Replace Shake with SHA

This change-set introduces the following:
1. add support to SHA256 in channel config
2. set default hash algorithm to SHA256 in defaultHashingAlgorithm
3. ComputeCryptoHash computes SHA256
4. Gossip crypto uses BCCSP to compute SHA256
5. Removing unsed security section from yaml files

This change-set comes in the context of
https://jira.hyperledger.org/browse/FAB-2354

Change-Id: I874e823ad8bc93897fd6dfd77723a77597eaff7b
Signed-off-by: Angelo De Caro <[email protected]>

Author: adecaro

common/configvalues/channel/config.go

@@ -59,8 +59,11 @@ const (
 
 // Hashing algorithm types
 const (
-	// SHAKE256 is the algorithm type for the sha3 shake256 hashing algorithm with 512 bits of output
-	SHA3Shake256 = "SHAKE256"
+	// SHA3256 is SHA3 with fixed size 256-bit hash
+	SHA3256 = "SHA3256"
+
+	// SHA256 is SHA2 with fixed size 256-bit hash
+	SHA256 = "SHA256"
 )
 
 var logger = logging.MustGetLogger("configvalues/channel")
@@ -164,8 +167,10 @@ func (c *Config) ProposeValue(key string, configValue *cb.ConfigValue) error {
 			return fmt.Errorf("Unmarshaling error for HashingAlgorithm: %s", err)
 		}
 		switch hashingAlgorithm.Name {
-		case SHA3Shake256:
-			c.pending.hashingAlgorithm = util.ComputeCryptoHash
+		case SHA256:
+			c.pending.hashingAlgorithm = util.ComputeSHA256
+		case SHA3256:
+			c.pending.hashingAlgorithm = util.ComputeSHA3256
 		default:
 			return fmt.Errorf("Unknown hashing algorithm type: %s", hashingAlgorithm.Name)
 		}

common/configvalues/channel/config_util.go

@@ -23,7 +23,7 @@ import (
 	"github.com/hyperledger/fabric/protos/utils"
 )
 
-const defaultHashingAlgorithm = SHA3Shake256
+const defaultHashingAlgorithm = SHA256
 
 func configGroup(key string, value []byte) *cb.ConfigGroup {
 	result := cb.NewConfigGroup()

common/util/utils.go

@@ -18,16 +18,16 @@ package util
 
 import (
 	"crypto/rand"
-	"crypto/sha256"
 	"fmt"
 	"io"
 	"math/big"
 	"strings"
 	"time"
 
 	"github.com/golang/protobuf/ptypes/timestamp"
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/factory"
 	"github.com/hyperledger/fabric/common/metadata"
-	"golang.org/x/crypto/sha3"
 )
 
 type alg struct {
@@ -40,10 +40,21 @@ var availableIDgenAlgs = map[string]alg{
 	defaultAlg: {GenerateIDfromTxSHAHash},
 }
 
-// ComputeCryptoHash should be used in openchain code so that we can change the actual algo used for crypto-hash at one place
-func ComputeCryptoHash(data []byte) (hash []byte) {
-	hash = make([]byte, 64)
-	sha3.ShakeSum256(hash, data)
+// ComputeSHA256 returns SHA2-256 on data
+func ComputeSHA256(data []byte) (hash []byte) {
+	hash, err := factory.GetDefaultOrPanic().Hash(data, &bccsp.SHA256Opts{})
+	if err != nil {
+		panic(fmt.Errorf("Failed computing SHA256 on [% x]", data))
+	}
+	return
+}
+
+// ComputeSHA3256 returns SHA3-256 on data
+func ComputeSHA3256(data []byte) (hash []byte) {
+	hash, err := factory.GetDefaultOrPanic().Hash(data, &bccsp.SHA3_256Opts{})
+	if err != nil {
+		panic(fmt.Errorf("Failed computing SHA3_256 on [% x]", data))
+	}
 	return
 }
 
@@ -87,12 +98,12 @@ func CreateUtcTimestamp() *timestamp.Timestamp {
 
 //GenerateHashFromSignature returns a hash of the combined parameters
 func GenerateHashFromSignature(path string, args []byte) []byte {
-	return ComputeCryptoHash(args)
+	return ComputeSHA256(args)
 }
 
 // GenerateIDfromTxSHAHash generates SHA256 hash using Tx payload
 func GenerateIDfromTxSHAHash(payload []byte) string {
-	return fmt.Sprintf("%x", sha256.Sum256(payload))
+	return fmt.Sprintf("%x", ComputeSHA256(payload))
 }
 
 // GenerateIDWithAlg generates an ID using a custom algorithm

common/util/utils_test.go

@@ -26,10 +26,10 @@ import (
 )
 
 func TestComputeCryptoHash(t *testing.T) {
-	if bytes.Compare(ComputeCryptoHash([]byte("foobar")), ComputeCryptoHash([]byte("foobar"))) != 0 {
+	if bytes.Compare(ComputeSHA256([]byte("foobar")), ComputeSHA256([]byte("foobar"))) != 0 {
 		t.Fatalf("Expected hashes to match, but they did not match")
 	}
-	if bytes.Compare(ComputeCryptoHash([]byte("foobar1")), ComputeCryptoHash([]byte("foobar2"))) == 0 {
+	if bytes.Compare(ComputeSHA256([]byte("foobar1")), ComputeSHA256([]byte("foobar2"))) == 0 {
 		t.Fatalf("Expected hashes to be different, but they match")
 	}
 }

core/chaincode/chaincodetest.yaml

@@ -446,45 +446,6 @@ ledger:
         # 'tire' has no additional configurations exposed as yet
 
 
-###############################################################################
-#
-#    Security section - Applied to all entities (client, NVP, VP)
-#
-###############################################################################
-security:
-    # Enable security will force every entity on the network to enroll with obc-ca
-    # and maintain a valid set of certificates in order to communicate with
-    # other peers
-    enabled: false
-    # To enroll NVP or VP with membersrvc. These parameters are for 1 time use.
-    # They will not be valid on subsequent times without un-enroll first.
-    # The values come from off-line registration with obc-ca. For testing, make
-    # sure the values are in membersrvc/membersrvc.yaml file eca.users
-    enrollID: vp
-    enrollSecret: f3489fy98ghf
-    # To enable privacy of transactions (requires security to be enabled). This
-    # encrypts the transaction content during transit and at rest. The state
-    # data is also encrypted
-    privacy: false
-
-    # Can be 256 or 384. If you change here, you have to change also
-    # the same property in membersrvc.yaml to the same value
-    level: 256
-
-    # Can be SHA2 or SHA3. If you change here, you have to change also
-    # the same property in membersrvc.yaml to the same value
-    hashAlgorithm: SHA3
-
-    # TCerts related configuration
-    tcert:
-      batch:
-        # The size of the batch of TCerts
-        size:  200
-      attributes:
-        company: IBM
-        position: "Software Engineer"
-
-
 ################################################################################
 #
 #   SECTION: STATETRANSFER

core/chaincode/platforms/util/utils.go

@@ -26,7 +26,7 @@ func ComputeHash(contents []byte, hash []byte) []byte {
 	copy(newSlice[len(contents):], hash[:])
 
 	//compute new hash
-	hash = util.ComputeCryptoHash(newSlice)
+	hash = util.ComputeSHA256(newSlice)
 
 	return hash
 }

core/chaincode/platforms/util/utils_test.go

@@ -13,7 +13,7 @@ import (
 // TestHashContentChange changes a random byte in a content and checks for hash change
 func TestHashContentChange(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	b2 := []byte("To be, or not to be- that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune Or to take arms against a sea of troubles, And by opposing end them. To die- to sleep- No more; and by a sleep to say we end The heartache, and the thousand natural shocks That flesh is heir to. 'Tis a consummation Devoutly to be wish'd.")
 
@@ -48,7 +48,7 @@ func TestHashContentChange(t *testing.T) {
 // TestHashLenChange changes a random length of a content and checks for hash change
 func TestHashLenChange(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	b2 := []byte("To be, or not to be-")
 
@@ -70,7 +70,7 @@ func TestHashLenChange(t *testing.T) {
 // TestHashOrderChange changes a order of hash computation over a list of lines and checks for hash change
 func TestHashOrderChange(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	b2 := [][]byte{[]byte("To be, or not to be- that is the question:"),
 		[]byte("Whether 'tis nobler in the mind to suffer"),
@@ -119,7 +119,7 @@ func TestHashOrderChange(t *testing.T) {
 // TestHashOverFiles computes hash over a directory and ensures it matches precomputed, hardcoded, hash
 func TestHashOverFiles(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	hash, err := HashFilesInDir(".", "hashtestfiles1", hash, nil)
 
@@ -129,7 +129,7 @@ func TestHashOverFiles(t *testing.T) {
 	}
 
 	//as long as no files under "hashtestfiles1" are changed, hash should always compute to the following
-	expectedHash := "a4fe18bebf3d7e1c030c042903bdda9019b33829d03d9b95ab1edc8957be70dee6d786ab27b207210d29b5d9f88456ff753b8da5c244458cdcca6eb3c28a17ce"
+	expectedHash := "0c92180028200dfabd08d606419737f5cdecfcbab403e3f0d79e8d949f4775bc"
 
 	computedHash := hex.EncodeToString(hash[:])
 
@@ -140,7 +140,7 @@ func TestHashOverFiles(t *testing.T) {
 
 func TestHashDiffDir(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	hash1, err := HashFilesInDir(".", "hashtestfiles1", hash, nil)
 	if err != nil {
@@ -157,7 +157,7 @@ func TestHashDiffDir(t *testing.T) {
 }
 func TestHashSameDir(t *testing.T) {
 	b := []byte("firstcontent")
-	hash := util.ComputeCryptoHash(b)
+	hash := util.ComputeSHA256(b)
 
 	hash1, err := HashFilesInDir(".", "hashtestfiles1", hash, nil)
 	if err != nil {

core/container/ccintf/ccintf.go

@@ -67,7 +67,7 @@ func (ccid *CCID) GetName() string {
 
 	//this better be chainless system chaincode!
 	if ccid.ChainID != "" {
-		hash := util.ComputeCryptoHash([]byte(ccid.ChainID))
+		hash := util.ComputeSHA256([]byte(ccid.ChainID))
 		hexstr := hex.EncodeToString(hash[:])
 		name = name + "-" + hexstr
 	}

core/endorser/endorser_test.yaml

@@ -467,46 +467,6 @@ ledger:
         # configurations for 'trie'
         # 'tire' has no additional configurations exposed as yet
 
-
-###############################################################################
-#
-#    Security section - Applied to all entities (client, NVP, VP)
-#
-###############################################################################
-security:
-    # Enable security will force every entity on the network to enroll with obc-ca
-    # and maintain a valid set of certificates in order to communicate with
-    # other peers
-    enabled: false
-    # To enroll NVP or VP with membersrvc. These parameters are for 1 time use.
-    # They will not be valid on subsequent times without un-enroll first.
-    # The values come from off-line registration with obc-ca. For testing, make
-    # sure the values are in membersrvc/membersrvc.yaml file eca.users
-    enrollID: vp
-    enrollSecret: f3489fy98ghf
-    # To enable privacy of transactions (requires security to be enabled). This
-    # encrypts the transaction content during transit and at rest. The state
-    # data is also encrypted
-    privacy: false
-
-    # Can be 256 or 384. If you change here, you have to change also
-    # the same property in membersrvc.yaml to the same value
-    level: 256
-
-    # Can be SHA2 or SHA3. If you change here, you have to change also
-    # the same property in membersrvc.yaml to the same value
-    hashAlgorithm: SHA3
-
-    # TCerts related configuration
-    tcert:
-      batch:
-        # The size of the batch of TCerts
-        size:  200
-      attributes:
-        company: IBM
-        position: "Software Engineer"
-
-
 ################################################################################
 #
 #   SECTION: STATETRANSFER

gossip/comm/crypto.go

@@ -20,7 +20,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@@ -29,6 +28,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/hyperledger/fabric/common/util"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
@@ -75,9 +75,7 @@ func certHashFromRawCert(rawCert []byte) []byte {
 	if len(rawCert) == 0 {
 		return nil
 	}
-	hash := sha256.New()
-	hash.Write(rawCert)
-	return hash.Sum(nil)
+	return util.ComputeSHA256(rawCert)
 }
 
 // ExtractCertificateHash extracts the hash of the certificate from the stream

protos/common/block.go

@@ -71,7 +71,7 @@ func (b *BlockHeader) Bytes() []byte {
 // Hash returns the hash of the block header.
 // XXX This method will be removed shortly to allow for confgurable hashing algorithms
 func (b *BlockHeader) Hash() []byte {
-	return util.ComputeCryptoHash(b.Bytes())
+	return util.ComputeSHA256(b.Bytes())
 }
 
 // Bytes returns a deterministically serialized version of the BlockData
@@ -84,5 +84,5 @@ func (b *BlockData) Bytes() []byte {
 
 // Hash returns the hash of the marshaled representation of the block data.
 func (b *BlockData) Hash() []byte {
-	return util.ComputeCryptoHash(b.Bytes())
+	return util.ComputeSHA256(b.Bytes())
 }