Skip to content

Commit

Permalink
Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)
Browse files Browse the repository at this point in the history
Signed-off-by: Ana Maria Franco <afrancoc2000@gmail.com>
(cherry picked from commit 0e6c8d4)

Co-authored-by: Ana Maria Franco <afrancoc2000@hotmail.com>
  • Loading branch information
mergify[bot] and afrancoc2000 authored Feb 23, 2022
1 parent c89ba60 commit 47dd17a
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 0 deletions.
1 change: 1 addition & 0 deletions msp/mspimplsetup.go
Original file line number Diff line number Diff line change
Expand Up @@ -493,6 +493,7 @@ func (msp *bccspmsp) setupTLSCAs(conf *m.FabricMSPConfig) error {
return errors.WithMessagef(err, "CA Certificate problem with Subject Key Identifier extension, (SN: %x)", cert.SerialNumber)
}

opts.CurrentTime = cert.NotBefore.Add(time.Second)
if err := msp.validateTLSCAIdentity(cert, opts); err != nil {
return errors.WithMessagef(err, "CA Certificate is not valid, (SN: %s)", cert.SerialNumber)
}
Expand Down
26 changes: 26 additions & 0 deletions msp/mspimplsetup_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,21 @@ f0wttSk8l5LfPAvLfL3/NwTT2YcyICA0glWF4D8FDUPKRTiOerR9KByrn4ktIjzd
vpx58pjg15TqKgrZF2h+TJ5jFa48O1wBvtMhP8WL6/6O+NjOEP56UnXPGie/3HLC
yvhEkMILRkzGUfd091cpuNxd+aGA37mZbwc+8UBpYbZFhq3NORL8zSxUQLzm1NcV
U98sznvJPRCkRiwYp5L9C5Xq72CHG/3M6cmoN0Cl0xjZicfpfnZSA/ix
-----END CERTIFICATE-----`

caExpired = `-----BEGIN CERTIFICATE-----
MIICODCCAd+gAwIBAgIUCpmti37GM0i87c7H9JXnAnXlkeQwCgYIKoZIzj0EAwIw
WDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
biBGcmFuY2lzY28xDTALBgNVBAoMBE9yZzIxDTALBgNVBAMMBE9yZzIwHhcNMjIw
MjE1MjA1NzQ5WhcNMjIwMjE2MjA1NzQ5WjBYMQswCQYDVQQGEwJVUzETMBEGA1UE
CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
T3JnMjENMAsGA1UEAwwET3JnMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD9x
9DArA8shjxhqajd9OjTThUoJAHMCKXEORYaN8p/sofXJYYBJvg9y2zEOuevB7++p
PxhMmNISxt0U5IGlOlSjgYYwgYMwHQYDVR0OBBYEFLqzZtVcEWu2pw4IkpClBg9f
S4EEMB8GA1UdIwQYMBaAFLqzZtVcEWu2pw4IkpClBg9fS4EEMA8GA1UdEwEB/wQF
MAMBAf8wCwYDVR0PBAQDAgGmMA8GA1UdEQQIMAaCBE9yZzIwEgYDVR0TAQH/BAgw
BgEB/wIBADAKBggqhkjOPQQDAgNHADBEAiAccYeHn6h6Q1AA2fZc88sYgReSDSGY
MsALS92an024EQIgcFMjj0D0j2NhcjULCu0L7aGKac1q8XuCcvzfUdfbsdM=
-----END CERTIFICATE-----`
)

Expand All @@ -81,6 +96,17 @@ func TestTLSCAValidation(t *testing.T) {
gt.Expect(err).NotTo(gomega.HaveOccurred())
})

t.Run("ExpiredCert", func(t *testing.T) {
mspImpl := &bccspmsp{
opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
}

err := mspImpl.setupTLSCAs(&msp.FabricMSPConfig{
TlsRootCerts: [][]byte{[]byte(caExpired)},
})
gt.Expect(err).NotTo(gomega.HaveOccurred())
})

t.Run("NonCACert", func(t *testing.T) {
mspImpl := &bccspmsp{
opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
Expand Down

0 comments on commit 47dd17a

Please sign in to comment.