NettyGrpcServer -- support mutual TLS

ftokarev · ftokarev · commit 52e78b558c67 · 2021-06-30T11:18:30.000+03:00
Signed-off-by: Fedor Tokarev &lt;ftokarev@gmail.com&gt;
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/ChaincodeServerProperties.java
@@ -20,6 +20,7 @@ public final class ChaincodeServerProperties {
     private String keyPassword;
     private String keyCertChainFile;
     private String keyFile;
+    private String trustCertCollectionFile;
     private boolean tlsEnabled = false;
 
     public ChaincodeServerProperties() {
@@ -133,6 +134,14 @@ public void setKeyFile(String keyFile) {
         this.keyFile = keyFile;
     }
 
+    public String getTrustCertCollectionFile() {
+        return trustCertCollectionFile;
+    }
+
+    public void setTrustCertCollectionFile(String trustCertCollectionFile) {
+        this.trustCertCollectionFile = trustCertCollectionFile;
+    }
+
     public boolean isTlsEnabled() {
         return tlsEnabled;
     }
diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
@@ -12,6 +12,7 @@
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -72,6 +73,12 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
                     ApplicationProtocolNames.HTTP_2);
             sslContextBuilder.applicationProtocolConfig(apn);
 
+            if (chaincodeServerProperties.getTrustCertCollectionFile() != null) {
+                final File trustCertCollectionFile = Paths.get(chaincodeServerProperties.getTrustCertCollectionFile()).toFile();
+                sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+                sslContextBuilder.trustManager(trustCertCollectionFile);
+            }
+
             serverBuilder.sslContext(sslContextBuilder.build());
         }
 
