383 grpc over tls (#384)

* 383: Create script to generate certificates for TLS secured connection. * 383: GRPC secured by TLS x509 certificates. * 383: Use inner context in gossip.
bartossh · Mar 9, 2024 · 864c0a1 · 864c0a1
1 parent 9467a89
commit 864c0a1
Show file tree

Hide file tree

Showing 26 changed files with 269 additions and 48 deletions.
diff --git a/.gitignore b/.gitignore
@@ -41,9 +41,10 @@ c/client-node/packages/
 # test_wallet
 ./artefacts/test_wallet
 
-# pem files
+# pem files and certificates
 ed25519
-ed25519.pub
+*.pub
+*.pem
 
 # k8s config
 kubeconfig.yaml
@@ -54,7 +55,7 @@ __pycache__
 
 # test wallets 
 ed*
-wallet*
+wallet_*
 
 # DataBase backup
 .bak
diff --git a/README.md b/README.md
@@ -255,6 +255,8 @@ notary_server: # This section allows you to set up notary server parameters. The
   public_url: localhost:8000 # The notary server public IP that server will use to introduce itself.
   port: 8000 # The port at which the notary server will run.
   data_size_bytes: 15000 # Max data size per transaction in bytes.
+  certificate: "./certificates/server_cert.pem" # Path to server certificate.
+  key: "./certificates/server_key.pem" # Path to server key.
 gossip_server: # This section allows to set up gossip protocol server. The gossip protocol endpoints are run by this server. GRPC.
   url: "localhost:8080" # The notary server URL that server will use to introduce itself in the gossip network.
   genesis_url: # The genesis node URL from which the server will read all URLs of other nodes interconnected in that gossip network and introduce itself via gossip discovery protocol. When empty it starts the node as the first one in the network waiting for connections.
@@ -264,6 +266,9 @@ gossip_server: # This section allows to set up gossip protocol server. The gossi
     currency: 1000000 # Amount of primus tokens created during genesis.
     supplementary_currency: 0 # Amount of secundus tokens created during genesis.
   port: 8080 # Port on which GRPC server of gossip protocol will run.
+  certificate: "./certificates/server_cert.pem" # Path to server certificate.
+  key: "./certificates/server_key.pem" # Path to server key.
+  ca_cert: "./certificates/ca_cert.pem" # Path to certificate authority.
 accountant: # Accountant section allows to set up DAG accounting details.
   trusted_nodes_db_path: # Path to storage on disc for trusted nodes. When empty stored in RAM. Vertices created by trusted nodes have permission to be added to the DAG without balance accounting.  
   tokens_db_path: # Path to storage of access tokens. When empty stored in RAM.
@@ -280,6 +285,7 @@ file_operator: # File operator section allows to provide the path and decoding k
   wallet_path: "artefacts/wallet_notary_genesis" # Path to wallet.
   wallet_passwd: "dc6b5b1635453e0eb57344ffb6cb293e8300fc4001fad3518e721d548459c09d" # HEX string to encode wallet. 
   pem_path: "" # If PEM is used provide pem file.
+  ca_cert: "./certificates/ca_cert.pem" # Path to certificate authority.
 zinc_logger: # Zinc search section allows to connect the node to the zinc search so all logs are send to the zinc search server. 
   address: # Address of zinc search server. When empty logs goes to stdout.
   index: genesis # Specify the index for logs from currant node. Should be unique between all nodes.

diff --git a/artefacts/test_wallet b/artefacts/test_wallet
diff --git a/certificates/certificates.sh b/certificates/certificates.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Create the server CA certs.
+openssl req -x509 \
+	-newkey rsa:4096 \
+	-nodes \
+	-days 3650 \
+	-keyout ca_key.pem \
+	-out ca_cert.pem \
+	-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server_ca/ \
+	-config ./openssl.cnf \
+	-extensions test_ca \
+	-sha256
+
+# Create the client CA certs.
+openssl req -x509 \
+	-newkey rsa:4096 \
+	-nodes \
+	-days 3650 \
+	-keyout client_ca_key.pem \
+	-out client_ca_cert.pem \
+	-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client_ca/ \
+	-config ./openssl.cnf \
+	-extensions test_ca \
+	-sha256
+
+# Generate a server cert.
+openssl genrsa -out server_key.pem 4096
+openssl req -new \
+	-key server_key.pem \
+	-days 3650 \
+	-out server_csr.pem \
+	-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server1/ \
+	-config ./openssl.cnf \
+	-reqexts test_server
+openssl x509 -req \
+	-in server_csr.pem \
+	-CAkey ca_key.pem \
+	-CA ca_cert.pem \
+	-days 3650 \
+	-set_serial 1000 \
+	-out server_cert.pem \
+	-extfile ./openssl.cnf \
+	-extensions test_server \
+	-sha256
+openssl verify -verbose -CAfile ca_cert.pem server_cert.pem
+
+# Generate a client cert.
+openssl genrsa -out client_key.pem 4096
+openssl req -new \
+	-key client_key.pem \
+	-days 3650 \
+	-out client_csr.pem \
+	-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
+	-config ./openssl.cnf \
+	-reqexts test_client
+openssl x509 -req \
+	-in client_csr.pem \
+	-CAkey client_ca_key.pem \
+	-CA client_ca_cert.pem \
+	-days 3650 \
+	-set_serial 1000 \
+	-out client_cert.pem \
+	-extfile ./openssl.cnf \
+	-extensions test_client \
+	-sha256
+openssl verify -verbose -CAfile client_ca_cert.pem client_cert.pem
+
+rm *_csr.pem
diff --git a/certificates/openssl.cnf b/certificates/openssl.cnf
@@ -0,0 +1,28 @@
+[req]
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+
+[req_distinguished_name]
+
+[req_attributes]
+
+[test_ca]
+basicConstraints        = critical,CA:TRUE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+keyUsage                = critical,keyCertSign
+
+[test_server]
+basicConstraints        = critical,CA:FALSE
+subjectKeyIdentifier    = hash
+keyUsage                = critical,digitalSignature,keyEncipherment,keyAgreement
+subjectAltName          = @server_alt_names
+
+[server_alt_names]
+DNS.1 = *
+
+[test_client]
+basicConstraints        = critical,CA:FALSE
+subjectKeyIdentifier    = hash
+keyUsage                = critical,nonRepudiation,digitalSignature,keyEncipherment
+extendedKeyUsage        = critical,clientAuth
diff --git a/conf/setup_bare.yaml b/conf/setup_bare.yaml
@@ -3,8 +3,10 @@ notary_server:
   public_url: localhost:8000
   port: 8000
   data_size_bytes: 15000
+  certificate: "./certificates/server_cert.pem"
+  key: "./certificates/server_key.pem" 
 gossip_server:
-  url: "localhost:8080"
+  url: localhost:8080
   genesis_url:
   load_dag_url:
   genesis_receiver: "1HspmQ7wjnKh9qhNdZ94Ta9c3ugsT9XoWJ9CdS32B1kSTBckpZ"
@@ -13,14 +15,17 @@ gossip_server:
     supplementary_currency: 0
   vertices_db_path:
   port: 8080
+  certificate: "./certificates/server_cert.pem"
+  key: "./certificates/server_key.pem" 
+  ca_cert: "./certificates/ca_cert.pem" 
 accountant:
   trusted_nodes_db_path:
   tokens_db_path:
   trxs_to_vertices_map_db_path:
   vertices_db_path:
   truncate_at_weight: 0
 nats:
-  server_address: 
+  server_address:
   client_name: "notary-genesis"
   token: "D9pHfuiEQPXtqPqPdyxozi8kU2FlHqC0FlSRIzpwDI0="
 dataprovider:
@@ -29,6 +34,7 @@ file_operator:
   wallet_path: "artefacts/wallet_notary_genesis"
   wallet_passwd: "dc6b5b1635453e0eb57344ffb6cb293e8300fc4001fad3518e721d548459c09d"
   pem_path: ""
+  ca_cert: "./certificates/ca_cert.pem" 
 webhooks_server:
   port: 8000
 zinc_logger:

diff --git a/conf/setup_bare_dependant.yaml b/conf/setup_bare_dependant.yaml
@@ -0,0 +1,43 @@
+is_profiling: false
+notary_server:
+  public_url: localhost:8001
+  port: 8001
+  data_size_bytes: 15000
+  certificate: "./certificates/server_cert.pem"
+  key: "./certificates/server_key.pem" 
+gossip_server:
+  url: localhost:8081
+  genesis_url: localhost:8080
+  load_dag_url: localhost:8080
+  genesis_receiver:
+  genesis_spice:
+    currency:
+    supplementary_currency:
+  vertices_db_path:
+  port: 8081
+  certificate: "./certificates/server_cert.pem"
+  key: "./certificates/server_key.pem" 
+  ca_cert: "./certificates/ca_cert.pem" 
+accountant:
+  trusted_nodes_db_path:
+  tokens_db_path:
+  trxs_to_vertices_map_db_path:
+  vertices_db_path:
+  truncate_at_weight: 0
+nats:
+  server_address:
+  client_name: "notary-dependant"
+  token: "D9pHfuiEQPXtqPqPdyxozi8kU2FlHqC0FlSRIzpwDI0="
+dataprovider:
+  longevity: 300
+file_operator:
+  wallet_path: "artefacts/wallet_notary_one"
+  wallet_passwd: "ce6c5f7da2b791befa726cebe1df78d7d01439a8292d26e116e894cb75f49e2e"
+  pem_path: ""
+  ca_cert: "./certificates/ca_cert.pem" 
+webhooks_server:
+  port: 8000
+zinc_logger:
+  address:
+  index: genesis
+  token: Basic YWRtaW46emluY3NlYXJjaA==
diff --git a/makefile b/makefile
@@ -58,6 +58,9 @@ generate-secret:
 generate-protobuf:
 	protoc --proto_path=protobuf --go-grpc_out=src/protobufcompiled --go_out=src/protobufcompiled --go-grpc_opt=paths=source_relative --go_opt=paths=source_relative  computantistypes.proto wallet.proto gossip.proto notary.proto webhooks.proto addons.proto
 
+generate-certificates:
+	cd ./certificates && ./certificates.sh
+
 run-node:
 	./bin/dedicated/node -c conf/setup_example.yaml &
 

diff --git a/src/aeswrapper/aeswrapper.go → src/aeswrapper/aes.wrapper.go b/src/aeswrapper/aeswrapper.go → src/aeswrapper/aes.wrapper.go
diff --git a/src/aeswrapper/aeswrapper_test.go → src/aeswrapper/aes.wrapper_test.go b/src/aeswrapper/aeswrapper_test.go → src/aeswrapper/aes.wrapper_test.go
diff --git a/src/cmd/wallet/main.go b/src/cmd/wallet/main.go
@@ -40,9 +40,10 @@ func main() {
 		walletFile   string
 		walletPasswd string
 		nodeURL      string
+		cert         string
 	)
 
-	configurator := func(pemFile, walletFile, walletPasswd string) (configuration.Configuration, error) {
+	configurator := func(pemFile, walletFile, walletPasswd, cert string) (configuration.Configuration, error) {
 		var cfg configuration.Configuration
 
 		if pemFile == "" {
@@ -56,7 +57,7 @@ func main() {
 		cfg.FileOperator.WalletPemPath = pemFile
 		cfg.FileOperator.WalletPath = walletFile
 		cfg.FileOperator.WalletPasswd = walletPasswd
-
+		cfg.FileOperator.CAPath = cert
 		return cfg, nil
 	}
 
@@ -69,7 +70,7 @@ func main() {
 				Aliases: []string{"n"},
 				Usage:   "Creates new wallet and saves it to encrypted GOBINARY file and PEM format.",
 				Action: func(_ *cli.Context) error {
-					cfg, err := configurator(pemFile, walletFile, walletPasswd)
+					cfg, err := configurator(pemFile, walletFile, walletPasswd, cert)
 					if err != nil {
 						return err
 					}
@@ -107,7 +108,7 @@ func main() {
 				Aliases: []string{"tp"},
 				Usage:   "Reads GOBINARY and saves it to PEM file format.",
 				Action: func(_ *cli.Context) error {
-					cfg, err := configurator(pemFile, walletFile, walletPasswd)
+					cfg, err := configurator(pemFile, walletFile, walletPasswd, cert)
 					if err != nil {
 						return err
 					}
@@ -145,7 +146,7 @@ func main() {
 				Aliases: []string{"tg"},
 				Usage:   "Reads PEM file format and saves it to GOBINARY encrypted file format.",
 				Action: func(_ *cli.Context) error {
-					cfg, err := configurator(pemFile, walletFile, walletPasswd)
+					cfg, err := configurator(pemFile, walletFile, walletPasswd, cert)
 					if err != nil {
 						return err
 					}
@@ -183,7 +184,7 @@ func main() {
 				Aliases: []string{"a"},
 				Usage:   "Reads wallet public address.",
 				Action: func(_ *cli.Context) error {
-					cfg, err := configurator(pemFile, walletFile, walletPasswd)
+					cfg, err := configurator(pemFile, walletFile, walletPasswd, cert)
 					if err != nil {
 						return err
 					}
@@ -214,7 +215,7 @@ func main() {
 				Aliases: []string{"c"},
 				Usage:   "Establish connection with node.",
 				Action: func(_ *cli.Context) error {
-					cfg, err := configurator(pemFile, walletFile, walletPasswd)
+					cfg, err := configurator(pemFile, walletFile, walletPasswd, cert)
 					if err != nil {
 						return err
 					}
@@ -245,6 +246,13 @@ func main() {
 						Destination: &walletPasswd,
 						Required:    true,
 					},
+					&cli.StringFlag{
+						Name:        "cert",
+						Aliases:     []string{"c"},
+						Usage:       "Path to certificate authority file.",
+						Destination: &cert,
+						Required:    true,
+					},
 				},
 			},
 		},
@@ -260,7 +268,7 @@ func runTransactionOps(cfg fileoperations.Config, nodeURL string) error {
 	ctx := context.Background()
 	h := fileoperations.New(cfg, aeswrapper.New())
 	verify := wallet.NewVerifier()
-	c, err := walletmiddleware.NewClient(nodeURL, &verify, &h, wallet.New)
+	c, err := walletmiddleware.NewClient(nodeURL, cfg.CAPath, &verify, &h, wallet.New)
 	if err != nil {
 		return fmt.Errorf("cannot establish connection to the node %s", nodeURL)
 	}
@@ -288,13 +296,13 @@ func runTransactionOps(cfg fileoperations.Config, nodeURL string) error {
 				continue
 			}
 			if v == 0.0 {
-				printError(errors.New("transfer value canot be 0"))
+				printError(errors.New("transfer value cannot be 0"))
 				continue
 			}
 			melange := spice.FromFloat(v)
 			result, _ := pterm.DefaultInteractiveConfirm.Show(
 				fmt.Sprintf(
-					"Are you sure you want to transfer [ %s ] tokans to [ %s ].\n",
+					"Are you sure you want to transfer [ %s ] tokens to [ %s ].\n",
 					melange.String(), receiver,
 				),
 			)

diff --git a/src/fileoperations/fileoperations.go → src/fileoperations/file.operations.go b/src/fileoperations/fileoperations.go → src/fileoperations/file.operations.go
@@ -2,9 +2,10 @@ package fileoperations
 
 // Config holds configuration of the file operator Helper.
 type Config struct {
-	WalletPath    string `yaml:"wallet_path"`   // wpath to the wallet gob file
+	WalletPath    string `yaml:"wallet_path"`   // wallet path to the wallet gob file
 	WalletPasswd  string `yaml:"wallet_passwd"` // password to the wallet gob file in hex format
 	WalletPemPath string `yaml:"pem_path"`      // path to ed25519 pem file
+	CAPath        string `yaml:"ca_cert"`       // path to ed25519 pem file
 }
 
 // Helper holds all file operation methods.