[protoutil] Introduce HashTLSCertificate() (#93)

#### Type of change

- New feature

#### Description

- Introduce `protoutil.HashTLSCertificate()` to produce the expected
hash for `protoutil.CreateSignedEnvelopeWithTLSBinding()`

Signed-off-by: Liran Funaro <liran.funaro@gmail.com>

Author: liran-funaro

.gitignore

@@ -25,4 +25,5 @@ TESTS*.xml
 .tox/
 .vagrant/
 .vscode
+.bob
 *coverage.profile

protoutil/txutils.go

@@ -10,10 +10,11 @@ import (
 	"bytes"
 	"crypto/sha256"
 	b64 "encoding/base64"
+	"encoding/pem"
 
+	"github.com/cockroachdb/errors"
 	"github.com/hyperledger/fabric-protos-go-apiv2/common"
 	"github.com/hyperledger/fabric-protos-go-apiv2/peer"
-	"github.com/pkg/errors"
 	"google.golang.org/protobuf/proto"
 
 	"github.com/hyperledger/fabric-x-common/protoutil/identity"
@@ -59,6 +60,46 @@ func GetEnvelopeFromBlock(data []byte) (*common.Envelope, error) {
 	return env, nil
 }
 
+// HashTLSCertificate computes the SHA256 hash of a PEM-encoded TLS certificate.
+// The certificate must be provided in PEM format with block type "CERTIFICATE".
+// This hash can be used with CreateSignedEnvelopeWithTLSBinding to bind a transaction
+// to a specific TLS certificate.
+//
+// Parameters:
+//   - certPEMBlock: PEM-encoded TLS certificate bytes.
+//
+// Returns:
+//   - The SHA256 hash of the certificate DER bytes.
+//   - An error if the input is not a valid PEM-encoded certificate.
+//
+// Example usage:
+//
+//	tlsCertHash, err := protoutil.HashTLSCertificate(certPEMBlock)
+//	if err != nil {
+//	    return err
+//	}
+//	envelope, err := protoutil.CreateSignedEnvelopeWithTLSBinding(
+//	    txType, channelID, signer, dataMsg, msgVersion, epoch, tlsCertHash)
+func HashTLSCertificate(certPEMBlock []byte) ([]byte, error) {
+	var tlsCertBytes []byte
+	for len(tlsCertBytes) == 0 {
+		var certDERBlock *pem.Block
+		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
+		if certDERBlock == nil {
+			break
+		}
+		if certDERBlock.Type == "CERTIFICATE" {
+			tlsCertBytes = certDERBlock.Bytes
+		}
+	}
+	if len(tlsCertBytes) == 0 {
+		return nil, errors.New("failed to find any PEM data in certificate input")
+	}
+
+	digest := sha256.Sum256(tlsCertBytes)
+	return digest[:], nil
+}
+
 // CreateSignedEnvelope creates a signed envelope with
 // cert in the signature header.
 func CreateSignedEnvelope( //nolint:revive // argument-limit; max 4 but got 6

protoutil/txutils_test.go

@@ -7,18 +7,28 @@ SPDX-License-Identifier: Apache-2.0
 package protoutil_test
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"strconv"
 	"strings"
 	"testing"
 
 	cb "github.com/hyperledger/fabric-protos-go-apiv2/common"
 	pb "github.com/hyperledger/fabric-protos-go-apiv2/peer"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
 	"google.golang.org/protobuf/proto"
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/hyperledger/fabric-x-common/common/util"
 	"github.com/hyperledger/fabric-x-common/protoutil"
 	"github.com/hyperledger/fabric-x-common/protoutil/identity/mocks"
 )
@@ -120,6 +130,85 @@ func TestGetPayloads(t *testing.T) {
 	t.Logf("error6 [%s]", err)
 }
 
+func TestHashTLSCertificate(t *testing.T) {
+	t.Parallel()
+
+	t.Run("PEM encoded certificate", func(t *testing.T) {
+		t.Parallel()
+		_, certPEM := generateTestCertPEM(t, "CERTIFICATE")
+
+		hash, err := protoutil.HashTLSCertificate(certPEM)
+		require.NoError(t, err)
+		require.NotNil(t, hash)
+		require.Len(t, hash, 32) // SHA256 produces 32 bytes
+
+		// The hash should be deterministic.
+		hash2, err := protoutil.HashTLSCertificate(certPEM)
+		require.NoError(t, err)
+		require.Equal(t, hash, hash2)
+	})
+
+	t.Run("Hash matches server-side extraction", func(t *testing.T) {
+		t.Parallel()
+		certDER, certPEM := generateTestCertPEM(t, "CERTIFICATE")
+
+		// Simulate server-side: create a gRPC context with TLS peer info
+		cert, err := x509.ParseCertificate(certDER)
+		require.NoError(t, err)
+		ctx := peer.NewContext(t.Context(), &peer.Peer{
+			AuthInfo: credentials.TLSInfo{
+				State: tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}},
+			},
+		})
+		// Use ExtractRawCertificateFromContext (server-side).
+		rawCert := util.ExtractRawCertificateFromContext(ctx)
+		require.NotNil(t, rawCert)
+
+		// Hash the raw certificate (server-side).
+		serverHash := sha256.Sum256(rawCert)
+
+		// Hash using HashTLSCertificate (client-side).
+		clientHash, err := protoutil.HashTLSCertificate(certPEM)
+		require.NoError(t, err)
+
+		// Verify both hashes match.
+		require.Equal(t, serverHash[:], clientHash, "Client-side hash should match server-side hash")
+	})
+
+	_, wrongCertPEMBlockType := generateTestCertPEM(t, "EC PRIVATE KEY")
+	for _, tc := range []struct {
+		name string
+		cert []byte
+	}{
+		{name: "Empty certificate", cert: nil},
+		{name: "Invalid certificate", cert: []byte("not a valid PEM certificate")},
+		{name: "Wrong PEM block type", cert: wrongCertPEMBlockType},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			_, err := protoutil.HashTLSCertificate(tc.cert)
+			require.ErrorContains(t, err, "failed to find any PEM data in certificate input")
+		})
+	}
+}
+
+func generateTestCertPEM(t *testing.T, blockType string) (certDER, certPEM []byte) {
+	t.Helper()
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	template := &x509.Certificate{}
+	certDER, err = x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
+	require.NoError(t, err)
+	require.NotNil(t, certDER)
+
+	certPEM = pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: certDER})
+	require.NotNil(t, certPEM)
+
+	return certDER, certPEM
+}
+
 func TestDeduplicateEndorsements(t *testing.T) {
 	signID := &mocks.SignerSerializer{}
 	signID.SerializeReturns([]byte("signer"), nil)