add consnter info to router config

add router info to consenter config
router's certificate pinning in SubmitConfig
add configSubmitter to router, without forwarding config requests

Signed-off-by: Dor.Katzelnick <Dor.Katzelnick@ibm.com>

Author: DorKatzelnick

common/utils/pem_utils.go

@@ -0,0 +1,72 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package utils
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+)
+
+func ReadPem(path string) ([]byte, error) {
+	if path == "" {
+		return nil, fmt.Errorf("failed reading pem file, path is empty")
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed reading a pem file from %s, err: %v", path, err)
+	}
+
+	return data, nil
+}
+
+func blockToPublicKey(block *pem.Block) []byte {
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		panic(fmt.Sprintf("Failed parsing consenter signing certificate: %v", err))
+	}
+
+	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
+	if !ok {
+		panic(fmt.Sprintf("Failed parsing consenter public key: %v", err))
+	}
+
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
+	if err != nil {
+		panic(fmt.Sprintf("Failed marshaling consenter public key: %v", err))
+	}
+
+	pemPublicKey := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+
+	return pemPublicKey
+}
+
+func GetPublicKeyFromCertificate(nodeCert []byte) []byte {
+	// Fetch public key from signing certificate
+	// NOTE: ARMA's new configuration now uses certificates, which inherently contain the public key, instead of a separate public key field.
+	// To ensure backward compatibility until the full new config integration, the public key it enabled.
+	block, _ := pem.Decode(nodeCert)
+	if block == nil || block.Bytes == nil {
+		panic("Failed decoding consenter signing certificate")
+	}
+
+	var pemPublicKey []byte
+	if block.Type == "CERTIFICATE" {
+		pemPublicKey = blockToPublicKey(block)
+	}
+
+	if block.Type == "PUBLIC KEY" {
+		pemPublicKey = nodeCert
+	}
+
+	return pemPublicKey
+}

common/utils/read_pem_test.go renamed to common/utils/pem_utils_test.go

@@ -7,9 +7,6 @@ SPDX-License-Identifier: Apache-2.0
 package config
 
 import (
-	"crypto/ecdsa"
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -249,6 +246,7 @@ func (config *Configuration) ExtractRouterConfig(configBlock *common.Block) *nod
 		ListenAddress:                       config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenAddress + ":" + strconv.Itoa(int(config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenPort)),
 		ConfigStorePath:                     config.LocalConfig.NodeLocalConfig.FileStore.Path,
 		Shards:                              config.ExtractShards(),
+		Consenter:                           config.ExtractConsenterInParty(),
 		NumOfConnectionsForBatcher:          config.LocalConfig.NodeLocalConfig.RouterParams.NumberOfConnectionsPerBatcher,
 		NumOfgRPCStreamsPerConnection:       config.LocalConfig.NodeLocalConfig.RouterParams.NumberOfStreamsPerConnection,
 		UseTLS:                              config.LocalConfig.TLSConfig.Enabled,
@@ -318,6 +316,7 @@ func (config *Configuration) ExtractConsenterConfig() *nodeconfig.ConsenterNodeC
 	consenterConfig := &nodeconfig.ConsenterNodeConfig{
 		Shards:             config.ExtractShards(),
 		Consenters:         config.ExtractConsenters(),
+		Router:             config.ExtractRouterInParty(),
 		Directory:          config.LocalConfig.NodeLocalConfig.FileStore.Path,
 		ListenAddress:      config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenAddress + ":" + strconv.Itoa(int(config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenPort)),
 		PartyId:            config.LocalConfig.NodeLocalConfig.PartyID,
@@ -372,22 +371,7 @@ func (config *Configuration) ExtractShards() []nodeconfig.ShardInfo {
 		for _, batcher := range party.BatchersConfig {
 			shardId := types.ShardID(batcher.ShardID)
 
-			// Fetch public key from signing certificate
-			// NOTE: ARMA's new configuration uses certificates, which inherently contain the public key, instead of a separate public key field.
-			// To ensure backward compatibility until the full new config integration, the public key it enabled.
-			block, _ := pem.Decode(batcher.SignCert)
-			if block == nil || block.Bytes == nil {
-				panic("Failed decoding batcher signing certificate")
-			}
-
-			var pemPublicKey []byte
-			if block.Type == "CERTIFICATE" {
-				pemPublicKey = blockToPublicKey(block)
-			}
-
-			if block.Type == "PUBLIC KEY" {
-				pemPublicKey = batcher.SignCert
-			}
+			pemPublicKey := utils.GetPublicKeyFromCertificate(batcher.SignCert)
 
 			batcher := nodeconfig.BatcherInfo{
 				PartyID:    types.PartyID(party.PartyID),
@@ -425,22 +409,7 @@ func (config *Configuration) ExtractConsenters() []nodeconfig.ConsenterInfo {
 			tlsCACertsCollection = append(tlsCACertsCollection, ca)
 		}
 
-		// Fetch public key from signing certificate
-		// NOTE: ARMA's new configuration now uses certificates, which inherently contain the public key, instead of a separate public key field.
-		// To ensure backward compatibility until the full new config integration, the public key it enabled.
-		block, _ := pem.Decode(party.ConsenterConfig.SignCert)
-		if block == nil || block.Bytes == nil {
-			panic("Failed decoding consenter signing certificate")
-		}
-
-		var pemPublicKey []byte
-		if block.Type == "CERTIFICATE" {
-			pemPublicKey = blockToPublicKey(block)
-		}
-
-		if block.Type == "PUBLIC KEY" {
-			pemPublicKey = party.ConsenterConfig.SignCert
-		}
+		pemPublicKey := utils.GetPublicKeyFromCertificate(party.ConsenterConfig.SignCert)
 
 		consenterInfo := nodeconfig.ConsenterInfo{
 			PartyID:    types.PartyID(party.PartyID),
@@ -454,26 +423,28 @@ func (config *Configuration) ExtractConsenters() []nodeconfig.ConsenterInfo {
 	return consenters
 }
 
-func blockToPublicKey(block *pem.Block) []byte {
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		panic(fmt.Sprintf("Failed parsing consenter signing certificate: %v", err))
-	}
+func (config *Configuration) ExtractRouterInParty() nodeconfig.RouterInfo {
+	partyID := config.LocalConfig.NodeLocalConfig.PartyID
+	party := config.SharedConfig.PartiesConfig[partyID-1]
+	routerConfig := party.RouterConfig
 
-	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
-	if !ok {
-		panic(fmt.Sprintf("Failed parsing consenter public key: %v", err))
+	var tlsCACertsCollection []nodeconfig.RawBytes
+	for _, ca := range party.TLSCACerts {
+		tlsCACertsCollection = append(tlsCACertsCollection, ca)
 	}
 
-	publicKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
-	if err != nil {
-		panic(fmt.Sprintf("Failed marshaling consenter public key: %v", err))
+	routerInfo := nodeconfig.RouterInfo{
+		PartyID:    partyID,
+		Endpoint:   routerConfig.Host + ":" + strconv.Itoa(int(routerConfig.Port)),
+		TLSCACerts: tlsCACertsCollection,
+		TLSCert:    routerConfig.TlsCert,
 	}
 
-	pemPublicKey := pem.EncodeToMemory(&pem.Block{
-		Type:  "PUBLIC KEY",
-		Bytes: publicKeyBytes,
-	})
+	return routerInfo
+}
 
-	return pemPublicKey
+func (config *Configuration) ExtractConsenterInParty() nodeconfig.ConsenterInfo {
+	partyID := config.LocalConfig.NodeLocalConfig.PartyID
+	consenterInfos := config.ExtractConsenters()
+	return consenterInfos[partyID-1]
 }

common/utils/read_pem.go

@@ -65,6 +65,13 @@ type ConsenterInfo struct {
 	TLSCACerts []RawBytes
 }
 
+type RouterInfo struct {
+	PartyID    types.PartyID
+	Endpoint   string
+	TLSCACerts []RawBytes
+	TLSCert    RawBytes
+}
+
 type RouterNodeConfig struct {
 	// Private config
 	PartyID            types.PartyID
@@ -74,6 +81,7 @@ type RouterNodeConfig struct {
 	ConfigStorePath    string
 	// Shared config
 	Shards                              []ShardInfo
+	Consenter                           ConsenterInfo
 	NumOfConnectionsForBatcher          int
 	NumOfgRPCStreamsPerConnection       int
 	UseTLS                              bool
@@ -134,6 +142,7 @@ type ConsenterNodeConfig struct {
 	// Shared config
 	Shards        []ShardInfo
 	Consenters    []ConsenterInfo
+	Router        RouterInfo
 	Directory     string
 	ListenAddress string
 	// Private config

config/config.go

@@ -25,12 +25,15 @@ func TestRouterNodeConfigToYaml(t *testing.T) {
 		{2, "127.0.0.1:7051", []RawBytes{{1, 2, 3}, {4, 5, 6}}, RawBytes("BatcherPubKey-2"), RawBytes("TLS CERT")},
 	}
 
+	consenter := ConsenterInfo{1, "127.0.0.1:7050", RawBytes("ConsenterPubKey-1"), []RawBytes{{1, 2, 3}, {4, 5, 6}}}
+
 	shards := []ShardInfo{{ShardId: 1, Batchers: batchers}}
 	rnc := &RouterNodeConfig{
 		TLSCertificateFile:            []byte("tls cert"),
 		TLSPrivateKeyFile:             []byte("tls key"),
 		PartyID:                       1,
 		Shards:                        shards,
+		Consenter:                     consenter,
 		NumOfConnectionsForBatcher:    1,
 		NumOfgRPCStreamsPerConnection: 2,
 	}
@@ -87,10 +90,12 @@ func TestConsenterNodeConfigToYaml(t *testing.T) {
 	}
 	shards := []ShardInfo{{ShardId: 1, Batchers: batchers}}
 	consenters := []ConsenterInfo{{1, "127.0.0.1:7050", RawBytes("ConsenterPubKey-1"), []RawBytes{{1, 2, 3}, {4, 5, 6}}}}
+	router := RouterInfo{1, "127.0.0.1:7050", []RawBytes{{1, 2, 3}, {4, 5, 6}}, RawBytes("ConsenterPubKey-1")}
 
 	cnc := &ConsenterNodeConfig{
 		Shards:             shards,
 		Consenters:         consenters,
+		Router:             router,
 		PartyId:            1,
 		TLSPrivateKeyFile:  RawBytes("TlsPrivateKey"),
 		TLSCertificateFile: RawBytes("TlsCertKey"),

node/config/config.go

@@ -12,6 +12,7 @@ import (
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"math/rand"
@@ -23,6 +24,7 @@ import (
 	"github.com/hyperledger/fabric-protos-go-apiv2/common"
 	"github.com/hyperledger/fabric-protos-go-apiv2/orderer"
 	arma_types "github.com/hyperledger/fabric-x-orderer/common/types"
+	"github.com/hyperledger/fabric-x-orderer/node"
 	"github.com/hyperledger/fabric-x-orderer/node/comm"
 	"github.com/hyperledger/fabric-x-orderer/node/config"
 	"github.com/hyperledger/fabric-x-orderer/node/consensus/badb"
@@ -141,9 +143,15 @@ func (c *Consensus) NotifyEvent(stream protos.Consensus_NotifyEventServer) error
 }
 
 // SubmitConfig is used to submit a config request from the router in the consenter's party.
-// TODO - add certificate pinning of the router, and forward the request.
-func (sc *Consensus) SubmitConfig(ctx context.Context, request *protos.Request) (*protos.SubmitResponse, error) {
-	return nil, fmt.Errorf("SubmitConfig not implemented")
+func (c *Consensus) SubmitConfig(ctx context.Context, request *protos.Request) (*protos.SubmitResponse, error) {
+	err := c.validateRouterFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	c.Logger.Infof("Received config request from router %s", c.Config.Router.Endpoint)
+
+	return &protos.SubmitResponse{Error: "SubmitConfig is not implemented in consenter", TraceId: request.TraceId}, nil
 }
 
 func (c *Consensus) SubmitRequest(req []byte) error {
@@ -559,3 +567,24 @@ func (c *Consensus) verifyCE(req []byte) (smartbft_types.RequestInfo, *state.Con
 		return smartbft_types.RequestInfo{}, ce, fmt.Errorf("empty control event")
 	}
 }
+
+func (c *Consensus) validateRouterFromContext(ctx context.Context) error {
+	// extract the client certificate from the context
+	cert := node.ExtractCertificateFromContext(ctx)
+	if cert == nil {
+		return errors.New("error: access denied; could not extract certificate from context")
+	}
+
+	// extract the router certificate from the ConsenterNodeConfig
+	rawRouterCert := c.Config.Router.TLSCert
+	pemBlock, _ := pem.Decode(rawRouterCert)
+	if pemBlock == nil || pemBlock.Bytes == nil {
+		return fmt.Errorf("error decoding router TLS certificate")
+	}
+
+	// compare the two certificates
+	if !bytes.Equal(pemBlock.Bytes, cert.Raw) {
+		return fmt.Errorf("error: access denied; client certificatte is different than the router's certificate")
+	}
+	return nil
+}