-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect parsing of SSL certificates and keys in ChaincodeBase in external launcher case #220
Comments
Hello @emc2. you're correct that throughout Fabric there are two ways of handling certificates. And it is not always clear which is needed where. Which external builder are you using? Just on a 'admin' point - we're keen to get contributors and would like to limit the 'hoops' needed? Can you suggest what blockers we could look at removing? Thanks |
We started out using the example Java external builder/launcher (I forget where exactly, but there's a boilerplate example). We later modified it so that we can just directly deploy JARs, but the issue is the same. It sets up certs in a temporary directory, and they are in PEM format. As to the 'hoops', that's got to do with my org (research lab). We are in fact hoping to make contributions, but there are various checks, sponsor approval, etc. that we have to clear. |
I understand the issues with 'hoops' :-) Problem with the certificates is that when started by the peer the certificates get passed as base64, hence why there are a multitude of options. Not great I freely admit.
Think the best thing is to permit each form to be used, but have the PEM version have precedence if both specified. On the subject of JAR files - were you aware that without using an external builder, you can supply a fully built JAR? It does get run in the fabric-javaenv docker image, so that might not match your requirements as to Java version. Alternatively, chaincode-as-a-service gives you complete freedom in how the chaincode is run. |
All of our work explicitly avoids the use of docker, for a number of reasons. We are using the external builder/launcher, installing with basic OS packages (which we have built), and doing all the setup and config with ansible. At least the version of peer (2.2.4) that we are using drops regular PEM-encoded certs into a temp directory when it calls the external builder/launcher scripts. I verified this by modifying the scripts, and a patch that has trustManager and keyManager read in the files directly (with no base64 decoding) gets things working for us. |
@emc2 and @jt-nti I've coded up PR #222 to try and make this easier to use. Thinking more about it however, I wonder if that PR is the wrong approach.
Thoughts welcome! |
FYI _ I've added the tag of help-wanted... I agree that the chaincodes should be consistent in the their approach to certificates... but personally I've not got the resources to make this update myself... |
ChaincodeBase attempts to parse SSL certificates and keys provided by an external launcher in the following manner:
This fails, because the certs deployed by the external builder are in PEM format, but the code attempts to Base64 decode them.
The fix is obvious, and I have used it successfully in testing (however, I would have to jump through a bunch of hoops to contribute it, so someone else should probably do it).
The text was updated successfully, but these errors were encountered: