登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 1 Fork 0

Hyperledger Fabric 国密 / fabric

代码 Issues 1 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
connection.go 8.30 KB
一键复制 编辑 原始数据 按行查看 历史
Jtyoui 提交于 2021-07-22 15:59 . 国密
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287
/*

Copyright IBM Corp. All Rights Reserved.



SPDX-License-Identifier: Apache-2.0

*/



package comm



import (

	"context"

	"encoding/base64"

	"encoding/pem"

	"fmt"

	"gitee.com/hyperledger-fabric-gm/fabric/bccsp/gm"

	"io/ioutil"

	"os"

	"sync"

	"time"



	tls "github.com/Hyperledger-TWGC/tjfoc-gm/gmtls"

	"github.com/Hyperledger-TWGC/tjfoc-gm/gmtls/gmcredentials"

	"github.com/Hyperledger-TWGC/tjfoc-gm/x509"

	"gitee.com/hyperledger-fabric-gm/fabric/common/flogging"

	"gitee.com/hyperledger-fabric-gm/fabric/core/config"

	"google.golang.org/grpc"

	"google.golang.org/grpc/credentials"

)



const defaultTimeout = time.Second * 3



var commLogger = flogging.MustGetLogger("comm")

var credSupport *CredentialSupport

var once sync.Once



// CertificateBundle bundles certificates

type CertificateBundle [][]byte



// PerOrgCertificateBundle maps organizations to CertificateBundles

type PerOrgCertificateBundle map[string]CertificateBundle



// OrgRootCAs defines root CA certificates of organizations, by their

// corresponding channels.

// channel --> organization --> certificates

type OrgRootCAs map[string]PerOrgCertificateBundle



type OrdererEndpoint struct {

	Address string

	PEMs    []byte

}



// CertificatesByChannelAndOrg returns the certificates of the given organization in the context

// of the given channel.

func (orc OrgRootCAs) CertificatesByChannelAndOrg(channel string, org string) CertificateBundle {

	if _, exists := orc[channel]; !exists {

		orc[channel] = make(PerOrgCertificateBundle)

	}

	return orc[channel][org]

}



// AppendCertificates appends certificates that belong to the given organization in the context of the given channel.

// This operation isn't thread safe.

func (orc OrgRootCAs) AppendCertificates(channel string, org string, rootCAs CertificateBundle) {

	certsByOrg, exists := orc[channel]

	if !exists {

		certsByOrg = make(PerOrgCertificateBundle)

		orc[channel] = certsByOrg

	}

	certificatesOfOrg := certsByOrg[org]

	certificatesOfOrg = append(certificatesOfOrg, rootCAs...)

	certsByOrg[org] = certificatesOfOrg

}



// CredentialSupport type manages credentials used for gRPC client connections

type CredentialSupport struct {

	sync.RWMutex

	AppRootCAsByChain           map[string]CertificateBundle

	OrdererRootCAsByChainAndOrg OrgRootCAs

	ClientRootCAs               CertificateBundle

	ServerRootCAs               CertificateBundle

	clientCert                  tls.Certificate

}



// GetCredentialSupport returns the singleton CredentialSupport instance

func GetCredentialSupport() *CredentialSupport {



	once.Do(func() {

		credSupport = &CredentialSupport{

			AppRootCAsByChain:           make(map[string]CertificateBundle),

			OrdererRootCAsByChainAndOrg: make(OrgRootCAs),

		}

	})

	return credSupport

}



// SetClientCertificate sets the tls.Certificate to use for gRPC client

// connections

func (cs *CredentialSupport) SetClientCertificate(cert tls.Certificate) {

	cs.clientCert = cert

}



// GetClientCertificate returns the client certificate of the CredentialSupport

func (cs *CredentialSupport) GetClientCertificate() tls.Certificate {

	return cs.clientCert

}



// GetDeliverServiceCredentials returns gRPC transport credentials for given channel

// to be used by gRPC clients which communicate with ordering service endpoints.

// If appendStaticRoots is set to true, ServerRootCAs are also included in the

// credentials.  If the channel isn't found, an error is returned.

func (cs *CredentialSupport) GetDeliverServiceCredentials(

	channelID string,

	appendStaticRoots bool,

	orgs []string,

	endpointOverrides map[string]*OrdererEndpoint,

) (credentials.TransportCredentials, error) {

	cs.RLock()

	defer cs.RUnlock()



	rootCACertsByOrg, exists := cs.OrdererRootCAsByChainAndOrg[channelID]

	if !exists {

		commLogger.Errorf("Attempted to obtain root CA certs of a non existent channel: %s", channelID)

		return nil, fmt.Errorf("didn't find any root CA certs for channel %s", channelID)

	}



	var rootCACerts CertificateBundle

	// Collect all TLS root CA certs for the organizations requested.

	for _, org := range orgs {

		rootCACerts = append(rootCACerts, rootCACertsByOrg[org]...)

	}



	// In case the peer is configured to use additional static TLS root CAs,

	// add them to the list as well.

	if appendStaticRoots {

		for _, cert := range cs.ServerRootCAs {

			rootCACerts = append(rootCACerts, cert)

		}

	}



	// Parse all PEM bundles and add them into the CA cert pool.

	certPool := x509.NewCertPool()



	for _, cert := range rootCACerts {

		block, _ := pem.Decode(cert)

		if block != nil {

			cert, err := x509.ParseCertificate(block.Bytes)

			if err == nil {

				certPool.AddCert(cert)

			} else {

				commLogger.Warningf("Failed to add root cert to credentials: %s", err)

			}

		} else {

			commLogger.Warning("Failed to add root cert to credentials")

		}

	}



	for _, override := range endpointOverrides {

		certPool.AppendCertsFromPEM(override.PEMs)

	}



	var gmSupport *tls.GMSupport



	if gm.IsPureGMTLSCertificate(&cs.clientCert) {

		gmSupport = &tls.GMSupport{}

	}



	// Finally, create a TLS client config with the computed TLS root CAs.

	var creds credentials.TransportCredentials

	tlsConfig := &tls.Config{

		GMSupport:    gmSupport,

		Certificates: []tls.Certificate{cs.clientCert},

		RootCAs:      certPool,

	}



	creds = gmcredentials.NewTLS(tlsConfig)

	return creds, nil

}



// GetPeerCredentials returns gRPC transport credentials for use by gRPC

// clients which communicate with remote peer endpoints.

func (cs *CredentialSupport) GetPeerCredentials() credentials.TransportCredentials {

	cs.RLock()

	defer cs.RUnlock()



	tlsConfig := &tls.Config{

		Certificates: []tls.Certificate{cs.clientCert},

	}



	if gm.IsPureGMTLSCertificate(&cs.clientCert) {

		tlsConfig.GMSupport = &tls.GMSupport{}

	}



	certPool := x509.NewCertPool()

	appRootCAs := [][]byte{}

	for _, appRootCA := range cs.AppRootCAsByChain {

		appRootCAs = append(appRootCAs, appRootCA...)

	}

	// also need to append statically configured root certs

	appRootCAs = append(appRootCAs, cs.ServerRootCAs...)

	// loop through the app root CAs

	for _, appRootCA := range appRootCAs {

		err := AddPemToCertPool(appRootCA, certPool)

		if err != nil {

			commLogger.Warningf("Failed adding certificates to peer's client TLS trust pool: %s", err)

		}

	}



	tlsConfig.RootCAs = certPool

	return gmcredentials.NewTLS(tlsConfig)

}



func getEnv(key, def string) string {

	val := os.Getenv(key)

	if len(val) > 0 {

		return val

	} else {

		return def

	}

}



// NewClientConnectionWithAddress Returns a new grpc.ClientConn to the given address

func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool,

	creds credentials.TransportCredentials, ka *KeepaliveOptions) (*grpc.ClientConn, error) {

	var opts []grpc.DialOption



	if ka != nil {

		opts = ClientKeepaliveOptions(ka)

	} else {

		// set to the default options

		opts = ClientKeepaliveOptions(DefaultKeepaliveOptions)

	}



	if tslEnabled {

		opts = append(opts, grpc.WithTransportCredentials(creds))

	} else {

		opts = append(opts, grpc.WithInsecure())

	}

	if block {

		opts = append(opts, grpc.WithBlock())

	}

	opts = append(opts, grpc.WithDefaultCallOptions(

		grpc.MaxCallRecvMsgSize(MaxRecvMsgSize),

		grpc.MaxCallSendMsgSize(MaxSendMsgSize),

	))

	ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)

	defer cancel()

	conn, err := grpc.DialContext(ctx, peerAddress, opts...)

	if err != nil {

		return nil, err

	}

	return conn, err

}



func InitTLSForShim(key, certStr string) credentials.TransportCredentials {

	var sn string

	priv, err := base64.StdEncoding.DecodeString(key)

	if err != nil {

		commLogger.Panicf("failed decoding private key from base64, string: %s, error: %v", key, err)

	}

	pub, err := base64.StdEncoding.DecodeString(certStr)

	if err != nil {

		commLogger.Panicf("failed decoding public key from base64, string: %s, error: %v", certStr, err)

	}

	cert, err := tls.X509KeyPair(pub, priv)

	if err != nil {

		commLogger.Panicf("failed loading certificate: %v", err)

	}

	b, err := ioutil.ReadFile(config.GetPath("peer.tls.rootcert.file"))

	if err != nil {

		commLogger.Panicf("failed loading root ca cert: %v", err)

	}

	cp := x509.NewCertPool()

	if !cp.AppendCertsFromPEM(b) {

		commLogger.Panicf("failed to append certificates")

	}



	var gmSupport *tls.GMSupport

	if gm.IsPureGMTLSCertificate(&cert) {

		gmSupport = &tls.GMSupport{}

	}



	return gmcredentials.NewTLS(&tls.Config{

		GMSupport:    gmSupport,

		Certificates: []tls.Certificate{cert},

		RootCAs:      cp,

		ServerName:   sn,

	})

}
Go
1
https://gitee.com/hyperledger-fabric-gm/fabric.git
git@gitee.com:hyperledger-fabric-gm/fabric.git
hyperledger-fabric-gm
fabric
fabric
v1.4.9
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部