[FABG-949] Add support for generating CRL with Revoke (#49)

* [FABG-949] Add support for generating CRL with Revoke Currently in the SDK there's no GenCRL field in the msp.RevocationRequest. The msp.RevocationResponse, which has RevokedCerts and CRL fields, comes with an empty []byte for the CRL, so it's impossible to revoke a cert and then add de CRL to the config block, as required. Signed-off-by: Samuel Venzi <samuel.venzi@me.com> * Add integration test for revoke Signed-off-by: Samuel Venzi <samuel.venzi@me.com> * Remove unnecessary variable revokeSuccess Signed-off-by: Samuel Venzi <samuel.venzi@me.com> Co-authored-by: alikic <aleksandar.likic@securekey.com>
hyperledger · Feb 28, 2020 · 4919c92 · 4919c92
1 parent ff3bdd7
commit 4919c92
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/pkg/client/msp/ca.go b/pkg/client/msp/ca.go
@@ -55,6 +55,8 @@ type RevocationRequest struct {
 	Reason string
 	// CAName is the name of the CA to connect to
 	CAName string
+	// GenCRL specifies whether to generate a CRL
+	GenCRL bool
 }
 
 // RevocationResponse represents response from the server for a revocation request

diff --git a/pkg/msp/api/api.go b/pkg/msp/api/api.go
@@ -119,6 +119,8 @@ type RevocationRequest struct {
 	Reason string
 	// CAName is the name of the CA to connect to
 	CAName string
+	// GenCRL specifies whether to generate a CRL
+	GenCRL bool
 }
 
 // RevocationResponse represents response from the server for a revocation request

diff --git a/pkg/msp/fabcaadapter.go b/pkg/msp/fabcaadapter.go
@@ -149,6 +149,7 @@ func (c *fabricCAAdapter) Revoke(key core.Key, cert []byte, request *api.Revocat
 		Serial: request.Serial,
 		AKI:    request.AKI,
 		Reason: request.Reason,
+		GenCRL: request.GenCRL,
 	}
 
 	registrar, err := c.newIdentity(key, cert)

diff --git a/test/integration/pkg/client/msp/enrollment_test.go b/test/integration/pkg/client/msp/enrollment_test.go
@@ -7,13 +7,16 @@ SPDX-License-Identifier: Apache-2.0
 package msp
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"testing"
 
 	"github.com/hyperledger/fabric-sdk-go/pkg/client/msp"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/context"
 	"github.com/hyperledger/fabric-sdk-go/pkg/fabsdk"
 	"github.com/hyperledger/fabric-sdk-go/test/integration"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 )
 
@@ -121,6 +124,42 @@ func testRegisterEnrollWithCAInstance(t *testing.T, ctxProvider context.ClientPr
 
 	checkCertAttributes(t, si.EnrollmentCertificate(), testAttributes)
 
+	revokeResponse, err := mspClient.Revoke(&msp.RevocationRequest{Name: username, GenCRL: true})
+	if err != nil {
+		t.Fatalf("Revoke return error %s", err)
+	}
+	if revokeResponse.CRL == nil {
+		t.Fatal("Couldn't retrieve CRL")
+	}
+	ok, err := isInCRL(si.EnrollmentCertificate(), revokeResponse.CRL)
+	if err != nil {
+		t.Fatalf("Couldn't check if certificate is in CRL %s", err)
+	}
+	if !ok {
+		t.Fatal("Certificate is not in CRL")
+	}
+
+}
+
+func isInCRL(certBytes, crlBytes []byte) (bool, error) {
+	decoded, _ := pem.Decode(certBytes)
+	if decoded == nil {
+		return false, errors.New("Failed cert decoding")
+	}
+	cert, err := x509.ParseCertificate(decoded.Bytes)
+	if err != nil {
+		return false, err
+	}
+	crl, err := x509.ParseCRL(crlBytes)
+	if err != nil {
+		return false, err
+	}
+	for _, revokedCert := range crl.TBSCertList.RevokedCertificates {
+		if cert.SerialNumber.Cmp(revokedCert.SerialNumber) == 0 {
+			return true, nil
+		}
+	}
+	return false, nil
 }
 
 func TestEnrollWithOptions(t *testing.T) {