[FAB-17129] Configure peer and orderer to use PKCS#11 as BCCSP in int…

…egration test Signed-off-by: Tiffany Harris <tiffany.harris@ibm.com>
hyperledger · Oct 5, 2020 · bf0b300 · bf0b300
1 parent 8407bc8
commit bf0b300
Show file tree

Hide file tree

Showing 6 changed files with 539 additions and 0 deletions.
diff --git a/integration/nwo/fabricconfig/core.go b/integration/nwo/fabricconfig/core.go
@@ -170,13 +170,22 @@ type Authentication struct {
 type BCCSP struct {
 	Default string            `yaml:"Default,omitempty"`
 	SW      *SoftwareProvider `yaml:"SW,omitempty"`
+	PKCS11  *PKCS11           `yaml:"PKCS11,omitempty"`
 }
 
 type SoftwareProvider struct {
 	Hash     string `yaml:"Hash,omitempty"`
 	Security int    `yaml:"Security,omitempty"`
 }
 
+type PKCS11 struct {
+	Hash     string `yaml:"Hash,omitempty"`
+	Security int    `yaml:"Security,omitempty"`
+	Pin      string `yaml:"Pin,omitempty"`
+	Label    string `yaml:"Label,omitempty"`
+	Library  string `yaml:"Library,omitempty"`
+}
+
 type DeliveryClient struct {
 	ReconnectTotalTimeThreshold time.Duration      `yaml:"reconnectTotalTimeThreshold,omitempty"`
 	AddressOverrides            []*AddressOverride `yaml:"addressOverrides,omitempty"`

diff --git a/integration/nwo/network.go b/integration/nwo/network.go
@@ -416,6 +416,28 @@ func (n *Network) userCryptoDir(org *Organization, nodeOrganizationType, user, c
 	)
 }
 
+// PeerOrgCADir returns the path to the folder containing the CA certificate(s) and/or
+// keys for the specified peer organization.
+func (n *Network) PeerOrgCADir(o *Organization) string {
+	return filepath.Join(
+		n.CryptoPath(),
+		"peerOrganizations",
+		o.Domain,
+		"ca",
+	)
+}
+
+// OrdererOrgCADir returns the path to the folder containing the CA certificate(s) and/or
+// keys for the specified orderer organization.
+func (n *Network) OrdererOrgCADir(o *Organization) string {
+	return filepath.Join(
+		n.CryptoPath(),
+		"ordererOrganizations",
+		o.Domain,
+		"ca",
+	)
+}
+
 // PeerUserMSPDir returns the path to the MSP directory containing the
 // certificates and keys for the specified user of the peer.
 func (n *Network) PeerUserMSPDir(p *Peer, user string) string {

diff --git a/integration/pkcs11/p11key.go b/integration/pkcs11/p11key.go
@@ -0,0 +1,62 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package pkcs11
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"encoding/asn1"
+	"fmt"
+	"io"
+	"math/big"
+
+	"github.com/miekg/pkcs11"
+)
+
+// P11ECDSAKey test implementation of crypto.Signer.
+type P11ECDSAKey struct {
+	ctx              *pkcs11.Ctx
+	session          pkcs11.SessionHandle
+	publicKey        *ecdsa.PublicKey
+	privateKeyHandle pkcs11.ObjectHandle
+}
+
+// Public returns the corresponding public key for the
+// private key.
+func (k *P11ECDSAKey) Public() crypto.PublicKey {
+	return k.publicKey
+}
+
+// Sign implements crypto.Signer Sign(). Signs the digest the with the private key and returns a byte signature.
+func (k *P11ECDSAKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
+	if len(digest) != opts.HashFunc().Size() {
+		return nil, fmt.Errorf("digest length does not equal hash function length")
+	}
+
+	mech := []*pkcs11.Mechanism{
+		pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil),
+	}
+
+	err = k.ctx.SignInit(k.session, mech, k.privateKeyHandle)
+	if err != nil {
+		return nil, fmt.Errorf("sign init failed: %s", err)
+	}
+
+	signature, err = k.ctx.Sign(k.session, digest)
+	if err != nil {
+		return nil, fmt.Errorf("sign failed: %s", err)
+	}
+
+	type ECDSASignature struct{ R, S *big.Int }
+
+	R := new(big.Int)
+	S := new(big.Int)
+	R.SetBytes(signature[0 : len(signature)/2])
+	S.SetBytes(signature[len(signature)/2:])
+
+	return asn1.Marshal(ECDSASignature{R: R, S: S})
+}
diff --git a/integration/pkcs11/pkcs11_suite_test.go b/integration/pkcs11/pkcs11_suite_test.go
@@ -0,0 +1,54 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package pkcs11
+
+import (
+	"encoding/json"
+	"testing"
+
+	bpkcs11 "github.com/hyperledger/fabric/bccsp/pkcs11"
+	"github.com/hyperledger/fabric/integration"
+	"github.com/hyperledger/fabric/integration/nwo"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestPKCS11(t *testing.T) {
+	RegisterFailHandler(Fail)
+	lib, pin, label := bpkcs11.FindPKCS11Lib()
+	if lib == "" || pin == "" || label == "" {
+		t.Skip("Skipping PKCS11 Suite: Required ENV variables not set")
+	}
+	RunSpecs(t, "PKCS11 Suite")
+}
+
+var (
+	buildServer *nwo.BuildServer
+	components  *nwo.Components
+)
+
+var _ = SynchronizedBeforeSuite(func() []byte {
+	buildServer = nwo.NewBuildServer("-tags=pkcs11")
+	buildServer.Serve()
+
+	components = buildServer.Components()
+	payload, err := json.Marshal(components)
+	Expect(err).NotTo(HaveOccurred())
+	return payload
+}, func(payload []byte) {
+	err := json.Unmarshal(payload, &components)
+	Expect(err).NotTo(HaveOccurred())
+})
+
+var _ = SynchronizedAfterSuite(func() {
+}, func() {
+	buildServer.Shutdown()
+})
+
+func StartPort() int {
+	return integration.PKCS11Port.StartPortForNode()
+}