[FAB-7387] Ability to load system cert pool

sandrask · sandrask · commit a062492e7425 · 2017-12-08T12:33:38.000-05:00
Change-Id: I8d0d531cdca272efd49f9a1b64403e472ef7849c
Signed-off-by: Sandra Vrtikapa &lt;sandra.vrtikapa@securekey.com&gt;
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -67,7 +67,12 @@ func InitConfigFromBytes(configBytes []byte, configType string) (*Config, error)
 
 	setLogLevel(myViper)
 
-	return &Config{tlsCertPool: x509.NewCertPool(), configViper: myViper}, nil
+	tlsCertPool, err := getCertPool(myViper)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Config{tlsCertPool: tlsCertPool, configViper: myViper}, nil
 }
 
 // getNewViper returns a new instance of viper
@@ -111,9 +116,25 @@ func initConfigWithCmdRoot(configFile string, cmdRootPrefix string) (*Config, er
 	}
 
 	setLogLevel(myViper)
+	tlsCertPool, err := getCertPool(myViper)
+	if err != nil {
+		return nil, err
+	}
 
 	logger.Infof("%s logging level is set to: %s", logModule, lu.LogLevelString(logging.GetLevel(logModule)))
-	return &Config{tlsCertPool: x509.NewCertPool(), configViper: myViper}, nil
+	return &Config{tlsCertPool: tlsCertPool, configViper: myViper}, nil
+}
+
+func getCertPool(myViper *viper.Viper) (*x509.CertPool, error) {
+	tlsCertPool := x509.NewCertPool()
+	if myViper.GetBool("client.systemcertpool") == true {
+		var err error
+		if tlsCertPool, err = x509.SystemCertPool(); err != nil {
+			return nil, err
+		}
+		logger.Debugf("Loaded system cert pool of size: %d", len(tlsCertPool.Subjects()))
+	}
+	return tlsCertPool, nil
 }
 
 // setLogLevel will set the log level of the client
@@ -416,9 +437,10 @@ func (c *Config) OrderersConfig() ([]apiconfig.OrdererConfig, error) {
 	}
 
 	for _, orderer := range config.Orderers {
+
 		if orderer.TLSCACerts.Path != "" {
 			orderer.TLSCACerts.Path = substGoPath(orderer.TLSCACerts.Path)
-		} else if len(orderer.TLSCACerts.Pem) == 0 {
+		} else if len(orderer.TLSCACerts.Pem) == 0 && c.configViper.GetBool("client.systemcertpool") == false {
 			errors.Errorf("Orderer has no certs configured. Make sure TLSCACerts.Pem or TLSCACerts.Path is set for %s", orderer.URL)
 		}
 
@@ -479,7 +501,7 @@ func (c *Config) PeersConfig(org string) ([]apiconfig.PeerConfig, error) {
 
 	for _, peerName := range peersConfig {
 		p := config.Peers[strings.ToLower(peerName)]
-		if err = verifyPeerConfig(p, peerName, urlutil.IsTLSEnabled(p.URL)); err != nil {
+		if err = c.verifyPeerConfig(p, peerName, urlutil.IsTLSEnabled(p.URL)); err != nil {
 			return nil, err
 		}
 		if p.TLSCACerts.Path != "" {
@@ -591,7 +613,7 @@ func (c *Config) ChannelPeers(name string) ([]apiconfig.ChannelPeer, error) {
 			return nil, errors.Errorf("peer config not found for %s", peerName)
 		}
 
-		if err = verifyPeerConfig(p, peerName, urlutil.IsTLSEnabled(p.URL)); err != nil {
+		if err = c.verifyPeerConfig(p, peerName, urlutil.IsTLSEnabled(p.URL)); err != nil {
 			return nil, err
 		}
 
@@ -626,7 +648,7 @@ func (c *Config) NetworkPeers() ([]apiconfig.NetworkPeer, error) {
 
 	for name, p := range netConfig.Peers {
 
-		if err = verifyPeerConfig(p, name, urlutil.IsTLSEnabled(p.URL)); err != nil {
+		if err = c.verifyPeerConfig(p, name, urlutil.IsTLSEnabled(p.URL)); err != nil {
 			return nil, err
 		}
 
@@ -670,14 +692,14 @@ func (c *Config) PeerMspID(name string) (string, error) {
 
 }
 
-func verifyPeerConfig(p apiconfig.PeerConfig, peerName string, tlsEnabled bool) error {
+func (c *Config) verifyPeerConfig(p apiconfig.PeerConfig, peerName string, tlsEnabled bool) error {
 	if p.URL == "" {
 		return errors.Errorf("URL does not exist or empty for peer %s", peerName)
 	}
 	if p.EventURL == "" {
 		return errors.Errorf("event URL does not exist or empty for peer %s", peerName)
 	}
-	if tlsEnabled && len(p.TLSCACerts.Pem) == 0 && p.TLSCACerts.Path == "" {
+	if tlsEnabled && len(p.TLSCACerts.Pem) == 0 && p.TLSCACerts.Path == "" && c.configViper.GetBool("client.systemcertpool") == false {
 		return errors.Errorf("tls.certificate does not exist or empty for peer %s", peerName)
 	}
 	return nil
diff --git a/pkg/config/config.yaml b/pkg/config/config.yaml
@@ -96,6 +96,8 @@ client:
      #library: "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so, /usr/lib/softhsm/libsofthsm2.so ,/usr/lib/s390x-linux-gnu/softhsm/libsofthsm2.so, /usr/lib/powerpc64le-linux-gnu/softhsm/libsofthsm2.so, /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so"
      library: "add BCCSP library here"
 
+  # [Optional]. Use system certificate pool when connecting to peers, orderers (for negotiating TLS) Default: false
+  # systemcertpool: true
 
 #
 # [Optional]. But most apps would have this section so that channel objects can be constructed
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -675,6 +675,40 @@ func TestInterfaces(t *testing.T) {
 	}
 }
 
+func TestSystemCertPoolDisabled(t *testing.T) {
+
+	// get a config file with pool disabled
+	c, err := InitConfig(configTestFilePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// cert pool should be empty
+	if len(c.tlsCertPool.Subjects()) > 0 {
+		t.Fatal("Expecting empty tls cert pool due to disabled system cert pool")
+	}
+}
+
+func TestSystemCertPoolEnabled(t *testing.T) {
+
+	// get a config file with pool enabled
+	c, err := InitConfig(configPemTestFilePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.tlsCertPool.Subjects()) == 0 {
+		t.Fatal("System Cert Pool not loaded even though it is enabled")
+	}
+
+	// Org2 'mychannel' peer is missing cert + pem (it should not fail when systemcertpool enabled)
+	_, err = c.ChannelPeers("mychannel")
+	if err != nil {
+		t.Fatalf("Should have skipped verifying ca cert + pem: %s", err)
+	}
+
+}
+
 func TestSetTLSCACertPool(t *testing.T) {
 	configImpl.SetTLSCACertPool(nil)
 	t.Log("TLSCACertRoot must be created. Nothing additional to verify..")
diff --git a/pkg/config/testdata/config_test_pem.yaml b/pkg/config/testdata/config_test_pem.yaml
@@ -90,6 +90,9 @@ client:
      ephemeral: false
      level: 256
 
+  # [Optional]. Use system certificate pool when connecting to peers, orderers (for negotiating TLS) Default: false
+  systemcertpool: true
+
 #
 # [Optional]. But most apps would have this section so that channel objects can be constructed
 # based on the content below. If an app is creating channels, then it likely will not need this
@@ -127,6 +130,12 @@ channels:
         # Default: true
         eventSource: true
 
+      peer0.org2.example.com:
+        endorsingPeer: true
+        chaincodeQuery: true
+        ledgerQuery: true
+        eventSource: true
+
     # [Optional]. what chaincodes are expected to exist on this channel? The application can use
     # this information to validate that the target peers are in the expected state by comparing
     # this list with the query results of getInstalledChaincodes() and getInstantiatedChaincodes()
@@ -292,22 +301,7 @@ peers:
     grpcOptions:
       ssl-target-name-override: peer0.org2.example.com
     tlsCACerts:
-      pem: |
-        -----BEGIN CERTIFICATE-----
-        MIICSDCCAe+gAwIBAgIQK5RpVCPowqtM5Sn0g5udaTAKBggqhkjOPQQDAjB2MQsw
-        CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
-        YW5jaXNjbzEZMBcGA1UEChMQb3JnMi5leGFtcGxlLmNvbTEfMB0GA1UEAxMWdGxz
-        Y2Eub3JnMi5leGFtcGxlLmNvbTAeFw0xNzA3MjgxNDI3MjBaFw0yNzA3MjYxNDI3
-        MjBaMHYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
-        Ew1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcyLmV4YW1wbGUuY29tMR8wHQYD
-        VQQDExZ0bHNjYS5vcmcyLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D
-        AQcDQgAE/YuiAkpf8ZldX8+4tERG8EjT7sx+bAWG1WGYzNS7MEHOE8aUnoe2gBat
-        6d5I6OBRd7qlLB2U6bNPv/1vQOSfjKNfMF0wDgYDVR0PAQH/BAQDAgGmMA8GA1Ud
-        JQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQgQBzZ6fWlqa1m
-        tTVjm5tyQdcIrIqzpRnICRCRkFDIBuwwCgYIKoZIzj0EAwIDRwAwRAIgLB3onZnH
-        4hp6WZbmIxPfkesVuNjMY9hsveA4n2xvA6ICIE2h9rspRxy08NLPIJXD2L6zPQum
-        isLpe/VZtWneH2xM
-        -----END CERTIFICATE-----
+      pem:
       path:
       #path: $GOPATH/src/github.com/hyperledger/fabric-sdk-go/test/fixtures/channel/crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem
 
diff --git a/test/fixtures/config/config_test.yaml b/test/fixtures/config/config_test.yaml
@@ -90,6 +90,9 @@ client:
      ephemeral: false
      level: 256
 
+  # [Optional]. Use system certificate pool when connecting to peers, orderers (for negotiating TLS) Default: false
+  systemcertpool: false
+
 #
 # [Optional]. But most apps would have this section so that channel objects can be constructed
 # based on the content below. If an app is creating channels, then it likely will not need this

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,8 @@ client:`
`96`	`96`	`#library: "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so, /usr/lib/softhsm/libsofthsm2.so ,/usr/lib/s390x-linux-gnu/softhsm/libsofthsm2.so, /usr/lib/powerpc64le-linux-gnu/softhsm/libsofthsm2.so, /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so"`
`97`	`97`	`library: "add BCCSP library here"`
`98`	`98`
	`99`	`+ # [Optional]. Use system certificate pool when connecting to peers, orderers (for negotiating TLS) Default: false`
	`100`	`+ # systemcertpool: true`
`99`	`101`
`100`	`102`	`#`
`101`	`103`	`# [Optional]. But most apps would have this section so that channel objects can be constructed`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ client:`
`90`	`90`	`ephemeral: false`
`91`	`91`	`level: 256`
`92`	`92`
	`93`	`+ # [Optional]. Use system certificate pool when connecting to peers, orderers (for negotiating TLS) Default: false`
	`94`	`+ systemcertpool: false`
	`95`	`+`
`93`	`96`	`#`
`94`	`97`	`# [Optional]. But most apps would have this section so that channel objects can be constructed`
`95`	`98`	`# based on the content below. If an app is creating channels, then it likely will not need this`