External launch metadata uses PEM encoding

The `chaincode.json` generated by the peer for use with external builders and launchers uses strings to hold the PEM encoded certificates and keys provided to the chaincode. This change prevents base64 encoding of the (already) base64 PEM encoded materials. In practical terms, we no longer need to use `base64 --decode` in the run scripts. FAB-17007 # done Change-Id: I3ab3818ec5e82e86a2bb7975720384236163bd63 Signed-off-by: Matthew Sykes <sykesmat@us.ibm.com>
hyperledger · Nov 11, 2019 · f52af9a · f52af9a
1 parent 7b3fafc
commit f52af9a
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 24 deletions.
diff --git a/core/container/externalbuilders/externalbuilders.go b/core/container/externalbuilders/externalbuilders.go
@@ -381,9 +381,9 @@ func (b *Builder) Release(buildContext *BuildContext) error {
 type RunConfig struct {
 	CCID        string `json:"chaincode_id"`
 	PeerAddress string `json:"peer_address"`
-	ClientCert  []byte `json:"client_cert"`
-	ClientKey   []byte `json:"client_key"`
-	RootCert    []byte `json:"root_cert"`
+	ClientCert  string `json:"client_cert"` // PEM encoded client certifcate
+	ClientKey   string `json:"client_key"`  // PEM encoded client key
+	RootCert    string `json:"root_cert"`   // PEM encoded peer chaincode certificate
 }
 
 type RunStatus struct {
@@ -422,9 +422,9 @@ func (b *Builder) Run(ccid, bldDir string, peerConnection *ccintf.PeerConnection
 	}
 
 	if peerConnection.TLSConfig != nil {
-		lc.ClientCert = peerConnection.TLSConfig.ClientCert
-		lc.ClientKey = peerConnection.TLSConfig.ClientKey
-		lc.RootCert = peerConnection.TLSConfig.RootCert
+		lc.ClientCert = string(peerConnection.TLSConfig.ClientCert)
+		lc.ClientKey = string(peerConnection.TLSConfig.ClientKey)
+		lc.RootCert = string(peerConnection.TLSConfig.RootCert)
 	}
 
 	launchDir, err := ioutil.TempDir("", "fabric-run")

diff --git a/core/container/externalbuilders/testdata/goodbuilder/bin/run b/core/container/externalbuilders/testdata/goodbuilder/bin/run
@@ -1,11 +1,12 @@
 #!/bin/bash
 
-OUTPUT_JSON="$(jq -S . $2/chaincode.json)"
+OUTPUT_JSON="$(jq -S . "$2/chaincode.json")"
 
-EXPECTED_JSON="$(echo '{"chaincode_id":"test-ccid","peer_address":"fake-peer-address","client_cert":"ZmFrZS1jbGllbnQtY2VydA==","client_key":"ZmFrZS1jbGllbnQta2V5","root_cert":"ZmFrZS1yb290LWNlcnQ="}' | jq -S .)"
+EXPECTED_JSON="$(echo '{"chaincode_id":"test-ccid","peer_address":"fake-peer-address","client_cert":"fake-client-cert","client_key":"fake-client-key","root_cert":"fake-root-cert"}' | jq -S .)"
 
 if [ "$OUTPUT_JSON" = "$EXPECTED_JSON" ] ; then
     exit 0
 fi
 
+echo "got $OUTPUT_JSON; want $EXPECTED_JSON"
 exit 1
diff --git a/integration/externalbuilders/binary/bin/run b/integration/externalbuilders/binary/bin/run
@@ -14,21 +14,19 @@ fi
 OUTPUT=$1
 ARTIFACTS=$2
 
-export CORE_CHAINCODE_ID_NAME="$(jq -r .chaincode_id $ARTIFACTS/chaincode.json)"
-export CORE_TLS_CLIENT_CERT_PATH="$ARTIFACTS/client.crt"
-export CORE_TLS_CLIENT_KEY_PATH="$ARTIFACTS/client.key"
+# shellcheck disable=SC2155
+export CORE_CHAINCODE_ID_NAME="$(jq -r .chaincode_id "$ARTIFACTS/chaincode.json")"
+export CORE_PEER_TLS_ENABLED="true"
+export CORE_TLS_CLIENT_CERT_FILE="$ARTIFACTS/client.crt"
+export CORE_TLS_CLIENT_KEY_FILE="$ARTIFACTS/client.key"
 export CORE_PEER_TLS_ROOTCERT_FILE="$ARTIFACTS/root.crt"
 
-# Note, for strange historical reasons, the chaincode expects the cert and key
-# to be base64 encoded, but not the root cert.
-jq -r .client_cert $ARTIFACTS/chaincode.json > "$CORE_TLS_CLIENT_CERT_PATH"
-jq -r .client_key $ARTIFACTS/chaincode.json > "$CORE_TLS_CLIENT_KEY_PATH"
-jq -r .root_cert $ARTIFACTS/chaincode.json | base64 --decode > "$CORE_PEER_TLS_ROOTCERT_FILE"
+jq -r .client_cert "$ARTIFACTS/chaincode.json" > "$CORE_TLS_CLIENT_CERT_FILE"
+jq -r .client_key  "$ARTIFACTS/chaincode.json" > "$CORE_TLS_CLIENT_KEY_FILE"
+jq -r .root_cert   "$ARTIFACTS/chaincode.json" > "$CORE_PEER_TLS_ROOTCERT_FILE"
 
-if [ -z "$(cat $CORE_TLS_CLIENT_CERT_PATH)" ]  ; then
-    export CORE_PEER_TLS_ENABLED=false
-else
-    export CORE_PEER_TLS_ENABLED=true
+if [ -z "$(jq -r .client_cert "$ARTIFACTS/chaincode.json")" ]; then
+    export CORE_PEER_TLS_ENABLED="false"
 fi
 
-exec "$OUTPUT/chaincode" -peer.address=$(jq -r .peer_address "$ARTIFACTS/chaincode.json")
+exec "$OUTPUT/chaincode" -peer.address="$(jq -r .peer_address "$ARTIFACTS/chaincode.json")"
diff --git a/integration/externalbuilders/golang/bin/run b/integration/externalbuilders/golang/bin/run
@@ -21,9 +21,9 @@ export CORE_TLS_CLIENT_CERT_FILE="$ARTIFACTS/client.crt"
 export CORE_TLS_CLIENT_KEY_FILE="$ARTIFACTS/client.key"
 export CORE_PEER_TLS_ROOTCERT_FILE="$ARTIFACTS/root.crt"
 
-jq -r .root_cert   "$ARTIFACTS/chaincode.json" | base64 --decode > "$CORE_PEER_TLS_ROOTCERT_FILE"
-jq -r .client_key  "$ARTIFACTS/chaincode.json" | base64 --decode > "$CORE_TLS_CLIENT_KEY_FILE"
-jq -r .client_cert "$ARTIFACTS/chaincode.json" | base64 --decode > "$CORE_TLS_CLIENT_CERT_FILE"
+jq -r .client_cert "$ARTIFACTS/chaincode.json" > "$CORE_TLS_CLIENT_CERT_FILE"
+jq -r .client_key  "$ARTIFACTS/chaincode.json" > "$CORE_TLS_CLIENT_KEY_FILE"
+jq -r .root_cert   "$ARTIFACTS/chaincode.json" > "$CORE_PEER_TLS_ROOTCERT_FILE"
 
 if [ -z "$(jq -r .client_cert "$ARTIFACTS/chaincode.json")" ]; then
     export CORE_PEER_TLS_ENABLED="false"