[FAB-7028] Dynamic TLS cert update

This change set adds an ability to the secureServer to dynamically
update its TLS certificate.

Change-Id: I1152ce65f203092ddd170ff494205eefeafc2e75
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/comm/server.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"net"
 	"sync"
+	"sync/atomic"
 
 	"google.golang.org/grpc"
 )
@@ -46,6 +47,8 @@ type GRPCServer interface {
 	// SetClientRootCAs sets the list of authorities used to verify client
 	// certificates based on a list of PEM-encoded X509 certificate authorities
 	SetClientRootCAs(clientRoots [][]byte) error
+	// SetServerCertificate assigns the current TLS certificate to be the peer's server certificate
+	SetServerCertificate(tls.Certificate)
 }
 
 type grpcServerImpl struct {
@@ -56,7 +59,8 @@ type grpcServerImpl struct {
 	// GRPC server
 	server *grpc.Server
 	// Certificate presented by the server for TLS communication
-	serverCertificate tls.Certificate
+	// stored as an atomic reference
+	serverCertificate atomic.Value
 	// Key used by the server for TLS communication
 	serverKeyPEM []byte
 	// List of certificate authorities to optionally pass to the client during
@@ -112,14 +116,17 @@ func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig)
 			if err != nil {
 				return nil, err
 			}
-			grpcServer.serverCertificate = cert
+			grpcServer.serverCertificate.Store(cert)
 
 			//set up our TLS config
 
+			getCert := func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				cert := grpcServer.serverCertificate.Load().(tls.Certificate)
+				return &cert, nil
+			}
 			//base server certificate
-			certificates := []tls.Certificate{grpcServer.serverCertificate}
 			grpcServer.tlsConfig = &tls.Config{
-				Certificates:           certificates,
+				GetCertificate:         getCert,
 				SessionTicketsDisabled: true,
 			}
 			grpcServer.tlsConfig.ClientAuth = tls.RequestClientCert
@@ -160,6 +167,11 @@ func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig)
 	return grpcServer, nil
 }
 
+// SetServerCertificate assigns the current TLS certificate to be the peer's server certificate
+func (gServer *grpcServerImpl) SetServerCertificate(cert tls.Certificate) {
+	gServer.serverCertificate.Store(cert)
+}
+
 // Address returns the listen address for this GRPCServer instance
 func (gServer *grpcServerImpl) Address() string {
 	return gServer.address
@@ -177,7 +189,7 @@ func (gServer *grpcServerImpl) Server() *grpc.Server {
 
 // ServerCertificate returns the tls.Certificate used by the grpc.Server
 func (gServer *grpcServerImpl) ServerCertificate() tls.Certificate {
-	return gServer.serverCertificate
+	return gServer.serverCertificate.Load().(tls.Certificate)
 }
 
 // TLSEnabled is a flag indicating whether or not TLS is enabled for the

core/comm/server_test.go

@@ -20,15 +20,13 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hyperledger/fabric/core/comm"
+	testpb "github.com/hyperledger/fabric/core/comm/testdata/grpc"
 	"github.com/stretchr/testify/assert"
-
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/transport"
-
-	"github.com/hyperledger/fabric/core/comm"
-	testpb "github.com/hyperledger/fabric/core/comm/testdata/grpc"
 )
 
 //Embedded certificates for testing
@@ -1425,3 +1423,70 @@ func TestKeepaliveClientResponse(t *testing.T) {
 	_, err = clientTransport.NewStream(context.Background(), &transport.CallHdr{})
 	assert.NoError(t, err, "Unexpected error creating stream")
 }
+
+func TestUpdateTLSCert(t *testing.T) {
+	readFile := func(path string) []byte {
+		fName := filepath.Join("testdata", "dynamic_cert_update", path)
+		data, err := ioutil.ReadFile(fName)
+		if err != nil {
+			panic(fmt.Errorf("Failed reading %s: %v", fName, err))
+		}
+		return data
+	}
+	loadBytes := func(prefix string) (key, cert, caCert []byte) {
+		cert = readFile(filepath.Join(prefix, "server.crt"))
+		key = readFile(filepath.Join(prefix, "server.key"))
+		caCert = readFile(filepath.Join("ca.crt"))
+		return
+	}
+
+	key, cert, caCert := loadBytes("notlocalhost")
+
+	cfg := comm.ServerConfig{
+		SecOpts: &comm.SecureOptions{
+			UseTLS:            true,
+			ServerKey:         key,
+			ServerCertificate: cert,
+		},
+	}
+	srv, err := comm.NewGRPCServer("localhost:8333", cfg)
+	assert.NoError(t, err)
+	testpb.RegisterTestServiceServer(srv.Server(), &testServiceServer{})
+	go srv.Start()
+	defer srv.Stop()
+
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(caCert)
+
+	probeServer := func() error {
+		_, err = invokeEmptyCall("localhost:8333",
+			[]grpc.DialOption{grpc.WithTransportCredentials(
+				credentials.NewTLS(&tls.Config{
+					RootCAs: certPool}))})
+		return err
+	}
+
+	// bootstrap TLS certificate has a SAN of "notlocalhost" so it should fail
+	err = probeServer()
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "certificate is valid for notlocalhost.org1.example.com, notlocalhost, not localhost")
+
+	// new TLS certificate has a SAN of "localhost" so it should succeed
+	certPath := filepath.Join("testdata", "dynamic_cert_update", "localhost", "server.crt")
+	keyPath := filepath.Join("testdata", "dynamic_cert_update", "localhost", "server.key")
+	tlsCert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	assert.NoError(t, err)
+	srv.SetServerCertificate(tlsCert)
+	err = probeServer()
+	assert.NoError(t, err)
+
+	// revert back to the old certificate, should fail.
+	certPath = filepath.Join("testdata", "dynamic_cert_update", "notlocalhost", "server.crt")
+	keyPath = filepath.Join("testdata", "dynamic_cert_update", "notlocalhost", "server.key")
+	tlsCert, err = tls.LoadX509KeyPair(certPath, keyPath)
+	assert.NoError(t, err)
+	srv.SetServerCertificate(tlsCert)
+	err = probeServer()
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "certificate is valid for notlocalhost.org1.example.com, notlocalhost, not localhost")
+}

core/comm/testdata/dynamic_cert_update/ca.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSTCCAe+gAwIBAgIQZMqAAhpj/lLHsJeIp1nJ7zAKBggqhkjOPQQDAjB2MQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEfMB0GA1UEAxMWdGxz
+Y2Eub3JnMS5leGFtcGxlLmNvbTAeFw0xNzExMTcyMjM4NTZaFw0yNzExMTUyMjM4
+NTZaMHYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMR8wHQYD
+VQQDExZ0bHNjYS5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEMDe9E6+fydjWG40IHBnS1sZh4Mpw4G1KCWd4plTPZb0qJ7YaLkARx2dm
+d65FGh7dhJGUBQTNWa3/cLVB28tQVaNfMF0wDgYDVR0PAQH/BAQDAgGmMA8GA1Ud
+JQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQgLzJgBSiEH1GF
+M+2iuJA92mp7j0SPqxmRmYyfbI+1+3wwCgYIKoZIzj0EAwIDSAAwRQIhAIEXLz9u
+XpAt1nXTuEVYAJYipi6TYtSnsOB/teMxZ887AiAs5IU1lWKYk4/RXrU9NgNdrUs+
+hLygondsbVWt6bKZzg==
+-----END CERTIFICATE-----

core/comm/testdata/dynamic_cert_update/localhost/server.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdDCCAhqgAwIBAgIRAK5HIE/tumHtKRObBKPvnYQwCgYIKoZIzj0EAwIwdjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHzAdBgNVBAMTFnRs
+c2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTcxMTE3MjIzODU2WhcNMjcxMTE1MjIz
+ODU2WjBfMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzEjMCEGA1UEAxMabG9jYWxob3N0Lm9yZzEuZXhhbXBs
+ZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASyPS7GHgSfNsvB8X5d8WT2
+91Z1AG+Ie5OpkUtI4Cmqq4lTUz+ba1f22EftkP8AsvO3NV6EBPsTNnUgqwORk4Lu
+o4GfMIGcMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCAvMmAFKIQfUYUz7aK4kD3a
+anuPRI+rGZGZjJ9sj7X7fDAwBgNVHREEKTAnghpsb2NhbGhvc3Qub3JnMS5leGFt
+cGxlLmNvbYIJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIQDAYC/+I9f3Z8rk
+bUmmZojIcf+VKtt2r/Ws2gurw/OxSgIgKevKSlauM5DlLDvaJVgsbQhxmoUL/oyt
+3bQu7kpCZ0k=
+-----END CERTIFICATE-----

core/comm/testdata/dynamic_cert_update/localhost/server.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg4fKabn/wDrH9CNFt
+p41HuWqRZEalrLk0mwkVt42dCWahRANCAASyPS7GHgSfNsvB8X5d8WT291Z1AG+I
+e5OpkUtI4Cmqq4lTUz+ba1f22EftkP8AsvO3NV6EBPsTNnUgqwORk4Lu
+-----END PRIVATE KEY-----

core/comm/testdata/dynamic_cert_update/notlocalhost/server.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfTCCAiOgAwIBAgIRAPSubu0GrmfLZ0r9H0rOBdcwCgYIKoZIzj0EAwIwdjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHzAdBgNVBAMTFnRs
+c2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTcxMTE3MjIzODU2WhcNMjcxMTE1MjIz
+ODU2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzEmMCQGA1UEAxMdbm90bG9jYWxob3N0Lm9yZzEuZXhh
+bXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4mepCqRSHMmEa7obW
+2BUBDXudRuuL5q2fKH62+6u22PChgavqTxs0AH7To6F6+vnGfq6RcvNe5fjQxphX
+rbgyo4GlMIGiMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCAvMmAFKIQfUYUz7aK4
+kD3aanuPRI+rGZGZjJ9sj7X7fDA2BgNVHREELzAtgh1ub3Rsb2NhbGhvc3Qub3Jn
+MS5leGFtcGxlLmNvbYIMbm90bG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIQCw
+3ysg3FcPyIlMSlAhWcvNcf9ANpntSC7iRhexEdbsEgIgOpYSvBhLZTIo5OcmHHhy
+Uj5s3rI2qK45zuylQ2WSRG0=
+-----END CERTIFICATE-----

core/comm/testdata/dynamic_cert_update/notlocalhost/server.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFec9IzGbSVizQbd3
+LjWHk9o3yACtfn4SnAdqMPWSgJOhRANCAAS4mepCqRSHMmEa7obW2BUBDXudRuuL
+5q2fKH62+6u22PChgavqTxs0AH7To6F6+vnGfq6RcvNe5fjQxphXrbgy
+-----END PRIVATE KEY-----