[FAB-10396] Move chaincode tls keygen to core/common

This change set moves the TLS certificate generation found in
core/chaincode/accesscontrol/ to core/common/tlsgen

In order to be reused in the discovery CLI

Change-Id: Icee57f00e09c85ac7ed717d7dafe744ea65258b1
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/chaincode/accesscontrol/ca.go common/crypto/tlsgen/ca.go

@@ -4,7 +4,12 @@ Copyright IBM Corp. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
 
-package accesscontrol
+package tlsgen
+
+import (
+	"crypto"
+	"crypto/x509"
+)
 
 // CertKeyPair denotes a TLS certificate and corresponding key,
 // both PEM encoded
@@ -13,6 +18,9 @@ type CertKeyPair struct {
 	Cert []byte
 	// Key is the key corresponding to the certificate, PEM encoded
 	Key []byte
+
+	crypto.Signer
+	TLSCert *x509.Certificate
 }
 
 // CA defines a certificate authority that can generate
@@ -24,7 +32,7 @@ type CA interface {
 	// newCertKeyPair returns a certificate and private key pair and nil,
 	// or nil, error in case of failure
 	// The certificate is signed by the CA and is used for TLS client authentication
-	newClientCertKeyPair() (*certKeyPair, error)
+	NewClientCertKeyPair() (*CertKeyPair, error)
 
 	// NewServerCertKeyPair returns a CertKeyPair and nil,
 	// with a given custom SAN.
@@ -34,7 +42,7 @@ type CA interface {
 }
 
 type ca struct {
-	caCert *certKeyPair
+	caCert *CertKeyPair
 }
 
 func NewCA() (CA, error) {
@@ -55,17 +63,17 @@ func (c *ca) CertBytes() []byte {
 // newClientCertKeyPair returns a certificate and private key pair and nil,
 // or nil, error in case of failure
 // The certificate is signed by the CA and is used as a client TLS certificate
-func (c *ca) newClientCertKeyPair() (*certKeyPair, error) {
-	return newCertKeyPair(false, false, "", c.caCert.Signer, c.caCert.cert)
+func (c *ca) NewClientCertKeyPair() (*CertKeyPair, error) {
+	return newCertKeyPair(false, false, "", c.caCert.Signer, c.caCert.TLSCert)
 }
 
 // newServerCertKeyPair returns a certificate and private key pair and nil,
 // or nil, error in case of failure
 // The certificate is signed by the CA and is used as a server TLS certificate
 func (c *ca) NewServerCertKeyPair(host string) (*CertKeyPair, error) {
-	keypair, err := newCertKeyPair(false, true, host, c.caCert.Signer, c.caCert.cert)
+	keypair, err := newCertKeyPair(false, true, host, c.caCert.Signer, c.caCert.TLSCert)
 	if err != nil {
 		return nil, err
 	}
-	return keypair.CertKeyPair, nil
+	return keypair, nil
 }

core/chaincode/accesscontrol/ca_test.go common/crypto/tlsgen/ca_test.go

@@ -4,7 +4,7 @@ Copyright IBM Corp. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
 
-package accesscontrol
+package tlsgen
 
 import (
 	"crypto/tls"
@@ -54,10 +54,10 @@ func TestTLSCA(t *testing.T) {
 	defer srv.Stop()
 	defer l.Close()
 
-	probeTLS := func(kp *certKeyPair) error {
-		keyBytes, err := base64.StdEncoding.DecodeString(kp.privKeyString())
+	probeTLS := func(kp *CertKeyPair) error {
+		keyBytes, err := base64.StdEncoding.DecodeString(kp.PrivKeyString())
 		assert.NoError(t, err)
-		certBytes, err := base64.StdEncoding.DecodeString(kp.pubKeyString())
+		certBytes, err := base64.StdEncoding.DecodeString(kp.PubKeyString())
 		assert.NoError(t, err)
 		cert, err := tls.X509KeyPair(certBytes, keyBytes)
 		tlsCfg := &tls.Config{
@@ -78,14 +78,14 @@ func TestTLSCA(t *testing.T) {
 
 	// Good path - use a cert key pair generated from the CA
 	// that the TLS server started with
-	kp, err := ca.newClientCertKeyPair()
+	kp, err := ca.NewClientCertKeyPair()
 	assert.NoError(t, err)
 	err = probeTLS(kp)
 	assert.NoError(t, err)
 
 	// Bad path - use a cert key pair generated from a foreign CA
 	foreignCA, _ := NewCA()
-	kp, err = foreignCA.newClientCertKeyPair()
+	kp, err = foreignCA.NewClientCertKeyPair()
 	assert.NoError(t, err)
 	err = probeTLS(kp)
 	assert.Error(t, err)

core/chaincode/accesscontrol/key.go common/crypto/tlsgen/key.go

@@ -4,7 +4,7 @@ Copyright IBM Corp. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
 
-package accesscontrol
+package tlsgen
 
 import (
 	"crypto"
@@ -20,19 +20,11 @@ import (
 	"time"
 )
 
-type KeyGenFunc func() (*certKeyPair, error)
-
-type certKeyPair struct {
-	*CertKeyPair
-	crypto.Signer
-	cert *x509.Certificate
-}
-
-func (p *certKeyPair) privKeyString() string {
+func (p *CertKeyPair) PrivKeyString() string {
 	return base64.StdEncoding.EncodeToString(p.Key)
 }
 
-func (p *certKeyPair) pubKeyString() string {
+func (p *CertKeyPair) PubKeyString() string {
 	return base64.StdEncoding.EncodeToString(p.Cert)
 }
 
@@ -62,7 +54,7 @@ func newCertTemplate() (x509.Certificate, error) {
 	}, nil
 }
 
-func newCertKeyPair(isCA bool, isServer bool, host string, certSigner crypto.Signer, parent *x509.Certificate) (*certKeyPair, error) {
+func newCertKeyPair(isCA bool, isServer bool, host string, certSigner crypto.Signer, parent *x509.Certificate) (*CertKeyPair, error) {
 	privateKey, privBytes, err := newPrivKey()
 	if err != nil {
 		return nil, err
@@ -87,10 +79,8 @@ func newCertKeyPair(isCA bool, isServer bool, host string, certSigner crypto.Sig
 		template.NotAfter = tenYearsFromNow
 		template.ExtKeyUsage = append(template.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
 		if ip := net.ParseIP(host); ip != nil {
-			logger.Debug("Classified", host, "as an IP address, adding it as an IP SAN")
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
-			logger.Debug("Classified", host, "as a hostname, adding it as a DNS SAN")
 			template.DNSNames = append(template.DNSNames, host)
 		}
 	}
@@ -111,12 +101,30 @@ func newCertKeyPair(isCA bool, isServer bool, host string, certSigner crypto.Sig
 		return nil, err
 	}
 	privKey := encodePEM("EC PRIVATE KEY", privBytes)
-	return &certKeyPair{
-		CertKeyPair: &CertKeyPair{
-			Key:  privKey,
-			Cert: pubKey,
-		},
-		Signer: privateKey,
-		cert:   cert,
+	return &CertKeyPair{
+		Key:     privKey,
+		Cert:    pubKey,
+		Signer:  privateKey,
+		TLSCert: cert,
+	}, nil
+}
+
+func encodePEM(keyType string, data []byte) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: keyType, Bytes: data})
+}
+
+// CertKeyPairFromString converts the given strings in base64 encoding to a CertKeyPair
+func CertKeyPairFromString(privKey string, pubKey string) (*CertKeyPair, error) {
+	priv, err := base64.StdEncoding.DecodeString(privKey)
+	if err != nil {
+		return nil, err
+	}
+	pub, err := base64.StdEncoding.DecodeString(pubKey)
+	if err != nil {
+		return nil, err
+	}
+	return &CertKeyPair{
+		Key:  priv,
+		Cert: pub,
 	}, nil
 }

common/crypto/tlsgen/key_test.go

@@ -0,0 +1,40 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package tlsgen
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCertEncoding(t *testing.T) {
+	pair, err := newCertKeyPair(false, false, "", nil, nil)
+	assert.NoError(t, err)
+	assert.NotNil(t, pair)
+	assert.NotEmpty(t, pair.PrivKeyString())
+	assert.NotEmpty(t, pair.PubKeyString())
+	pair2, err := CertKeyPairFromString(pair.PrivKeyString(), pair.PubKeyString())
+	assert.Equal(t, pair.Key, pair2.Key)
+	assert.Equal(t, pair.Cert, pair2.Cert)
+}
+
+func TestLoadCert(t *testing.T) {
+	pair, err := newCertKeyPair(false, false, "", nil, nil)
+	assert.NoError(t, err)
+	assert.NotNil(t, pair)
+	tlsCertPair, err := tls.X509KeyPair(pair.Cert, pair.Key)
+	assert.NoError(t, err)
+	assert.NotNil(t, tlsCertPair)
+	block, _ := pem.Decode(pair.Cert)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	assert.NoError(t, err)
+	assert.NotNil(t, cert)
+}

core/chaincode/accesscontrol/access.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/common/crypto/tlsgen"
 	"github.com/hyperledger/fabric/common/flogging"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"google.golang.org/grpc"
@@ -36,9 +37,9 @@ func (auth *Authenticator) Wrap(srv pb.ChaincodeSupportServer) pb.ChaincodeSuppo
 }
 
 // NewAuthenticator returns a new authenticator that can wrap a chaincode service
-func NewAuthenticator(ca CA) *Authenticator {
+func NewAuthenticator(ca tlsgen.CA) *Authenticator {
 	return &Authenticator{
-		mapper: newCertMapper(ca.newClientCertKeyPair),
+		mapper: newCertMapper(ca.NewClientCertKeyPair),
 	}
 }
 
@@ -51,8 +52,8 @@ func (ac *Authenticator) Generate(ccName string) (*CertAndPrivKeyPair, error) {
 		return nil, err
 	}
 	return &CertAndPrivKeyPair{
-		Key:  cert.privKeyString(),
-		Cert: cert.pubKeyString(),
+		Key:  cert.PrivKeyString(),
+		Cert: cert.PubKeyString(),
 	}, nil
 }
 

core/chaincode/accesscontrol/access_test.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/common/crypto/tlsgen"
 	"github.com/hyperledger/fabric/common/flogging"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"github.com/op/go-logging"
@@ -66,7 +67,20 @@ func (cs *ccSrv) stop() {
 	cs.l.Close()
 }
 
-func newCCServer(t *testing.T, port int, expectedCCname string, withTLS bool, ca CA) *ccSrv {
+func createTLSService(t *testing.T, ca tlsgen.CA, host string) *grpc.Server {
+	keyPair, err := ca.NewServerCertKeyPair(host)
+	cert, err := tls.X509KeyPair(keyPair.Cert, keyPair.Key)
+	assert.NoError(t, err)
+	tlsConf := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientCAs:    x509.NewCertPool(),
+	}
+	tlsConf.ClientCAs.AppendCertsFromPEM(ca.CertBytes())
+	return grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConf)))
+}
+
+func newCCServer(t *testing.T, port int, expectedCCname string, withTLS bool, ca tlsgen.CA) *ccSrv {
 	var s *grpc.Server
 	if withTLS {
 		s = createTLSService(t, ca, "localhost")
@@ -162,7 +176,7 @@ func TestAccessControl(t *testing.T) {
 		Type: pb.ChaincodeMessage_PUT_STATE,
 	}
 
-	ca, _ := NewCA()
+	ca, _ := tlsgen.NewCA()
 	srv := newCCServer(t, 7052, "example02", true, ca)
 	auth := NewAuthenticator(ca)
 	pb.RegisterChaincodeSupportServer(srv.grpcSrv, auth.Wrap(srv))
@@ -175,8 +189,8 @@ func TestAccessControl(t *testing.T) {
 	assert.Contains(t, err.Error(), "context deadline exceeded")
 
 	// Create an attacker with its own TLS certificate
-	maliciousCA, _ := NewCA()
-	keyPair, err := maliciousCA.newClientCertKeyPair()
+	maliciousCA, _ := tlsgen.NewCA()
+	keyPair, err := maliciousCA.NewClientCertKeyPair()
 	cert, err := tls.X509KeyPair(keyPair.Cert, keyPair.Key)
 	assert.NoError(t, err)
 	_, err = newClient(t, 7052, &cert, ca.CertBytes())
@@ -269,7 +283,7 @@ func TestAccessControl(t *testing.T) {
 	// Create a real chaincode, that its cert was generated by us
 	// but have it reconnect only after too much time.
 	// This tests a use case where the CC's cert has been expired
-	// and the CC has been compromized. We don't want it to be able
+	// and the CC has been compromised. We don't want it to be able
 	// to reconnect to us.
 	kp, err = auth.Generate("example02")
 	assert.NoError(t, err)

core/chaincode/accesscontrol/mapper.go

@@ -7,11 +7,10 @@ SPDX-License-Identifier: Apache-2.0
 package accesscontrol
 
 import (
-	"encoding/base64"
-	"encoding/pem"
 	"sync"
 	"time"
 
+	"github.com/hyperledger/fabric/common/crypto/tlsgen"
 	"github.com/hyperledger/fabric/common/util"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc/credentials"
@@ -22,6 +21,8 @@ var ttl = time.Minute * 10
 
 type certHash string
 
+type KeyGenFunc func() (*tlsgen.CertKeyPair, error)
+
 type certMapper struct {
 	keyGen KeyGenFunc
 	sync.RWMutex
@@ -56,37 +57,16 @@ func (r *certMapper) purge(hash certHash) {
 	delete(r.m, hash)
 }
 
-func certKeyPairFromString(privKey string, pubKey string) (*certKeyPair, error) {
-	priv, err := base64.StdEncoding.DecodeString(privKey)
-	if err != nil {
-		return nil, err
-	}
-	pub, err := base64.StdEncoding.DecodeString(pubKey)
-	if err != nil {
-		return nil, err
-	}
-	return &certKeyPair{
-		CertKeyPair: &CertKeyPair{
-			Key:  priv,
-			Cert: pub,
-		},
-	}, nil
-}
-
-func (r *certMapper) genCert(name string) (*certKeyPair, error) {
+func (r *certMapper) genCert(name string) (*tlsgen.CertKeyPair, error) {
 	keyPair, err := r.keyGen()
 	if err != nil {
 		return nil, err
 	}
-	hash := util.ComputeSHA256(keyPair.cert.Raw)
+	hash := util.ComputeSHA256(keyPair.TLSCert.Raw)
 	r.register(certHash(hash), name)
 	return keyPair, nil
 }
 
-func encodePEM(keyType string, data []byte) []byte {
-	return pem.EncodeToMemory(&pem.Block{Type: keyType, Bytes: data})
-}
-
 // ExtractCertificateHash extracts the hash of the certificate from the stream
 func extractCertificateHashFromContext(ctx context.Context) []byte {
 	pr, extracted := peer.FromContext(ctx)