
Commit 0afb706

committed
[FAB-7640] Block expired x509 certs in gossip idStore
Although gossip auto-purges identities from its identity store right after they expire, it makes more semantic sense for the identity store not to accept expired identities in the first place. This change set adds a check that makes the identity store reject an identity whose expiration time is non-zero and already in the past. Change-Id: Ia60e1b333c58d98a6c2909254874749b90c262c8 Signed-off-by: yacovm <yacovm@il.ibm.com>
1 parent 84c4a8a commit 0afb706


2 files changed

+8
-0
lines changed


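--- a/gossip/identity/identity.go
+++ b/gossip/identity/identity.go
@@ -128,6 +128,9 @@ func (is *identityMapperImpl) Put(pkiID common.PKIidType, identity api.PeerIdent
 
 	var expirationTimer *time.Timer
 	if !expirationDate.IsZero() {
+		if time.Now().After(expirationDate) {
+			return errors.New("identity expired")
+		}
 		// Identity would be wiped out a millisecond after its expiration date
 		timeToLive := expirationDate.Add(time.Millisecond).Sub(time.Now())
 		expirationTimer = time.AfterFunc(timeToLive, func() {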
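--- a/gossip/identity/identity_test.go
+++ b/gossip/identity/identity_test.go
@@ -238,17 +238,22 @@ func TestExpiration(t *testing.T) {
 		}
 	}
 	x509Identity := api.PeerIdentityType("x509Identity")
+	expiredX509Identity := api.PeerIdentityType("expiredX509Identity")
 	nonX509Identity := api.PeerIdentityType("nonX509Identity")
 	notSupportedIdentity := api.PeerIdentityType("notSupportedIdentity")
 	x509PkiID := idStore.GetPKIidOfCert(x509Identity)
+	expiredX509PkiID := idStore.GetPKIidOfCert(expiredX509Identity)
 	nonX509PkiID := idStore.GetPKIidOfCert(nonX509Identity)
 	notSupportedPkiID := idStore.GetPKIidOfCert(notSupportedIdentity)
 	msgCryptoService.On("Expiration", x509Identity).Return(time.Now().Add(time.Second), nil)
+	msgCryptoService.On("Expiration", expiredX509Identity).Return(time.Now().Add(-time.Second), nil)
 	msgCryptoService.On("Expiration", nonX509Identity).Return(time.Time{}, nil)
 	msgCryptoService.On("Expiration", notSupportedIdentity).Return(time.Time{}, errors.New("no MSP supports given identity"))
 	// Add all identities
 	err := idStore.Put(x509PkiID, x509Identity)
 	assert.NoError(t, err)
+	err = idStore.Put(expiredX509PkiID, expiredX509Identity)
+	assert.Equal(t, "identity expired", err.Error())
 	err = idStore.Put(nonX509PkiID, nonX509Identity)
 	assert.NoError(t, err)
 	err = idStore.Put(notSupportedPkiID, notSupportedIdentity)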