[FAB-10279] pinning script updates for fabric-ca

- no logic changes in SDK
- internal pkg updated to latest
 fabric-ca-client


Change-Id: I5f24cc0f30674f1e4ba2067be988cc2adf21e054
Signed-off-by: Sudesh Shetty <sudesh.shetty@securekey.com>

Author: sudeshrshetty

Makefile

@@ -64,7 +64,7 @@ FABRIC_DEV_REGISTRY_PRE_CMD ?= docker login -u docker -p docker nexus3.hyperledg
 
 # Upstream fabric patching (overridable)
 THIRDPARTY_FABRIC_CA_BRANCH ?= master
-THIRDPARTY_FABRIC_CA_COMMIT ?= 77dc5a6c072721e5e5c840391215c4146b72bef2
+THIRDPARTY_FABRIC_CA_COMMIT ?= 2032d7736ec3254f7ad2555770743b90c5956274
 THIRDPARTY_FABRIC_BRANCH    ?= master
 THIRDPARTY_FABRIC_COMMIT    ?= d78be9f4567d98e8c14542446a85ec5f8fcb5e5a
 

internal/github.com/hyperledger/fabric-ca/lib/client.go

@@ -20,6 +20,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -110,6 +111,17 @@ func (c *Client) Init() error {
 			return errors.Wrap(err, "Failed to create cacerts directory")
 		}
 
+		// CA's Idemix public key
+		c.ipkFile = filepath.Join(mspDir, "IssuerPublicKey")
+
+		// Idemix credentials directory
+		c.idemixCredsDir = path.Join(mspDir, "user")
+		err = os.MkdirAll(c.idemixCredsDir, 0755)
+		if err != nil {
+			return errors.Wrap(err, "Failed to create Idemix credentials directory 'user'")
+		}
+		c.idemixCredFile = path.Join(c.idemixCredsDir, "SignerConfig")
+
 		c.csp = cfg.CSP
 		// Create http.Client object and associate it with this client
 		err = c.initHTTPClient()
@@ -132,6 +144,8 @@ func (c *Client) initHTTPClient() error {
 		if err2 != nil {
 			return fmt.Errorf("Failed to get client TLS config: %s", err2)
 		}
+		// set the default ciphers
+		tlsConfig.CipherSuites = tls.DefaultCipherSuites
 		tr.TLSClientConfig = tlsConfig
 	}
 	c.httpClient = &http.Client{Transport: tr}
@@ -204,6 +218,56 @@ func (c *Client) net2LocalServerInfo(net *common.CAInfoResponseNet, local *GetCA
 	return nil
 }
 
+func (c *Client) handleX509Enroll(req *api.EnrollmentRequest) (*EnrollmentResponse, error) {
+	// Generate the CSR
+	csrPEM, key, err := c.GenCSR(req.CSR, req.Name)
+	if err != nil {
+		return nil, errors.WithMessage(err, "Failure generating CSR")
+	}
+
+	reqNet := &api.EnrollmentRequestNet{
+		CAName:   req.CAName,
+		AttrReqs: req.AttrReqs,
+	}
+
+	if req.CSR != nil {
+		reqNet.SignRequest.Hosts = req.CSR.Hosts
+	}
+	reqNet.SignRequest.Request = string(csrPEM)
+	reqNet.SignRequest.Profile = req.Profile
+	reqNet.SignRequest.Label = req.Label
+
+	body, err := util.Marshal(reqNet, "SignRequest")
+	if err != nil {
+		return nil, err
+	}
+
+	// Send the CSR to the fabric-ca server with basic auth header
+	post, err := c.newPost("enroll", body)
+	if err != nil {
+		return nil, err
+	}
+	post.SetBasicAuth(req.Name, req.Secret)
+	var result common.EnrollmentResponseNet
+	err = c.SendReq(post, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the enrollment response
+	return c.newEnrollmentResponse(&result, req.Name, key)
+}
+
+// Handles enrollment request for an Idemix credential
+// 1. Sends a request with empty body to the /api/v1/idemix/credentail REST endpoint
+//    of the server to get a Nonce from the CA
+// 2. Constructs a credential request using the nonce, CA's idemix public key
+// 3. Sends a request with the CredentialRequest object in the body to the
+//    /api/v1/idemix/credentail REST endpoint to get a credential
+func (c *Client) handleIdemixEnroll(req *api.EnrollmentRequest) (*EnrollmentResponse, error) {
+	return nil, errors.New("idemix enroll not supported")
+}
+
 // newEnrollmentResponse creates a client enrollment response from a network response
 // @param result The result from server
 // @param id Name of identity being enrolled or reenrolled
@@ -218,7 +282,6 @@ func (c *Client) newEnrollmentResponse(result *common.EnrollmentResponseNet, id
 	if err != nil {
 		return nil, err
 	}
-
 	x509Cred := x509cred.NewCredential(key, certByte, c)
 	err = x509Cred.SetVal(signer)
 	if err != nil {
@@ -287,6 +350,16 @@ func (c *Client) NewIdentity(creds []credential.Credential) (*Identity, error) {
 	return NewIdentity(c, name, creds), nil
 }
 
+// NewX509Identity creates a new identity
+func (c *Client) NewX509Identity(name string, creds []credential.Credential) x509cred.Identity {
+	return NewIdentity(c, name, creds)
+}
+
+// GetCSP returns BCCSP instance associated with this client
+func (c *Client) GetCSP() core.CryptoSuite {
+	return c.csp
+}
+
 // newGet create a new GET request
 func (c *Client) newGet(endpoint string) (*http.Request, error) {
 	curl, err := c.getURL(endpoint)
@@ -442,6 +515,24 @@ func (c *Client) getURL(endpoint string) (string, error) {
 	return rtn, nil
 }
 
+func (c *Client) checkX509Enrollment() error {
+	keyFileExists := util.FileExists(c.keyFile)
+	certFileExists := util.FileExists(c.certFile)
+	if keyFileExists && certFileExists {
+		return nil
+	}
+	// If key file does not exist, but certFile does, key file is probably
+	// stored by bccsp, so check to see if this is the case
+	if certFileExists {
+		_, _, _, err := util.GetSignerFromCertFile(c.certFile, c.csp)
+		if err == nil {
+			// Yes, the key is stored by BCCSP
+			return nil
+		}
+	}
+	return errors.New("X509 enrollment information does not exist")
+}
+
 func newCfsslBasicKeyRequest(bkr *api.BasicKeyRequest) *csr.BasicKeyRequest {
 	return &csr.BasicKeyRequest{A: bkr.Algo, S: bkr.Size}
 }
@@ -481,86 +572,3 @@ func NormalizeURL(addr string) (*url.URL, error) {
 	}
 	return u, nil
 }
-
-// Handles enrollment request for an Idemix credential
-// 1. Sends a request with empty body to the /api/v1/idemix/credentail REST endpoint
-//    of the server to get a Nonce from the CA
-// 2. Constructs a credential request using the nonce, CA's idemix public key
-// 3. Sends a request with the CredentialRequest object in the body to the
-//    /api/v1/idemix/credentail REST endpoint to get a credential
-func (c *Client) handleIdemixEnroll(req *api.EnrollmentRequest) (*EnrollmentResponse, error) {
-	log.Debugf("Getting nonce from CA %s", req.CAName)
-	return nil, errors.New("idemix enroll not supported")
-}
-
-func (c *Client) checkX509Enrollment() error {
-	keyFileExists := util.FileExists(c.keyFile)
-	certFileExists := util.FileExists(c.certFile)
-	if keyFileExists && certFileExists {
-		return nil
-	}
-	// If key file does not exist, but certFile does, key file is probably
-	// stored by bccsp, so check to see if this is the case
-	if certFileExists {
-		certBytes, err := util.ReadFile(c.certFile)
-		if err != nil {
-			return err
-		}
-		_, _, _, err = util.GetSignerFromCertFile(certBytes, c.csp)
-		if err == nil {
-			// Yes, the key is stored by BCCSP
-			return nil
-		}
-	}
-	return errors.New("X509 enrollment information does not exist")
-}
-
-func (c *Client) handleX509Enroll(req *api.EnrollmentRequest) (*EnrollmentResponse, error) {
-	// Generate the CSR
-	csrPEM, key, err := c.GenCSR(req.CSR, req.Name)
-	if err != nil {
-		return nil, errors.WithMessage(err, "Failure generating CSR")
-	}
-
-	reqNet := &api.EnrollmentRequestNet{
-		CAName:   req.CAName,
-		AttrReqs: req.AttrReqs,
-	}
-
-	if req.CSR != nil {
-		reqNet.SignRequest.Hosts = req.CSR.Hosts
-	}
-	reqNet.SignRequest.Request = string(csrPEM)
-	reqNet.SignRequest.Profile = req.Profile
-	reqNet.SignRequest.Label = req.Label
-
-	body, err := util.Marshal(reqNet, "SignRequest")
-	if err != nil {
-		return nil, err
-	}
-
-	// Send the CSR to the fabric-ca server with basic auth header
-	post, err := c.newPost("enroll", body)
-	if err != nil {
-		return nil, err
-	}
-	post.SetBasicAuth(req.Name, req.Secret)
-	var result common.EnrollmentResponseNet
-	err = c.SendReq(post, &result)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create the enrollment response
-	return c.newEnrollmentResponse(&result, req.Name, key)
-}
-
-// GetCSP returns BCCSP instance associated with this client
-func (c *Client) GetCSP() core.CryptoSuite {
-	return c.csp
-}
-
-// NewX509Identity creates a new identity
-func (c *Client) NewX509Identity(name string, creds []credential.Credential) x509cred.Identity {
-	return NewIdentity(c, name, creds)
-}

internal/github.com/hyperledger/fabric-ca/lib/client/credential/credential.go

@@ -3,6 +3,10 @@ Copyright IBM Corp. All Rights Reserved.
 
 SPDX-License-Identifier: Apache-2.0
 */
+/*
+Notice: This file has been modified for Hyperledger Fabric SDK Go usage.
+Please review third_party pinning scripts and patches for more details.
+*/
 
 package credential
 

internal/github.com/hyperledger/fabric-ca/lib/client/credential/x509/credential.go

@@ -3,19 +3,26 @@ Copyright IBM Corp. All Rights Reserved.
 
 SPDX-License-Identifier: Apache-2.0
 */
+/*
+Notice: This file has been modified for Hyperledger Fabric SDK Go usage.
+Please review third_party pinning scripts and patches for more details.
+*/
 
 package x509
 
 import (
 	"encoding/hex"
+
+	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core"
+
 	"net/http"
 
-	"github.com/cloudflare/cfssl/log"
+	factory "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/sdkpatch/cryptosuitebridge"
+	log "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/sdkpatch/logbridge"
+
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/api"
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/lib/client/credential"
-	factory "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/sdkpatch/cryptosuitebridge"
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/util"
-	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core"
 	"github.com/pkg/errors"
 )
 
@@ -86,7 +93,6 @@ func (cred *Credential) SetVal(val interface{}) error {
 // loaded from the location specified by the keyFile attribute, if the
 // private key is not found in the keystore managed by BCCSP
 func (cred *Credential) Load() error {
-
 	var err error
 	cred.val, err = NewSigner(cred.keyFile, cred.certFile)
 	if err != nil {

internal/github.com/hyperledger/fabric-ca/lib/client/credential/x509/signer.go

@@ -3,6 +3,10 @@ Copyright IBM Corp. All Rights Reserved.
 
 SPDX-License-Identifier: Apache-2.0
 */
+/*
+Notice: This file has been modified for Hyperledger Fabric SDK Go usage.
+Please review third_party pinning scripts and patches for more details.
+*/
 
 package x509
 

internal/github.com/hyperledger/fabric-ca/lib/common/serverresponses.go

@@ -3,6 +3,10 @@ Copyright IBM Corp. All Rights Reserved.
 
 SPDX-License-Identifier: Apache-2.0
 */
+/*
+Notice: This file has been modified for Hyperledger Fabric SDK Go usage.
+Please review third_party pinning scripts and patches for more details.
+*/
 
 package common
 

internal/github.com/hyperledger/fabric-ca/lib/identity.go

@@ -26,6 +26,13 @@ import (
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/util"
 )
 
+// Identity is fabric-ca's implementation of an identity
+type Identity struct {
+	name   string
+	client *Client
+	creds  []credential.Credential
+}
+
 // NewIdentity is the constructor for identity
 func NewIdentity(client *Client, name string, creds []credential.Credential) *Identity {
 	id := new(Identity)
@@ -35,13 +42,6 @@ func NewIdentity(client *Client, name string, creds []credential.Credential) *Id
 	return id
 }
 
-// Identity is fabric-ca's implementation of an identity
-type Identity struct {
-	name   string
-	client *Client
-	creds  []credential.Credential
-}
-
 // GetName returns the identity name
 func (i *Identity) GetName() string {
 	return i.name
@@ -333,12 +333,11 @@ func (i *Identity) addTokenAuthHdr(req *http.Request, body []byte) error {
 	var token string
 	var err error
 	for _, cred := range i.creds {
-		if cred.Type() == x509.CredType {
-			token, err = cred.CreateToken(req, body)
-			if err != nil {
-				return errors.WithMessage(err, "Failed to add token authorization header")
-			}
+		token, err = cred.CreateToken(req, body)
+		if err != nil {
+			return errors.WithMessage(err, "Failed to add token authorization header")
 		}
+		break
 	}
 	req.Header.Set("authorization", token)
 	return nil

internal/github.com/hyperledger/fabric-ca/lib/tls/tls.go

@@ -33,6 +33,16 @@ import (
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/core"
 )
 
+// DefaultCipherSuites is a set of strong TLS cipher suites
+var DefaultCipherSuites = []uint16{
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+}
+
 // ClientTLSConfig defines the key material for a TLS client
 type ClientTLSConfig struct {
 	Enabled   bool     `skip:"true"`