2018 · 54fe270 · 54fe270
1 parent 1f2274d
commit 54fe270
Show file tree

Hide file tree

Showing 9 changed files with 155 additions and 140 deletions.
diff --git a/api/apiconfig/network.go b/api/apiconfig/network.go
@@ -194,15 +194,9 @@ type MutualTLSConfig struct {
 	Pem []string
 	// Certfiles root certificates for TLS validation (Comma separated path list)
 	Path string
-	// Client client TLS information
-	Client struct {
-		KeyPem string
-		// Keyfile client key path
-		Keyfile string
-		CertPem string
-		// Certfile client cert path
-		Certfile string
-	}
+
+	//Client TLS information
+	Client TLSKeyPair
 }
 
 // TLSKeyPair contains the private key and certificate for TLS encryption

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -268,8 +268,8 @@ func (c *Config) Client() (*apiconfig.ClientConfig, error) {
 	client := config.Client
 
 	client.TLSCerts.Path = substPathVars(client.TLSCerts.Path)
-	client.TLSCerts.Client.Keyfile = substPathVars(client.TLSCerts.Client.Keyfile)
-	client.TLSCerts.Client.Certfile = substPathVars(client.TLSCerts.Client.Certfile)
+	client.TLSCerts.Client.Key.Path = substPathVars(client.TLSCerts.Client.Key.Path)
+	client.TLSCerts.Client.Cert.Path = substPathVars(client.TLSCerts.Client.Cert.Path)
 
 	return &client, nil
 }
@@ -373,7 +373,7 @@ func (c *Config) CAClientKeyPath(org string) (string, error) {
 	if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok {
 		return "", errors.Errorf("CA Server Name '%s' not found", caName)
 	}
-	return substPathVars(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Keyfile), nil
+	return substPathVars(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Key.Path), nil
 }
 
 // CAClientKeyPem Read configuration option for the fabric CA client key pem embedded in the client config
@@ -392,11 +392,11 @@ func (c *Config) CAClientKeyPem(org string) (string, error) {
 	}
 
 	ca := config.CertificateAuthorities[strings.ToLower(caName)]
-	if len(ca.TLSCACerts.Client.CertPem) == 0 {
+	if len(ca.TLSCACerts.Client.Key.Pem) == 0 {
 		return "", errors.New("Empty Client Key Pem")
 	}
 
-	return ca.TLSCACerts.Client.KeyPem, nil
+	return ca.TLSCACerts.Client.Key.Pem, nil
 }
 
 // CAClientCertPath Read configuration option for the fabric CA client cert file
@@ -413,7 +413,7 @@ func (c *Config) CAClientCertPath(org string) (string, error) {
 	if _, ok := config.CertificateAuthorities[strings.ToLower(caName)]; !ok {
 		return "", errors.Errorf("CA Server Name '%s' not found", caName)
 	}
-	return substPathVars(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Certfile), nil
+	return substPathVars(config.CertificateAuthorities[strings.ToLower(caName)].TLSCACerts.Client.Cert.Path), nil
 }
 
 // CAClientCertPem Read configuration option for the fabric CA client cert pem embedded in the client config
@@ -433,11 +433,11 @@ func (c *Config) CAClientCertPem(org string) (string, error) {
 	}
 
 	ca := config.CertificateAuthorities[strings.ToLower(caName)]
-	if len(ca.TLSCACerts.Client.CertPem) == 0 {
+	if len(ca.TLSCACerts.Client.Cert.Pem) == 0 {
 		return "", errors.New("Empty Client Cert Pem")
 	}
 
-	return ca.TLSCACerts.Client.CertPem, nil
+	return ca.TLSCACerts.Client.Cert.Pem, nil
 }
 
 // TimeoutOrDefault reads connection timeouts for the given connection type
@@ -914,13 +914,9 @@ func (c *Config) TLSClientCerts() ([]tls.Certificate, error) {
 	clientConfig := config.Client
 	var clientCerts tls.Certificate
 	var cb, kb []byte
-	if clientConfig.TLSCerts.Client.CertPem != "" {
-		cb = []byte(clientConfig.TLSCerts.Client.CertPem)
-	} else if clientConfig.TLSCerts.Client.Certfile != "" {
-		cb, err = loadByteKeyOrCertFromFile(&clientConfig, false)
-		if err != nil {
-			return nil, errors.Wrapf(err, "Failed to load cert from file path '%s'", clientConfig.TLSCerts.Client.Certfile)
-		}
+	cb, err = clientConfig.TLSCerts.Client.Cert.Bytes()
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to load tls client cert")
 	}
 
 	if len(cb) == 0 {
@@ -935,12 +931,12 @@ func (c *Config) TLSClientCerts() ([]tls.Certificate, error) {
 	// If CryptoSuite fails to load private key from cert then load private key from config
 	if err != nil || pk == nil {
 		logger.Debugf("Reading pk from config, unable to retrieve from cert: %s", err)
-		if clientConfig.TLSCerts.Client.KeyPem != "" {
-			kb = []byte(clientConfig.TLSCerts.Client.KeyPem)
-		} else if clientConfig.TLSCerts.Client.Keyfile != "" {
+		if clientConfig.TLSCerts.Client.Key.Pem != "" {
+			kb = []byte(clientConfig.TLSCerts.Client.Key.Pem)
+		} else if clientConfig.TLSCerts.Client.Key.Path != "" {
 			kb, err = loadByteKeyOrCertFromFile(&clientConfig, true)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Failed to load key from file path '%s'", clientConfig.TLSCerts.Client.Keyfile)
+				return nil, errors.Wrapf(err, "Failed to load key from file path '%s'", clientConfig.TLSCerts.Client.Key.Path)
 			}
 		}
 
@@ -967,12 +963,12 @@ func loadByteKeyOrCertFromFile(c *apiconfig.ClientConfig, isKey bool) ([]byte, e
 	var path string
 	a := "key"
 	if isKey {
-		path = substPathVars(c.TLSCerts.Client.Keyfile)
-		c.TLSCerts.Client.Keyfile = path
+		path = substPathVars(c.TLSCerts.Client.Key.Path)
+		c.TLSCerts.Client.Key.Path = path
 	} else {
 		a = "cert"
-		path = substPathVars(c.TLSCerts.Client.Certfile)
-		c.TLSCerts.Client.Certfile = path
+		path = substPathVars(c.TLSCerts.Client.Cert.Path)
+		c.TLSCerts.Client.Cert.Path = path
 	}
 	bts, err := ioutil.ReadFile(path)
 	if err != nil {

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -1013,10 +1013,10 @@ func TestInitConfigFromRawWrongType(t *testing.T) {
 }
 
 func TestTLSClientCertsFromFiles(t *testing.T) {
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "../../test/fixtures/config/mutual_tls/client_sdk_go.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = "../../test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = "../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = ""
 
 	certs, err := configImpl.TLSClientCerts()
 	if err != nil {
@@ -1036,10 +1036,10 @@ func TestTLSClientCertsFromFiles(t *testing.T) {
 
 func TestTLSClientCertsFromFilesIncorrectPaths(t *testing.T) {
 	// incorrect paths to files
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = ""
 
 	_, err := configImpl.TLSClientCerts()
 	if err == nil {
@@ -1052,10 +1052,10 @@ func TestTLSClientCertsFromFilesIncorrectPaths(t *testing.T) {
 }
 
 func TestTLSClientCertsFromPem(t *testing.T) {
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = ""
 
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = `-----BEGIN CERTIFICATE-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE-----
 MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw
 gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
 bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
@@ -1074,7 +1074,7 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
 3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg==
 -----END CERTIFICATE-----`
 
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = `-----BEGIN EC PRIVATE KEY-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl
 c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv
 2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh
@@ -1098,10 +1098,10 @@ YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I=
 }
 
 func TestTLSClientCertFromPemAndKeyFromFile(t *testing.T) {
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = "../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
 
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = `-----BEGIN CERTIFICATE-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE-----
 MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw
 gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
 bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
@@ -1120,7 +1120,7 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
 3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg==
 -----END CERTIFICATE-----`
 
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = ""
 
 	certs, err := configImpl.TLSClientCerts()
 	if err != nil {
@@ -1139,12 +1139,12 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
 }
 
 func TestTLSClientCertFromFileAndKeyFromPem(t *testing.T) {
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "../../test/fixtures/config/mutual_tls/client_sdk_go.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = "../../test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = ""
 
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = ""
 
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = `-----BEGIN EC PRIVATE KEY-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl
 c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv
 2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh
@@ -1169,10 +1169,10 @@ YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I=
 
 func TestTLSClientCertsPemBeforeFiles(t *testing.T) {
 	// files have incorrect paths, but pems are loaded first
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = "/test/fixtures/config/mutual_tls/client_sdk_go.pem"
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = "/test/fixtures/config/mutual_tls/client_sdk_go-key.pem"
 
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = `-----BEGIN CERTIFICATE-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = `-----BEGIN CERTIFICATE-----
 MIIC5TCCAkagAwIBAgIUMYhiY5MS3jEmQ7Fz4X/e1Dx33J0wCgYIKoZIzj0EAwQw
 gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
 bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
@@ -1191,7 +1191,7 @@ gw2rrxqbW67ulwmMQzp6EJbm/28T2pIoYWWyIwpzrquypI7BOuf8is5b7Jcgn9oz
 3YkZ9DhdH1tN4U/h+YulG/CkKOtUATtQxg==
 -----END CERTIFICATE-----`
 
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = `-----BEGIN EC PRIVATE KEY-----
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = `-----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDByldj7VTpqTQESGgJpR9PFW9b6YTTde2WN6/IiBo2nW+CIDmwQgmAl
 c/EOc9wmgu+gBwYFK4EEACKhZANiAAT6I1CGNrkchIAEmeJGo53XhDsoJwRiohBv
 2PotEEGuO6rMyaOupulj2VOj+YtgWw4ZtU49g4Nv6rq1QlKwRYyMwwRJSAZHIUMh
@@ -1215,10 +1215,10 @@ YZjcDi7YEOZ3Fs1hxKmIxR+TTR2vf9I=
 }
 
 func TestTLSClientCertsNoCerts(t *testing.T) {
-	configImpl.networkConfig.Client.TLSCerts.Client.Certfile = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.Keyfile = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.CertPem = ""
-	configImpl.networkConfig.Client.TLSCerts.Client.KeyPem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Path = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Path = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Cert.Pem = ""
+	configImpl.networkConfig.Client.TLSCerts.Client.Key.Pem = ""
 
 	certs, err := configImpl.TLSClientCerts()
 	if err != nil {

diff --git a/pkg/config/testdata/config_test_pem.yaml b/pkg/config/testdata/config_test_pem.yaml
@@ -349,36 +349,36 @@ certificateAuthorities:
       #path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/ca_root.pem
       # Client key and cert for SSL handshake with Fabric CA
       client:
-        keyPem: |
-          -----BEGIN EC PRIVATE KEY-----
-          MIGkAgEBBDAeWRhdAl+olgpLiI9mXHwcgJ1g4NNgPrYFSkkukISeAGfvK348izwG
-          0Aub948H5IygBwYFK4EEACKhZANiAATJb6oe7bpmnuJwjYMaQX7D2YQ0vLHmRWKs
-          QSn674xQJ5N8rMHAA/DXtpIMKI5uulot0jJ5xFkpikLGd8+6soQp8pd5tkMqZB0a
-          nFoUptdom8LjgRus6rnHbXxGqcIN6oA=
-          -----END EC PRIVATE KEY-----
-        keyfile:
-       #keyfile: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client-key.pem
-        certPem: |
-          -----BEGIN CERTIFICATE-----
-          MIIC5TCCAkegAwIBAgIUBzAG7MTjO4n9GFkYTkJBnvCInRIwCgYIKoZIzj0EAwQw
-          gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
-          bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
-          aW51eGN0bCBFQ0MgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAoTGFiKTAe
-          Fw0xNzA3MTkxOTUyMDBaFw0xODA3MTkxOTUyMDBaMGoxCzAJBgNVBAYTAkNBMRAw
-          DgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3JvbnRvMREwDwYDVQQKEwhsaW51
-          eGN0bDEMMAoGA1UECxMDTGFiMRYwFAYDVQQDDA1mYWJyaWNfY2xpZW50MHYwEAYH
-          KoZIzj0CAQYFK4EEACIDYgAEyW+qHu26Zp7icI2DGkF+w9mENLyx5kVirEEp+u+M
-          UCeTfKzBwAPw17aSDCiObrpaLdIyecRZKYpCxnfPurKEKfKXebZDKmQdGpxaFKbX
-          aJvC44EbrOq5x218RqnCDeqAo4GKMIGHMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
-          DDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRBA9pDyeovnjWP
-          uvftCfEagM/wKjAfBgNVHSMEGDAWgBQUcJ+Hm9wjfMO4jh0E7LBIXBATDzASBgNV
-          HREECzAJggd0ZXN0aW5nMAoGCCqGSM49BAMEA4GLADCBhwJCATMHAs0T6yZFDByA
-          XNzhG5LwkITa+GcMJNR9qXlFBG18P+LM/2cdT6Y2+Fz9ZEvGjYMC+c+yg4nyRwu3
-          rIYog3WBAkECntF217dk3VCZHXfl+rik6wm+ijzYk+k336UERiSJRu09YHHEh7x6
-          NRCHI3uXUJ5/3zDZM3qtV8UYHou4KDS35Q==
-          -----END CERTIFICATE-----
-        certfile:
-       #certfile: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client.pem
+        key:
+          pem: |
+            -----BEGIN EC PRIVATE KEY-----
+            MIGkAgEBBDAeWRhdAl+olgpLiI9mXHwcgJ1g4NNgPrYFSkkukISeAGfvK348izwG
+            0Aub948H5IygBwYFK4EEACKhZANiAATJb6oe7bpmnuJwjYMaQX7D2YQ0vLHmRWKs
+            QSn674xQJ5N8rMHAA/DXtpIMKI5uulot0jJ5xFkpikLGd8+6soQp8pd5tkMqZB0a
+            nFoUptdom8LjgRus6rnHbXxGqcIN6oA=
+            -----END EC PRIVATE KEY-----
+#          path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client-key.pem
+        cert:
+          pem: |
+            -----BEGIN CERTIFICATE-----
+            MIIC5TCCAkegAwIBAgIUBzAG7MTjO4n9GFkYTkJBnvCInRIwCgYIKoZIzj0EAwQw
+            gYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3Jv
+            bnRvMREwDwYDVQQKEwhsaW51eGN0bDEMMAoGA1UECxMDTGFiMTgwNgYDVQQDEy9s
+            aW51eGN0bCBFQ0MgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAoTGFiKTAe
+            Fw0xNzA3MTkxOTUyMDBaFw0xODA3MTkxOTUyMDBaMGoxCzAJBgNVBAYTAkNBMRAw
+            DgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3JvbnRvMREwDwYDVQQKEwhsaW51
+            eGN0bDEMMAoGA1UECxMDTGFiMRYwFAYDVQQDDA1mYWJyaWNfY2xpZW50MHYwEAYH
+            KoZIzj0CAQYFK4EEACIDYgAEyW+qHu26Zp7icI2DGkF+w9mENLyx5kVirEEp+u+M
+            UCeTfKzBwAPw17aSDCiObrpaLdIyecRZKYpCxnfPurKEKfKXebZDKmQdGpxaFKbX
+            aJvC44EbrOq5x218RqnCDeqAo4GKMIGHMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
+            DDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRBA9pDyeovnjWP
+            uvftCfEagM/wKjAfBgNVHSMEGDAWgBQUcJ+Hm9wjfMO4jh0E7LBIXBATDzASBgNV
+            HREECzAJggd0ZXN0aW5nMAoGCCqGSM49BAMEA4GLADCBhwJCATMHAs0T6yZFDByA
+            XNzhG5LwkITa+GcMJNR9qXlFBG18P+LM/2cdT6Y2+Fz9ZEvGjYMC+c+yg4nyRwu3
+            rIYog3WBAkECntF217dk3VCZHXfl+rik6wm+ijzYk+k336UERiSJRu09YHHEh7x6
+            NRCHI3uXUJ5/3zDZM3qtV8UYHou4KDS35Q==
+            -----END CERTIFICATE-----
+#          path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client.pem
 
     # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
     # needed to enroll and invoke new users.
@@ -398,8 +398,10 @@ certificateAuthorities:
       path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/ca_root.pem
       # Client key and cert for SSL handshake with Fabric CA
       client:
-       keyfile: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client-key.pem
-       certfile: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client.pem
+        key:
+          path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client-key.pem
+        cert:
+          path: ${GOPATH}/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/fabricca/tls/certs/client/client_fabric_client.pem
 
      # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
      # needed to enroll and invoke new users.

diff --git a/pkg/config/testdata/template/config.yaml b/pkg/config/testdata/template/config.yaml
@@ -251,12 +251,18 @@ certificateAuthorities:
 #    httpOptions:
 #      verify: true
 #    tlsCACerts:
+#      dash-pipe ('- |') delimited pem strings of CA cert
+#      pem: 'pem strings of CA cert'
       # Comma-Separated list of paths
 #      path: path/to/tls/cert/for/ca-org1
       # Client key and cert for SSL handshake with Fabric CA
 #      client:
-#       keyfile: path/to/client_fabric_client-key.pem
-#       certfile: path/to/client_fabric_client.pem
+#        key:
+#          path: path/to/client_fabric_client-key.pem
+#          pem: `key pem'
+#        cert:
+#          path: path/to/client_fabric_client-key.pem
+#          pem: `cert pem`
 
     # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
     # needed to enroll and invoke new users.

diff --git a/pkg/fabric-client/mocks/mockconfig.go b/pkg/fabric-client/mocks/mockconfig.go
@@ -43,12 +43,17 @@ func (c *MockConfig) Client() (*config.ClientConfig, error) {
 
 	if c.mutualTLSEnabled {
 		mutualTLSCerts := config.MutualTLSConfig{
-			Client: struct {
-				KeyPem   string
-				Keyfile  string
-				CertPem  string
-				Certfile string
-			}{KeyPem: "", Keyfile: "../../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem", CertPem: "", Certfile: "../../../test/fixtures/config/mutual_tls/client_sdk_go.pem"},
+
+			Client: config.TLSKeyPair{
+				Key: config.TLSConfig{
+					Path: "../../../test/fixtures/config/mutual_tls/client_sdk_go-key.pem",
+					Pem:  "",
+				},
+				Cert: config.TLSConfig{
+					Path: "../../../test/fixtures/config/mutual_tls/client_sdk_go.pem",
+					Pem:  "",
+				},
+			},
 		}
 		clientConfig.TLSCerts = mutualTLSCerts
 	}