Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FAB-18339] CLI: update GetCerificate to only load client certificate as it is supposed to be #2146

Merged
merged 1 commit into from
Nov 30, 2020
Merged

[FAB-18339] CLI: update GetCerificate to only load client certificate as it is supposed to be #2146

merged 1 commit into from
Nov 30, 2020

Conversation

wenjianqiao
Copy link
Contributor

@wenjianqiao wenjianqiao commented Nov 18, 2020
edited
Loading

Signed-off-by: Wenjian Qiao wenjianq@gmail.com

Type of change

  • Bug fix

Description

Both "peer lifecycle chaincode" and "peer chaincode" commands need to get
the client certificate (when peer.tls.clientAuthRequired=true) for deliver service.
GetCertificate() returns a client certificate to pass to DeliverService. Currently, it
creates a PeerClient that unnecessarily loads server tls root file based on env vars,
which caused a problem loading tls files from env even if --tlsRootCertFile
already overwrites the env var.

The fix is to update GetCertificate to only load client certificate and rename it
to GetClientCertificate to avoid confusion.

Related issues

https://jira.hyperledger.org/browse/FAB-18339

@wenjianqiao wenjianqiao changed the title [FAB-18339] Do not get root cert file from env if --tlsRootCertFile is passed [FAB-18339] CLI: update GetCerificate to only load client certificate Nov 19, 2020
@wenjianqiao wenjianqiao marked this pull request as ready for review November 19, 2020 16:37
@wenjianqiao wenjianqiao requested a review from a team as a code owner November 19, 2020 16:37
@ale-linux
Copy link
Contributor

Thanks @wenjianqiao, one Q: if we don't load server certs, how can the client be sure that it contacts the intended OS node?

@wenjianqiao wenjianqiao changed the title [FAB-18339] CLI: update GetCerificate to only load client certificate [FAB-18339] CLI: update GetCerificate to only load client certificate as it is supposed to be Nov 23, 2020
@wenjianqiao
Copy link
Contributor Author

@ale-linux Good question. GetCertificate should be called GetClientCertificate because it only returns the client's TLS certificate (the client cert is passed to deliver service when mutual TLS is enabled). Therefore it is unnecessary to load server certs in this function. The CLI commands already load the server certs in GetEndorserClient, and GetPeerDeliverClient, etc. I will rename GetCertificate to GetClientCertificate to avoid confusion.

@ale-linux
Copy link
Contributor

@ale-linux Good question. GetCertificate should be called GetClientCertificate because it only returns the client's TLS certificate (the client cert is passed to deliver service when mutual TLS is enabled). Therefore it is unnecessary to load server certs in this function. The CLI commands already load the server certs in GetEndorserClient, and GetPeerDeliverClient, etc. I will rename GetCertificate to GetClientCertificate to avoid confusion.

Thanks @wenjianqiao, so the server certs are already available, and yet GetCertificate was loading them anyway

wlahti
wlahti reviewed Nov 23, 2020
View reviewed changes
Copy link
Contributor

@wlahti wlahti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few small nits that should be quick/easy to address.

One thing that you didn't introduce to these tests that I think can be split out into a follow-up JIRA is to stop using cert fixtures and instead use tlsgen (here) to generate the certs/keys and write them to a temp folder.

internal/peer/common/common.go Outdated Show resolved Hide resolved
internal/peer/common/common.go Outdated Show resolved Hide resolved
@wenjianqiao
[FAB-18339] CLI: rename GetCerificate to GetClientCertificate
7bbc084 
GetCertificate() should be renamed to GetClientCertificate() as it only returns
the client certificate. Currently GetCertificate() gets a PeerClient that unnecessarily
loads server tls root file based on env vars. Update the function to only load client certificate.

Signed-off-by: Wenjian Qiao <wenjianq@gmail.com>
wlahti
wlahti approved these changes Nov 30, 2020
View reviewed changes
Copy link
Contributor

@wlahti wlahti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Wenjian! Looks good to me (I also manually verified the behavior before/after the fix just to be sure). I'll open a follow-up task to move away from the cert fixtures in these tests.

@wlahti wlahti merged commit 9c41cbd into hyperledger:master Nov 30, 2020
@wenjianqiao wenjianqiao deleted the fab18339tlsrootfile branch December 8, 2020 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wlahti wlahti wlahti approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wenjianqiao @ale-linux @wlahti