review comments

Signed-off-by: Matthew B White <whitemat@uk.ibm.com>
hyperledger · Jul 22, 2021 · 9b0e156 · 9b0e156
1 parent 5c502ff
commit 9b0e156
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 5 deletions.
diff --git a/docs/source/servercli.rst b/docs/source/servercli.rst
@@ -22,7 +22,7 @@ Fabric-CA Server's CLI
           --ca.chainfile string                       PEM-encoded CA chain file (default "ca-chain.pem")
           --ca.keyfile string                         PEM-encoded CA key file
       -n, --ca.name string                            Certificate Authority name
-          --ca.reenrollignorecertexpiry               Ignore Certificate Expirty for re-enroll
+          --ca.reenrollignorecertexpiry               Ignore Certificate Expiry for re-enroll
           --cacount int                               Number of non-default CA instances
           --cafiles strings                           A list of comma-separated CA configuration files
           --cfg.affiliations.allowremove              Enables removal of affiliations dynamically

diff --git a/lib/ca.go b/lib/ca.go
@@ -471,6 +471,10 @@ func (ca *CA) initConfig() (err error) {
 
 // VerifyCertificate verifies that 'cert' was issued by this CA
 // Return nil if successful; otherwise, return an error.
+// 'forceTime' if false, certificate expiry times will be checked based
+// on the current time.
+// if true, it will force the time to be used to check for expiry to be 30 seconds
+// after the certificate start time.  (this is to support reenrollIgnoreCertExpiry)
 func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
 
 	log.Debugf("Certicate Dates: NotAfter = %s NotBefore = %s \n", cert.NotAfter.String(), cert.NotBefore.String())
@@ -480,8 +484,8 @@ func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
 		return errors.WithMessage(err, "Failed to get verify options")
 	}
 
-	// force time to be 30seconds after start to ensure expiry doesn't get flaged
-	// this is one of the checks that made on the certificate
+	// force check time to be 30 seconds after certificate start time to ensure expiry doesn't get flagged
+	// this is one of the checks that is made on the certificate in Verify()
 	if forceTime {
 		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
 	}

diff --git a/lib/caconfig.go b/lib/caconfig.go
@@ -120,7 +120,7 @@ type CAInfo struct {
 	Keyfile                  string `help:"PEM-encoded CA key file"`
 	Certfile                 string `def:"ca-cert.pem" help:"PEM-encoded CA certificate file"`
 	Chainfile                string `def:"ca-chain.pem" help:"PEM-encoded CA chain file"`
-	ReenrollIgnoreCertExpiry bool   `def:"false" help:"Ignore Certificate Expirty for re-enroll"`
+	ReenrollIgnoreCertExpiry bool   `def:"false" help:"Ignore Certificate Expiry for re-enroll"`
 }
 
 // CAConfigDB is the database part of the server's config

diff --git a/lib/serverrequestcontext.go b/lib/serverrequestcontext.go
@@ -189,8 +189,11 @@ func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr, method, ur
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrInvalidToken, "Invalid token in authorization header: %s", err2)
 	}
 
-	// Make sure the caller's cert was issued by this CA
+	// determine if this being called for a reenroll and the ignore cert expiry property isset
+	// passed to the verify certificate to force it's checking of expiry time to be effectively ignored
 	reenrollIgnoreCertExpiry := ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.ReenrollIgnoreCertExpiry
+
+	// Make sure the caller's cert was issued by this CA
 	err2 = ca.VerifyCertificate(cert, reenrollIgnoreCertExpiry)
 	if err2 != nil {
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrUntrustedCertificate, "Untrusted certificate: %s", err2)