[FAB-5406] Mutual TLS in chaincode service-P3

This change set makes golang CC run on a different port (7052)
and at startup of a chaincode container - generate a TLS certificate
and pass it as commandline options to the shim container.

The full details are in the JIRA item

Change-Id: I6d274a235f2a66b310e61ee878ec4b881d6c8f49
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/chaincode/chaincode_support.go

@@ -21,17 +21,13 @@ import (
 	"io"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
 	"github.com/golang/protobuf/proto"
-	logging "github.com/op/go-logging"
-	"github.com/spf13/viper"
-	"golang.org/x/net/context"
-
-	"strings"
-
 	"github.com/hyperledger/fabric/common/flogging"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/chaincode/platforms"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
@@ -41,6 +37,9 @@ import (
 	"github.com/hyperledger/fabric/core/container/ccintf"
 	"github.com/hyperledger/fabric/core/ledger"
 	pb "github.com/hyperledger/fabric/protos/peer"
+	logging "github.com/op/go-logging"
+	"github.com/spf13/viper"
+	"golang.org/x/net/context"
 )
 
 type key string
@@ -49,7 +48,7 @@ const (
 	// DevModeUserRunsChaincode property allows user to run chaincode in development environment
 	DevModeUserRunsChaincode       string = "dev"
 	chaincodeStartupTimeoutDefault int    = 5000
-	peerAddressDefault             string = "0.0.0.0:7051"
+	peerAddressDefault             string = "0.0.0.0:7052"
 
 	//TXSimulatorKey is used to attach ledger simulation context
 	TXSimulatorKey key = "txsimulatorkey"
@@ -132,38 +131,39 @@ func (chaincodeSupport *ChaincodeSupport) launchStarted(chaincode string) bool {
 }
 
 // NewChaincodeSupport creates a new ChaincodeSupport instance
-func NewChaincodeSupport(getCCEndpoint func() (*pb.PeerEndpoint, error), userrunsCC bool, ccstartuptimeout time.Duration) *ChaincodeSupport {
+func NewChaincodeSupport(getCCEndpoint func() (*pb.PeerEndpoint, error), userrunsCC bool, ccstartuptimeout time.Duration, ca accesscontrol.CA) pb.ChaincodeSupportServer {
 	ccprovider.SetChaincodesPath(config.GetPath("peer.fileSystemPath") + string(filepath.Separator) + "chaincodes")
-
 	pnid := viper.GetString("peer.networkId")
 	pid := viper.GetString("peer.id")
 
-	theChaincodeSupport = &ChaincodeSupport{runningChaincodes: &runningChaincodes{chaincodeMap: make(map[string]*chaincodeRTEnv), launchStarted: make(map[string]bool)}, peerNetworkID: pnid, peerID: pid}
+	theChaincodeSupport = &ChaincodeSupport{
+		runningChaincodes: &runningChaincodes{
+			chaincodeMap:  make(map[string]*chaincodeRTEnv),
+			launchStarted: make(map[string]bool),
+		}, peerNetworkID: pnid, peerID: pid,
+	}
 
-	//initialize global chain
+	theChaincodeSupport.auth = accesscontrol.NewAuthenticator(theChaincodeSupport, ca)
 
 	ccEndpoint, err := getCCEndpoint()
 	if err != nil {
-		chaincodeLogger.Errorf("Error getting chaincode endpoint, using chaincode.peerAddress: %s", err)
-		theChaincodeSupport.peerAddress = viper.GetString("chaincode.peerAddress")
+		chaincodeLogger.Errorf("Error getting chaincode endpoint because %v, using %s", err, peerAddressDefault)
+		theChaincodeSupport.peerAddress = peerAddressDefault
 	} else {
 		theChaincodeSupport.peerAddress = ccEndpoint.Address
 	}
 	chaincodeLogger.Infof("Chaincode support using peerAddress: %s\n", theChaincodeSupport.peerAddress)
-	//peerAddress = viper.GetString("peer.address")
-	if theChaincodeSupport.peerAddress == "" {
-		theChaincodeSupport.peerAddress = peerAddressDefault
-	}
 
 	theChaincodeSupport.userRunsCC = userrunsCC
-
 	theChaincodeSupport.ccStartupTimeout = ccstartuptimeout
 
 	theChaincodeSupport.peerTLS = viper.GetBool("peer.tls.enabled")
 	if theChaincodeSupport.peerTLS {
 		theChaincodeSupport.peerTLSCertFile = config.GetPath("peer.tls.cert.file")
 		theChaincodeSupport.peerTLSKeyFile = config.GetPath("peer.tls.key.file")
 		theChaincodeSupport.peerTLSSvrHostOrd = viper.GetString("peer.tls.serverhostoverride")
+	} else {
+		theChaincodeSupport.auth.DisableAccessCheck()
 	}
 
 	kadef := 0
@@ -201,7 +201,7 @@ func NewChaincodeSupport(getCCEndpoint func() (*pb.PeerEndpoint, error), userrun
 	theChaincodeSupport.shimLogLevel = getLogLevelFromViper("shim")
 	theChaincodeSupport.logFormat = viper.GetString("chaincode.logging.format")
 
-	return theChaincodeSupport
+	return theChaincodeSupport.auth
 }
 
 // getLogLevelFromViper gets the chaincode container log levels from viper
@@ -226,6 +226,7 @@ func getLogLevelFromViper(module string) string {
 
 // ChaincodeSupport responsible for providing interfacing with chaincodes from the Peer.
 type ChaincodeSupport struct {
+	auth              accesscontrol.Authenticator
 	runningChaincodes *runningChaincodes
 	peerAddress       string
 	ccStartupTimeout  time.Duration
@@ -360,6 +361,13 @@ func (chaincodeSupport *ChaincodeSupport) sendReady(context context.Context, ccc
 	return err
 }
 
+func (chaincodeSupport *ChaincodeSupport) appendTLScerts(args []string, keyPair *accesscontrol.CertAndPrivKeyPair) []string {
+	if keyPair == nil {
+		return args
+	}
+	return append(args, []string{"--key", keyPair.Key, "--cert", keyPair.Cert}...)
+}
+
 //get args and env given chaincodeID
 func (chaincodeSupport *ChaincodeSupport) getArgsAndEnv(cccid *ccprovider.CCContext, cLang pb.ChaincodeSpec_Type) (args []string, envs []string, err error) {
 	canName := cccid.GetCanonicalName()
@@ -375,7 +383,12 @@ func (chaincodeSupport *ChaincodeSupport) getArgsAndEnv(cccid *ccprovider.CCCont
 	// the image may be stale and the admin will need to remove the current containers
 	// before restarting the peer.
 	// ----------------------------------------------------------------------------
+	var certKeyPair *accesscontrol.CertAndPrivKeyPair
 	if chaincodeSupport.peerTLS {
+		certKeyPair, err = chaincodeSupport.auth.Generate(cccid.GetCanonicalName())
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed generating TLS cert for %s: %v", cccid.GetCanonicalName(), err)
+		}
 		envs = append(envs, "CORE_PEER_TLS_ENABLED=true")
 		if chaincodeSupport.peerTLSSvrHostOrd != "" {
 			envs = append(envs, "CORE_PEER_TLS_SERVERHOSTOVERRIDE="+chaincodeSupport.peerTLSSvrHostOrd)
@@ -398,6 +411,7 @@ func (chaincodeSupport *ChaincodeSupport) getArgsAndEnv(cccid *ccprovider.CCCont
 	switch cLang {
 	case pb.ChaincodeSpec_GOLANG, pb.ChaincodeSpec_CAR:
 		args = []string{"chaincode", fmt.Sprintf("-peer.address=%s", chaincodeSupport.peerAddress)}
+		args = theChaincodeSupport.appendTLScerts(args, certKeyPair)
 	case pb.ChaincodeSpec_JAVA:
 		args = []string{"java", "-jar", "chaincode.jar", "--peerAddress", chaincodeSupport.peerAddress}
 	default:

core/chaincode/chaincode_support_test.go

@@ -33,6 +33,7 @@ import (
 	mocklgr "github.com/hyperledger/fabric/common/mocks/ledger"
 	mockpeer "github.com/hyperledger/fabric/common/mocks/peer"
 	"github.com/hyperledger/fabric/common/util"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/config"
@@ -152,7 +153,8 @@ func initMockPeer(chainIDs ...string) error {
 	}
 
 	ccStartupTimeout := time.Duration(2) * time.Second
-	NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout)
+	ca, _ := accesscontrol.NewCA()
+	NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout, ca)
 	theChaincodeSupport.executetimeout = time.Duration(1) * time.Second
 
 	// Mock policy checker

core/chaincode/exectransaction_test.go

@@ -38,6 +38,7 @@ import (
 	mockpolicies "github.com/hyperledger/fabric/common/mocks/policies"
 	"github.com/hyperledger/fabric/common/policies"
 	"github.com/hyperledger/fabric/common/util"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/config"
 	"github.com/hyperledger/fabric/core/container"
@@ -109,7 +110,8 @@ func initPeer(chainIDs ...string) (net.Listener, error) {
 	}
 
 	ccStartupTimeout := time.Duration(chaincodeStartupTimeoutDefault) * time.Millisecond
-	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout))
+	ca, _ := accesscontrol.NewCA()
+	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout, ca))
 
 	// Mock policy checker
 	policy.RegisterPolicyCheckerFactory(&mockPolicyCheckerFactory{})

core/chaincode/shim/chaincode.go

@@ -46,6 +46,9 @@ import (
 var chaincodeLogger = logging.MustGetLogger("shim")
 var logOutput = os.Stderr
 
+var key string
+var cert string
+
 const (
 	minUnicodeRuneValue   = 0            //U+0000
 	maxUnicodeRuneValue   = utf8.MaxRune //U+10FFFF - maximum (and unallocated) code point
@@ -84,6 +87,10 @@ var streamGetter peerStreamGetter
 //the non-mock user CC stream establishment func
 func userChaincodeStreamGetter(name string) (PeerChaincodeStream, error) {
 	flag.StringVar(&peerAddress, "peer.address", "", "peer address")
+	if comm.TLSEnabled() {
+		flag.StringVar(&key, "key", "", "key in BASE64")
+		flag.StringVar(&cert, "cert", "", "certificate in BASE64")
+	}
 
 	flag.Parse()
 
@@ -233,7 +240,7 @@ func getPeerAddress() string {
 func newPeerClientConnection() (*grpc.ClientConn, error) {
 	var peerAddress = getPeerAddress()
 	if comm.TLSEnabled() {
-		return comm.NewClientConnectionWithAddress(peerAddress, true, true, comm.InitTLSForPeer())
+		return comm.NewClientConnectionWithAddress(peerAddress, true, true, comm.InitTLSForShim(key, cert))
 	}
 	return comm.NewClientConnectionWithAddress(peerAddress, true, false, nil)
 }

core/chaincode/systemchaincode_test.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/hyperledger/fabric/common/util"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/peer"
 	"github.com/hyperledger/fabric/core/scc"
@@ -71,7 +72,8 @@ func initSysCCTests() (*oldSysCCInfo, net.Listener, error) {
 	}
 
 	ccStartupTimeout := time.Duration(5000) * time.Millisecond
-	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout))
+	ca, _ := accesscontrol.NewCA()
+	pb.RegisterChaincodeSupportServer(grpcServer, NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout, ca))
 
 	go grpcServer.Serve(lis)
 

core/comm/connection.go

@@ -9,8 +9,11 @@ package comm
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
+	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"sync"
 	"time"
@@ -213,3 +216,35 @@ func InitTLSForPeer() credentials.TransportCredentials {
 	}
 	return creds
 }
+
+func InitTLSForShim(key, certStr string) credentials.TransportCredentials {
+	var sn string
+	if viper.GetString("peer.tls.serverhostoverride") != "" {
+		sn = viper.GetString("peer.tls.serverhostoverride")
+	}
+	priv, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		panic(fmt.Errorf("failed decoding private key from base64, string: %s, error: %v", key, err))
+	}
+	pub, err := base64.StdEncoding.DecodeString(certStr)
+	if err != nil {
+		panic(fmt.Errorf("failed decoding public key from base64, string: %s, error: %v", certStr, err))
+	}
+	cert, err := tls.X509KeyPair(pub, priv)
+	if err != nil {
+		panic(fmt.Errorf("failed loading certificate: %v", err))
+	}
+	b, err := ioutil.ReadFile(config.GetPath("peer.tls.rootcert.file"))
+	if err != nil {
+		panic(fmt.Errorf("failed loading root ca cert: %v", err))
+	}
+	cp := x509.NewCertPool()
+	if !cp.AppendCertsFromPEM(b) {
+		panic(errors.New("failed to append certificates"))
+	}
+	return credentials.NewTLS(&tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      cp,
+		ServerName:   sn,
+	})
+}

core/endorser/endorser_test.go

@@ -37,6 +37,7 @@ import (
 	"github.com/hyperledger/fabric/common/policies"
 	"github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric/core/chaincode"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/config"
 	"github.com/hyperledger/fabric/core/container"
@@ -104,7 +105,8 @@ func initPeer(chainID string) (*testEnvironment, error) {
 	}
 
 	ccStartupTimeout := time.Duration(30000) * time.Millisecond
-	pb.RegisterChaincodeSupportServer(grpcServer, chaincode.NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout))
+	ca, _ := accesscontrol.NewCA()
+	pb.RegisterChaincodeSupportServer(grpcServer, chaincode.NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout, ca))
 
 	syscc.RegisterSysCCs()
 

core/scc/cscc/configure_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/hyperledger/fabric/common/mocks/scc"
 	"github.com/hyperledger/fabric/common/policies"
 	"github.com/hyperledger/fabric/core/chaincode"
+	"github.com/hyperledger/fabric/core/chaincode/accesscontrol"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/common/sysccprovider"
 	"github.com/hyperledger/fabric/core/deliverservice"
@@ -180,7 +181,8 @@ func TestConfigerInvokeJoinChainCorrectParams(t *testing.T) {
 		return &pb.PeerEndpoint{Id: &pb.PeerID{Name: "cscctestpeer"}, Address: peerEndpoint}, nil
 	}
 	ccStartupTimeout := time.Duration(30000) * time.Millisecond
-	chaincode.NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout)
+	ca, _ := accesscontrol.NewCA()
+	chaincode.NewChaincodeSupport(getPeerEndpoint, false, ccStartupTimeout, ca)
 
 	// Init the policy checker
 	policyManagerGetter := &policymocks.MockChannelPolicyManagerGetter{