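SslSessionServerInterceptor.scala

import java.util.Base64
import javax.net.ssl.SSLSession

import com.typesafe.scalalogging.Logger // assumed: scala-logging, which matches Logger(this.getClass)
import io.grpc.{Grpc, Metadata, ServerCall, ServerCallHandler, ServerInterceptor, Status}
// HandshakeRequest is the project's generated protobuf message; import it from its own package.

// Rejects a handshake whose declared key differs from the public key of the
// certificate the peer presented on the TLS connection.
class SslSessionServerInterceptor() extends ServerInterceptor {

  private val logger = Logger(this.getClass)

  def interceptCall[ReqT, RespT](
    call: ServerCall[ReqT, RespT],
    headers: Metadata,
    next: ServerCallHandler[ReqT, RespT]
  ): ServerCall.Listener[ReqT] = new InterceptionListener(next.startCall(call, headers), call)

  private class InterceptionListener[ReqT, RespT](next: ServerCall.Listener[ReqT], call: ServerCall[ReqT, RespT]) extends ServerCall.Listener[ReqT] {
    // All events except onMessage are passed through unchanged.
    override def onHalfClose(): Unit = next.onHalfClose()
    override def onCancel(): Unit = next.onCancel()
    override def onComplete(): Unit = next.onComplete()
    override def onReady(): Unit = next.onReady()

    override def onMessage(message: ReqT): Unit = {
      message match {
        case handshake: HandshakeRequest =>
          // The attribute is null when the call did not arrive over TLS.
          val sslSession: Option[SSLSession] = Option(call.getAttributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION))
          if (sslSession.isEmpty) {
            logger.error("No SSL Session found in server call")
            close("No SSL Session found in server call")
          } else {
            sslSession.foreach { session =>
              // getPeerCertificates throws SSLPeerUnverifiedException when the client
              // presented no certificate; the first element is the peer's own certificate.
              // getEncoded returns the DER SubjectPublicKeyInfo of its public key.
              val pubKey = Base64.getEncoder.encodeToString(session.getPeerCertificates.head.getPublicKey.getEncoded)
              if (pubKey == handshake.key) {
                next.onMessage(message)
              } else {
                logger.error("Wrong public key")
                close("Wrong public key")
              }
            }
          }
        // Only the handshake is checked; every other message is forwarded.
        case _ => next.onMessage(message)
      }
    }

    // Aborts the call; the description names the check that failed.
    private def close(description: String): Unit =
      throw Status.UNAUTHENTICATED.withDescription(description).asRuntimeException()
  }
}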

GRPC-Java and secp256k1 certificates

Motivation

RChain tokens (RHOC) are ERC20 tokens based on Ethereum, and Ethereum uses elliptic-curve cryptography (ECC) over the secp256k1 curve for private/public key creation. During the swap from RHOC to REV (the actual RChain currency) it's desirable that users can keep their public address (private/public keys) and just change the Ethereum address prefix from 0x to the RChain address prefix.

Node dependencies

In our first attempt we used a netty library for TLS encryption that is statically linked with Google's BoringSSL (netty-tcnative-boringssl-static). However, it turned out that BoringSSL doesn't support the secp256k1 group of ECC. To run the node with secp256k1, GRPC-Java must be used together with OpenSSL on the host machine. This means that OpenSSL must be configured as a dependency in each of the deployment profiles (DEB, RPM, Docker and JAR).
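A preflight check for the OpenSSL dependency described above, as an added example that is not part of the RChain code base: it confirms that the host's OpenSSL knows the secp256k1 group and prints the Base64 SubjectPublicKeyInfo of a certificate, which is the string the interceptor compares against the handshake key. The function names and the file names node.key.pem and node.certificate.pem are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check that the host OpenSSL can serve secp256k1 certificates.
# Function and file names are hypothetical, not taken from the project.

# Succeeds only if the openssl binary on PATH lists the secp256k1 group.
has_secp256k1() {
  openssl ecparam -list_curves 2>/dev/null | grep -q 'secp256k1'
}

# Generates a throwaway secp256k1 key and self-signed certificate in directory $1.
# The subject name is constructed sample data.
make_test_cert() {
  openssl ecparam -name secp256k1 -genkey -noout -out "$1/node.key.pem" &&
  openssl req -new -x509 -key "$1/node.key.pem" -days 1 \
    -subj "/CN=constructed-test-node" -out "$1/node.certificate.pem" 2>/dev/null
}

# Prints the named curve of the public key in PEM certificate $1.
cert_curve() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# Prints the Base64 DER SubjectPublicKeyInfo of PEM certificate $1. Java's
# getPublicKey.getEncoded returns the same DER structure for an X.509 key.
cert_pubkey_b64() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl base64 -A
}

# Stand-alone use: pass a certificate path to check the host and the certificate.
if [ -n "${1:-}" ]; then
  has_secp256k1 || { echo "openssl on PATH lacks secp256k1" >&2; exit 1; }
  [ "$(cert_curve "$1")" = "secp256k1" ] || { echo "$1 is not a secp256k1 certificate" >&2; exit 1; }
  cert_pubkey_b64 "$1"; echo
fi
```

Run it in each deployment profile's image or package test, so a host whose OpenSSL lacks the curve fails before the node starts.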