hyperledger
diff --git a/‎common/utils/pem_utils.go‎
Lines changed: 72 additions & 0 deletions b/‎common/utils/pem_utils.go‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎common/utils/read_pem_test.go‎ renamed to ‎common/utils/pem_utils_test.go‎ b/‎common/utils/read_pem_test.go‎ renamed to ‎common/utils/pem_utils_test.go‎
diff --git a/‎common/utils/read_pem.go‎
Lines changed: 0 additions & 24 deletions b/‎common/utils/read_pem.go‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎config/config.go‎
Lines changed: 35 additions & 50 deletions b/‎config/config.go‎
Lines changed: 35 additions & 50 deletions
diff --git a/‎node/config/config.go‎
Lines changed: 9 additions & 0 deletions b/‎node/config/config.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎node/config/config_test.go‎
Lines changed: 5 additions & 0 deletions b/‎node/config/config_test.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎node/consensus/consensus.go‎
Lines changed: 32 additions & 3 deletions b/‎node/consensus/consensus.go‎
Lines changed: 32 additions & 3 deletions
@@ -0,0 +1,72 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package utils
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+)
+
+func ReadPem(path string) ([]byte, error) {
+	if path == "" {
+		return nil, fmt.Errorf("failed reading pem file, path is empty")
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed reading a pem file from %s, err: %v", path, err)
+	}
+
+	return data, nil
+}
+
+func blockToPublicKey(block *pem.Block) []byte {
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		panic(fmt.Sprintf("Failed parsing consenter signing certificate: %v", err))
+	}
+
+	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
+	if !ok {
+		panic(fmt.Sprintf("Failed parsing consenter public key: %v", err))
+	}
+
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
+	if err != nil {
+		panic(fmt.Sprintf("Failed marshaling consenter public key: %v", err))
+	}
+
+	pemPublicKey := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+
+	return pemPublicKey
+}
+
+func GetPublicKeyFromCertificate(nodeCert []byte) []byte {
+	// Fetch public key from signing certificate
+	// NOTE: ARMA's new configuration now uses certificates, which inherently contain the public key, instead of a separate public key field.
+	// To ensure backward compatibility until the full new config integration, the public key it enabled.
+	block, _ := pem.Decode(nodeCert)
+	if block == nil || block.Bytes == nil {
+		panic("Failed decoding consenter signing certificate")
+	}
+
+	var pemPublicKey []byte
+	if block.Type == "CERTIFICATE" {
+		pemPublicKey = blockToPublicKey(block)
+	}
+
+	if block.Type == "PUBLIC KEY" {
+		pemPublicKey = nodeCert
+	}
+
+	return pemPublicKey
+}
@@ -7,10 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 package config
 
 import (
-	"crypto/ecdsa"
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"sort"
@@ -254,6 +252,7 @@ func (config *Configuration) ExtractRouterConfig(configBlock *common.Block) *nod
 		ListenAddress:                       config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenAddress + ":" + strconv.Itoa(int(config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenPort)),
 		ConfigStorePath:                     config.LocalConfig.NodeLocalConfig.FileStore.Path,
 		Shards:                              config.ExtractShards(),
+		Consenter:                           config.ExtractConsenterInParty(),
 		NumOfConnectionsForBatcher:          config.LocalConfig.NodeLocalConfig.RouterParams.NumberOfConnectionsPerBatcher,
 		NumOfgRPCStreamsPerConnection:       config.LocalConfig.NodeLocalConfig.RouterParams.NumberOfStreamsPerConnection,
 		UseTLS:                              config.LocalConfig.TLSConfig.Enabled,
@@ -333,6 +332,7 @@ func (config *Configuration) ExtractConsenterConfig() *nodeconfig.ConsenterNodeC
 	consenterConfig := &nodeconfig.ConsenterNodeConfig{
 		Shards:                  config.ExtractShards(),
 		Consenters:              config.ExtractConsenters(),
+		Router:                  config.ExtractRouterInParty(),
 		Directory:               config.LocalConfig.NodeLocalConfig.FileStore.Path,
 		ListenAddress:           config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenAddress + ":" + strconv.Itoa(int(config.LocalConfig.NodeLocalConfig.GeneralConfig.ListenPort)),
 		PartyId:                 config.LocalConfig.NodeLocalConfig.PartyID,
@@ -394,22 +394,7 @@ func (config *Configuration) ExtractShards() []nodeconfig.ShardInfo {
 		for _, batcher := range party.BatchersConfig {
 			shardId := types.ShardID(batcher.ShardID)
 
-			// Fetch public key from signing certificate
-			// NOTE: ARMA's new configuration uses certificates, which inherently contain the public key, instead of a separate public key field.
-			// To ensure backward compatibility until the full new config integration, the public key it enabled.
-			block, _ := pem.Decode(batcher.SignCert)
-			if block == nil || block.Bytes == nil {
-				panic("Failed decoding batcher signing certificate")
-			}
-
-			var pemPublicKey []byte
-			if block.Type == "CERTIFICATE" {
-				pemPublicKey = blockToPublicKey(block)
-			}
-
-			if block.Type == "PUBLIC KEY" {
-				pemPublicKey = batcher.SignCert
-			}
+			pemPublicKey := utils.GetPublicKeyFromCertificate(batcher.SignCert)
 
 			batcher := nodeconfig.BatcherInfo{
 				PartyID:    types.PartyID(party.PartyID),
@@ -447,22 +432,7 @@ func (config *Configuration) ExtractConsenters() []nodeconfig.ConsenterInfo {
 			tlsCACertsCollection = append(tlsCACertsCollection, ca)
 		}
 
-		// Fetch public key from signing certificate
-		// NOTE: ARMA's new configuration now uses certificates, which inherently contain the public key, instead of a separate public key field.
-		// To ensure backward compatibility until the full new config integration, the public key it enabled.
-		block, _ := pem.Decode(party.ConsenterConfig.SignCert)
-		if block == nil || block.Bytes == nil {
-			panic("Failed decoding consenter signing certificate")
-		}
-
-		var pemPublicKey []byte
-		if block.Type == "CERTIFICATE" {
-			pemPublicKey = blockToPublicKey(block)
-		}
-
-		if block.Type == "PUBLIC KEY" {
-			pemPublicKey = party.ConsenterConfig.SignCert
-		}
+		pemPublicKey := utils.GetPublicKeyFromCertificate(party.ConsenterConfig.SignCert)
 
 		consenterInfo := nodeconfig.ConsenterInfo{
 			PartyID:    types.PartyID(party.PartyID),
@@ -476,28 +446,43 @@ func (config *Configuration) ExtractConsenters() []nodeconfig.ConsenterInfo {
 	return consenters
 }
 
-func blockToPublicKey(block *pem.Block) []byte {
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		panic(fmt.Sprintf("Failed parsing consenter signing certificate: %v", err))
+func (config *Configuration) ExtractRouterInParty() nodeconfig.RouterInfo {
+	partyID := config.LocalConfig.NodeLocalConfig.PartyID
+	var party *protos.PartyConfig
+	for _, p := range config.SharedConfig.PartiesConfig {
+		if types.PartyID(p.PartyID) == partyID {
+			party = p
+		}
+	}
+	if party == nil {
+		panic("failed to extract router from config")
 	}
 
-	pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
-	if !ok {
-		panic(fmt.Sprintf("Failed parsing consenter public key: %v", err))
+	routerConfig := party.RouterConfig
+
+	var tlsCACertsCollection []nodeconfig.RawBytes
+	for _, ca := range party.TLSCACerts {
+		tlsCACertsCollection = append(tlsCACertsCollection, ca)
 	}
 
-	publicKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
-	if err != nil {
-		panic(fmt.Sprintf("Failed marshaling consenter public key: %v", err))
+	routerInfo := nodeconfig.RouterInfo{
+		PartyID:    partyID,
+		Endpoint:   net.JoinHostPort(routerConfig.Host, strconv.Itoa(int(routerConfig.Port))),
+		TLSCACerts: tlsCACertsCollection,
+		TLSCert:    routerConfig.TlsCert,
 	}
 
-	pemPublicKey := pem.EncodeToMemory(&pem.Block{
-		Type:  "PUBLIC KEY",
-		Bytes: publicKeyBytes,
-	})
+	return routerInfo
+}
 
-	return pemPublicKey
+func (config *Configuration) ExtractConsenterInParty() nodeconfig.ConsenterInfo {
+	consenterInfos := config.ExtractConsenters()
+	for _, consenter := range consenterInfos {
+		if consenter.PartyID == config.LocalConfig.NodeLocalConfig.PartyID {
+			return consenter
+		}
+	}
+	panic("failed to extract consenter from config")
 }
 
 func (config *Configuration) extractBundleFromConfigBlock(configBlock *common.Block) channelconfig.Resources {
 
@@ -65,6 +65,13 @@ type ConsenterInfo struct {
 	TLSCACerts []RawBytes
 }
 
+type RouterInfo struct {
+	PartyID    types.PartyID
+	Endpoint   string
+	TLSCACerts []RawBytes
+	TLSCert    RawBytes
+}
+
 type RouterNodeConfig struct {
 	// Private config
 	PartyID            types.PartyID
@@ -74,6 +81,7 @@ type RouterNodeConfig struct {
 	ConfigStorePath    string
 	// Shared config
 	Shards                              []ShardInfo
+	Consenter                           ConsenterInfo
 	NumOfConnectionsForBatcher          int
 	NumOfgRPCStreamsPerConnection       int
 	UseTLS                              bool
@@ -141,6 +149,7 @@ type ConsenterNodeConfig struct {
 	// Shared config
 	Shards        []ShardInfo
 	Consenters    []ConsenterInfo
+	Router        RouterInfo
 	Directory     string
 	ListenAddress string
 	// Private config
 
@@ -25,12 +25,15 @@ func TestRouterNodeConfigToYaml(t *testing.T) {
 		{2, "127.0.0.1:7051", []RawBytes{{1, 2, 3}, {4, 5, 6}}, RawBytes("BatcherPubKey-2"), RawBytes("TLS CERT")},
 	}
 
+	consenter := ConsenterInfo{1, "127.0.0.1:7050", RawBytes("ConsenterPubKey-1"), []RawBytes{{1, 2, 3}, {4, 5, 6}}}
+
 	shards := []ShardInfo{{ShardId: 1, Batchers: batchers}}
 	rnc := &RouterNodeConfig{
 		TLSCertificateFile:            []byte("tls cert"),
 		TLSPrivateKeyFile:             []byte("tls key"),
 		PartyID:                       1,
 		Shards:                        shards,
+		Consenter:                     consenter,
 		NumOfConnectionsForBatcher:    1,
 		NumOfgRPCStreamsPerConnection: 2,
 	}
@@ -87,10 +90,12 @@ func TestConsenterNodeConfigToYaml(t *testing.T) {
 	}
 	shards := []ShardInfo{{ShardId: 1, Batchers: batchers}}
 	consenters := []ConsenterInfo{{1, "127.0.0.1:7050", RawBytes("ConsenterPubKey-1"), []RawBytes{{1, 2, 3}, {4, 5, 6}}}}
+	router := RouterInfo{1, "127.0.0.1:7050", []RawBytes{{1, 2, 3}, {4, 5, 6}}, RawBytes("ConsenterPubKey-1")}
 
 	cnc := &ConsenterNodeConfig{
 		Shards:             shards,
 		Consenters:         consenters,
+		Router:             router,
 		PartyId:            1,
 		TLSPrivateKeyFile:  RawBytes("TlsPrivateKey"),
 		TLSCertificateFile: RawBytes("TlsCertKey"),
 
@@ -12,6 +12,7 @@ import (
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"math/rand"
@@ -23,6 +24,7 @@ import (
 	"github.com/hyperledger/fabric-protos-go-apiv2/common"
 	"github.com/hyperledger/fabric-protos-go-apiv2/orderer"
 	arma_types "github.com/hyperledger/fabric-x-orderer/common/types"
+	"github.com/hyperledger/fabric-x-orderer/node"
 	"github.com/hyperledger/fabric-x-orderer/node/comm"
 	"github.com/hyperledger/fabric-x-orderer/node/config"
 	"github.com/hyperledger/fabric-x-orderer/node/consensus/badb"
@@ -142,9 +144,14 @@ func (c *Consensus) NotifyEvent(stream protos.Consensus_NotifyEventServer) error
 }
 
 // SubmitConfig is used to submit a config request from the router in the consenter's party.
-// TODO - add certificate pinning of the router, and forward the request.
-func (sc *Consensus) SubmitConfig(ctx context.Context, request *protos.Request) (*protos.SubmitResponse, error) {
-	return nil, fmt.Errorf("SubmitConfig not implemented")
+func (c *Consensus) SubmitConfig(ctx context.Context, request *protos.Request) (*protos.SubmitResponse, error) {
+	if err := c.validateRouterFromContext(ctx); err != nil {
+		return nil, errors.Wrap(err, "failed to validate router from context")
+	}
+
+	c.Logger.Infof("Received config request from router %s", c.Config.Router.Endpoint)
+
+	return &protos.SubmitResponse{Error: "SubmitConfig is not implemented in consenter", TraceId: request.TraceId}, nil
 }
 
 func (c *Consensus) SubmitRequest(req []byte) error {
@@ -562,3 +569,25 @@ func (c *Consensus) verifyCE(req []byte) (smartbft_types.RequestInfo, *state.Con
 		return smartbft_types.RequestInfo{}, ce, fmt.Errorf("empty control event")
 	}
 }
+
+func (c *Consensus) validateRouterFromContext(ctx context.Context) error {
+	// extract the client certificate from the context
+	cert := node.ExtractCertificateFromContext(ctx)
+	if cert == nil {
+		return errors.New("error: access denied; could not extract certificate from context")
+	}
+
+	// extract the router certificate from the ConsenterNodeConfig
+	rawRouterCert := c.Config.Router.TLSCert
+	pemBlock, _ := pem.Decode(rawRouterCert)
+	if pemBlock == nil || pemBlock.Bytes == nil {
+		return errors.New("error decoding router TLS certificate")
+	}
+
+	// compare the two certificates
+	if !bytes.Equal(pemBlock.Bytes, cert.Raw) {
+		c.Logger.Errorf("error: access denied. The client certificate does not match the router's certificate. \n client's certificate: \n %s \n %x \n ", node.CertificateToString(cert), cert.Raw)
+		return errors.New("error: access denied. The client certificate does not match the router's certificate")
+	}
+	return nil
+}