[FAB-12522] Extract TLS CA certificates from config

This change set adds extraction of TLS CA certificates from a configuration block. Change-Id: I00f82bfcbdac19463768f6f74accef70d47d508e Signed-off-by: yacovm <[email protected]>
hyperledger · Oct 25, 2018 · 365a710 · 365a710
1 parent 41da334
commit 365a710
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 0 deletions.
diff --git a/orderer/common/cluster/testdata/mychannel.block b/orderer/common/cluster/testdata/mychannel.block
diff --git a/orderer/common/cluster/util.go b/orderer/common/cluster/util.go
@@ -12,6 +12,7 @@ import (
 	"encoding/pem"
 	"sync/atomic"
 
+	"github.com/hyperledger/fabric/common/channelconfig"
 	"github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric/core/comm"
 	"github.com/hyperledger/fabric/protos/common"
@@ -262,3 +263,36 @@ func VerifyBlockSignature(block *common.Block, verifier BlockVerifier) error {
 
 	return verifier.VerifyBlockSignature(signatureSet)
 }
+
+// TLSCACertsFromConfigBlock retrieves TLS CA certificates
+// from a config block.
+func TLSCACertsFromConfigBlock(block *common.Block) ([][]byte, error) {
+	if block == nil {
+		return nil, errors.New("nil block")
+	}
+	envelopeConfig, err := utils.ExtractEnvelope(block, 0)
+	if err != nil {
+		return nil, err
+	}
+	var res [][]byte
+	bundle, err := channelconfig.NewBundleFromEnvelope(envelopeConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed extracting bundle from envelope")
+	}
+	msps, err := bundle.MSPManager().GetMSPs()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed obtaining MSPs from MSPManager")
+	}
+	ordererConfig, ok := bundle.OrdererConfig()
+	if !ok {
+		return nil, errors.New("failed obtaining orderer config from bundle")
+	}
+	for _, org := range ordererConfig.Organizations() {
+		msp := msps[org.MSPID()]
+		if msp == nil {
+			return nil, errors.Errorf("no MSP found for MSP with ID of %s", org.MSPID())
+		}
+		res = append(res, msp.GetTLSRootCerts()...)
+	}
+	return res, nil
+}
diff --git a/orderer/common/cluster/util_test.go b/orderer/common/cluster/util_test.go
@@ -8,6 +8,8 @@ package cluster_test
 
 import (
 	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
 	"sync"
 	"testing"
 	"time"
@@ -329,3 +331,54 @@ func createBlockChain(start, end uint64) []*common.Block {
 	assignHashes(blockchain)
 	return blockchain
 }
+
+func TestTLSCACertsFromConfigBlockGreenPath(t *testing.T) {
+	blockBytes, err := ioutil.ReadFile("testdata/mychannel.block")
+	assert.NoError(t, err)
+
+	block := &common.Block{}
+	assert.NoError(t, proto.Unmarshal(blockBytes, block))
+
+	certs, err := cluster.TLSCACertsFromConfigBlock(block)
+	assert.NoError(t, err)
+	assert.Len(t, certs, 1)
+
+	bl, _ := pem.Decode(certs[0])
+	cert, err := x509.ParseCertificate(bl.Bytes)
+	assert.NoError(t, err)
+
+	assert.True(t, cert.IsCA)
+	assert.Equal(t, "tlsca.example.com", cert.Subject.CommonName)
+}
+
+func TestTLSCACertsFromConfigBlockFailures(t *testing.T) {
+	t.Run("nil block", func(t *testing.T) {
+		certs, err := cluster.TLSCACertsFromConfigBlock(nil)
+		assert.Nil(t, certs)
+		assert.EqualError(t, err, "nil block")
+	})
+
+	t.Run("nil block data", func(t *testing.T) {
+		certs, err := cluster.TLSCACertsFromConfigBlock(&common.Block{})
+		assert.Nil(t, certs)
+		assert.EqualError(t, err, "block data is nil")
+	})
+
+	t.Run("no envelope", func(t *testing.T) {
+		certs, err := cluster.TLSCACertsFromConfigBlock(&common.Block{
+			Data: &common.BlockData{},
+		})
+		assert.Nil(t, certs)
+		assert.EqualError(t, err, "envelope index out of bounds")
+	})
+
+	t.Run("bad envelope", func(t *testing.T) {
+		certs, err := cluster.TLSCACertsFromConfigBlock(&common.Block{
+			Data: &common.BlockData{
+				Data: [][]byte{{}},
+			},
+		})
+		assert.Nil(t, certs)
+		assert.EqualError(t, err, "failed extracting bundle from envelope: envelope header cannot be nil")
+	})
+}