Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)

Signed-off-by: Ana Maria Franco <afrancoc2000@gmail.com> (cherry picked from commit 0e6c8d4) Co-authored-by: Ana Maria Franco <afrancoc2000@hotmail.com>
hyperledger · Feb 23, 2022 · 47dd17a · 47dd17a
1 parent c89ba60
commit 47dd17a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/msp/mspimplsetup.go b/msp/mspimplsetup.go
@@ -493,6 +493,7 @@ func (msp *bccspmsp) setupTLSCAs(conf *m.FabricMSPConfig) error {
 			return errors.WithMessagef(err, "CA Certificate problem with Subject Key Identifier extension, (SN: %x)", cert.SerialNumber)
 		}
 
+		opts.CurrentTime = cert.NotBefore.Add(time.Second)
 		if err := msp.validateTLSCAIdentity(cert, opts); err != nil {
 			return errors.WithMessagef(err, "CA Certificate is not valid, (SN: %s)", cert.SerialNumber)
 		}

diff --git a/msp/mspimplsetup_test.go b/msp/mspimplsetup_test.go
@@ -64,6 +64,21 @@ f0wttSk8l5LfPAvLfL3/NwTT2YcyICA0glWF4D8FDUPKRTiOerR9KByrn4ktIjzd
 vpx58pjg15TqKgrZF2h+TJ5jFa48O1wBvtMhP8WL6/6O+NjOEP56UnXPGie/3HLC
 yvhEkMILRkzGUfd091cpuNxd+aGA37mZbwc+8UBpYbZFhq3NORL8zSxUQLzm1NcV
 U98sznvJPRCkRiwYp5L9C5Xq72CHG/3M6cmoN0Cl0xjZicfpfnZSA/ix
+-----END CERTIFICATE-----`
+
+	caExpired = `-----BEGIN CERTIFICATE-----
+MIICODCCAd+gAwIBAgIUCpmti37GM0i87c7H9JXnAnXlkeQwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoMBE9yZzIxDTALBgNVBAMMBE9yZzIwHhcNMjIw
+MjE1MjA1NzQ5WhcNMjIwMjE2MjA1NzQ5WjBYMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
+T3JnMjENMAsGA1UEAwwET3JnMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD9x
+9DArA8shjxhqajd9OjTThUoJAHMCKXEORYaN8p/sofXJYYBJvg9y2zEOuevB7++p
+PxhMmNISxt0U5IGlOlSjgYYwgYMwHQYDVR0OBBYEFLqzZtVcEWu2pw4IkpClBg9f
+S4EEMB8GA1UdIwQYMBaAFLqzZtVcEWu2pw4IkpClBg9fS4EEMA8GA1UdEwEB/wQF
+MAMBAf8wCwYDVR0PBAQDAgGmMA8GA1UdEQQIMAaCBE9yZzIwEgYDVR0TAQH/BAgw
+BgEB/wIBADAKBggqhkjOPQQDAgNHADBEAiAccYeHn6h6Q1AA2fZc88sYgReSDSGY
+MsALS92an024EQIgcFMjj0D0j2NhcjULCu0L7aGKac1q8XuCcvzfUdfbsdM=
 -----END CERTIFICATE-----`
 )
 
@@ -81,6 +96,17 @@ func TestTLSCAValidation(t *testing.T) {
 		gt.Expect(err).NotTo(gomega.HaveOccurred())
 	})
 
+	t.Run("ExpiredCert", func(t *testing.T) {
+		mspImpl := &bccspmsp{
+			opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
+		}
+
+		err := mspImpl.setupTLSCAs(&msp.FabricMSPConfig{
+			TlsRootCerts: [][]byte{[]byte(caExpired)},
+		})
+		gt.Expect(err).NotTo(gomega.HaveOccurred())
+	})
+
 	t.Run("NonCACert", func(t *testing.T) {
 		mspImpl := &bccspmsp{
 			opts: &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},