feat(secret): remove Validator/Verifier secret keys from repository

- Remove validator sample CA keys hardcoded inside the repository.
- Generate fresh ECDSA keys when starting up electricity-trade
  or discounted-asset-trade sample apps.
- Add support for RSA CA keys in fabric-socketio validator.
  I couldn't find any trivial way of generating ECDSA self-signed certificate
  (without calling openssl cmdline, which seems poor from functional test perspective),
  so I've added support for RSA keys to simplify the tests.
- Allow selection of jwt algorithm in  fabric-socketio validator.
  It must correspond to the key used.
- Update the READMEs, add short description of SSL config option of fabric-socketio validator.

Closes: 2016
Closes: 2017

Depends on: 1977
Depends on: 2030

Signed-off-by: Michal Bajer <[email protected]>

Author: outSH

examples/cactus-example-discounted-asset-trade/Dockerfile

@@ -17,7 +17,7 @@ RUN apt-get update \
 # Note - indy_sdk:latest  must be ABI compatible with this image OS
 COPY --from=indy-sdk-cli:latest /usr/lib/libindy.so /usr/lib/
 
-COPY ./package.json ./dist/yarn.lock ./dist/fabric-connector.crt ./dist/ethereum-connector.crt ./dist/indy-connector.crt ./
+COPY ./package.json ./dist/yarn.lock ./
 RUN yarn add "${CACTUS_CMD_SOCKETIO_PATH}" "@hyperledger/cactus-verifier-client@${NPM_PKG_VERSION}" \
         --production --ignore-engines --non-interactive --cache-folder ./.yarnCache && \
     rm -rf ./.yarnCache

examples/cactus-example-discounted-asset-trade/config/validator-registry-config.yaml

@@ -3,7 +3,7 @@ ledgerPluginInfo:
     validatorID: 84jUisrs
     validatorType: legacy-socketio
     validatorURL: https://ethereum-validator:5050
-    validatorKeyPath: /root/cactus/ethereum-connector.crt
+    validatorKeyPath: /etc/cactus/connector-go-ethereum-socketio/CA/connector.crt
     maxCounterRequestID: 100
     syncFunctionTimeoutMillisecond: 5000
     socketOptions:
@@ -42,7 +42,7 @@ ledgerPluginInfo:
     validatorID: r9IS4dDf
     validatorType: legacy-socketio
     validatorURL: https://fabric-socketio-validator:5040
-    validatorKeyPath: /root/cactus/fabric-connector.crt
+    validatorKeyPath: /etc/cactus/connector-fabric-socketio/CA/connector.crt
     maxCounterRequestID: 100
     syncFunctionTimeoutMillisecond: 5000
     socketOptions:
@@ -57,7 +57,7 @@ ledgerPluginInfo:
     validatorID: 3PfTJw8g
     validatorType: legacy-socketio
     validatorURL: http://indy-validator-nginx:10080
-    validatorKeyPath: /root/cactus/indy-connector.crt
+    validatorKeyPath: /etc/cactus/validator_socketio_indy/CA/connector.crt
     maxCounterRequestID: 100
     syncFunctionTimeoutMillisecond: 5000
     socketOptions:

examples/cactus-example-discounted-asset-trade/package.json

@@ -11,12 +11,7 @@
     "build": "npm run build-ts && npm run build:dev:backend:postbuild",
     "build-ts": "tsc",
     "build_pip_indy_package": "cd ../../packages-python/cactus_validator_socketio_indy && python3 setup.py bdist_wheel",
-    "build:dev:backend:postbuild": "npm run copy-yarn-lock && npm run copy-validator-keys",
-    "copy-yarn-lock": "cp -f ../../yarn.lock ./dist/",
-    "copy-validator-keys": "npm run copy-fabric-key && npm run copy-ethereum-key && npm run copy-indy-key",
-    "copy-fabric-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-fabric-socketio/sample-config/CA/connector.crt ./dist/fabric-connector.crt",
-    "copy-ethereum-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/CA/connector.crt ./dist/ethereum-connector.crt",
-    "copy-indy-key": "cp -fr ../../packages-python/cactus_validator_socketio_indy/sample-CA/connector.crt ./dist/indy-connector.crt"
+    "build:dev:backend:postbuild": "cp -f ../../yarn.lock ./dist/"
   },
   "dependencies": {
     "axios": "0.24.0",

examples/cactus-example-discounted-asset-trade/script-start-ledgers.sh

@@ -13,6 +13,50 @@ export CACTUS_FABRIC_ALL_IN_ONE_CONTAINER_NAME="asset_trade_faio2x_testnet"
 export CACTUS_FABRIC_ALL_IN_ONE_VERSION="2.2.0"
 export CACTUS_FABRIC_TEST_LOOSE_MEMBERSHIP=1
 
+# Cert options
+CERT_CURVE_NAME="prime256v1"
+CERT_COUNTRY="JP"
+CERT_STATE="Tokyo"
+CERT_LOCALITY="Minato-Ku"
+CERT_ORG="CactusSamples"
+
+# generate_certificate <common-name> <destination>
+function generate_certificate() {
+    # Check OpenSSL command existance
+    if ! openssl version > /dev/null; then
+        echo "Could not execute [openssl version], check if OpenSSL tool is available on the system."
+        exit 1;
+    fi
+
+    # Check input parameters
+    ARGS_NUMBER=2
+    if [ "$#" -lt "$ARGS_NUMBER" ]; then
+        echo "generate_certificate called with wrong number of arguments (expected - $ARGS_NUMBER, actual - $#)";
+        exit 2
+    fi
+
+    common_name=$1
+    destination=$2
+    subject="/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_LOCALITY/O=$CERT_ORG/CN=$common_name"
+    echo "Create new cert in '${destination}' with subject '${subject}'"
+
+    # Crete destination path
+    if [ ! -d "$destination" ]; then
+        echo "Re-create destination dir..."
+        rm -rf "$destination"
+        mkdir -p "$destination"
+    fi
+
+    keyPath="${destination}/connector.priv"
+    csrPath="${destination}/connector.csr"
+    certPath="${destination}/connector.crt"
+
+    # Generate keys
+    openssl ecparam -genkey -name "$CERT_CURVE_NAME" -out "$keyPath"
+    openssl req -new -sha256 -key "$keyPath" -out "$csrPath" -subj "$subject"
+    openssl req -x509 -sha256 -days 365 -key "$keyPath" -in "$csrPath" -out "$certPath"
+}
+
 function start_fabric_testnet() {
     echo ">> start_fabric_testnet()"
     pushd "${ROOT_DIR}/tools/docker/fabric-all-in-one"
@@ -54,6 +98,7 @@ function copy_fabric_validator_config() {
     echo ">> copy_fabric_validator_config()"
     cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-fabric-socketio/sample-config/* \
         "${CONFIG_VOLUME_PATH}/connector-fabric-socketio/"
+    generate_certificate "FabricSocketIOCactusValidator" "${CONFIG_VOLUME_PATH}/connector-fabric-socketio/CA/"
     echo ">> copy_fabric_validator_config() done."
 
     echo ">> copy_fabric_wallet()"
@@ -71,6 +116,7 @@ function copy_ethereum_validator_config() {
     echo ">> copy_ethereum_validator_config()"
     cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/* \
         "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/"
+    generate_certificate "GoEthereumCactusValidator" "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/CA/"
     echo ">> copy_ethereum_validator_config() done."
 }
 
@@ -91,7 +137,7 @@ function copy_indy_validator_config() {
 
 function copy_indy_validator_ca() {
     echo ">> copy_indy_validator_ca()"
-    cp -fr "${ROOT_DIR}/packages-python/cactus_validator_socketio_indy/sample-CA/" "${CONFIG_VOLUME_PATH}/validator_socketio_indy/CA"
+    generate_certificate "IndyCactusValidator" "${CONFIG_VOLUME_PATH}/validator_socketio_indy/CA/"
     echo ">> copy_indy_validator_ca() done."
 }
 

examples/cactus-example-electricity-trade/Dockerfile

@@ -6,7 +6,7 @@ ENV APP_HOME=/root/cactus
 
 WORKDIR ${APP_HOME}
 
-COPY ./dist/yarn.lock ./package.json ./dist/ethereum-connector.crt ./dist/sawtooth-connector.crt ./
+COPY ./dist/yarn.lock ./package.json ./
 RUN yarn add "${CACTUS_CMD_SOCKETIO_PATH}" "@hyperledger/cactus-verifier-client@${NPM_PKG_VERSION}" \
         --production --ignore-engines --non-interactive --cache-folder ./.yarnCache && \
     rm -rf ./.yarnCache

examples/cactus-example-electricity-trade/config/validator-registry-config.yaml

@@ -3,7 +3,7 @@ ledgerPluginInfo:
     validatorID: 84jUisrs
     validatorType: legacy-socketio
     validatorURL: https://ethereum-validator:5050
-    validatorKeyPath: /root/cactus/ethereum-connector.crt
+    validatorKeyPath: /etc/cactus/connector-go-ethereum-socketio/CA/connector.crt
     maxCounterRequestID: 100
     syncFunctionTimeoutMillisecond: 5000
     socketOptions:
@@ -42,7 +42,7 @@ ledgerPluginInfo:
     validatorID: sUr7d10R
     validatorType: legacy-socketio
     validatorURL: https://sawtooth-validator:5140
-    validatorKeyPath: /root/cactus/sawtooth-connector.crt
+    validatorKeyPath: /etc/cactus/connector-sawtooth-socketio/CA/connector.crt
     maxCounterRequestID: 100
     syncFunctionTimeoutMillisecond: 5000
     socketOptions:

examples/cactus-example-electricity-trade/package.json

@@ -10,11 +10,7 @@
     "start": "docker-compose build && docker-compose up",
     "build": "npm run build-ts && npm run build:dev:backend:postbuild",
     "build-ts": "tsc",
-    "build:dev:backend:postbuild": "npm run copy-yarn-lock && npm run copy-validator-keys",
-    "copy-yarn-lock": "cp -f ../../yarn.lock ./dist/",
-    "copy-validator-keys": "npm run copy-ethereum-key && npm run copy-sawtooth-key",
-    "copy-ethereum-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/CA/connector.crt ./dist/ethereum-connector.crt",
-    "copy-sawtooth-key": "cp -fr ../../packages/cactus-plugin-ledger-connector-sawtooth-socketio/sample-config/CA/connector.crt ./dist/sawtooth-connector.crt"
+    "build:dev:backend:postbuild": "cp -f ../../yarn.lock ./dist/"
   },
   "dependencies": {
     "@types/node": "14.18.12",

examples/cactus-example-electricity-trade/script-start-ledgers.sh

@@ -7,6 +7,50 @@ set -e
 ROOT_DIR="../.." # Path to cactus root dir
 CONFIG_VOLUME_PATH="./etc/cactus" # Docker volume with shared configuration
 
+# Cert options
+CERT_CURVE_NAME="prime256v1"
+CERT_COUNTRY="JP"
+CERT_STATE="Tokyo"
+CERT_LOCALITY="Minato-Ku"
+CERT_ORG="CactusSamples"
+
+# generate_certificate <common-name> <destination>
+function generate_certificate() {
+    # Check OpenSSL command existance
+    if ! openssl version > /dev/null; then
+        echo "Could not execute [openssl version], check if OpenSSL tool is available on the system."
+        exit 1;
+    fi
+
+    # Check input parameters
+    ARGS_NUMBER=2
+    if [ "$#" -lt "$ARGS_NUMBER" ]; then
+        echo "generate_certificate called with wrong number of arguments (expected - $ARGS_NUMBER, actual - $#)";
+        exit 2
+    fi
+
+    common_name=$1
+    destination=$2
+    subject="/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_LOCALITY/O=$CERT_ORG/CN=$common_name"
+    echo "Create new cert in '${destination}' with subject '${subject}'"
+
+    # Crete destination path
+    if [ ! -d "$destination" ]; then
+        echo "Re-create destination dir..."
+        rm -rf "$destination"
+        mkdir -p "$destination"
+    fi
+
+    keyPath="${destination}/connector.priv"
+    csrPath="${destination}/connector.csr"
+    certPath="${destination}/connector.crt"
+
+    # Generate keys
+    openssl ecparam -genkey -name "$CERT_CURVE_NAME" -out "$keyPath"
+    openssl req -new -sha256 -key "$keyPath" -out "$csrPath" -subj "$subject"
+    openssl req -x509 -sha256 -days 365 -key "$keyPath" -in "$csrPath" -out "$certPath"
+}
+
 function start_ethereum_testnet() {
     pushd "${ROOT_DIR}/tools/docker/geth-testnet"
     ./script-start-docker.sh
@@ -17,6 +61,7 @@ function copy_ethereum_validator_config() {
     echo ">> copy_ethereum_validator_config()"
     cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-go-ethereum-socketio/sample-config/* \
         "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/"
+    generate_certificate "GoEthereumCactusValidator" "${CONFIG_VOLUME_PATH}/connector-go-ethereum-socketio/CA/"
     echo ">> copy_ethereum_validator_config() done."
 }
 
@@ -33,6 +78,7 @@ function copy_sawtooth_validator_config() {
     echo ">> copy_sawtooth_validator_config()"
     cp -fr ${ROOT_DIR}/packages/cactus-plugin-ledger-connector-sawtooth-socketio/sample-config/* \
         "${CONFIG_VOLUME_PATH}/connector-sawtooth-socketio/"
+    generate_certificate "SawtoothCactusValidator" "${CONFIG_VOLUME_PATH}/connector-sawtooth-socketio/CA/"
     echo ">> copy_sawtooth_validator_config() done."
 }
 

packages-python/cactus_validator_socketio_indy/.gitignore

@@ -1 +1,2 @@
-CactusValidatorSocketIOIndy.egg-info/
+CactusValidatorSocketIOIndy.egg-info/
+testcli/connector.crt

packages-python/cactus_validator_socketio_indy/Dockerfile

@@ -10,10 +10,10 @@ WORKDIR /home/indy
 COPY --chown=indy:indy './dist/CactusValidatorSocketIOIndy-0.0.1-py3-none-any.whl' '/home/indy'
 RUN pip3 install /home/indy/CactusValidatorSocketIOIndy-0.0.1-py3-none-any.whl
 
-user root
+USER root
 RUN python3 /home/indy/.local/lib/python3.8/site-packages/other/post_install_script.py
 
-user indy
+USER indy
 ARG pool_ip=172.16.0.2
 ENV TEST_POOL_IP=$pool_ip
 

packages-python/cactus_validator_socketio_indy/README.md

@@ -15,22 +15,25 @@
 1. Start indy testnet pool (follow instructions from `../../tools/docker/indy-testnet/` README). It should create docker network `indy-testnet_indy_net`, pool should be available at `172.16.0.2`.
 1. Generate proof and store it in local `/etc/cactus`:
     ```
+    rm -r /etc/cactus/validator_socketio_indy/*
     cd ../../examples/register-indy-data/
-
     ./script-build-docker.sh
-
     docker run --rm -ti -v/etc/cactus/:/etc/cactus/ --net="host" register-indy-data --proof_only
     ```
 1. Copy indy validator config
     ```
-    mkdir -p /etc/cactus/validator_socketio_indy/
-    rm -r /etc/cactus/validator_socketio_indy/*
     cp -rf ./config/* /etc/cactus/validator_socketio_indy/
     ```
-1. Copy default validator CA
+1. Generate validator certificate using OpenSSL tool
     ```
-    rm -r /etc/cactus/validator_socketio_indy/CA
-    cp -rf ./sample-CA/ /etc/cactus/validator_socketio_indy/CA
+    mkdir -p "/etc/cactus/validator_socketio_indy/CA/"
+    openssl ecparam -genkey -name "prime256v1" -out "/etc/cactus/validator_socketio_indy/CA/connector.priv"
+    openssl req -new -sha256 -key "/etc/cactus/validator_socketio_indy/CA/connector.priv" \
+        -out "/etc/cactus/validator_socketio_indy/CA/connector.csr" \
+        -subj "/C=JP/ST=Tokyo/L=Minato-Ku/O=CactusSamples/CN=IndyValidator"
+    openssl req -x509 -sha256 -days 365 -key "/etc/cactus/validator_socketio_indy/CA/connector.priv" \
+        -in "/etc/cactus/validator_socketio_indy/CA/connector.csr" \
+        -out "/etc/cactus/validator_socketio_indy/CA/connector.crt"
     ```
 1. Build and run validator container:
     ```
@@ -41,9 +44,8 @@
 1. Open separate console, install dependencies and run the testing script:
     ```
     cd testcli/
-
+    ln -s /etc/cactus/validator_socketio_indy/CA/connector.crt .
     npm install
-
     node testsock.js
     ```
 

packages-python/cactus_validator_socketio_indy/post_install_script.py

@@ -73,6 +73,7 @@ def __copy(source: str, destination: str) -> bool:
     # Copy supervisord.conf file
     if __copy(source=f'{SITE_PACKAGES}/other/supervisord.conf', destination='/etc'):
         print('supervisord file successfully copied')
+
     # Copy utils.py
     if __copy(source=f'{UTILS_LOCATION}/utils.py',
               destination=f'{VALIDATOR_DST_DIR}/validator_socketio_module'):

packages-python/cactus_validator_socketio_indy/sample-CA/connector.crt

@@ -36,7 +36,7 @@ export function verifyValidatorJwt(
 ): Promise<JwtPayload> {
   return new Promise((resolve, reject) => {
     const option: VerifyOptions = {
-      algorithms: ["ES256"],
+      algorithms: ["ES256", "ES384", "ES512", "RS256", "RS384", "RS512"],
     };
 
     verify(

packages-python/cactus_validator_socketio_indy/sample-CA/connector.priv

@@ -1,13 +1,31 @@
+/**
+ * @deprecated Moved to packages/cactus-test-tooling/src/main/typescript/pki/self-signed-pki-generator.ts
+ */
+
 import { pki, md } from "node-forge";
 import { v4 as uuidV4 } from "uuid";
 import { Strings } from "@hyperledger/cactus-common";
 
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeKeyPair = pki.rsa.KeyPair;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgePrivateKey = pki.rsa.PrivateKey;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeCertificate = pki.Certificate;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeCertificateField = pki.CertificateField;
 
 /**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ *
  * PKI as in public key infrastructure and x509 certificates.
  */
 export interface IPki {
@@ -18,6 +36,8 @@ export interface IPki {
 }
 
 /**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ *
  * Do not use this for anything in a production deployment. It's meant as a helper
  * class for development and testing purposes (enhancing developer experience).
  *

packages-python/cactus_validator_socketio_indy/testcli/connector.crt

@@ -64,6 +64,10 @@ docker run -v/etc/cactus/:/etc/cactus -p 5040:5040 --net=fabric-all-in-one_testn
 npm run start
 ```
 
+## Configuration
+- Validator can be configured in `/etc/cactus/connector-fabric-socketio/default.yaml` (see [sample-config](./sample-config/default.yaml) for details).
+- This configuration can be overwriten in `NODE_CONFIG` environment variable (JSON format). See functional tests for example of that.
+
 ## Usage samples
 - To confirm the operation of this package, please refer to the following business-logic sample application:
     - [cactus-example-discounted-asset-trade](../../examples/cactus-example-discounted-asset-trade)