TLS enabled external chaincode example (#438)

* Enable TLS on asset-transfer-basic external chaincode

1. Introduce environment variables to enable or disable TLS
at runtime. Also, introduce environment variables which carries
the server key, cert and the client machine's root CA cert
information.
2. Read the environment variables to decide with appropriate
assumptions on default values to work as is today.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

* Update the chaincode.env with new options

1. Introduce four new environment variables to the default
chaincode environment file.
2. Add two new environment files for easy/automation running
of the external chaincodes for different organizations.

Note that when TLS enabled, the package contents will change.
So each organization will have their own package ID
generated unlike earlier. Also, there will be two chaincode
containers running instead of one for the given example.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

* Add docker compose file for running chaincodes

The file will build and run the chaincode on the fly.
Also, it will make use of the available files which is
configured by the user as part of execution. This will
help in bringup/bringdown of the chaincode containers.

In addition, it will help in updating the environment
variables on the go.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

* Introduce crypto directory and ignore the pem contents

The directory is used by the docker-compose file for
automation. Instructions in the README.md file will
suffice the filling up of required files in this directory.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

* Instructions on TLS enabled external chaincode server

1. Add instructions to generate a chaincode server TLS
parameters.
2. Add instructions on different parameters that peer node
expects and the chaincode expects.
3. Add instructions on steps to be followed in asset-transfer
-basic to work with iTLS enabled exteral chaincode.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

* Enable chaincode to work without TLS as well

1. Root certificate is an optional parameter supplied for
chaincode to verify the peer's connection in response.
2. If TLS is enabled, then specify the key and cert
parameters. Do not expect it otherwise.

Signed-off-by: S m, Aruna <arun.s.m.cse@gmail.com>

asset-transfer-basic/chaincode-external/.gitignore

@@ -1,2 +1,3 @@
 *.tar.gz
 *.tgz
+crypto/*.pem

asset-transfer-basic/chaincode-external/README.md

@@ -172,3 +172,65 @@ node app.js
 ```
 
 If all goes well, the program should run exactly the same as described in the "Writing Your First Application" tutorial.
+
+## Enabling TLS for chaincode and peer communication
+
+**Note:** This section uses an example of self-signed certificate. You may use your organization hosted CA to issue the certificate and generate a key for production deployment.
+
+In the sample so far, you connected both peers in `test-network` to the single instance of chaincode server. However, if you would like to enable TLS between the peer nodes and the chaincode server, each peer node needs to have its own CA certificate. Enabling TLS is made possible at runtime in the chaincode.
+
+- As a first step generate a keypair that can be used. Run these commands from the `fabric-samples/asset-transfer-basic/chaincode-external` directory.
+
+*Find instructions to install `openssl` in [openssl.org](https://www.openssl.org/)*
+
+For `org1.example.com`
+
+```
+openssl req -nodes -x509 -newkey rsa:4096 -keyout crypto/key1.pem -out crypto/cert1.pem -subj "/C=IN/ST=KA/L=Bangalore/O=example Inc/OU=Developer/CN=asset-transfer-basic.org1.example.com/emailAddress=dev@asset-transfer-basic.org1.example.com"
+```
+
+For `org2.example.com`
+
+```
+openssl req -nodes -x509 -newkey rsa:4096 -keyout crypto/key2.pem -out crypto/cert2.pem -subj "/C=IN/ST=KA/L=Bangalore/O=example Inc/OU=Developer/CN=asset-transfer-basic.org2.example.com/emailAddress=dev@asset-transfer-basic.org2.example.com"
+```
+
+- Copy the CA file contents for both `org1.example.com` & `org2.example.com`
+
+```
+cp ../../test-network/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem crypto/rootcert1.pem
+cp ../../test-network/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem crypto/rootcert2.pem
+```
+
+- Generate a client key and cert for auth purpose. You need a key and cert generated from the CA of each organization. Peer nodes act as clients to chaincode server.
+
+- Change the `connection.json` with the below contents. The `root_cert` parameter is the root CA certificate which the chaincode server is run with. You may run the below commands to get the certificate file contents as strings and copy them when needed.
+
+```
+awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' crypto/cert1.pem
+awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' crypto/cert2.pem
+```
+
+Similarly, replace the `client_key` and the `client_cert` contents with the values from the previous step.
+
+```
+{
+  "address": "asset-transfer-basic.org1.example.com:9999",
+  "dial_timeout": "10s",
+  "tls_required": true,
+  "client_auth_required": true,
+  "client_key": "-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----",
+  "client_cert": "-----BEGIN CERTIFICATE---- ... -----END CERTIFICATE-----",
+  "root_cert": "-----BEGIN CERTIFICATE---- ... -----END CERTIFICATE-----"
+}
+```
+
+- Follow the instructions in [Package](#packaging-and-installing-chaincode) and [Install](#installing-the-external-chaincode) steps for each organization. Remember that the chaincode server's address for the second organization is `asset-transfer-basic.org2.example.com:9999`.
+
+- Copy the appropriate `CHAINCODE_ID` to both [chaincode1.env](./chaincode1.env) and [chaincode2.env](./chaincode2.env) files. Bring up the chaincode containers using the docker-compose command below
+
+```
+docker-compose up -f docker-compose-chaincode.yaml up --build -d
+```
+
+- Follow the instructions in [Finish Deployment](#finish-deploying-the-asset-transfer-basic-external-chaincode-) for each organization seperately.

asset-transfer-basic/chaincode-external/assetTransfer.go

@@ -7,8 +7,10 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
+	"strconv"
 
 	"github.com/hyperledger/fabric-chaincode-go/shim"
 	"github.com/hyperledger/fabric-contract-api-go/contractapi"
@@ -224,12 +226,66 @@ func main() {
 		CCID:    config.CCID,
 		Address: config.Address,
 		CC:      chaincode,
-		TLSProps: shim.TLSProperties{
-			Disabled: true,
-		},
+		TLSProps: getTLSProperties(),
 	}
 
 	if err := server.Start(); err != nil {
 		log.Panicf("error starting asset-transfer-basic chaincode: %s", err)
 	}
 }
+
+func getTLSProperties() shim.TLSProperties {
+	// Check if chaincode is TLS enabled
+	tlsDisabledStr := getEnvOrDefault("CHAINCODE_TLS_DISABLED", "true")
+	key := getEnvOrDefault("CHAINCODE_TLS_KEY", "")
+	cert := getEnvOrDefault("CHAINCODE_TLS_CERT", "")
+	clientCACert := getEnvOrDefault("CHAINCODE_CLIENT_CA_CERT", "")
+
+	// convert tlsDisabledStr to boolean
+	tlsDisabled := getBoolOrDefault(tlsDisabledStr, false)
+	var keyBytes, certBytes, clientCACertBytes []byte
+	var err error
+
+	if !tlsDisabled {
+		keyBytes, err = ioutil.ReadFile(key)
+		if err != nil {
+			log.Panicf("error while reading the crypto file: %s", err)
+		}
+		certBytes, err = ioutil.ReadFile(cert)
+		if err != nil {
+			log.Panicf("error while reading the crypto file: %s", err)
+		}
+	}
+	// Did not request for the peer cert verification
+	if clientCACert != "" {
+		clientCACertBytes, err = ioutil.ReadFile(clientCACert)
+		if err != nil {
+			log.Panicf("error while reading the crypto file: %s", err)
+		}
+	}
+
+	return shim.TLSProperties{
+		Disabled: tlsDisabled,
+		Key: keyBytes,
+		Cert: certBytes,
+		ClientCACerts: clientCACertBytes,
+	}
+}
+
+func getEnvOrDefault(env, defaultVal string) string {
+	value, ok := os.LookupEnv(env)
+	if !ok {
+		value = defaultVal
+	}
+	return value
+}
+
+// Note that the method returns default value if the string
+// cannot be parsed!
+func getBoolOrDefault(value string, defaultVal bool) bool {
+	parsed, err := strconv.ParseBool(value)
+	if err!= nil {
+		return defaultVal
+	}
+	return parsed
+}

asset-transfer-basic/chaincode-external/chaincode.env

@@ -6,3 +6,19 @@ CHAINCODE_SERVER_ADDRESS=asset-transfer-basic.org1.example.com:9999
 # on install. The `peer lifecycle chaincode queryinstalled` command can be
 # used to get the ID after install if required
 CHAINCODE_ID=basic_1.0:0262396ccaffaa2174bc09f750f742319c4f14d60b16334d2c8921b6842c090c
+
+# Optional parameters that will be used for TLS connection between peer node
+# and the chaincode.
+# TLS is disabled by default, uncomment the following line to enable TLS connection
+# CHAINCODE_TLS_DISABLED=false
+
+# Following variables will be ignored if TLS is not enabled.
+# They need to be in PEM format
+# CHAINCODE_TLS_KEY=/path/to/private/key/file
+# CHAINCODE_TLS_CERT=/path/to/public/cert/file
+
+# The following variable will be used by the chaincode server to verify the
+# connection from the peer node.
+# Note that when this is set a single chaincode server cannot be shared
+# across organizations unless their root CA is same.
+# CHAINCODE_CLIENT_CA_CERT=/path/to/peer/organization/root/ca/cert/file

asset-transfer-basic/chaincode-external/chaincode1.env

@@ -0,0 +1,24 @@
+# CHAINCODE_SERVER_ADDRESS must be set to the host and port where the peer can
+# connect to the chaincode server
+CHAINCODE_SERVER_ADDRESS=asset-transfer-basic.org1.example.com:9999
+
+# CHAINCODE_ID must be set to the Package ID that is assigned to the chaincode
+# on install. The `peer lifecycle chaincode queryinstalled` command can be
+# used to get the ID after install if required
+CHAINCODE_ID=basic_1.0:6726c6b6d8ff66fcf5710b72c6ce512d24f118c51c3de510b3d43e51fa592a7d
+
+# Optional parameters that will be used for TLS connection between peer node
+# and the chaincode.
+# TLS is disabled by default, uncomment the following line to enable TLS connection
+CHAINCODE_TLS_DISABLED=false
+
+# Following variables will be ignored if TLS is not enabled.
+# They need to be in PEM format
+CHAINCODE_TLS_KEY=/crypto/key1.pem
+CHAINCODE_TLS_CERT=/crypto/cert1.pem
+
+# The following variable will be used by the chaincode server to verify the
+# connection from the peer node.
+# Note that when this is set a single chaincode server cannot be shared
+# across organizations unless their root CA is same.
+CHAINCODE_CLIENT_CA_CERT=/crypto/rootcert1.pem

asset-transfer-basic/chaincode-external/chaincode2.env

@@ -0,0 +1,24 @@
+# CHAINCODE_SERVER_ADDRESS must be set to the host and port where the peer can
+# connect to the chaincode server
+CHAINCODE_SERVER_ADDRESS=asset-transfer-basic.org2.example.com:9999
+
+# CHAINCODE_ID must be set to the Package ID that is assigned to the chaincode
+# on install. The `peer lifecycle chaincode queryinstalled` command can be
+# used to get the ID after install if required
+CHAINCODE_ID=basic_1.0:e8f9052385e3763ecf5635591155da05d8efbb6905ccbfc1c7229eb6bd28df1b
+
+# Optional parameters that will be used for TLS connection between peer node
+# and the chaincode.
+# TLS is disabled by default, uncomment the following line to enable TLS connection
+CHAINCODE_TLS_DISABLED=false
+
+# Following variables will be ignored if TLS is not enabled.
+# They need to be in PEM format
+CHAINCODE_TLS_KEY=/crypto/key2.pem
+CHAINCODE_TLS_CERT=/crypto/cert2.pem
+
+# The following variable will be used by the chaincode server to verify the
+# connection from the peer node.
+# Note that when this is set a single chaincode server cannot be shared
+# across organizations unless their root CA is same.
+CHAINCODE_CLIENT_CA_CERT=/crypto/rootcert2.pem

asset-transfer-basic/chaincode-external/docker-compose-chaincode.yaml

@@ -0,0 +1,32 @@
+version: "3.6"
+
+networks:
+    docker_test:
+        external: true
+
+services:
+    asset-transfer-basic.org1.example.com:
+        build: .
+        container_name: asset-transfer-basic.org1.example.com
+        hostname: asset-transfer-basic.org1.example.com
+        volumes:
+            - ./crypto:/crypto
+        env_file:
+            - chaincode1.env
+        networks:
+            docker_test:
+        expose:
+            - 9999
+
+    asset-transfer-basic.org2.example.com:
+        build: .
+        container_name: asset-transfer-basic.org2.example.com
+        hostname: asset-transfer-basic.org2.example.com
+        volumes:
+            - ./crypto:/crypto
+        env_file:
+            - chaincode2.env
+        networks:
+            docker_test:
+        expose:
+            - 9999