[FAB-7632] Block expired x509 identities in endorsement

This change set adds an authentication filter
which is enabled by default (but can be removed at will)
that blocks proposals with identities that are x509 identities
and they are expired.

Change-Id: Id1d30d6be297a06dbc4579a4e8652ed07139241b
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/handlers/auth/filter/expiration.go

@@ -0,0 +1,62 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package filter
+
+import (
+	"time"
+
+	"github.com/hyperledger/fabric/common/crypto"
+	"github.com/hyperledger/fabric/core/handlers/auth"
+	"github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
+	"github.com/pkg/errors"
+	"golang.org/x/net/context"
+)
+
+// NewExpirationCheckFilter creates a new Filter that checks identity expiration
+func NewExpirationCheckFilter() auth.Filter {
+	return &expirationCheckFilter{}
+}
+
+type expirationCheckFilter struct {
+	next peer.EndorserServer
+}
+
+// Init initializes the Filter with the next EndorserServer
+func (f *expirationCheckFilter) Init(next peer.EndorserServer) {
+	f.next = next
+}
+
+func validateProposal(signedProp *peer.SignedProposal) error {
+	prop, err := utils.GetProposal(signedProp.ProposalBytes)
+	if err != nil {
+		return errors.Wrap(err, "failed parsing proposal")
+	}
+
+	hdr, err := utils.GetHeader(prop.Header)
+	if err != nil {
+		return errors.Wrap(err, "failed parsing header")
+	}
+
+	sh, err := utils.GetSignatureHeader(hdr.SignatureHeader)
+	if err != nil {
+		return errors.Wrap(err, "failed parsing signature header")
+	}
+	expirationTime := crypto.ExpiresAt(sh.Creator)
+	if !expirationTime.IsZero() && time.Now().After(expirationTime) {
+		return errors.New("identity expired")
+	}
+	return nil
+}
+
+// ProcessProposal processes a signed proposal
+func (f *expirationCheckFilter) ProcessProposal(ctx context.Context, signedProp *peer.SignedProposal) (*peer.ProposalResponse, error) {
+	if err := validateProposal(signedProp); err != nil {
+		return nil, err
+	}
+	return f.next.ProcessProposal(ctx, signedProp)
+}

core/handlers/auth/filter/expiration_test.go

@@ -0,0 +1,136 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package filter
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"testing"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/protos/common"
+	"github.com/hyperledger/fabric/protos/msp"
+	"github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/context"
+)
+
+type mutator func([]byte) []byte
+
+func noopMutator(b []byte) []byte {
+	return b
+}
+
+func corruptMutator(b []byte) []byte {
+	b = append(b, 0)
+	return b
+}
+
+func createX509Identity(t *testing.T, certFileName string) []byte {
+	certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certFileName))
+	assert.NoError(t, err)
+	sId := &msp.SerializedIdentity{
+		IdBytes: certBytes,
+	}
+	idBytes, err := proto.Marshal(sId)
+	assert.NoError(t, err)
+	return idBytes
+}
+
+func createIdemixIdentity(t *testing.T) []byte {
+	idemixId := &msp.SerializedIdemixIdentity{
+		NymX: []byte{1, 2, 3},
+		NymY: []byte{1, 2, 3},
+		OU:   []byte("OU1"),
+	}
+	idemixBytes, err := proto.Marshal(idemixId)
+	assert.NoError(t, err)
+	sId := &msp.SerializedIdentity{
+		IdBytes: idemixBytes,
+	}
+	idBytes, err := proto.Marshal(sId)
+	assert.NoError(t, err)
+	return idBytes
+}
+
+func createSignedProposal(t *testing.T, serializedIdentity []byte, corruptSigHdr mutator, corruptHdr mutator) *peer.SignedProposal {
+	sHdr := utils.MakeSignatureHeader(serializedIdentity, nil)
+	hdr := utils.MakePayloadHeader(&common.ChannelHeader{}, sHdr)
+	hdr.SignatureHeader = corruptSigHdr(hdr.SignatureHeader)
+	hdrBytes, err := proto.Marshal(hdr)
+	assert.NoError(t, err)
+	prop := &peer.Proposal{
+		Header: hdrBytes,
+	}
+	prop.Header = corruptHdr(prop.Header)
+	propBytes, err := proto.Marshal(prop)
+	assert.NoError(t, err)
+	return &peer.SignedProposal{
+		ProposalBytes: propBytes,
+	}
+}
+
+func createValidSignedProposal(t *testing.T, serializedIdentity []byte) *peer.SignedProposal {
+	return createSignedProposal(t, serializedIdentity, noopMutator, noopMutator)
+}
+
+func createSignedProposalWithInvalidSigHeader(t *testing.T, serializedIdentity []byte) *peer.SignedProposal {
+	return createSignedProposal(t, serializedIdentity, corruptMutator, noopMutator)
+}
+
+func createSignedProposalWithInvalidHeader(t *testing.T, serializedIdentity []byte) *peer.SignedProposal {
+	return createSignedProposal(t, serializedIdentity, noopMutator, corruptMutator)
+}
+
+func TestExpirationCheckFilter(t *testing.T) {
+	nextEndorser := &mockEndorserServer{}
+	auth := NewExpirationCheckFilter()
+	auth.Init(nextEndorser)
+
+	// Scenario I: Expired x509 identity
+	sp := createValidSignedProposal(t, createX509Identity(t, "expiredCert.pem"))
+	_, err := auth.ProcessProposal(context.Background(), sp)
+	assert.Equal(t, err.Error(), "identity expired")
+	assert.False(t, nextEndorser.invoked)
+
+	// Scenario II: Not expired x509 identity
+	sp = createValidSignedProposal(t, createX509Identity(t, "notExpiredCert.pem"))
+	_, err = auth.ProcessProposal(context.Background(), sp)
+	assert.NoError(t, err)
+	assert.True(t, nextEndorser.invoked)
+	nextEndorser.invoked = false
+
+	// Scenario III: Idemix identity
+	sp = createValidSignedProposal(t, createIdemixIdentity(t))
+	_, err = auth.ProcessProposal(context.Background(), sp)
+	assert.NoError(t, err)
+	assert.True(t, nextEndorser.invoked)
+	nextEndorser.invoked = false
+
+	// Scenario IV: Malformed proposal
+	sp = createValidSignedProposal(t, createX509Identity(t, "notExpiredCert.pem"))
+	sp.ProposalBytes = append(sp.ProposalBytes, 0)
+	_, err = auth.ProcessProposal(context.Background(), sp)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed parsing proposal")
+	assert.False(t, nextEndorser.invoked)
+
+	// Scenario V: Malformed signature header
+	sp = createSignedProposalWithInvalidSigHeader(t, createX509Identity(t, "notExpiredCert.pem"))
+	_, err = auth.ProcessProposal(context.Background(), sp)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed parsing signature header")
+	assert.False(t, nextEndorser.invoked)
+
+	// Scenario VI: Malformed header
+	sp = createSignedProposalWithInvalidHeader(t, createX509Identity(t, "notExpiredCert.pem"))
+	_, err = auth.ProcessProposal(context.Background(), sp)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed parsing header")
+	assert.False(t, nextEndorser.invoked)
+}

core/handlers/auth/filter/testdata/expiredCert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAcCgAwIBAgIRAKLReasLg2oNMbOafRp0a/EwCgYIKoZIzj0EAwIwczEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh
+Lm9yZzEuZXhhbXBsZS5jb20wHhcNODkxMjE1MDc1NTAwWhcNODkxMjE1MDgwMDAw
+WjBbMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
+U2FuIEZyYW5jaXNjbzEfMB0GA1UEAxMWcGVlcjAub3JnMS5leGFtcGxlLmNvbTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABGRKxsl6MGrNEgyj78c1uVDgR0lqHvuf
+jBS/hlMbOqkF9f+oj1Hfr2oAQYMgj6hwiePxzXTRyk+NboqgVgccstujTTBLMA4G
+A1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMCsGA1UdIwQkMCKAIEIBuSbFuduz
+ktspAE6FAP7r1N5ClHZM1B/fSiRh9BXGMAoGCCqGSM49BAMCA0cAMEQCIFWScCx8
+KIAmvO0qN2qPdG8UeeSr10gvdHl7vohRlDMXAiBt1Pks8/McNoUNI1Q5kInsWroH
+1pE6XdTNIOsKDKnd5g==
+-----END CERTIFICATE-----

core/handlers/auth/filter/testdata/notExpiredCert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNjCCAd2gAwIBAgIRAMnf9/dmV9RvCCVw9pZQUfUwCgYIKoZIzj0EAwIwgYEx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
+RnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMQwwCgYDVQQLEwND
+T1AxHDAaBgNVBAMTE2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTcxMTEyMTM0MTEx
+WhcNMjcxMTEwMTM0MTExWjBpMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
+cm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEMMAoGA1UECxMDQ09QMR8wHQYD
+VQQDExZwZWVyMC5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEZ8S4V71OBJpyMIVZdwYdFXAckItrpvSrCf0HQg40WW9XSoOOO76I+Umf
+EkmTlIJXP7/AyRRSRU38oI8Ivtu4M6NNMEswDgYDVR0PAQH/BAQDAgeAMAwGA1Ud
+EwEB/wQCMAAwKwYDVR0jBCQwIoAginORIhnPEFZUhXm6eWBkm7K7Zc8R4/z7LW4H
+ossDlCswCgYIKoZIzj0EAwIDRwAwRAIgVikIUZzgfuFsGLQHWJUVJCU7pDaETkaz
+PzFgsCiLxUACICgzJYlW7nvZxP7b6tbeu3t8mrhMXQs956mD4+BoKuNI
+-----END CERTIFICATE-----

core/handlers/library/library.go

@@ -27,6 +27,12 @@ func (r *HandlerLibrary) DefaultAuth() auth.Filter {
 	return filter.NewFilter()
 }
 
+// ExpirationCheck is an auth filter which blocks requests
+// from identities with expired x509 certificates
+func (r *HandlerLibrary) ExpirationCheck() auth.Filter {
+	return filter.NewExpirationCheckFilter()
+}
+
 // DefaultDecorator creates a default decorator
 // that doesn't do anything with the input, simply
 // returns the input as output.

sampleconfig/core.yaml

@@ -368,6 +368,8 @@ peer:
         authFilters:
           -
             name: DefaultAuth
+          -
+            name: ExpirationCheck    # This filter checks identity x509 certificate expiration
         decorators:
           -
             name: DefaultDecorator