[FABG-717] fix - Unhandled Panic in TLSCertHash

sudeshrshetty · sudeshrshetty · commit 36698e6d682b · 2018-08-14T10:57:06.000-04:00
Change-Id: If2237797fff517bc84ee91738fd2cb78c7c4c39f
Signed-off-by: Sudesh Shetty &lt;sudesh.shetty@securekey.com&gt;
diff --git a/pkg/core/config/comm/comm.go b/pkg/core/config/comm/comm.go
@@ -11,8 +11,9 @@ import (
 
 	"crypto/x509"
 
-	cutil "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab"
+	"github.com/hyperledger/fabric-sdk-go/pkg/core/cryptosuite"
+	"github.com/pkg/errors"
 )
 
 // TLSConfig returns the appropriate config for TLS including the root CAs,
@@ -31,17 +32,25 @@ func TLSConfig(cert *x509.Certificate, serverName string, config fab.EndpointCon
 }
 
 // TLSCertHash is a utility method to calculate the SHA256 hash of the configured certificate (for usage in channel headers)
-func TLSCertHash(config fab.EndpointConfig) []byte {
+func TLSCertHash(config fab.EndpointConfig) ([]byte, error) {
 	certs := config.TLSClientCerts()
 	if len(certs) == 0 {
-		return nil
+		return computeHash([]byte(""))
 	}
 
 	cert := certs[0]
 	if len(cert.Certificate) == 0 {
-		return nil
+		return computeHash([]byte(""))
 	}
 
-	h := cutil.ComputeSHA256(cert.Certificate[0])
-	return h
+	return computeHash(cert.Certificate[0])
+}
+
+//computeHash computes hash for given bytes using underlying cryptosuite default
+func computeHash(msg []byte) ([]byte, error) {
+	h, err := cryptosuite.GetDefault().Hash(msg, cryptosuite.GetSHA256Opts())
+	if err != nil {
+		return nil, errors.WithMessage(err, "failed to compute tls cert hash")
+	}
+	return h, err
 }
diff --git a/pkg/core/config/comm/comm_test.go b/pkg/core/config/comm/comm_test.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/golang/mock/gomock"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/test/mockfab"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestTLSConfigErrorAddingCertificate(t *testing.T) {
@@ -110,11 +111,9 @@ func TestNoTlsCertHash(t *testing.T) {
 
 	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{})
 
-	tlsCertHash := TLSCertHash(config)
-
-	if len(tlsCertHash) != 0 {
-		t.Fatal("Unexpected non-empty cert hash")
-	}
+	tlsCertHash, err := TLSCertHash(config)
+	assert.NotNil(t, tlsCertHash)
+	assert.Nil(t, err)
 }
 
 func TestEmptyTlsCertHash(t *testing.T) {
@@ -125,11 +124,9 @@ func TestEmptyTlsCertHash(t *testing.T) {
 	emptyCert := tls.Certificate{}
 	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{emptyCert})
 
-	tlsCertHash := TLSCertHash(config)
-
-	if len(tlsCertHash) != 0 {
-		t.Fatal("Unexpected non-empty cert hash")
-	}
+	tlsCertHash, err := TLSCertHash(config)
+	assert.NotNil(t, tlsCertHash)
+	assert.Nil(t, err)
 }
 
 func TestTlsCertHash(t *testing.T) {
@@ -143,8 +140,9 @@ func TestTlsCertHash(t *testing.T) {
 	}
 
 	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{cert})
-	tlsCertHash := TLSCertHash(config)
-
+	tlsCertHash, err := TLSCertHash(config)
+	assert.NotNil(t, tlsCertHash)
+	assert.Nil(t, err)
 	// openssl x509 -fingerprint -sha256 -in testdata/server.crt
 	// SHA256 Fingerprint=0D:D5:90:B8:A5:0E:A6:04:3E:A8:75:16:BF:77:A8:FE:E7:C5:62:2D:4C:B3:CB:99:12:74:72:2A:D8:BA:B8:92
 	expectedHash, err := hex.DecodeString("0DD590B8A50EA6043EA87516BF77A8FEE7C5622D4CB3CB991274722AD8BAB892")
diff --git a/pkg/fab/comm/connection.go b/pkg/fab/comm/connection.go
@@ -68,11 +68,16 @@ func NewConnection(ctx fabcontext.Client, url string, opts ...options.Opt) (*GRP
 		return nil, errors.Wrapf(err, "could not connect to %s", url)
 	}
 
+	hash, err := comm.TLSCertHash(ctx.EndpointConfig())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get tls cert hash")
+	}
+
 	return &GRPCConnection{
 		context:     ctx,
 		commManager: commManager,
 		conn:        grpcconn,
-		tlsCertHash: comm.TLSCertHash(ctx.EndpointConfig()),
+		tlsCertHash: hash,
 	}, nil
 }
 
diff --git a/pkg/fab/discovery/discovery.go b/pkg/fab/discovery/discovery.go
@@ -124,8 +124,13 @@ func newAuthInfo(ctx fabcontext.Client) (*discovery.AuthInfo, error) {
 		return nil, err
 	}
 
+	hash, err := corecomm.TLSCertHash(ctx.EndpointConfig())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get tls cert hash")
+	}
+
 	return &discovery.AuthInfo{
 		ClientIdentity:    identity,
-		ClientTlsCertHash: corecomm.TLSCertHash(ctx.EndpointConfig()),
+		ClientTlsCertHash: hash,
 	}, nil
 }
diff --git a/pkg/fab/resource/block.go b/pkg/fab/resource/block.go
@@ -32,10 +32,16 @@ func retrieveBlock(reqCtx reqContext.Context, orderers []fab.Orderer, channel st
 		return nil, errors.Wrap(err, "generating TX ID failed")
 	}
 
+	hash, err := ccomm.TLSCertHash(ctx.EndpointConfig())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get tls cert hash")
+	}
+
 	channelHeaderOpts := txn.ChannelHeaderOpts{
 		TxnHeader:   th,
-		TLSCertHash: ccomm.TLSCertHash(ctx.EndpointConfig()),
+		TLSCertHash: hash,
 	}
+
 	seekInfoHeader, err := txn.CreateChannelHeader(common.HeaderType_DELIVER_SEEK_INFO, channelHeaderOpts)
 	if err != nil {
 		return nil, errors.Wrap(err, "CreateChannelHeader failed")
diff --git a/pkg/fab/resource/resource.go b/pkg/fab/resource/resource.go
@@ -240,9 +240,15 @@ func createOrUpdateChannel(reqCtx reqContext.Context, txh *txn.TransactionHeader
 	if !ok {
 		return errors.New("failed get client context from reqContext for Creating ChannelHeader")
 	}
+
+	hash, err := ccomm.TLSCertHash(ctx.EndpointConfig())
+	if err != nil {
+		return errors.WithMessage(err, "failed to get tls cert hash")
+	}
+
 	channelHeaderOpts := txn.ChannelHeaderOpts{
 		TxnHeader:   txh,
-		TLSCertHash: ccomm.TLSCertHash(ctx.EndpointConfig()),
+		TLSCertHash: hash,
 	}
 	channelHeader, err := txn.CreateChannelHeader(common.HeaderType_CONFIG_UPDATE, channelHeaderOpts)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -124,8 +124,13 @@ func newAuthInfo(ctx fabcontext.Client) (*discovery.AuthInfo, error) {`
`124`	`124`	`return nil, err`
`125`	`125`	`}`
`126`	`126`
	`127`	`+ hash, err := corecomm.TLSCertHash(ctx.EndpointConfig())`
	`128`	`+ if err != nil {`
	`129`	`+ return nil, errors.Wrapf(err, "failed to get tls cert hash")`
	`130`	`+ }`
	`131`	`+`
`127`	`132`	`return &discovery.AuthInfo{`
`128`	`133`	`ClientIdentity: identity,`
`129`		`- ClientTlsCertHash: corecomm.TLSCertHash(ctx.EndpointConfig()),`
	`134`	`+ ClientTlsCertHash: hash,`
`130`	`135`	`}, nil`
`131`	`136`	`}`