[FAB-10417] endpointconfig TLS client certs preload

- preloading tls client certs in endpoint config
- Fixed TLSConfig.TLSCert() not to throw status error
for empty certs, instead of new bool argument will be
returned


Change-Id: I39a540aa2f09398eff06b80f704f5a19dd7a0168
Signed-off-by: Sudesh Shetty <sudesh.shetty@securekey.com>

Author: sudeshrshetty

pkg/common/providers/fab/provider.go

@@ -81,7 +81,7 @@ type EndpointConfig interface {
 	ChannelOrderers(name string) ([]OrdererConfig, bool)
 	TLSCACertPool(certConfig ...*x509.Certificate) (*x509.CertPool, error)
 	EventServiceType() EventServiceType
-	TLSClientCerts() ([]tls.Certificate, error)
+	TLSClientCerts() []tls.Certificate
 	CryptoConfigPath() string
 }
 

pkg/common/providers/test/mockfab/mockconfig.go

@@ -39,7 +39,7 @@ func DefaultMockConfig(mockCtrl *gomock.Controller) *MockEndpointConfig {
 	config.EXPECT().TLSCACertPool(BadCert).Return(CertPool, errors.New(ErrorMessage)).AnyTimes()
 	config.EXPECT().TLSCACertPool().Return(CertPool, nil).AnyTimes()
 	config.EXPECT().Timeout(fab.EndorserConnection).Return(time.Second * 5).AnyTimes()
-	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{TLSCert}, nil).AnyTimes()
+	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{TLSCert}).AnyTimes()
 
 	return config
 }
@@ -52,7 +52,7 @@ func BadTLSClientMockConfig(mockCtrl *gomock.Controller) *MockEndpointConfig {
 	config.EXPECT().TLSCACertPool(BadCert).Return(CertPool, errors.New(ErrorMessage)).AnyTimes()
 	config.EXPECT().TLSCACertPool().Return(CertPool, nil).AnyTimes()
 	config.EXPECT().Timeout(fab.EndorserConnection).Return(time.Second * 5).AnyTimes()
-	config.EXPECT().TLSClientCerts().Return(nil, errors.Errorf(ErrorMessage)).AnyTimes()
+	config.EXPECT().TLSClientCerts().Return(nil).AnyTimes()
 
 	return config
 }

pkg/common/providers/test/mockfab/mockfab.gen.go

@@ -13,7 +13,6 @@ import (
 
 	cutil "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab"
-	"github.com/pkg/errors"
 )
 
 // TLSConfig returns the appropriate config for TLS including the root CAs,
@@ -35,18 +34,13 @@ func TLSConfig(cert *x509.Certificate, serverName string, config fab.EndpointCon
 		return nil, err
 	}
 
-	clientCerts, err := config.TLSClientCerts()
-	if err != nil {
-		return nil, errors.Errorf("Error loading cert/key pair for TLS client credentials: %s", err)
-	}
-
-	return &tls.Config{RootCAs: tlsCaCertPool, Certificates: clientCerts, ServerName: serverName}, nil
+	return &tls.Config{RootCAs: tlsCaCertPool, Certificates: config.TLSClientCerts(), ServerName: serverName}, nil
 }
 
 // TLSCertHash is a utility method to calculate the SHA256 hash of the configured certificate (for usage in channel headers)
 func TLSCertHash(config fab.EndpointConfig) []byte {
-	certs, err := config.TLSClientCerts()
-	if err != nil || len(certs) == 0 {
+	certs := config.TLSClientCerts()
+	if len(certs) == 0 {
 		return nil
 	}
 

pkg/core/config/comm/comm.go

@@ -43,7 +43,7 @@ func TestTLSConfigErrorFromClientCerts(t *testing.T) {
 
 	config := mockfab.BadTLSClientMockConfig(mockCtrl)
 
-	_, err := TLSConfig(mockfab.GoodCert, "", config)
+	_, err := TLSConfig(mockfab.BadCert, "", config)
 
 	if err == nil {
 		t.Fatal("Expected failure from loading client certs")
@@ -89,7 +89,7 @@ func TestNoTlsCertHash(t *testing.T) {
 	defer mockCtrl.Finish()
 	config := mockfab.NewMockEndpointConfig(mockCtrl)
 
-	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{}, nil)
+	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{})
 
 	tlsCertHash := TLSCertHash(config)
 
@@ -104,7 +104,7 @@ func TestEmptyTlsCertHash(t *testing.T) {
 	config := mockfab.NewMockEndpointConfig(mockCtrl)
 
 	emptyCert := tls.Certificate{}
-	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{emptyCert}, nil)
+	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{emptyCert})
 
 	tlsCertHash := TLSCertHash(config)
 
@@ -123,7 +123,7 @@ func TestTlsCertHash(t *testing.T) {
 		t.Fatalf("Unexpected error loading cert %s", err)
 	}
 
-	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{cert}, nil)
+	config.EXPECT().TLSClientCerts().Return([]tls.Certificate{cert})
 	tlsCertHash := TLSCertHash(config)
 
 	// openssl x509 -fingerprint -sha256 -in testdata/server.crt

pkg/core/config/comm/comm_test.go

@@ -14,7 +14,6 @@ import (
 
 	"regexp"
 
-	"github.com/hyperledger/fabric-sdk-go/pkg/common/errors/status"
 	"github.com/pkg/errors"
 )
 
@@ -108,19 +107,19 @@ func (cfg *TLSConfig) LoadBytes() error {
 
 // TLSCert returns the tls certificate as a *x509.Certificate by loading it either from the embedded Pem or Path
 //TODO to be removed since separate TLSConfig should only be used in parsing
-func (cfg *TLSConfig) TLSCert() (*x509.Certificate, error) {
+func (cfg *TLSConfig) TLSCert() (*x509.Certificate, bool, error) {
 
 	block, _ := pem.Decode(cfg.bytes)
 
 	if block != nil {
 		pub, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
-			return nil, errors.Wrap(err, "certificate parsing failed")
+			return nil, false, errors.Wrap(err, "certificate parsing failed")
 		}
 
-		return pub, nil
+		return pub, true, nil
 	}
 
-	// return an error with an error code for clients to test against status.EmptyCert code
-	return nil, status.New(status.ClientStatus, status.EmptyCert.ToInt32(), "pem data missing", nil)
+	//no cert found and there is no error
+	return nil, false, nil
 }

pkg/core/config/endpoint/endpoint.go

@@ -154,8 +154,8 @@ func TestTLSConfig_TLSCertPostive(t *testing.T) {
 		t.Fatalf("error loading certificate for sample cert path %s", e)
 	}
 
-	c, e := tlsConfig.TLSCert()
-	if e != nil {
+	c, ok, e := tlsConfig.TLSCert()
+	if e != nil || !ok {
 		t.Fatalf("error loading certificate for sample cert path %s", e)
 	}
 	if c == nil {
@@ -179,8 +179,8 @@ V842OVjxCYYQwCjPIY+5e9ORR+8pxVzcMAoGCCqGSM49BAMCA0cAMEQCIGZ+KTfS
 eezqv0ml1VeQEmnAEt5sJ2RJA58+LegUYMd6AiAfEe6BKqdY03qFUgEYmtKG+3Dr
 O94CDp7l2k7hMQI0zQ==
 -----END CERTIFICATE-----`
-	c, e = tlsConfig.TLSCert()
-	if e != nil {
+	c, ok, e = tlsConfig.TLSCert()
+	if e != nil || !ok {
 		t.Fatalf("error loading certificate for sample cert path and pem %s", e)
 	}
 	if c == nil {
@@ -196,34 +196,33 @@ func TestTLSConfig_TLSCertNegative(t *testing.T) {
 		Path: "dummy/path",
 		Pem:  "",
 	}
-	c, e := tlsConfig.TLSCert()
-	if e == nil {
-		t.Fatal("expected error loading certificate for wrong cert path")
-	}
-	if c != nil {
-		t.Fatal("cert's TLSCert() call returned non empty certificate for wrong cert path")
-	}
+	e := tlsConfig.LoadBytes()
+	assert.NotNil(t, e, "expected error loading certificate for wrong cert path")
+
+	c, ok, e := tlsConfig.TLSCert()
+	assert.Nil(t, e, "error supposed to be nil for empty bytes")
+	assert.False(t, ok, "expected error loading certificate for wrong cert path")
+	assert.Nil(t, c, "cert's TLSCert() call returned non empty certificate for wrong cert path")
 
 	// test with empty path and empty pem
 	tlsConfig.Path = ""
-	c, e = tlsConfig.TLSCert()
-	if e == nil {
-		t.Fatal("expected error loading certificate for empty cert path and empty pem")
-	}
-	if c != nil {
-		t.Fatal("cert's TLSCert() call returned non empty certificate for wrong cert path and empty pem")
-	}
+	e = tlsConfig.LoadBytes()
+	assert.Nil(t, e, "not supposed to get error for empty path/pem")
+	c, ok, e = tlsConfig.TLSCert()
+	assert.Nil(t, e, "error supposed to be nil for empty bytes")
+	assert.False(t, ok, "expected error loading certificate for empty cert path and empty pem")
+	assert.Nil(t, c, "cert's TLSCert() call returned non empty certificate for wrong cert path and empty pem")
 
 	// test with wrong pem and empty path
 	tlsConfig.Path = ""
 	tlsConfig.Pem = "wrongcertpem"
-	c, e = tlsConfig.TLSCert()
-	if e == nil {
-		t.Fatalf("error loading certificate for empty cert path and and wrong pem %s", e)
-	}
-	if c != nil {
-		t.Fatal("cert's TLSCert() call returned non empty certificate")
-	}
+	e = tlsConfig.LoadBytes()
+	assert.Nil(t, e, "unexpected error loading certificate with wrong pem")
+
+	c, ok, e = tlsConfig.TLSCert()
+	assert.Nil(t, c, "cert's TLSCert() call returned non empty certificate")
+	assert.False(t, ok, "error loading certificate for empty cert path and and wrong pem ")
+	assert.Nil(t, e, "cert's TLSCert() call returned unexpected error")
 
 }
 

pkg/core/config/endpoint/endpoint_test.go

@@ -10,7 +10,6 @@ import (
 	"crypto/x509"
 	"time"
 
-	"github.com/hyperledger/fabric-sdk-go/pkg/common/errors/status"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/options"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/fab"
 	"github.com/spf13/cast"
@@ -148,13 +147,9 @@ type connectTimeoutSetter interface {
 
 // OptsFromPeerConfig returns a set of connection options from the given peer config
 func OptsFromPeerConfig(peerCfg *fab.PeerConfig) ([]options.Opt, error) {
-	certificate, err := peerCfg.TLSCACerts.TLSCert()
+	certificate, _, err := peerCfg.TLSCACerts.TLSCert()
 	if err != nil {
-		//Ignore empty cert errors,
-		errStatus, ok := err.(*status.Status)
-		if !ok || errStatus.Code != status.EmptyCert.ToInt32() {
-			return nil, err
-		}
+		return nil, err
 	}
 
 	opts := []options.Opt{