Merge pull request #187 from ftokarev/netty-grpc-server-mtls-release-2.2

mbwhite · web-flow · commit 1be5e457e897 · 2021-07-01T11:35:35.000+01:00
NettyGrpcServer -- support mutual TLS (release-2.2 port)
diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
@@ -115,6 +115,8 @@ jacocoTestCoverageVerification {
                         'org.hyperledger.fabric.contract.ContractRouter',
                         'org.hyperledger.fabric.contract.routing.impl.ContractDefinitionImpl',
                         'org.hyperledger.fabric.contract.routing.RoutingRegistry',
+                        'org.hyperledger.fabric.contract.routing.impl.RoutingRegistryImpl',
+                        'org.hyperledger.fabric.contract.routing.impl.SerializerRegistryImpl',
                         'org.hyperledger.fabric.contract.execution.impl.ContractInvocationRequest',
                         'org.hyperledger.fabric.contract.routing.TransactionType',
                         'org.hyperledger.fabric.contract.metadata.MetadataBuilder',
@@ -139,6 +141,8 @@ jacocoTestCoverageVerification {
                         'org.hyperledger.fabric.contract.execution.impl.ContractInvocationRequest',
                         'org.hyperledger.fabric.contract.routing.impl.ContractDefinitionImpl',
                         'org.hyperledger.fabric.contract.routing.RoutingRegistry',
+                        'org.hyperledger.fabric.contract.routing.impl.RoutingRegistryImpl',
+                        'org.hyperledger.fabric.contract.routing.impl.SerializerRegistryImpl',
                         'org.hyperledger.fabric.shim.impl.Handler',
                         'org.hyperledger.fabric.shim.ChaincodeBase',
                         'org.hyperledger.fabric.contract.metadata.MetadataBuilder',
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java
@@ -20,6 +20,7 @@ public final class ChaincodeServerProperties {
     private String keyPassword;
     private String keyCertChainFile;
     private String keyFile;
+    private String trustCertCollectionFile;
     private boolean tlsEnabled = false;
 
     public ChaincodeServerProperties() {
@@ -133,6 +134,14 @@ public void setKeyFile(String keyFile) {
         this.keyFile = keyFile;
     }
 
+    public String getTrustCertCollectionFile() {
+        return trustCertCollectionFile;
+    }
+
+    public void setTrustCertCollectionFile(String trustCertCollectionFile) {
+        this.trustCertCollectionFile = trustCertCollectionFile;
+    }
+
     public boolean isTlsEnabled() {
         return tlsEnabled;
     }
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
@@ -12,6 +12,7 @@
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -72,6 +73,12 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
                     ApplicationProtocolNames.HTTP_2);
             sslContextBuilder.applicationProtocolConfig(apn);
 
+            if (chaincodeServerProperties.getTrustCertCollectionFile() != null) {
+                final File trustCertCollectionFile = Paths.get(chaincodeServerProperties.getTrustCertCollectionFile()).toFile();
+                sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+                sslContextBuilder.trustManager(trustCertCollectionFile);
+            }
+
             serverBuilder.sslContext(sslContextBuilder.build());
         }
 
