Skip to content

Commit

Permalink
feat(secret): remove Validator/Verifier secret keys from repository
Browse files Browse the repository at this point in the history
- Remove validator sample CA keys hardcoded inside the repository.
- Generate fresh ECDSA keys when starting up electricity-trade
  or discounted-asset-trade sample apps.
- Add support for RSA CA keys in fabric-socketio validator.
  I couldn't find any trivial way of generating ECDSA self-signed certificate
  (without calling openssl cmdline, which seems poor from functional test perspective),
  so I've added support for RSA keys to simplify the tests.
- Allow selection of jwt algorithm in  fabric-socketio validator.
  It must correspond to the key used.
- Update the READMEs, add short description of SSL config option of fabric-socketio validator.

Closes: 2016
Closes: 2017

Depends on: 1977
Depends on: 2030

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
  • Loading branch information
outSH authored and petermetz committed Jul 19, 2022
1 parent 3c561a8 commit 59b4af4
Show file tree
Hide file tree
Showing 35 changed files with 353 additions and 151 deletions.
2 changes: 1 addition & 1 deletion examples/cactus-example-discounted-asset-trade/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ RUN apt-get update \
# Note - indy_sdk:latest must be ABI compatible with this image OS
COPY --from=indy-sdk-cli:latest /usr/lib/libindy.so /usr/lib/

COPY ./package.json ./dist/yarn.lock ./dist/fabric-connector.crt ./dist/ethereum-connector.crt ./dist/indy-connector.crt ./
COPY ./package.json ./dist/yarn.lock ./
RUN yarn add "${CACTUS_CMD_SOCKETIO_PATH}" "@hyperledger/cactus-verifier-client@${NPM_PKG_VERSION}" \
--production --ignore-engines --non-interactive --cache-folder ./.yarnCache && \
rm -rf ./.yarnCache
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ ledgerPluginInfo:
validatorID: 84jUisrs
validatorType: legacy-socketio
validatorURL: https://ethereum-validator:5050
validatorKeyPath: /root/cactus/ethereum-connector.crt
validatorKeyPath: /etc/cactus/connector-go-ethereum-socketio/CA/connector.crt
maxCounterRequestID: 100
syncFunctionTimeoutMillisecond: 5000
socketOptions:
Expand Down Expand Up @@ -42,7 +42,7 @@ ledgerPluginInfo:
validatorID: r9IS4dDf
validatorType: legacy-socketio
validatorURL: https://fabric-socketio-validator:5040
validatorKeyPath: /root/cactus/fabric-connector.crt
validatorKeyPath: /etc/cactus/connector-fabric-socketio/CA/connector.crt
maxCounterRequestID: 100
syncFunctionTimeoutMillisecond: 5000
socketOptions:
Expand All @@ -57,7 +57,7 @@ ledgerPluginInfo:
validatorID: 3PfTJw8g
validatorType: legacy-socketio
validatorURL: http://indy-validator-nginx:10080
validatorKeyPath: /root/cactus/indy-connector.crt
validatorKeyPath: /etc/cactus/validator_socketio_indy/CA/connector.crt
maxCounterRequestID: 100
syncFunctionTimeoutMillisecond: 5000
socketOptions:
Expand Down
7 changes: 1 addition & 6 deletions examples/cactus-example-discounted-asset-trade/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,7 @@
"build": "npm run build-ts && npm run build:dev:backend:postbuild",
"build-ts": "tsc",
"build_pip_indy_package": "cd ../../packages-python/cactus_validator_socketio_indy && python3 setup.py bdist_wheel",
"build:dev:backend:postbuild": "npm run copy-yarn-lock && npm run copy-validator-keys",
"copy-yarn-lock": "cp -f ../../yarn.lock ./dist/",
"copy-validator-keys": "npm run copy-fabric-key && npm run copy-ethereum-key && npm run copy-indy-key",
"copy-fabric-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-fabric-socketio/sample-config/CA/connector.crt ./dist/fabric-connector.crt",
"copy-ethereum-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/CA/connector.crt ./dist/ethereum-connector.crt",
"copy-indy-key": "cp -fr ../../packages-python/cactus_validator_socketio_indy/sample-CA/connector.crt ./dist/indy-connector.crt"
"build:dev:backend:postbuild": "cp -f ../../yarn.lock ./dist/"
},
"dependencies": {
"axios": "0.24.0",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,50 @@ export CACTUS_FABRIC_ALL_IN_ONE_CONTAINER_NAME="asset_trade_faio2x_testnet"
export CACTUS_FABRIC_ALL_IN_ONE_VERSION="2.2.0"
export CACTUS_FABRIC_TEST_LOOSE_MEMBERSHIP=1

# Cert options
CERT_CURVE_NAME="prime256v1"
CERT_COUNTRY="JP"
CERT_STATE="Tokyo"
CERT_LOCALITY="Minato-Ku"
CERT_ORG="CactusSamples"

# generate_certificate <common-name> <destination>
function generate_certificate() {
# Check OpenSSL command existance
if ! openssl version > /dev/null; then
echo "Could not execute [openssl version], check if OpenSSL tool is available on the system."
exit 1;
fi

# Check input parameters
ARGS_NUMBER=2
if [ "$#" -lt "$ARGS_NUMBER" ]; then
echo "generate_certificate called with wrong number of arguments (expected - $ARGS_NUMBER, actual - $#)";
exit 2
fi

common_name=$1
destination=$2
subject="/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_LOCALITY/O=$CERT_ORG/CN=$common_name"
echo "Create new cert in '${destination}' with subject '${subject}'"

# Crete destination path
if [ ! -d "$destination" ]; then
echo "Re-create destination dir..."
rm -rf "$destination"
mkdir -p "$destination"
fi

keyPath="${destination}/connector.priv"
csrPath="${destination}/connector.csr"
certPath="${destination}/connector.crt"

# Generate keys
openssl ecparam -genkey -name "$CERT_CURVE_NAME" -out "$keyPath"
openssl req -new -sha256 -key "$keyPath" -out "$csrPath" -subj "$subject"
openssl req -x509 -sha256 -days 365 -key "$keyPath" -in "$csrPath" -out "$certPath"
}

function start_fabric_testnet() {
echo ">> start_fabric_testnet()"
pushd "${ROOT_DIR}/tools/docker/fabric-all-in-one"
Expand Down Expand Up @@ -54,6 +98,7 @@ function copy_fabric_validator_config() {
echo ">> copy_fabric_validator_config()"
cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-fabric-socketio/sample-config/* \
"${CONFIG_VOLUME_PATH}/connector-fabric-socketio/"
generate_certificate "FabricSocketIOCactusValidator" "${CONFIG_VOLUME_PATH}/connector-fabric-socketio/CA/"
echo ">> copy_fabric_validator_config() done."

echo ">> copy_fabric_wallet()"
Expand All @@ -71,6 +116,7 @@ function copy_ethereum_validator_config() {
echo ">> copy_ethereum_validator_config()"
cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/* \
"${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/"
generate_certificate "GoEthereumCactusValidator" "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/CA/"
echo ">> copy_ethereum_validator_config() done."
}

Expand All @@ -91,7 +137,7 @@ function copy_indy_validator_config() {

function copy_indy_validator_ca() {
echo ">> copy_indy_validator_ca()"
cp -fr "${ROOT_DIR}/packages-python/cactus_validator_socketio_indy/sample-CA/" "${CONFIG_VOLUME_PATH}/validator_socketio_indy/CA"
generate_certificate "IndyCactusValidator" "${CONFIG_VOLUME_PATH}/validator_socketio_indy/CA/"
echo ">> copy_indy_validator_ca() done."
}

Expand Down
2 changes: 1 addition & 1 deletion examples/cactus-example-electricity-trade/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ ENV APP_HOME=/root/cactus

WORKDIR ${APP_HOME}

COPY ./dist/yarn.lock ./package.json ./dist/ethereum-connector.crt ./dist/sawtooth-connector.crt ./
COPY ./dist/yarn.lock ./package.json ./
RUN yarn add "${CACTUS_CMD_SOCKETIO_PATH}" "@hyperledger/cactus-verifier-client@${NPM_PKG_VERSION}" \
--production --ignore-engines --non-interactive --cache-folder ./.yarnCache && \
rm -rf ./.yarnCache
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ ledgerPluginInfo:
validatorID: 84jUisrs
validatorType: legacy-socketio
validatorURL: https://ethereum-validator:5050
validatorKeyPath: /root/cactus/ethereum-connector.crt
validatorKeyPath: /etc/cactus/connector-go-ethereum-socketio/CA/connector.crt
maxCounterRequestID: 100
syncFunctionTimeoutMillisecond: 5000
socketOptions:
Expand Down Expand Up @@ -42,7 +42,7 @@ ledgerPluginInfo:
validatorID: sUr7d10R
validatorType: legacy-socketio
validatorURL: https://sawtooth-validator:5140
validatorKeyPath: /root/cactus/sawtooth-connector.crt
validatorKeyPath: /etc/cactus/connector-sawtooth-socketio/CA/connector.crt
maxCounterRequestID: 100
syncFunctionTimeoutMillisecond: 5000
socketOptions:
Expand Down
6 changes: 1 addition & 5 deletions examples/cactus-example-electricity-trade/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,7 @@
"start": "docker-compose build && docker-compose up",
"build": "npm run build-ts && npm run build:dev:backend:postbuild",
"build-ts": "tsc",
"build:dev:backend:postbuild": "npm run copy-yarn-lock && npm run copy-validator-keys",
"copy-yarn-lock": "cp -f ../../yarn.lock ./dist/",
"copy-validator-keys": "npm run copy-ethereum-key && npm run copy-sawtooth-key",
"copy-ethereum-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/CA/connector.crt ./dist/ethereum-connector.crt",
"copy-sawtooth-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-sawtooth-socketio/sample-config/CA/connector.crt ./dist/sawtooth-connector.crt"
"build:dev:backend:postbuild": "cp -f ../../yarn.lock ./dist/"
},
"dependencies": {
"@types/node": "14.18.12",
Expand Down
46 changes: 46 additions & 0 deletions examples/cactus-example-electricity-trade/script-start-ledgers.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,50 @@ set -e
ROOT_DIR="../.." # Path to cactus root dir
CONFIG_VOLUME_PATH="./etc/cactus" # Docker volume with shared configuration

# Cert options
CERT_CURVE_NAME="prime256v1"
CERT_COUNTRY="JP"
CERT_STATE="Tokyo"
CERT_LOCALITY="Minato-Ku"
CERT_ORG="CactusSamples"

# generate_certificate <common-name> <destination>
function generate_certificate() {
# Check OpenSSL command existance
if ! openssl version > /dev/null; then
echo "Could not execute [openssl version], check if OpenSSL tool is available on the system."
exit 1;
fi

# Check input parameters
ARGS_NUMBER=2
if [ "$#" -lt "$ARGS_NUMBER" ]; then
echo "generate_certificate called with wrong number of arguments (expected - $ARGS_NUMBER, actual - $#)";
exit 2
fi

common_name=$1
destination=$2
subject="/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_LOCALITY/O=$CERT_ORG/CN=$common_name"
echo "Create new cert in '${destination}' with subject '${subject}'"

# Crete destination path
if [ ! -d "$destination" ]; then
echo "Re-create destination dir..."
rm -rf "$destination"
mkdir -p "$destination"
fi

keyPath="${destination}/connector.priv"
csrPath="${destination}/connector.csr"
certPath="${destination}/connector.crt"

# Generate keys
openssl ecparam -genkey -name "$CERT_CURVE_NAME" -out "$keyPath"
openssl req -new -sha256 -key "$keyPath" -out "$csrPath" -subj "$subject"
openssl req -x509 -sha256 -days 365 -key "$keyPath" -in "$csrPath" -out "$certPath"
}

function start_ethereum_testnet() {
pushd "${ROOT_DIR}/tools/docker/geth-testnet"
./script-start-docker.sh
Expand All @@ -17,6 +61,7 @@ function copy_ethereum_validator_config() {
echo ">> copy_ethereum_validator_config()"
cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/* \
"${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/"
generate_certificate "GoEthereumCactusValidator" "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/CA/"
echo ">> copy_ethereum_validator_config() done."
}

Expand All @@ -33,6 +78,7 @@ function copy_sawtooth_validator_config() {
echo ">> copy_sawtooth_validator_config()"
cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-sawtooth-socketio/sample-config/* \
"${CONFIG_VOLUME_PATH}/connector-sawtooth-socketio/"
generate_certificate "SawtoothCactusValidator" "${CONFIG_VOLUME_PATH}/connector-sawtooth-socketio/CA/"
echo ">> copy_sawtooth_validator_config() done."
}

Expand Down
3 changes: 2 additions & 1 deletion packages-python/cactus_validator_socketio_indy/.gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
CactusValidatorSocketIOIndy.egg-info/
CactusValidatorSocketIOIndy.egg-info/
testcli/connector.crt
4 changes: 2 additions & 2 deletions packages-python/cactus_validator_socketio_indy/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,10 @@ WORKDIR /home/indy
COPY --chown=indy:indy './dist/CactusValidatorSocketIOIndy-0.0.1-py3-none-any.whl' '/home/indy'
RUN pip3 install /home/indy/CactusValidatorSocketIOIndy-0.0.1-py3-none-any.whl

user root
USER root
RUN python3 /home/indy/.local/lib/python3.8/site-packages/other/post_install_script.py

user indy
USER indy
ARG pool_ip=172.16.0.2
ENV TEST_POOL_IP=$pool_ip

Expand Down
20 changes: 11 additions & 9 deletions packages-python/cactus_validator_socketio_indy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,25 @@
1. Start indy testnet pool (follow instructions from `../../tools/docker/indy-testnet/` README). It should create docker network `indy-testnet_indy_net`, pool should be available at `172.16.0.2`.
1. Generate proof and store it in local `/etc/cactus`:
```
rm -r /etc/cactus/validator_socketio_indy/*
cd ../../examples/register-indy-data/
./script-build-docker.sh
docker run --rm -ti -v/etc/cactus/:/etc/cactus/ --net="host" register-indy-data --proof_only
```
1. Copy indy validator config
```
mkdir -p /etc/cactus/validator_socketio_indy/
rm -r /etc/cactus/validator_socketio_indy/*
cp -rf ./config/* /etc/cactus/validator_socketio_indy/
```
1. Copy default validator CA
1. Generate validator certificate using OpenSSL tool
```
rm -r /etc/cactus/validator_socketio_indy/CA
cp -rf ./sample-CA/ /etc/cactus/validator_socketio_indy/CA
mkdir -p "/etc/cactus/validator_socketio_indy/CA/"
openssl ecparam -genkey -name "prime256v1" -out "/etc/cactus/validator_socketio_indy/CA/connector.priv"
openssl req -new -sha256 -key "/etc/cactus/validator_socketio_indy/CA/connector.priv" \
-out "/etc/cactus/validator_socketio_indy/CA/connector.csr" \
-subj "/C=JP/ST=Tokyo/L=Minato-Ku/O=CactusSamples/CN=IndyValidator"
openssl req -x509 -sha256 -days 365 -key "/etc/cactus/validator_socketio_indy/CA/connector.priv" \
-in "/etc/cactus/validator_socketio_indy/CA/connector.csr" \
-out "/etc/cactus/validator_socketio_indy/CA/connector.crt"
```
1. Build and run validator container:
```
Expand All @@ -41,9 +44,8 @@
1. Open separate console, install dependencies and run the testing script:
```
cd testcli/
ln -s /etc/cactus/validator_socketio_indy/CA/connector.crt .
npm install
node testsock.js
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ def __copy(source: str, destination: str) -> bool:
# Copy supervisord.conf file
if __copy(source=f'{SITE_PACKAGES}/other/supervisord.conf', destination='/etc'):
print('supervisord file successfully copied')

# Copy utils.py
if __copy(source=f'{UTILS_LOCATION}/utils.py',
destination=f'{VALIDATOR_DST_DIR}/validator_socketio_module'):
Expand Down

This file was deleted.

This file was deleted.

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ export function verifyValidatorJwt(
): Promise<JwtPayload> {
return new Promise((resolve, reject) => {
const option: VerifyOptions = {
algorithms: ["ES256"],
algorithms: ["ES256", "ES384", "ES512", "RS256", "RS384", "RS512"],
};

verify(
Expand Down
Original file line number Diff line number Diff line change
@@ -1,13 +1,31 @@
/**
* @deprecated Moved to packages/cactus-test-tooling/src/main/typescript/pki/self-signed-pki-generator.ts
*/

import { pki, md } from "node-forge";
import { v4 as uuidV4 } from "uuid";
import { Strings } from "@hyperledger/cactus-common";

/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*/
export type ForgeKeyPair = pki.rsa.KeyPair;
/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*/
export type ForgePrivateKey = pki.rsa.PrivateKey;
/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*/
export type ForgeCertificate = pki.Certificate;
/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*/
export type ForgeCertificateField = pki.CertificateField;

/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*
* PKI as in public key infrastructure and x509 certificates.
*/
export interface IPki {
Expand All @@ -18,6 +36,8 @@ export interface IPki {
}

/**
* @deprecated Moved to \@hyperledger/cactus-test-tooling
*
* Do not use this for anything in a production deployment. It's meant as a helper
* class for development and testing purposes (enhancing developer experience).
*
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,10 @@ docker run -v/etc/cactus/:/etc/cactus -p 5040:5040 --net=fabric-all-in-one_testn
npm run start
```
## Configuration
- Validator can be configured in `/etc/cactus/connector-fabric-socketio/default.yaml` (see [sample-config](./sample-config/default.yaml) for details).
- This configuration can be overwriten in `NODE_CONFIG` environment variable (JSON format). See functional tests for example of that.
## Usage samples
- To confirm the operation of this package, please refer to the following business-logic sample application:
- [cactus-example-discounted-asset-trade](../../examples/cactus-example-discounted-asset-trade)
Expand Down
Loading

0 comments on commit 59b4af4

Please sign in to comment.