fix(fsccli): Fix TLS config for fsccli

Signed-off-by: Marcus Brandenburger <bur@zurich.ibm.com>

Author: mbrandenburger

integration/benchmark/node/bench_test.go

@@ -183,10 +183,13 @@ func setupClient(tb testing.TB, confPath string) (*benchmark.ViewClient, error)
 		return nil, err
 	}
 
+	tlsEnabled := config.TLSConfig.Enabled
+	tlsRootCACert := path.Clean(config.TLSConfig.RootCACertPath)
+
 	cc := &grpc.ConnectionConfig{
 		Address:           config.Address,
-		TLSEnabled:        true,
-		TLSRootCertFile:   path.Join(config.TLSConfig.PeerCACertPath),
+		TLSEnabled:        tlsEnabled,
+		TLSRootCertFile:   tlsRootCACert,
 		ConnectionTimeout: 10 * time.Second,
 	}
 

integration/nwo/fsc/fsc.go

@@ -151,13 +151,18 @@ func (p *Platform) GenerateArtifacts() {
 			p.GenerateRoutingConfig()
 		}
 
+		// TLS settings
+		var tlsConfig view2.TLSClientConfig
+		tlsConfig.RootCACertPath = path.Join(p.NodeLocalTLSDir(peer.Peer), "ca.crt")
+		tlsConfig.Enabled = len(tlsConfig.RootCACertPath) > 0
+
+		// TODO: note that NWO does not yet support mTLS
+		tlsConfig.ClientAuthRequired = p.ClientAuthRequired()
+
 		c := view2.Config{
-			Version: 0,
-			Address: p.PeerAddress(peer, ListenPort),
-			TLSConfig: view2.TLSConfig{
-				PeerCACertPath: path.Join(p.NodeLocalTLSDir(peer.Peer), "ca.crt"),
-				Timeout:        10 * time.Minute,
-			},
+			Version:   0,
+			Address:   p.PeerAddress(peer, ListenPort),
+			TLSConfig: tlsConfig,
 			SignerConfig: view2.SignerConfig{
 				IdentityPath: p.LocalMSPIdentityCert(peer.Peer),
 				KeyPath:      p.LocalMSPPrivateKey(peer.Peer),

integration/nwo/fsc/node/core_template.go

@@ -50,9 +50,9 @@ fsc:
       # Private key used for TLS server
       key:
         file: {{ .NodeLocalTLSDir Peer }}/server.key
+      {{- if .ClientAuthRequired }}
       # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
       # used for verifying certificates of client connections.
-      {{- if .ClientAuthRequired }}
       clientRootCAs:
         files:
         - {{ .NodeLocalTLSDir Peer }}/ca.crt
@@ -122,20 +122,25 @@ fsc:
     # HTTPS server listener address
     address: 0.0.0.0:{{ .NodePort Replica "Web" }}
     tls:
+      # Require server-side TLS
       enabled:  true
+      # Require client certificates / mutual TLS for inbound connections.
+      # Note that clients that are not configured to use a certificate will
+      # fail to connect to the node.
+      clientAuthRequired: {{ .ClientAuthRequired }}
+      # X.509 certificate used for TLS server
       cert:
         file: {{ .NodeLocalTLSDir Peer }}/server.crt
+      # Private key used for TLS server
       key:
         file: {{ .NodeLocalTLSDir Peer }}/server.key
-      # Require client certificates / mutual TLS for inbound connections.
-      # Note that clients that are not configured to use a certificate will
-      # fail to connect to the node.
-      clientAuthRequired: false
+      {{- if .ClientAuthRequired }}
       # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
       # used for verifying certificates of client connections.
       clientRootCAs:
         files:
         - {{ .NodeLocalTLSDir Peer }}/ca.crt
+      {{- end }}
   tracing:
     # Type of provider to be used: none (default), file, otlp, console
     provider: {{ Topology.Monitoring.TracingType }}

platform/view/services/view/grpc/client/cmd/config.go

@@ -8,7 +8,6 @@ package view
 
 import (
 	"os"
-	"time"
 
 	"github.com/hyperledger-labs/fabric-smart-client/pkg/utils/errors"
 	"gopkg.in/yaml.v2"
@@ -20,19 +19,20 @@ type SignerConfig struct {
 	KeyPath      string
 }
 
-// TLSConfig defines configuration of a Client
-type TLSConfig struct {
-	CertPath       string
-	KeyPath        string
-	PeerCACertPath string
-	Timeout        time.Duration
+// TLSClientConfig defines configuration of a Client
+type TLSClientConfig struct {
+	Enabled            bool   `yaml:"enabled"`
+	RootCACertPath     string `yaml:"rootCACertPath,omitempty"`
+	ClientAuthRequired bool   `yaml:"clientAuthRequired,omitempty"`
+	ClientCertPath     string `yaml:"clientCertPath,omitempty"`
+	ClientKeyPath      string `yaml:"clientKeyPath,omitempty"`
 }
 
 // Config aggregates configuration of TLS and signing
 type Config struct {
 	Version      int
 	Address      string
-	TLSConfig    TLSConfig
+	TLSConfig    TLSClientConfig
 	SignerConfig SignerConfig
 }
 
@@ -76,3 +76,31 @@ func validateConfig(conf Config) error {
 	}
 	return nil
 }
+
+func ValidateTLSConfig(config TLSClientConfig) error {
+	isEmpty := func(val string) bool {
+		return len(val) == 0
+	}
+
+	if !config.Enabled {
+		return nil
+	}
+
+	if isEmpty(config.RootCACertPath) {
+		return errors.New("rootCACertPath not set")
+	}
+
+	if !config.ClientAuthRequired {
+		return nil
+	}
+
+	if isEmpty(config.ClientKeyPath) {
+		return errors.New("clientKeyPath not set")
+	}
+
+	if isEmpty(config.ClientCertPath) {
+		return errors.New("ClientCertPath not set")
+	}
+
+	return nil
+}

platform/view/services/view/grpc/client/cmd/config_test.go

@@ -24,11 +24,12 @@ func TestConfig(t *testing.T) {
 	fmt.Println(configFilePath)
 	t.Run("save and load a config", func(t *testing.T) {
 		c := Config{
-			TLSConfig: TLSConfig{
-				CertPath:       "foo",
-				KeyPath:        "foo",
-				PeerCACertPath: "foo",
-				Timeout:        time.Second * 3,
+			TLSConfig: TLSClientConfig{
+				Enabled:            true,
+				ClientAuthRequired: true,
+				ClientCertPath:     "foo",
+				ClientKeyPath:      "foo",
+				RootCACertPath:     "foo",
 			},
 			SignerConfig: SignerConfig{
 				KeyPath:      "foo",

platform/view/services/view/grpc/client/cmd/view.go

@@ -110,10 +110,12 @@ func parseFlagsToConfig() Config {
 			IdentityPath: userCert,
 			KeyPath:      userKey,
 		},
-		TLSConfig: TLSConfig{
-			KeyPath:        tlsKey,
-			CertPath:       tlsCert,
-			PeerCACertPath: tlsCA,
+		TLSConfig: TLSClientConfig{
+			Enabled:            len(tlsCA) > 0,
+			RootCACertPath:     tlsCA,
+			ClientAuthRequired: len(tlsCert) > 0 && len(tlsKey) > 0,
+			ClientCertPath:     tlsCert,
+			ClientKeyPath:      tlsKey,
 		},
 	}
 	return conf
@@ -145,10 +147,25 @@ func invoke() error {
 		return err
 	}
 
+	if err := ValidateTLSConfig(config.TLSConfig); err != nil {
+		return err
+	}
+
+	// parse TLS configuration
+	tlsEnabled := config.TLSConfig.Enabled
+	tlsRootCACert := path.Clean(config.TLSConfig.RootCACertPath)
+
+	// TODO:
+	// parse mTLS configuration
+	//mtlsEnabled := config.TLSConfig.ClientAuthRequired
+	//tlsClientCert := path.Clean(config.TLSConfig.ClientCertPath)
+	//tlsClientKey := path.Clean(config.TLSConfig.ClientKeyPath)
+
 	cc := &grpc.ConnectionConfig{
-		Address:           config.Address,
-		TLSEnabled:        true,
-		TLSRootCertFile:   path.Join(config.TLSConfig.PeerCACertPath),
+		Address:         config.Address,
+		TLSEnabled:      tlsEnabled,
+		TLSRootCertFile: tlsRootCACert,
+		//TLSClientSideAuth: mtlsEnabled,
 		ConnectionTimeout: 10 * time.Second,
 	}
 

platform/view/services/web/server/server.go

@@ -40,23 +40,13 @@ func (t TLS) Config() (*tls.Config, error) {
 	if !t.Enabled {
 		return tlsConfig, nil
 	}
+
+	// setup TLS
 	cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
-	if len(t.ClientCACertFiles) == 0 {
-		return nil, errors.Errorf("client TLS CA certificate pool must not be empty")
-	}
-
-	caCertPool := x509.NewCertPool()
-	for _, caPath := range t.ClientCACertFiles {
-		caPem, err := os.ReadFile(caPath)
-		if err != nil {
-			return nil, err
-		}
-		caCertPool.AppendCertsFromPEM(caPem)
-	}
 	tlsConfig = &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		CipherSuites: []uint16{
@@ -71,13 +61,29 @@ func (t TLS) Config() (*tls.Config, error) {
 		},
 		MinVersion: tls.VersionTLS12,
 		MaxVersion: tls.VersionTLS13,
-		ClientCAs:  caCertPool,
+		ClientAuth: tls.VerifyClientCertIfGiven,
 	}
-	if t.ClientAuth {
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	} else {
-		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+
+	if !t.ClientAuth {
+		return tlsConfig, nil
+	}
+
+	// setup mTLS
+	if len(t.ClientCACertFiles) == 0 {
+		return nil, errors.Errorf("client TLS CA certificate pool must not be empty")
 	}
+
+	caCertPool := x509.NewCertPool()
+	for _, caPath := range t.ClientCACertFiles {
+		caPem, err := os.ReadFile(caPath)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool.AppendCertsFromPEM(caPem)
+	}
+	tlsConfig.ClientCAs = caCertPool
+	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
 	return tlsConfig, nil
 }