[Fix]: Provide a meaningful error for cert sanitization (release-2.2)

This commit handles the error where the certificate sanitization procedure fails to construct the certificate chain due to misconfiguration. Before this commit, the peer will simply fail with panic without a clear explanation of what exactly was wrong. Addresses (hyperledger#4302). Signed-off-by: David Enyeart <[email protected]>
denyeart · Jul 19, 2023 · 669cf52 · 669cf52
1 parent 8b00a02
commit 669cf52
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 3 deletions.
diff --git a/msp/mspimpl.go b/msp/mspimpl.go
@@ -13,6 +13,7 @@ import (
 	"encoding/asn1"
 	"encoding/hex"
 	"encoding/pem"
+	"fmt"
 	"strings"
 
 	"github.com/golang/protobuf/proto"
@@ -925,10 +926,15 @@ func (msp *bccspmsp) sanitizeCert(cert *x509.Certificate) (*x509.Certificate, er
 			return cert, nil
 		}
 
-		// ok, this is no a root CA cert, and now we
-		// then we have chain of certs and can get parent
+		// ok, this is not a root CA cert, and now we
+		// have chain of certs and can extract parent
 		// to sanitize the cert whenever it's intermediate or leaf certificate
-		parentCert := chain[1]
+		var parentCert *x509.Certificate
+		if len(chain) <= 1 {
+			return nil, fmt.Errorf("failed to traverse certificate verification chain"+
+				" for leaf or intermediate certificate, with subject %s", cert.Subject)
+		}
+		parentCert = chain[1]
 
 		// Sanitize
 		return sanitizeECDSASignedCert(cert, parentCert)

diff --git a/msp/mspimplsetup_test.go b/msp/mspimplsetup_test.go
@@ -11,6 +11,9 @@ import (
 	"testing"
 
 	"github.com/hyperledger/fabric-protos-go/msp"
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/sw"
+	"github.com/hyperledger/fabric/common/crypto/tlsgen"
 
 	"github.com/onsi/gomega"
 )
@@ -127,6 +130,43 @@ func TestTLSCAValidation(t *testing.T) {
 	})
 }
 
+func TestMalformedCertsChainSetup(t *testing.T) {
+	gt := gomega.NewGomegaWithT(t)
+
+	ca, err := tlsgen.NewCA()
+	gt.Expect(err).NotTo(gomega.HaveOccurred())
+
+	inter, err := ca.NewIntermediateCA()
+	gt.Expect(err).NotTo(gomega.HaveOccurred())
+
+	cp, err := sw.NewDefaultSecurityLevelWithKeystore(sw.NewDummyKeyStore())
+	gt.Expect(err).NotTo(gomega.HaveOccurred())
+
+	cp.GetHash(&bccsp.SHA256Opts{})
+	mspImpl := &bccspmsp{
+		opts:  &x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()},
+		bccsp: cp,
+		cryptoConfig: &msp.FabricCryptoConfig{
+			IdentityIdentifierHashFunction: "SHA256",
+		},
+	}
+
+	// Add root CA certificate
+	// cert, err := mspImpl.getCertFromPem([]byte(ca.CertBytes()))
+	certInter, err := mspImpl.getCertFromPem([]byte(inter.CertBytes()))
+	gt.Expect(err).NotTo(gomega.HaveOccurred())
+	mspImpl.opts.Roots.AddCert(certInter)
+	mspImpl.rootCerts = []Identity{&identity{cert: certInter}}
+
+	err = mspImpl.finalizeSetupCAs()
+	gt.Expect(err).NotTo(gomega.HaveOccurred())
+
+	// Extract identity from the leaf certificate
+	_, _, err = mspImpl.getIdentityFromConf(inter.CertBytes())
+	gt.Expect(err).To(gomega.HaveOccurred())
+	gt.Expect(err.Error()).To(gomega.ContainSubstring("failed to traverse certificate verification chain"))
+}
+
 func TestCAValidation(t *testing.T) {
 	gt := gomega.NewGomegaWithT(t)