Commit 69d1c929 authored by Jay Guo's avatar Jay Guo
Browse files

FAB-14648 validate consenter cert in config update



The CR adds consenter cert validation to incoming config update
to avoid applying bad certificate.

FAB-14648 #done

Change-Id: I6ff457846fb0c4efa216f109dd9ddc13862f6957
Signed-off-by: default avatarJay Guo <guojiannan1101@gmail.com>
parent ade6dc48
......@@ -432,7 +432,7 @@ func (c *Chain) checkConfigUpdateValidity(ctx *common.Envelope) error {
return err
}
// Check that only the ConsensusType is updated in the write-set
// Validate consenter set if it is updated in the write-set
if ordererConfigGroup, ok := configUpdate.WriteSet.Groups["Orderer"]; ok {
if val, ok := ordererConfigGroup.Values["ConsensusType"]; ok {
return c.checkConsentersSet(val)
......@@ -1178,6 +1178,17 @@ func (c *Chain) checkConsentersSet(configValue *common.ConfigValue) error {
return err
}
// sanity check of certificates
for _, consenter := range updatedMetadata.Consenters {
if bl, _ := pem.Decode(consenter.ServerTlsCert); bl == nil {
return errors.Errorf("Invalid server TLS cert: %s", string(consenter.ServerTlsCert))
}
if bl, _ := pem.Decode(consenter.ClientTlsCert); bl == nil {
return errors.Errorf("Invalid client TLS cert: %s", string(consenter.ClientTlsCert))
}
}
if err := MetadataHasDuplication(updatedMetadata); err != nil {
return err
}
......
......@@ -1567,6 +1567,29 @@ var _ = Describe("Chain", func() {
Expect(err).To(MatchError("update of more than one consenter at a time is not supported, requested changes: add 0 node(s), remove 2 node(s)"))
})
It("rejects invalid certificates", func() {
configMetadata := &raftprotos.ConfigMetadata{}
for _, consenter := range consenters {
configMetadata.Consenters = append(configMetadata.Consenters, consenter)
}
configMetadata.Consenters[0].ServerTlsCert = []byte("hello")
value := map[string]*common.ConfigValue{
"ConsensusType": {
Version: 1,
Value: marshalOrPanic(&orderer.ConsensusType{
Metadata: marshalOrPanic(configMetadata),
}),
},
}
By("creating new configuration with invalid certificate")
configEnv := newConfigEnv(channelID, common.HeaderType_CONFIG, newConfigUpdateEnv(channelID, value))
c1.cutter.CutNext = true
By("sending config transaction")
Expect(c1.Configure(configEnv, 0)).To(MatchError("Invalid server TLS cert: hello"))
})
It("can rotate certificate by adding and removing 1 node in one config update", func() {
metadata := &raftprotos.ConfigMetadata{}
for id, consenter := range consenters {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment