Support ignoring certificate expiry for re-enrolls

- add a new option to the config yaml file - there several cerficate checks, and these all do a cert expiry check - Make the expiry aspect of these null and void in the case of the flag in the config being set, and the action being a re-enroll Signed-off-by: Matthew B White <whitemat@uk.ibm.com>
hyperledger · Jul 22, 2021 · ac256a9 · ac256a9
1 parent 3852738
commit ac256a9
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 13 deletions.
diff --git a/docs/source/servercli.rst b/docs/source/servercli.rst
@@ -20,6 +20,7 @@ Fabric-CA Server's CLI
       -b, --boot string                               The user:pass for bootstrap admin which is required to build default config file
           --ca.certfile string                        PEM-encoded CA certificate file (default "ca-cert.pem")
           --ca.chainfile string                       PEM-encoded CA chain file (default "ca-chain.pem")
+          --ca.ignorecertexpiry                       Ignore Certificate Expirty for re-enroll
           --ca.keyfile string                         PEM-encoded CA key file
       -n, --ca.name string                            Certificate Authority name
           --cacount int                               Number of non-default CA instances

diff --git a/lib/ca.go b/lib/ca.go
@@ -471,11 +471,21 @@ func (ca *CA) initConfig() (err error) {
 
 // VerifyCertificate verifies that 'cert' was issued by this CA
 // Return nil if successful; otherwise, return an error.
-func (ca *CA) VerifyCertificate(cert *x509.Certificate) error {
+func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
+
+	log.Debugf("Certicate Dates: NotAfter = %s\n Cert NotBefore = %s \n", cert.NotAfter.String(), cert.NotBefore.String())
+
 	opts, err := ca.getVerifyOptions()
 	if err != nil {
 		return errors.WithMessage(err, "Failed to get verify options")
 	}
+
+	// force time to be 30seconds after start to ensure expiry doesn't get flaged
+	// this is one of the checks that made on the certificate
+	if forceTime {
+		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
+	}
+
 	_, err = cert.Verify(*opts)
 	if err != nil {
 		return errors.WithMessage(err, "Failed to verify certificate")

diff --git a/lib/ca_test.go b/lib/ca_test.go
@@ -591,14 +591,14 @@ func TestCAVerifyCertificate(t *testing.T) {
 	ca.Config.CA.Keyfile = caKey
 	ca.Config.CA.Certfile = caCert
 	ca.Config.CA.Chainfile = "../testdata/empty.json"
-	err = ca.VerifyCertificate(cert)
+	err = ca.VerifyCertificate(cert, false)
 	t.Log("ca.VerifyCertificate error: ", err)
 	if err == nil {
 		t.Error("VerifyCertificate should have failed")
 	}
 
 	ca.Config.CA.Chainfile = "../testdata/crl.pem"
-	err = ca.VerifyCertificate(cert)
+	err = ca.VerifyCertificate(cert, false)
 	t.Log("ca.VerifyCertificate error: ", err)
 	if err == nil {
 		t.Error("VerifyCertificate should have failed")
@@ -612,7 +612,7 @@ func TestCAVerifyCertificate(t *testing.T) {
 	err = ioutil.WriteFile(filepath.Join(os.TempDir(), "ca-chainfile.pem"), caCert2, 0644)
 	assert.NoError(t, err, "failed to write ca-chainfile.pem")
 	ca.Config.CA.Chainfile = filepath.Join(os.TempDir(), "ca-chainfile.pem")
-	err = ca.VerifyCertificate(cert)
+	err = ca.VerifyCertificate(cert, false)
 	t.Log("ca.VerifyCertificate error: ", err)
 	if err == nil {
 		t.Error("VerifyCertificate should have failed")
@@ -625,13 +625,13 @@ func TestCAVerifyCertificate(t *testing.T) {
 	ca.Config.CA.Chainfile = "doesNotExist"
 	ca.Config.CA.Certfile = "doesNotExist"
 	ca.Config.Intermediate.ParentServer.URL = "http://127.0.0.1:" + caPort
-	err = ca.VerifyCertificate(cert)
+	err = ca.VerifyCertificate(cert, false)
 	t.Log("ca.VerifyCertificate error: ", err)
 	if err == nil {
 		t.Error("VerifyCertificate should have failed")
 	}
 	ca.Config.CA.Chainfile = noUsageCert
-	err = ca.VerifyCertificate(cert)
+	err = ca.VerifyCertificate(cert, false)
 	t.Log("ca.VerifyCertificate error: ", err)
 	if err == nil {
 		t.Error("VerifyCertificate should have failed")

diff --git a/lib/caconfig.go b/lib/caconfig.go
@@ -49,6 +49,8 @@ ca:
   certfile: ca-cert.pem
   # The CA key file
   keyfile: ca-key.pem
+  # Ignore Certificate Expiration in the case of re-enroll
+  ignoreCertExpiry: false
 
 #############################################################################
 #  Database section
@@ -116,10 +118,11 @@ type affiliationsOptions struct {
 
 // CAInfo is the CA information on a fabric-ca-server
 type CAInfo struct {
-	Name      string `opt:"n" help:"Certificate Authority name"`
-	Keyfile   string `help:"PEM-encoded CA key file"`
-	Certfile  string `def:"ca-cert.pem" help:"PEM-encoded CA certificate file"`
-	Chainfile string `def:"ca-chain.pem" help:"PEM-encoded CA chain file"`
+	Name             string `opt:"n" help:"Certificate Authority name"`
+	Keyfile          string `help:"PEM-encoded CA key file"`
+	Certfile         string `def:"ca-cert.pem" help:"PEM-encoded CA certificate file"`
+	Chainfile        string `def:"ca-chain.pem" help:"PEM-encoded CA chain file"`
+	IgnoreCertExpiry bool   `def:"false" help:"Ignore Certificate Expirty for re-enroll"`
 }
 
 // CAConfigDB is the database part of the server's config

diff --git a/lib/serverrequestcontext.go b/lib/serverrequestcontext.go
@@ -188,11 +188,13 @@ func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr, method, ur
 	if err2 != nil {
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrInvalidToken, "Invalid token in authorization header: %s", err2)
 	}
+
 	// Make sure the caller's cert was issued by this CA
-	err2 = ca.VerifyCertificate(cert)
+	err2 = ca.VerifyCertificate(cert, (ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.IgnoreCertExpiry))
 	if err2 != nil {
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrUntrustedCertificate, "Untrusted certificate: %s", err2)
 	}
+
 	id := util.GetEnrollmentIDFromX509Certificate(cert)
 	log.Debugf("Checking for revocation/expiration of certificate owned by '%s'", id)
 
@@ -202,10 +204,17 @@ func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr, method, ur
 	if !checked {
 		return "", caerrors.NewHTTPErr(401, caerrors.ErrCertRevokeCheckFailure, "Failed while checking for revocation")
 	}
+
 	if expired {
-		return "", caerrors.NewAuthenticationErr(caerrors.ErrCertExpired,
-			"The certificate in the authorization header is a revoked or expired certificate")
+		log.Debugf("Expired Certificate")
+		if ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.IgnoreCertExpiry {
+			log.Infof("Ignoring expired certificate for re-endroll operation")
+		} else {
+			return "", caerrors.NewAuthenticationErr(caerrors.ErrCertExpired,
+				"The certificate in the authorization header is a revoked or expired certificate")
+		}
 	}
+
 	aki := hex.EncodeToString(cert.AuthorityKeyId)
 	serial := util.GetSerialAsHex(cert.SerialNumber)
 	aki = strings.ToLower(strings.TrimLeft(aki, "0"))
@@ -215,6 +224,7 @@ func (ctx *serverRequestContextImpl) verifyX509Token(ca *CA, authHdr, method, ur
 	if err != nil {
 		return "", err
 	}
+
 	if certificate.Status == "revoked" {
 		return "", caerrors.NewAuthenticationErr(caerrors.ErrCertRevoked, "The certificate in the authorization header is a revoked certificate")
 	}