...
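```scala
import java.util.Base64
import javax.net.ssl.SSLSession

import io.grpc.{Grpc, Metadata, ServerCall, ServerCallHandler, ServerInterceptor, Status}
// Assumption: Logger is scala-logging's Logger. HandshakeRequest is the node's
// own protobuf message and must be imported from the project's generated code.
import com.typesafe.scalalogging.Logger

class SslSessionServerInterceptor() extends ServerInterceptor {

  private val logger = Logger(this.getClass)

  def interceptCall[ReqT, RespT](
      call: ServerCall[ReqT, RespT],
      headers: Metadata,
      next: ServerCallHandler[ReqT, RespT]
  ): ServerCall.Listener[ReqT] =
    new InterceptionListener(next.startCall(call, headers), call)

  private class InterceptionListener[ReqT, RespT](
      next: ServerCall.Listener[ReqT],
      call: ServerCall[ReqT, RespT]
  ) extends ServerCall.Listener[ReqT] {

    // All events except onMessage are passed through unchanged.
    override def onHalfClose(): Unit = next.onHalfClose()
    override def onCancel(): Unit    = next.onCancel()
    override def onComplete(): Unit  = next.onComplete()
    override def onReady(): Unit     = next.onReady()

    override def onMessage(message: ReqT): Unit =
      message match {
        case handshake: HandshakeRequest =>
          // The TLS session of the underlying transport, if there is one.
          val sslSession: Option[SSLSession] =
            Option(call.getAttributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION))
          if (sslSession.isEmpty) {
            logger.error("No SSL Session found in server call")
            close()
          } else {
            sslSession.foreach { session =>
              // Base64 of the encoded public key from the peer's leaf certificate.
              val pubKey = Base64.getEncoder.encodeToString(
                session.getPeerCertificates.head.getPublicKey.getEncoded
              )
              // The key claimed in the handshake must be the key the peer
              // presented during the TLS handshake.
              if (pubKey == handshake.key) {
                next.onMessage(message)
              } else {
                logger.error("Wrong public key")
                close()
              }
            }
          }
        // Only handshake messages are checked; everything else is forwarded.
        case _ => next.onMessage(message)
      }

    // Aborts handling of the message by throwing an UNAUTHENTICATED status exception.
    private def close(): Unit =
      throw Status.UNAUTHENTICATED.withDescription("Wrong public key").asRuntimeException()
  }
}
```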
gRPC-Java and secp256k1 certificates
Motivation
RChain tokens (RHOC) are ERC20 tokens on Ethereum, and Ethereum uses the elliptic curve secp256k1 (ECC) for private/public key creation. During the swap from RHOC to REV (the actual RChain currency) it is desirable that users can keep their public address (private/public keys) and just change the Ethereum address prefix from 0x to the RChain address prefix.
Node dependencies
In our first attempt we used, for TLS encryption, a netty library that is statically linked with Google's BoringSSL (netty-tcnative-boringssl-static). However, it turned out that BoringSSL doesn't support the secp256k1 group of ECC. To run the node with secp256k1, gRPC-Java must be used together with OpenSSL on the host machine. This means that OpenSSL must be configured as a dependency in each of the deployment profiles (DEB, RPM, Docker and JAR).
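A startup check for the dependency described above, as an added example that is not the node's own code: it refuses to build the TLS context unless netty-tcnative has loaded a native library other than BoringSSL. The names OpenSslTransport, requireOpenSsl and serverContext are hypothetical; the example assumes grpc-netty (unshaded) and a dynamically linked netty-tcnative on the classpath, and that a BoringSSL build reports "BoringSSL" in its version string.

```scala
import java.io.File

import io.grpc.netty.GrpcSslContexts
import io.netty.handler.ssl.{ClientAuth, OpenSsl, SslContext, SslContextBuilder, SslProvider}

// Hypothetical helper; names are illustrative, not taken from the node.
object OpenSslTransport {

  /** Fails fast unless a native TLS library other than BoringSSL is loaded.
    * Returns the library's version string so it can be logged at startup. */
  def requireOpenSsl(): String = {
    if (!OpenSsl.isAvailable)
      throw new IllegalStateException(
        "netty-tcnative could not load a native TLS library; is OpenSSL installed on the host?",
        OpenSsl.unavailabilityCause()
      )
    val version = OpenSsl.versionString()
    // Assumption: the statically linked BoringSSL artifact identifies itself
    // as "BoringSSL" here. That build has no secp256k1 support.
    if (version.contains("BoringSSL"))
      throw new IllegalStateException(
        s"TLS provider is '$version'; secp256k1 certificates need the host's OpenSSL instead"
      )
    version
  }

  /** Server-side TLS context pinned to the OpenSSL provider.
    * certChain and privateKey are PEM files (the key in PKCS#8 form). */
  def serverContext(certChain: File, privateKey: File): SslContext = {
    requireOpenSsl()
    GrpcSslContexts
      // Adds the HTTP/2 ALPN settings gRPC needs and selects the provider explicitly,
      // so the node never silently falls back to the JDK TLS implementation.
      .configure(SslContextBuilder.forServer(certChain, privateKey), SslProvider.OPENSSL)
      // The interceptor reads the peer certificate, so the client must present one.
      // How node certificates are trusted is deployment-specific and not shown here.
      .clientAuth(ClientAuth.REQUIRE)
      .build()
  }
}
```

Calling requireOpenSsl() once at node startup in every deployment profile (DEB, RPM, Docker and JAR) turns a missing host OpenSSL into an immediate, readable error instead of a TLS handshake failure later.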