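package security

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"math"

	"github.com/jpmorganchase/quorum-security-plugin-sdk-go/proto"
)

var (
	// defaultCipherSuites is used when the plugin does not supply a cipher
	// suite list. Only ECDHE suites with 256-bit AES are listed.
	// NOTE(review): the two CBC-SHA entries are not AEAD suites and are
	// weaker than the GCM ones; presumably kept for compatibility with older
	// peers — confirm before removing them.
	defaultCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	}
)

// TLSConfigurationSourcePluginGateway fetches TLS material from a security
// plugin over the TLSConfigurationSource gRPC client.
type TLSConfigurationSourcePluginGateway struct {
	client proto.TLSConfigurationSourceClient
}

// Get asks the plugin for its TLS configuration and converts it to a
// *tls.Config. It returns (nil, nil) when the plugin answers with no data,
// which callers must treat as "TLS not configured" rather than an error.
// Transport errors from the plugin client are returned unchanged so callers
// can still inspect them with their existing status handling.
func (c *TLSConfigurationSourcePluginGateway) Get(ctx context.Context) (*tls.Config, error) {
	resp, err := c.client.Get(ctx, &proto.TLSConfiguration_Request{})
	if err != nil {
		return nil, err
	}
	if resp == nil || resp.GetData() == nil {
		// the plugin has no TLS configuration to hand out
		return nil, nil
	}
	return transform(resp.GetData())
}

// transform converts the raw configuration received from the plugin into the
// *tls.Config used for the JSON RPC servers.
// The customized tls.Config follows: https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go
//
// It returns an error when a plugin-supplied cipher suite ID does not fit in
// a uint16 or when the certificate/key PEM pair cannot be parsed.
func transform(tlsData *proto.TLSConfiguration_Data) (*tls.Config, error) {
	tlsConfig := &tls.Config{
		// prioritize curve preferences from crypto/tls/common.go#defaultCurvePreferences
		CurvePreferences: []tls.CurveID{
			tls.CurveP521,
			tls.CurveP384,
			tls.CurveP256,
			tls.X25519,
		},
		// Support only TLS1.2 & Above
		MinVersion: tls.VersionTLS12,
	}

	received := tlsData.GetCipherSuites()
	var cipherSuites []uint16
	if len(received) == 0 {
		// hand out a private copy: the original assigned the package-level
		// slice directly, so mutating tlsConfig.CipherSuites would have
		// changed the default for every later caller
		cipherSuites = append([]uint16(nil), defaultCipherSuites...)
	} else {
		cipherSuites = make([]uint16, 0, len(received))
		for _, cs := range received {
			// the plugin message carries a wider integer than crypto/tls accepts
			if cs > math.MaxUint16 {
				return nil, errors.New("cipher suite value overflow")
			}
			cipherSuites = append(cipherSuites, uint16(cs))
		}
		// NOTE(review): IDs are not validated against the suites crypto/tls
		// implements; an unknown ID is presumably never negotiated — confirm.
	}
	tlsConfig.CipherSuites = cipherSuites
	// Deprecated and ignored from Go 1.17 (server preference is always used),
	// harmless on older toolchains.
	tlsConfig.PreferServerCipherSuites = true

	cer, err := tls.X509KeyPair(tlsData.GetCertPem(), tlsData.GetKeyPem())
	if err != nil {
		return nil, fmt.Errorf("parsing TLS certificate/key pair from plugin: %w", err)
	}
	tlsConfig.Certificates = []tls.Certificate{cer}

	return tlsConfig, nil
}

// AuthenticationManagerPluginGateway delegates token authentication to a
// security plugin over the AuthenticationManager gRPC client.
type AuthenticationManagerPluginGateway struct {
	client proto.AuthenticationManagerClient
}

// Authenticate forwards the raw token to the plugin and returns whatever
// pre-authenticated token the plugin produces, together with its error.
func (a *AuthenticationManagerPluginGateway) Authenticate(ctx context.Context, token string) (*proto.PreAuthenticatedAuthenticationToken, error) {
	return a.client.Authenticate(ctx, &proto.AuthenticationToken{
		RawToken: []byte(token),
	})
}

// IsEnabled reports that plugin-backed authentication is always enabled;
// ctx is accepted for interface compatibility and is not used.
func (a *AuthenticationManagerPluginGateway) IsEnabled(ctx context.Context) (bool, error) {
	return true, nil
}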