Allow network to keep working after renewing certs with the same key (#5268)

* Allow network to keep working after renewing certs with the same key pair in BFT

Signed-off-by: David VIEJO <[email protected]>

* Refactor certificate verification in dialers

- Updated the `VerifyCertificate` function in `PredicateDialer` to use the provided `verifyFunc` instead of a hardcoded function.
- Removed the logging and verification function in `StandardDialer`, setting it to `nil` for simplicity.

This change enhances flexibility in certificate verification while cleaning up unnecessary code.

Signed-off-by: David VIEJO <[email protected]>

* Remove logging and some comments

Signed-off-by: David VIEJO <[email protected]>

* Improve logging

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

* Add BFT test to verify renewal of certificates is working

Signed-off-by: David VIEJO <[email protected]>

* Refactor certificate handling in SmartBFT and Cluster services

- Renamed `renewOrdererCertificates` to `renewOrdererTLSCertificates` for clarity.
- Introduced `renewOrdererEnrollmentCertificates` to handle enrollment certificate renewal.
- Moved public key extraction logic to `util.go` and updated references in `consenter.go` and `clusterservice.go` to use the new method.
- Improved logging for certificate processing errors.

This refactor enhances code clarity and maintains consistency in certificate management across the codebase.

Signed-off-by: David VIEJO <[email protected]>

* Enhance certificate comparison functionality in Cluster service

- Refactored the `compareCertPublicKeys` function to `CompareCertPublicKeys` for improved clarity and consistency across the codebase.
- Updated references in `clusterservice.go` and `util.go` to utilize the new function.
- Added comprehensive unit tests for `CompareCertPublicKeys`, covering scenarios with certificates having the same public keys but different bytes, as well as handling errors gracefully for malformed certificates.

These changes improve the robustness of certificate handling and verification in the Cluster service.

Signed-off-by: David VIEJO <[email protected]>

* Update logging configuration in SmartBFT end-to-end tests

- Modified the logging specification for orderer runners in `smartbft_test.go` to focus on SmartBFT and gRPC debug logs, enhancing the clarity of test outputs.

Signed-off-by: David VIEJO <[email protected]>

* Updates based on the comments

Signed-off-by: David VIEJO <[email protected]>

* Add chaincode deployment and invocation tests in SmartBFT integration tests

- Implemented chaincode deployment and multiple invocation queries in the end-to-end SmartBFT configuration test.
- Removed unused certificate renewal functions to streamline the code.

These enhancements improve the testing coverage for SmartBFT and ensure proper chaincode functionality.

Signed-off-by: David VIEJO <[email protected]>

* Fixed formatting

Signed-off-by: dviejokfs <[email protected]>

* Remove unused logging statement in SmartBFT certificate renewal process to streamline code and improve clarity.

Signed-off-by: David VIEJO <[email protected]>

---------

Signed-off-by: David VIEJO <[email protected]>
Signed-off-by: dviejokfs <[email protected]>

Author: dviejokfs

integration/smartbft/smartbft_test.go

@@ -11,6 +11,8 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"crypto/ecdsa"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -165,7 +167,118 @@ var _ = Describe("EndToEnd Smart BFT configuration test", func() {
 			By("invoking the chaincode, again")
 			invokeQuery(network, peer, network.Orderers[2], channel, 80)
 		})
+		It("disregards certificate renewal if only the validity period changed", func() {
+			networkConfig := nwo.MultiNodeSmartBFT()
+			networkConfig.Channels = nil
+
+			network = nwo.New(networkConfig, testDir, client, StartPort(), components)
+			network.GenerateConfigTree()
+			network.Bootstrap()
+
+			var ordererRunners []*ginkgomon.Runner
+			for _, orderer := range network.Orderers {
+				runner := network.OrdererRunner(orderer)
+				runner.Command.Env = append(runner.Command.Env, "FABRIC_LOGGING_SPEC=orderer.consensus.smartbft=debug:grpc=debug")
+				ordererRunners = append(ordererRunners, runner)
+				proc := ifrit.Invoke(runner)
+				ordererProcesses = append(ordererProcesses, proc)
+				Eventually(proc.Ready(), network.EventuallyTimeout).Should(BeClosed())
+			}
+
+			peerRunner := network.PeerGroupRunner()
+			peerProcesses = ifrit.Invoke(peerRunner)
+
+			Eventually(peerProcesses.Ready(), network.EventuallyTimeout).Should(BeClosed())
+			peer := network.Peer("Org1", "peer0")
+
+			sess, err := network.ConfigTxGen(commands.OutputBlock{
+				ChannelID:   "testchannel1",
+				Profile:     network.Profiles[0].Name,
+				ConfigPath:  network.RootDir,
+				OutputBlock: network.OutputBlockPath("testchannel1"),
+			})
+			Expect(err).NotTo(HaveOccurred())
+			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
+
+			genesisBlockBytes, err := os.ReadFile(network.OutputBlockPath("testchannel1"))
+			Expect(err).NotTo(HaveOccurred())
+
+			genesisBlock := &common.Block{}
+			err = proto.Unmarshal(genesisBlockBytes, genesisBlock)
+			Expect(err).NotTo(HaveOccurred())
+
+			expectedChannelInfoPT := nwo.ChannelInfo{
+				Name:              "testchannel1",
+				URL:               "/participation/v1/channels/testchannel1",
+				Status:            "active",
+				ConsensusRelation: "consenter",
+				Height:            1,
+			}
+
+			for _, o := range network.Orderers {
+				By("joining " + o.Name + " to channel as a consenter")
+				nwo.Join(network, o, "testchannel1", genesisBlock, expectedChannelInfoPT)
+				channelInfo := nwo.ListOne(network, o, "testchannel1")
+				Expect(channelInfo).To(Equal(expectedChannelInfoPT))
+			}
+
+			By("Waiting for followers to see the leader")
+			Eventually(ordererRunners[1].Err(), network.EventuallyTimeout, time.Second).Should(gbytes.Say("Message from 1"))
+			Eventually(ordererRunners[2].Err(), network.EventuallyTimeout, time.Second).Should(gbytes.Say("Message from 1"))
+			Eventually(ordererRunners[3].Err(), network.EventuallyTimeout, time.Second).Should(gbytes.Say("Message from 1"))
+
+			channel := "testchannel1"
+			By(fmt.Sprintf("Peers with Channel %s are %+v\n", channel, network.PeersWithChannel(channel)))
+			orderer := network.Orderers[0]
+			network.JoinChannel(channel, orderer, network.PeersWithChannel(channel)...)
+
+			By("Killing all orderers")
+			for i := range network.Orderers {
+				ordererProcesses[i].Signal(syscall.SIGTERM)
+				Eventually(ordererProcesses[i].Wait(), network.EventuallyTimeout).Should(Receive())
+			}
+
+			By("Renewing the TLS certificates of the orderers")
+			renewOrdererTLSCertificates(network, network.Orderers...)
+
+			By("Renewing the enrollment certificates of the orderers")
+			renewOrdererEnrollmentCertificates(network, time.Now().Add(time.Hour), network.Orderers...)
+
+			By("Starting the orderers again")
+			for i := range network.Orderers {
+				ordererRunner := network.OrdererRunner(network.Orderers[i])
+				ordererRunners[i] = ordererRunner
+				ordererProcesses[i] = ifrit.Invoke(ordererRunner)
+				Eventually(ordererProcesses[i].Ready(), network.EventuallyTimeout).Should(BeClosed())
+			}
+			updateBatchSize(network, peer, orderer, channel, func(batchSize *ordererProtos.BatchSize) {
+				batchSize.AbsoluteMaxBytes = 1000000
+				batchSize.MaxMessageCount = 300
+			})
+			assertBlockReception(map[string]int{"testchannel1": 1}, network.Orderers, peer, network)
+
+			updateBatchSize(network, peer, orderer, channel, func(batchSize *ordererProtos.BatchSize) {
+				batchSize.AbsoluteMaxBytes = 1000000
+				batchSize.MaxMessageCount = 400
+			})
+
+			assertBlockReception(map[string]int{"testchannel1": 2}, network.Orderers, peer, network)
+
+			By("Try deploying chaincode")
+			peers := network.PeersWithChannel(channel)
+			Expect(len(peers)).ToNot(Equal(0))
 
+			// deploy the chaincode
+			deployChaincode(network, channel, testDir)
+
+			assertBlockReception(map[string]int{"testchannel1": 6}, network.Orderers, peer, network)
+
+			// test the chaincodes
+			invokeQuery(network, peer, orderer, channel, 90)
+			invokeQuery(network, peer, orderer, channel, 80)
+			invokeQuery(network, peer, orderer, channel, 70)
+			invokeQuery(network, peer, orderer, channel, 60)
+		})
 		It("smartbft node addition and removal", func() {
 			networkConfig := nwo.MultiNodeSmartBFT()
 			networkConfig.Channels = nil
@@ -2758,3 +2871,129 @@ func createPrePrepareRequest(
 
 	return req, block
 }
+
+func renewOrdererTLSCertificates(network *nwo.Network, orderers ...*nwo.Orderer) {
+	if len(orderers) == 0 {
+		return
+	}
+	ordererDomain := network.Organization(orderers[0].Organization).Domain
+	ordererTLSCAKeyPath := filepath.Join(network.RootDir, "crypto", "ordererOrganizations",
+		ordererDomain, "tlsca", "priv_sk")
+
+	ordererTLSCAKey, err := os.ReadFile(ordererTLSCAKeyPath)
+	Expect(err).NotTo(HaveOccurred())
+
+	ordererTLSCACertPath := filepath.Join(network.RootDir, "crypto", "ordererOrganizations",
+		ordererDomain, "tlsca", fmt.Sprintf("tlsca.%s-cert.pem", ordererDomain))
+	ordererTLSCACert, err := os.ReadFile(ordererTLSCACertPath)
+	Expect(err).NotTo(HaveOccurred())
+
+	serverTLSCerts := map[string][]byte{}
+	for _, orderer := range orderers {
+		tlsCertPath := filepath.Join(network.OrdererLocalTLSDir(orderer), "server.crt")
+		serverTLSCerts[tlsCertPath], err = os.ReadFile(tlsCertPath)
+		Expect(err).NotTo(HaveOccurred())
+	}
+
+	for filePath, certPEM := range serverTLSCerts {
+		renewedCert := renewCertificate(certPEM, ordererTLSCACert, ordererTLSCAKey, time.Now().Add(time.Hour))
+		err = os.WriteFile(filePath, renewedCert, 0o600)
+		Expect(err).NotTo(HaveOccurred())
+	}
+}
+
+// renewCertificate generates a new certificate with the same public key and subject as the original,
+// but with a new NotAfter (expiration time). Only the expiration is changed.
+func renewCertificate(certPEM, caCertPEM, caKeyPEM []byte, notAfter time.Time) (renewedCertPEM []byte) {
+	// Parse CA private key
+	keyAsDER, _ := pem.Decode(caKeyPEM)
+	caKeyWithoutType, err := x509.ParsePKCS8PrivateKey(keyAsDER.Bytes)
+	Expect(err).NotTo(HaveOccurred())
+	caKey := caKeyWithoutType.(*ecdsa.PrivateKey)
+
+	// Parse CA certificate
+	caCertAsDER, _ := pem.Decode(caCertPEM)
+	caCert, err := x509.ParseCertificate(caCertAsDER.Bytes)
+	Expect(err).NotTo(HaveOccurred())
+
+	// Parse the original certificate
+	certAsDER, _ := pem.Decode(certPEM)
+	cert, err := x509.ParseCertificate(certAsDER.Bytes)
+	Expect(err).NotTo(HaveOccurred())
+
+	// Create a new certificate template with the same fields as the original,
+	// but with a new NotAfter (expiration time)
+	newCert := &x509.Certificate{
+		SerialNumber:          cert.SerialNumber,
+		Subject:               cert.Subject,
+		NotBefore:             cert.NotBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              cert.KeyUsage,
+		ExtKeyUsage:           cert.ExtKeyUsage,
+		UnknownExtKeyUsage:    cert.UnknownExtKeyUsage,
+		BasicConstraintsValid: cert.BasicConstraintsValid,
+		IsCA:                  cert.IsCA,
+		DNSNames:              cert.DNSNames,
+		EmailAddresses:        cert.EmailAddresses,
+		IPAddresses:           cert.IPAddresses,
+		URIs:                  cert.URIs,
+		SubjectKeyId:          cert.SubjectKeyId,
+		AuthorityKeyId:        cert.AuthorityKeyId,
+		SignatureAlgorithm:    cert.SignatureAlgorithm,
+		PublicKeyAlgorithm:    cert.PublicKeyAlgorithm,
+		PublicKey:             cert.PublicKey,
+		PolicyIdentifiers:     cert.PolicyIdentifiers,
+		CRLDistributionPoints: cert.CRLDistributionPoints,
+		OCSPServer:            cert.OCSPServer,
+		IssuingCertificateURL: cert.IssuingCertificateURL,
+		ExtraExtensions:       cert.ExtraExtensions,
+		Extensions:            cert.Extensions,
+	}
+
+	// The CA signs the new certificate
+	certBytes, err := x509.CreateCertificate(rand.Reader, newCert, caCert, cert.PublicKey, caKey)
+	Expect(err).NotTo(HaveOccurred())
+
+	renewedCertPEM = pem.EncodeToMemory(&pem.Block{Bytes: certBytes, Type: "CERTIFICATE"})
+	return
+}
+
+// renewOrdererEnrollmentCertificates renews the signcert for each orderer with a given expirationTime
+// and re-writes it to the orderer's signcerts directory, matching the actual crypto structure.
+func renewOrdererEnrollmentCertificates(network *nwo.Network, notAfter time.Time, orderers ...*nwo.Orderer) {
+	if len(orderers) == 0 {
+		return
+	}
+
+	for _, orderer := range orderers {
+		ordererDomain := network.Organization(orderer.Organization).Domain
+		// Use the orderer name as it appears in the file system, not the nwo.Orderer.ID()
+		// The directory is .../orderers/<ordererName>.<domain>/msp/signcerts/<ordererName>.<domain>-cert.pem
+		ordererName := orderer.Name
+		ordererFQDN := fmt.Sprintf("%s.%s", ordererName, ordererDomain)
+
+		// CA key and cert for the org
+		ordererCAKeyPath := filepath.Join(
+			network.RootDir, "crypto", "ordererOrganizations", ordererDomain, "ca", "priv_sk",
+		)
+		ordererCAKey, err := os.ReadFile(ordererCAKeyPath)
+		Expect(err).NotTo(HaveOccurred())
+
+		ordererCACertPath := filepath.Join(
+			network.RootDir, "crypto", "ordererOrganizations", ordererDomain, "ca", fmt.Sprintf("ca.%s-cert.pem", ordererDomain),
+		)
+		ordererCACert, err := os.ReadFile(ordererCACertPath)
+		Expect(err).NotTo(HaveOccurred())
+
+		// Path to the orderer's signcert
+		ordererSignCertPath := filepath.Join(
+			network.RootDir, "crypto", "ordererOrganizations", ordererDomain, "orderers", ordererFQDN, "msp", "signcerts", fmt.Sprintf("%s-cert.pem", ordererFQDN),
+		)
+		ordererSignCert, err := os.ReadFile(ordererSignCertPath)
+		Expect(err).NotTo(HaveOccurred())
+
+		renewedCert := renewCertificate(ordererSignCert, ordererCACert, ordererCAKey, notAfter)
+		err = os.WriteFile(ordererSignCertPath, renewedCert, 0o600)
+		Expect(err).NotTo(HaveOccurred())
+	}
+}

orderer/common/cluster/clusterservice.go

@@ -163,7 +163,12 @@ func (s *ClusterService) VerifyAuthRequest(stream orderer.ClusterNodeService_Ste
 		return nil, errors.Errorf("node %d is not member of channel %s", authReq.ToId, authReq.Channel)
 	}
 
-	if !bytes.Equal(toIdentity, s.NodeIdentity) {
+	equal, err := CompareCertPublicKeys(toIdentity, s.NodeIdentity)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to compare cert public keys")
+	}
+	if !equal {
+		s.Logger.Debugf("node id mismatch for node %d, toIdentity: %s, s.NodeIdentity: %s", authReq.FromId, string(toIdentity), string(s.NodeIdentity))
 		return nil, errors.Errorf("node id mismatch")
 	}
 
@@ -263,6 +268,7 @@ func (c *ClusterService) ConfigureNodeCerts(channel string, newNodes []*common.C
 		if err != nil {
 			return err
 		}
+
 		channelMembership.MemberMapping[uint64(nodeIdentity.Id)] = sanitizedID
 	}