diff --git a/integration_tests/constants/constants.go b/integration_tests/constants/constants.go index 1d1de5384..b94e08799 100644 --- a/integration_tests/constants/constants.go +++ b/integration_tests/constants/constants.go @@ -242,6 +242,19 @@ IwQYMBaAFOKQjTacPKPBE7sJ4k3BzMWmZpHUMB0GA1UdDgQWBBTikI02nDyjwRO7 CeJNwczFpmaR1DAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhAPZJ skxY48EcSnatPseu6GcuFZw/bE/7uvp/PknnofJVAiAFXbU9SkxGi+Lqqa4YQRx9 tpcQ/mhg7DECwutZLCxKyA== +-----END CERTIFICATE-----` + + PAACertExpired = `-----BEGIN CERTIFICATE----- +MIIBvDCCAWKgAwIBAgIIAwFMXQkbuSQwCgYIKoZIzj0EAwIwMDEYMBYGA1UEAwwP +TWF0dGVyIFRlc3QgUEFBMRQwEgYKKwYBBAGConwCAQwERkZGMjAeFw0yMTA2Mjgx +NDIzNDNaFw0yMjA2MjgxNDIzNDJaMDAxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBB +QTEUMBIGCisGAQQBgqJ8AgEMBEZGRjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAS3ChaWbeRtv7g4oICrIP92kJfHqKAh37RKtoeyBOARLTsQffxqcPdTKIHbdlbU +kCTiECbFVfuSLYkJzG8MBbHKo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud +DwEB/wQEAwIBBjAdBgNVHQ4EFgQUm7KZu6ZJfbWgTh4Yx8IOrsVMQukwHwYDVR0j +BBgwFoAUm7KZu6ZJfbWgTh4Yx8IOrsVMQukwCgYIKoZIzj0EAwIDSAAwRQIgED1f +neH8IHXIiGiNf/knk09MXh43Cqmj8tAWJGNqtGECIQCjqZb5p6tl5zLGr4d70sVO +2GL5RcHKohx+qL0o57dAuQ== -----END CERTIFICATE-----` RootIssuer = "MDQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApzb21lLXN0YXRlMRAwDgYDVQQKDAdyb290LWNh" diff --git a/x/pki/keeper/approved_certificates.go b/x/pki/keeper/approved_certificates.go index 27d1749ed..6ba8a9dd2 100644 --- a/x/pki/keeper/approved_certificates.go +++ b/x/pki/keeper/approved_certificates.go @@ -121,7 +121,7 @@ func (k Keeper) verifyCertificate(ctx sdk.Context, // nolint:nestif if x509Certificate.IsSelfSigned() { // in this system a certificate is self-signed if and only if it is a root certificate - if err := x509Certificate.Verify(x509Certificate); err == nil { + if err := x509Certificate.Verify(x509Certificate, ctx.BlockTime()); err == nil { return x509Certificate.Subject, x509Certificate.SubjectKeyID, nil } } else { @@ -139,7 +139,7 @@ func (k Keeper) verifyCertificate(ctx sdk.Context, } // verify certificate against parent - if err := x509Certificate.Verify(parentX509Certificate); err != nil { + if err := x509Certificate.Verify(parentX509Certificate, ctx.BlockTime()); err != nil { continue } diff --git a/x/pki/x509/x509.go b/x/pki/x509/x509.go index 3fbfc7930..29a1cfdeb 100644 --- a/x/pki/x509/x509.go +++ b/x/pki/x509/x509.go @@ -21,6 +21,7 @@ import ( "encoding/pem" "fmt" "strings" + "time" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) @@ -112,11 +113,11 @@ func BytesToHex(bytes []byte) string { return strings.Join(bytesHex, ":") } -func (c Certificate) Verify(parent *Certificate) error { +func (c Certificate) Verify(parent *Certificate, blockTime time.Time) error { roots := x509.NewCertPool() roots.AddCert(parent.Certificate) - opts := x509.VerifyOptions{Roots: roots} + opts := x509.VerifyOptions{Roots: roots, CurrentTime: blockTime} if _, err := c.Certificate.Verify(opts); err != nil { return types.NewErrInvalidCertificate(fmt.Sprintf("Certificate verification failed. Error: %v", err)) diff --git a/x/pki/x509/x509_test.go b/x/pki/x509/x509_test.go index d743c7f41..ea9d958ff 100644 --- a/x/pki/x509/x509_test.go +++ b/x/pki/x509/x509_test.go @@ -17,6 +17,7 @@ package x509 import ( "testing" + "time" "github.com/stretchr/testify/require" testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" @@ -82,13 +83,25 @@ func Test_DecodeCertificatesWithVID(t *testing.T) { func Test_VerifyLeafCertificate(t *testing.T) { certificate, _ := DecodeX509Certificate(testconstants.LeafCertPem) parentCertificate, _ := DecodeX509Certificate(testconstants.IntermediateCertPem) - err := certificate.Verify(parentCertificate) + blockTime := time.Date(2022, 12, 22, 22, 22, 22, 22, time.UTC) + + err := certificate.Verify(parentCertificate, blockTime) require.Nil(t, err) } func Test_VerifyRootCertificate(t *testing.T) { certificate, _ := DecodeX509Certificate(testconstants.RootCertPem) - err := certificate.Verify(certificate) + blockTime := time.Date(2022, 12, 22, 22, 22, 22, 22, time.UTC) + + err := certificate.Verify(certificate, blockTime) + require.Nil(t, err) +} + +func Test_FastSync_VerifyExpiredRootCertificateWhenBlockTimeInPast(t *testing.T) { + certificate, _ := DecodeX509Certificate(testconstants.PAACertExpired) + blockTime := time.Date(2022, 5, 4, 22, 22, 22, 22, time.UTC) + + err := certificate.Verify(certificate, blockTime) require.Nil(t, err) }