Peer cli assist for client request/response processing

Signed-off-by: michael steiner <[email protected]>

Author: g2flyer

fabric/bin/peer.sh

@@ -500,13 +500,106 @@ handle_lifecycle_chaincode_initEnclave() {
 # Chaincode command wrappers
 #--------------------------------------------
 
+handle_chaincode_call() {
+    CMD=$1; shift
+
+    OTHER_ARGS=()
+    while [[ $# > 0 ]]; do
+        case "$1" in
+	    -C|--channelID)
+		CHAN_ID=$2;
+		shift; shift
+		;;
+            --peerAddresses)
+		PEER_ADDRESS=$2
+		EXPLICIT_PEER=1
+		shift; shift
+		;;
+            -n|--name)
+                CC_NAME=$2;
+                shift; shift
+                ;;
+            -c|--ctor)
+                CC_MSG=$2;
+                shift; shift
+                ;;
+	    -I|--isInit)
+                IS_INIT=$2;
+                shift; shift
+                ;;
+	    --transient)
+                TRANSIENT=$2;
+                shift; shift
+                ;;
+            *)
+		# these args we pass to both enclave query and validation invoke
+		# e.g., --clientauth, --(tls|ca|cert|key)*, --(waitFor|conn*)*, --order*
+                OTHER_ARGS+=( "$1" )
+                shift
+                ;;
+            esac
+    done
+
+    # - iff it is not a fpc pkg
+    if [ ! -f "${FABRIC_STATE_DIR}/is-fpc-c-chaincode.${CC_NAME}"* ]; then
+	[ -z ${DEBUG+x} ] || say "non-FPC chaincode"
+	return
+    else
+	[ -z ${DEBUG+x} ] || say "FPC chaincode"
+    fi
+
+    # - check for unsupported options $IS_INIT, $TRANSIENT
+    [ -z "${IS_INIT}" ] || die "--isInit/-I is not supported for for FPC chaincodes"
+    [ -z "${TRANSIENT}" ] || die "--transient is not supported for for FPC chaincodes"
+
+
+
+    #  [ -z ${DEBUG+x} ] || ...
+
+
+    # - query ercc.queryChaincodeEncryptionKey for chaincode encryption key
+    #   cc_ek=....
+    #  [ -z ${DEBUG+x} ] || ...
+    # - if no endpoint specified, query ercc.queryChaincodeEndPoints for endpoint
+    #  [ -z ${DEBUG+x} ] || ...
+    #   
+    # - start cli assist with input to fd 3 and output from fd 4, a fifo
+    #   result_pipe=$(mktemp -u -t peer_cli_assistXXXX)
+    #   mkfifo $result_pipe || die "can't create fifo '${result_pipe}'"
+    #   exec 3> >(${PEER_ASSIST_CMD} handleRequestAndResponse "${cc_ek}" "${result_pipe}")
+    #   assist_pid=$!
+    #   exec 4<${result_pipe}
+    # - send clear-text request to assist
+    #  [ -z ${DEBUG+x} ] || ...
+    #   echo >&3 "${request_json}"
+    # - receive encrypted request from assist
+    #   read <&4 encrypted_request
+    #  [ -z ${DEBUG+x} ] || ...
+    # - query enclave
+    #   encrypted_response=... endpoint __invoke ${encrypted_request}
+    #   (must include `--peerAddresses PEER_ADDRESS`, but only once?)
+    # - send encrypted response to assist
+    #  [ -z ${DEBUG+x} ] || ...
+    #   echo >&3 "${encrypted_response}"
+    # - receive decrypted response from assist
+    #   read <&4 decrypted_response
+    #  [ -z ${DEBUG+x} ] || ...
+    # - get assist return code
+    #   wait ${assist_pid}
+    #   rc=$?
+    #   [ ${rc} == 0 ] || die "assist could not properly transform requests/responses (rc=${rc})"
+    #  [ -z ${DEBUG+x} ] || ...
+    # - invoke validation of enclave endorsement
+    #   validation_response=invoke __endorse ${encrypted_response}
+}
+
 handle_chaincode_invoke() {
-    # TODO: eventually add client-side encryption/decryption
+    handle_chaincode_call "invoke" "$@"
     return
 }
 
 handle_chaincode_query() {
-    # TODO: eventually add client-side encryption/decryption
+    handle_chaincode_call "query" "$@"
     return
 }
 

utils/fabric/Makefile

@@ -10,9 +10,11 @@ GO_CMDS= get-fabric-container-name peer-cli-assist
 
 build: $(GO_CMDS)
 
-$(GO_CMDS): 
+$(GO_CMDS): FORCE
 	$(GO) build $(GOTAGS) ./$@.src/$@.go 
 
+FORCE:
+
 test: build
 
 clean: 

utils/fabric/peer-cli-assist.src/peer-cli-assist.go

@@ -7,21 +7,39 @@
 package main
 
 import (
+	"bufio"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"strings"
 
 	"github.com/hyperledger-labs/fabric-private-chaincode/client_sdk/go/fpc"
+	"github.com/hyperledger-labs/fabric-private-chaincode/client_sdk/go/fpc/crypto"
+	"github.com/hyperledger/fabric/common/flogging"
 )
 
+var logger = flogging.MustGetLogger("peer-cli-assist")
+
 func printHelp() {
 	fmt.Printf(
-		`Usage: %s [attestation2Evidence | createEncryptRequest | processEncryptedResponse]
+		`Usage: %s [attestation2Evidence | handleRequestAndResponse <cid> <pipe>]
 - attestation2Evidence: convert attestation to evidence in (base64-encoded) Credentials protobuf
-- createEncryptRequest: create a (base64-encoded) encrypted fpc chaincode request protobuf
-- processEncryptedResponse: decrypt and validate an (base64-encoded) encrypted fpc chaincode response protobuf
-Input and outpus are via stdin and stdout, respectively.`,
+  (Input and outpus are via stdin and stdout, respectively.)
+- handleRequestAndResponse: handles the encryption of invocation requests as well as the decryption
+  of the corresponding responses.
+  Expects three parameters
+  - <c_ek> the chaincode encryption key, as returned from ercc.QueryChaincodeEncryptionKey 
+    (i.e., a base64-encoded string)
+  - <pipe> a path to an (existing) fifo file through which the results are communicated back
+  As input, expects two lines
+  - a (single line!) json string in peer cli format '{"Function": "...", "Args": [...]}' with the invocation params, 
+    after which it returns (as single line) the (base64-encoded) ChaincodeRequestMessage protobuf, and then
+  - a (base64-encoded) ChaincodeResponseMessage protobuf, after which it will decrypt it and 
+    return a json-encoded fabric response protobuf object
+`,
 		os.Args[0])
+	// TODO: above we have to fix the response payload format (json?)
 }
 
 func main() {
@@ -45,12 +63,13 @@ func main() {
 			os.Exit(1)
 		}
 		fmt.Printf("%s\n", credentialsStringOut)
-	case "createEncryptRequest":
-		fmt.Fprintf(os.Stderr, "FATAL: command %s not yet implemented\n", os.Args[1])
-		os.Exit(1)
-	case "processEncryptedResponse":
-		fmt.Fprintf(os.Stderr, "FATAL: command %s not yet implemented\n", os.Args[1])
-		os.Exit(1)
+	case "handleRequestAndResponse":
+		if len(os.Args) != 4 {
+			fmt.Fprintf(os.Stderr, "ERROR: command 'handleRequestAndResponse' needs exactly two arguments\n")
+			printHelp()
+			os.Exit(1)
+		}
+		handleEncryptedRequestAndResponse(os.Args[2], os.Args[3])
 	default:
 		fmt.Fprintf(os.Stderr, "ERROR: Illegal command '%s'\n", os.Args[1])
 		printHelp()
@@ -59,3 +78,74 @@ func main() {
 
 	os.Exit(0)
 }
+
+func handleEncryptedRequestAndResponse(chaincodeEncryptionKey string, resultPipeName string) {
+	reader := bufio.NewReader(os.Stdin)
+	resultPipeFile, err := os.OpenFile(resultPipeName, os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: couldn't open pipe '%s': %v\n", resultPipeName, err)
+		os.Exit(1)
+	}
+
+	// read request
+	requestJSON, err := reader.ReadString('\n')
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: couldn't read json request: %v\n", err)
+		os.Exit(1)
+	}
+	type Request struct {
+		Function string
+		Args     []string
+	}
+	clearRequest := &Request{}
+	if err := json.Unmarshal([]byte(requestJSON), clearRequest); err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: unexpected json '%s': %v\n", requestJSON, err)
+		os.Exit(1)
+	}
+
+	// setup crypto context
+	ep := &crypto.EncryptionProviderImpl{
+		GetCcEncryptionKey: func() ([]byte, error) {
+			// TODO: might have to do some re-formatting, e.g., de-hex, here?
+			return []byte(chaincodeEncryptionKey), nil
+		}}
+
+	ctx, err := ep.NewEncryptionContext()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: could not setup crypto context: %v\n", err)
+		os.Exit(1)
+	}
+	logger.Debugf("Setup crypto context based on CC-ek '%v'", chaincodeEncryptionKey)
+
+	// encrypt request ...
+	encryptedRequest, err := ctx.Conceal(clearRequest.Function, clearRequest.Args)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: could not encrypt request: %v\n", err)
+		os.Exit(1)
+	}
+	// ... and return it
+	logger.Debugf("Transformed request '%v' to '%v' and write to pipe '%s'", clearRequest, encryptedRequest, resultPipeName)
+	resultPipeFile.WriteString(fmt.Sprintf("%s\n", encryptedRequest))
+
+	// read encrypted response ...
+	encryptedResponse, err := reader.ReadString('\n')
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: couldn't read encrypted response: %v\n", err)
+		os.Exit(1)
+	}
+	encryptedResponse = strings.TrimSuffix(encryptedResponse, "\n")
+
+	// .. decrypt it ..
+	// TODO: requires fix in Conceal & ecc/mock
+	// - should be base64 encoded
+	// - encrypted response should be a proper (serialized) response object, not only a string, and hence conceal should
+	//   return the deserialized response, not a byte array ..
+	clearResponse, err := ctx.Reveal([]byte(encryptedResponse))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "ERROR: could not decrypt response: %v\n", err)
+		os.Exit(1)
+	}
+	// TODO: create a (single-line) json encoding once we get above a proper response object ...
+	logger.Debugf("Transformed response '%v' to '%v' and write to pipe '%s'", encryptedResponse, clearResponse, resultPipeName)
+	resultPipeFile.WriteString(fmt.Sprintf("%s\n", clearResponse))
+}

utils/fabric/peer-cli-assist.src/test.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Copyright 2020 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#set -ex 
+
+result_pipe=$(mktemp -u -t testpipeXXXX)
+mkfifo $result_pipe
+
+cc_ek="a-key"
+exec  3> >( ./peer-cli-assist handleRequestAndResponse "${cc_ek}" "${result_pipe}")
+assist_pid=$!
+exec 4<${result_pipe}
+
+echo >&3 '{"Function":"init", "Args": ["MyAuctionHouse"]}'
+
+read <&4 encrypted_request
+echo "encrypted_request='$encrypted_request'"
+
+echo >&3 "I'm supposed to be an base64 encoded serialized ChaincodeResponseMessage"
+read <&4 decrypted_response
+echo "decrypted_response='$decrypted_response'"
+
+wait ${assist_pid}
+echo "child exit code=$?"
+
+rm $result_pipe