Merge pull request #186 from ftokarev/netty-grpc-server-mtls

mbwhite · web-flow · commit 33d16aec5f60 · 2021-06-30T08:56:52.000+01:00
NettyGrpcServer -- support mutual TLS
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java
@@ -20,6 +20,7 @@ public final class ChaincodeServerProperties {
     private String keyPassword;
     private String keyCertChainFile;
     private String keyFile;
+    private String trustCertCollectionFile;
     private boolean tlsEnabled = false;
 
     public ChaincodeServerProperties() {
@@ -133,6 +134,14 @@ public void setKeyFile(String keyFile) {
         this.keyFile = keyFile;
     }
 
+    public String getTrustCertCollectionFile() {
+        return trustCertCollectionFile;
+    }
+
+    public void setTrustCertCollectionFile(String trustCertCollectionFile) {
+        this.trustCertCollectionFile = trustCertCollectionFile;
+    }
+
     public boolean isTlsEnabled() {
         return tlsEnabled;
     }
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
@@ -11,6 +11,7 @@
 import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -73,6 +74,12 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
                     ApplicationProtocolNames.HTTP_2);
             sslContextBuilder.applicationProtocolConfig(apn);
 
+            if (chaincodeServerProperties.getTrustCertCollectionFile() != null) {
+                final File trustCertCollectionFile = Paths.get(chaincodeServerProperties.getTrustCertCollectionFile()).toFile();
+                sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+                sslContextBuilder.trustManager(trustCertCollectionFile);
+            }
+
             serverBuilder.sslContext(sslContextBuilder.build());
         }
 
