base repository: hyperledger/fabric
base: 8f7ec475b2db457d76520f1d168809a0e6fe647f
..
head repository: hyperledger/fabric
compare: 490dca6c9cf3b09111d7d903bb80cf6f5b182c84
Showing with 60 additions and 11 deletions.
  1. +60 −11 integration/gossip/gossip_test.go
71 changes: 60 additions & 11 deletions integration/gossip/gossip_test.go
@@ -9,9 +9,11 @@ package gossip
import (
"crypto/ecdsa"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/pem"
"fmt"
"math/big"
"os"
"path/filepath"
"syscall"
@@ -334,13 +336,15 @@ var _ = Describe("Gossip State Transfer and Membership", func() {
fmt.Println("===PKI-ID REPLACED===")
time.Sleep(5 * time.Second)

// By("verifying membership after cert renewed")
// Discovery check fails since discovered peer's cert is not identical to expected peer's cert (content is the same but signature has changed, perhaps due to how cert is re-created in expireCertificate)
// Eventually(
// nwo.DiscoverPeers(network, peer0Org1, "User1", "testchannel"),
// 60*time.Second,
// 100*time.Millisecond).Should(ContainElements(network.DiscoveredPeer(network.Peer("Org2", "peer0"), "_lifecycle"))
// )
By("verifying membership after cert renewed")
Eventually(
nwo.DiscoverPeers(network, peer0Org1, "User1", "testchannel"),
60*time.Second,
100*time.Millisecond).
Should(ContainElements(network.DiscoveredPeer(network.Peer("Org2", "peer0"), "_lifecycle")))

fmt.Println("===MEMBERSHIP VERIFIED WITH RENEWED CERT, NOW WAIT FOR CERT TO EXPIRE===")
time.Sleep(5 * time.Second)

By("waiting for cert to expire within a minute")
Eventually(peer0Org1Runner.Err(), network.EventuallyTimeout).Should(gbytes.Say("gossipping peer identity expired"))
@@ -355,8 +359,14 @@ var _ = Describe("Gossip State Transfer and Membership", func() {
By("ensuring that peer0Org1 establishes membership with peer0Org2 after final restart post-expiration")
startPeers(nwprocs, false, peer0Org2)

// Due to discovery check issue mentioned above, for now just check the log for membership
Eventually(peer0Org1Runner.Err(), network.EventuallyTimeout).Should(gbytes.Say("Membership view has changed. peers went online"))
Eventually(
nwo.DiscoverPeers(network, peer0Org1, "User1", "testchannel"),
60*time.Second,
100*time.Millisecond).
Should(ContainElements(network.DiscoveredPeer(network.Peer("Org2", "peer0"), "_lifecycle")))

time.Sleep(300 * time.Minute)

})
})

@@ -406,8 +416,31 @@ func expireCertificate(certPEM, caCertPEM, caKeyPEM []byte, expirationTime time.
// The certificate expires now
cert.NotAfter = expirationTime

// The CA signs the certificate
certBytes, err := x509.CreateCertificate(rand.Reader, cert, caCert, cert.PublicKey, caKey)
// The CA creates and signs a temporary certificate
tempCertBytes, err := x509.CreateCertificate(rand.Reader, cert, caCert, cert.PublicKey, caKey)
Expect(err).NotTo(HaveOccurred())

// Force the certificate to use Low-S signature to be compatible with the identities that Fabric uses

// Parse the certificate to extract the TBS (to-be-signed) data
tempParsedCert, err := x509.ParseCertificate(tempCertBytes)
Expect(err).NotTo(HaveOccurred())

// Hash the TBS data
hash := sha256.Sum256(tempParsedCert.RawTBSCertificate)

// Sign the hash using forceLowS
r, s, err := forceLowS(caKey, hash[:])
Expect(err).NotTo(HaveOccurred())

// Encode the signature (DER format)
signature := append(r.Bytes(), s.Bytes()...)

// Replace the signature in the certificate with the low-s signature
tempParsedCert.Signature = signature

// Re-encode the certificate with the low-s signature
certBytes, err := x509.CreateCertificate(rand.Reader, tempParsedCert, caCert, cert.PublicKey, caKey)
Expect(err).NotTo(HaveOccurred())

// The CA signs its own certificate
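Review bot: The low-S normalisation in this hunk never reaches the emitted certificate: `x509.CreateCertificate` does not read `template.Signature`, it signs the new TBS itself with `caKey`, so the `tempParsedCert.Signature = signature` assignment is discarded and the final `certBytes` carries a fresh signature that is high-S roughly half the time, which is exactly what the change set out to avoid. The intermediate `signature := append(r.Bytes(), s.Bytes()...)` is also not DER as its comment claims (an ECDSA signature is a SEQUENCE of two INTEGERs, and `Bytes()` drops leading zeros), so even if it were used it would not parse. A simpler correct fix is to drop the manual re-signing and loop on `CreateCertificate` until the parsed signature's S is at most half the curve order, as below (needs `encoding/asn1`; `forceLowS` then becomes unused and can go); `expireCertificate`'s signature and return lie outside this hunk. Separately, the `time.Sleep(300 * time.Minute)` added in the previous hunk looks like a debugging leftover that will stall the suite for five hours.
```go
// … unchanged: cert.NotAfter = expirationTime …
// x509.CreateCertificate ignores template.Signature and signs the TBS itself,
// so retry until the randomly generated S falls in the low half of the curve order.
halfOrder := new(big.Int).Rsh(caKey.Curve.Params().N, 1)
var certBytes []byte
for {
	certBytes, err = x509.CreateCertificate(rand.Reader, cert, caCert, cert.PublicKey, caKey)
	Expect(err).NotTo(HaveOccurred())
	signed, perr := x509.ParseCertificate(certBytes)
	Expect(perr).NotTo(HaveOccurred())
	var sig struct{ R, S *big.Int }
	_, perr = asn1.Unmarshal(signed.Signature, &sig)
	Expect(perr).NotTo(HaveOccurred())
	if sig.S.Cmp(halfOrder) <= 0 {
		break
	}
}
// … unchanged: CA self-signing and PEM encoding …
```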
@@ -419,6 +452,22 @@ func expireCertificate(certPEM, caCertPEM, caKeyPEM []byte, expirationTime time.
return
}

// forceLowS ensures the ECDSA signature's S value is low
func forceLowS(priv *ecdsa.PrivateKey, hash []byte) (r, s *big.Int, err error) {
r, s, err = ecdsa.Sign(rand.Reader, priv, hash)
Expect(err).NotTo(HaveOccurred())

curveOrder := priv.Curve.Params().N
halfOrder := new(big.Int).Rsh(curveOrder, 1) // curveOrder / 2

// If s is greater than half the order, replace it with curveOrder - s
if s.Cmp(halfOrder) > 0 {
s.Sub(curveOrder, s)
}

return r, s, nil
}

func runTransactions(n *nwo.Network, orderer *nwo.Orderer, peer *nwo.Peer, chaincodeName string, channelID string) {
for i := 0; i < 5; i++ {
sess, err := n.PeerUserSession(peer, "User1", commands.ChaincodeInvoke{