Correct handling of CA VerifyOptions (#306)

The verify options strucutre is global property - but the verify struture in the case of re-enroll is set back by 30 seconds. If this is the global structure - then that is not good. Duplicating the structure. Many ways to solve this problem; but this the current approach is cleaner. Signed-off-by: Matthew B White <[email protected]>
hyperledger · Jun 27, 2022 · 3be7a15 · 3be7a15
1 parent 076f37b
commit 3be7a15
Show file tree

Hide file tree

Showing 8 changed files with 874 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b
 	github.com/hyperledger/fabric v1.4.11
 	github.com/hyperledger/fabric-lib-go v1.0.0
+	github.com/jinzhu/copier v0.3.5
 	github.com/jmoiron/sqlx v1.2.0
 	github.com/kisielk/sqlstruct v0.0.0-20201105191214-5f3e10d3ab46
 	github.com/lib/pq v1.8.0

diff --git a/go.sum b/go.sum
@@ -101,6 +101,8 @@ github.com/hyperledger/fabric-protos-go v0.0.0-20210911123859-041d13f0980c/go.mo
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jinzhu/copier v0.3.5 h1:GlvfUwHk62RokgqVNvYsku0TATCF7bAHVwEXoBh3iJg=
+github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4=
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548/go.mod h1:hGT6jSUVzF6no3QaDSMLGLEHtHSBSefs+MgcDWnmhmo=
 github.com/jmoiron/sqlx v0.0.0-20180124204410-05cef0741ade/go.mod h1:IiEW3SEiiErVyFdH8NTuWjSifiEQKUoyK3LNqr2kCHU=

diff --git a/lib/ca.go b/lib/ca.go
@@ -50,6 +50,8 @@ import (
 	"github.com/hyperledger/fabric-ca/util"
 	"github.com/hyperledger/fabric/bccsp"
 	"github.com/pkg/errors"
+
+	"github.com/jinzhu/copier"
 )
 
 const (
@@ -487,13 +489,18 @@ func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
 		return errors.WithMessage(err, "Failed to get verify options")
 	}
 
+	// some cases the structure needs to be update; create a duplicate
+	// *could* only do this one path but the code then isn't quite as clean.
+	// Not in a perforamnce path, so chose this approach
+	checkOpts := x509.VerifyOptions{}
+	copier.Copy(&checkOpts, opts)
 	// force check time to be 30 seconds after certificate start time to ensure expiry doesn't get flagged
 	// this is one of the checks that is made on the certificate in Verify()
 	if forceTime {
-		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
+		checkOpts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
 	}
 
-	_, err = cert.Verify(*opts)
+	_, err = cert.Verify(checkOpts)
 	if err != nil {
 		return errors.WithMessage(err, "Failed to verify certificate")
 	}

diff --git a/vendor/github.com/jinzhu/copier/License b/vendor/github.com/jinzhu/copier/License
diff --git a/vendor/github.com/jinzhu/copier/README.md b/vendor/github.com/jinzhu/copier/README.md