From 47dd17a735118c306c59310fc21f3648e3676e3b Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Wed, 23 Feb 2022 12:01:19 +0000
Subject: [PATCH] Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)
Signed-off-by: Ana Maria Franco
(cherry picked from commit 0e6c8d40ca6acb6aa1cb9b225c5a30833e59cded)
Co-authored-by: Ana Maria Franco
---
msp/mspimplsetup.go | 1 +
msp/mspimplsetup_test.go | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/msp/mspimplsetup.go b/msp/mspimplsetup.go
index 9d23ff179a0..87a8e28a897 100644
--- a/msp/mspimplsetup.go
+++ b/msp/mspimplsetup.go
@@ -493,6 +493,7 @@ func (msp *bccspmsp) setupTLSCAs(conf *m.FabricMSPConfig) error {
 return errors.WithMessagef(err, "CA Certificate problem with Subject Key Identifier extension, (SN: %x)", cert.SerialNumber)
 }
+ opts.CurrentTime = cert.NotBefore.Add(time.Second)
 if err := msp.validateTLSCAIdentity(cert, opts); err != nil {
 return errors.WithMessagef(err, "CA Certificate is not valid, (SN: %s)", cert.SerialNumber)
 }
diff --git a/msp/mspimplsetup_test.go b/msp/mspimplsetup_test.go
index 4553fef83be..4b2ca4014de 100644
--- a/msp/mspimplsetup_test.go
+++ b/msp/mspimplsetup_test.go 
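Review bot: The added `opts.CurrentTime = cert.NotBefore.Add(time.Second)` changes what validateTLSCAIdentity can report without saying so: with the clock pinned just inside the certificate's own window, neither expiry nor a not-yet-valid NotBefore can fail any more, so only chain/signature/basic-constraint problems remain fatal, and that intent should be stated next to the line, e.g. `// Verify at NotBefore+1s: an expired (or not-yet-valid) TLS CA is tolerated at setup; only chain and signature errors are fatal.` A certificate whose validity window is shorter than one second would now be rejected for a different reason than before, which is worth a test or at least a mention in that comment. Whether the override stays confined to this loop iteration depends on how opts is declared above the hunk — a value-typed x509.VerifyOptions is fine, but a pointer shared with msp.opts would carry the pinned time into every later verification — and that declaration, like the rest of setupTLSCAs, is outside the hunk. The hunk also relies on the time package already being imported in this file, which the one-line diffstat suggests it is; the subject names the non-TLS CA path too, but only setupTLSCAs is touched here, presumably because that path was handled earlier.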
@@ -64,6 +64,21 @@ f0wttSk8l5LfPAvLfL3/NwTT2YcyICA0glWF4D8FDUPKRTiOerR9KByrn4ktIjzd
 vpx58pjg15TqKgrZF2h+TJ5jFa48O1wBvtMhP8WL6/6O+NjOEP56UnXPGie/3HLC
 yvhEkMILRkzGUfd091cpuNxd+aGA37mZbwc+8UBpYbZFhq3NORL8zSxUQLzm1NcV
 U98sznvJPRCkRiwYp5L9C5Xq72CHG/3M6cmoN0Cl0xjZicfpfnZSA/ix
+-----END CERTIFICATE-----`
+
+ caExpired = `-----BEGIN CERTIFICATE-----
+MIICODCCAd+gAwIBAgIUCpmti37GM0i87c7H9JXnAnXlkeQwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoMBE9yZzIxDTALBgNVBAMMBE9yZzIwHhcNMjIw
+MjE1MjA1NzQ5WhcNMjIwMjE2MjA1NzQ5WjBYMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
+T3JnMjENMAsGA1UEAwwET3JnMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD9x
+9DArA8shjxhqajd9OjTThUoJAHMCKXEORYaN8p/sofXJYYBJvg9y2zEOuevB7++p
+PxhMmNISxt0U5IGlOlSjgYYwgYMwHQYDVR0OBBYEFLqzZtVcEWu2pw4IkpClBg9f
+S4EEMB8GA1UdIwQYMBaAFLqzZtVcEWu2pw4IkpClBg9fS4EEMA8GA1UdEwEB/wQF
+MAMBAf8wCwYDVR0PBAQDAgGmMA8GA1UdEQQIMAaCBE9yZzIwEgYDVR0TAQH/BAgw
+BgEB/wIBADAKBggqhkjOPQQDAgNHADBEAiAccYeHn6h6Q1AA2fZc88sYgReSDSGY
+MsALS92an024EQIgcFMjj0D0j2NhcjULCu0L7aGKac1q8XuCcvzfUdfbsdM=
 -----END CERTIFICATE-----`
 )
@@ -81,6 +96,17 @@ func TestTLSCAValidation(t *testing.T) {
 gt.Expect(err).NotTo(gomega.HaveOccurred())
 })
+ t.Run("ExpiredCert", func(t *testing.T) {
+ mspImpl := &bccspmsp{
+ opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
+ }
+
+ err := mspImpl.setupTLSCAs(&msp.FabricMSPConfig{
+ TlsRootCerts: [][]byte{[]byte(caExpired)},
+ })
+ gt.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+
 t.Run("NonCACert", func(t *testing.T) {
 mspImpl := &bccspmsp{
 opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
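Review bot: The caExpired fixture carries two basicConstraints extensions — decoding its DER shows a critical 2.5.29.19 CA:TRUE, then after the subjectAltName a second 2.5.29.19 with pathLen 0 — and newer Go releases reject certificates with duplicate extensions at parse time, so the ExpiredCert subtest that consumes this constant may later fail for a reason unrelated to expiry; regenerating the fixture with a single basicConstraints extension would avoid that. The constant also says nothing about what makes it special, and its expiry is the whole point of the subtest, so a comment such as `// caExpired: self-signed Org2 CA whose validity window (2022-02-15 to 2022-02-16 per its UTCTime fields) has already passed; used to check that setup tolerates expiry.` above the declaration would help the next reader. The surrounding const block starts before this hunk.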
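Review bot: The ExpiredCert subtest only asserts that setupTLSCAs returns no error; it never checks that caExpired is actually expired at the time the test runs, so the subtest would keep passing if the fixture were ever regenerated with a live validity window, and the regression it guards against would go unnoticed. Parsing the PEM once and asserting NotAfter is in the past pins that precondition; if the msp type exposes the loaded TLS roots, asserting that exactly one was recorded would also confirm the certificate was not silently dropped. The added lines need encoding/pem and time in the test file's imports if they are not already there (the import block is outside the hunk); NonCACert already covers the negative case, so only the precondition is missing.
```go
	t.Run("ExpiredCert", func(t *testing.T) {
		// Guard the fixture's precondition so the subtest cannot pass vacuously.
		block, _ := pem.Decode([]byte(caExpired))
		gt.Expect(block).NotTo(gomega.BeNil())
		parsed, err := x509.ParseCertificate(block.Bytes)
		gt.Expect(err).NotTo(gomega.HaveOccurred())
		gt.Expect(parsed.NotAfter.Before(time.Now())).To(gomega.BeTrue())
		// … unchanged: mspImpl construction, setupTLSCAs call and its error assertion …
	})
```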