登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > 区块链 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
63 Star 183 Fork 3

Gitee 极速下载/hyperledger-fabric

代码 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
此仓库是为了提升国内下载速度的镜像仓库,每日同步一次。 原始仓库: https://github.com/hyperledger/fabric
克隆/下载
connection.go 6.18 KB
一键复制 编辑 原始数据 按行查看 历史
YACOVM 提交于 2017-06-08 14:56 . [FAB-3715] Harden deliveryService TLS credentials
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215
/*

Copyright IBM Corp. All Rights Reserved.



SPDX-License-Identifier: Apache-2.0

*/



package comm



import (

	"crypto/tls"

	"crypto/x509"

	"encoding/pem"

	"fmt"

	"os"

	"sync"

	"time"



	"github.com/hyperledger/fabric/common/flogging"

	"github.com/hyperledger/fabric/core/config"

	"github.com/spf13/viper"

	"google.golang.org/grpc"

	"google.golang.org/grpc/credentials"

	"google.golang.org/grpc/grpclog"

)



const defaultTimeout = time.Second * 3



var commLogger = flogging.MustGetLogger("comm")

var caSupport *CASupport

var once sync.Once



// CASupport type manages certificate authorities scoped by channel

type CASupport struct {

	sync.RWMutex

	AppRootCAsByChain     map[string][][]byte

	OrdererRootCAsByChain map[string][][]byte

	ClientRootCAs         [][]byte

	ServerRootCAs         [][]byte

}



// GetCASupport returns the signleton CASupport instance

func GetCASupport() *CASupport {



	once.Do(func() {

		caSupport = &CASupport{

			AppRootCAsByChain:     make(map[string][][]byte),

			OrdererRootCAsByChain: make(map[string][][]byte),

		}

	})

	return caSupport

}



// GetServerRootCAs returns the PEM-encoded root certificates for all of the

// application and orderer organizations defined for all chains.  The root

// certificates returned should be used to set the trusted server roots for

// TLS clients.

func (cas *CASupport) GetServerRootCAs() (appRootCAs, ordererRootCAs [][]byte) {

	cas.RLock()

	defer cas.RUnlock()



	appRootCAs = [][]byte{}

	ordererRootCAs = [][]byte{}



	for _, appRootCA := range cas.AppRootCAsByChain {

		appRootCAs = append(appRootCAs, appRootCA...)

	}



	for _, ordererRootCA := range cas.OrdererRootCAsByChain {

		ordererRootCAs = append(ordererRootCAs, ordererRootCA...)

	}



	// also need to append statically configured root certs

	appRootCAs = append(appRootCAs, cas.ServerRootCAs...)

	return appRootCAs, ordererRootCAs

}



// GetDeliverServiceCredentials returns GRPC transport credentials for given channel to be used by GRPC

// clients which communicate with ordering service endpoints.

// If the channel isn't found, error is returned.

func (cas *CASupport) GetDeliverServiceCredentials(channelID string) (credentials.TransportCredentials, error) {

	cas.RLock()

	defer cas.RUnlock()



	var creds credentials.TransportCredentials

	var tlsConfig = &tls.Config{}

	var certPool = x509.NewCertPool()



	rootCACerts, exists := cas.OrdererRootCAsByChain[channelID]

	if !exists {

		commLogger.Errorf("Attempted to obtain root CA certs of a non existent channel: %s", channelID)

		return nil, fmt.Errorf("didn't find any root CA certs for channel %s", channelID)

	}



	for _, cert := range rootCACerts {

		block, _ := pem.Decode(cert)

		if block != nil {

			cert, err := x509.ParseCertificate(block.Bytes)

			if err == nil {

				certPool.AddCert(cert)

			} else {

				commLogger.Warningf("Failed to add root cert to credentials (%s)", err)

			}

		} else {

			commLogger.Warning("Failed to add root cert to credentials")

		}

	}

	tlsConfig.RootCAs = certPool

	creds = credentials.NewTLS(tlsConfig)

	return creds, nil

}



// GetPeerCredentials returns GRPC transport credentials for use by GRPC

// clients which communicate with remote peer endpoints.

func (cas *CASupport) GetPeerCredentials(tlsCert tls.Certificate) credentials.TransportCredentials {

	var creds credentials.TransportCredentials

	var tlsConfig = &tls.Config{

		Certificates: []tls.Certificate{tlsCert},

	}

	var certPool = x509.NewCertPool()

	// loop through the orderer CAs

	roots, _ := cas.GetServerRootCAs()

	for _, root := range roots {

		block, _ := pem.Decode(root)

		if block != nil {

			cert, err := x509.ParseCertificate(block.Bytes)

			if err == nil {

				certPool.AddCert(cert)

			} else {

				commLogger.Warningf("Failed to add root cert to credentials (%s)", err)

			}

		} else {

			commLogger.Warning("Failed to add root cert to credentials")

		}

	}

	tlsConfig.RootCAs = certPool

	creds = credentials.NewTLS(tlsConfig)

	return creds

}



// GetClientRootCAs returns the PEM-encoded root certificates for all of the

// application and orderer organizations defined for all chains.  The root

// certificates returned should be used to set the trusted client roots for

// TLS servers.

func (cas *CASupport) GetClientRootCAs() (appRootCAs, ordererRootCAs [][]byte) {

	cas.RLock()

	defer cas.RUnlock()



	appRootCAs = [][]byte{}

	ordererRootCAs = [][]byte{}



	for _, appRootCA := range cas.AppRootCAsByChain {

		appRootCAs = append(appRootCAs, appRootCA...)

	}



	for _, ordererRootCA := range cas.OrdererRootCAsByChain {

		ordererRootCAs = append(ordererRootCAs, ordererRootCA...)

	}



	// also need to append statically configured root certs

	appRootCAs = append(appRootCAs, cas.ClientRootCAs...)

	return appRootCAs, ordererRootCAs

}



func getEnv(key, def string) string {

	val := os.Getenv(key)

	if len(val) > 0 {

		return val

	} else {

		return def

	}

}



func GetPeerTestingAddress(port string) string {

	return getEnv("UNIT_TEST_PEER_IP", "localhost") + ":" + port

}



// NewClientConnectionWithAddress Returns a new grpc.ClientConn to the given address.

func NewClientConnectionWithAddress(peerAddress string, block bool, tslEnabled bool, creds credentials.TransportCredentials) (*grpc.ClientConn, error) {

	var opts []grpc.DialOption

	if tslEnabled {

		opts = append(opts, grpc.WithTransportCredentials(creds))

	} else {

		opts = append(opts, grpc.WithInsecure())

	}

	opts = append(opts, grpc.WithTimeout(defaultTimeout))

	if block {

		opts = append(opts, grpc.WithBlock())

	}

	opts = append(opts, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxRecvMsgSize()),

		grpc.MaxCallSendMsgSize(MaxSendMsgSize())))

	conn, err := grpc.Dial(peerAddress, opts...)

	if err != nil {

		return nil, err

	}

	return conn, err

}



// InitTLSForPeer returns TLS credentials for peer

func InitTLSForPeer() credentials.TransportCredentials {

	var sn string

	if viper.GetString("peer.tls.serverhostoverride") != "" {

		sn = viper.GetString("peer.tls.serverhostoverride")

	}

	var creds credentials.TransportCredentials

	if config.GetPath("peer.tls.rootcert.file") != "" {

		var err error

		creds, err = credentials.NewClientTLSFromFile(config.GetPath("peer.tls.rootcert.file"), sn)

		if err != nil {

			grpclog.Fatalf("Failed to create TLS credentials %v", err)

		}

	} else {

		creds = credentials.NewClientTLSFromCert(nil, sn)

	}

	return creds

}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/mirrors/hyperledger-fabric.git
git@gitee.com:mirrors/hyperledger-fabric.git
mirrors
hyperledger-fabric
hyperledger-fabric
v1.0.2
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部