[FAB-11325] VerifyPeerCertificate in SecureOptions

This change set adds the tls.Config's VerifyPeerCertificate
in order to add support for TLS layer certificate pinning.

This is needed for client-side enforcement of TLS pinning
with gRPC calls that aren't stream-based, but I added
also server-side tests support to be symmetric.

Change-Id: I5af7d51294a52c510cba81e4c92a9c7044a19b98
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/comm/client.go

@@ -72,7 +72,8 @@ func (client *GRPCClient) parseSecureOptions(opts *SecureOptions) error {
 		return nil
 	}
 	client.tlsConfig = &tls.Config{
-		MinVersion: tls.VersionTLS12} // TLS 1.2 only
+		VerifyPeerCertificate: opts.VerifyCertificate,
+		MinVersion:            tls.VersionTLS12} // TLS 1.2 only
 	if len(opts.ServerRootCAs) > 0 {
 		client.tlsConfig.RootCAs = x509.NewCertPool()
 		for _, certBytes := range opts.ServerRootCAs {

core/comm/client_test.go

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package comm_test
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -281,6 +282,54 @@ func TestNewConnection(t *testing.T) {
 			},
 			success: true,
 		},
+		{
+			name:       "server TLS pinning success",
+			serverPort: 8358,
+			clientPort: 8358,
+			config: comm.ClientConfig{
+				SecOpts: &comm.SecureOptions{
+					VerifyCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+						if bytes.Equal(rawCerts[0], testCerts.serverCert.Certificate[0]) {
+							return nil
+						}
+						panic("mismatched certificate")
+					},
+					Certificate:       testCerts.certPEM,
+					Key:               testCerts.keyPEM,
+					UseTLS:            true,
+					RequireClientCert: true,
+					ServerRootCAs:     [][]byte{testCerts.caPEM}},
+				Timeout: testTimeout},
+			serverTLS: &tls.Config{
+				Certificates: []tls.Certificate{testCerts.serverCert},
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+				ClientCAs:    certPool,
+			},
+			success: true,
+		},
+		{
+			name:       "server TLS pinning failure",
+			serverPort: 8359,
+			clientPort: 8359,
+			config: comm.ClientConfig{
+				SecOpts: &comm.SecureOptions{
+					VerifyCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+						return errors.New("TLS certificate mismatch")
+					},
+					Certificate:       testCerts.certPEM,
+					Key:               testCerts.keyPEM,
+					UseTLS:            true,
+					RequireClientCert: true,
+					ServerRootCAs:     [][]byte{testCerts.caPEM}},
+				Timeout: testTimeout},
+			serverTLS: &tls.Config{
+				Certificates: []tls.Certificate{testCerts.serverCert},
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+				ClientCAs:    certPool,
+			},
+			success:  false,
+			errorMsg: "context deadline exceeded",
+		},
 	}
 
 	for _, test := range tests {

core/comm/config.go

@@ -8,6 +8,7 @@ package comm
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"time"
 
 	"google.golang.org/grpc"
@@ -65,6 +66,10 @@ type ClientConfig struct {
 // SecureOptions defines the security parameters (e.g. TLS) for a
 // GRPCServer or GRPCClient instance
 type SecureOptions struct {
+	// VerifyCertificate, if not nil, is called after normal
+	// certificate verification by either a TLS client or server.
+	// If it returns a non-nil error, the handshake is aborted and that error results.
+	VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
 	// PEM-encoded X509 public key to be used for TLS communication
 	Certificate []byte
 	// PEM-encoded private key to be used for TLS communication

core/comm/server.go

@@ -87,6 +87,7 @@ func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig)
 			}
 			//base server certificate
 			grpcServer.tlsConfig = &tls.Config{
+				VerifyPeerCertificate:  secureConfig.VerifyCertificate,
 				GetCertificate:         getCert,
 				SessionTicketsDisabled: true,
 				CipherSuites:           secureConfig.CipherSuites,

core/comm/server_test.go

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package comm_test
 
 import (
+	"bytes"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -20,6 +21,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hyperledger/fabric/common/crypto/tlsgen"
 	"github.com/hyperledger/fabric/core/comm"
 	testpb "github.com/hyperledger/fabric/core/comm/testdata/grpc"
 	"github.com/stretchr/testify/assert"
@@ -656,6 +658,68 @@ func TestNewSecureGRPCServer(t *testing.T) {
 	}
 }
 
+func TestVerifyCertificateCallback(t *testing.T) {
+	t.Parallel()
+
+	ca, err := tlsgen.NewCA()
+	assert.NoError(t, err)
+
+	authorizedClientKeyPair, err := ca.NewClientCertKeyPair()
+	assert.NoError(t, err)
+
+	notAuthorizedClientKeyPair, err := ca.NewClientCertKeyPair()
+	assert.NoError(t, err)
+
+	serverKeyPair, err := ca.NewServerCertKeyPair("127.0.0.1")
+	assert.NoError(t, err)
+
+	verifyFunc := func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		if bytes.Equal(rawCerts[0], authorizedClientKeyPair.TLSCert.Raw) {
+			return nil
+		}
+		return errors.New("certificate mismatch")
+	}
+
+	probeTLS := func(endpoint string, clientKeyPair *tlsgen.CertKeyPair) error {
+		cert, err := tls.X509KeyPair(clientKeyPair.Cert, clientKeyPair.Key)
+		tlsCfg := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      x509.NewCertPool(),
+		}
+		tlsCfg.RootCAs.AppendCertsFromPEM(ca.CertBytes())
+
+		conn, err := tls.Dial("tcp", endpoint, tlsCfg)
+		if err != nil {
+			return err
+		}
+		conn.Close()
+		return nil
+	}
+
+	gRPCServer, err := comm.NewGRPCServer("127.0.0.1:", comm.ServerConfig{
+		SecOpts: &comm.SecureOptions{
+			ClientRootCAs:     [][]byte{ca.CertBytes()},
+			Key:               serverKeyPair.Key,
+			Certificate:       serverKeyPair.Cert,
+			UseTLS:            true,
+			VerifyCertificate: verifyFunc,
+		},
+	})
+	go gRPCServer.Start()
+	defer gRPCServer.Stop()
+
+	t.Run("Success path", func(t *testing.T) {
+		err = probeTLS(gRPCServer.Address(), authorizedClientKeyPair)
+		assert.NoError(t, err)
+	})
+
+	t.Run("Failure path", func(t *testing.T) {
+		err = probeTLS(gRPCServer.Address(), notAuthorizedClientKeyPair)
+		assert.EqualError(t, err, "remote error: tls: bad certificate")
+	})
+
+}
+
 func TestNewSecureGRPCServerFromListener(t *testing.T) {
 
 	t.Parallel()